On Nov 26, 2011, at 2:00 AM, Bob Proulx wrote:

> The way I like to set up the system is to set up /boot in its own
> partition on /dev/sda1.  Then set up the rest of the disk in /dev/sda5
> as a logical partition for an encrypted partition.  Then use that
> encrypted partition for one large LVM volume.  This includes swap.
> You definitely want to encrypt swap along with everything else.

Unless you are concerned about growing swap at some later date, you should leave swap out of the LVM and encrypt it separately -- with a *random* key.

I.e. something like this in /etc/crypttab:
# Swap
hda4_crypt /dev/hda4 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap


You don't have to provide an extra key at boot time for swap (the system generates it automatically).

This way, when the system is turned off, your swap becomes undecipherable.

If you put swap on the LVM, its contents survive a reboot, and therefore can be read by anyone who has the key to the LVM.

Rick


--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/a61fcd91-efd5-4d8c-b7e3-854596c1c...@pobox.com
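The arrangement Rick describes has two parts that must agree: a crypttab entry keyed from /dev/urandom with the swap option, and an fstab entry that swaps on the mapped device rather than the raw partition. The script below is an added example, not part of the list post or of Debian's cryptsetup scripts; it audits a crypttab/fstab pair for exactly those points and, as a third check, warns when the source device is a kernel-assigned name such as /dev/hda4 or /dev/sdb2, because the swap option runs mkswap on whatever device that name resolves to at boot. The file paths, the function name check_crypt_swap and the sample entries are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the list post): audit random-key encrypted swap.
# For every crypttab line carrying the "swap" option it checks that
#  1. the key source is /dev/urandom (or /dev/random), so the key never
#     survives a power-off and the swap contents become unreadable;
#  2. fstab swaps on /dev/mapper/<name>, and never on the raw source
#     device, which mkswap overwrites at every boot;
#  3. the source device is a stable path (warn on /dev/sdX, /dev/hdX, ...):
#     if the kernel renumbers disks, the "swap" option would mkswap the
#     wrong partition.
# Usage: check_crypt_swap CRYPTTAB FSTAB; prints findings and returns the
# number of errors (0 = clean). Paths are parameters so it can run against
# copies; the files used at the bottom are constructed test data.

check_crypt_swap() {
  crypttab=$1
  fstab=$2
  errors=0
  while read -r name src key opts; do
    # skip blank lines and comments
    case "$name" in ''|'#'*) continue ;; esac
    # only entries that list "swap" among the comma-separated options
    case ",$opts," in *,swap,*) ;; *) continue ;; esac

    # 1. random, non-persistent key
    case "$key" in
      /dev/urandom|/dev/random) ;;
      *) echo "ERROR: $name: key source '$key' persists; swap stays readable after power-off"
         errors=$((errors + 1)) ;;
    esac

    # 2. fstab must use the mapped device, not the raw partition
    if awk -v dev="$src" '$1 == dev { found = 1 } END { exit !found }' "$fstab"; then
      echo "ERROR: $name: fstab references raw device $src (mkswap overwrites it at boot)"
      errors=$((errors + 1))
    fi
    if ! awk -v dev="/dev/mapper/$name" '$1 == dev && $3 == "swap" { found = 1 } END { exit !found }' "$fstab"; then
      echo "ERROR: $name: no fstab swap entry for /dev/mapper/$name"
      errors=$((errors + 1))
    fi

    # 3. unstable device names
    case "$src" in
      /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*)
        echo "WARN: $name: $src is not a stable name; prefer /dev/disk/by-id/ or by-partuuid/" ;;
    esac
  done < "$crypttab"
  return "$errors"
}

# Demo on constructed files; the "good" pair mirrors the crypttab line above,
# the "bad" pair keys swap from a file on disk and swaps on the raw partition.
demo_dir=$(mktemp -d)
printf '%s\n' '# Swap' \
  'hda4_crypt /dev/hda4 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap' > "$demo_dir/crypttab.good"
printf '%s\n' '/dev/mapper/hda4_crypt none swap sw 0 0' > "$demo_dir/fstab.good"
printf '%s\n' 'hda4_crypt /dev/hda4 /etc/keys/swap.key cipher=aes-cbc-essiv:sha256,size=256,swap' > "$demo_dir/crypttab.bad"
printf '%s\n' '/dev/hda4 none swap sw 0 0' > "$demo_dir/fstab.bad"
check_crypt_swap "$demo_dir/crypttab.good" "$demo_dir/fstab.good" || echo "good config: $? error(s)"
check_crypt_swap "$demo_dir/crypttab.bad" "$demo_dir/fstab.bad" || echo "bad config: $? error(s)"
rm -rf "$demo_dir"
```

The good pair passes with only the device-name warning; the bad pair reports three errors. One consequence worth keeping in mind when choosing this layout: because the key is discarded at power-off, a random-keyed swap cannot be used for hibernation, since the suspend image written to it is unreadable on the next boot.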