On Sat, Sep 08, 2012 at 10:13:38AM +0200, Heinz Diehl wrote:
> On 06.09.2012, Arno Wagner wrote:
>
> > I was thinking about automatic swap set-up. If you do that
> > with a non-random key, you have to store it somewhere and that
> > will be a problem.
>
> I created my swap partition while installing the distribution. The
> whole harddisk (laptop) is LUKS/dmcrypt encrypted. When I start up the
> machine, all I have to do is to provide the proper passphrase, and all
> my encrypted partitions will be unlocked, incl. swap.
>
> As far as I can see, dracut stores the passphrase in memory, unlocks
> the root-partition first, and runs the same passphrase on all the
> other LUKS-devices afterwards. I can't see how this procedure could be
> a problem related to swap, and why I maybe should choose a random key
> over a predefined one.

Swap can be encrypted with a one-time passphrase. This is more secure
than a constant passphrase. It can also be done non-interactively.

The (slight) security decrease when encrypting swap with a static
passphrase is that in the future you may still find stuff in there if
the passphrase gets compromised.

The point is that there is no reason to include swap in a normal
encryption scheme and doing it with a random passphrase even increases
security. In addition, encrypted swap can be something you want on a
system that does not encrypt anything else.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
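The non-interactive random-key swap Arno describes, as an added configuration example that is not from the original thread. It assumes a systemd- or Debian-style /etc/crypttab that understands the `swap`, `cipher=` and `size=` options; the disk id is a placeholder, and the partition must carry no LUKS header (plain dm-crypt mode).

```conf
# /etc/crypttab (added example, not from the thread)
#
# Key source /dev/urandom: a fresh key is generated at every boot and
# never stored, so old swap contents are unrecoverable after reboot and
# no passphrase prompt is needed. The "swap" option runs mkswap on the
# mapped device each boot, so reference the partition by a stable id,
# never /dev/sdX: if device names shift, mkswap would wipe the wrong disk.
# Caveat: hibernation/resume cannot work, the key is gone after shutdown.
#
# name      underlying device (placeholder)                 key source    options
cryptswap   /dev/disk/by-id/ata-PLACEHOLDER_DISK-part3      /dev/urandom  swap,cipher=aes-xts-plain64,size=256

# /etc/fstab: mount the mapping, not the raw partition
/dev/mapper/cryptswap   none   swap   sw   0   0
```

Check after boot with `swapon --show` that the active swap device is /dev/mapper/cryptswap and `cryptsetup status cryptswap` reports type PLAIN.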