On 05/07/2010 11:14 PM, Stefan G. Weichinger wrote:
> On 07.05.2010 16:24, Stefan G. Weichinger wrote:
>> On 07.05.2010 10:53, Stefan G. Weichinger wrote:
>>
>>> I think I am gonna file a bug for this now.
>>
>> http://bugs.gentoo.org/show_bug.cgi?id=318865
>
> Aside from the potential bug:
>
> As I store the "verysekrit.key" on the same hdd as the encrypted
> device and use the rather simple shadowed password to decrypt that
> key ... isn't that just plain stupid?
>
> The overall security is just as good as my password. Cracking it with
> john opens the key to decrypting the LUKS-volume ...
>
> Yes, if I would store the key on another volume (stick or something)
> as mentioned in that howto it would make sense but in my case ...
>
> *scratches head* ;-)
>
> Stefan

I prefer to encrypt my entire hard disk. Well, a huge partition (excl. only Windows and Solaris :) which I encrypt; the decrypted partition is then used as a PV for LVM, and all OSes and partitions are in LVs. This way I have to type in the password to decrypt the PV once, and all LVs are decrypted. Then I have to use a second PW to log in, of course.

As all Linux distros support encrypted roots and LVM nowadays, I have Gentoo, Fedora and Ubuntu all in the same VG.

The speed disadvantage is small, as my CPU+RAM is so much faster than the HDD. But in terms of security it's better to have everything encrypted, because it makes it more difficult to manipulate your system to get the key (the kernel is still unencrypted), and no possibly private information can be obtained from /tmp and /var.

I compile all needed modules into the kernel, so I don't need to recreate my initrd for every new kernel.
Bye, Daniel -- PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get # gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
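The layout Daniel describes (one LUKS container as the single LVM physical volume, one LV per distro root), as an added example that is not from either poster. It assumes /dev/sda2 as the container, "cryptpv" as the mapping name and "vg0" as the volume group; the crypttab entry uses "none" as the key, i.e. a boot-time passphrase prompt rather than a key file kept on the same disk, which is the weakness Stefan raises. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: /dev/sda2, cryptpv, vg0.
DEV="${DEV:-/dev/sda2}"
MAP="${MAP:-cryptpv}"
VG="${VG:-vg0}"

# Run a command, or just print it when DRY_RUN is set (lets you review the plan).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One passphrase unlocks the container; everything below it lives inside LVM,
# so a single prompt at boot opens every LV (roots, swap, /tmp, /var).
setup_crypt_pv() {
    run cryptsetup luksFormat "$DEV"
    run cryptsetup luksOpen "$DEV" "$MAP"
    run pvcreate "/dev/mapper/$MAP"
    run vgcreate "$VG" "/dev/mapper/$MAP"
}

# One LV per distro root plus a shared swap LV; the sizes are assumptions.
create_lvs() {
    for name in gentoo fedora ubuntu; do
        run lvcreate -L 20G -n "root_$name" "$VG"
    done
    run lvcreate -L 4G -n swap "$VG"
}

# /etc/crypttab line for the initramfs: "none" means ask for the passphrase,
# so no key file sits on the disk it protects.
crypttab_line() {
    printf '%s %s none luks\n' "$MAP" "$DEV"
}

# Only touch the disk when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    setup_crypt_pv
    create_lvs
    crypttab_line
fi
```

Remember that the kernel and initramfs still sit unencrypted in /boot, so this protects data at rest, not the boot path itself.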