| 1 |
Richard Fish wrote: |
| 2 |
|
| 3 |
>> http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS |
| 4 |
> |
| 5 |
> This guide seems reasonable. I think the current live CD includes the |
| 6 |
> version of cryptsetup that understands LUKS though, so it shouldn't be |
| 7 |
> necessary to download that. And I prefer to randomize the disk by |
| 8 |
> encrypting with a random password before I setup the actual mapping. |
| 9 |
> |
| 10 |
> If you want to get started on this before your new laptop arrives, I |
| 11 |
> suggest starting with the initramfs and encrypting swap only. You |
| 12 |
> should be able to create an initramfs that will setup the mapping and |
| 13 |
> do the swapon before your root filesystem mounts. Once you have that |
| 14 |
> working, and are comfortable with how the initramfs works, you can |
| 15 |
> move on to your root filesystem. |
| 16 |
|
| 17 |
I followed that guide and have now managed to boot from my encrypted |
| 18 |
root-fs, using the current genkernel, which provides LUKS-support via |
| 19 |
--luks. Doing it this way I skipped the init-script on that page completely. |
| 20 |
|
| 21 |
But this only works for /root, not for swap. |
| 22 |
|
| 23 |
As my goal is to encrypt root and swap *and* use suspend2, I had to go |
| 24 |
slightly different paths than the mentioned howto says. |
| 25 |
|
| 26 |
There are various HOWTOs out there, but no one that exactly meets my |
| 27 |
requirements. (For example I also tried genkernel-luks 3.1.0, but AFAI |
| 28 |
can see, this is already merged into the current genkernel 3.4.0) |
| 29 |
|
| 30 |
Would you recommend to use the initramfs from the HOWTO, or might there |
| 31 |
be another way of doing it, staying closer at the genkernel-way of doing it? |
| 32 |
|
| 33 |
- |
| 34 |
|
| 35 |
I also didn't fully understand that note about having two |
| 36 |
swap-partitions, one for swap and one for suspend: Wouldn't the |
| 37 |
suspended image be unencrypted? |
| 38 |
|
| 39 |
- |
| 40 |
|
| 41 |
Are there any comparisons between the speed of using |
| 42 |
aes-cbc-essiv:sha256, 128bit and |
| 43 |
aes-cbc-essiv:sha256, 256bit ? |
| 44 |
|
| 45 |
I write this on my P4-M 1.8GHz, using this root-partition: |
| 46 |
|
| 47 |
/dev/mapper/root is active: |
| 48 |
cipher: serpent-cbc-essiv:sha256 |
| 49 |
keysize: 256 bits |
| 50 |
device: /dev/hda6 |
| 51 |
offset: 2056 sectors |
| 52 |
size: 20111261 sectors |
| 53 |
mode: read/write |
| 54 |
|
| 55 |
|
| 56 |
and the performance seems OK to me. But it could always be better ;) |
| 57 |
I will have a look through the docs to see the security-implications of |
| 58 |
using "only" 128bit. |
| 59 |
|
| 60 |
Greetings, Stefan. |
| 61 |
-- |
| 62 |
gentoo-user@g.o mailing list |
Archives