Mailinglist Archive: opensuse (1213 mails)

Re: [opensuse] Re: 12.1 - not possible to encrypt root partition anymore?
HG said the following on 04/14/2012 03:36 AM:

I wanted to have full disk encryption ...

Just for the record ...

Full disk encryption, partition encryption, file system encryption and
file encryption are all quite different things.

Full disk encryption is often implemented in the disk hardware.
As the Wikipedia article points out
http://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
<quote>
The symmetric encryption key is maintained independently from the CPU,
thus removing computer memory as a potential attack vector.
</quote>

I've also seen full disk encryption implemented in the low level disk
drivers.

The point being that the disk is encrypted regardless of how you
partition it, regardless of the file system you use.


I recognise that there are applications like TrueCrypt (and other
vendors) which try to encompass many aspects. Their use of terms like
'disk' and 'drive' is often very liberal.

LVM is very good but very daunting until you gain experience and a
comfort level. Partition level encryption (see also TrueCrypt again)
gives flexibility but that comes at a price - complexity and management.

Encrypting the RootFS leads to the question of having a separate /boot
and whether that is encrypted, and that is encrypted and what goes into
the initrd, which gets into key management.

Perhaps you should also look at LUKS - kernel level encryption.


My personal opinion is that you have chosen to 'dive in the deep end'.
Even though I have experience with encryption in other areas, if I was
approaching this I'd experiment with non-critical, non-root, techniques
first.
--
"The wide world is all about you: you can fence
yourselves in, but you cannot for ever fence it out."
-- JRR Tolkien,