On Thu, Jul 11, 2013 at 11:24:22AM +0200, Jonas Meurer wrote: > Heya, > > Am 11.07.2013 08:53, schrieb Arno Wagner: > > Dear all, > > > > I just have added a mini-HOWOT on how to set up encrypted swap > > in FAQ item 2.2: > > http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions > > > > Proofreading and suggestions welcome. > > Good idea to add it to the FAQ. Thanks for maintaining this very > valuable piece of documentation. Thanks! > But maybe you should more emphasize the fact that /etc/crypttab > implementations are distro-specific. While I know for sure that options > like swap and noearly are supported in Debian-based distributions, I'm Well, if "swap" is not supported, then this will just fail. In this case, the user will likely have to write his/her own startup-script. Same with noearly, it will simply fail if the device is not yet available because it needs LVM or RAID-assembly. I will see about saying this clearer though. > not sure about Redhat-based ones. Last time I looked, only a small > subset of crypttab options that we've implemented in Debian were > supported on Redhat-based systems. > > Additionally, the following sentence looks wrong to me: > > "Note: use /dev/random if you are paranoid or in a potential low-entropy > situation (embedded system, etc.).". > > Mainly in low-entropy situations /dev/random would cause the boot > process to hang, right? So for these setups /dev/urandom actually is the No. It hangs only in a "no entropy" situation. With "low entropy", it merely takes long. In a "no entropy" situation, you cannot do secure encryption and should do without it or find some entropy. Also note that a pre-seeded /dev/urandom is not a "low entropy" situation. > better solution. Granted that one isn't paranoid ;) Not "better", faster. But catastrophically worse with regard to security. If you do not care about security in swap it is better to not encrypt it in the first place. But if you encrypt, then it must be secure. Otherwise people will make wrong assumptions. History has shown time and again that having no security in place makes (most) people careful, but having very weak security in place gives them a false sense of security, which is a lot worse. Hence do encryption right or do without it. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult. --Tony Hoare _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
