From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt
Date: Thu, 6 Sep 2012 18:46:59 +0200 [thread overview]
Message-ID: <20120906164659.GA20640@tansi.org> (raw)
In-Reply-To: <CAK5fS_Ehqsmm8jSirDJ7G-ix435dxrhmEd52D_t4jLOVvk3+4w@mail.gmail.com>
On Thu, Sep 06, 2012 at 04:54:18PM +0400, Stayvoid wrote:
> > You solution will work though, although if you do it with
>
> >? dd_rescue /dev/urandom /dev/sda
>
> > you get a progess indicator.
>
> In that case it's also possible to check the progress like this:
>
> $ kill -USR1 $(pidof dd)
>
> (This should be typed in another terminal.)
>
>
> > No. You just map it like you stated and then create the filesystem
> > on the mapped device.
>
> How to map it? Will the following work?
>
> $ cryptsetup create /dev/sda2 boot
> $ cryptsetup create /dev/sda3 main
Yes, "create" is the mapping command for plain dm-crypt.
>
> > mkswap /dev/mapper/main
>
> Is this a typo? I guess that it should be changed to:
>
> mkswap /dev/mapper/swap
Yes.
>
> > No idea. Suspend-to-disk is insecure unless done right and it
> > needs to be done right by your distro.
>
> What about this option [1]?
> Is it secure?
Well, it does not have the security problems of suspend-to-disk
at least ;-)
Whether it is ecyure depends on some factors. For example, you
need a high-entropy passphrase for plain dm-crypt to be secure.
See FAQ for more info.
> I know that some people don't use swap at all because of security issues.
> But I'd like to use it.
Encrypted swap is generally fine, as long as it gets a random
encryption key on system boot. I have been doing that for a
while now, no problems.
> By the way, are there any differences between a swap partition and a
> swap file (in terms of security)?
Depends. For example, if you use a journaling filesystem or a filesystem
where writes may not overwrite old data, stuff can survive far longer
than expected. The same can happen with SWAP on SSD, even if ut
goes to its own partition.
Usually, the secure option is to use swap on a magnetic disk
that is encrypted with a random key chosen at system boot. If
you are paranoid, change the key periodically (cron-job).
Arno
> [1] https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS#Without_suspend-to-disk_support
>
> Thanks
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
>
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
next prev parent reply other threads:[~2012-09-06 16:47 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-22 12:10 [dm-crypt] Encrypt all partitions with dm-crypt Stayvoid
2012-08-22 12:24 ` Arno Wagner
2012-08-22 15:40 ` Stayvoid
2012-08-22 15:52 ` Heinz Diehl
2012-08-22 15:54 ` Matthew Monaco
2012-08-22 15:57 ` Javier Juan Martínez Cabezón
2012-08-23 7:28 ` Arno Wagner
2012-08-23 9:00 ` Christophe
2012-08-23 11:27 ` Arno Wagner
2012-08-23 14:12 ` Heinz Diehl
2012-08-23 15:10 ` Christophe
2012-08-23 16:07 ` Arno Wagner
2012-08-23 18:12 ` Milan Broz
2012-08-23 19:34 ` Arno Wagner
2012-08-24 14:01 ` Milan Broz
2012-08-24 14:40 ` Heinz Diehl
2012-08-24 15:14 ` Arno Wagner
2012-09-05 4:21 ` Stayvoid
2012-09-05 13:01 ` Arno Wagner
2012-09-06 12:54 ` Stayvoid
2012-09-06 16:46 ` Arno Wagner [this message]
2012-09-06 17:53 ` Heinz Diehl
2012-09-06 19:58 ` Arno Wagner
2012-09-07 16:10 ` Stayvoid
2012-09-07 19:04 ` Arno Wagner
2012-09-08 2:50 ` Stayvoid
2012-09-08 7:01 ` Milan Broz
2012-09-09 16:21 ` Stayvoid
2012-09-15 0:52 ` Stayvoid
2012-09-15 1:09 ` Matthew Monaco
2012-09-15 1:10 ` Matthew Monaco
2012-09-20 7:13 ` Stayvoid
2012-09-20 9:18 ` Javier Juan Martínez Cabezón
2012-09-21 5:01 ` Stayvoid
2012-09-21 10:01 ` Arno Wagner
2012-09-21 18:14 ` Stayvoid
2012-09-22 22:36 ` Stayvoid
2012-09-25 3:12 ` Stayvoid
2012-09-25 6:31 ` Matthew Monaco
2012-09-25 7:13 ` Stayvoid
2012-09-25 13:58 ` Stayvoid
2012-09-25 19:06 ` Matthew Monaco
2012-09-25 23:54 ` Stayvoid
2012-09-26 2:12 ` Matthew Monaco
2012-09-26 8:23 ` Stayvoid
2012-09-26 9:24 ` Matthew Monaco
2012-09-26 10:49 ` Stayvoid
2012-09-26 10:51 ` Stayvoid
2012-09-26 11:13 ` Matthew Monaco
2012-09-26 23:34 ` Stayvoid
2012-09-15 6:13 ` Javier Juan Martínez Cabezón
2012-09-08 8:13 ` Heinz Diehl
2012-09-08 13:26 ` Arno Wagner
2012-09-08 14:37 ` Heinz Diehl
2012-09-08 16:05 ` Arno Wagner
2012-09-08 16:39 ` Heinz Diehl
2012-09-08 19:36 ` Arno Wagner
2012-09-08 14:58 ` Marc MERLIN
2012-09-19 4:15 ` Two Spirit
2012-09-19 4:52 ` Javier Juan Martínez Cabezón
2012-09-19 5:13 ` Arno Wagner
2012-08-24 14:47 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120906164659.GA20640@tansi.org \
--to=arno@wagner.name \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.