Alexander Skwar wrote:

>Richard Fish wrote:
>
>>Pupeno wrote:
>>
>>>>I use the dm-crypt from the kernel....
>>>>
>>>I've read that it is unsecure and I also read that it is not yet very well
>>>supported.
>>>
>>Dm-crypt is fairly well supported, since it is in the kernel, but I find
>>it to be harder to set up
>>
>
>hard to set up? How? What's hard about it?
>
>You just encrypt the block device and create an fs on it.
>
>/sbin/lvcreate -nToBeEnc -L5g sys \
> && echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc \
> && mkfs -t reiser4 /dev/mapper/Crypted \
> && mount /dev/mapper/Crypted /some/where
>
>Obviously, the lvcreate and mkfs steps are just a one-time step :)
>

First, I did not say dm-crypt was "hard to set up". I said I find it
harder to be set up than loop-AES. Please quote me correctly. :-)

Have you used both loop-AES and dm-crypt? I have.

If you want to know what, specifically, I find more difficult about
cryptsetup, it is the documentation. The grand sum of documentation
available for dm-crypt/cryptsetup after doing an 'emerge cryptsetup' is
"cryptsetup --help". Not terribly informative compared to "man losetup"
or /usr/share/doc/loop-aes-3.0d/README.gz.

And yes, I know there are better guides online, but it is not always
possible to go online.

Also, I wanted to be able to change my password. With loop-AES, this is
a simple matter of re-encrypting my key file with a new password.
cryptsetup makes this more difficult. Not impossible, just more difficult.

<advice>
Also, echoing your password on a command line to cryptsetup is an
extremely bad idea. If an attacker happens to be on your system at that
moment, a simple 'ps' will show them your passphrase. Even if you are
not worried about that, you should still take special precautions
regarding the shell history file. Otherwise all someone has to do is
crack your system while it is up and cat your .bash_history file.
</advice>

>>and less 'flexible' than loop-AES (the changing
>>passphrase thing, for example).
>>
>
>Any other example?
>

Sure:

o Ability to specify encryption parameters in fstab.
o Automatic cleanup of the encrypted device when the filesystem is
  unmounted.
o Additional security options, if someone really requires them.

-Richard

--
gentoo-user@g.o mailing list
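
A check for the shell-history exposure raised in the advice above, added here as an example that is not part of the original thread: it flags history lines that pipe a literal string into cryptsetup and reports only the file and line number. The function names, the pattern and the sample history (including the `hunter2` line) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a shell history file for
# commands that feed a literal passphrase to cryptsetup.

# Assumed pattern: echo/printf piped into cryptsetup, or a here-string passed to it.
LEAK_RE='(echo|printf)[[:space:]]+[^|]+\|[[:space:]]*([^[:space:]]*/)?cryptsetup([[:space:]]|$)|cryptsetup[^|;&]*<<<'

# make_sample: write a constructed history file and print its path.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
ls -l /dev/mapper
/sbin/lvcreate -nToBeEnc -L5g sys
echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc
cryptsetup create Crypted /dev/sys/ToBeEnc
printf '%s' hunter2 | cryptsetup create Other /dev/sys/Other
echo done | tee /tmp/log
EOF
    printf '%s\n' "$f"
}

# count_leaks FILE: number of history lines matching the pattern.
count_leaks() {
    grep -cE "$LEAK_RE" "$1" || true
}

# audit_history FILE: report file and line number only, so the report itself
# never repeats the passphrase.
audit_history() {
    [ -r "$1" ] || return 2
    grep -nE "$LEAK_RE" "$1" | while IFS=: read -r lineno rest; do
        printf '%s:%s: literal passphrase piped to cryptsetup\n' "$1" "$lineno"
    done
}

# Demo on the constructed sample; point audit_history at a real history file
# (for example ~/.bash_history) to check an actual account.
sample=$(make_sample)
audit_history "$sample"
rm -f "$sample"
```

A passphrase found this way should be treated as exposed and changed; removing the history line alone does not undo the exposure.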