Re: dm-crypt with LUKS versus loop-AES multi-key v3

Michael,
Well, I am not a 'doctor' in encryption algorithms and stuff like this, but I do read :) From the stuff I've been reading, LUKS is way better than loop-AES, regarding the ESSIV (against watermark attacks and brute-force), and because of the fact that you can change your passphrase without re-encrypting the whole thing.

I use LUKS with cipher aes, mode cbc-essiv:sha256, but I do not use LVM.
For swap, I use blowfish-cbc-essiv:sha256 (a little faster than AES?) ...
I implement the whole thing using a different initrd, from the GRUB loader. I am thinking about implementing some plausible deniability, but I am not sure how. In my opinion, the main idea for a safe system is a strong passphrase. With LUKS you can use up to 8 .. or 16 (I am not sure) passphrases to decrypt the same device.

Again, in my opinion, it depends on WHAT you are protecting, and from WHO :)

Dan

Hello again,
I am protecting a few computers. One server and two almost identical
workstations.

The server encrypts directly to the hard drives, then has LVMv2 over
the top. This requires a boot disk (USB boot unsupported) to load the
encryption scheme, then perform:
lvm vgchange -ay
to detect the volume groups and be able to mount the root logical volume.

On the workstations, since I run Windows and Linux as dual boot, I use
a boot disk again (was storing my keys on the disk) and mount the
encrypted system. I was mounting three partitions with three separate
keys, but I might convert to one key and use LVM. Anyway, I then mount
the root filesystem and boot it. The boot process can take care of
mounting the other drives.

Since I was using loop-AES, I was storing the keys away from the
system and keeping the keys physically secure. Having the keys on disk
means that the encryption is only as good as the password (which I do
choose carefully). Off disk keys means that an attacker without the
keys will need to resort to brute force, which is far too difficult.

Now that I know the USB stick will store the keys off disk (I believe
that is what you were getting at Dan), I will opt to use that for
additional security. In any case, I will either need a small boot
partition, or I will need to use a boot disk. Boot disk is my
preferred option. I assume that I can store the keys on the boot disk,
and not need a USB specifically for the job of storing the keys off
disk.

Thanks again for the help. Mark this thread as solved if it's possible.
dm-crypt with LUKS here I come.

---------------------------------------------------------------------
 - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx



