1 |
On 8/19/06, Stefan G. Weichinger <lists@×××××.at> wrote: |
2 |
> Would you recommend to use the initramfs from the HOWTO, or might there |
3 |
> be another way of doing it, staying closer at the genkernel-way of doing it? |
4 |
|
5 |
Well genkernel also allows you to specify a custom linuxrc |
6 |
(--linuxrc=). This is probably the route I would take with genkernel. |
7 |
The default is in /usr/share/genkernel/generic/linuxrc, which you can |
8 |
use for inspiration. Generally that script does everything that you |
9 |
will want to do, just not in the order you want to do it in. |
10 |
|
11 |
You have a few options for this setup. If you don't mind typing your |
12 |
password twice, you can just use cryptsetup twice in your linuxrc to |
13 |
decrypt swap and root. Actually, with suspend2 usage, you would |
14 |
probably have something like: |
15 |
|
16 |
cryptsetup ... crypt_swap |
17 |
if test -f /proc/suspend2/resume2; then |
18 |
devnum=`busybox stat -c "0x%.2t%.2T" /dev/mapper/crypt_swap` |
19 |
echo $devnum >/proc/suspend2/resume2 |
20 |
fi |
21 |
if test -f /proc/suspend2/do_resume; then |
22 |
echo > /proc/suspend2/do_resume |
23 |
fi |
24 |
# didn't resume, so continue booting |
25 |
cryptsetup ... crypt_root |
26 |
... |
27 |
|
28 |
An option to allow typing your password once duing bootup is to |
29 |
suspend to a file on the root filesystem, and encrypt your swap |
30 |
partition randomly. I've never tried this, but I expect the resume |
31 |
part would be something like: |
32 |
|
33 |
cryptsetup ... crypt_root |
34 |
mount -o ro /dev/mapper/crypt_root /mnt/newroot |
35 |
if test -f /proc/suspend2/resume2; then |
36 |
echo "/mnt/newroot/.suspend.img" >/proc/suspend2/resume2 |
37 |
fi |
38 |
if test -f /proc/suspend2/do_resume; then |
39 |
echo > /proc/suspend2/do_resume |
40 |
fi |
41 |
|
42 |
Another option if you want to keep a single combined swap/suspend2 |
43 |
'partition' is to use LVM. In this case, you would combine your swap |
44 |
and root partitions, and setup a dm-crypt mapping. On the encrypted |
45 |
volume, you make an LVM physical volume, create a volume group on the |
46 |
pv, and then create logical volumes within the volume group. It |
47 |
sounds complex, but it really isn't too hard. The bootup sequence |
48 |
there looks like: |
49 |
|
50 |
cryptsetup ... crypt_pv |
51 |
vgchange -a y |
52 |
if test -f /proc/suspend2/resume2; then |
53 |
devnum=`busybox stat -c "0x%.2t%.2T" /dev/mapper/vg0-swap` |
54 |
echo $devnum >/proc/suspend2/resume2 |
55 |
fi |
56 |
if test -f /proc/suspend2/resume2; then |
57 |
echo "/mnt/newroot/.suspend.img" >/proc/suspend2/resume2 |
58 |
fi |
59 |
# didn't resume, so continue booting |
60 |
mount -o ro /dev/mapper/vg0-root /mnt/newroot |
61 |
... |
62 |
|
63 |
You do have to remember to update your lvm configuration to scan |
64 |
encrypted device-mapper volumes: |
65 |
|
66 |
filter = [ "a|/dev/mapper/crypt_*|", "r|/dev/mapper/*|" ] |
67 |
|
68 |
> Are there any comparisons between the speed of using |
69 |
> aes-cbc-essiv:sha256, 128bit and |
70 |
> aes-cbc-essiv:sha256, 256bit ? |
71 |
|
72 |
I don't have any comparisons, but it should be easy enough for you to |
73 |
create. Just setup a bare (not luks) mapping and do: |
74 |
|
75 |
dd if=/dev/mapper/crypt_foo of=/dev/null bs=64k count=49152 |
76 |
|
77 |
This will read 3G of 'encrypted' data from the drive. You can do this |
78 |
without affecting any data on the disk, as long as you do *not* |
79 |
luksFormat it. Remember to keep an eye on the CPU usage of this with |
80 |
vmstat or top as well. |
81 |
|
82 |
> /dev/mapper/root is active: |
83 |
> cipher: serpent-cbc-essiv:sha256 |
84 |
|
85 |
Generally I've found AES to be slightly faster... |
86 |
|
87 |
> and the performance seems OK to me. But it could always be better ;) |
88 |
> I will have a look through the docs to see the security-implications of |
89 |
> using "only" 128bit. |
90 |
|
91 |
Just be sure to keep in mind the type of data you have and who you are |
92 |
trying to defend against. Researching encryption on the net is a |
93 |
quick way to get irrationally paranoid. The bottom line is that |
94 |
everything can be broken given enough time and money. |
95 |
|
96 |
So if you work for the CIA and keep the secret identies of all spies |
97 |
and informants on your laptop, well, then dm-crypt is not sufficient |
98 |
to begin with. If you work for my investment brokerage and have all |
99 |
your customers' financial records on your disk, I want you to use |
100 |
256-bit encryption. If it is just your bank records and personal |
101 |
emails, use whatever you want. |
102 |
|
103 |
-Richard |
104 |
-- |
105 |
gentoo-user@g.o mailing list |