References: <ddcf7e41-ef39-eae8-ba36-82efc057a1ee@gmail.com>
In-Reply-To: <ddcf7e41-ef39-eae8-ba36-82efc057a1ee@gmail.com>
From: "Sebastiaan L. Zoutendijk" <slzoutendijk@gmail.com>
Date: Sat, 6 Jun 2020 20:21:45 +0000
Message-ID: <CADiAjt3EYE3-qK7VOdfD0byK+sJDbPq1_S0-8Nv5rXP0-quS-w@mail.gmail.com>
Subject: Re: [gentoo-user] Encrypting a hard drive's data. Best method.
To: gentoo-user@lists.gentoo.org

Dear Dale,

    On Friday 5 June 2020, 11.37pm -0500, Dale wrote:

> Is this a secure method or is there a more secure way?  Is there any
> known issues with using this?  Anyone here use this method?  Keep in
> mind, LVM.  BTFRS, SP?, may come later.

    Another thing to keep in mind: if you only encrypt your /home, it is
possible that some data leak out of the encrypted volume. For example,
if you use swap, then the decrypted contents of /home residing in RAM
can be swapped out. If you want to protect yourself against that, you
will need to encrypt the swap volume as well. The same could happen with
temporary files, so /tmp and /var/tmp might also need special treatment.
Aside from encrypting, tmpfs is another possibility here.
    This problem is similar, but slightly different, to that described
by J. Roeleveld. Here I am talking about the contents of your files
leaking, instead of the LUKS keys.
    If you are going to encrypt multiple filesystems, you can either
make separate LUKS volumes for each of them (each LUKS volume being
inside a partition or LVM volume, for example), or you can create one
LUKS volume with several LVM volumes inside.

                                                              Sincerely,

                                                                 Bas


--
Sebastiaan L. Zoutendijk | slzoutendijk@gmail.com
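
A check for the leak paths described in the message above, as an added example that is not part of the original post: a POSIX shell audit reporting whether active swap areas and the filesystems holding /tmp and /var/tmp sit on a dm-crypt layer or on tmpfs. It assumes lsblk from util-linux; the function names and the sample lines at the end are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the leak paths named above (swap, /tmp, /var/tmp).
# Helpers read captured text on stdin, so they work on saved or live data.

# Input: `lsblk -rnspo NAME,TYPE <dev>` (the device and every layer below it).
# Prints "dm-crypt" if any layer is a dm-crypt mapping, else "no-dm-crypt".
stack_state() {
    awk '$2 == "crypt" { hit = 1 } END { print (hit ? "dm-crypt" : "no-dm-crypt") }'
}

# Input: /proc/swaps. Prints "<name> <type>" for each active swap area.
swap_areas() {
    awk 'NR > 1 { print $1, $2 }'
}

# Input: /proc/mounts. Prints "<source> <fstype>" of the filesystem that
# holds PATH: the longest mount point that is PATH or a parent of it.
mount_for() {
    awk -v p="$1" '
        $2 == "/" || $2 == p || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); out = $1 " " $3 }
        }
        END { print out }'
}

# Live audit of the running system (assumes lsblk from util-linux).
audit() {
    swap_areas < /proc/swaps | while read -r name type; do
        if [ "$type" = partition ]; then
            echo "swap $name: $(lsblk -rnspo NAME,TYPE "$name" 2>/dev/null | stack_state)"
        else
            echo "swap $name: swap file, check the filesystem that holds it"
        fi
    done
    for dir in /tmp /var/tmp; do
        set -- $(mount_for "$dir" < /proc/mounts)
        if [ "$2" = tmpfs ]; then
            echo "$dir: tmpfs (lives in RAM, can be paged out to swap)"
        else
            echo "$dir: $(lsblk -rnspo NAME,TYPE "$1" 2>/dev/null | stack_state) ($1, $2)"
        fi
    done
}

# Without --live, run on constructed sample lines instead of the real system.
if [ "${1:-}" = --live ]; then audit; else
    printf '/dev/sda2 part\n/dev/sda disk\n' | stack_state
    printf '/dev/sda3 / ext4 rw 0 0\n' | mount_for /tmp
fi
```

Run with `--live` as root or a user able to read block device information; a "no-dm-crypt" result for swap, /tmp or /var/tmp marks a place where contents of the encrypted /home can land in the clear.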