On Mon, Jul 16, 2007 at 07:08:21PM +0300, Richard Storm wrote:
> This is crappy howto. *encryption* there are as much as creating
> unsecure (without -K)
> single storage volume...
>
> We are talking about full disk encryption here, like mounting
> encrypted root partition :)
>
> Problems:
> * vnconfig -K makes use of file images. would be much simpler if it
> could use raw disks.

It can.

> * kernel can't pick up and ask for passphrase for encrypted root file
> system partition.

You are right there.

> * salt + passphrase are used directly to encrypt data, so no easy
> change of passphrase without reformatting image... don't know if that's
> a big problem....

That is up to you; you can always use another utility to encrypt the
file used with -K.

> * no possibilities to change algorithms/ciphers. guess this isn't big
> problem either, since blowfish is kinda strong :)
>
> Perhaps if making vnconfig to work with raw devices and putting in
> kernel crypto stuff which could ask for root-fs passphrase, then we
> could have full disk encryption, except for kernel rc and MBR which
> should reside on unencrypted bootable medium like CD, usb, hdd...

But why encrypt the whole disk? I can see why you'd want to encrypt user
data - say, /home - but why encrypt boring stuff like /usr?

Joachim

--
TFMotD: w (1) - display users who are logged on and what they are doing