| 1 |
On 8/19/06, Stefan G. Weichinger <lists@×××××.at> wrote: |
| 2 |
> Would you recommend to use the initramfs from the HOWTO, or might there |
| 3 |
> be another way of doing it, staying closer at the genkernel-way of doing it? |
| 4 |
|
| 5 |
Well genkernel also allows you to specify a custom linuxrc |
| 6 |
(--linuxrc=). This is probably the route I would take with genkernel. |
| 7 |
The default is in /usr/share/genkernel/generic/linuxrc, which you can |
| 8 |
use for inspiration. Generally that script does everything that you |
| 9 |
will want to do, just not in the order you want to do it in. |
| 10 |
|
| 11 |
You have a few options for this setup. If you don't mind typing your |
| 12 |
password twice, you can just use cryptsetup twice in your linuxrc to |
| 13 |
decrypt swap and root. Actually, with suspend2 usage, you would |
| 14 |
probably have something like: |
| 15 |
|
| 16 |
cryptsetup ... crypt_swap |
| 17 |
if test -f /proc/suspend2/resume2; then |
| 18 |
devnum=`busybox stat -c "0x%.2t%.2T" /dev/mapper/crypt_swap` |
| 19 |
echo $devnum >/proc/suspend2/resume2 |
| 20 |
fi |
| 21 |
if test -f /proc/suspend2/do_resume; then |
| 22 |
echo > /proc/suspend2/do_resume |
| 23 |
fi |
| 24 |
# didn't resume, so continue booting |
| 25 |
cryptsetup ... crypt_root |
| 26 |
... |
| 27 |
|
| 28 |
An option to allow typing your password once duing bootup is to |
| 29 |
suspend to a file on the root filesystem, and encrypt your swap |
| 30 |
partition randomly. I've never tried this, but I expect the resume |
| 31 |
part would be something like: |
| 32 |
|
| 33 |
cryptsetup ... crypt_root |
| 34 |
mount -o ro /dev/mapper/crypt_root /mnt/newroot |
| 35 |
if test -f /proc/suspend2/resume2; then |
| 36 |
echo "/mnt/newroot/.suspend.img" >/proc/suspend2/resume2 |
| 37 |
fi |
| 38 |
if test -f /proc/suspend2/do_resume; then |
| 39 |
echo > /proc/suspend2/do_resume |
| 40 |
fi |
| 41 |
|
| 42 |
Another option if you want to keep a single combined swap/suspend2 |
| 43 |
'partition' is to use LVM. In this case, you would combine your swap |
| 44 |
and root partitions, and setup a dm-crypt mapping. On the encrypted |
| 45 |
volume, you make an LVM physical volume, create a volume group on the |
| 46 |
pv, and then create logical volumes within the volume group. It |
| 47 |
sounds complex, but it really isn't too hard. The bootup sequence |
| 48 |
there looks like: |
| 49 |
|
| 50 |
cryptsetup ... crypt_pv |
| 51 |
vgchange -a y |
| 52 |
if test -f /proc/suspend2/resume2; then |
| 53 |
devnum=`busybox stat -c "0x%.2t%.2T" /dev/mapper/vg0-swap` |
| 54 |
echo $devnum >/proc/suspend2/resume2 |
| 55 |
fi |
| 56 |
if test -f /proc/suspend2/resume2; then |
| 57 |
echo "/mnt/newroot/.suspend.img" >/proc/suspend2/resume2 |
| 58 |
fi |
| 59 |
# didn't resume, so continue booting |
| 60 |
mount -o ro /dev/mapper/vg0-root /mnt/newroot |
| 61 |
... |
| 62 |
|
| 63 |
You do have to remember to update your lvm configuration to scan |
| 64 |
encrypted device-mapper volumes: |
| 65 |
|
| 66 |
filter = [ "a|/dev/mapper/crypt_*|", "r|/dev/mapper/*|" ] |
| 67 |
|
| 68 |
> Are there any comparisons between the speed of using |
| 69 |
> aes-cbc-essiv:sha256, 128bit and |
| 70 |
> aes-cbc-essiv:sha256, 256bit ? |
| 71 |
|
| 72 |
I don't have any comparisons, but it should be easy enough for you to |
| 73 |
create. Just setup a bare (not luks) mapping and do: |
| 74 |
|
| 75 |
dd if=/dev/mapper/crypt_foo of=/dev/null bs=64k count=49152 |
| 76 |
|
| 77 |
This will read 3G of 'encrypted' data from the drive. You can do this |
| 78 |
without affecting any data on the disk, as long as you do *not* |
| 79 |
luksFormat it. Remember to keep an eye on the CPU usage of this with |
| 80 |
vmstat or top as well. |
| 81 |
|
| 82 |
> /dev/mapper/root is active: |
| 83 |
> cipher: serpent-cbc-essiv:sha256 |
| 84 |
|
| 85 |
Generally I've found AES to be slightly faster... |
| 86 |
|
| 87 |
> and the performance seems OK to me. But it could always be better ;) |
| 88 |
> I will have a look through the docs to see the security-implications of |
| 89 |
> using "only" 128bit. |
| 90 |
|
| 91 |
Just be sure to keep in mind the type of data you have and who you are |
| 92 |
trying to defend against. Researching encryption on the net is a |
| 93 |
quick way to get irrationally paranoid. The bottom line is that |
| 94 |
everything can be broken given enough time and money. |
| 95 |
|
| 96 |
So if you work for the CIA and keep the secret identies of all spies |
| 97 |
and informants on your laptop, well, then dm-crypt is not sufficient |
| 98 |
to begin with. If you work for my investment brokerage and have all |
| 99 |
your customers' financial records on your disk, I want you to use |
| 100 |
256-bit encryption. If it is just your bank records and personal |
| 101 |
emails, use whatever you want. |
| 102 |
|
| 103 |
-Richard |
| 104 |
-- |
| 105 |
gentoo-user@g.o mailing list |
Archives