On 2/12/19 4:40 AM, Johannes Graumann wrote:
Gentlepeople,

After playing with it on a secondary machine, I'm looking to transition
from my Arch-setup to Qubes.

I am traditionally choosing to encrypt my file systems using serpent
(considered the strongest entry into the AES competition with slightly
worse speed than the finally chosen Rijndael algorithm) and the
following partitioning:
- UEFI-required EFI System Partition, 512MB, EFI System
- /boot partition (to be encrypted), 512MB, Linux filesystem
- SWAP partition (to be encrypted using a random key), size of RAM
(`free -m`) + 1 MiB, Linux filesystem
- tmp partition (to be encrypted using a random key), 2GB, Linux
filesystem

All but the UEFI partition are being encrypted. '/boot' uses a keyfile
resident in '/' (appropriate grub configuration) and thus PW-protected
through the encryption of '/'.

FWIW, if you switch to legacy BIOS boot and your system has a TPM you may be able to use the Qubes anti-evil-maid package to guard against firmware & boot tampering. Most Qubes users don't seem to opt for it, but I thought you might be interested in the extra security.


Questions:
1) Does that make sense (for Qubes)?

On this topic, the sensibility of encryption options with Qubes is about the same as for regular Linux distros. Personally, I don't think switching away from AES is necessary.

2) Am I missing something necessary?
3) Is there documentation on custom disk encryption and if no: where in
the installation process would I break out (how) to the CLI to get it
done?

Qubes uses the RHEL/Fedora installation tool called 'anaconda' which is documented on the Red Hat and Fedora sites. I don't recall if the anaconda UI lets you specify the cipher, but the 'kickstart' feature does so that might be an option.

Also note that a non-AES cipher may seem nearly as quick as AES for access times, however it will have an impact on multitasking performance since AES is hardware accelerated while the other ciphers are not on most systems.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
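
The point in the reply above about AES being hardware accelerated while other ciphers are not can be checked before committing to a cipher. The following is an added example, not part of the original message: it reads `cryptsetup benchmark` output and `/proc/cpuinfo` text, and the sample data and function names are constructed for illustration.

```shell
#!/bin/sh
# Compare AES and Serpent throughput from `cryptsetup benchmark` output and
# check whether the CPU advertises AES instructions.

# Constructed sample in the layout `cryptsetup benchmark` prints; the figures
# are made up for illustration, not measurements.
SAMPLE_BENCH='#     Algorithm |       Key |      Encryption |      Decryption
        aes-xts        256b      1900.0 MiB/s      1950.0 MiB/s
    serpent-xts        256b       600.0 MiB/s       590.0 MiB/s
        aes-xts        512b      1500.0 MiB/s      1480.0 MiB/s
    serpent-xts        512b       610.0 MiB/s       580.0 MiB/s'

# Constructed /proc/cpuinfo excerpt (flags line only).
SAMPLE_CPUINFO='flags : fpu vme sse2 ssse3 pclmulqdq aes avx'

# cipher_speed ALG KEY: read benchmark text on stdin and print the encryption
# throughput (MiB/s) of that row; exit status 1 if the row is absent.
cipher_speed() {
    awk -v alg="$1" -v key="$2" '
        $1 == alg && $2 == key { print $3; found = 1; exit }
        END { exit !found }'
}

# has_aes_flag: read cpuinfo text on stdin; succeed if a flags/Features line
# lists "aes" as a whole word (so "vaes" alone does not count).
has_aes_flag() {
    grep -E '^(flags|Features)[[:space:]]*:' | grep -qw aes
}

# slowdown ALG KEY: how many times slower ALG is than aes-xts at the same key
# size, from benchmark text on stdin (one decimal place).
slowdown() {
    bench=$(cat)
    aes=$(printf '%s\n' "$bench" | cipher_speed aes-xts "$2") || return 1
    other=$(printf '%s\n' "$bench" | cipher_speed "$1" "$2") || return 1
    awk -v a="$aes" -v o="$other" 'BEGIN { printf "%.1f\n", a / o }'
}

# Demo on the constructed samples. On a real machine, feed live data instead:
#   cryptsetup benchmark | slowdown serpent-xts 256b
#   has_aes_flag < /proc/cpuinfo
if printf '%s\n' "$SAMPLE_CPUINFO" | has_aes_flag; then
    echo "CPU advertises AES instructions"
fi
ratio=$(printf '%s\n' "$SAMPLE_BENCH" | slowdown serpent-xts 256b)
echo "serpent-xts 256b: ${ratio}x slower than aes-xts (sample data)"
```

`cryptsetup benchmark` measures in-memory throughput on one core, so the ratio is a rough indicator of the extra CPU time a non-accelerated cipher costs under load, not a disk I/O figure.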
