On Thu, Aug 23, 2012 at 08:12:43PM +0200, Milan Broz wrote:
> On 08/23/2012 06:07 PM, Arno Wagner wrote:
> >> Debian has full support for cryptsetup/LUKS,
> >
> > For encrypted root? News to me, but would be a good thing.
>
> I am using it for several years on Debian (supported only with combination
> with lvm IIRC).
>
> >> but not for plain dm-crypt, not to
> >> my knowledge anyway. I think this makes sense as there is no way to
> >> automatically detect an encrypted partition with no header.
> >>
> >> The only advantage I can see in using encrypted partitions with no header
> >> is to "hide" the encrypted volume, however the partition, cipher and hash
> >
> > The second one is better resilience, as there is no header
> > single-point-of-failure. Whether that is worth total loss of
> > key management depends on the application.
>
> Well, you can have detached LUKS header on USB flash disk (optionally
> with the whole boot partition) for example.

That is not really a good idea. LUKS on Flash/SSD may not work as
intended. I just added an entry for that to the FAQ (5.17).

For some scenarios, plain dm-crypt is just the way to go. Of course,
it requires some understanding, e.g. a high-entropy passphrase is a must.

> (cryptsetup has support for separate LUKS header but no support
> in distros yet I think)
>
> (You can even have different disk with another header with shifted data
> offset in LUKS header and hide another volume inside the first
> Not that it is comfortable though but possible...)

Hehehe. Messy ;-)

> >
> >> function have to be specified somewhere if one wants the distro to be able
> >> to do automatic configuration.
> >
> > That is not the issue. Reasonable defaults would do that. The
> > issue is that the partition type cannot be detected anymore
> > without the key.
> >
> >> The bootloader will need it in its
> >> configuration, which doesn't make it any better than LUKS in terms of
> >> discreetness.
> >
> > Huh? What is the bootloader going to do with that info? Last
> > I checked, you still need a running kernel and system (possibly
> > in the form of an initrd) to do anything with encrypted partitions,
> > no matter whether LUKS or plain. I may be behind times here, if so,
> > please explain.
>
> Grub2 can handle LUKS directly.

Nice. Finally a reason to switch.

> (And separate header support is perhaps easy to add.)

Should be.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
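The point both posters circle around (a LUKS header is what lets a distro or initrd recognise an encrypted volume, so a plain dm-crypt device, or a LUKS data device whose header lives on a USB stick, is indistinguishable from random data) can be shown without root or device-mapper. The script below is an added example written for this page, not code from the thread or from the cryptsetup project. It assumes only POSIX sh with dd, od, mktemp and /dev/urandom; the sample images, the function names detect_luks and make_samples, and the file names in the comments are constructed for the illustration. The LUKS magic bytes it checks ("LUKS" followed by 0xBA 0xBE) are the real on-disk signature of a LUKS1/LUKS2 primary header.

```shell
#!/bin/sh
# Added example (not from the thread): why LUKS volumes can be auto-detected
# and plain dm-crypt or detached-header data devices cannot.
# Assumes POSIX sh, dd, od, mktemp, /dev/urandom. No root needed.

# Report "luks" if the given file/device starts with the LUKS primary-header
# magic "LUKS\xba\xbe", "unknown" otherwise. This is the same signal tools
# like blkid key on. A LUKS2 device also carries a secondary header later on
# the disk, so "unknown" is "no primary header found", not proof of plain mode.
detect_luks() {
    magic=$(dd if="$1" bs=6 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4c554b53babe) echo luks ;;
        *)            echo unknown ;;
    esac
}

# Build constructed sample images in a fresh temp dir and print the dir path.
#   header.img : mimics a detached LUKS header file (only the magic plus
#                zeros; NOT a valid header, just enough for the detector)
#   data.img   : random bytes, which is what a plain dm-crypt volume, or the
#                data device of a detached-header LUKS setup, looks like
make_samples() {
    dir=$(mktemp -d)
    { printf 'LUKS\272\276'; dd if=/dev/zero bs=1024 count=4 2>/dev/null; } \
        > "$dir/header.img"
    dd if=/dev/urandom of="$dir/data.img" bs=1024 count=4 2>/dev/null
    echo "$dir"
}

# For reference, the real detached-header layout Milan describes would be set
# up with cryptsetup (needs root and a block device; not run here):
#   cryptsetup luksFormat --header /media/usb/header.img /dev/sdb1
#   cryptsetup open       --header /media/usb/header.img /dev/sdb1 secret
# Afterwards /dev/sdb1 itself reports "unknown" below, exactly like plain
# dm-crypt, which is why no distro can configure it without being told.

samples=$(make_samples)
echo "header.img -> $(detect_luks "$samples/header.img")"   # luks
echo "data.img   -> $(detect_luks "$samples/data.img")"     # unknown
rm -rf "$samples"
```

The detector is deliberately as minimal as blkid's first test: it reads six bytes and nothing else. That is exactly the information a plain dm-crypt volume withholds, and also what a detached-header data device withholds, so from a boot-time detection standpoint the two cases are the same; the difference is only that with a detached header you still have LUKS key management once you supply the header.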