You are not logged in.

#1 2008-10-19 18:28:42

jason_f
Member
Registered: 2006-08-18
Posts: 78

Full disk encryption question, multiple encrypted partitions [solved]

Im planning on installing arch on my laptop using FDE. Going to have one root partition and one swap that I want to encrypt.
If I do this, will I need to type in the passwords for both partitions on bootup?

I have no need for LVM and would like to keep it simple but dont want to type in 2 passwords on every bootup...

Last edited by jason_f (2008-10-20 04:26:31)

Offline

#2 2008-10-19 18:35:39

moljac024
Member
From: Serbia
Registered: 2008-01-29
Posts: 2,676

Re: Full disk encryption question, multiple encrypted partitions [solved]

Why do you want to encrypt the whole drive ?
What are you hiding ? An open-source operating system ?
What's wrong with just encrypting your actual data partition ?
Keep It Simple Stupid wink


The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...

Offline

#3 2008-10-19 18:54:23

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963
Website

Re: Full disk encryption question, multiple encrypted partitions [solved]

You won't need a password for swap if you set it up to use a random key at boot, which you most likely want to do (unless you need hibernation), so that brings it down to one password. If that's still too much, you could use a key file on a usb stick (of course, if you lose that or forget it at home, you're in trouble).

You might want to consider creating a large swap partition and using a ram disk for /tmp too (depends on your hardware and RAM though). With the aforementioned random key, it means that nothing placed in /tmp or in memory will be recoverable after powering off your system (unless the Feds are able to deepfreeze it within a few minutes of powering off... but if they're after you, you're f**ked anyway).

Last edited by Xyne (2008-11-22 08:19:15)


My Arch Linux StuffForum EtiquetteCommunity Ethos - Arch is not for everyone

Offline

#4 2008-10-20 04:26:17

jason_f
Member
Registered: 2006-08-18
Posts: 78

Re: Full disk encryption question, multiple encrypted partitions [solved]

xyne, thanks...i do really want hibernation support so i guess lvm is the way to go.. glad i didnt finish configuring it this way, would have been a PITA.

moljac, maybe...but my hard drive is fairly small on my laptop so i thought it would be easier to just have one / partition and not have to worry about running out of space...and i kinda like the idea the machine cant even be booted by the casual theif. im sure the feds wouldnt have a problem brute forcing it anyway... then again i sometimes wonder if its worth it at all as i really dont have any sensitive data to protect.... hmm...

Offline

#5 2008-10-20 09:31:10

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963
Website

Re: Full disk encryption question, multiple encrypted partitions [solved]

Just to be clear, you don't need lvm for hibernation. You can still have a physical swap partition, just make sure that you encrypt it with a password or a key file instead of a random key. Of course, I recommend lvm. Also, if you go down that path, consider separate partitions for root, /tmp, /var, /home, /usr and swap. Aside from preventing some problems with limited disk space later, it also lets you pick and choose file systems for the different partitions (ext3, xfs, etc).

As for not having any truly sensitive data, don't let that stop you. I don't either but I find creating an encryptes and/or secure system a fun challenge... plus you never know when you might actually need it. wink

Last edited by Xyne (2008-10-20 09:33:35)


My Arch Linux StuffForum EtiquetteCommunity Ethos - Arch is not for everyone

Offline

#6 2008-11-22 07:29:59

kludge
Member
Registered: 2008-08-03
Posts: 294

Re: Full disk encryption question, multiple encrypted partitions [solved]

my fully encrypted system lives on six partitions (/boot, /, /swap, /home, /var, /tmp), all encrypted except for /boot, no lvm.  i solve the problem of multiple passphrases by using key files.

however, i just got my grubby paws on a 160 gb western digital scorpio.

i've already created a 128 MB /boot on the new drive (in fact, i'm running off my old drive in my archos jukebox, booted from the new one actually in the laptop... goddamn hardware 137 gb limits...).  and i used frandom to random-crapify the other 163712 MB while i was walking the dog this evening.  now it's time to get this beast ready for data migration, and frankly, i can't decide what i want to do.

i've a bad history with choosing partition schemes.  i've learned far more about manually resizing partitions and filesystems than i'd like.  so lvm is really appealing, because i never wanna calculate another ending block offset from the end of partition in my life.  and i want to have encryption, because it's sweet.

the most obvious scenario is one big partition, encrypted with luks, with lvm living on top of it, divided up however i feel.  however, this

  (a) keeps the same single point of failure as the current system and
  (b) would be difficult to *shrink* if wanna free up space for some other os
  (c) just seems decadent... i mean, a single 160 gb partition?!?

so a second scenario i'm considering is:

  /dev/sda2 == 60 gb, luks encrypted
  /dev/sda3 == 60 gb, luks encrypted
  /dev/sda4 == 40 gb, unencrypted

so i could

  (a) mirror my install in the absence of an external drive
  (b) have a big old scratch space to play with other distros, truecrypt hidden volumes, etc
  (c) have some structure to the drive, because 160 gb of seamless dataspace is ontologically terrifying

but someday, i might want more than 60 gb in one volume group (and i really don't need to mirror or backup *everything*).  this tutorial: http://www.howtoforge.com/encrypted-root-lvm indicates that it's possible.  but it uses ubuntu's initrd, which is very different from our initcpio, and i can't see how to unlock *two* encrypted partitions at boot time with arch.  any clues?

any suggestions?

and while i'm scheming on the awesome possibilities of the second-largest ata-100 2.5" hdd on the market, is this possible: encrypted physical partition(s) --> lvm --> encrypted logical volumes?

because you can *never* be *too* careful.

p.s.: we joined on the same day, xyne!

Last edited by kludge (2008-11-22 08:14:35)


[23:00:16]    dr_kludge | i want to invent an olfactory human-computer interface, integrate it into the web standards, then produce my own forked browser.
[23:00:32]    dr_kludge | can you guess what i'd call it?
[23:01:16]    dr_kludge | nosilla.
[23:01:32]    dr_kludge | i really should be going to bed.  i'm giggling madly about that.

Offline

#7 2008-11-22 13:21:52

moljac024
Member
From: Serbia
Registered: 2008-01-29
Posts: 2,676

Re: Full disk encryption question, multiple encrypted partitions [solved]

jason_f wrote:

xyne, thanks...i do really want hibernation support so i guess lvm is the way to go.. glad i didnt finish configuring it this way, would have been a PITA.

moljac, maybe...but my hard drive is fairly small on my laptop so i thought it would be easier to just have one / partition and not have to worry about running out of space...and i kinda like the idea the machine cant even be booted by the casual theif. im sure the feds wouldnt have a problem brute forcing it anyway... then again i sometimes wonder if its worth it at all as i really dont have any sensitive data to protect.... hmm...

Why would an encrypted drive prevent a thief from booting the machine ? He would most likely wipe the drive and install his own operating system.
Unless you work for a secret agency or a big evil corporation and have really vital and secretive information on there, which would be the reason for someone stealing your computer/drive. Either way, no-one is interested in your operating system, we all use pretty much the same anyway tongue


The day Microsoft makes a product that doesn't suck, is the day they make a vacuum cleaner.
--------------------------------------------------------------------------------------------------------------
But if they tell you that I've lost my mind, maybe it's not gone just a little hard to find...

Offline

#8 2009-06-15 17:55:01

sambo357
Member
Registered: 2007-12-06
Posts: 1

Re: Full disk encryption question, multiple encrypted partitions [solved]

moljac024 wrote:

Why would an encrypted drive prevent a thief from booting the machine ? He would most likely wipe the drive and install his own operating system.
Unless you work for a secret agency or a big evil corporation and have really vital and secretive information on there, which would be the reason for someone stealing your computer/drive. Either way, no-one is interested in your operating system, we all use pretty much the same anyway tongue

Canadian customs began using a program called i-c-what-u-c to scan windows machines for child pornography. I don't care what they're scanning for but I don't want anyone to c-what-i-c when it comes to my laptop. I think U.S. customs does this too and it's probably only a matter of time before they can scan Linux/BSD/Apple... A coworker of mine was recently scanned so I got serious about encryption. An open-source bios would be nice to disable cd-drive and usb ports too. As for why the whole thing?: libdvdcss and some codecs, though not exactly illegal, aren't exactly legal either. I don't want to be the setting legal precedent. Encrypt because your data is your business and only your business.

Offline

Board footer

Powered by FluxBB