From: Milan Broz
Date: Thu, 11 Jul 2013 13:58:16 +0200
Message-ID: <51DE9DD8.1090802@gmail.com>
In-Reply-To: <51DE79C6.7010306@freesources.org>
Subject: Re: [dm-crypt] encrypted SWAP FAQ item
To: Jonas Meurer
Cc: dm-crypt@saout.de

On 07/11/2013 11:24 AM, Jonas Meurer wrote:
> Heya,
>
> On 11.07.2013 08:53, Arno Wagner wrote:
>> Dear all,
>>
>> I have just added a mini-HOWTO on how to set up encrypted swap
>> in FAQ item 2.2:
>> http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
>>
>> Proofreading and suggestions welcome.
>
> Good idea to add it to the FAQ. Thanks for maintaining this very
> valuable piece of documentation.
>
> But maybe you should emphasize more the fact that /etc/crypttab
> implementations are distro-specific. While I know for sure that options
> like swap and noearly are supported in Debian-based distributions, I'm
> not sure about Redhat-based ones. Last time I looked, only a small
> subset of the crypttab options that we've implemented in Debian were
> supported on Redhat-based systems.
Fedora (and future RHEL, perhaps) is using systemd; crypttab is parsed in systemd.
IIRC most of the options are "systemd standardized". IIRC all Debian keywords
were already there.

And for swap... it never worked properly with systemd, but it is perhaps only an
implementation bug; enjoy reading
https://bugzilla.redhat.com/show_bug.cgi?id=759402
(systemd is using libcryptsetup for real device activation)

> Additionally, the following sentence looks wrong to me:
>
> "Note: use /dev/random if you are paranoid or in a potential low-entropy
> situation (embedded system, etc.)."
>
> Mainly in low-entropy situations /dev/random would cause the boot
> process to hang, right? So for these setups /dev/urandom actually is the
> better solution. Granted that one isn't paranoid ;)

This is not so simple. Once /dev/random is "fixed" for most configs (read:
internal pool is continuously mixed with a good entropy source like e.g. RDRAND
instructions) cryptsetup will switch the default to /dev/random (for long-lived
keys). Perhaps in the next major version.

See my notes here http://code.google.com/p/cryptsetup/issues/detail?id=161

Milan
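For reference, here is what the random-key swap setup being discussed looks like in /etc/crypttab, side by side for the two crypttab implementations mentioned in the thread. This is an added example, not the text of FAQ item 2.2 and not from any of the posters; the target name "cswap", the /dev/disk/by-id path and the cipher choice are assumptions, and the noearly line is Debian's extension, which is why it is left out of the systemd variant.

```conf
# /etc/crypttab: swap re-keyed with a fresh random key at every boot.
# Added example (not the FAQ's own text); device path and target name are assumptions.
#
# Fields: <target> <source device> <key file> <options>
# Using /dev/urandom as the key file means plain (non-LUKS) mode: the key is
# read straight from the file, so give the cipher and key size explicitly.
# The "swap" option runs mkswap on the mapped device after it is set up, which
# means the *source partition is overwritten on every boot* -- point it at the
# wrong device and you destroy a filesystem. Use a stable by-id/by-partuuid
# path, never by-uuid (the content, and hence any UUID, changes each boot).

# Debian-style entry (swap, noearly and friends per Debian's crypttab(5)):
cswap   /dev/disk/by-id/ata-EXAMPLE-DISK-part3   /dev/urandom   cipher=aes-xts-plain64,size=256,swap,noearly

# systemd-parsed crypttab (Fedora etc.): same fields and the same swap/cipher/size
# keywords, but "noearly" is not among the options systemd's crypttab(5)
# documents, so it is dropped here; check your distribution's man page before
# copying options across.
cswap   /dev/disk/by-id/ata-EXAMPLE-DISK-part3   /dev/urandom   cipher=aes-xts-plain64,size=256,swap

# Matching /etc/fstab line: swap on the mapped device, never on the raw partition.
/dev/mapper/cswap   none   swap   sw   0   0
```

Two consequences of the random-key approach worth stating plainly: because the key is never stored, suspend-to-disk (hibernation) into this swap cannot work, since nothing can re-derive the key on resume; and the choice between /dev/urandom and /dev/random in the third field is exactly the trade-off Milan describes above, with /dev/random risking a boot hang on an entropy-starved system and /dev/urandom being the usual choice for a key that only has to outlive one boot.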