On 05/07/2010 11:14 PM, Stefan G. Weichinger wrote:
> Am 07.05.2010 16:24, schrieb Stefan G. Weichinger:
>> Am 07.05.2010 10:53, schrieb Stefan G. Weichinger:
>>> I think I am gonna file a bug for this now.
> Aside from the potential bug:
> As I store the "verysekrit.key" on the same hdd as the encrypted
> device and use the rather simple shadowed password to decrypt that
> key ... isn't that just plain stupid?
> The overall security is just as good as my password. Cracking it with
> john opens the key to decrypting the LUKS-volume ...
> Yes, if I would store the key on another volume (stick or something)
> as mentioned in that howto it would make sense but in my case ...
> *scratches head* ;-)
I prefer to encrypt my entire harddisk. Well - a huge partition (excl.
only Windows and Solaris) which I encrypt, then the decrypted
partition is used as a PV for LVM and all OS and partitions are in LVs.
This way I have to type in the password to decrypt the PV once, and all
LVs are decrypted. Then I have to use a second PW to login of course. As
all Linux distros support encrypted roots and LVM nowadays I have
Gentoo, Fedora and Ubuntu all in the same VG. The speed disadvantage is
small, as my CPU+RAM is so much faster than the HDD. But in terms of
security it's better to have everything encrypted, because it makes it
more difficult to manipulate your system to get the key (the kernel is
still unencrypted), and no possibly private information can be obtained
from /tmp and /var. I compile all needed modules into the kernel, so I
don't need to recreate my initrd for every new kernel.
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
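As an added example (not from this thread or its posters), a small shell helper that lays out the scheme the reply describes: one LUKS container on the big partition, opened and used as the single LVM PV, with one LV per distro inside the VG so that one passphrase unlocks everything. The device, mapper and VG names are placeholders; with DRY_RUN=1 (the default) it only prints the command plan instead of touching any disk.

```shell
#!/usr/bin/env bash
# Added example: LUKS container -> LVM PV -> one VG -> one LV per distro.
# Placeholders: DEV is the partition to encrypt, MAPNAME the dm-crypt
# mapping, VG the volume group. Nothing runs unless DRY_RUN=0 as root.
set -euo pipefail

DEV="${DEV:-/dev/sdX2}"        # placeholder partition
MAPNAME="${MAPNAME:-cryptpv}"  # /dev/mapper/<MAPNAME> becomes the PV
VG="${VG:-vg0}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# plan_layout DEV MAPNAME VG name:size [name:size ...]
# Builds the whole stack bottom-up. The LUKS passphrase is the only
# secret; no key file sits on the disk it protects.
plan_layout() {
  local dev=$1 map=$2 vg=$3
  shift 3
  run cryptsetup luksFormat "$dev"          # prompts for the passphrase
  run cryptsetup luksOpen "$dev" "$map"     # prompts again, creates the mapping
  run pvcreate "/dev/mapper/$map"           # PV lives inside the container
  run vgcreate "$vg" "/dev/mapper/$map"
  local spec
  for spec in "$@"; do
    # "${spec%%:*}" is the LV name, "${spec#*:}" its size
    run lvcreate -L "${spec#*:}" -n "${spec%%:*}" "$vg"
  done
}

# Count the steps a plan would take; handy for sanity-checking a spec list.
plan_steps() {
  plan_layout "$@" | grep -c .
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  plan_layout "$DEV" "$MAPNAME" "$VG" gentoo:20G fedora:20G ubuntu:20G swap:4G
fi
```

Each distro's initrd then only needs to open the one container and activate the VG; the kernel itself stays outside the container, as the reply notes.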