From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTPS id 38F5F139694; Thu, 25 May 2017 12:23:52 +0000 (UTC)
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
Sender: freemanrich@gmail.com
In-Reply-To: <20170525130407.64d28784@jupiter.sol.kaishome.de>
References: <20170524051002.12325.12B52329@matica.foolinux.mooo.com>
 <20170524053434.GA2656@anonymous>
 <20170524080033.19e66e6e@jupiter.sol.kaishome.de>
 <20170524182146.3926.2A178EC5@matica.foolinux.mooo.com>
 <20170525001645.9936124963aab1a259c9cf84@gentoo.org>
 <3294A185-6D02-49E3-B477-68FA53555898@antarean.org>
 <20170525130407.64d28784@jupiter.sol.kaishome.de>
From: Rich Freeman
Date: Thu, 25 May 2017 08:23:39 -0400
Subject: Re: [gentoo-user] Re: tmp on tmpfs
To: gentoo-user@lists.gentoo.org
Content-Type: text/plain; charset="UTF-8"

On Thu, May 25, 2017 at 7:04 AM, Kai Krakow wrote:
> On Thu, 25 May 2017 08:34:10 +0200, "J. Roeleveld" wrote:
>
>> It is possible. I have it set up like that on my laptop.
>> Apart from a small /boot partition, the whole drive is encrypted.
>> Decryption keys are stored encrypted in the initramfs, which is
>> embedded in the kernel.
>
> And the kernel is on /boot, which is unencrypted, so are your encryption
> keys. This is not much better, I guess...
>

Agree. There are only a few ways to do persistent encryption in a secure way:

1. Require entry of a key during boot, protected by lots of rounds to
   deter brute force.

2. Store the key on some kind of hardware token that the user keeps on
   their person.

3. Store the key in a TPM, protected either by:

   a. entry of a PIN/password of some sort, with protections on attempt
      frequency/total, or

   b. verification of the boot path (which should be possible with
      existing software on Linux, but I'm not aware of any distro that
      actually implements this).

If you don't have hibernation then you can just generate a random key on
boot, and that is very secure, but your swap is unrecoverable after
power-off.

Of the options above, 3b is the only one that really lets you do this
with the same level of convenience. This is how most full-drive
encryption solutions work in the Windows world.

Chromebooks use a variation on 3a, I believe, using your Google account
password as one component of the key and putting it through the TPM to
have a hardware component and to throttle attempts.

--
Rich
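The following is an added illustration of two of the models Rich lists (option 1, a passphrase run through a deliberately slow KDF, and option 3b, a key sealed to the measured boot path). It is not code from the mail, from Gentoo, or from any TPM stack: the TPM is modelled as a secret that never leaves the "chip", the PCR is a plain SHA-256 extend chain, the boot components are constructed byte strings, and the wrap primitive (hash-derived one-time pad plus HMAC tag for a fixed 32-byte key) stands in for a real AEAD such as AES-GCM. Standard library only.

```python
"""Miniature models of two of the key-protection options from the thread.

Option 1: the volume key is wrapped under a key derived from a passphrase
with an expensive KDF (scrypt), so every wrong guess costs real time.
Option 3b: the volume key is "sealed" to an expected boot-path measurement,
modelled as a TPM-style PCR (SHA-256 extend chain); the key unwraps only
when the replayed measurements reproduce the same PCR value.

Assumptions: the wrap primitive is a hash-derived one-time pad plus an HMAC
tag (encrypt-then-MAC) for a fixed 32-byte key, standing in for a real AEAD;
the TPM is modelled as a secret that never leaves the "chip"; boot
components are constructed byte strings.
"""
import hashlib
import hmac
import os

KEY_LEN = 32
NONCE_LEN = 16


def wrap_key(kek: bytes, volume_key: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte volume key under a 32-byte KEK."""
    if len(volume_key) != KEY_LEN:
        raise ValueError("volume key must be 32 bytes")
    nonce = os.urandom(NONCE_LEN)
    pad = hashlib.sha256(kek + nonce).digest()          # one-time keystream
    ct = bytes(a ^ b for a, b in zip(volume_key, pad))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Inverse of wrap_key; raises ValueError on a wrong KEK or a tampered blob."""
    nonce = blob[:NONCE_LEN]
    ct = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
    tag = blob[NONCE_LEN + KEY_LEN:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered blob")
    pad = hashlib.sha256(kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


# --- Option 1: passphrase + slow KDF ("lots of rounds") ---------------------
SCRYPT_N = 2 ** 14   # cost parameter; kept small for the demo, much higher in practice


def passphrase_kek(passphrase: str, salt: bytes) -> bytes:
    """Derive the wrapping key with scrypt; N sets how slow each guess is."""
    return hashlib.scrypt(passphrase.encode(), salt=salt,
                          n=SCRYPT_N, r=8, p=1, dklen=KEY_LEN)


# --- Option 3b: seal the key to the measured boot path ----------------------
def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR' = H(PCR || H(measurement)). Order matters."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a boot chain (firmware, bootloader, kernel, initramfs) into one PCR."""
    pcr = bytes(KEY_LEN)   # PCRs start at all zeros
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr


def seal_to_pcr(tpm_secret: bytes, expected_pcr: bytes, volume_key: bytes) -> bytes:
    """Bind the key to a PCR value: the KEK is reproducible only with that value."""
    kek = hmac.new(tpm_secret, b"seal|" + expected_pcr, hashlib.sha256).digest()
    return wrap_key(kek, volume_key)


def unseal_with_pcr(tpm_secret: bytes, current_pcr: bytes, blob: bytes) -> bytes:
    """Unseal with whatever this boot measured; fails if the boot path changed."""
    kek = hmac.new(tpm_secret, b"seal|" + current_pcr, hashlib.sha256).digest()
    return unwrap_key(kek, blob)


def demo():
    """Returns (passphrase_ok, wrong_passphrase_rejected, sealed_ok, tampered_boot_rejected)."""
    volume_key = os.urandom(KEY_LEN)

    # Option 1: the right passphrase recovers the key, a wrong one is rejected.
    salt = os.urandom(16)
    blob1 = wrap_key(passphrase_kek("correct horse battery", salt), volume_key)
    passphrase_ok = unwrap_key(passphrase_kek("correct horse battery", salt), blob1) == volume_key
    try:
        unwrap_key(passphrase_kek("hunter2", salt), blob1)
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True

    # Option 3b: the key unseals on the expected chain, not on an altered one.
    tpm_secret = os.urandom(KEY_LEN)   # constructed stand-in for the TPM's internal seed
    good_chain = [b"firmware-1.0", b"bootloader-1.0", b"kernel-4.9", b"initramfs-signed"]
    blob3 = seal_to_pcr(tpm_secret, measure_boot(good_chain), volume_key)
    sealed_ok = unseal_with_pcr(tpm_secret, measure_boot(good_chain), blob3) == volume_key
    tampered_chain = good_chain[:3] + [b"initramfs-modified"]   # one altered component
    try:
        unseal_with_pcr(tpm_secret, measure_boot(tampered_chain), blob3)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    return passphrase_ok, wrong_rejected, sealed_ok, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit is why 3b keeps the convenience of the "keys in the initramfs" setup without its weakness: nothing is typed at boot, but the unseal decision depends on the measured state, and the initramfs that carries the sealed blob is itself one of the measured components, so altering it changes the PCR and the blob no longer opens. A real TPM evaluates that policy inside the chip and the tpm_secret here is just a stand-in for that.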