In the past year progress has been made with dm-crypt and luks being available
for F7 although with some residual bugs which were never resolved.

It is therefore possible to arrange to have F7 running with an encrypted swap
area, and encrypted /home for example.

I wonder what experience others have had with this?

The other question I have is to ask whether anyone has had problems when
installing F8 on a machine which has been running encrypted swap and
encrypted /home?

Ideally one should be able to do a clean install leaving the encrypted swap
as well as the encrypted /home in place as partitions separate from the root
partition.

Has anyone tried this? Is Fedora set up to properly support disk encryption
in this way? After all anybody running a laptop with sensitive information on
it would reasonably wish to use disk encryption to safeguard the information in
the event of the laptop being stolen. I don't know whether RHEL is any better
at supporting this essential facility.

I would imagine that many companies might not allow employees to use a laptop
for work unless it had secure disk encryption?

Can any experts who know about this comment please?

If disk encryption using dm-crypt/luks is not fully supported then what tools
or changes might be required within the distribution to properly support this
facility? Is this going to get more support in F9?

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Mike <mike.cloaked <at> gmail.com> writes:

> Can any experts who know about this comment please?
>
> If disk encryption using dm-crypt/luks is not fully supported then what tools
> or changes might be required within the distribution to properly support this
> facility? Is this going to get more support in F9?

No-one interested in disk encryption? It is I understand supported
well in Ubuntu! Fedora should be just as secure in this regard - surely?




--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike wrote:
> Mike <mike.cloaked <at> gmail.com> writes:
>
>> Can any experts who know about this comment please?
>>
>> If disk encryption using dm-crypt/luks is not fully supported then what tools
>> or changes might be required within the distribution to properly support this
>> facility? Is this going to get more support in F9?
>
> No-one interested in disk encryption? It is I understand supported
> well in Ubuntu! Fedora should be just as secure in this regard - surely?


Your question might be better asked on a different list. This a 'help'
type list.

https://www.redhat.com/mailman/listinfo/fedora-test-list

or

https://www.redhat.com/mailman/listinfo/fedora-devel-list


- --


David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)

iEYEARECAAYFAkd5N5IACgkQAO0wNI1X4QG2JQCfTI/YqHNX0Y3jBrAfu+QiT3LO
KocAn0wUsRtgwnKJkc3NzHBbv9/qlCAr
=kTKO
-----END PGP SIGNATURE-----

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Mike wrote:

Mike <mike.cloaked <at> gmail.com> writes:



Can any experts who know about this comment please?

If disk encryption using dm-crypt/luks is not fully supported then what tools
or changes might be required within the distribution to properly support this
facility? Is this going to get more support in F9?



No-one interested in disk encryption? It is I understand supported
well in Ubuntu! Fedora should be just as secure in this regard - surely?





*** I'd just add that in most companies and government agencies these
days require laptops be encrypted - even retail stores do these days -
so it would be nice if it worked better out of the box. We are not
there yet.



*** Encrypted swap can be made to work using luks and /etc/crypttab -
which does work fine. There is a warning at boot about the swap device
not being able to be resumed - which while a true statement is
irrelevant in a cold boot setting. But it encrypted swap does at least
work and is quite straightforward to set up. (You cannot use
sleep/hibernate/freeze resume however).

*

*** Be warned however that upon fresh install of F8 the swap partition
will be used as regular swap which you need to fix again by hand after
you have installed F8. To be safe one should rerandmomize the swap
partition to avoid information leakage. Anaconda knows nothing about
encrypted anything - including swap or any partition.



** Encrypted partitions (in F7) such as /home do not work correctly
when in /etc/crypttab - the passphrase cannot be entered - and it is
asked multiple times .. anyway there is a work around using a hand
crafted script out of /etc/rc.local. I have not tried this in F8 but I
doubt it is any different.



* Encrypted root has no chance yet - at a minimum it requires the
updated mkinitrd.



* It is my current view that encrypted root - while appealing in some
ways - may be more problematic than its worth. And that* encrypting
swap and /home in addition to doing a mount --rebind of /tmp and
/var/tmp onto the encrypted partition is pretty reasonable from a
security standpoint. And it is workable on fedora - albeit by hand. And
will ensure your laptop is always bootable - which is a nice benefit!!



** g





**

*



***




--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

David Boles <dgboles <at> gmail.com> writes:


> Your question might be better asked on a different list. This a 'help'
> type list.
>
> https://www.redhat.com/mailman/listinfo/fedora-test-list
>
> or
>
> https://www.redhat.com/mailman/listinfo/fedora-devel-list

Indeed this is possible - but I thought I would test the water on this list
to see if anyone else (as a user) was interested in this, and whether they
needed help or if further upstream support was required before anyone could
get this to work properly. From the other reply to your post it seems that
some have got disk encryption to work - but it can be hard work by the sound
of it.

I will ask further on the devel list - but I want to see what responses appear
here first.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

I am curious about this as well but i'd say if someone has access to your harddrive then you are screwed anyway, at that point it simply becomes a matter of time before they find a way to crack your encryption. Probably better off focusing your attention on keeping people out.

Mike <mike.cloaked@gmail.com> wrote: Mike gmail.com> writes:

> Can any experts who know about this comment please?
>
> If disk encryption using dm-crypt/luks is not fully supported then what tools
> or changes might be required within the distribution to properly support this
> facility? Is this going to get more support in F9?

No-one interested in disk encryption? It is I understand supported
well in Ubuntu! Fedora should be just as secure in this regard - surely?




--

fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list




Never miss a thing. Make Yahoo your homepage.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

On Mon, 2007-12-31 at 18:23 +0000, Mike wrote:
> No-one interested in disk encryption? It is I understand supported
> well in Ubuntu! Fedora should be just as secure in this regard -
> surely?

Perhaps you should wait until after the new years break, probably people
are paying less attention to the list at the moment than at other times.

--
[tim@bigblack ~]$ uname -ipr
2.6.23.1-10.fc7 i686 i386

Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.



--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Tim <ignored_mailbox <at> yahoo.com.au> writes:

> Perhaps you should wait until after the new years break, probably people
> are paying less attention to the list at the moment than at other times.
>

I would like to get the views of developers but I guess they mostly frequent
fedora-devel rather than here. As you say I will see what gets posted
after New Year - Happy New Year to you all.


--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

On Mon, Dec 31, 2007 at 22:41:14 +0000,
Mike <mike.cloaked@gmail.com> wrote:
> Tim <ignored_mailbox <at> yahoo.com.au> writes:
>
> > Perhaps you should wait until after the new years break, probably people
> > are paying less attention to the list at the moment than at other times.
> >
>
> I would like to get the views of developers but I guess they mostly frequent
> fedora-devel rather than here. As you say I will see what gets posted
> after New Year - Happy New Year to you all.

Take a look at:
http://fedoraproject.org/wiki/Releases/FeatureEncryptedFilesystems

In addition to lots of references there, I have seen an announcement that
the latest rawhide install disk can install encrypted partitions in at
least some cases. I haven't tested yet though.

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Mike wrote:

Bruno Wolff III <bruno <at> wolff.to> writes:


Take a look at:
http://fedoraproject.org/wiki/Releases/FeatureEncryptedFilesystems

In addition to lots of references there, I have seen an announcement that
the latest rawhide install disk can install encrypted partitions in at
least some cases. I haven't tested yet though.


Thanks Bruno that is useful - would be nice to know if this is being planned for
a specific release (F9?) or just a future wish list...


It is not targeted for a specific release yet. The category listed at
the end of the wiki would denote a specific release if it was targeted.


Rahul

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list