LUKS/dm-crypt first time setup

Hello,

I'm about to delve head first into the fascinating world of cryptography,
starting by implementing full HDD encryption. I have to state that
I'm a recent convert to Linux and I'm still finding my way around it, so
if my questions are a bit naive, please bear the above in mind.

Let me describe in short what I'm trying to achieve, and then I will have a
couple of questions.

I will create a couple of LVM partitions on top of LUKS/dm-crypt -
boot, /, usr, tmp, var, home, swap. I want to encrypt them with a key
file which will be stored in the MBR of a USB key and (possibly) add a
pass-phrase as a precaution against a lost/damaged USB key. And that is it, really.

Now for the questions:

1. Suspend/hibernate - I came across information that swap encrypted
with a key file can/will leak it to the unencrypted boot partition along with any other
stored keys/pass-phrases. I read as well that during resume from suspend the key
file/pass-phrase is stored in the actual swap, making it possible for an
attacker to retrieve it (if, for example, the attacker has access to the
machine through the internet). Is that information correct? Is there a
way of encrypting swap which will allow the user to enjoy the benefits of
suspend/hibernate without a security breach? I know about the possibility of a
random key/pass-phrase with every boot, but that will exclude suspend.

2. Will I have any problems if I decide to add an HDD to the above
set-up? Or will it be enough to extend the already existing volume group
with it?

3. I'm looking into the possibility of having the boot partition on an external USB
key, with the whole HDD encrypted. Now, I'm not sure if it's
possible at all and, if yes, whether it's beyond my current knowledge. But
assuming (for now) that I can boot the system from the USB key, will it work
with LUKS/dm-crypt? I mean the whole HDD will be encrypted LVM, and the
unencrypted boot partition, along with the key file (either as
plaintext or hidden in the MBR), will be on the USB stick.

And that will be all, I think. Thanks everyone for your time and
patience!


Tom

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
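The layout described in the post, as an added example that is not part of the original message or of the dm-crypt project: one LUKS container keyed by a key file on the USB stick with a passphrase as the fallback slot, LVM (root, home, swap) inside it so the hibernation image lands on encrypted swap, and a second disk joined later by extending the existing volume group. Names are assumed: the mapping "cryptlvm", the volume group "vg0", the key file /mnt/usbkey/hdd.key; the script keeps the key file as a plain file on the stick and /boot outside the container, which is a simplification of what the post asks for.

```shell
#!/bin/sh
# Added example (not from the post): rehearse the LUKS -> LVM stack on an
# image file before touching a real drive, e.g.
#   truncate -s 8G disk.img && losetup -f disk.img
# Assumed, hypothetical names: mapping "cryptlvm", VG "vg0", key file on the
# USB stick at /mnt/usbkey/hdd.key. setup_stack and add_disk need root.
set -eu

VG=vg0
MAPPING=cryptlvm

# 4096 random bytes, readable only by the owner. A key file does not have to
# be hidden to be a good key; it has to be unguessable and unreadable.
make_keyfile() {
    local path="$1"
    ( umask 077; head -c 4096 /dev/urandom > "$path" )
    chmod 0400 "$path"
}

keyfile_size() {
    wc -c < "$1" | tr -d ' '
}

# One /etc/crypttab line: mapping name, source device, key file, options.
crypttab_line() {
    printf '%s\t%s\t%s\tluks\n' "$1" "$2" "$3"
}

# Format a disk as a LUKS container keyed by the key file (slot 0), add a
# passphrase (slot 1) as the fallback for a lost or damaged USB stick, open it.
luks_prepare() {
    local disk="$1" keyfile="$2" name="$3"
    cryptsetup luksFormat --batch-mode --key-file "$keyfile" "$disk"
    cryptsetup luksAddKey --key-file "$keyfile" "$disk"   # prompts for the new passphrase
    cryptsetup open --key-file "$keyfile" "$disk" "$name"
}

# Initial stack: LUKS -> PV -> VG -> LVs. Swap is an LV inside the container,
# so the hibernation image written to it is encrypted like everything else;
# the initramfs then resumes from /dev/vg0/swap (resume= on the kernel command
# line, or the distribution's equivalent) after the container is unlocked.
setup_stack() {
    local disk="$1" keyfile="$2"
    luks_prepare "$disk" "$keyfile" "$MAPPING"
    pvcreate "/dev/mapper/$MAPPING"
    vgcreate "$VG" "/dev/mapper/$MAPPING"
    lvcreate -L 20G -n root "$VG"
    lvcreate -L 4G  -n swap "$VG"
    lvcreate -l 100%FREE -n home "$VG"
    mkswap "/dev/$VG/swap"
    crypttab_line "$MAPPING" "$disk" "$keyfile"   # append this to /etc/crypttab
}

# A disk added later gets its own LUKS container (same key file, own passphrase
# slot) and is joined to the existing volume group rather than a second stack.
add_disk() {
    local disk="$1" keyfile="$2" name="$3"
    luks_prepare "$disk" "$keyfile" "$name"
    pvcreate "/dev/mapper/$name"
    vgextend "$VG" "/dev/mapper/$name"
    crypttab_line "$name" "$disk" "$keyfile"      # second /etc/crypttab entry
}

# Run as root: RUN_SETUP=1 DISK=/dev/loop0 KEYFILE=/mnt/usbkey/hdd.key sh setup.sh
if [ "${RUN_SETUP:-0}" = 1 ]; then
    make_keyfile "$KEYFILE"
    setup_stack "$DISK" "$KEYFILE"
fi
```

The two crypttab lines the script prints are the only thing the initramfs needs to unlock both containers at boot; the key file must be on a filesystem the initramfs can reach, which is the part that depends on the distribution's key-file or keyscript mechanism and is not shown here.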