From: Milan Broz <gmazyland@gmail.com>
To: Jonas Meurer <jonas@freesources.org>
Cc: dm-crypt@saout.de
Subject: Re: [dm-crypt] encrypted SWAP FAQ item
Date: Thu, 11 Jul 2013 13:58:16 +0200
Message-ID: <51DE9DD8.1090802@gmail.com>
In-Reply-To: <51DE79C6.7010306@freesources.org>

On 07/11/2013 11:24 AM, Jonas Meurer wrote:
> Heya,
>
> On 11.07.2013 08:53, Arno Wagner wrote:
>> Dear all,
>>
>> I just have added a mini-HOWTO on how to set up encrypted swap
>> in FAQ item 2.2:
>> http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
>>
>> Proofreading and suggestions welcome.
>
> Good idea to add it to the FAQ. Thanks for maintaining this very
> valuable piece of documentation.
>
> But maybe you should more emphasize the fact that /etc/crypttab
> implementations are distro-specific. While I know for sure that options
> like swap and noearly are supported in Debian-based distributions, I'm
> not sure about Redhat-based ones. Last time I looked, only a small
> subset of crypttab options that we've implemented in Debian were
> supported on Redhat-based systems.

Fedora (and future RHEL, perhaps) is using systemd,
crypttab is parsed in systemd. IIRC most of the options are
"systemd standardized". IIRC all Debian keywords were already there.

And for swap... it never worked properly with systemd but it is perhaps
only an implementation bug, enjoy reading
https://bugzilla.redhat.com/show_bug.cgi?id=759402

(systemd is using libcryptsetup for real device activation)

> Additionally, the following sentence looks wrong to me:
>
> "Note: use /dev/random if you are paranoid or in a potential low-entropy
> situation (embedded system, etc.).".
>
> Mainly in low-entropy situations /dev/random would cause the boot
> process to hang, right? So for these setups /dev/urandom actually is the
> better solution. Granted that one isn't paranoid ;)

This is not so simple. Once /dev/random is "fixed" for most configs
(read: internal pool is continuously mixed with a good entropy source like
e.g. RDRAND instructions) cryptsetup will switch the default to /dev/random
(for long-lived keys). Perhaps in the next major version.

See my notes here http://code.google.com/p/cryptsetup/issues/detail?id=161

Milan
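
Added example, not part of the original message or of the cryptsetup FAQ: a small audit of crypttab swap entries that reports which random device each one takes its key from, the /dev/random versus /dev/urandom choice discussed above. It assumes the four-field layout (target, source device, key file, options); the sample entries are constructed and the function names are hypothetical.

```python
# Added illustration; the sample entries are constructed, not taken from the thread.
SAMPLE_CRYPTTAB = """\
# <target>  <source device>  <key file>  <options>
cswap    /dev/sda2  /dev/urandom  swap,cipher=aes-xts-plain64,size=256
cswap2   /dev/sdb2  /dev/random   swap,noearly
croot    /dev/sda3  none          luks
"""

# Notes follow the behaviour discussed in the thread (2013).
KEY_SOURCE_NOTES = {
    "/dev/random": "blocking source, boot can wait when entropy is low",
    "/dev/urandom": "non-blocking source",
}


def parse_crypttab(text):
    """Return one dict per entry, skipping blank lines and '#' comment lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        entries.append({
            "name": fields[0],
            "device": fields[1],
            "keyfile": fields[2] if len(fields) > 2 else "none",
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries


def audit_swap_entries(text):
    """List (name, keyfile, note) for every entry carrying the 'swap' option."""
    findings = []
    for entry in parse_crypttab(text):
        if "swap" not in entry["options"]:
            continue
        note = KEY_SOURCE_NOTES.get(
            entry["keyfile"], "key does not come from a kernel RNG device")
        findings.append((entry["name"], entry["keyfile"], note))
    return findings


if __name__ == "__main__":
    for name, keyfile, note in audit_swap_entries(SAMPLE_CRYPTTAB):
        print(f"{name}: key from {keyfile} ({note})")
```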