
Re: [LUG] Security Thoughts

 

On 30/03/17 20:27, M. J. Everitt via list wrote:

> For the uninitiated, what should one be looking for for encrypted
> file-systems .. I will probably set my new Gentoo incarnation up
> properly if I can find the appropriate topic in the extensive wiki ... :]

Luckily there's virtually nothing to do, especially for a Gentoo system
as the default installer includes all the bits required. It's entirely
set up during the partitioning stage - apart from a small ext /boot
partition to hold the initial bootloader and kernel/ramdisk, set up all
the rest of your available disk(s) as LUKS and your installer will
usually handle all the rest for you. So all the rest of your following
partitions will be contained within the LUKS volumes (including swap)
and used transparently.

So when you boot, the bootloader executes and grub stages your kernel
and ramdisk and then before it mounts any further filesystems, including
/, it will stop and ask for verification (you can have multiple
passwords, 2F, etc) - no password, no decryption/boot for you.

Really neat and super simple to set up (Ubuntu/Fedora/Suse/etc can
literally do it all for you with a single "encrypt all disks" checkbox
during install) and unless the LUKS guys or the crypto guys made an
implementation error, uncrackable even by serious actors. Unlike
FileVault or Bitlocker for example, which are demonstrably backdoored.

You can make it considerably more difficult for yourself, particularly
on Gentoo of course :]

Most of the Gentoo LUKS wikis go into WAY more detail than you're going
to need by the way. Just playing around in the disk setup steps in a VM
without any instructions would be entirely sufficient to get you up and
running I suspect.

Cheers
-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq