From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id E61AC138010 for ; Tue, 4 Sep 2012 17:39:48 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id EA2C3E0512; Tue, 4 Sep 2012 17:39:24 +0000 (UTC)
Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) by pigeon.gentoo.org (Postfix) with ESMTP id ACFA9E04D6 for ; Tue, 4 Sep 2012 17:37:24 +0000 (UTC)
Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost1.zedat.fu-berlin.de (Exim 4.69) for gentoo-user@lists.gentoo.org with esmtp (envelope-from ) id <1T8x3z-0002Bf-QL>; Tue, 04 Sep 2012 19:37:23 +0200
Received: from dslb-188-103-204-228.pools.arcor-ip.net ([188.103.204.228] helo=[192.168.178.32]) by inpost2.zedat.fu-berlin.de (Exim 4.69) for gentoo-user@lists.gentoo.org with esmtpsa (envelope-from ) id <1T8x3z-0000vl-KJ>; Tue, 04 Sep 2012 19:37:23 +0200
Message-ID: <50463C4C.6040602@fu-berlin.de>
Date: Tue, 04 Sep 2012 19:37:16 +0200
From: Hinnerk van Bruinehsen
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120902 Thunderbird/15.0
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
References: <504518A3.7000207@binarywings.net>
In-Reply-To:
X-Enigmail-Version: 1.4.4
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Originating-IP: 188.103.204.228
X-Archives-Salt: 4e575553-572d-42c1-837d-4a08648e65d7
X-Archives-Hash: 6c42bf3207921b82e16acd9c87c53261

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04.09.2012 15:48, "Roland Häder" wrote:
> I think I made a (tolerable) mistake:
>
> My hard drive has two partitions:
> - sda1 - encrypted swap
> - sda2 - encrypted root
>
> How should it boot? One way could be by external media (e.g. a stick),
> the other is from the hard drive. But that is encrypted. So I must
> leave a small area for the kernel, initrd, System.map and maybe the
> config.
>
> So the page at [1] is a little wrong because it misses the boot
> partition, so the new layout should be:
> - sda1 - unencrypted boot (/boot) partition
> - sda2 - encrypted swap (at least double your RAM) (crypt-swap)
> - sda3 - encrypted root (crypt-root)
>
> Can someone update this?
>
> Regards,
> Roland
>
> [1]: http://wiki.gentoo.org/wiki/DM-Crypt

In theory grub2 is able to open a LUKS-encrypted volume, though it seems to have some disadvantages: you'll need to enter the passphrase (or pass the keyfile) two times, because grub itself needs to decrypt the volume to get the later stages from the encrypted volume, and afterwards the decryption in the boot process itself takes place. I can't give any real advice about it though, because I use an unencrypted boot partition. Depending on your needs it could be an increase in security, because you can stop an attacker from injecting malicious code into your kernel (or replacing it completely).
WKR
Hinnerk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQRjxMAAoJEJwwOFaNFkYcWfcIAJvh9CxmlPeWTlJ8qMMb24tf
8tCVPo7FjnELrOqHwccqRceC1/1kIfjfYy0BowbRBOAV49WEIt3WWZhySVcS5PzH
mh30OVZZ1Gb94QjwUSoKb+4FfULpM8oVp3kpaxf11Ls7SlJgRkW4hiSNmEWGt/2Q
RRgTQpkFp7W6b1sWnbnKY491iCsL657G90UK7lKe3qe15u7V0E8bY2XvzJrPSf4E
K3V0mpHunLWDMbr0lfoezbeOEuqSfRdUlgQWw3Q4iCKBxFX5hh9ac5T8cne4xUJ7
OKp6HAYE3sl8othQ+ngMNVyu/vX6j0dCtZHgPtAZEDU1pjE33rjiaLXm15aCVbU=
=AG8l
-----END PGP SIGNATURE-----
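The layout Roland proposes and the point Hinnerk raises both come down to the same thing: with an unencrypted /boot (sda1), the kernel, initrd and grub configuration are the one part of the disk an attacker with physical access can modify without a passphrase. The following is an added example, not code from the thread or from the Gentoo wiki: a pair of POSIX shell functions that record a SHA-256 manifest of /boot while the system is known-good and later verify it, flagging modified or removed files as well as files that were added (which `sha256sum -c` alone never reports). It assumes GNU coreutils (`sha256sum`, `sort`, `cut`, `grep`) and `find`, absolute paths for both arguments because the functions `cd` into the directory, and no whitespace in file names under /boot; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Integrity manifest for the unencrypted
# /boot partition (sda1 in Roland's layout): nothing there is protected by
# dm-crypt, so a kernel or initrd can be swapped by anyone with the disk.
# Record hashes while known-good, re-check from a trusted environment later.
# Assumptions: GNU coreutils and find, absolute DIR and MANIFEST paths,
# no whitespace in file names under DIR. Function names are hypothetical.

# boot_manifest_create DIR MANIFEST
# Write "sha256  ./relative/path" for every regular file under DIR,
# sorted by path so two manifests of the same tree are byte-identical.
boot_manifest_create() {
    dir=$1
    manifest=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$manifest"
}

# boot_manifest_verify DIR MANIFEST
# Exit status is a bit mask: 0 = unchanged; bit value 1 = a listed file was
# modified or removed; bit value 2 = an unlisted file appeared (e.g. an extra
# kernel or module planted next to the real one).
boot_manifest_verify() {
    dir=$1
    manifest=$2
    status=0

    # sha256sum -c re-hashes every listed file and fails on a changed hash
    # or a missing file, which covers the "replace the kernel" case.
    if ! ( cd "$dir" && sha256sum --status -c "$manifest" ); then
        status=$((status | 1))
    fi

    # sha256sum -c never notices files that were added, so compare the
    # current file list against the paths recorded in the manifest
    # (column 67 onwards: 64 hex digits plus the two separator spaces).
    for f in $( cd "$dir" && find . -type f ); do
        if ! cut -c67- "$manifest" | grep -qxF -- "$f"; then
            echo "unlisted file in $dir: $f" >&2
            status=$((status | 2))
        fi
    done
    return "$status"
}
```

Keep the manifest somewhere the attacker cannot reach, i.e. inside the encrypted root or on removable media you carry, and run the verify step before typing the LUKS passphrase into a machine that was out of your control; a manifest stored on /boot itself can be rewritten along with the kernel. This is a detection control only: it tells you the boot chain was touched, it does not stop the tampered kernel from running.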