* [dm-crypt] Shipping/Cloning encrypted disks
@ 2017-05-18 13:26 vasili
2017-05-18 14:20 ` Arno Wagner
2017-05-18 18:24 ` Robert Nichols
0 siblings, 2 replies; 3+ messages in thread
From: vasili @ 2017-05-18 13:26 UTC (permalink / raw)
To: dm-crypt
[-- Attachment #1: Type: text/plain, Size: 1206 bytes --]
Hello,
I was thinking about a project which basically involves linux images with full disk encryption. The images should be shipped to or downloaded by multiple users. Since the end users are likely linux novices the setup should be as easy as possible.
At the moment I see two options.
1.: Filesystem image with non-encrypted boot and encrypted main filesystem.
The image should be dd'ed to a hdd or usb drive and resized to fill the whole drive. Then the master key will be changed with cryptsetup-reencrypt.
2.: Like 1 but the filesystem has also a non-encrypted main filesystem.
Encryption will be done either as described here: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encrypt_an_unencrypted_filesystem or with this tool : https://johannes-bauer.com/linux/luksipc
Currently I am strongly in favor of option 1 since it forces the end user to use full disk encryption. With option 2 it could just be skipped. Also the required effort seems to be the same for both options.
Is there anything else to consider for option 1? Is changing the master key enough? Best practices/build options for the encrypted filesystem?
Maybe an option 3 ... ?
Vasili
[-- Attachment #2: Type: text/html, Size: 1674 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dm-crypt] Shipping/Cloning encrypted disks
2017-05-18 13:26 [dm-crypt] Shipping/Cloning encrypted disks vasili
@ 2017-05-18 14:20 ` Arno Wagner
2017-05-18 18:24 ` Robert Nichols
1 sibling, 0 replies; 3+ messages in thread
From: Arno Wagner @ 2017-05-18 14:20 UTC (permalink / raw)
To: dm-crypt
You also need to change the passphrase(s) with option
1. or anybody with access to the default passhprase can
get in.
In principle, full-disk encryption is not more secure
against a competent attacker than data-partition only
encryption. The attack just takes a bit more effort
for FDE, like manipulating the kernel image or the
initrd. Of course, if logs or the like are confidental,
they need to go into the encrypted part.
Regards,
Arno
On Thu, May 18, 2017 at 15:26:02 CEST, vasili@keemail.me wrote:
> Hello,
> I was thinking about a project which basically involves linux images
> with full disk encryption. The images should be shipped to or
> downloaded by multiple users. Since the end users are likely linux
> novices the setup should be as easy as possible.
> At the moment I see two options.
> 1.: Filesystem image with non-encrypted boot and encrypted main
> filesystem.
> The image should be dd'ed to a hdd or usb drive and resized to
> fill the whole drive. Then the master key will be changed with
> cryptsetup-reencrypt.
> 2.: Like 1 but the filesystem has also a non-encrypted main filesystem.
> Encryption will be done either as described here:
> [1]https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encr
> ypt_an_unencrypted_filesystem or with this tool :
> [2]https://johannes-bauer.com/linux/luksipc
> Currently I am strongly in favor of option 1 since it forces the end
> user to use full disk encryption. With option 2 it could just be
> skipped. Also the required effort seems to be the same for both
> options.
> Is there anything else to consider for option 1? Is changing the master
> key enough? Best practices/build options for the encrypted filesystem?
> Maybe an option 3 ... ?
> Vasili
>
> References
>
> 1. https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encrypt_an_unencrypted_filesystem
> 2. https://johannes-bauer.com/linux/luksipc/
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dm-crypt] Shipping/Cloning encrypted disks
2017-05-18 13:26 [dm-crypt] Shipping/Cloning encrypted disks vasili
2017-05-18 14:20 ` Arno Wagner
@ 2017-05-18 18:24 ` Robert Nichols
1 sibling, 0 replies; 3+ messages in thread
From: Robert Nichols @ 2017-05-18 18:24 UTC (permalink / raw)
To: dm-crypt
On 05/18/2017 08:26 AM, vasili@keemail.me wrote:
> 1.: Filesystem image with non-encrypted boot and encrypted main filesystem.
> The image should be dd'ed to a hdd or usb drive and resized to fill the whole drive. Then the master key will be changed with cryptsetup-reencrypt.
That's going to take at least 3 times as long as it needs to. The cryptsetup-reencrypt operation is slow. Because it's reading and writing the same disk, it takes about 2X the time it took to copy the original image.
Format the LUKS destination container, then open the source and destination containers and "dd" from one to the other. You've already got a new master key and whatever passphrase you chose at the destination. You can resize the filesystem after you've done the copying.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-05-18 18:24 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-18 13:26 [dm-crypt] Shipping/Cloning encrypted disks vasili
2017-05-18 14:20 ` Arno Wagner
2017-05-18 18:24 ` Robert Nichols
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.