dhorf-hfref.4a288...@hashmail.org:
> On Fri, Jun 12, 2020 at 12:49:04PM +0000, taran1s wrote:
>> - set a higher encryption from qubes default to aes 512-bit full disk
>> encryption.
>
> a) there is no "aes 512".
> b) the qubes default is aes-xts-512. (which is really aes-256 with
>    two different keys since whoever implemented it for linux read
>    the XTS paper wrong, but it doesn't matter for security)
> c) check "cryptsetup luksDump /dev/yourqubesluksdev"

Thank you for pointing out that qubes uses the aes-xts-512 already. I read somewhere in the past that qubes uses the 256-bit encryption but maybe it was confused with 256 effective or something.

>> Is this possible to do from within running qubes or will I need to
>> reinstall the QubesOS and do it all fresh?
>
> most likely for the "encryption" part no change is required.
> so just moving /boot + grub.

Are there any good guides on how to do this move? /boot partition and grub installation onto the usb stick?

>> cryptsetup luksChangeKey /dev/sdX with sdX to be the luks partition
>> like for example sd3 in case of default qubes installation procedure.
>> Is that case from inside of qubes too?
>
> cryptsetup can be used from inside qubes dom0, yes.
> i recommend adding a new passphrase first, making sure it works, then
> removing the old one.
> luks default has 8 key slots.

This would mean to execute sudo cryptsetup luksAddKey /dev/sd3 (sda3 is the luks partition in my case). If I get it right it should automatically add Key to the next free slot if available. Since sudo cryptsetup luksDump /dev/sd3 | grep -i key returns only one slot enabled, my new passphrase will be in the slot 1.

Then sudo cryptsetup luksRemoveKey /dev/sdX will remove the passphrase I enter, so I don't need to specify the slot. Is that right?

>> Are there any pros/cons of this setup?
>
> make sure to have more than one boot device for redundancy.
> you will have to update them all for every kernel, xen or grub update.
> (or accept booting your system from an old grub/xen/kernel if
> you end up using an outdated boot stick)

How do I update it? Are there any noob friendly guides?
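
The rotation order recommended in the quoted reply (add the new passphrase, confirm it works, then remove the old one), as an added shell example that is not part of the original thread. The function names and the sample `luksDump` text are constructed for illustration, and the device path is whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Constructed, abridged LUKS1 `cryptsetup luksDump` output (one passphrase set).
SAMPLE_DUMP='LUKS header information for /dev/sdX3
Version:        1
Cipher mode:    xts-plain64
MK bits:        512
Key Slot 0: ENABLED
Key Slot 1: DISABLED
Key Slot 2: DISABLED'

# Print enabled key-slot numbers from luksDump text on stdin.
# Matches the LUKS1 ("Key Slot 0: ENABLED") and LUKS2 ("  0: luks2") layouts.
enabled_slots() {
    awk '/^Key Slot [0-9]+: ENABLED/ { s = $3; sub(":", "", s); print s }
         /^[ \t]+[0-9]+: luks2/      { s = $1; sub(":", "", s); print s }'
}

# Print the lowest slot in 0..max-1 that is not listed on stdin.
# max defaults to 8, the slot count mentioned in the thread; fails if none is free.
next_free_slot() {
    max="${1:-8}"
    used=" $(tr '\n' ' ') "
    i=0
    while [ "$i" -lt "$max" ]; do
        case "$used" in
            *" $i "*) ;;                    # slot already holds a key
            *) echo "$i"; return 0 ;;
        esac
        i=$((i + 1))
    done
    return 1
}

# Rotate the passphrase on LUKS device $1 (run as root; cryptsetup prompts).
rotate_passphrase() {
    dev="$1"
    slot=$(cryptsetup luksDump "$dev" | enabled_slots | next_free_slot) || {
        echo "no free key slot on $dev" >&2; return 1; }
    # Asks for an existing passphrase, then the new one (entered twice).
    cryptsetup luksAddKey --key-slot "$slot" "$dev" || return 1
    # Prove the NEW passphrase unlocks that exact slot before touching the old key.
    echo "Enter the NEW passphrase to test slot $slot:"
    cryptsetup open --test-passphrase --key-slot "$slot" "$dev" || {
        echo "new passphrase failed; old key left in place" >&2; return 1; }
    # luksRemoveKey wipes whichever slot matches the passphrase typed here.
    echo "Enter the OLD passphrase to remove it:"
    cryptsetup luksRemoveKey "$dev"
}
```

Sourcing the file and calling `rotate_passphrase` with the LUKS partition as its argument walks through the three prompts in order; the old key is only removed after the test-open of the new slot succeeds.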