Richard Fish wrote:

>> http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS
>
> This guide seems reasonable. I think the current live CD includes the
> version of cryptsetup that understands LUKS though, so it shouldn't be
> necessary to download that. And I prefer to randomize the disk by
> encrypting with a random password before I set up the actual mapping.
>
> If you want to get started on this before your new laptop arrives, I
> suggest starting with the initramfs and encrypting swap only. You
> should be able to create an initramfs that will set up the mapping and
> do the swapon before your root filesystem mounts. Once you have that
> working, and are comfortable with how the initramfs works, you can
> move on to your root filesystem.

I followed that guide and have now managed to boot from my encrypted
root-fs, using the current genkernel, which provides LUKS support via
--luks. Doing it this way I skipped the init-script on that page completely.

But this only works for /root, not for swap.

As my goal is to encrypt root and swap *and* use suspend2, I had to take
slightly different paths from the ones the mentioned howto describes.

There are various HOWTOs out there, but none that exactly meets my
requirements. (For example I also tried genkernel-luks 3.1.0, but as far
as I can see, this is already merged into the current genkernel 3.4.0.)

Would you recommend using the initramfs from the HOWTO, or might there
be another way of doing it, staying closer to the genkernel way of doing it?

-

I also didn't fully understand that note about having two
swap partitions, one for swap and one for suspend: Wouldn't the
suspended image be unencrypted?

-

Are there any comparisons between the speed of using
aes-cbc-essiv:sha256, 128bit and
aes-cbc-essiv:sha256, 256bit?

I am writing this on my P4-M 1.8GHz, using this root partition:

/dev/mapper/root is active:
  cipher:  serpent-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/hda6
  offset:  2056 sectors
  size:    20111261 sectors
  mode:    read/write

and the performance seems OK to me. But it could always be better ;)
I will have a look through the docs to see the security implications of
using "only" 128bit.

Greetings, Stefan.
--
gentoo-user@g.o mailing list
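The `cryptsetup status` block quoted in the mail is what one reads when weighing 128-bit against 256-bit keys. As an added example (not from the thread, and not cryptsetup's own tooling), this Python snippet parses such output, splits the cipher spec into algorithm, chaining mode and IV generator, converts the size from sectors, and checks the mapping against an assumed minimal policy (key length and an ESSIV-style IV generator for CBC):

```python
import re

# Constructed sample input: the `cryptsetup status` output quoted in the mail above.
SAMPLE_STATUS = """\
/dev/mapper/root is active:
  cipher:  serpent-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/hda6
  offset:  2056 sectors
  size:    20111261 sectors
  mode:    read/write
"""

SECTOR_BYTES = 512  # dm-crypt reports offset and size in 512-byte sectors


def parse_status(text):
    """Turn `cryptsetup status` output into a dict; the cipher spec is split
    into algorithm, chaining mode and IV generator (e.g. aes-cbc-essiv:sha256)."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    head = re.match(r"(\S+) is (active|inactive)", lines[0])
    if head is None:
        raise ValueError("not a cryptsetup status header: %r" % lines[0])
    info = {"name": head.group(1), "state": head.group(2)}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "cipher":
            algo, chain_mode, ivgen = (value.split("-", 2) + ["", ""])[:3]
            info.update(cipher=algo, chain_mode=chain_mode, ivgen=ivgen)
        elif key == "keysize":
            info["keysize_bits"] = int(value.split()[0])
        elif key in ("offset", "size"):
            info[key + "_sectors"] = int(value.split()[0])
        else:
            info[key] = value  # device, mode (read/write), ...
    info["size_mib"] = info.get("size_sectors", 0) * SECTOR_BYTES / 2 ** 20
    return info


def check_policy(info, min_bits=128):
    """Return findings against an assumed minimal policy (not from the mail):
    key of at least min_bits, and CBC only with an ESSIV-style IV generator."""
    findings = []
    if info.get("keysize_bits", 0) < min_bits:
        findings.append("key size %d < %d bits" % (info.get("keysize_bits", 0), min_bits))
    if info.get("chain_mode") == "cbc" and not info.get("ivgen", "").startswith("essiv"):
        findings.append("cbc with IV generator %r; essiv:<hash> is preferred" % info.get("ivgen"))
    return findings
```

Feed it the output of `cryptsetup status <name>` on a real system to get the same dict and findings for your own mappings.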