07/07/2011 08:35, Jochen Schulz wrote:
>> Colin: [trim]
>> I guess if I didn't have it I would need a separate dm-crypt and LUKS
>> partition for each of /, /home and swap which in turn would mean 3
>> separate keys + passwords.
>
> Yes. You could get away with only one passphrase if you put key files
> for the other filesystems on that one.
>
> J.

On my desktop I use a pass-phrase for / (typed during boot), decrypt_derived for swap (see #8 in /usr/share/doc/cryptsetup/README.initramfs.gz), and pam-mount for /home (decrypting is done on login).

On the laptop I use essentially the same setup, but /boot and the / key-file are stored on a USB flash disk with hardware encryption (see #10 in /usr/share/doc/cryptsetup/README.initramfs.gz). This way I only need to type in my login, which makes booting the laptop quicker.

If you don't care about suspend to disk you can also use a swap file on an encrypted partition instead of decrypt_derived, or a random key generated on startup, reducing complexity.

--
Archive: http://lists.debian.org/4e15af59.8040...@googlemail.com
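
The key arrangements discussed in this thread can be compared by reading a crypttab and classifying where each mapping's key comes from. The following is an added example, not part of the original message or of the cryptsetup package; the device names, the key file path and the sample file are constructed placeholders, and the helper names are hypothetical.

```python
# Constructed sample /etc/crypttab; device names and key path are placeholders.
SAMPLE = """\
# <target> <source device> <key file> <options>
cryptroot /dev/sda2 none luks
crypthome /dev/sda4 /etc/keys/home.key luks
cswap /dev/sda3 cryptroot cipher=aes-xts-plain64,size=256,keyscript=decrypt_derived,swap
cswap2 /dev/sda5 /dev/urandom cipher=aes-xts-plain64,size=256,swap
"""

def parse(text):
    """Return crypttab entries as dicts; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key = fields[2] if len(fields) > 2 else "none"
        opts = fields[3].split(",") if len(fields) > 3 else []
        entries.append({"target": fields[0], "key": key, "opts": opts})
    return entries

def key_source(entry):
    """Classify where the key for one mapping comes from."""
    scripts = [o.split("=", 1)[1] for o in entry["opts"] if o.startswith("keyscript=")]
    if scripts:
        name = scripts[0].rsplit("/", 1)[-1]
        return "derived" if name == "decrypt_derived" else "keyscript"
    if entry["key"] in ("/dev/urandom", "/dev/random"):
        return "random"
    return "passphrase" if entry["key"] in ("none", "-") else "keyfile"

def audit(text):
    """Return (target, key source, notes) for every entry."""
    entries = parse(text)
    targets = {e["target"] for e in entries}
    report = []
    for e in entries:
        source, notes = key_source(e), []
        # decrypt_derived takes the name of an already opened mapping as its key field.
        if source == "derived" and e["key"] not in targets:
            notes.append("derives its key from a mapping this file does not define")
        # A swap key that changes every boot cannot decrypt a hibernation image.
        if source == "random" and "swap" in e["opts"]:
            notes.append("new key every boot, so no suspend to disk")
        report.append((e["target"], source, notes))
    return report

def passphrase_prompts(text):
    # Number of mappings that ask for a typed passphrase.
    return sum(1 for _, source, _ in audit(text) if source == "passphrase")
```
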