From: Felix Kuperjans
Organization: Desaster Games e.V.
Date: Wed, 30 Nov 2011 16:48:12 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Full disk encryption
Message-ID: <4ED6503C.5070606@desaster-games.com>
References: <20111130152753.176a9a08@hactar.digimed.co.uk>

Hello Peter,

dmcrypt works perfectly without initrd as long as you do not encrypt the root filesystem.

So for encrypted home directories, you can just create and use a LUKS volume with dmcrypt (AFAIK the fastest and easiest-to-use way).

Regarding other techniques like gpg or truecrypt, you should keep in mind that dmcrypt works directly in kernel space, so it may be a lot faster with the same encryption strength (but I don't know of any benchmark on that).

Regards,
Felix

On 30.11.2011 16:40, czernitko wrote:
> Hello, thanks for your response, Neil!
> As for dmcrypt usage, what do you think about truecrypt or pgp whole
> disk encryption as alternatives to dmcrypt?
> I would like to have only one partition with all home directories on
> it, and I would like to avoid usage of initrd as I don't use it now
> and I would like to keep it that way if possible.
>
> Peter
>
>
> 2011/11/30 Neil Bothwick <neil@digimed.co.uk>
>
>> On Wed, 30 Nov 2011 16:19:18 +0100, czernitko wrote:
>>
>>> I would like to set up an encrypted partition for my /home directories
>>> on Gentoo Hardened. Which approach do you recommend?
>>
>> Do you want a single encrypted filesystem, or separately encrypted home
>> directories for each user? For the former, emerge cryptsetup, use it to
>> create the encrypted block device and set it up in /etc/conf.d/dmcrypt.
>>
>> For individually encrypted home directories, using ecryptfs on top of a
>> standard filesystem, as used by Ubuntu, is probably the best way.
>>
>>
>> --
>> Neil Bothwick
>>
>> "You want us to do WHAT?" - Ancient Chinese wall engineer.
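For the route both replies describe (one LUKS volume holding /home, opened at boot by the dmcrypt init script, no initrd), here is an added shell example that is not part of the thread and not Gentoo's own code: it prints the cryptsetup commands to run, generates the matching /etc/conf.d/dmcrypt stanza and fstab line, and checks a stanza file for a target that has no source. The device /dev/sda3, the mapper name crypt-home and the mount point /home are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread): LUKS volume for /home without initrd,
# opened by Gentoo's dmcrypt init script via /etc/conf.d/dmcrypt.
# /dev/sda3, crypt-home and /home are assumed values; adjust for the real box.

# Print (do not run) the cryptsetup commands for a new LUKS volume.
# luksFormat destroys whatever is on the device, so this stays a dry run.
luks_commands() {
    dev="$1"; name="$2"
    printf 'cryptsetup luksFormat %s\n' "$dev"
    printf 'cryptsetup luksOpen %s %s\n' "$dev" "$name"
    printf 'mkfs.ext4 /dev/mapper/%s\n' "$name"
    printf 'cryptsetup luksClose %s\n' "$name"
}

# /etc/conf.d/dmcrypt stanza: every "target=" line starts a new stanza.
# With no key= line the init script asks for the passphrase at boot.
dmcrypt_stanza() {
    name="$1"; dev="$2"
    printf 'target=%s\n' "$name"
    printf "source='%s'\n" "$dev"
}

# fstab line mounting the opened mapper device on the home mount point.
fstab_line() {
    name="$1"; mnt="$2"
    printf '/dev/mapper/%s\t%s\text4\tnoatime\t0\t2\n' "$name" "$mnt"
}

# Sanity-check a stanza file: each target needs a source, and a source=
# that precedes any target= belongs to no stanza. Prints each problem and
# returns the number of problems found (0 = file looks usable).
check_dmcrypt_conf() {
    file="$1"; errors=0; target=""; have_source=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;
            target=*)
                if [ -n "$target" ] && [ "$have_source" -eq 0 ]; then
                    echo "target '$target' has no source="; errors=$((errors+1))
                fi
                target="${line#target=}"; have_source=0 ;;
            source=*)
                if [ -z "$target" ]; then
                    echo "source= before any target= belongs to no stanza"
                    errors=$((errors+1))
                else
                    have_source=1
                fi ;;
        esac
    done < "$file"
    if [ -n "$target" ] && [ "$have_source" -eq 0 ]; then
        echo "target '$target' has no source="; errors=$((errors+1))
    fi
    return "$errors"
}

# Demo with the assumed values (constructed, not read from a real system).
luks_commands /dev/sda3 crypt-home
dmcrypt_stanza crypt-home /dev/sda3
fstab_line crypt-home /home
```

The commands are only printed because luksFormat wipes the device; run them by hand once the right device is confirmed. The dmcrypt service must be in the boot runlevel (rc-update add dmcrypt boot) so the volume is opened before localmount mounts /home, which is what makes the no-initrd setup work for anything other than the root filesystem.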