Re: Debian boot and LUKS

On Mon, Dec 04, 2017 at 12:19:07PM -0500, rhkramer@xxxxxxxxx wrote:
> This is somewhat OT, but I just thought I'd mention:
>
> I keep my computer up (almost) all the time, but, for security, I mount (and
> then umount) my encrypted disk partitions only when needed.
>
> (To make it easier for myself, I wrote a few (primitive) (bash) scripts to
> help. Of course, the passwords are not in the scripts, but the script / LUKS
> prompts me for the passwords when required.)

If you do not encrypt everything, you must be prepared to carefully
partition what data goes where and hope that neither you nor the
software you run make a mistake. For most people, it's safer to just
encrypt everything.

There is some good support for remote unlocking in the initramfs stage
now which makes this a little easier: install dropbear and configure
authorized_keys etc. in /etc/initramfs-tools, then rebuild the
initramfs. There are still some improvements that could be made here.
(I have to check my own page describing my NAS setup whenever I reboot
to remember which fifo to write the passphrase to:

