[dm-crypt] Encrypt all partitions with dm-crypt

Arno Wagner arno at wagner.name
Sat Sep 8 15:26:54 CEST 2012


On Sat, Sep 08, 2012 at 10:13:38AM +0200, Heinz Diehl wrote:
> On 06.09.2012, Arno Wagner wrote: 
> 
> > I was thinking about automatic swap set-up. If you do that
> > with a non-random key, you have to store it somewhere and that 
> > will be a problem.
> 
> I created my swap partition while installing the distribution. The
> whole harddisk (laptop) is LUKS/dmcrypt encrypted. When I start up the
> machine, all I have to do is to provide the proper passphrase, and all
> my encrypted partitions will be unlocked, incl. swap.
> 
> As far as I can see, dracut stores the passphrase in memory, unlocks
> the root-partition first, and runs the same passphrase on all the
> other LUKS-devices afterwards. I can't see how this procedure could be
> a problem related to swap, and why I maybe should choose a random key
> over a predefined one.

Swap can be encrypted with a one-time passphrase. This is more
secure than a constant passphrase. It can also be done
non-interactively. The (slight) security decrease when encrypting
swap with a static passphrase is that in the future you may still
find stuff in there if the passphrase gets compromised.

The point is that there is no reason to include swap in 
a normal encryption scheme and doing it with a random passphrase
even increases security. In addition, encrypted swap can
be something you want on a system that does not encrypt anything
else.

Arno
-- 
Arno Wagner,    Dr. sc. techn., Dipl. Inform.,   Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 
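
The random-key, non-interactive swap set-up described in the thread, as an added example that is not part of the original post or of dm-crypt itself; the mapping name `cswap`, the device path and the stable-path check are assumptions, and the crypttab option names follow the Debian/systemd crypttab(5) convention:

```shell
#!/bin/sh
# Added example (not from the thread): dm-crypt swap with a one-time key
# drawn from /dev/urandom, so no passphrase or keyfile has to be stored.
set -eu

# A random key means the partition holds fresh, unrecognisable data after
# every boot, so it has no stable UUID or LABEL. Reference the underlying
# device by a path that survives reboots; otherwise a renumbered /dev/sdX
# could be overwritten with swap. (Assumed policy; adapt to your naming.)
is_stable_path() {
    case "$1" in
        /dev/disk/by-id/*|/dev/disk/by-partuuid/*|/dev/disk/by-path/*) return 0 ;;
        *) return 1 ;;
    esac
}

# /etc/crypttab line: /dev/urandom as key source gives each boot a unique
# key; the "swap" option runs mkswap on the mapping after it is opened.
crypttab_swap_line() {
    dev="$1"
    is_stable_path "$dev" || { echo "refusing unstable device path: $dev" >&2; return 1; }
    printf 'cswap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$dev"
}

# Matching /etc/fstab line for the opened mapping.
fstab_swap_line() {
    printf '/dev/mapper/cswap none swap sw 0 0\n'
}

# Manual equivalent of what the crypttab line does at boot (run as root).
# Plain mode has no header, so nothing on disk identifies it as swap or
# ties it to a key; the key lives only in kernel memory until reboot.
open_random_swap() {
    dev="$1"
    is_stable_path "$dev" || return 1
    cryptsetup open --type plain --key-file /dev/urandom \
        --cipher aes-xts-plain64 --key-size 256 "$dev" cswap
    mkswap /dev/mapper/cswap
    swapon /dev/mapper/cswap
}
```

A swap device mapped this way cannot be used to resume from hibernation, because the key that encrypted the hibernation image no longer exists after a reboot.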

