From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-user+bounces-140967-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id EE7A5138010
	for <garchives@archives.gentoo.org>; Tue,  4 Sep 2012 19:20:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 62229E052E;
	Tue,  4 Sep 2012 19:19:28 +0000 (UTC)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25])
	by pigeon.gentoo.org (Postfix) with ESMTP id 827E0E064B
	for <gentoo-user@lists.gentoo.org>; Tue,  4 Sep 2012 18:59:44 +0000 (UTC)
Received: from compute2.internal (compute2.nyi.mail.srv.osa [10.202.2.42])
	by gateway1.nyi.mail.srv.osa (Postfix) with ESMTP id 38527209EF
	for <gentoo-user@lists.gentoo.org>; Tue,  4 Sep 2012 14:59:44 -0400 (EDT)
Received: from frontend1.nyi.mail.srv.osa ([10.202.2.160])
  by compute2.internal (MEProxy); Tue, 04 Sep 2012 14:59:44 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=binarywings.net;
	 h=message-id:date:from:mime-version:to:subject:references
	:in-reply-to:content-type; s=mesmtp; bh=YsHL9Ok6xhkN10Mz61hi6Z6S
	Ezo=; b=IXoS57VWxXJcg4hDHA5uQIoG2Y1rqkJDr/wdAmshkBAG4am1dmPDp1tG
	Rlg26BU+ViPgUHKYOKFChVNzfQn5F5J1PpBYL6gllT/n5Sk4R2tzYI47897jQvT+
	Vx3wCZcyzfXd2p1rmpexvDfBzNv3dOjZe/vPWnuKu+j9GM/e2YU=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=
	messagingengine.com; h=message-id:date:from:mime-version:to
	:subject:references:in-reply-to:content-type; s=smtpout; bh=YsHL
	9Ok6xhkN10Mz61hi6Z6SEzo=; b=JzY8YkpDhg0QiR+3DszeSk2ENqlcZNow0vsj
	3/duNkBPl02DXeXmTZKP3NkGTCrPo3JH7Tt6DMXHnj+6edyGazhqzS8tnFR/vmQS
	gzjmbY7fE5SHw0lungVNRT2byF6ivFUMflN4RC1eOgzwQxoFtjbONInCZUADOFdp
	8YYN66A=
X-Sasl-enc: s1g3Q5VpkEKpFOPp+eLaRuxc6W4Q7Ev/qt81HS+7jCvO 1346785182
Received: from [10.198.57.214] (unknown [46.115.36.57])
	by mail.messagingengine.com (Postfix) with ESMTPA id 620538E03C1
	for <gentoo-user@lists.gentoo.org>; Tue,  4 Sep 2012 14:59:42 -0400 (EDT)
Message-ID: <50464F96.4070508@binarywings.net>
Date: Tue, 04 Sep 2012 20:59:34 +0200
From: Florian Philipp <lists@binarywings.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.6esrpre) Gecko/20120804 Thunderbird/10.0.6
Precedence: bulk
List-Post: <mailto:gentoo-user@lists.gentoo.org>
List-Help: <mailto:gentoo-user+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-user+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-user+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-user.gentoo.org>
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
References: <trinity-d4c8875e-6af1-4873-9151-83c82e7599a8-1346703623543@3capp-webde-bs27> <trinity-aebe8c59-aa7a-40ec-b60b-ae9e5d9f11e7-1346704595742@3capp-webde-bs27>, <504518A3.7000207@binarywings.net> <trinity-f7c5ffa7-f823-43b1-bfbf-b4a799518634-1346707396655@3capp-webde-bs10>
In-Reply-To: <trinity-f7c5ffa7-f823-43b1-bfbf-b4a799518634-1346707396655@3capp-webde-bs10>
X-Enigmail-Version: 1.3.5
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enigF1989018D2782782ACFA033A"
X-Archives-Salt: a095b836-aeb0-45f1-8526-44bc33540256
X-Archives-Hash: 8151bdebfe79e39042ef50aa3d36711d

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigF1989018D2782782ACFA033A
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Am 03.09.2012 23:23, schrieb "Roland H=C3=A4der":
>=20
>> No comment on dracut as I have no experience with it.
> Okay, so I have to try it out myself. When I found something out, I
> expand the wiki with it.
>=20
>>=20
>> However, as I see it, you need no key file if you just use a pass=20
>> phrase. In my opinion, a key file is only necessary for two
>> improvements:
> Entering just a pass phrase means that this pass phrase will be used
> to decrypt the device, if you decrypt a key before and then with that
> key decrypt all your volumes you have a much better security because
> that key will then be used as 'pass phrase' which is *way* much
> stronger (4096+ chars + ~10-20 chars you can remember).
>=20

That's not exactly how it works.

1. An attacker could still simply break the pass phrase used to encrypt
the key file.

2. You don't actually weaken the encryption of your disk if you use a
small key (besides the obviously easier guessing of the key). The actual
encryption key is generated from the pass phrase (or key file) by a hash
function (default: SHA-1). This always expands or compresses your key to
the key size defined when issuing `cryptsetup luksFormat`.

>>=20
>> 1. Two-factor authentication (read: encrypted key file)
>>=20

This is what makes a key file better and more secure. The attacker not
only needs a pass phrase /or/ a memory stick; he needs both.

>> 2. Avoiding re-typing the pass phrase for multiple dmcrypt
>> partitions
> See above. :)
>=20
>> You can easily achieve the second point by putting an unencrypted
>> key file on the first partition which you encrypt with a pass
>> phrase. You don't even need dracut for this, /etc/conf.d/dmcrypt
>> lets you configure it easily (as long as it doesn't affect /usr).
> Okay, I look into this.
>=20
>>=20
>> However, I personally find it easier to put LVM on a single
>> dmcrypt volume and be done this. All you need for this to work are
>> two lines in /etc/rc.conf: rc_dmcrypt_before=3D"lvm"=20
>> rc_dmcrypt_after=3D"udev"
> I'm new to LVM, does it setup key-based encryption (best is to put
> that key on an USB stick, so the attacker needs my stick).
>=20
> Regards, Roland
>=20


I guess I didn't make myself clear. Mostly because I didn't want to
write a whole article on it before someone actually showed interest in
this. Anyway:

LVM has nothing to do with the encryption. It is just a way to partition
a single dmcrypt partition into more devices. Maybe it gets clearer if I
show my partitioning scheme (shortened a bit and with some artistic
liberties):

/dev/sda1          # /boot
/dev/sda2          # root + /usr + /etc
/dev/sda3         -> /dev/mapper/crypt # dmcrypt partition
/dev/mapper/crypt -> vg_notebook       # LVM volume group on dmcrypt
vg_noteboot       -> /dev/mapper/vg_notebook-var  # /var
vg_noteboot       -> /dev/mapper/vg_notebook-home # /home
vg_noteboot       -> /dev/mapper/vg_notebook-swap # swap
vg_noteboot       -> /dev/mapper/vg_notebook-opt  # /opt
vg_noteboot       -> /dev/mapper/vg_notebook-usr-local # /usr/local


You see, it is just an alternative to different approaches on getting
several parts of your file system encrypted without having to enter pass
phrases for several dmcrypt partitions. Alternatives are

1. Put an unencrypted key file on the first encrypted partition.
2. Use a single file system on a single dmcrypt partition and then
`mount --bind` or `ln -s` parts of it in different places.

For me personally, it is a nice compromise as it allows me to work
without an initrd while still keeping most of my file systems encrypted.
I just have to make sure to leave nothing private on root, /usr or /etc.

Regards,
Florian Philipp


--------------enigF1989018D2782782ACFA033A
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlBGT5oACgkQqs4uOUlOuU9HLgCeOwyZsV5wqF/b/3n7IntVJOzp
dnEAn2FNxH/FCYCQhk4Npvo+TzdSy1bx
=EV/K
-----END PGP SIGNATURE-----

--------------enigF1989018D2782782ACFA033A--