On Wed, 2006-11-15 at 23:53 +0100, Christian Boltz wrote:
Hello,
On Wednesday, 15 November 2006 21:17, Andreas Jaeger wrote:
for tomorrow's meeting we have one topic so far:
Encrypted Home Partitions:
- Use dm-crypt and LUKS by default for newly encrypted partitions
From what I remember from the German Linux Magazin some time ago (multiple passwords per partition, passwords easily changeable etc.), this is a very good idea :-)
[... more good ideas snipped ...]
Any comments, suggestions etc?
I'd propose to check how useful /etc/cryptotab is. I see several disadvantages compared to an entry in /etc/fstab:
a) /etc/cryptotab needs an explicit /dev/loopX entry
YaST2 always puts the first available device (at partition creation time, usually /dev/loop0) into /etc/cryptotab.
This becomes funny if you manually add a loop mount to your fstab which is mounted at boot time - in fact, you won't be able to mount the encrypted partition because /dev/loop0 is already in use.
In fstab, you don't need to specify which loop device to use - you specify the "loop" option and it simply uses the first available, whatever number it has.
Yes, you can specify which loop device to use in /etc/fstab, or you can modify /etc/cryptotab to use another loop device - but these are ugly workarounds.
b) if you skipped mounting your encrypted partition while booting, you can't mount it with "mount" afterwards if it is not listed in fstab. See also https://bugzilla.novell.com/show_bug.cgi?id=209647 (which might be invalid for yast2-storage, but not for the whole story)
In short, there's no additional value by using a separate file (/etc/cryptotab) for encrypted partitions, but several disadvantages and problems. OTOH, I see no disadvantages when using /etc/fstab for encrypted partitions.
Did I already mention that I suggest dropping /etc/cryptotab completely and putting all partitions, including encrypted ones, into /etc/fstab? ;-))
Regards,
Christian Boltz
PS: If you decide not to drop /etc/cryptotab, please consider dropping the "loop device" column. I proposed this some time ago [1], but this was (understandably) WONTFIX because it would be an incompatible change. Now that you are going to do major changes, compatibility could get rated lower.
[1] https://bugzilla.novell.com/show_bug.cgi?id=77126 (9.3 bug, therefore not public unfortunately)
Oh, and /etc/cryptotab bit back in 10.0 ;-) https://bugzilla.novell.com/show_bug.cgi?id=105020 (public bug) Short summary: The installation/update now ignores the "loop device" column...
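A check for the clash Christian describes under (a), added here as an example that is not part of the thread or of any openSUSE tool: the cryptotab and fstab contents and their column layouts are constructed and assumed, and boot-time loop allocation is modelled as "first free /dev/loopN, in fstab order".

```python
"""Flag /etc/cryptotab rows whose pinned loop device a boot-time fstab loop mount already takes."""

# Constructed sample files (not from any real system). Assumed column layouts:
#   cryptotab: <loop dev> <partition> <mount point> <cipher> <fs type> <options>
#   fstab:     <device> <mount point> <fs type> <options> <dump> <pass>
CRYPTOTAB = """\
# loopdev  device     mountpoint  cipher      fstype  options
/dev/loop0 /dev/hda7  /home       twofish256  ext3    defaults
/dev/loop2 /dev/hda8  /srv/data   twofish256  ext3    defaults
"""

FSTAB = """\
/dev/hda2        /        ext3     defaults         1 1
/dev/hda5        swap     swap     defaults         0 0
/var/lib/iso.img /mnt/iso iso9660  loop,ro          0 0
/var/lib/vm.img  /mnt/vm  ext3     loop=/dev/loop1  0 0
/srv/off.img     /mnt/off ext3     loop,noauto      0 0
"""


def _rows(text):
    """Yield whitespace-split fields, skipping blank and comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def boot_loop_devices(fstab_text):
    """Simulate which loop devices the boot-time fstab loop mounts occupy (assumed: file order)."""
    used = set()
    for fields in _rows(fstab_text):
        opts = fields[3].split(",")
        if "noauto" in opts:
            continue  # not mounted at boot, so it takes no loop device
        explicit = [o[len("loop="):] for o in opts if o.startswith("loop=")]
        if explicit:
            used.add(explicit[0])
        elif "loop" in opts:
            n = 0  # plain "loop": the kernel hands out the first free /dev/loopN
            while f"/dev/loop{n}" in used:
                n += 1
            used.add(f"/dev/loop{n}")
    return used


def cryptotab_conflicts(cryptotab_text, fstab_text):
    """Return (loop device, mount point) pairs whose pinned loop device is already in use."""
    used = boot_loop_devices(fstab_text)
    return [(f[0], f[2]) for f in _rows(cryptotab_text) if f[0] in used]


if __name__ == "__main__":
    for dev, mnt in cryptotab_conflicts(CRYPTOTAB, FSTAB):
        print(f"{mnt}: {dev} is already taken by a boot-time fstab loop mount")
```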
It's been a while since I experimented with crypto (beginning of 10.1 ;-) But from what I recollect...
1) Using the general partitioner with YaST results in a partition that gets mounted at startup. Works well, but the partition always gets mounted.
2) Some people (not me) want to encrypt EVERYTHING, including swap and root. AFAIK, that is still not possible. Perhaps it should be pointed out that it is both a) irrelevant and b) counterproductive. a) 90% of the hard disk is open source and generally available. b) Encrypting costs CPU cycles, so the hard disk will be slowed down.
3) The best solution (IMHO) is to have a separate container for each individual user, which gets mounted on his home directory after login (pam_mount).
4) For the paranoid, also have /var/spool/mail and swap encrypted. Nothing else is worthwhile.
5) For the super-paranoid, encrypt with the key from a smartcard.
I still use loop-aes on my USB stick and I would highly recommend it..
Hans
--
pgp-id: 926EBB12
pgp-fingerprint: BE97 1CBF FAC4 236C 4A73 F76E EDFC D032 926E BB12
Registered linux user: 75761 (http://counter.li.org)