On 23.07.2010, Grant Olson wrote:
> Just keep in mind that if you're not encrypting the whole disk, your
> sensitive data can leak to /tmp and swap. I'm only bringing this up
> because it seems like you've taken some elaborate steps to protect your
> data.

I second that. Besides, holding a GPG encrypted keyfile on unencrypted space to open a LUKS/dmcrypt encrypted device, opening/decrypting the keyfile in the boot process by entering the correct passphrase, to finally open the LUKS/dmcrypt secured device seems broken to me. Why not just use the same secure passphrase for the LUKS keyslot directly, instead of using a keyfile? Seems a little bit like "security by obscurity" to me.

(Malte: I hacked a lot on the openSUSE bootscripts related to LUKS/dmcrypt in the last 2 years. If you need to customize your system in such a way that is not possible to achieve with the openSUSE installer, feel free to drop me a note.)