sidux.com
capone
Post subject: Wiki article about full disc encryption  Posted: Jul 20, 2008 - 06:28 PM



Hello sidux leaders and users,

Security is a rather sensitive topic, so I feel it's better to publish the article here first, before I link it to "System Administration - Installation".

Full disc encryption for your laptop with luks + using LVM2 (during installation)

If no one finds any big flaws or dangers in the concept, I will link it to System Administration in a few days.
 
Steve`
Post subject: Wiki article about full disc encryption  Posted: Aug 04, 2008 - 09:32 PM



Hi,

First of all: I tried your HOWTO and what can I say? It works .... :)

Now some notes ...

Code:
dd if=/dev/urandom of=/home/sidux/sda3Keyfile bs=1024 count=4

and
Code:
cryptsetup luksAddKey /dev/sda3 /home/sidux/Desktop/sda3Keyfile

You see the difference? (/home/sidux/... and /home/sidux/Desktop/....).

You create bootSda1 with
Code:
mkdir LVhome LVvar LVusr cryptRoot bootSda1
and copy the initrd to it with
Code:
mv /media/cryptRoot/boot/initrd.img /media/bootsda1/initrd.img-2.6.25-9,slh.1-sidux-686
but you do not mount /dev/sda1 to /media/bootsda1 in your HOWTO. You should add a mount line.

I think I have to add cryptdisks-early via rcconf. Might that be possible?

The keyfile
Code:
mv /home/sidux/Desktop/sda3Keyfile /media/cryptRoot/root/
has wrong permissions.
It needs to be root:root with 0400 like this one:
Code:
-r-------- 1 root root 4096  4. Aug 20:43 /root/cryptkeyfile

For more information on this point have a look at the README.Debian.gz:
/usr/share/doc/cryptsetup/README.Debian.gz wrote:
3. Insecure mode/owner for keys
-------------------------------

Any key that is stored somewhere to be used with cryptsetup should have the
mode 400 (-r--------) and owner/group root. This way only root has permissions
to read the file. 'chown root.root keyfile' and 'chmod 400 keyfile' will do
the trick for you.

_________________
[blog.crashmail.de] [last.fm-Profil]
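
The keyfile handling discussed in the post above, as an added example that is not part of the thread or the HOWTO: it creates the keyfile under a restrictive umask and audits mode and ownership against the README.Debian rule. The function names and the temporary path are assumptions, and `stat -c` requires GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Needs GNU stat (Debian/sidux); touches no LUKS device.

# Create a 4 KiB random keyfile (same dd parameters as the HOWTO). umask 077 in
# the subshell means dd creates the file 0600, so other users can never read it,
# not even in the window before chmod tightens it to 0400.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=1024 count=4 2>/dev/null ) || return 1
    chmod 400 "$1"
}

# Audit a keyfile against the README.Debian rule (mode 400, owner/group root).
# $1 = path; $2 and $3 = expected uid and gid, default 0 0 (root:root).
# Prints one line per finding. Returns 0 if clean, 1 on a finding, 2 if unusable.
audit_keyfile() {
    f=$1; want_uid=${2:-0}; want_gid=${3:-0}; rc=0
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "$f: not a regular file"; return 2
    fi
    info=$(stat -c '%a %u %g' "$f") || return 2
    set -- $info
    [ "$1" = 400 ] || { echo "$f: mode $1, expected 400"; rc=1; }
    if [ "$2" != "$want_uid" ] || [ "$3" != "$want_gid" ]; then
        echo "$f: owner $2:$3, expected $want_uid:$want_gid"; rc=1
    fi
    return $rc
}

# Demo on a constructed temporary path. The expected owner is the current user
# here so the demo runs unprivileged; for a real keyfile under /root omit both
# arguments so that root:root is required.
tmp=$(mktemp -d)
make_keyfile "$tmp/sda3Keyfile"
audit_keyfile "$tmp/sda3Keyfile" "$(id -u)" "$(id -g)" && echo "keyfile OK"
chmod 644 "$tmp/sda3Keyfile"   # the mode a plain dd leaves behind under umask 022
audit_keyfile "$tmp/sda3Keyfile" "$(id -u)" "$(id -g)" || echo "keyfile rejected"
rm -rf "$tmp"
```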
 
capone
Post subject:   Posted: Aug 05, 2008 - 01:40 AM



Thanks Steve!

The insecure file permissions are now fixed.

I will change the other bugs tomorrow.
 
H-Cl
Post subject:   Posted: Aug 05, 2008 - 07:38 AM



I think there are also some typos in the path of the keyfile, sometimes it's "/home/sidux/Desktop/", sometimes it's "/home/sidux/".

Holger

_________________
Dignus est intrare (Acidix Hydrochloridrix)
 
Steve`
Post subject:   Posted: Aug 05, 2008 - 11:34 AM



H-Cl wrote:
I think there are also some typos in the path of the keyfile, sometimes it's "/home/sidux/Desktop/", sometimes it's "/home/sidux/".

Yes, as I mentioned above :D

_________________
[blog.crashmail.de] [last.fm-Profil]
 
All times are GMT - 1 Hours