From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.saout.de ([127.0.0.1]) by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9sCynKulXEUj for ; Thu, 6 Sep 2012 18:47:00 +0200 (CEST) Received: from v4.tansi.org (ns.km33513-03.keymachine.de [87.118.94.3]) by mail.saout.de (Postfix) with ESMTP for ; Thu, 6 Sep 2012 18:47:00 +0200 (CEST) Received: from gatewagner.dyndns.org (84-72-142-78.dclient.hispeed.ch [84.72.142.78]) by v4.tansi.org (Postfix) with ESMTPA id 2C47E1404001 for ; Thu, 6 Sep 2012 18:47:00 +0200 (CEST) Date: Thu, 6 Sep 2012 18:46:59 +0200 From: Arno Wagner Message-ID: <20120906164659.GA20640@tansi.org> References: <20120823151025.GM14639@Latty> <20120823160728.GA26979@tansi.org> <5036729B.1060905@gmail.com> <20120823193415.GA31534@tansi.org> <50378927.7090508@gmail.com> <20120824144028.GB2407@fancy-poultry.org> <20120824151439.GA30694@tansi.org> <20120905130125.GB11942@tansi.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de On Thu, Sep 06, 2012 at 04:54:18PM +0400, Stayvoid wrote: > > You solution will work though, although if you do it with > > >? dd_rescue /dev/urandom /dev/sda > > > you get a progess indicator. > > In that case it's also possible to check the progress like this: > > $ kill -USR1 $(pidof dd) > > (This should be typed in another terminal.) > > > > No. You just map it like you stated and then create the filesystem > > on the mapped device. > > How to map it? Will the following work? > > $ cryptsetup create /dev/sda2 boot > $ cryptsetup create /dev/sda3 main Yes, "create" is the mapping command for plain dm-crypt. > > > mkswap /dev/mapper/main > > Is this a typo? I guess that it should be changed to: > > mkswap /dev/mapper/swap Yes. > > > No idea. Suspend-to-disk is insecure unless done right and it > > needs to be done right by your distro. > > What about this option [1]? > Is it secure? Well, it does not have the security problems of suspend-to-disk at least ;-) Whether it is ecyure depends on some factors. For example, you need a high-entropy passphrase for plain dm-crypt to be secure. See FAQ for more info. > I know that some people don't use swap at all because of security issues. > But I'd like to use it. Encrypted swap is generally fine, as long as it gets a random encryption key on system boot. I have been doing that for a while now, no problems. > By the way, are there any differences between a swap partition and a > swap file (in terms of security)? Depends. For example, if you use a journaling filesystem or a filesystem where writes may not overwrite old data, stuff can survive far longer than expected. The same can happen with SWAP on SSD, even if ut goes to its own partition. Usually, the secure option is to use swap on a magnetic disk that is encrypted with a random key chosen at system boot. If you are paranoid, change the key periodically (cron-job). Arno > [1] https://wiki.archlinux.org/index.php/Dm-crypt_with_LUKS#Without_suspend-to-disk_support > > Thanks > _______________________________________________ > dm-crypt mailing list > dm-crypt@saout.de > http://www.saout.de/mailman/listinfo/dm-crypt > -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision. -- Bertrand Russell