On 03.09.2012 23:23, "Roland Häder" wrote:
>
>> No comment on dracut as I have no experience with it.
> Okay, so I have to try it out myself. When I find something out, I
> will expand the wiki with it.
>
>>
>> However, as I see it, you need no key file if you just use a pass
>> phrase. In my opinion, a key file is only necessary for two
>> improvements:
> Entering just a pass phrase means that this pass phrase will be used
> to decrypt the device. If you decrypt a key before and then with that
> key decrypt all your volumes, you have much better security because
> that key will then be used as 'pass phrase', which is *way*
> stronger (4096+ chars + ~10-20 chars you can remember).
>

That's not exactly how it works.

1. An attacker could still simply break the pass phrase used to encrypt
the key file.

2. You don't actually weaken the encryption of your disk if you use a
small key (besides the obviously easier guessing of the key). The actual
encryption key is generated from the pass phrase (or key file) by a hash
function (default: SHA-1). This always expands or compresses your key to
the key size defined when issuing `cryptsetup luksFormat`.

>>
>> 1. Two-factor authentication (read: encrypted key file)
>>

This is what makes a key file better and more secure. The attacker not
only needs a pass phrase /or/ a memory stick; he needs both.

>> 2. Avoiding re-typing the pass phrase for multiple dmcrypt
>> partitions
> See above. :)
>
>> You can easily achieve the second point by putting an unencrypted
>> key file on the first partition which you encrypt with a pass
>> phrase. You don't even need dracut for this, /etc/conf.d/dmcrypt
>> lets you configure it easily (as long as it doesn't affect /usr).
> Okay, I'll look into this.
>
>>
>> However, I personally find it easier to put LVM on a single
>> dmcrypt volume and be done with it. All you need for this to work are
>> two lines in /etc/rc.conf: rc_dmcrypt_before="lvm"
>> rc_dmcrypt_after="udev"
> I'm new to LVM, does it set up key-based encryption (best is to put
> that key on a USB stick, so the attacker needs my stick)?
>
> Regards, Roland
>


I guess I didn't make myself clear. Mostly because I didn't want to
write a whole article on it before someone actually showed interest in
this. Anyway:

LVM has nothing to do with the encryption. It is just a way to partition
a single dmcrypt partition into more devices. Maybe it gets clearer if I
show my partitioning scheme (shortened a bit and with some artistic
liberties):

/dev/sda1 # /boot
/dev/sda2 # root + /usr + /etc
/dev/sda3 -> /dev/mapper/crypt # dmcrypt partition
/dev/mapper/crypt -> vg_notebook # LVM volume group on dmcrypt
vg_notebook -> /dev/mapper/vg_notebook-var # /var
vg_notebook -> /dev/mapper/vg_notebook-home # /home
vg_notebook -> /dev/mapper/vg_notebook-swap # swap
vg_notebook -> /dev/mapper/vg_notebook-opt # /opt
vg_notebook -> /dev/mapper/vg_notebook-usr-local # /usr/local


You see, it is just an alternative to different approaches on getting
several parts of your file system encrypted without having to enter pass
phrases for several dmcrypt partitions. Alternatives are

1. Put an unencrypted key file on the first encrypted partition.
2. Use a single file system on a single dmcrypt partition and then
`mount --bind` or `ln -s` parts of it in different places.

For me personally, it is a nice compromise as it allows me to work
without an initrd while still keeping most of my file systems encrypted.
I just have to make sure to leave nothing private on root, /usr or /etc.

Regards,
Florian Philipp
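To make the two points in the reply concrete (the hash step that expands or compresses any secret to the configured key size, and why an encrypted key file is two-factor while the pass phrase that wraps it remains attackable), here is an added Python model. It is not code from this thread or from cryptsetup. It uses PBKDF2-HMAC-SHA1, the construction LUKS1 uses to derive the key that unlocks a key slot; the key-file wrapping is a toy HMAC counter-mode stream cipher standing in for the real encrypted-key-file format, and the key file contents, pass phrase, salts and iteration count are constructed values.

```python
import hashlib
import hmac

# Constructed sample values (not from the mail): a deterministic 4096-byte
# "key file", a ~20-character pass phrase and fixed salts, so the run is
# reproducible offline. The iteration count is kept low for speed.
KEY_FILE = bytes(range(256)) * 16          # 4096 bytes, like a USB-stick key
PASSPHRASE = b"correct horse battery"      # the part the user remembers
VOLUME_SALT = b"volume-salt-0001"          # models the LUKS key-slot salt
WRAP_SALT = b"keyfile-wrap-salt"           # salt for wrapping the key file
ITERATIONS = 1000


def derive_key(secret: bytes, salt: bytes, key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1: any-length secret -> exactly key_len bytes.

    This is the 'expands or compresses your key to the key size' step: a
    10-character pass phrase and a 4096-byte key file both come out as
    key_len bytes. What differs is only how guessable the input is.
    """
    return hashlib.pbkdf2_hmac("sha1", secret, salt, ITERATIONS, dklen=key_len)


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (models the cipher that
    protects the key file; not a real LUKS or GPG format)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_key_file(key_file: bytes, passphrase: bytes) -> bytes:
    """Encrypt the key file under a key derived from the pass phrase.
    Attacking this wrapper costs one PBKDF2 run per pass phrase guess, the
    same per-guess cost as attacking a pass-phrase-only volume."""
    return xor(key_file, keystream(derive_key(passphrase, WRAP_SALT), len(key_file)))


def unwrap_key_file(wrapped: bytes, passphrase: bytes) -> bytes:
    return xor(wrapped, keystream(derive_key(passphrase, WRAP_SALT), len(wrapped)))


def unlock_single_factor(key_file: bytes) -> bytes:
    """Alternative 1 from the mail: an unencrypted key file on the first
    partition. Whoever holds the file holds the volume key."""
    return derive_key(key_file, VOLUME_SALT)


def unlock_two_factor(wrapped_key_file: bytes, passphrase: bytes) -> bytes:
    """Encrypted key file: the volume key is reachable only with both the
    file (something you have) and the pass phrase (something you know).
    A wrong pass phrase or a wrong file yields a different, useless key."""
    return derive_key(unwrap_key_file(wrapped_key_file, passphrase), VOLUME_SALT)


if __name__ == "__main__":
    wrapped = wrap_key_file(KEY_FILE, PASSPHRASE)
    print("pass phrase ->", len(derive_key(PASSPHRASE, VOLUME_SALT)), "byte key")
    print("key file    ->", len(derive_key(KEY_FILE, VOLUME_SALT)), "byte key")
    print("both factors correct:",
          unlock_two_factor(wrapped, PASSPHRASE) == unlock_single_factor(KEY_FILE))
    print("wrong pass phrase:   ",
          unlock_two_factor(wrapped, b"wrong") == unlock_single_factor(KEY_FILE))
    print("wrong key file:      ",
          unlock_two_factor(wrap_key_file(bytes(4096), PASSPHRASE), PASSPHRASE)
          == unlock_single_factor(KEY_FILE))
```

The run shows that both inputs collapse to the same 32-byte key length, that the wrapped file unlocks only when file and pass phrase are both right, and, by inspection of `wrap_key_file`, that a guess against the pass phrase protecting the key file costs the same single PBKDF2 run as a guess against a pass-phrase-only volume, which is the bound the reply's point 1 describes.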