From: Florian Philipp <lists@binarywings.net>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
Date: Tue, 04 Sep 2012 21:09:51 +0200	[thread overview]
Message-ID: <504651FF.9000506@binarywings.net> (raw)
In-Reply-To: <CA+czFiBuZanp5qppf38WXp7E7mQvvhrrzyuCQ6n_tgphOt9NWA@mail.gmail.com>


On 04.09.2012 20:27, Michael Mol wrote:
> On Tue, Sep 4, 2012 at 2:18 PM, Florian Philipp <lists@binarywings.net> wrote:
>> On 04.09.2012 19:37, Hinnerk van Bruinehsen wrote:
>>> On 04.09.2012 15:48, "Roland Häder" wrote:
>>>> I think I made a (tolerable) mistake:
>>>
>>>> My hard drive has two partitions:
>>>> - sda1 - encrypted swap
>>>> - sda2 - encrypted root
>>>
>>>> How should it boot? One way could be by external media (e.g.
>>>> stick), other is from hard drive. But that is encrypted. So I must
>>>> leave a small area left for kernel, initrd, System.map and maybe
>>>> config.
>>>
>>>> So the page at [1] is a little wrong because it misses the boot
>>>> partition, so the new layout should be:
>>>> - sda1 - unencrypted boot (/boot) partition
>>>> - sda2 - encrypted swap (at least twice your RAM) (crypt-swap)
>>>> - sda3 - encrypted root (crypt-root)
>>>
>>>> Can someone update this?
>>>
>>>> Regards, Roland
>>>
>>>> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
>>>
>>>
>>> In theory grub2 is able to open a luks-encrypted volume though it
>>> seems to have some disadvantages: you'll need to enter the passphrase
>>> (or pass the keyfile) two times, because grub itself needs to decrypt
>>> the volume to get the later stages from the encrypted volume and
>>> afterwards the decryption in the boot process itself takes place.
>>>
>>> I can't give any real advice about it though, because I use an
>>> unencrypted boot partition. Depending on your needs it could be an
>>> increase of security, because you can stop an attacker from injecting
>>> malicious code into your kernel (or replace it completely).
>>>
>>> WKR
>>> Hinnerk
>>
>>
>> For personal use, I see no point in using an encrypted boot partition.
>> An attacker needs physical or root access to change the kernel or initrd
>> in order to get to your encrypted data. In both cases, you are hosed
>> anyway (keyloggers, etc.).
> 
> Now you've got me pondering cryptographically-verified input devices.
> But perhaps a paired USB key fob with a challenge/response setup would
> be reasonable.
> 
> 

Don't forget to look for hidden cameras or telescopes pointed at nearby
windows. You also have to worry about the characteristic electromagnetic
interference caused by your input devices (you don't need to wear a
tinfoil hat but maybe your keyboard should ;-) ).

Once you start to worry, there is no end.

This seems to be of interest:
http://news.cnet.com/8301-10784_3-9741357-7.html

But this should not be forgotten, either:
http://xkcd.com/538/

Regards,
Florian Philipp
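One way to act on the point raised above about an attacker swapping the kernel or initrd on the unencrypted /boot, as an added example that is not code from anyone in this thread: hash every file under /boot while the system is known-good, keep that baseline on the encrypted root, and compare against a fresh scan on every boot. The hypothetical demo() builds a constructed fake /boot in a temporary directory; its file names are made up.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: str | Path) -> dict[str, str]:
    """Return {relative path: sha256 hex} for every regular file under root."""
    root = Path(root)
    digests: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:  # chunked: kernels and initrds can be large
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every difference between the stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed walk-through: baseline a fake /boot, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        boot = Path(tmp) / "boot"
        (boot / "grub").mkdir(parents=True)
        (boot / "vmlinuz").write_bytes(b"kernel image (constructed)")
        (boot / "initramfs").write_bytes(b"initrd (constructed)")
        (boot / "grub" / "grub.cfg").write_text("set root=(hd0,1)\n")
        baseline = hash_tree(boot)  # taken while the system is known-good
        # Simulate the concern: a replaced kernel plus an unexpected extra file.
        (boot / "vmlinuz").write_bytes(b"kernel image (modified)")
        (boot / "extra.mod").write_bytes(b"unexpected")
        return compare(baseline, hash_tree(boot))
```

Store the baseline somewhere only readable after the root volume is unlocked, since a baseline kept on /boot itself could be rewritten together with the kernel.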

