John Maher wrote:
Marc Schwartz wrote:
Marc, thanks for your help.
Welcome.
I have not used the boot.cryptmap script on FC4. I have used the wiki
instructions here:
http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS
for setting up my encrypted partitions.
Yes, these instructions worked well for me too.
The information here:
http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedSwap
for setting up encrypted swap with a random boot key
I had not tried to encrypt swap. Except for highly secure systems, it
did not seem important to me. I, of course, could be wrong.
If you don't encrypt your swap partition, anything that you want to
protect which is in RAM (like a document or data file), will get written
to the swap partition in the clear, when there is a need to swap
physical memory to disk. That leaves that information vulnerable.
You do want to encrypt swap and there is a reasonable argument to be
made that if you don't, there is almost no point in encrypting /home.
and the script here:
http://www.saout.de/tikiwiki/tiki-index.php?page=luksopen
for boot time prompts for the passphrase to open the LUKS protected
partitions. Be sure to note my comment (#2) on the script relative to
the bash shell related issue. I put the script in /etc/rc.d/rc.local and
it works fine at boot.
I didn't notice in the luksopen information anything written about boot
time prompts for the passphrase. If you place /sbin/luksopen in
/etc/rc.d/rc.local (after ensuring luksopen is in /sbin), does the boot
process pause and prompt for a passphrase automatically?
That's the point of the luksopen script and putting it in
/etc/rc.d/rc.local. It will run before booting is finished on FC4 and
you will be prompted for the LUKS passphrase.
I saw the
luksopen script, but I was hesitant to place it in rc.local because I
thought that 'cryptsetup luksClose' needed to be executed before
shutting down, and I didn't see how that would happen. Any thoughts on
that?
There have been various discussions as to whether or not one needs to
unmount and close (unmap) the encrypted partitions prior to shutting
down. I have yet to see a definitive response from the list.
I would say that in general, doing that if you want to temporarily make
an encrypted partition not accessible, makes sense. For example, if you
have an external drive or USB stick that you only need on a temporary
basis. However, when you fully shut down, the volumes are unmounted and
the mapping is lost anyway.
Unless the LUKS close process wipes the passphrase and actual encryption
key from memory, then doing this prior to shutdown is not likely to help
prevent someone from reading any residual RAM imprints anyway. Unless
you are worried about a TLA getting your data, this should not be a concern.
HTH,
Marc
---------------------------------------------------------------------
- http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
