From: Florian Philipp
To: gentoo-user@lists.gentoo.org
Date: Tue, 04 Sep 2012 20:18:46 +0200
Subject: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
Message-ID: <50464606.5050404@binarywings.net>
In-Reply-To: <50463C4C.6040602@fu-berlin.de>
List-Id: Gentoo Linux mail

On 04.09.2012 19:37, Hinnerk van Bruinehsen wrote:
> On 04.09.2012 15:48, "Roland Häder" wrote:
>> I think I made a (tolerable) mistake:
>
>> My hard drive has two partitions:
>> - sda1 - encrypted swap
>> - sda2 - encrypted root
>
>> How should it boot? One way could be by external media (e.g. a
>> stick), the other is from the hard drive. But that is encrypted. So I
>> must leave a small area for kernel, initrd, System.map and maybe
>> config.
>
>> So the page at [1] is a little wrong because it misses the boot
>> partition, so the new layout should be:
>> - sda1 - unencrypted boot (/boot) partition
>> - sda2 - encrypted swap (at least double your RAM) (crypt-swap)
>> - sda3 - encrypted root (crypt-root)
>
>> Can someone update this?
>
>> Regards, Roland
>
>> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
>
>
> In theory grub2 is able to open a LUKS-encrypted volume, though it
> seems to have some disadvantages: you'll need to enter the passphrase
> (or pass the keyfile) two times, because grub itself needs to decrypt
> the volume to get the later stages from the encrypted volume, and
> afterwards the decryption in the boot process itself takes place.
>
> I can't give any real advice about it though, because I use an
> unencrypted boot partition. Depending on your needs it could be an
> increase in security, because you can stop an attacker from injecting
> malicious code into your kernel (or replacing it completely).
>
> WKR
> Hinnerk

For personal use, I see no point in using an encrypted boot partition.
An attacker needs physical or root access to change the kernel or
initrd in order to get to your encrypted data. In both cases, you are
hosed anyway (keyloggers, etc.).

Encrypting everything except the boot partition still protects you
against theft, seizure and so on (as long as you sanitize the device
when you get it back).

Secure Boot would help further, but let's not reiterate that particular
flame/FUD war.

Regards,
Florian Philipp
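Florian's point is that an unencrypted /boot cannot stop someone with physical access from altering the kernel or initrd, so the practical defence is to notice such a change. The following is an added example, not code from this thread or from Gentoo: a POSIX sh manifest check that hashes every file under a directory and reports what changed; the function names, the fake /boot directory and the sample file contents are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal integrity manifest for an
# unencrypted /boot (the part Florian notes an attacker with physical access can
# alter). It records the SHA-256 of every file below a directory and later
# reports anything changed, added or missing. Keep the manifest on the encrypted
# root (for example under /root), never inside /boot itself.

# boot_manifest_create DIR MANIFEST: write a sorted "hash  path" list for all
# regular files under DIR into MANIFEST.
boot_manifest_create() {
    bc_dir=$1; bc_out=$2
    ( cd "$bc_dir" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort > "$bc_out"
}

# boot_manifest_verify DIR MANIFEST: rescan DIR and compare against MANIFEST.
# Prints one line per difference; returns 0 when identical, 1 otherwise.
boot_manifest_verify() {
    bv_dir=$1; bv_manifest=$2; bv_rc=0
    bv_current=$(mktemp)
    boot_manifest_create "$bv_dir" "$bv_current"
    if ! cmp -s "$bv_manifest" "$bv_current"; then
        bv_rc=1
        # Lines only in the saved manifest: files removed or whose content changed.
        LC_ALL=C comm -23 "$bv_manifest" "$bv_current" | sed 's/^/missing or changed: /'
        # Lines only in the fresh scan: files added or whose content changed.
        LC_ALL=C comm -13 "$bv_manifest" "$bv_current" | sed 's/^/new or changed:     /'
    fi
    rm -f "$bv_current"
    return $bv_rc
}

# Demo on a constructed fake /boot in a temp dir (sample data, not a real system).
demo() {
    fake_boot=$(mktemp -d); manifest=$(mktemp)
    printf 'kernel-image\n' > "$fake_boot/vmlinuz"
    printf 'initramfs\n' > "$fake_boot/initrd"
    boot_manifest_create "$fake_boot" "$manifest"
    boot_manifest_verify "$fake_boot" "$manifest" && echo "clean: /boot matches manifest"
    # Simulate a modified initrd, the kind of change an unencrypted /boot cannot prevent.
    printf 'initramfs-modified\n' > "$fake_boot/initrd"
    boot_manifest_verify "$fake_boot" "$manifest" || echo "ALERT: /boot differs from manifest"
    rm -rf "$fake_boot" "$manifest"
}

demo
```

Run the create step once after each kernel or initrd update from the booted, unlocked system, and the verify step early after unlocking the root volume; a non-zero return is the signal to investigate before trusting the machine.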