Old 09-04-2012, 07:09 PM
Florian Philipp
 
Default dm-crypt + ext4 = where will the journal go?

On 04.09.2012 20:27, Michael Mol wrote:
> On Tue, Sep 4, 2012 at 2:18 PM, Florian Philipp <lists@binarywings.net> wrote:
>> On 04.09.2012 19:37, Hinnerk van Bruinehsen wrote:
>>> On 04.09.2012 15:48, "Roland Häder" wrote:
>>>> I think I made a (tolerable) mistake:
>>>
>>>> My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
>>>> encrypted root
>>>
>>>> How should it boot? One way could be by external media (e.g.
>>>> stick), other is from hard drive. But that is encrypted. So I must
>>>> leave a small area left for kernel, initrd, System.map and maybe
>>>> config.
>>>
>>>> So the page at [1] is a little wrong because it misses the boot
>>>> partition, so the new layout should be: - sda1 - unencrypted boot
>>>> (/boot) partition - sda2 - encrypted swap (at least double
>>>> your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)
>>>
>>>> Can someone update this?
>>>
>>>> Regards, Roland
>>>
>>>> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
>>>
>>>
>>> In theory grub2 is able to open a luks-encrypted volume though it
>>> seems to have some disadvantages: you'll need to enter the passphrase
>>> (or pass the keyfile) two times, because grub itself needs to decrypt
>>> the volume to get the later stages from the encrypted volume and
>>> afterwards the decryption in the boot process itself takes place.
>>>
>>> I can't give any real advice about it though, because I use an
>>> unencrypted boot partition. Depending on your needs it could be an
>>> increase of security, because you can stop an attacker from injecting
>>> malicious code into your kernel (or replace it completely).
>>>
>>> WKR
>>> Hinnerk
>>
>>
>> For personal use, I see no point in using an encrypted boot partition.
>> An attacker needs physical or root access to change the kernel or initrd
>> in order to get to your encrypted data. In both cases, you are hosed
>> anyway (keyloggers, etc.).
>
> Now you've got me pondering cryptographically-verified input devices.
> But perhaps a paired USB key fob with a challenge/response setup would
> be reasonable.
>
>

Don't forget to look for hidden cameras or telescopes pointed at nearby
windows. You also have to worry about the characteristic electromagnetic
interference caused by your input devices (you don't need to wear a
tinfoil hat but maybe your keyboard should ;-) ).

Once you start to worry, there is no end.

This seems to be of interest:
http://news.cnet.com/8301-10784_3-9741357-7.html

But this should not be forgotten, either:
http://xkcd.com/538/

Regards,
Florian Philipp
 
Old 09-04-2012, 07:47 PM
Michael Mol
 
Default dm-crypt + ext4 = where will the journal go?

On Tue, Sep 4, 2012 at 3:40 PM, "Roland Häder" <r.haeder@web.de> wrote:
>> 1. Maybe it would be a good idea to use an ASCII-only random string, for
>> example by piping it through `base64 -w 0`. That way you don't lose any
>> entropy (the key just gets longer) but it is easier to type the keyfile
>> manually, in case you ever need to. You also don't have to worry about
>> odd behavior of password prompts anymore.
> I think that is now too late? I have already formatted it and added ext4 on it plus installed some packages already (was a long way).
>
>>
>> 2. You should `shred` key.out instead of `rm`.
> That key file was on RAM disk, not on real.

So shred your swap partition. :P


--
:wq
 
Old 09-04-2012, 08:09 PM
Neil Bothwick
 
Default dm-crypt + ext4 = where will the journal go?

On Tue, 04 Sep 2012 10:53:38 -0500, Dale wrote:

> If you are using hibernate/suspend thingys then that is different.
> Isn't that when it has to be at least as much swap as you have ram?

Not necessarily because the data is compressed before saving, but you
can't know how much it is going to compress, so only if your RAM is all
used up with incompressible data (an unlikely scenario) will you need
that much.

Not that hibernating a system with 16GB is ever going to be fast enough
to be worth bothering with. As Alan has discovered, it can take longer
than a cold boot.


--
Neil Bothwick

"Be strict when sending and tolerant when receiving."
RFC 1958 - Architectural Principles of the Internet - section 3.9
 
Old 09-04-2012, 08:14 PM
Neil Bothwick
 
Default dm-crypt + ext4 = where will the journal go?

On Tue, 04 Sep 2012 20:59:34 +0200, Florian Philipp wrote:

> I just have to make sure to leave nothing private on root, /usr or /etc.

Like your passwd and shadow files?


--
Neil Bothwick

Ifyoucanreadthis,youspendtoomuchtimefiguringouttaglines.
 
Old 09-04-2012, 08:15 PM
Neil Bothwick
 
Default dm-crypt + ext4 = where will the journal go?

On Tue, 04 Sep 2012 19:37:16 +0200, Hinnerk van Bruinehsen wrote:

> In theory grub2 is able to open a luks-encrypted volume though it
> seems to have some disadvantages: you'll need to enter the passphrase
> (or pass the keyfile) two times, because grub itself needs to decrypt
> the volume to get the later stages from the encrypted volume and
> afterwards the decryption in the boot process itself takes place.

You don't need to mount /boot as part of the boot process, only when you
want to install a new kernel or reconfigure the bootloader.


--
Neil Bothwick

What do you call a dead bee? - A was.
 
Old 09-04-2012, 08:36 PM
Florian Philipp
 
Default dm-crypt + ext4 = where will the journal go?

On 04.09.2012 21:40, "Roland Häder" wrote:
>> 1. Maybe it would be a good idea to use an ASCII-only random string, for
>> example by piping it through `base64 -w 0`. That way you don't lose any
>> entropy (the key just gets longer) but it is easier to type the keyfile
>> manually, in case you ever need to. You also don't have to worry about
>> odd behavior of password prompts anymore.
> I think that is now too late? I have already formatted it and added ext4 on it plus installed some packages already (was a long way).
>

Well, if you want, you can just change the pass phrase. Or even create
another one. LUKS supports multiple "key slots". Use `cryptsetup
luksAddKey` and friends.

Regards,
Florian Philipp
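
The keyfile advice quoted above and the key-slot suggestion in this reply, combined into one procedure. This is an added example, not part of the original thread; `/dev/sdXN` and `/dev/shm/key.out` are placeholders, the function names are hypothetical, and GNU coreutils plus cryptsetup are assumed.

```shell
#!/bin/sh
# Added example: ASCII-only LUKS keyfile enrolled in an additional key slot.
# /dev/sdXN and /dev/shm/key.out are placeholders, not values from the thread.

# Write NBYTES of kernel randomness, base64-encoded on a single line.
# `base64 -w 0` emits no trailing newline, so the file holds exactly the
# characters you would type at the passphrase prompt (cryptsetup reads a
# keyfile in full, newline included, but strips it from typed input).
make_keyfile() {
    path=$1 nbytes=${2:-32}
    ( umask 077 && head -c "$nbytes" /dev/urandom | base64 -w 0 > "$path" )
}

# Number of random bytes the keyfile decodes to: the encoding makes the
# key longer but does not reduce the entropy that went in.
keyfile_entropy_bytes() {
    base64 -d < "$1" | wc -c | tr -d ' '
}

# Enroll the keyfile in a free slot (cryptsetup asks for an existing
# passphrase), check that it unlocks the header, then list the slots.
# Needs root and a real LUKS device.
enroll_keyfile() {
    dev=$1 keyfile=$2
    cryptsetup luksAddKey "$dev" "$keyfile" &&
    cryptsetup open --test-passphrase --key-file "$keyfile" "$dev" &&
    cryptsetup luksDump "$dev"
}

# Overwrite the file contents, then unlink it. shred only helps where the
# filesystem overwrites data in place.
destroy_keyfile() {
    shred -u "$1"
}

# Typical session, as root:
#   make_keyfile /dev/shm/key.out
#   enroll_keyfile /dev/sdXN /dev/shm/key.out
#   (store a copy of the key somewhere safe)
#   destroy_keyfile /dev/shm/key.out
```

The old slot stays valid until it is removed with `cryptsetup luksRemoveKey` or `cryptsetup luksKillSlot`, so adding a slot never locks you out of an already formatted volume.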
 
Old 09-04-2012, 08:45 PM
Florian Philipp
 
Default dm-crypt + ext4 = where will the journal go?

On 04.09.2012 22:14, Neil Bothwick wrote:
> On Tue, 04 Sep 2012 20:59:34 +0200, Florian Philipp wrote:
>
>> I just have to make sure to leave nothing private on root, /usr or /etc.
>
> Like your passwd and shadow files?
>
>

*g*, good point. However, I'm willing to take the risk on just these
two: passwd doesn't contain anything of considerable interest. shadow
contains exactly two passwords, both as sha256-sums (or similar, did not
really check). The passwords themselves are in excess of 90 bit entropy,
depending on how you estimate it.

Most of the rest which might be of interest and is usually in /etc can
be symlinked there from a safe location in /var.

Regards,
Florian Philipp
 
Old 09-04-2012, 08:51 PM
Florian Philipp
 
Default dm-crypt + ext4 = where will the journal go?

On 04.09.2012 22:09, Neil Bothwick wrote:
> On Tue, 04 Sep 2012 10:53:38 -0500, Dale wrote:
>
>> If you are using hibernate/suspend thingys then that is different.
>> Isn't that when it has to be at least as much swap as you have ram?
>
> Not necessarily because the data is compressed before saving, but you
> can't know how much it is going to compress, so only if your RAM is all
> used up with incompressible data (an unlikely scenario) will you need
> that much.
>

I think the capability of compressing hibernate images is still limited
to sys-kernel/tuxonice-sources.

> Not that hibernating a system with 16GB is ever going to be fast enough
> to be worth bothering with. As Alan has discovered, it can take longer
> than a cold boot.
>

Yes but (at least with tuxonice) you don't need to repopulate your
in-memory disk cache which might again save you time. However, I find it
easier to just suspend. In my experience it is more stable and many
modern laptops can easily survive a week in suspension.

Regards,
Florian Philipp
 
Old 09-04-2012, 09:10 PM
Neil Bothwick
 
Default dm-crypt + ext4 = where will the journal go?

On Tue, 04 Sep 2012 22:45:07 +0200, Florian Philipp wrote:

> >> I just have to make sure to leave nothing private on root, /usr
> >> or /etc.
> >
> > Like your passwd and shadow files?

> *g*, good point. However, I'm willing to take the risk on just these
> two: passwd doesn't contain anything of considerable interest. shadow
> contains exactly two passwords, both as sha256-sums (or similar, did not
> really check). The passwords themselves are in excess of 90 bit entropy,
> depending on how you estimate it.
>
> Most of the rest which might be of interest and is usually in /etc can
> be symlinked there from a safe location in /var.

I used to do that, but as the number of sensitive directories grew -
samba, wicd, etc. - I decided it was less hassle to set up an encrypted /
and forget about it.


--
Neil Bothwick

When you go to court you are putting yourself in the hands of 12 people
that were not smart enough to get out of jury duty.
 
Old 09-04-2012, 10:03 PM
Samurai
 
Default dm-crypt + ext4 = where will the journal go?

To add my 2¢:

I have 3 working setups, done almost entirely by this http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS guide, which results in either an unencrypted /boot on the drive or booting from a stick. The resulting layout is the following:

/dev/sda1 /boot
/dev/sda2 dm-crypt container with an LVM VG atop it

In the VG are: vg-root vg-swap vg-home

All you need is to build the initram and pass it as an argument to a preconfigured kernel (with the needed encryption and hash algorithms built in).

Initram scripts are on GitHub here: https://github.com/tokiclover/mkinitramfs-ll

Hope it helps; if not, contact me (the first time, I needed to reinstall the system three times before a successful boot, but at that time I was a complete noob in Gentoo).

S

Neil Bothwick <neil@digimed.co.uk> wrote:
> On Tue, 04 Sep 2012 22:45:07 +0200, Florian Philipp wrote:
>
> > >> I just have to make sure to leave nothing private on root, /usr
> > >> or /etc.
> > >
> > > Like your passwd and shadow files?
> >
> > *g*, good point. However, I'm willing to take the risk on just these
> > two: passwd doesn't contain anything of considerable interest. shadow
> > contains exactly two passwords, both as sha256-sums (or similar, did not
> > really check). The passwords themselves are in excess of 90 bit entropy,
> > depending on how you estimate it.
> >
> > Most of the rest which might be of interest and is usually in /etc can
> > be symlinked there from a safe location in /var.
>
> I used to do that, but as the number of sensitive directories grew -
> samba, wicd, etc. - I decided it was less hassle to set up an encrypted /
> and forget about it.



--

Sent from my Android phone with K-9 Mail. Please excuse my brevity.
 
