To Arno: I tried first a regular LUKS partition as swap with passphrase. This of course worked. I assume that Arno Wagner's comment, "Always /dev/random, unless you have a low-entropy scenario", is for the general understanding that urandom is not random but bound to predictable math calculation. Or does Arno Wagner mean: opposed to a passphrase? In the last instance it is of course safer with /dev/random, since nobody has read the output of that block file except the machine (Rechner) itself. So far my understanding, if it is right.

To change from passphrase to /dev/random I experienced that the partition had to be zeroed with dd. Else it seemed like the LUKS header was read and asked for a passphrase, which did not work, and at the same time rejected the non-regular file /dev/random with a message about that matter. This of course is consistent with the mechanism of the LUKS extension mentioned under "DESCRIPTION" at a site like: http://pwet.fr/man/linux/formats/crypttab

But I could get hold of the swap by:

  cryptsetup -d /dev/random create _swap /dev/hdc11
  mkswap /dev/mapper/_swap
  swapon -a

But not with restart before or after this event, just by changing the files to:

/etc/crypttab (1):
  _swap /dev/hdc11 /dev/random swap,cipher=aes-cbc-essiv:sha256

/etc/fstab:
  dev/mapper/_swap swap swap defaults 0 0

But re-editing the tab files to

/etc/crypttab (2):
  _swap /dev/hdc11 none swap

and restarting the machine again, I got hold of the swap partition with the previous passphrase like before, so mkswap probably does not overwrite the 592-byte LUKS header and the AF-split keys(?). Or is there another explanation for this, like with /dev/mapper/_swap, or that the swap had not yet at that moment come into use, so I was just lucky?

QUESTION: Would it suffice to erase the LUKS magic with

  dd if=/dev/zero of=/dev/hdc11 bs=1 count=6

to make the crypttab and fstab work without zeroing out the partition first?

IN ALL: The swap, after zeroing the partition in question with dd, works with the crypttab (1) above, and as follows there IS sufficient entropy available to make up a key, so far. As to the config of fstab and crypttab I followed the assignment from this site: https://www.antagonism.org/privacy/encrypted-swap-linux.shtml

QUESTION: But in case I would have to use a seed, how is this done? Especially with an UPDATED seed? This I do not know.

To Heinz: Would not a pre-generated keyfile need to be opened by a passphrase?

(Off the subject, to Heinz Diehl: I hear you are a well-reputed manager at the nursing home (bestyrer at sjukeheimen), and that you impressively learned the language BEFORE entering the country. And further: have you forgotten your German after so many years in that country?)

Si St

____________________________________________________________________________
From: "Heinz Diehl" <htd@xxxxxxxxxxxxxxxxx>

On 19.04.2010, Si St wrote:

> I am thinking about a potential crash and the consequences if the
> swap partition has to be used for rebuild of something. Then a
> /dev/random or if necessary /dev/urandom would not be so good.

In this case, the only way to go is to have a passphrase; a randomly generated key means you're locked out after the partition is closed.

Another possibility, if this sounds acceptable for you, is to pre-generate a keyfile which resides on the root partition (and you keep a backup of it in a safe place somewhere outside this machine), which is then used to automatically unlock the swap partition in the boot process.

---------------------------------------------------------------
From: "Arno Wagner" <arno@xxxxxxxxxxx>

On Mon, Apr 19, 2010 at 05:37:45PM +0100, Si St wrote:

> What should be recommended:
>
> To apply either /dev/random or a passphrase for the establishment of a
> keyfile to a swap partition?

Always /dev/random, unless you have a low-entropy scenario, in which you may have to combine it with a stored and updated seed.

> I am thinking about a potential crash and the consequences if the swap
> partition has to be used for rebuild of something. Then a /dev/random or
> if necessary /dev/urandom would not be so good.

The swap partition is not used in reconstructing things under Linux.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
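A check for the situation described in the thread (a swap signature written by mkswap sitting next to a LUKS header that was never wiped), added here as an example; it is not code from the thread or from cryptsetup. It assumes a LUKS1 header (magic at offset 0, 592 bytes long) and a 4 KiB page size, and it runs on a constructed image file rather than a real partition; the magic-only check mirrors what overwriting the first 6 bytes would hide, while has_header_residue shows what that leaves behind.

```shell
#!/bin/sh
# Added example, not from the thread: inspect whether a device or image
# still carries a LUKS1 header and/or a Linux swap signature. Assumes the
# LUKS1 magic "LUKS" 0xBA 0xBE at offset 0 (592-byte header) and a 4 KiB
# page size, so mkswap's "SWAPSPACE2" signature sits at offset 4096 - 10.
set -eu

LUKS_MAGIC_HEX='4c554b53babe'          # "LUKS" 0xBA 0xBE
LUKS_HDR_LEN=592
SWAP_SIG_OFFSET=4086
SWAP_SIG_HEX='53574150535041434532'    # "SWAPSPACE2"

# hexat FILE OFFSET COUNT: print COUNT bytes at OFFSET as one hex string.
hexat() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# True when the first 6 bytes are the LUKS magic (what cryptsetup keys on).
has_luks_magic() { [ "$(hexat "$1" 0 6)" = "$LUKS_MAGIC_HEX" ]; }

# True when the swap signature is present at the end of the first page.
has_swap_sig() { [ "$(hexat "$1" "$SWAP_SIG_OFFSET" 10)" = "$SWAP_SIG_HEX" ]; }

# True when anything non-zero remains in the header area after the magic:
# zeroing just 6 bytes hides the header from detection but leaves the rest
# (version, cipher fields, key-slot metadata) on disk.
has_header_residue() {
    hexat "$1" 6 $((LUKS_HDR_LEN - 6)) | grep -q '[1-9a-f]'
}

# device_state FILE: one word, luks / swap / both / none. "both" is the
# thread's situation: mkswap wrote its signature, LUKS header stayed intact.
device_state() {
    l=0; s=0
    has_luks_magic "$1" && l=1
    has_swap_sig "$1" && s=1
    case "$l$s" in
        11) echo both ;; 10) echo luks ;; 01) echo swap ;; *) echo none ;;
    esac
}

# make_test_image FILE: constructed 8 KiB image carrying only the markers
# the checks above look at (LUKS magic + version 0x0001, swap signature).
make_test_image() {
    dd if=/dev/zero of="$1" bs=1024 count=8 2>/dev/null
    printf 'LUKS\272\276\000\001' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf 'SWAPSPACE2' | dd of="$1" bs=1 seek="$SWAP_SIG_OFFSET" conv=notrunc 2>/dev/null
}
```

Run device_state against the partition (or a dd image of it) before pointing a random-key crypttab entry at it: "luks" or "both" means the old header is still on disk and will be picked up first.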