Alexander Skwar wrote:

Richard Fish wrote:
Pupeno wrote:

I use the dm-crypt from the kernel....
I've read that it is insecure and I also read that it is not yet very well supported.


Dm-crypt is fairly well supported, since it is in the kernel, but I find it to be harder to set up

Hard to set up? How? What's hard about it?

You just encrypt the block device and create an fs on it.

/sbin/lvcreate -nToBeEnc -L5g sys       \
        && echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc      \
        && mkfs -t reiser4 /dev/mapper/Crypted  \
        && mount /dev/mapper/Crypted /some/where

Obviously, the lvcreate and mkfs steps are just one-time steps :)


First, I did not say dm-crypt was "hard to set up". I said I find it harder to set up than loop-AES. Please quote me correctly. :-)

Have you used both loop-AES and dm-crypt?  I have.

If you want to know what, specifically, I find more difficult about cryptsetup, it is the documentation. The grand sum of documentation available for dm-crypt/cryptsetup after doing an 'emerge cryptsetup' is "cryptsetup --help". Not terribly informative compared to "man losetup" or /usr/share/doc/loop-aes-3.0d/README.gz.

And yes, I know there are better guides online, but it is not always possible to go online.

Also, I wanted to be able to change my password. With loop-AES, this is a simple matter of re-encrypting my key file with a new password. cryptsetup makes this more difficult. Not impossible, just more difficult.

<advice>
Also, echoing your password on a command line to cryptsetup is an extremely bad idea. If an attacker happens to be on your system at that moment, a simple 'ps' will show them your passphrase. Even if you are not worried about that, you should still take special precautions regarding the shell history file. Otherwise all someone has to do is crack your system while it is up and cat your .bash_history file.
</advice>

and less 'flexible' than loop-AES (the changing passphrase thing, for example).

Any other example?

Sure:

o Ability to specify encryption parameters in fstab.
o Automatic cleanup of the encrypted device when the filesystem is unmounted.
o Additional security options, if someone really requires them.

-Richard

--
gentoo-user@gentoo.org mailing list
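
An added example (not part of the original thread): a small shell check for the shell-history exposure Richard describes, flagging history lines that pipe a literal passphrase into cryptsetup through echo or printf. The function names and the sample history entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags shell-history lines where a
# literal passphrase is piped into cryptsetup via echo/printf, the
# pattern that leaves the secret readable in ~/.bash_history.

# find_leaked_passphrases FILE
# Prints "LINENO:command" for each risky line; returns 0 if any were
# found, 1 if the file is clean (grep's exit status).
find_leaked_passphrases() {
    # echo/printf with arguments, a pipe, then cryptsetup
    # (optionally with a path prefix such as /bin/).
    grep -nE '(^|[;&|[:space:]])(echo|printf)[[:space:]]+[^|]+\|[[:space:]]*([^[:space:]]*/)?cryptsetup([[:space:]]|$)' "$1"
}

# count_leaked_passphrases FILE -> number of risky lines
count_leaked_passphrases() {
    { find_leaked_passphrases "$1" || true; } | wc -l | tr -d ' '
}

# Constructed sample history (hypothetical entries, not real data).
make_sample_history() {
    cat <<'EOF'
ls -l /dev/mapper
echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc
cryptsetup create Crypted /dev/sys/ToBeEnc
printf '%s' hunter2 | cryptsetup create Other /dev/sys/Other
echo done
cryptsetup --help | less
EOF
}

sample=$(mktemp)
make_sample_history > "$sample"
echo "Risky history entries:"
find_leaked_passphrases "$sample"
echo "Total: $(count_leaked_passphrases "$sample")"
rm -f "$sample"
```

Run against a real history file with `find_leaked_passphrases ~/.bash_history`; the third sample entry, where cryptsetup prompts for the passphrase itself, is not flagged.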
