Pupeno wrote:
>> I use the dm-crypt from the kernel....
>
> I've read that it is insecure and I also read that it is not yet very well
> supported.

You read wrong. Dm-crypt *is* the encryption technique now used in the kernel, and it wasn't chosen out of a hat. What you do with it can make it insecure though, like a post-it with the password attached to the monitor ;-)

As for being supported, well, if something is actually in the kernel itself (without patches), then it IS fully supported. Dm-crypt has been fully supported since Linux 2.6.4.

Basically, as with any encryption, your secret is as safe as your password. There are of course tools to help you make your password even harder to crack, like hashalot, which basically sends your password through a pipe which hashes it into "greek" ;-)

> I know I don't need a key, but I do want a key (stored on removable media)
> encrypted with a passphrase I will be able to change, or best, my wife can
> have the key protected with a different passphrase than I do.
> Beyond that, encrypting with a key is much better than doing that with a
> passphrase because the passphrase can be cracked (dictionary attack) while
> the key-encrypted one can't.

It seems what you are looking for with your "key" is probably a GPG key needed to unlock your drive. This is definitely possible, but you will have to do the research yourself. I do know there are tutorials on using gpg keys with encryption passwords etc., and iirc there was a tutorial for loop-AES too on their site.

Whether you need this is another story. I know that gpg can have two separate keys to do the same thing, so I presume separate keys and passwords are an option, but I have never ventured down that lane, as I'm not that paranoid.

I use gpg myself for mailing, and for encrypting certain files themselves, but I'm not paranoid enough to encrypt all my files with such heavy encryption. In fact, not even the US military is that bad. They now use 256bit AES encryption, which is the default of dm-crypt, and from an article I read it still would take them a couple of decades to crack.

I use dm-crypt on all three of my machines (laptop, workstation and server), but none of them are fully encrypted ~ just partitions (and in one case a looped-back file acting as a partition). All are mounted with a simple bash script I wrote to create the decrypted device link, ask for the password, and mount the device link to the filesystem. This means that none of this is found in /etc/fstab either. Users who are allowed to mount (use that script) are added into sudoers.

Good luck ...

Ralph

--
gentoo-user@gentoo.org mailing list