jwwolf wrote: And what is wrong with using loop-aes?
loop-aes isn't supported in mkinitcpio as yet. I think I could get it to work, but I would have to build a custom hook, and that's a whole lot more work.
Read Example 5 and here

You might find this entry interesting though: http://wiki.archlinux.org/index.php/LUKS
or a very detailed entry from the Gentoo wiki: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS
Hope it helps

Well, I just tested it myself with an empty partition on my hard drive and it worked perfectly fine. It doesn't offer ext4 yet, but ext3 works.
Yes, you can use Truecrypt to encrypt almost any type of disk attached to your box, but to get the root disk encrypted, which is what I am trying to achieve, the problem is that the kernel doesn't know how to decrypt it, so it has to be done in early userspace. I may be wrong, but I would think you would need to create a custom hook and include Truecrypt in the initramfs. Same problem as loop-aes, I guess...
So the easy option is to just slightly modify what Arch Linux already has, and which has been thoroughly tested...

As far as I know, Truecrypt does not support full disk encryption in Linux, only Windows.
Well, I just tested it myself with an empty partition on my hard drive and it worked perfectly fine. It doesn't offer ext4 yet, but ext3 works.

It's probably a bit beside the point, but why not use TrueCrypt? http://www.truecrypt.org/
As far as I know, Truecrypt does not support full disk encryption in Linux, only Windows. Truecrypt is good when you want to encrypt something that has to be decrypted cross-platform. For example, a USB key.
And what is wrong with using loop-aes?
loop-aes isn't supported in mkinitcpio as yet. I think I could get it to work, but I would have to build a custom hook, and that's a whole lot more work.

So basically adding a whole new layer of security to the system. The more layers of security you can add, the better.
I do know this is a little overboard, but it's more for the fun of doing it. In a strange sort of nerdy way.
But back to what you were saying about the libraries? From the Arch Linux wiki:
These options allow users to add files to the image. Both BINARIES and FILES are added before hooks are run, and may be used to override files used or provided by a hook. BINARIES are dependency-parsed, meaning any required libraries will also be added. FILES are added as-is. For example:
So I shouldn't have to worry about them.

But what's wrong with using LUKS?

From what I understand, this should do the trick?

To create it and open it I would use something like this.
#dd if=/dev/urandom bs=512 count=4|gpg --symmetric -a > ./rootkey.gpg
#gpg --quiet --decrypt rootkey.gpg | cryptsetup -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3
#gpg --decrypt key.gpg 2>/dev/null | cryptsetup luksOpen /dev/sda3 root
Which works if I can manually enter the commands to decrypt the drive, but how would I do that at boot? I was reading an article on the Gentoo wiki about creating custom scripts etc. to handle it all. Can something similar be applied in Arch Linux? If this is at all possible, is there somewhere where I can find some documentation regarding doing this?
Cheers.