Hi,
I'm trying to set up encryption on one of my partitions. Here's what I did.
modprobe dm-crypt
modprobe aes-i586
cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sda4
cryptsetup luksOpen /dev/sda4 private
mkfs.ext4 /dev/mapper/private
mount -t ext4 /dev/mapper/private /home/archie/private
Then to mount after restart I do:
cryptsetup luksOpen /dev/sda4 private
mount -t ext4 /dev/mapper/private /home/archie/private
Is my /dev/sda4 safe?
Cheers,
Tomas
Yes that's safe (as long as you don't give your passphrase away)
Note that you don't need to manually mount/umount every time. Put it in fstab and put the encrypt hook in mkinitcpio.conf (it handles the cryptsetup luksOpen part).
< Daenyth> and he works prolifically
4 8 15 16 23 42
Sure, if you encrypted your /var/tmp, /tmp, and swap (in order of least to most important) too. Otherwise, the second your key or some files from the encrypted part that you read in are either swapped out or placed in a temp directory, *boom* they've been written unencrypted and can be recovered by a dedicated individual. If you're willing to go through the trouble of encrypting a partition, it's IMO mandatory to do those other parts too.
Remember, /var/tmp needs to be persistent (it's used for temp files that can't be deleted after a shutdown), but /tmp doesn't (an idea is to mount it as a tmpfs, basically a ramdisk that can use RAM or swap, that'd be secure as long as swap is encrypted), so another idea is to encrypt both /tmp and swap with random keys on every boot (I think the Wiki says how to do this) - that's even more secure.
For an example on how easy it would be to get something written to a temp directory, say you make an ISO from files on the encrypted partition. AFAIK every big ISO-maker stores the temporary files in /tmp (I'm pretty sure the standard CLI tool does at least).
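As an added check that is not part of the thread: a small POSIX sh script that audits whether swap, /tmp and /var/tmp are backed by a device-mapper device or tmpfs, i.e. whether the leak paths described above are covered. The helper takes the text of /proc/swaps and /proc/mounts as arguments so it can be run against constructed samples; the sample data and the AUDIT_SAMPLE variable are assumptions for this example.

```shell
#!/bin/sh
# Audit whether swap, /tmp and /var/tmp could leak plaintext from an
# encrypted partition. A path is treated as covered when it is tmpfs or sits
# on a device-mapper node (/dev/mapper/* or /dev/dm-*). A mapper node could
# also be plain LVM, so confirm with "cryptsetup status <name>" for each hit.

# Usage: audit_leak_paths SWAPS_TEXT MOUNTS_TEXT
# Prints one line per finding ("swap <dev>" or "mount <path> <dev>");
# prints nothing when every checked location is encrypted or RAM-backed.
audit_leak_paths() {
    swaps=$1
    mounts=$2
    # /proc/swaps columns: Filename Type Size Used Priority (line 1 is a header)
    printf '%s\n' "$swaps" | awk '
        NR > 1 && $1 !~ /^\/dev\/(mapper\/|dm-)/ { print "swap " $1 }'
    # /proc/mounts columns: device mountpoint fstype options dump pass
    printf '%s\n' "$mounts" | awk '
        ($2 == "/tmp" || $2 == "/var/tmp") && $3 != "tmpfs" &&
        $1 !~ /^\/dev\/(mapper\/|dm-)/ { print "mount " $2 " " $1 }'
}

# Constructed sample: swap and /tmp on raw partitions (two findings),
# /var/tmp and the private data on opened LUKS mappings (no finding).
SAMPLE_SWAPS='Filename				Type		Size	Used	Priority
/dev/sda5                               partition	2097148	0	-2'
SAMPLE_MOUNTS='/dev/sda3 / ext4 rw,relatime 0 0
/dev/sda6 /tmp ext2 rw,nosuid,nodev 0 0
/dev/mapper/vartmp /var/tmp ext4 rw,relatime 0 0
/dev/mapper/private /home/archie/private ext4 rw,relatime 0 0'

# Run against the live system by default; AUDIT_SAMPLE=1 uses the sample.
if [ "${AUDIT_SAMPLE:-0}" = 1 ] || ! [ -r /proc/swaps ] || ! [ -r /proc/mounts ]; then
    audit_leak_paths "$SAMPLE_SWAPS" "$SAMPLE_MOUNTS"
else
    audit_leak_paths "$(cat /proc/swaps)" "$(cat /proc/mounts)"
fi
```

On the sample the script reports `swap /dev/sda5` and `mount /tmp /dev/sda6`; an empty result on a live box means swap and both temp directories are on dm or tmpfs.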
Thanks for your responses, I'll look into encrypting swap and tmp
Regards,
Tomas
Dieter@be wrote: Yes that's safe (as long as you don't give your passphrase away)
Note that you don't need to manually mount/umount every time. Put it in fstab and put the encrypt hook in mkinitcpio.conf (it handles the cryptsetup luksOpen part).
I thought that encrypt hook in mkinitcpio is when you have encrypted root (/), since that needs to be decrypted before mounting root (/). For the other encrypted partitions, you could/should? use /etc/crypttab (utilized by initscripts).
Dieter@be wrote: Note that you don't need to manually mount/umount every time. Put it in fstab and put the encrypt hook in mkinitcpio.conf (it handles the cryptsetup luksOpen part).
false
mkinitcpio.conf is for initrd only so only if you have / encrypted
/etc/rc.sysinit is responsible for mounting what is in /etc/fstab,
and for /etc/crypttab as well.
Zygfryd Homonto
Dieter@be wrote: Yes that's safe (as long as you don't give your passphrase away)
Note that you don't need to manually mount/umount every time. Put it in fstab and put the encrypt hook in mkinitcpio.conf (it handles the cryptsetup luksOpen part).
I thought that encrypt hook in mkinitcpio is when you have encrypted root (/), since that needs to be decrypted before mounting root (/). For the other encrypted partitions, you could/should? use /etc/crypttab (utilized by initscripts).
Right.
My mistake.