I was thinking about a project which basically involves linux images with full disk encryption. The images should be shipped to or downloaded by multiple users. Since the end users are likely linux novices the setup should be as easy as possible.
At the moment I see two options.
1.: Filesystem image with non-encrypted boot and encrypted main filesystem.
The image should be dd'ed to a hdd or usb drive and resized to fill the whole drive. Then the master key will be changed with cryptsetup-reencrypt.
2.: Like 1 but the filesystem has also a non-encrypted main filesystem.
Encryption will be done either as described here: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encrypt_an_unencrypted_filesystem or with this tool : https://johannes-bauer.com/linux/luksipc
Currently I am strongly in favor of option 1 since it forces the end user to use full disk encryption. With option 2 it could just be skipped. Also the required effort seems to be the same for both options.
Is there anything else to consider for option 1? Is changing the master key enough? Best practices/build options for the encrypted filesystem?
Maybe an option 3 ... ?
Vasili
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
