Re: encrypted SWAP FAQ item

On 07/11/2013 11:24 AM, Jonas Meurer wrote:
Heya,

Am 11.07.2013 08:53, schrieb Arno Wagner:
Dear all,

I have just added a mini-HOWTO on how to set up encrypted swap
in FAQ item 2.2:
http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions

Proofreading and suggestions welcome.

Good idea to add it to the FAQ. Thanks for maintaining this very
valuable piece of documentation.

But maybe you should put more emphasis on the fact that /etc/crypttab
implementations are distro-specific. While I know for sure that options
like swap and noearly are supported in Debian-based distributions, I'm
not sure about Redhat-based ones. Last time I looked, only a small
subset of crypttab options that we've implemented in Debian were
supported on Redhat-based systems.

Fedora (and future RHEL, perhaps) is using systemd,
crypttab is parsed in systemd. IIRC most of the options are
"systemd standardized". IIRC all Debian keywords were already there.

And for swap... it never worked properly with systemd, but it is perhaps
only an implementation bug; enjoy reading
https://bugzilla.redhat.com/show_bug.cgi?id=759402

(systemd is using libcryptsetup for real device activation)

Additionally, the following sentence looks wrong to me:

"Note: use /dev/random if you are paranoid or in a potential low-entropy
situation (embedded system, etc.).".

Mainly in low-entropy situations /dev/random would cause the boot
process to hang, right? So for these setups /dev/urandom actually is the
better solution. Granted that one isn't paranoid ;)

This is not so simple. Once /dev/random is "fixed" for most configs
(read: the internal pool is continuously mixed with a good entropy source like
e.g. RDRAND instructions) cryptsetup will switch the default to /dev/random
(for long-lived keys). Perhaps in the next major version.

See my notes here http://code.google.com/p/cryptsetup/issues/detail?id=161

Milan
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
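
An added example, not part of the thread or of the cryptsetup FAQ: a small Python audit of the crypttab points discussed above (random key source and the `swap` option). The sample file, device paths and function names are constructed for illustration; it assumes the four-column name/device/key/options layout, and the kernel-device-name check is an extra caution that the thread does not raise.

```python
import re

# Constructed sample input, not taken from the thread or the FAQ.
SAMPLE_CRYPTTAB = """\
# <name> <device> <key source> <options>
cswap1  /dev/disk/by-id/ata-EXAMPLE-part2  /dev/urandom  swap,cipher=aes-xts-plain64,size=256
cswap2  /dev/sdb2                          /dev/random   swap,noearly
cdata   /dev/disk/by-id/ata-EXAMPLE-part3  /dev/urandom  cipher=aes-xts-plain64
chome   /dev/disk/by-id/ata-EXAMPLE-part4  none          luks
"""

RANDOM_SOURCES = {"/dev/random", "/dev/urandom"}
# Kernel-assigned names such as /dev/sdb2 are not stable across boots.
KERNEL_NAME = re.compile(r"^/dev/(sd|hd|vd|nvme|mmcblk)")


def parse_crypttab(text):
    """Return (name, device, key_source, options) for each entry line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        key = fields[2] if len(fields) > 2 else "none"
        opts = fields[3].split(",") if len(fields) > 3 else []
        entries.append((fields[0], fields[1], key, opts))
    return entries


def audit(text):
    """Return (name, finding) pairs for entries keyed from a kernel RNG device."""
    findings = []
    for name, device, key, opts in parse_crypttab(text):
        if key not in RANDOM_SOURCES:
            continue  # passphrase or key file: out of scope for this check
        reformatted = "swap" in opts or "tmp" in opts
        if key == "/dev/random":
            findings.append((name, "key from /dev/random: may block at boot until the kernel has enough entropy"))
        if not reformatted:
            findings.append((name, "random key without swap/tmp: nothing re-creates the contents after a reboot"))
        elif KERNEL_NAME.match(device):
            findings.append((name, "kernel device name: whichever disk gets this name is reformatted at boot"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CRYPTTAB):
        print(f"{name}: {finding}")
```

Which options a given distribution honours still has to be checked against its own crypttab(5), as the thread points out.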