From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt
Date: Thu, 23 Aug 2012 21:34:15 +0200 [thread overview]
Message-ID: <20120823193415.GA31534@tansi.org> (raw)
In-Reply-To: <5036729B.1060905@gmail.com>
On Thu, Aug 23, 2012 at 08:12:43PM +0200, Milan Broz wrote:
> On 08/23/2012 06:07 PM, Arno Wagner wrote:
> >> Debian has full support for cryptsetup/LUKS,
> >
> > For encrypted root? News to me, but would be a good thing.
>
> I am using it for several years on Debian (supported only with combination
> with lvm IIRC).
>
> >> but not for plain dm-crypt, not to
> >> my knowledge anyway. I think this makes sense as there is no way to
> >> automatically detect an encrypted partition with no header.
> >>
> >> The only advantage I can see in using encrypted partitions with no header
> >> is to "hide" the encrypted volume, however the partition, cipher and hash
> >
> > The second one is better resilience, as there is no header
> > single-point-of-failure. Whether that is worth total loss of
> > key management depends on the application.
>
> Well, you can have detached LUKS header on USB flash disk (optionally
> with the whole boot partition) for example.
That is not really a good idea. LUKS on Flash/SSD may not work
as intended. I just added an entry for that to the FAQ (5.17).
For some scenarios, plain dm-cryp is just the way to go.
Of course, it requires some understanding, e.g. a high-entropy
passphrase is a must.
> (cryptsetup has support for separate LUKS header but no support
> in distros yet I think)
>
> (You can even have different disk with another header with shifted data
> offset in LUKS header and hide another volume inside the first
> Not that it is comfortable though but possible...)
Hehehe. Messy ;-)
> >
> >> function have to be specified somewhere if one wants the distro to be able
> >> to do automatic configuration.
> >
> > Thet is not the issue. Reasonable defaults would do that. The
> > issue is that the partiton type cannot be detected anymore
> > without the key.
> >
> >> The bootloader will need it in its
> >> configuration, which doesn't make it any better than LUKS in terms of
> >> discreetness.
> >
> > Huh? What is the bootloader going to do with that info? Last
> > I checked, you still need a running kernel and system (possibly
> > in the form of an initrd) to do anything with encrypted partitions,
> > no matter whether LUKS or plain. I may be behind times here, if so,
> > please explain.
>
> Grub2 can handle LUKS directly.
Nice. Finally a reason to switch.
> (And separate header support is perhaps easy to add.)
Should be.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
next prev parent reply other threads:[~2012-08-23 19:34 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-22 12:10 [dm-crypt] Encrypt all partitions with dm-crypt Stayvoid
2012-08-22 12:24 ` Arno Wagner
2012-08-22 15:40 ` Stayvoid
2012-08-22 15:52 ` Heinz Diehl
2012-08-22 15:54 ` Matthew Monaco
2012-08-22 15:57 ` Javier Juan Martínez Cabezón
2012-08-23 7:28 ` Arno Wagner
2012-08-23 9:00 ` Christophe
2012-08-23 11:27 ` Arno Wagner
2012-08-23 14:12 ` Heinz Diehl
2012-08-23 15:10 ` Christophe
2012-08-23 16:07 ` Arno Wagner
2012-08-23 18:12 ` Milan Broz
2012-08-23 19:34 ` Arno Wagner [this message]
2012-08-24 14:01 ` Milan Broz
2012-08-24 14:40 ` Heinz Diehl
2012-08-24 15:14 ` Arno Wagner
2012-09-05 4:21 ` Stayvoid
2012-09-05 13:01 ` Arno Wagner
2012-09-06 12:54 ` Stayvoid
2012-09-06 16:46 ` Arno Wagner
2012-09-06 17:53 ` Heinz Diehl
2012-09-06 19:58 ` Arno Wagner
2012-09-07 16:10 ` Stayvoid
2012-09-07 19:04 ` Arno Wagner
2012-09-08 2:50 ` Stayvoid
2012-09-08 7:01 ` Milan Broz
2012-09-09 16:21 ` Stayvoid
2012-09-15 0:52 ` Stayvoid
2012-09-15 1:09 ` Matthew Monaco
2012-09-15 1:10 ` Matthew Monaco
2012-09-20 7:13 ` Stayvoid
2012-09-20 9:18 ` Javier Juan Martínez Cabezón
2012-09-21 5:01 ` Stayvoid
2012-09-21 10:01 ` Arno Wagner
2012-09-21 18:14 ` Stayvoid
2012-09-22 22:36 ` Stayvoid
2012-09-25 3:12 ` Stayvoid
2012-09-25 6:31 ` Matthew Monaco
2012-09-25 7:13 ` Stayvoid
2012-09-25 13:58 ` Stayvoid
2012-09-25 19:06 ` Matthew Monaco
2012-09-25 23:54 ` Stayvoid
2012-09-26 2:12 ` Matthew Monaco
2012-09-26 8:23 ` Stayvoid
2012-09-26 9:24 ` Matthew Monaco
2012-09-26 10:49 ` Stayvoid
2012-09-26 10:51 ` Stayvoid
2012-09-26 11:13 ` Matthew Monaco
2012-09-26 23:34 ` Stayvoid
2012-09-15 6:13 ` Javier Juan Martínez Cabezón
2012-09-08 8:13 ` Heinz Diehl
2012-09-08 13:26 ` Arno Wagner
2012-09-08 14:37 ` Heinz Diehl
2012-09-08 16:05 ` Arno Wagner
2012-09-08 16:39 ` Heinz Diehl
2012-09-08 19:36 ` Arno Wagner
2012-09-08 14:58 ` Marc MERLIN
2012-09-19 4:15 ` Two Spirit
2012-09-19 4:52 ` Javier Juan Martínez Cabezón
2012-09-19 5:13 ` Arno Wagner
2012-08-24 14:47 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120823193415.GA31534@tansi.org \
--to=arno@wagner.name \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.