Mr. McGee: Mr. Mutz's commentary is not completely accurate in its basis for logic. After all, if one has three partitions, with three different pass phrases, with only one partition truly being the one with the data (/home, /usr and /), then we enhance the choice the would-be cracker must make in which partition to start with first. He also must then crack (perhaps) 3 pass phrases before he gets your data!

Lastly, if you use loop-aes, and encrypt the root partition, then the cracker must get access to root first, and then get access to the loop-aes file by breaking its pass phrase.

Sorry Mr. Mutz, but that doesn't sound like less security to me at all.

Very Respectfully,

Stuart Blake Tener, IT3, USNR-R, N3GWG
Beverly Hills, California
VTU 1904G (Volunteer Training Unit)
stuart@xxxxxxxxxxx
west coast: (310)-358-0202 P.O. Box 16043, Beverly Hills, CA 90209-2043
east coast: (215)-338-6005 P.O. Box 45859, Philadelphia, PA 19149-5859
Telecopier: (419)-715-6073 fax to email gateway via www.efax.com (it's free!)
JOIN THE US NAVY RESERVE, SERVE YOUR COUNTRY, AND BENEFIT FROM IT ALL.

Friday, October 05, 2001 11:40 PM

-----Original Message-----
From: owner-linux-crypto@xxxxxxxxxxxx [mailto:owner-linux-crypto@xxxxxxxxxxxx] On Behalf Of Rob McGee
Sent: Friday, October 05, 2001 11:31 PM
To: linux-crypto@xxxxxxxxxxxx
Subject: Re: encrypting the whole disk / all the data

On Fri, Oct 05, 2001 at 09:41:50PM +0200, Marc Mutz wrote:
> > Simple question: How do I guarantee that not a single bit of my
> > essential data is written non-crypted on my Linux (laptop-)box ?
> <snip>
> > Then root-filesystem.
>
> What for? Multiple GB's of almost-known plaintext encrypted under a
> single key just makes it easier for an attacker. You should only
> encrypt what's secret. Your /usr surely isn't!

That is a good point, but not the only way of looking at it. My thoughts in wanting to encrypt the root filesystem are that an attacker would have to spend a lot of energy to get at useless data.

I figure that the TLA's have taken multiple GB's of fully-known plaintext, and they have done a lot of research looking for ways to crack all the known algorithms. If that hasn't taught them how to do it, my /usr isn't going to help them. Or if it *has* worked and they know how to break my algorithm, they'll get my data anyway, and I might as well hide my needles[1] in a bigger haystack.

Rob - /dev/rob0

[1] No, there are no needles. :) For those of you who are not native English speakers, that is a common idiom to describe a difficult search.

Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/