On 6 June 2020 06:37:23 CEST, Dale <rdalek1...@gmail.com> wrote: >Howdy, > >I think I got a old 3TB hard drive to work. After dd'ing it, redoing >partitions and such, it seems to be working. Right now, I'm copying a >bunch of data to it to see how it holds up. Oh, it's a PMR drive too. >lol Once I'm pretty sure it is alive and working well, I want to play >with encryption. At some point, I plan to encrypt /home. I found a >bit >of info with startpage but some is dated. This is one link that seems >to be from this year, at least updated this year. > >https://linoxide.com/linux-how-to/encrypt-linux-filesystem/ > >It seems like a nice one since it has commands and what it should look >like when it is performing the commands. I like knowing what I'm doing >sort of matches what the howto shows. It also seems to use LVM which I >will be using as well. I think I can follow that and get a working >encrypted storage. Later, I can attempt this on /home without doing it >blind. I also have the options in the kernel as well. I'll post them >at the bottom. I enabled quite a lot a while back. ;-) > >Is this a secure method or is there a more secure way? Is there any >known issues with using this? Anyone here use this method? Keep in >mind, LVM. BTFRS, SP?, may come later. > >One other question, can one change the password every once in a while? >Or once set, you stuck with it from then on? > >If anyone has links to even better howtos, I'd love to check them out. > >Dale > >:-) :-) > > >root@fireball / # zcat /proc/config.gz | grep crypt | grep =y >CONFIG_ARCH_HAS_MEM_ENCRYPT=y >CONFIG_DM_CRYPT=y >CONFIG_CRYPTO=y >CONFIG_CRYPTO_ALGAPI=y >CONFIG_CRYPTO_ALGAPI2=y >CONFIG_CRYPTO_AEAD=y >CONFIG_CRYPTO_AEAD2=y >CONFIG_CRYPTO_SKCIPHER=y >CONFIG_CRYPTO_SKCIPHER2=y >CONFIG_CRYPTO_HASH=y >CONFIG_CRYPTO_HASH2=y >CONFIG_CRYPTO_RNG=y >CONFIG_CRYPTO_RNG2=y >CONFIG_CRYPTO_RNG_DEFAULT=y >CONFIG_CRYPTO_AKCIPHER2=y >CONFIG_CRYPTO_AKCIPHER=y >CONFIG_CRYPTO_KPP2=y >CONFIG_CRYPTO_ACOMP2=y >CONFIG_CRYPTO_MANAGER=y >CONFIG_CRYPTO_MANAGER2=y >CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y >CONFIG_CRYPTO_GF128MUL=y >CONFIG_CRYPTO_NULL=y >CONFIG_CRYPTO_NULL2=y >CONFIG_CRYPTO_CRYPTD=y >CONFIG_CRYPTO_AUTHENC=y >CONFIG_CRYPTO_SIMD=y >CONFIG_CRYPTO_GLUE_HELPER_X86=y >CONFIG_CRYPTO_RSA=y >CONFIG_CRYPTO_ECHAINIV=y >CONFIG_CRYPTO_CBC=y >CONFIG_CRYPTO_ECB=y >CONFIG_CRYPTO_LRW=y >CONFIG_CRYPTO_XTS=y >CONFIG_CRYPTO_NHPOLY1305=y >CONFIG_CRYPTO_NHPOLY1305_SSE2=y >CONFIG_CRYPTO_NHPOLY1305_AVX2=y >CONFIG_CRYPTO_ESSIV=y >CONFIG_CRYPTO_HMAC=y >CONFIG_CRYPTO_CRC32C=y >CONFIG_CRYPTO_XXHASH=y >CONFIG_CRYPTO_BLAKE2B=y >CONFIG_CRYPTO_CRCT10DIF=y >CONFIG_CRYPTO_MD5=y >CONFIG_CRYPTO_RMD128=y >CONFIG_CRYPTO_RMD160=y >CONFIG_CRYPTO_RMD256=y >CONFIG_CRYPTO_RMD320=y >CONFIG_CRYPTO_SHA1=y >CONFIG_CRYPTO_SHA1_SSSE3=y >CONFIG_CRYPTO_SHA256_SSSE3=y >CONFIG_CRYPTO_SHA512_SSSE3=y >CONFIG_CRYPTO_SHA256=y >CONFIG_CRYPTO_SHA512=y >CONFIG_CRYPTO_WP512=y >CONFIG_CRYPTO_AES=y >CONFIG_CRYPTO_AES_TI=y >CONFIG_CRYPTO_ARC4=y >CONFIG_CRYPTO_BLOWFISH=y >CONFIG_CRYPTO_BLOWFISH_COMMON=y >CONFIG_CRYPTO_BLOWFISH_X86_64=y >CONFIG_CRYPTO_CAMELLIA=y >CONFIG_CRYPTO_CAMELLIA_X86_64=y >CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y >CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y >CONFIG_CRYPTO_DES=y >CONFIG_CRYPTO_SERPENT=y >CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y >CONFIG_CRYPTO_TWOFISH=y >CONFIG_CRYPTO_TWOFISH_COMMON=y >CONFIG_CRYPTO_TWOFISH_X86_64=y >CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y >CONFIG_CRYPTO_ANSI_CPRNG=y >CONFIG_CRYPTO_DRBG_MENU=y >CONFIG_CRYPTO_DRBG_HMAC=y >CONFIG_CRYPTO_DRBG=y >CONFIG_CRYPTO_JITTERENTROPY=y >CONFIG_CRYPTO_USER_API=y >CONFIG_CRYPTO_USER_API_HASH=y >CONFIG_CRYPTO_USER_API_SKCIPHER=y >CONFIG_CRYPTO_USER_API_RNG=y >CONFIG_CRYPTO_LIB_AES=y >CONFIG_CRYPTO_LIB_ARC4=y >CONFIG_CRYPTO_LIB_DES=y >CONFIG_CRYPTO_LIB_POLY1305_GENERIC=y >CONFIG_CRYPTO_LIB_SHA256=y >CONFIG_CRYPTO_HW=y >root@fireball / # > >Just wanted to have a few extras. ROFL
Dale, I didn't read the full page, but as it uses LUKS to manage the encryption, it is (at least similar) to what I do on my laptops. A LUKS volume has support for multiple (I think 4) key slots (passwords that will decrypt the volume) So, in order to change the password you would do: 1) add the new password into an unused slot 2) test the new password works 3) delete the old password (freeing the slot) -- Joost -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
