Richard Fish wrote:

> On 8/19/06, Stefan G. Weichinger <[EMAIL PROTECTED]> wrote:
>> Would you recommend using the initramfs from the HOWTO, or might there
>> be another way of doing it, staying closer to the genkernel way of
>> doing it?
>
> Well genkernel also allows you to specify a custom linuxrc
> (--linuxrc=). This is probably the route I would take with genkernel.
> The default is in /usr/share/genkernel/generic/linuxrc, which you can
> use for inspiration. Generally that script does everything that you
> will want to do, just not in the order you want to do it in.
>
> You have a few options for this setup. If you don't mind typing your

[...]

Great info, thank you. I will look through it in more detail as soon as
I have recovered from getting my current setup done.

My main concern in this context is the question: How to maintain the
encrypted partitions over time? What do I have to do/remember when I want
to use a newer kernel?

The maintenance steps should be clear, as I for sure don't want to go
through all of this every time a new kernel is released. Or even worse,
lose data ... (backups are done regularly, *yes*)

So this was the/one reason to ask for the genkernel way.

>> Are there any comparisons between the speed of using
>> aes-cbc-essiv:sha256, 128bit and
>> aes-cbc-essiv:sha256, 256bit ?
>
> I don't have any comparisons, but it should be easy enough for you to
> create. Just set up a bare (not luks) mapping and do:
>
> dd if=/dev/mapper/crypt_foo of=/dev/null bs=64k count=49152
>
> This will read 3G of 'encrypted' data from the drive. You can do this
> without affecting any data on the disk, as long as you do *not*
> luksFormat it. Remember to keep an eye on the CPU usage of this with
> vmstat or top as well.

Maybe I give this a try after writing this ...

>> /dev/mapper/root is active:
>> cipher: serpent-cbc-essiv:sha256
>
> Generally I've found AES to be slightly faster...

I found this link at the end of the HOWTO I used:

http://www.saout.de/tikiwiki/tiki-index.php?page=UserPageChonhulio

It also shows that AES is faster than Serpent, and additionally that,
contrary to the Serpent algo, AES with a 128-bit key is faster than AES
with a 256-bit key.

I will think about this a bit more before I move my data into place.

>> and the performance seems OK to me. But it could always be better ;)
>> I will have a look through the docs to see the security implications of
>> using "only" 128bit.
>
> Just be sure to keep in mind the type of data you have and who you are
> trying to defend against. Researching encryption on the net is a
> quick way to get irrationally paranoid. The bottom line is that
> everything can be broken given enough time and money.
>
> So if you work for the CIA and keep the secret identities of all spies
> and informants on your laptop, well, then dm-crypt is not sufficient
> to begin with. If you work for my investment brokerage and have all
> your customers' financial records on your disk, I want you to use
> 256-bit encryption. If it is just your bank records and personal
> emails, use whatever you want.

No CIA, no. IT consultant, trying to keep customer-related data
protected. As well as my own business-related data.

Sounds like AES-256 then.

Thanks a lot for your info, greets, Stefan

--
gentoo-user@gentoo.org mailing list
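The read-through benchmark Richard describes (a bare, non-LUKS mapping plus a 3G dd to /dev/null), worked up into a script that runs the comparison Stefan asked about across the AES and Serpent variants mentioned in the thread. This is an added example, not code from the thread, from genkernel or from the linked HOWTO. It assumes a Linux host where cryptsetup supports `open --type plain --readonly`, GNU dd (for `iflag=direct`) and GNU date (for `%N`), and that it is run as root on a block device passed as the first argument; the function names `dd_count`, `mib_per_sec` and `bench_cipher` are my own. The mapping is opened read-only with a throwaway random key and nothing is ever written, so, exactly as with the manual dd, the data on the device is untouched.

```shell
#!/bin/sh
# Added example: dm-crypt read-throughput per cipher, following the thread's
# recipe. A *plain* (not LUKS) mapping is opened read-only over the device,
# a fixed amount is read through it with dd, and the mapping is closed.
# Nothing is written, so existing data is not affected.
# Assumptions (not from the thread): cryptsetup with "open --type plain
# --readonly", GNU dd (iflag=direct), GNU date (%N), root for device-mapper.

# dd block count for SIZE_MB MiB at bs=64k: 16 blocks per MiB.
# 3072 MiB gives 49152, the count used in the thread.
dd_count() {
    echo $(( $1 * 16 ))
}

# Integer MiB/s from a size in MiB and start/end timestamps in nanoseconds.
mib_per_sec() {
    size_mb=$1; start_ns=$2; end_ns=$3
    elapsed_ms=$(( (end_ns - start_ns) / 1000000 ))
    [ "$elapsed_ms" -gt 0 ] || elapsed_ms=1   # never divide by zero
    echo $(( size_mb * 1000 / elapsed_ms ))
}

# Open DEV read-only as a plain mapping with CIPHER/BITS and a random
# throwaway key, read SIZE_MB through it, close it, print MiB/s.
# Returns 1 if cryptsetup refuses (e.g. cipher not available in the kernel).
bench_cipher() {
    dev=$1; cipher=$2; bits=$3; size_mb=$4
    name="bench_$$"
    cryptsetup open --type plain --readonly -c "$cipher" -s "$bits" \
        --key-file /dev/urandom "$dev" "$name" || return 1
    start=$(date +%s%N)
    # iflag=direct bypasses the page cache so a second run is not served
    # from RAM; 64k reads are block aligned so direct I/O is fine here.
    dd if="/dev/mapper/$name" of=/dev/null bs=64k \
        count="$(dd_count "$size_mb")" iflag=direct 2>/dev/null
    end=$(date +%s%N)
    cryptsetup close "$name"
    printf '%-24s %4s bit  %6s MiB/s\n' "$cipher" "$bits" \
        "$(mib_per_sec "$size_mb" "$start" "$end")"
}

main() {
    dev=$1; size_mb=${2:-3072}
    [ -b "$dev" ] || { echo "usage: $0 /dev/sdXN [size_mb]" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root (device-mapper)" >&2; return 2; }
    echo "Reading $size_mb MiB through each mapping on $dev."
    echo "Run 'vmstat 1' in another terminal to watch the CPU cost."
    # The cipher/key-size pairs discussed in the thread.
    for spec in aes-cbc-essiv:sha256:128 aes-cbc-essiv:sha256:256 \
                serpent-cbc-essiv:sha256:128 serpent-cbc-essiv:sha256:256; do
        bench_cipher "$dev" "${spec%:*}" "${spec##*:}" "$size_mb" \
            || echo "${spec%:*} ${spec##*:}: mapping failed, skipped"
    done
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Reading the same 3 GiB straight from the raw device (no mapping) first gives the disk's own ceiling; a cipher whose figure sits right at that ceiling is not the bottleneck, and only the vmstat CPU column tells the variants apart. Keep the mapping read-only as shown: a plain mapping with a random key over a device that is later written to would silently destroy whatever is on it.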