From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt
Date: Sat, 8 Sep 2012 15:26:54 +0200 [thread overview]
Message-ID: <20120908132654.GB23589@tansi.org> (raw)
In-Reply-To: <20120908081338.GC1540@fancy-poultry.org>
On Sat, Sep 08, 2012 at 10:13:38AM +0200, Heinz Diehl wrote:
> On 06.09.2012, Arno Wagner wrote:
>
> > I was thinking about automatic swap set-up. If you do that
> > with a non-random key, you have to store it somewhere and that
> > will be a problem.
>
> I created my swap partiton while installing the distribution. The
> whole harddisk (laptop) is LUKS/dmcrypt encrypted. When I start up the
> machine, all I have to do is to provide the proper passphrase, and all
> my encrypted partitions will be unlocked, incl. swap.
>
> As far as I can see, dracut stores the passphrase in memory, unlocks
> the root-partition first, and runs the same passphrase on all the
> other LUKS-devices afterwards. I can't see how this procedure could be
> a problem related to swap, and why I maybe should choose a random key
> over a predefined one.
Swap can be encrypted with a one-time passphrase. This is more
secure as a constan passphrase. It can also be done
non-interactively. The (slight) security decrease when encrypting
swap with a static passphrase is that in the future you may still
find stuff in there if the passphrase gets compromised.
The point is that there is no reason to include swap in
a normal encryption scheme and doing it with a random passphrase
even increases security. In addition, encrypted swap can
be something you want on a system that does not encrypt anything
else.
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
next prev parent reply other threads:[~2012-09-08 13:26 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-22 12:10 [dm-crypt] Encrypt all partitions with dm-crypt Stayvoid
2012-08-22 12:24 ` Arno Wagner
2012-08-22 15:40 ` Stayvoid
2012-08-22 15:52 ` Heinz Diehl
2012-08-22 15:54 ` Matthew Monaco
2012-08-22 15:57 ` Javier Juan Martínez Cabezón
2012-08-23 7:28 ` Arno Wagner
2012-08-23 9:00 ` Christophe
2012-08-23 11:27 ` Arno Wagner
2012-08-23 14:12 ` Heinz Diehl
2012-08-23 15:10 ` Christophe
2012-08-23 16:07 ` Arno Wagner
2012-08-23 18:12 ` Milan Broz
2012-08-23 19:34 ` Arno Wagner
2012-08-24 14:01 ` Milan Broz
2012-08-24 14:40 ` Heinz Diehl
2012-08-24 15:14 ` Arno Wagner
2012-09-05 4:21 ` Stayvoid
2012-09-05 13:01 ` Arno Wagner
2012-09-06 12:54 ` Stayvoid
2012-09-06 16:46 ` Arno Wagner
2012-09-06 17:53 ` Heinz Diehl
2012-09-06 19:58 ` Arno Wagner
2012-09-07 16:10 ` Stayvoid
2012-09-07 19:04 ` Arno Wagner
2012-09-08 2:50 ` Stayvoid
2012-09-08 7:01 ` Milan Broz
2012-09-09 16:21 ` Stayvoid
2012-09-15 0:52 ` Stayvoid
2012-09-15 1:09 ` Matthew Monaco
2012-09-15 1:10 ` Matthew Monaco
2012-09-20 7:13 ` Stayvoid
2012-09-20 9:18 ` Javier Juan Martínez Cabezón
2012-09-21 5:01 ` Stayvoid
2012-09-21 10:01 ` Arno Wagner
2012-09-21 18:14 ` Stayvoid
2012-09-22 22:36 ` Stayvoid
2012-09-25 3:12 ` Stayvoid
2012-09-25 6:31 ` Matthew Monaco
2012-09-25 7:13 ` Stayvoid
2012-09-25 13:58 ` Stayvoid
2012-09-25 19:06 ` Matthew Monaco
2012-09-25 23:54 ` Stayvoid
2012-09-26 2:12 ` Matthew Monaco
2012-09-26 8:23 ` Stayvoid
2012-09-26 9:24 ` Matthew Monaco
2012-09-26 10:49 ` Stayvoid
2012-09-26 10:51 ` Stayvoid
2012-09-26 11:13 ` Matthew Monaco
2012-09-26 23:34 ` Stayvoid
2012-09-15 6:13 ` Javier Juan Martínez Cabezón
2012-09-08 8:13 ` Heinz Diehl
2012-09-08 13:26 ` Arno Wagner [this message]
2012-09-08 14:37 ` Heinz Diehl
2012-09-08 16:05 ` Arno Wagner
2012-09-08 16:39 ` Heinz Diehl
2012-09-08 19:36 ` Arno Wagner
2012-09-08 14:58 ` Marc MERLIN
2012-09-19 4:15 ` Two Spirit
2012-09-19 4:52 ` Javier Juan Martínez Cabezón
2012-09-19 5:13 ` Arno Wagner
2012-08-24 14:47 ` Arno Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120908132654.GB23589@tansi.org \
--to=arno@wagner.name \
--cc=dm-crypt@saout.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.