On 04-May-2013 15:45:51 +0200, Zenny wrote:

> Is there a way to encrypt Owl / with aes-xts-plain64 which can be
> remotely authenticated remotely for decryption (like using dropbear
> in initrd or mandos server-client mechanism in debian using hooks)?

No. And normally you don't need that.

When dealing with sensitive data, personally I prefer leaving the bare system at unencrypted / and /var, while keeping all the sensitive data inside VZ containers stored at encrypted /home; when I reboot the server, I wait for it to start and then issue a command like:

    gpg < vzhost.key | ssh [email protected] \
        "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 /dev/loop0 /dev/md2"

(hint: `head -c128 /dev/random | xxd -p -c32 | gpg -ea > vzhost.key` will provide you with a secure encryption key).

After that, I go to vzhost.somewhere and issue two obvious commands:

    mount /dev/loop0
    service vz start

Please see the http://openwall.info/wiki/Owl/secure-storage page for instructions on how to set up secure data storage.

> Also interested in tcplay, but would be nice to know to securely
> integrated with Owl 3.0.

It uses devmapper, and thus is unacceptable due to its ability to bury all the data at once.

-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net
GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
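The remote-unlock flow from the reply above, as an added example (not code from the post or from Owl), wrapped so that the decrypted key is checked before it is piped to the server: a truncated or mis-decrypted key file would otherwise be fed to `losetup -k` silently and the loop device would be set up with the wrong key. The key length (128 bytes, 256 hex digits) follows from the `head -c128 ... | xxd -p -c32` hint; the ssh target and key file path are parameters, since the post's address is not readable here.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes the key was
# created with: head -c128 /dev/random | xxd -p -c32 | gpg -ea > vzhost.key
# so the plaintext is 128 bytes = 256 lowercase hex digits over 4 lines.
set -u

KEY_HEX_LEN=256

# Read a hex key on stdin; succeed only if, with newlines removed, it is
# exactly KEY_HEX_LEN lowercase hex digits. Empty input, gpg error text
# or stray whitespace is rejected so it never reaches `losetup -k`.
validate_hex_key() {
    tr -d '\n' | grep -Eq "^[0-9a-f]{$KEY_HEX_LEN}$"
}

# Generate a fresh key file the same way the post does.
make_key() {
    head -c128 /dev/random | xxd -p -c32 | gpg -ea > "$1"
}

# Decrypt the key locally, validate it, then hand it to losetup over ssh
# exactly as in the post. Arguments: key file, ssh target (user@host),
# both assumptions here. The plaintext key never touches the remote disk.
unlock_vzhost() {
    keyfile=$1
    target=$2
    hex=$(gpg --decrypt < "$keyfile") || { echo "gpg failed" >&2; return 1; }
    printf '%s\n' "$hex" | validate_hex_key \
        || { echo "refusing to send malformed key" >&2; return 1; }
    printf '%s\n' "$hex" | ssh "$target" \
        "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 /dev/loop0 /dev/md2"
}
```

After `unlock_vzhost vzhost.key root@vzhost.somewhere` succeeds, the `mount /dev/loop0` and `service vz start` steps are run on the server as in the post.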
