Re: [Libreboot] best method for full encryption


From: Denis 'GNUtoo' Carikli
Subject: Re: [Libreboot] best method for full encryption
Date: Sun, 26 Oct 2014 13:08:33 +0100

On Sun, 19 Oct 2014 16:44:33 +0200
Robert Alessi <address@hidden> wrote:

> Hi all,
Hi,

> 1. Reinstall everything in a single large sda1 following the
>    guidelines of libreboot.org
> 2. Only encrypt my /boot (sda1) partition, then put somewhere into it
>    a keyfile to have the whole system unencrypted with a single
>    passphrase at boot time from grub.
The keyfile has to go in the initramfs: That way you use a password in
grub, then the initramfs will reopen the root partition.
Beware about the dd commands found on the net to generate the key file:
* Most of them use /dev/urandom instead of /dev/random
* Beware if you use /dev/random, triple check the key size at the end,
  if you have some dd errors due to the randomness being too slow to
  generate, don't use that key. Search for an answer to the error first!

> Before going on, I would really appreciate your input on what you
> think is the best way to proceed.  My concerns are the following:
> 
> 1. Option 1 or option 2?
Option 2 is possible, the easiest way to do it is:
1) install the wipe package, don't generate a key yet
2) Move the /boot content:
# umount /boot
# mount /dev/the_boot_partition /mnt
# cp -a /mnt/* /boot/
# # remove /boot from fstab
3) update grub config
4) boot on the encrypted rootfs
=> It should work but it will ask for the LUKS password twice: once in
   grub and once in the initramfs
5) At that point create the key and add it to the initramfs.
6) maybe get rid of the old partition somehow? or just leave it there
   and don't use it anymore. Or add it as encrypted swap?

> 3. Option 2: when I installed my system back in January, I made the
>    following choices:
>    -----
>    Cipher name:       aes
>    Cipher mode:       xts-plain64
>    Hash spec:         sha1
>    MK bits:           512
>    -----
>    which are different from those which are found in Libreboot
>    tutorial (--cipher serpent-xts-plain64 --key-size 512 --hash
>    whirlpool, etc.)
> 
>    When it comes to security, the stronger is the better.  So, are my
>    choices safe enough?  If I would change them, how would I proceed?
>    I did some research, and I came across this:
>    
> http://asalor.blogspot.fr/2012/08/re-encryption-of-luks-device-cryptsetup.html
>    What do you think of this method?
Look at wikipedia first, they have articles on all the ciphers.

Denis.
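
One way to do the key-size check recommended in the message above (an added example, not part of the original post; the function name make_keyfile, its arguments and the /dev/sdXN placeholder are assumptions). It reads one byte per dd block so a slow source cannot produce short blocks, then verifies the file size independently of dd's exit status:

```shell
#!/bin/sh
# make_keyfile PATH SIZE_BYTES [SOURCE]
# Hypothetical helper: writes SIZE_BYTES random bytes to PATH and keeps
# the file only if it has exactly that size. SOURCE defaults to
# /dev/random, following the advice in the message.
make_keyfile() {
    kf_path=$1
    kf_size=$2
    kf_src=${3:-/dev/random}
    kf_status=0
    kf_actual=0

    # Never overwrite an existing key.
    if [ -e "$kf_path" ]; then
        echo "refusing to overwrite $kf_path" >&2
        return 1
    fi

    # umask 077 creates the file readable by its owner only.
    # bs=1 makes every read a single byte, so dd never counts a
    # partially filled block as a full one.
    ( umask 077
      dd if="$kf_src" of="$kf_path" bs=1 count="$kf_size" 2>/dev/null
    ) || kf_status=$?

    # dd exits 0 when the source simply runs out early, so the size is
    # checked separately.
    if [ -f "$kf_path" ]; then
        kf_actual=$(wc -c < "$kf_path" | tr -d ' ')
    fi
    if [ "$kf_status" -ne 0 ] || [ "$kf_actual" != "$kf_size" ]; then
        echo "key is $kf_actual bytes, expected $kf_size: discarding" >&2
        rm -f "$kf_path"
        return 1
    fi

    chmod 0400 "$kf_path"
    return 0
}

# Usage as root (placeholder device and path, not run here):
#   make_keyfile /root/rootfs.key 64
#   cryptsetup luksAddKey /dev/sdXN /root/rootfs.key
```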
