Thanks for your answer! Now I understand a bit more but have even more questions... > That is redundant. Just use the passphrase and do wthout the > USB key. Also, why would you want to store a key-file in an MBR? > That does not make sense. > Forget hiding anything. It is just not effective against > any halfway competent attacker. And, as I said, forget about the > keyfile. LUKS already has an encrypted master-key in the header. > Your protection is the passphrase. I want to use usb key and a key file to automate decryption process, in a way. With this set-up I wont have to enter long and complicated passphrase on each boot, key file will be automatically read from the usb. Storing it in MBR is not essential, but it will provide additional protection layer - "security through obscurity". I do agree with you, that it is useless against competent attacker. And will create even more problems, Grub can overwrite key file or the other way around - making system unbootable / impossible to decrypt. I just want to try and see if I can pull it off and learn in the process of doing so. But, as I said, MBR thing is not essential and I will be happy with plaintext key file on usb. > I don't think so. More correct would be that you cannot suspend > to disk without re-entring your passphrase on un-suspend. > That could be diffilult, and would be impossible with full > disk encryption. On the other hand, full-disk encrypton > is already impossible without BIOS support, you alwqays have > at least the kernel an some tools unencrypted. > > Sounds to me some people were suspending to non-tnectypted > disk here. However, suspend and hibernate is not something > you usually do on a UNIX-like system. Maybe just do without > it? I never found a any need to do it ever and it is a security > risk. > Regular encryption and wipe the key from memory at the end of > the suspend operaton. Sounds like a lot of effort for very little > gain. Information about swap leaking key file I found on Arch Linux wiki: https://wiki.archlinux.org/index.php/Talk:System_Encryption_with_LUKS_for_dm-crypt#Suspend_to_disk_instructions_are_insecure There was another web site as well mentioning this issue but I'm unable to find it now. Suspend and hibernate are not things I can't live without but if there is a option to have them enabled (in a secure matter) I would like to try to. It's just the case of having the choice to suspend against no choice whatsoever. > > 3. I'm looking into possibility of having boot partition on external usb > > key and the whole HDD would be encrypted. > > What would be the benefit? > > Now, I'm not sure if its > > possible at all and if yes, if its not beyond my current knowledge. > > If the USB is bootable on your cmputer, then it is rather simple. > > But > > assuming (for now) that I can boot the system from usb key, will it work > > with LUKS/dm-crypt? > > Yes. You need an unencrypted initrd on the key though. Again it's just proof of concept. It's not essential for security of my data (I'm archaeologist so I don't deal with very sensitive data), I just want to try if it's possible and if I'm able to figure out how to do it. I couldn't find any informations about having a whole boot partition on external usb with main HDD encrypted, so if I will manage to do that I can contribute to overall knowledge. > > And that will be all, I think. Thanks everyone for your time and > > patience! > > No problem. > > Also, *read the FAQ*, especially the section about backup > and recovery from overwtitten LUKS headers. Thanks again! I did my backups already - on external HDD and dvd's (OK, I'm a little bit paranoid!). As you confirmed that having boot on external usb is possible (yes, my BIOS is supporting booting from usb) now I have to look into that. Tom _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
