Richard Fish wrote:
> Alexander Skwar wrote:
>
>> Richard Fish wrote:
>>
>>> Pupeno wrote:
>>>
>>>>> I use the dm-crypt from the kernel....
>>>>
>>>> I've read that it is insecure and I also read that it is not yet very well
>>>> supported.
>>>
>>> Dm-crypt is fairly well supported, since it is in the kernel, but I find
>>> it to be harder to set up
>>
>> hard to set up? How? What's hard about it?
>>
>> You just encrypt the block device and create an fs on it.
>>
>> /sbin/lvcreate -nToBeEnc -L5g sys \
>>  && echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc \
>>  && mkfs -t reiser4 /dev/mapper/Crypted \
>>  && mount /dev/mapper/Crypted /some/where
>>
>> Obviously, the lvcreate and mkfs steps are just a one time step :)
>
> First, I did not say dm-crypt was "hard to set up". I said I find it
> harder to be set up than loop-AES.

Yes, you're right. But since dm-crypt is so easy to set up with
cryptsetup, I can't imagine how much easier you want to have it.

> Have you used both loop-AES and dm-crypt? I have.

No. dm-crypt is good enough for me. No need for something else.

Is it possible to encrypt the complete block device with loop-AES?
Or does it only encrypt a file that's afterwards loop mounted?

> If you want to know what, specifically, I find more difficult about
> cryptsetup, it is the documentation.

Well.

> The grand sum of documentation
> available for dm-crypt/cryptsetup after doing an 'emerge cryptsetup' is
> "cryptsetup --help".

Well. I didn't need more.

> And yes, I know there are better guides online, but it is not always
> possible to go online.

Well. Download the stuff and print it, or something. For me, it's
always possible to go online.

> Also, I wanted to be able to change my password. With loop-AES, this is
> a simple matter of re-encrypting my key file with a new password.
> cryptsetup makes this more difficult. Not impossible, just more difficult.

Well, no. It IS impossible. You need to create a new crypted device.

> <advice>
> Also, echoing your password on a command line to cryptsetup is an
> extremely bad idea. If an attacker happens to be on your system at that
> moment, a simple 'ps' will show them your passphrase.

How?

/bin/cryptsetup < file-with-passphrase

Where does the attacker see the passphrase?

Oh. You took my example way too literally. *echo*ing the password
is an extremely bad idea. You're of course right. But in reality
I of course don't do that. Further, I said that the password can
be piped to cryptsetup.

Alexander Skwar
--
Paul: Good way to avoid frostbite, folks, put your hands between your
buttocks. That's nature's pocket.
--
gentoo-user@gentoo.org mailing list
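
The "cryptsetup < file-with-passphrase" approach discussed above, as an added shell example that is not part of the original thread: it feeds the passphrase on stdin only after checking that the file is private. The helper names keyfile_is_private and with_passphrase_stdin and the passphrase file path are hypothetical, and GNU-style "stat -c" is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# keyfile_is_private FILE
# Succeeds only if FILE is a regular file (not a symlink), owned by the
# invoking user, with mode 600 or 400 (no group/other access).
keyfile_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # Assumes GNU-style stat: %a = octal mode, %u = owner uid.
    info=$(stat -c '%a %u' -- "$f") || return 1
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$(id -u)" ] || return 1
    case $mode in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# with_passphrase_stdin KEYFILE CMD [ARGS...]
# Runs CMD with KEYFILE connected to its stdin. The passphrase never
# appears in any argument vector, so it is not visible in 'ps' output,
# and it is not typed as a literal into the shell history.
with_passphrase_stdin() {
    keyfile=$1
    shift
    keyfile_is_private "$keyfile" || {
        echo "refusing $keyfile: need regular file, owned by you, mode 600 or 400" >&2
        return 1
    }
    "$@" < "$keyfile"
}

# Usage with the command from the thread (path is a placeholder):
#   with_passphrase_stdin /path/to/passphrase-file \
#       /bin/cryptsetup create Crypted /dev/sys/ToBeEnc
```

The passphrase file is then the thing to protect: it is readable by root and by anyone who obtains a backup or image of the disk it sits on.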