[dm-crypt] Encrypt all partitions with dm-crypt

Milan Broz gmazyland at gmail.com
Thu Aug 23 20:12:43 CEST 2012


On 08/23/2012 06:07 PM, Arno Wagner wrote:
>> Debian has full support for cryptsetup/LUKS, 
> 
> For encrypted root? News to me, but would be a good thing.

I have been using it for several years on Debian (supported only in combination
with LVM IIRC).

>> but not for plain dm-crypt, not to
>> my knowledge anyway. I think this makes sense as there is no way to
>> automatically detect an encrypted partition with no header. 
>>
>> The only advantage I can see in using encrypted partitions with no header
>> is to "hide" the encrypted volume, however the partition, cipher and hash
> 
> The second one is better resilience, as there is no header 
> single-point-of-failure. Whether that is worth total loss of
> key management depends on the application.

Well, you can have a detached LUKS header on a USB flash disk (optionally
with the whole boot partition), for example.

(cryptsetup has support for a separate LUKS header, but no support
in distros yet, I think.)

(You can even have a different disk with another header, with a shifted data
offset in the LUKS header, and hide another volume inside the first.
Not that it is comfortable, but it is possible...)

> 
>> function have to be specified somewhere if one wants the distro to be able
>> to do automatic configuration.  
> 
> That is not the issue. Reasonable defaults would do that. The
> issue is that the partition type cannot be detected anymore
> without the key.
> 
>> The bootloader will need it in its
>> configuration, which doesn't make it any better than LUKS in terms of
>> discreetness.
> 
> Huh? What is the bootloader going to do with that info? Last
> I checked, you still need a running kernel and system (possibly
> in the form of an initrd) to do anything with encrypted partitions,
> no matter whether LUKS or plain. I may be behind times here, if so,
> please explain.

Grub2 can handle LUKS directly.

(And separate header support is perhaps easy to add.)

Milan
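The point raised in the thread, that a LUKS volume can be recognised by its header while a plain dm-crypt device cannot be told apart from random data without the key, can be shown directly. The following is an added example written for this page; it is not code from Milan, Arno, or the cryptsetup project. It builds a constructed LUKS1 header following the LUKS1 on-disk layout (magic, version, cipher, hash, payload offset, eight key slots) and probes a buffer for that signature the way a distro's boot scripts do. All cipher, UUID, salt and offset values are constructed placeholders, and no real key material is involved. A detached header written with `cryptsetup --header` has the same layout, so the same probe applies to a header file on a USB stick.

```python
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_VERSION = 1
KEY_ENABLED = 0x00AC71F3   # key-slot "active" marker from the LUKS1 spec
KEY_DISABLED = 0x0000DEAD  # key-slot "inactive" marker
SECTOR = 512

# LUKS1 partition header (phdr): magic, version, cipher-name, cipher-mode,
# hash-spec, payload-offset (in sectors), key-bytes, mk-digest, mk-digest-salt,
# mk-digest-iterations, uuid. Big-endian, fixed-width, NUL-padded strings.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# Each of the 8 key slots: active, iterations, salt, key-material-offset, stripes.
KEYSLOT = struct.Struct(">II32sII")
NUM_KEYSLOTS = 8
HEADER_SIZE = PHDR.size + NUM_KEYSLOTS * KEYSLOT.size  # 592 bytes


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii")


def build_luks1_header(cipher_name="aes", cipher_mode="xts-plain64",
                       hash_spec="sha1", payload_offset=4096, key_bytes=32,
                       uuid_str="00000000-0000-0000-0000-00000000c0de") -> bytes:
    """Constructed LUKS1 header for demonstration only (no real key material).

    Slot 0 is marked active with a constructed salt; slots 1..7 are disabled.
    """
    # Digest and salts are fixed constructed bytes, not derived from any key.
    mk_digest = hashlib.sha1(b"constructed-master-key-digest").digest()
    mk_salt = hashlib.sha256(b"constructed-salt").digest()
    phdr = PHDR.pack(LUKS_MAGIC, LUKS1_VERSION,
                     cipher_name.encode(), cipher_mode.encode(),
                     hash_spec.encode(), payload_offset, key_bytes,
                     mk_digest, mk_salt, 1000, uuid_str.encode())
    slots = [KEYSLOT.pack(KEY_ENABLED, 100000,
                          hashlib.sha256(b"constructed-slot0-salt").digest(),
                          8, 4000)]
    slots += [KEYSLOT.pack(KEY_DISABLED, 0, b"\x00" * 32, 0, 0)
              for _ in range(NUM_KEYSLOTS - 1)]
    return phdr + b"".join(slots)


def probe_luks1(data: bytes):
    """Return header fields if `data` starts with a LUKS1 header, else None.

    This is the kind of check an initramfs or udev rule relies on: a plain
    dm-crypt device carries no magic, so it yields None and cannot be
    distinguished from random data without the key.
    """
    if not data.startswith(LUKS_MAGIC):
        return None
    if len(data) < HEADER_SIZE:
        raise ValueError("LUKS magic present but header truncated")
    (_magic, version, cname, cmode, hspec, payload_off, key_bytes,
     _digest, _salt, _iters, uuid_raw) = PHDR.unpack_from(data, 0)
    if version != LUKS1_VERSION:
        return None  # same magic, but a different on-disk layout
    active = []
    for i in range(NUM_KEYSLOTS):
        state, *_ = KEYSLOT.unpack_from(data, PHDR.size + i * KEYSLOT.size)
        if state == KEY_ENABLED:
            active.append(i)
    return {
        "version": version,
        "cipher": f"{_cstr(cname)}-{_cstr(cmode)}",
        "hash": _cstr(hspec),
        "payload_offset_bytes": payload_off * SECTOR,
        "key_bytes": key_bytes,
        "uuid": _cstr(uuid_raw),
        "active_keyslots": active,
    }


# Constructed sample inputs: one LUKS1 header, one headerless "plain" image
# (deterministic pseudo-random bytes standing in for plain dm-crypt ciphertext).
LUKS_SAMPLE = build_luks1_header()
PLAIN_SAMPLE = hashlib.sha256(b"constructed plain dm-crypt ciphertext").digest() * 19

if __name__ == "__main__":
    print(probe_luks1(LUKS_SAMPLE))
    print(probe_luks1(PLAIN_SAMPLE))
```

The probe only reads the first 592 bytes, which is why a header on its own device or file (the detached-header case above) is enough for a boot script to find the cipher, hash and payload offset; the plain device yields nothing, so everything has to come from the configuration the distro is asked to carry.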

