From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
In-Reply-To: <20120904221025.4ea720a9@hactar.digimed.co.uk>
References: <504518A3.7000207@binarywings.net> <50464F96.4070508@binarywings.net> <20120904211426.3acc7267@hactar.digimed.co.uk> <50466853.5070704@binarywings.net> <20120904221025.4ea720a9@hactar.digimed.co.uk>
List-Id: Gentoo Linux mail
User-Agent: K-9 Mail for Android
From: Samurai
Date: Wed, 05 Sep 2012 00:03:09 +0200
To: gentoo-user@lists.gentoo.org
Message-ID: <8921b86c-9331-4c87-a4f2-4e6726c751d0@email.android.com>

To add my 2¢: I have 3 working setups almost completely done by this guide: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS . It results in either an unencrypted /boot on the drive or booting from a stick. The resulting layout is the following:

/dev/sda1  /boot
/dev/sda2  dm-crypt container with an LVM VG on top of it

In the VG are: vg-root, vg-swap, vg-home

All you need is to build an initramfs and pass it as an argument to a preconfigured kernel (with the needed encryption and hash algorithms built in).

The initramfs scripts are on GitHub here: https://github.com/tokiclover/mkinitramfs-ll

Hope it helps; if not, contact me (the first time, I needed to reinstall the system three times before a successful boot, but at that time I was a complete noob in Gentoo).

S

Neil Bothwick wrote:
>On Tue, 04 Sep 2012 22:45:07 +0200, Florian Philipp wrote:
>
>> >> I just have to make sure to leave nothing private on root, /usr
>> >> or /etc.
>> >
>> > Like your passwd and shadow files?
>>
>> *g*, good point. However, I'm willing to take the risk on just these
>> two: passwd doesn't contain anything of considerable interest. shadow
>> contains exactly two passwords, both as sha256-sums (or similar, did not
>> really check). The passwords themselves are in excess of 90 bit entropy,
>> depending on how you estimate it.
>>
>> Most of the rest which might be of interest and is usually in /etc can
>> be symlinked there from a safe location in /var.
>
>I used to do that, but as the number of sensitive directories grew -
>samba, wicd, etc. - I decided it was less hassle to set up an encrypted /
>and forget about it.
>
>
>--
>Neil Bothwick
>
>When you go to court you are putting yourself in the hands of 12 people
>that were not smart enough to get out of jury duty.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
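As an added example (not part of this thread and not from the mkinitramfs-ll project): a POSIX sh check, run after boot, that walks the device stack reported by lsblk and lists every mounted filesystem or active swap that does not sit on a dm-crypt layer, so a layout like the one above can be verified to leave only /boot in the clear. It assumes lsblk supports -P output and the PKNAME (parent device) column; the mapping name "cryptlvm" and the sample lines are constructed.

```shell
#!/bin/sh
# Verify that every mounted filesystem and active swap sits on a dm-crypt
# device, with an allow-list for what may stay in the clear (here /boot).
# Input: output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` on stdin
# (that column order is assumed; PKNAME is the parent device's name).

# Print "MOUNTPOINT NAME" for each mounted device with no dm-crypt ancestor.
unencrypted_mounts() {
  awk -F'" ' '
  {
    # Strip the KEY=" prefixes and the final quote: $1..$5 become bare values.
    for (i = 1; i <= NF; i++) { sub(/^[A-Z]+="/, "", $i); sub(/"$/, "", $i) }
    type[$1] = $2; mount[$1] = $4; parent[$1] = $5
  }
  END {
    for (dev in mount) {
      if (mount[dev] == "") continue
      enc = 0
      # Walk up the stack (lvm -> crypt -> part -> disk) looking for a crypt layer.
      for (p = dev; p != ""; p = parent[p]) if (type[p] == "crypt") enc = 1
      if (!enc) print mount[dev] " " dev
    }
  }' | sort
}

# check_layout [allowed mountpoint ...]: returns 0 if nothing else is unencrypted.
check_layout() {
  bad=$(unencrypted_mounts | while read -r mp dev; do
    ok=0
    for a in "$@"; do if [ "$a" = "$mp" ]; then ok=1; fi; done
    [ "$ok" -eq 1 ] || echo "UNENCRYPTED: $mp on $dev"
  done)
  [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Constructed sample of the layout in the post: plain /boot on sda1, LUKS on
# sda2 opened as "cryptlvm", LVM with root/swap/home inside it.
GOOD_LAYOUT=$(cat <<'EOF'
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext2" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptlvm" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptlvm"
NAME="vg-swap" TYPE="lvm" FSTYPE="swap" MOUNTPOINT="[SWAP]" PKNAME="cryptlvm"
NAME="vg-home" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="cryptlvm"
EOF
)
# Constructed counter-example: /home on a plain partition outside the container.
BAD_LAYOUT=$(printf '%s\n' "$GOOD_LAYOUT" | sed 's|^NAME="vg-home".*|NAME="sda3" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/home" PKNAME="sda"|')
# Live use: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | check_layout /boot
```

Against the sample, `printf '%s\n' "$BAD_LAYOUT" | check_layout /boot` prints `UNENCRYPTED: /home on sda3` and exits 1, while the post's layout passes with only /boot allowed.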