[dm-crypt] Shipping/Cloning encrypted disks

vasili at keemail.me vasili at keemail.me
Thu May 18 15:26:02 CEST 2017


I was thinking about a project which basically involves linux images with full disk encryption. The images should be shipped to or downloaded by multiple users. Since the end users are likely linux novices the setup should be as easy as possible.
At the moment I see two options.

1.: Filesystem image with non-encrypted boot and encrypted main filesystem.
     The image should be dd'ed to a hdd or usb drive and resized to fill the whole drive. Then the master key will be changed with cryptsetup-reencrypt.

2.: Like 1 but the filesystem has also a non-encrypted main filesystem. 
Encryption will be done either as described here: https://wiki.archlinux.org/index.php/Dm-crypt/Device_encryption#Encrypt_an_unencrypted_filesystem or with this tool : https://johannes-bauer.com/linux/luksipc

Currently I am strongly in favor of option 1 since it forces the end user to use full disk encryption. With option 2 it could just be skipped. Also the required effort seems to be the same for both options.
Is there anything else to consider for option 1? Is changing the master key enough? Best practices/build options for the encrypted filesystem?
Maybe an option 3 ... ?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20170518/6ce9a145/attachment.html>

More information about the dm-crypt mailing list