Re: Disk encryption and installing new versions of Fedora

Mike wrote: 
Mike <mike.cloaked <at> gmail.com> writes:

  
Can any experts who know about this comment please?

If disk encryption using dm-crypt/luks is not fully supported then what tools 
or changes might be required within the distribution to properly support this
facility?  Is this going to get more support in F9?
    

No-one interested in disk encryption?  It is I understand supported
well in Ubuntu! Fedora should be just as secure in this regard - surely?

    I'd just add that in most companies and government agencies these days require laptops be encrypted - even retail stores do these days - so it would be nice if it worked better out of the box. We are not there yet.

    Encrypted swap can be made to work using luks and /etc/crypttab - which does work fine. There is a warning at boot about the swap device not being able to be resumed - which while a true statement is irrelevant in a cold boot setting. But it encrypted swap does at least work and is quite straightforward to set up. (You cannot use sleep/hibernate/freeze resume however).
 
    Be warned however that upon fresh install of F8 the swap partition will be used as regular swap which you need to fix again by hand after you have installed F8. To be safe one should rerandmomize the swap partition to avoid information leakage. Anaconda knows nothing about encrypted anything - including swap or any partition.

   Encrypted partitions (in F7) such as /home do not work correctly when in /etc/crypttab - the passphrase cannot be entered - and it is asked multiple times .. anyway there is a work around using a hand crafted script out of /etc/rc.local. I have not tried this in F8 but I doubt it is any different.

  Encrypted root has no chance yet - at a minimum it requires the updated mkinitrd.

  It is my current view that encrypted root - while appealing in some ways - may be more problematic than its worth. And that  encrypting swap and /home in addition to doing a mount --rebind of /tmp and /var/tmp onto the encrypted partition is pretty reasonable from a security standpoint. And it is workable on fedora - albeit by hand. And will ensure your laptop is always bootable - which is a nice benefit!!

   g


  
 

   
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Relevant Pages

  • Re: ssh clarification needed
    ... I have luks encryption on /home on the netbook - which is what I'm really ... If laptop is stolen and swap is not encrypted then the bad guys can ... use a random passphrase - i will show my hand the random passphrase way ...
    (Fedora)
  • Re: Announcing crypto suspend
    ... Disk encryption is also common for most of this community. ... And it still is a PITA backup wise. ... natively in the swap implementation ... As well as swsusp-encryption is concerned this should be _userspace_ and ...
    (Linux-Kernel)
  • Re: Announcing crypto suspend
    ... Pavel Machek wrote: ... Suspend is a feature that is most used by the mobile community. ... Disk encryption is also common for most of this community. ... [I believe we should encrypt swap with random key generated on boot by ...
    (Linux-Kernel)
  • Re: Secure laptop with SuSE 9.1?
    ... I just create one single encrypted partition which i mount e.g. as ... But i now have to assure, that the swap is turned on *after* mounting ... encryption password from /dev/urandom. ...
    (alt.os.linux.suse)
  • encrypted hibernation (was Re: Hibernation considerations)
    ... Encryption - I'd actually prefer if my luks device did not ... remember the key accross a hibernation; I want to be forced to ... could only suspend to swap partition. ...
    (Linux-Kernel)