From: Florian Philipp
Date: Tue, 04 Sep 2012 21:09:51 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
Message-ID: <504651FF.9000506@binarywings.net>
References: <504518A3.7000207@binarywings.net> <50463C4C.6040602@fu-berlin.de> <50464606.5050404@binarywings.net>

On 04.09.2012 20:27, Michael Mol wrote:
> On Tue, Sep 4, 2012 at 2:18 PM, Florian Philipp wrote:
>> On 04.09.2012 19:37, Hinnerk van Bruinehsen wrote:
>>> On 04.09.2012 15:48, "Roland Häder" wrote:
>>>> I think I made a (tolerable) mistake:
>>>>
>>>> My hard drive has two partitions:
>>>> - sda1 - encrypted swap
>>>> - sda2 - encrypted root
>>>>
>>>> How should it boot? One way could be by external media (e.g.
>>>> stick), the other is from the hard drive. But that is encrypted. So I
>>>> must leave a small area for kernel, initrd, System.map and maybe
>>>> config.
>>>>
>>>> So the page at [1] is a little wrong because it misses the boot
>>>> partition, so the new layout should be:
>>>> - sda1 - unencrypted boot (/boot) partition
>>>> - sda2 - encrypted swap (at least double your RAM) (crypt-swap)
>>>> - sda3 - encrypted root (crypt-root)
>>>>
>>>> Can someone update this?
>>>>
>>>> Regards, Roland
>>>>
>>>> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
>>>
>>> In theory grub2 is able to open a LUKS-encrypted volume, though it
>>> seems to have some disadvantages: you'll need to enter the passphrase
>>> (or pass the keyfile) two times, because grub itself needs to decrypt
>>> the volume to get the later stages from the encrypted volume, and
>>> afterwards the decryption in the boot process itself takes place.
>>>
>>> I can't give any real advice about it though, because I use an
>>> unencrypted boot partition. Depending on your needs it could be an
>>> increase in security, because you can stop an attacker from injecting
>>> malicious code into your kernel (or replacing it completely).
>>>
>>> WKR
>>> Hinnerk
>>
>> For personal use, I see no point in using an encrypted boot partition.
>> An attacker needs physical or root access to change the kernel or initrd
>> in order to get to your encrypted data. In both cases, you are hosed
>> anyway (keyloggers, etc.).
>
> Now you've got me pondering cryptographically-verified input devices.
> But perhaps a paired USB key fob with a challenge/response setup would
> be reasonable.

Don't forget to look for hidden cameras or telescopes pointed at nearby
windows. You also have to worry about the characteristic electromagnetic
interference caused by your input devices (you don't need to wear a
tinfoil hat but maybe your keyboard should ;-) ). Once you start to
worry, there is no end.

This seems to be of interest:
http://news.cnet.com/8301-10784_3-9741357-7.html

But this should not be forgotten, either:
http://xkcd.com/538/

Regards,
Florian Philipp
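The thread leaves the unencrypted /boot partition in place and accepts that whoever can write to it can swap the kernel or initrd. A cheap mitigation that is still worth having is to record checksums of /boot from the running (decrypted) system and re-check them later, so that a modified or added file is at least noticed. The script below is an added example written for this page; it is not code from the thread, the Gentoo wiki, or any of the participants. The boot directory and manifest paths are parameters and the `/boot` and `/root/boot.sha256` locations in the usage comment are assumptions; it relies only on `sha256sum`, `find`, `sort`, `xargs` and `awk` from coreutils/BusyBox and assumes no whitespace in paths under the boot directory.

```shell
#!/bin/sh
# Added example, not code from the thread: fingerprint an unencrypted /boot
# (kernel, initrd, System.map, config) so that a later modification is at
# least detected. Keep the manifest on the encrypted root, not in /boot,
# otherwise whoever edits /boot can edit the manifest too.
# Assumes GNU or BusyBox coreutils (sha256sum, find, sort, xargs, awk) and
# that paths under the boot directory contain no whitespace.

# boot_manifest_create DIR MANIFEST
# Writes one "sha256  ./relative/path" line per regular file under DIR,
# in a stable, sorted order so two manifests of the same tree compare equal.
boot_manifest_create() {
    dir=$1
    manifest=$2
    ( cd "$dir" && find . -type f | LC_ALL=C sort | xargs -r sha256sum ) > "$manifest"
}

# boot_manifest_verify DIR MANIFEST
# Returns 0 only if every recorded file still has its recorded hash AND the
# set of regular files under DIR is unchanged: a file that was added since
# the manifest was written (e.g. a second initrd) is reported as a failure,
# not just a file whose content changed.
boot_manifest_verify() {
    dir=$1
    manifest=$2
    # 1. Content check: sha256sum -c re-hashes every listed file relative to DIR.
    ( cd "$dir" && sha256sum -c --quiet - ) < "$manifest" >/dev/null 2>&1 || return 1
    # 2. Set check: the current sorted file list must equal the recorded one.
    current=$( cd "$dir" && find . -type f | LC_ALL=C sort )
    recorded=$( awk '{ print $2 }' "$manifest" )
    [ "$current" = "$recorded" ]
}

# Usage sketch for the sda1/sda2/sda3 layout discussed above (paths are assumptions):
#   boot_manifest_create /boot /root/boot.sha256    # after each kernel/initrd update
#   boot_manifest_verify /boot /root/boot.sha256 \
#       || echo "WARNING: /boot changed since the last manifest" >&2
```

Run `boot_manifest_create` right after every legitimate kernel or initrd update and `boot_manifest_verify` early in the boot of the decrypted system (or from a cron job). It does not prevent tampering, and it runs only after the possibly modified kernel has already executed, so it detects rather than blocks; that is the trade-off the thread describes for an unencrypted /boot.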