Am 03.09.2012 23:23, schrieb "Roland Häder": > >> No comment on dracut as I have no experience with it. > Okay, so I have to try it out myself. When I found something out, I > expand the wiki with it. > >> >> However, as I see it, you need no key file if you just use a pass >> phrase. In my opinion, a key file is only necessary for two >> improvements: > Entering just a pass phrase means that this pass phrase will be used > to decrypt the device, if you decrypt a key before and then with that > key decrypt all your volumes you have a much better security because > that key will then be used as 'pass phrase' which is *way* much > stronger (4096+ chars + ~10-20 chars you can remember). >
That's not exactly how it works. 1. An attacker could still simply break the pass phrase used to encrypt the key file. 2. You don't actually weaken the encryption of your disk if you use a small key (besides the obviously easier guessing of the key). The actual encryption key is generated from the pass phrase (or key file) by a hash function (default: SHA-1). This always expands or compresses your key to the key size defined when issuing `cryptsetup luksFormat`. >> >> 1. Two-factor authentication (read: encrypted key file) >> This is what makes a key file better and more secure. The attacker not only needs a pass phrase /or/ a memory stick; he needs both. >> 2. Avoiding re-typing the pass phrase for multiple dmcrypt >> partitions > See above. :) > >> You can easily achieve the second point by putting an unencrypted >> key file on the first partition which you encrypt with a pass >> phrase. You don't even need dracut for this, /etc/conf.d/dmcrypt >> lets you configure it easily (as long as it doesn't affect /usr). > Okay, I look into this. > >> >> However, I personally find it easier to put LVM on a single >> dmcrypt volume and be done this. All you need for this to work are >> two lines in /etc/rc.conf: rc_dmcrypt_before="lvm" >> rc_dmcrypt_after="udev" > I'm new to LVM, does it setup key-based encryption (best is to put > that key on an USB stick, so the attacker needs my stick). > > Regards, Roland > I guess I didn't make myself clear. Mostly because I didn't want to write a whole article on it before someone actually showed interest in this. Anyway: LVM has nothing to do with the encryption. It is just a way to partition a single dmcrypt partition into more devices. Maybe it gets clearer if I show my partitioning scheme (shortened a bit and with some artistic liberties): /dev/sda1 # /boot /dev/sda2 # root + /usr + /etc /dev/sda3 -> /dev/mapper/crypt # dmcrypt partition /dev/mapper/crypt -> vg_notebook # LVM volume group on dmcrypt vg_noteboot -> /dev/mapper/vg_notebook-var # /var vg_noteboot -> /dev/mapper/vg_notebook-home # /home vg_noteboot -> /dev/mapper/vg_notebook-swap # swap vg_noteboot -> /dev/mapper/vg_notebook-opt # /opt vg_noteboot -> /dev/mapper/vg_notebook-usr-local # /usr/local You see, it is just an alternative to different approaches on getting several parts of your file system encrypted without having to enter pass phrases for several dmcrypt partitions. Alternatives are 1. Put an unencrypted key file on the first encrypted partition. 2. Use a single file system on a single dmcrypt partition and then `mount --bind` or `ln -s` parts of it in different places. For me personally, it is a nice compromise as it allows me to work without an initrd while still keeping most of my file systems encrypted. I just have to make sure to leave nothing private on root, /usr or /etc. Regards, Florian Philipp
signature.asc
Description: OpenPGP digital signature
