From: "Roland Häder"
To: gentoo-user@lists.gentoo.org
Subject: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
Date: Mon, 3 Sep 2012 23:23:16 +0200 (CEST)
In-Reply-To: <504518A3.7000207@binarywings.net>

> No comment on dracut as I have no experience with it.

Okay, so I have to try it out myself. When I find something out, I'll expand the wiki with it.

> However, as I see it, you need no key file if you just use a pass
> phrase. In my opinion, a key file is only necessary for two improvements:

Entering just a pass phrase means that this pass phrase will be used to decrypt the device. If you decrypt a key before and then with that key decrypt all your volumes, you have much better security, because that key will then be used as the 'pass phrase', which is *way* stronger (4096+ chars + ~10-20 chars you can remember).

> 1. Two-factor authentication (read: encrypted key file)
> 2. Avoiding re-typing the pass phrase for multiple dmcrypt partitions

See above. :)

> You can easily achieve the second point by putting an unencrypted key
> file on the first partition which you encrypt with a pass phrase. You
> don't even need dracut for this, /etc/conf.d/dmcrypt lets you configure
> it easily (as long as it doesn't affect /usr).

Okay, I'll look into this.

> However, I personally find it easier to put LVM on a single dmcrypt
> volume and be done with this. All you need for this to work are two lines in
> /etc/rc.conf:
> rc_dmcrypt_before="lvm"
> rc_dmcrypt_after="udev"

I'm new to LVM; does it set up key-based encryption? (Best is to put that key on a USB stick, so the attacker needs my stick.)

Regards,
Roland
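The /etc/rc.conf and /etc/conf.d/dmcrypt setup that the quoted reply describes (plain key file on the pass-phrase-protected first partition, and the USB-stick variant Roland asks about), written out as an added example that is not part of the original thread; all device paths, key paths and the KEYSTICK label are assumptions:

```sh
# /etc/rc.conf (added example, not from the thread):
# open dmcrypt volumes after udev and before LVM scans for physical volumes.
rc_dmcrypt_before="lvm"
rc_dmcrypt_after="udev"

# /etc/conf.d/dmcrypt (added example; device and key paths are assumptions).
# Each 'target=' line starts a new volume entry.
#
# Case 1: the root volume (assumed /dev/sda2) is opened with a pass phrase by
# the initramfs and holds plain key files for the other partitions. The keys
# are read from the already-mounted root filesystem, so this only works for
# volumes that root itself does not depend on (hence "not /usr").
# Create each key once with something like:
#   dd if=/dev/urandom of=/etc/keys/home.key bs=512 count=8
#   chmod 600 /etc/keys/home.key      # readable by root only
target=crypt-home
source='/dev/sda3'
key='/etc/keys/home.key'

target=crypt-swap
source='/dev/sda4'
key='/etc/keys/swap.key'

# Case 2: the key lives on a removable device instead. The dmcrypt init
# script mounts 'remdev' and reads 'key' relative to that mount point, so the
# volume cannot be opened without the stick. The ':gpg' suffix marks the key
# file as GPG-encrypted, so a pass phrase is also asked to unwrap it
# (stick plus pass phrase = the two-factor point from the quoted list).
target=crypt-data
source='/dev/sda5'
key='/keys/data.key:gpg'
remdev='/dev/disk/by-label/KEYSTICK'
```

Without the ':gpg' suffix the key on the stick is used as-is, which gives the "no re-typing" convenience but not the second factor.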