| 1 |
Alexander Skwar wrote: |
| 2 |
|
| 3 |
>Richard Fish schrieb: |
| 4 |
> |
| 5 |
> |
| 6 |
>>Pupeno wrote: |
| 7 |
>> |
| 8 |
>> |
| 9 |
>> |
| 10 |
>>>>I use the dm-crypt from the kernel.... |
| 11 |
>>>> |
| 12 |
>>>> |
| 13 |
>>>> |
| 14 |
>>>> |
| 15 |
>>>I've read that it is unsecure and I also read that it is not yet vory well |
| 16 |
>>>suported. |
| 17 |
>>> |
| 18 |
>>> |
| 19 |
>>> |
| 20 |
>>> |
| 21 |
>>Dm-crypt is fairly well supported, since it is in the kernel, but I find |
| 22 |
>>it to be harder to setup |
| 23 |
>> |
| 24 |
>> |
| 25 |
> |
| 26 |
>hard to setup? How? What's hard about it? |
| 27 |
> |
| 28 |
>You just encrypt the block device and create an fs on it. |
| 29 |
> |
| 30 |
>/sbin/lvcreate -nToBeEnc -L5g sys \ |
| 31 |
> && echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc \ |
| 32 |
> && mkfs -t reiser4 /dev/mapper/Crypted \ |
| 33 |
> && mount /dev/mapper/Crypted /some/where |
| 34 |
> |
| 35 |
>Obviously, the lvcreate and mkfs steps are just a one time step :) |
| 36 |
> |
| 37 |
> |
| 38 |
> |
| 39 |
|
| 40 |
First, I did not say dm-crypt was "hard to setup". I said I find it |
| 41 |
harder to be setup than loop-AES. Please quote me correctly. :-) |
| 42 |
|
| 43 |
Have you used both loop-AES and dm-crypt? I have. |
| 44 |
|
| 45 |
If you want to know what, specifically, I find more difficult about |
| 46 |
cryptsetup, it is the documentation. The grand sum of documentation |
| 47 |
available for dm-crypt/cryptsetup after doing an 'emerge cryptsetup' is |
| 48 |
"cryptsetup --help". Not terribly informative compared to "man losetup" |
| 49 |
or /usr/share/doc/loop-aes-3.0d/README.gz. |
| 50 |
|
| 51 |
And yes, I know there are better guides online, but it is not always |
| 52 |
possible to go online. |
| 53 |
|
| 54 |
Also, I wanted to be able to change my password. With loop-AES, this is |
| 55 |
a simple matter of re-encrypting my key file with a new password. |
| 56 |
cryptsetup makes this more difficult. Not impossible, just more difficult. |
| 57 |
|
| 58 |
<advice> |
| 59 |
Also, echoing your password on a command line to cryptsetup is an |
| 60 |
extremely bad idea. If an attacker happens to be on your system at that |
| 61 |
moment, a simple 'ps' will show them your passphrase. Even if you are |
| 62 |
not worried about that, you should still take special precautions |
| 63 |
regarding the shell history file. Otherwise all someone has to do is |
| 64 |
crack your system while it is up and cat your .bash_history file. |
| 65 |
</advice> |
| 66 |
|
| 67 |
>>and less 'flexible' than loop-AES (the changing |
| 68 |
>>passphrase thing, for example). |
| 69 |
>> |
| 70 |
>> |
| 71 |
> |
| 72 |
>Any other example? |
| 73 |
> |
| 74 |
> |
| 75 |
|
| 76 |
Sure: |
| 77 |
|
| 78 |
o Ability to specify encryption parameters in fstab. |
| 79 |
o Automatic cleanup of the encrypted device when the filesystem is |
| 80 |
unmounted. |
| 81 |
o Additional security options, if someone really requires them. |
| 82 |
|
| 83 |
-Richard |
| 84 |
|
| 85 |
-- |
| 86 |
gentoo-user@g.o mailing list |
Archives