From: Arno Wagner
Date: Thu, 23 Aug 2012 21:34:15 +0200
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt
Message-ID: <20120823193415.GA31534@tansi.org>
In-Reply-To: <5036729B.1060905@gmail.com>
References: <20120823090049.GB14639@Latty> <20120823112728.GA20834@tansi.org> <20120823151025.GM14639@Latty> <20120823160728.GA26979@tansi.org> <5036729B.1060905@gmail.com>

On Thu, Aug 23, 2012 at 08:12:43PM +0200, Milan Broz wrote:
> On 08/23/2012 06:07 PM, Arno Wagner wrote:
> >> Debian has full support for cryptsetup/LUKS,
> >
> > For encrypted root? News to me, but would be a good thing.
>
> I am using it for several years on Debian (supported only with combination
> with lvm IIRC).
>
> >> but not for plain dm-crypt, not to
> >> my knowledge anyway. I think this makes sense as there is no way to
> >> automatically detect an encrypted partition with no header.
> >>
> >> The only advantage I can see in using encrypted partitions with no header
> >> is to "hide" the encrypted volume, however the partition, cipher and hash
> >
> > The second one is better resilience, as there is no header
> > single-point-of-failure. Whether that is worth total loss of
> > key management depends on the application.
>
> Well, you can have detached LUKS header on USB flash disk (optionally
> with the whole boot partition) for example.

That is not really a good idea. LUKS on Flash/SSD may not work as
intended. I just added an entry for that to the FAQ (5.17).

For some scenarios, plain dm-crypt is just the way to go. Of course,
it requires some understanding, e.g. a high-entropy passphrase is a
must.

> (cryptsetup has support for separate LUKS header but no support
> in distros yet I think)
>
> (You can even have different disk with another header with shifted data
> offset in LUKS header and hide another volume inside the first
> Not that it is comfortable though but possible...)

Hehehe. Messy ;-)

> >
> >> function have to be specified somewhere if one wants the distro to be able
> >> to do automatic configuration.
> >
> > That is not the issue. Reasonable defaults would do that. The
> > issue is that the partition type cannot be detected anymore
> > without the key.
> >
> >> The bootloader will need it in its
> >> configuration, which doesn't make it any better than LUKS in terms of
> >> discreetness.
> >
> > Huh? What is the bootloader going to do with that info? Last
> > I checked, you still need a running kernel and system (possibly
> > in the form of an initrd) to do anything with encrypted partitions,
> > no matter whether LUKS or plain. I may be behind times here, if so,
> > please explain.
>
> Grub2 can handle LUKS directly.

Nice. Finally a reason to switch.

> (And separate header support is perhaps easy to add.)

Should be.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
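The thread turns on one property: a LUKS volume carries a header that a distro (or a bootloader) can detect and read the cipher, mode, hash and key size from, while a plain dm-crypt volume has no header and its first sector is indistinguishable from random data. The following is an added example, not code from the list thread or from cryptsetup: a minimal parser for the LUKS1 on-disk header (field layout and sizes from the LUKS1 specification; LUKS2 shares the magic but keeps its metadata as JSON, which this parser only recognises by version number). The sample header it parses is constructed data with zeroed digest and salt and no key slots, not a usable volume. Reading the header from a separate blob also mirrors the detached-header case Milan mentions: with the header elsewhere, the data device itself classifies the same way as a plain volume.

```python
"""Added example (not from the dm-crypt thread or cryptsetup): parse the
on-disk LUKS1 header to show what a headered volume exposes to anyone who
reads its first sector, versus a plain dm-crypt volume, which exposes
nothing recognisable. Sample inputs below are constructed."""
import os
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 phdr (from the LUKS1 spec): magic(6) version(2) cipher-name(32)
# cipher-mode(32) hash-spec(32) payload-offset(4) key-bytes(4)
# mk-digest(20) mk-digest-salt(32) mk-digest-iter(4) uuid(40); big-endian.
_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SECTOR = 512


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_luks_header(blob: bytes):
    """Return the public LUKS1 phdr fields, {"version": 2} for a LUKS2
    header (same magic; JSON metadata not parsed here), or None when no
    LUKS magic is present (plain dm-crypt, random data, or unencrypted)."""
    if len(blob) < _PHDR.size or not blob.startswith(LUKS_MAGIC):
        return None
    (_, version, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _salt, mk_iter, uuid_raw) = _PHDR.unpack_from(blob, 0)
    if version != 1:
        return {"version": version}
    return {
        "version": 1,
        "cipher": _cstr(cipher),
        "mode": _cstr(mode),
        "hash": _cstr(hashspec),
        "key_bits": key_bytes * 8,
        "payload_offset_bytes": payload_off * SECTOR,  # stored in sectors
        "mk_digest_iterations": mk_iter,
        "uuid": _cstr(uuid_raw),
    }


def describe(blob: bytes) -> str:
    """Human-readable classification of a first-sector blob."""
    hdr = parse_luks_header(blob)
    if hdr is None:
        return "no LUKS header: plain dm-crypt, random data, or unencrypted"
    if hdr["version"] != 1:
        return f"LUKS{hdr['version']} header (metadata not parsed here)"
    return (f"LUKS1: {hdr['cipher']}-{hdr['mode']}, hash {hdr['hash']}, "
            f"{hdr['key_bits']}-bit key, data at byte {hdr['payload_offset_bytes']}")


def build_sample_luks1_header(cipher="aes", mode="xts-plain64",
                              hashspec="sha256", key_bytes=64) -> bytes:
    """Constructed LUKS1 phdr for demonstration only: zeroed digest and
    salt, fixed UUID, no key slots. It is not a usable volume."""
    def pad32(s: str) -> bytes:
        return s.encode("ascii").ljust(32, b"\x00")
    uuid_field = b"00000000-1111-2222-3333-444444444444".ljust(40, b"\x00")
    return _PHDR.pack(LUKS_MAGIC, 1, pad32(cipher), pad32(mode), pad32(hashspec),
                      4096, key_bytes, bytes(20), bytes(32), 1000, uuid_field)


def sample_plain_volume_sector() -> bytes:
    """A plain dm-crypt volume has no header; its first sector is ciphertext
    that looks like random bytes. Constructed here with os.urandom."""
    return os.urandom(SECTOR)


if __name__ == "__main__":
    for name, blob in (("luks1", build_sample_luks1_header()),
                       ("plain", sample_plain_volume_sector())):
        print(f"{name:6} {describe(blob)}")
```

Everything needed for automatic configuration (cipher, mode, hash, key size, payload offset) is read straight from the header; for the plain sector the parser has nothing to go on, which is exactly why a distro cannot auto-detect it and why the user must supply those parameters, along with a high-entropy passphrase, by hand.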