From: Daniel Troeder
Date: Mon, 10 May 2010 18:48:27 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure.
Message-ID: <4BE838DB.6080104@admin-box.com>
In-Reply-To: <4BE482CD.5080502@xunil.at>

On 05/07/2010 11:14 PM, Stefan G. Weichinger wrote:
> On 07.05.2010 16:24, Stefan G. Weichinger wrote:
>> On 07.05.2010 10:53, Stefan G. Weichinger wrote:
>>
>>> I think I am gonna file a bug for this now.
>>
>> http://bugs.gentoo.org/show_bug.cgi?id=318865
>
> Aside from the potential bug:
>
> As I store the "verysekrit.key" on the same hdd as the encrypted
> device and use the rather simple shadowed password to decrypt that
> key ... isn't that just plain stupid?
>
> The overall security is just as good as my password. Cracking it with
> john opens the key to decrypting the LUKS-volume ...
>
> Yes, if I would store the key on another volume (stick or something)
> as mentioned in that howto it would make sense but in my case ...
>
> *scratches head* ;-)
>
> Stefan

I prefer to encrypt my entire hard disk. Well, a huge partition (excluding
only Windows and Solaris :) which I encrypt; then the decrypted partition is
used as a PV for LVM and all OSes and partitions are in LVs. This way I have
to type in the password to decrypt the PV once, and all LVs are decrypted.
Then I have to use a second password to log in, of course.

As all Linux distros support encrypted roots and LVM nowadays, I have Gentoo,
Fedora and Ubuntu all in the same VG.

The speed disadvantage is small, as my CPU+RAM are so much faster than the
HDD. But in terms of security it's better to have everything encrypted,
because it makes it more difficult to manipulate your system to get the key
(the kernel is still unencrypted), and no possibly private information can
be obtained from /tmp and /var.

I compile all needed modules into the kernel, so I don't need to recreate my
initrd for every new kernel.

Bye,
Daniel

-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
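A worked version of the layout Daniel describes (one LUKS container used as an LVM PV, each distro root in its own LV, a single passphrase unlocking all of them), as an added example that is not part of the original message or of any project mentioned in the thread. It builds the layout on a loop-backed image file so it can be tried without touching a real disk. The image path, mapper name, VG name, LV names and sizes, and the placeholder device `/dev/sdX` are all assumptions; the list of kernel options in `missing_kernel_opts` is this example's own assumption of what must be built in (`=y`) for aes-xts-plain64 dm-crypt with no modules in the initrd, not something the post states.

```shell
#!/bin/sh
# Added example (not from the thread): one LUKS container as an LVM PV, each
# distro root in its own LV, one passphrase unlocks everything. Built on a
# loop-backed image so it can be exercised without touching a real disk.
# Image path, mapper name, VG and LV list below are assumptions.

IMG=${IMG:-/tmp/crypt-lvm-demo.img}
MAPPER=${MAPPER:-cryptpv}
VG=${VG:-vg_os}
# Constructed LV spec, name:size, one root per distro plus swap.
LVS=${LVS:-"gentoo_root:2G fedora_root:2G ubuntu_root:2G swap:512M"}

# Emit the commands that build the layout, one per line; executes nothing.
# $1 block device, $2 dm-crypt mapper name, $3 VG name, $4 "name:size ..." list
plan_layout() {
  dev=$1; mapper=$2; vg=$3; lvs=$4
  printf 'cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha256 %s\n' "$dev"
  printf 'cryptsetup open %s %s\n' "$dev" "$mapper"
  printf 'pvcreate /dev/mapper/%s\n' "$mapper"
  printf 'vgcreate %s /dev/mapper/%s\n' "$vg" "$mapper"
  for spec in $lvs; do
    printf 'lvcreate -L %s -n %s %s\n' "${spec#*:}" "${spec%%:*}" "$vg"
  done
}

# Options that must be =y (built in, not =m) so the container can be opened
# with no modules shipped in the initrd. This list is the example's own
# assumption for aes-xts-plain64 + sha256; check it against your setup.
# Prints each missing option; returns 1 if any is missing, 0 otherwise.
missing_kernel_opts() {
  cfg=$1; rc=0
  for opt in CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES \
             CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA256; do
    grep -q "^$opt=y$" "$cfg" || { echo "$opt"; rc=1; }
  done
  return $rc
}

# Run the plan for real (needs root, cryptsetup and lvm2). luksFormat and
# open prompt for the passphrase on the terminal; that is the one passphrase
# typed at boot in this layout. Tears everything down again at the end.
apply_layout() {
  truncate -s 8G "$IMG"
  dev=$(losetup --find --show "$IMG")
  sh -e -c "$(plan_layout "$dev" "$MAPPER" "$VG" "$LVS")"
  echo "LVs now visible under /dev/$VG:"
  lvs "$VG"
  # Closing the container takes every LV with it: one key, one unlock.
  vgchange -an "$VG"
  cryptsetup close "$MAPPER"
  losetup -d "$dev"
}

case "${1:-}" in
  --apply) apply_layout ;;
  --plan)  plan_layout /dev/sdX "$MAPPER" "$VG" "$LVS" ;;  # /dev/sdX is a placeholder
esac
```

Run with `--plan` to see the command sequence, with `--apply` as root to build and tear down the demo on the image file, and call `missing_kernel_opts /path/to/.config` (or a decompressed `/proc/config.gz`) before dropping modules from the initrd. Note that the unencrypted kernel and initrd in `/boot` remain exactly the tamperable part Daniel points out; this layout protects the data, not the boot chain.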