Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Using USB key as real $HOME and possible encryption?
Date: Wed, 30 Apr 2014 05:25:52
Message-Id: 201404300625.20897.michaelkintzios@gmail.com
In Reply to: Re: [gentoo-user] Using USB key as real $HOME and possible encryption? by Rick "Zero_Chaos" Farina
On Wednesday 30 Apr 2014 03:50:12 Rick "Zero_Chaos" Farina wrote:
> On 04/29/2014 03:58 PM, Walter Dnes wrote:
> > On Tue, Apr 29, 2014 at 01:32:46PM -0400, Rick "Zero_Chaos" Farina wrote
> >
> >> On 04/29/2014 12:27 PM, Walter Dnes wrote:
> >>> Another couple of things I didn't realize. According to
> >>>
> >>> https://wiki.gentoo.org/wiki/Dm-crypt I have to build in support for
> >>> the crypt target in the kernel. It also suggests
> >>> <*> SHA224 and SHA256 digest algorithm
> >>>
> >>> Any comments on their strength? I'm not worried about the NSA or
> >>> CSIS as much as opportunistic criminals.

If it's only opportunistic criminals you're worried about then SHA1 with its
160-bit string is ample and so is MD5 with its 128-bit. Both are considered
weak hashes these days and should be avoided for business critical set ups,
but they are soooooo widely used (esp. by internet browsers, VPN routers,
etc.) that it would be difficult to upgrade everything overnight to SHA2.


> >> I use whirlpool. Why you ask? It sounds cool! Also it supported 512bit
> >> which seems nice.

Whirlpool is of course better, because it has an even longer 521-bit string.


> > Sorry to pester you, but I'm beginning to realize just how much is
> > involved here that I'm a newbie at. Two more questions...
> >
> >
> > 1) If multiple encryption algorithms are enabled in the kernel, how does
> > the system decide which one to use?
>
> dmcrypt/luks stores the proper encryption algorithm, as long as the
> correct one is supported you are all set.

It will use the default. Run:

cryptsetup --help

to see the default that it was compiled with.

Or,

it will use the --hash and --cipher options that you specify when you run
cryptsetup. Have a look at the fine manual.


> > 2) I assume that if I want to use the same encrypted USB key on 2 or
> > more machines, then the kernels of all the machines must be built with
> > the same encryption algorithms?
>
> No, but they do both need the encryption and hashing algorithm you are
> using.

As I understand it, but may be wrong because I have not used LUKS, you need to
have the same ciphers and hashes on both machines. Thankfully, all PCs these
days have aes and sha1. :-)

--
Regards,
Mick
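
Added example, not part of the message above or of the thread: a check for the two-machine question, reading the cipher and hash recorded in a LUKS header and comparing what the kernel must provide against the algorithms a second machine lists in /proc/crypto. It assumes the LUKS1 `cryptsetup luksDump` layout; the device name /dev/sdX1, the function names and both sample texts are constructed for illustration.

```sh
#!/bin/sh
# Added example. Sample data is constructed; field names follow the LUKS1
# layout of `cryptsetup luksDump` and the "name : alg" lines of /proc/crypto.

SAMPLE_DUMP='LUKS header information for /dev/sdX1

Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      whirlpool'

# Constructed /proc/crypto excerpt from a second machine: aes and sha1 only.
SAMPLE_CRYPTO='name         : aes
driver       : aes-generic
module       : kernel

name         : sha1
driver       : sha1-generic
module       : kernel'

# luks_field DUMP FIELD: print the value of the "FIELD: value" header line.
luks_field() {
    printf '%s\n' "$1" |
        awk -v k="$2" 'index($0, k ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# kernel_has CRYPTO NAME: succeed if NAME is registered in the /proc/crypto text.
kernel_has() {
    printf '%s\n' "$1" |
        awk -v n="$2" '$1 == "name" && $3 == n { f = 1 } END { exit !f }'
}

# missing_algs DUMP CRYPTO: print what the header needs from the kernel but
# CRYPTO does not list. "Hash spec" is left out on purpose: cryptsetup uses it
# for key derivation through its own crypto backend.
missing_algs() {
    need=$(luks_field "$1" "Cipher name")
    mode=$(luks_field "$1" "Cipher mode")
    case "$mode" in
        *essiv:*) need="$need ${mode##*essiv:}" ;;  # ESSIV hashes inside the kernel
    esac
    out=""
    for a in $need; do
        kernel_has "$2" "$a" || out="${out:+$out }$a"
    done
    printf '%s\n' "$out"
}

echo "header hash spec: $(luks_field "$SAMPLE_DUMP" "Hash spec")"
echo "missing on second machine: $(missing_algs "$SAMPLE_DUMP" "$SAMPLE_CRYPTO")"
```

On a real system the two arguments would be the output of `cryptsetup luksDump` for the key and the contents of /proc/crypto. An algorithm built as a module is listed there only once the module is loaded, so a "missing" result is a prompt to check the kernel configuration.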
