In reply to Milan Broz <mbroz@xxxxxxxxxx>:

> Good luck. Do you know how easy it is to use a hw keylogger, for
> example?

Yes.

> How do you detect that the attacker installed such a hw device when
> he has repeated access to the system?
> TPM will not help here.

No. TPM won't help against a hw keylogger. But it will help to detect a change in my /boot partition. And for that, it works. It's so easy to break the encryption by modifying /boot that something has to be done. Here, TPM can help, so I use it.

For a hardware keylogger, I would use a very thin laptop where every change would be noticed. For example, a MacBook Air. So thin, you can't add a hardware keylogger. But that's not a discussion for the dm-crypt mailing list, I guess.

> (Btw read what truecrypt developers say about TPM - see FAQ
> there.)

Done.

> You cannot fix block level encryption to not leak info about which
> block changed without completely destroying performance.
> The block device must be transparent to the system and also
> you do not want to kill cache and hw acceleration here.

Ok.

> What is possible is to provide on-the-fly master key change
> and simply reencrypt the whole device on-fly when needed.
>
> You can implement it in such a way that it will survive even
> unexpected power fail.
>
> LVM has a similar concept for pvmove - the moved (here reencrypted)
> area is mirrored; when the mirror is synchronised, it will switch to the final
> destination.
>
> For encryption here you then need some temporary area and
> after the switch to the destination area add a wipe of the old area with random data.

Sure.

> If power fails, it will simply start resyncing again (so for
> some time both keys are active). Of course this also handles all IO
> requests to the storage during reencryption.
>
> So if this is what you want

A thing like that, yes.

> - yes, I would like to see some
> such functionality, but this is work for LVM, not dmcrypt.

Ok, I think I understand. I will look at the LVM docs.
Thanks

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
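The on-line master-key change Milan sketches above (a watermark separating the already-reencrypted region from the rest, a temporary area written before the destination so a power failure only restarts the sync, both keys active while the sync runs, and normal IO continuing throughout) is easier to reason about as a small state machine. The following is an added illustration written for this page; it is not code from the thread, from dm-crypt or from LVM. It models a block device in memory: `Device`, `SECTOR`, the header field names, the one-sector `journal` slot standing in for the mirrored temporary area, and the sample keys are all assumptions of this example, and the per-sector HMAC keystream is a deliberately toy stand-in for a real sector cipher such as aes-xts so the code runs with only the standard library.

```python
import copy
import hashlib
import hmac

SECTOR = 16  # toy sector size in bytes (assumed; real devices use 512 or 4096)


def keystream(key: bytes, sector: int) -> bytes:
    """Toy per-sector keystream: HMAC-SHA256(key, sector number), truncated.
    Stand-in for a real sector cipher mode (aes-xts); NOT a secure disk cipher."""
    return hmac.new(key, sector.to_bytes(8, "big"), hashlib.sha256).digest()[:SECTOR]


def crypt(key: bytes, sector: int, data: bytes) -> bytes:
    """XOR with the sector keystream; encryption and decryption are the same op."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, sector)))


class Device:
    """Encrypted block device plus the persistent header that would sit on disk."""

    def __init__(self, nsectors: int, key: bytes):
        # Freshly formatted: every sector holds an encryption of zeros under `key`.
        self.sectors = [crypt(key, i, bytes(SECTOR)) for i in range(nsectors)]
        # Header: two key slots, the reencryption watermark, a one-sector journal.
        self.header = {"old_key": key, "new_key": None, "watermark": None, "journal": None}

    @classmethod
    def from_disk(cls, sectors, header):
        """Simulate a reboot: rebuild the object purely from on-disk state."""
        dev = cls.__new__(cls)
        dev.sectors, dev.header = copy.deepcopy(sectors), copy.deepcopy(header)
        return dev

    # --- normal IO; valid before, during and after a key change ---------------
    def key_for(self, n: int) -> bytes:
        h = self.header
        if h["new_key"] is not None and n < h["watermark"]:
            return h["new_key"]   # below the watermark: already moved to the new key
        return h["old_key"]       # at or above it: still under the old key

    def read(self, n: int) -> bytes:
        return crypt(self.key_for(n), n, self.sectors[n])

    def write(self, n: int, plaintext: bytes) -> None:
        assert len(plaintext) == SECTOR
        self.sectors[n] = crypt(self.key_for(n), n, plaintext)

    # --- on-line master-key change -------------------------------------------
    def start_reencrypt(self, new_key: bytes) -> None:
        self.header.update(new_key=new_key, watermark=0)

    def step(self, crash_after_journal: bool = False) -> bool:
        """Move one sector from the old key to the new key. True when finished.
        A real implementation must hold IO to sector n for the duration of the step."""
        h = self.header
        n = h["watermark"]
        if n >= len(self.sectors):
            # Switch over: the new key becomes the only key (wipe the old slot for real).
            h.update(old_key=h["new_key"], new_key=None, watermark=None)
            return True
        plain = crypt(h["old_key"], n, self.sectors[n])
        # 1. persist the re-encrypted sector in the temporary area first ...
        h["journal"] = (n, crypt(h["new_key"], n, plain))
        if crash_after_journal:
            raise RuntimeError("power failure")
        # 2. ... then write it to its final place, 3. then advance the watermark.
        self.sectors[n] = h["journal"][1]
        h.update(watermark=n + 1, journal=None)
        return False

    def recover(self) -> None:
        """Run at activation: replay an interrupted step from the journal, if any."""
        if self.header["journal"] is not None:
            n, data = self.header["journal"]
            self.sectors[n] = data
            self.header.update(watermark=n + 1, journal=None)


def demo() -> dict:
    """Constructed scenario: IO during reencryption, a crash mid-step, resume."""
    old, new = b"old-master-key", b"new-master-key"   # assumed sample keys
    dev = Device(8, old)
    expected = {n: bytes([n]) * SECTOR for n in range(8)}
    for n, data in expected.items():
        dev.write(n, data)
    dev.start_reencrypt(new)
    for _ in range(3):
        dev.step()                                    # sectors 0..2 now under new key
    expected[1] = b"A" * SECTOR; dev.write(1, expected[1])   # IO into the moved area
    expected[6] = b"B" * SECTOR; dev.write(6, expected[6])   # IO into the unmoved area
    try:
        dev.step(crash_after_journal=True)            # power fails while moving sector 3
    except RuntimeError:
        pass
    dev2 = Device.from_disk(dev.sectors, dev.header)  # "reboot"
    dev2.recover()
    watermark_after_recover = dev2.header["watermark"]
    while not dev2.step():
        pass
    return {
        "data_intact": all(dev2.read(n) == expected[n] for n in range(8)),
        "switched": dev2.header["old_key"] == new and dev2.header["new_key"] is None,
        "old_key_useless": crypt(old, 0, dev2.sectors[0]) != expected[0],
        "watermark_after_recover": watermark_after_recover,
    }
```

The point of the journal-then-destination ordering in `step()` is the one Milan makes: at any instant the data of every sector is recoverable under exactly one known key (old below the watermark after recovery, new above it), so an interruption costs a resync, not the volume. What the toy omits is everything that makes this hard on real hardware: header updates must be ordered and atomic with respect to the data writes, in-flight IO to the sector being moved must be serialised against the move, and the old key slot must actually be wiped rather than merely dropped.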