On 05/07/2010 11:14 PM, Stefan G. Weichinger wrote:
> On 07.05.2010 16:24, Stefan G. Weichinger wrote:
>> On 07.05.2010 10:53, Stefan G. Weichinger wrote:
>>
>>> I think I am gonna file a bug for this now.
>>
>> http://bugs.gentoo.org/show_bug.cgi?id=318865
>
> Aside from the potential bug:
>
> As I store the "verysekrit.key" on the same hdd as the encrypted
> device and use the rather simple shadowed password to decrypt that
> key ... isn't that just plain stupid?
>
> The overall security is just as good as my password. Cracking it with
> john opens the key to decrypting the LUKS-volume ...
>
> Yes, if I would store the key on another volume (stick or something)
> as mentioned in that howto it would make sense but in my case ...
>
> *scratches head* ;-)
>
> Stefan

I prefer to encrypt my entire hard disk. Well - a huge partition (excl.
only Windows and Solaris :) which I encrypt, then the decrypted
partition is used as a PV for LVM and all OS and partitions are in LVs.
This way I have to type in the password to decrypt the PV once, and all
LVs are decrypted. Then I have to use a second PW to log in of course. As
all Linux distros support encrypted roots and LVM nowadays I have
Gentoo, Fedora and Ubuntu all in the same VG. The speed disadvantage is
small, as my CPU+RAM is so much faster than the HDD. But in terms of
security it's better to have everything encrypted, because it makes it
more difficult to manipulate your system to get the key (the kernel is
still unencrypted), and no possibly private information can be obtained
from /tmp and /var. I compile all needed modules into the kernel, so I
don't need to recreate my initrd for every new kernel.

Bye,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887