[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Libreboot] best method for full encryption

From: Robert Alessi
Subject: [Libreboot] best method for full encryption
Date: Sun, 19 Oct 2014 16:44:33 +0200
User-agent: Mutt/1.5.23 (2014-03-12)

Hi all,

Back in January, 2014, I installed Parabola on a Thinkpad X60s with
Libreboot.  Considering what could be achieved, I chose to have an
unencrypted /boot partition, then an encrypted partition on top of
LVM to be used for the root partition and for the swap volume as well.

I also updated Libreboot to release 4 (June 22, 2014).

To date, I must say that all of this works very well.  But what I
would like now is to update Libreboot and fully encrypt my system.
Basically, I think I have two options:

1. Reinstall everything in a single large sda1 following the
   guidelines of
2. Only encrypt my /boot (sda1) partition, then put somewhere into it
   a keyfile to have the whole system unencrypted with a single
   passphrase at boot time from grub.

Before going on, I would really appreciate your input on what you
think is the best way to proceed.  My concerns are the following:

1. Option 1 or option 2?
2. Option 1: what system backup method should I prefer?  At present, I
   am thinking of simply doing a
   "rsync -aAXv /* /path/to/backup/folder"
   after having excluded the directories which are populated at boot.
3. Option 2: when I installed my system back in January, I made the
   following choices:
   Cipher name:         aes
   Cipher mode:         xts-plain64
   Hash spec:           sha1
   MK bits:             512
   which are different from those which are found in Libreboot
   tutorial (--cipher serpent-xts-plain64 --key-size 512 --hash
   whirlpool, etc.)

   When it comes to security, the stronger is the better.  So, are my
   choices safe enough?  If I would change them, how would I proceed?
   I did some research, and I came across this:
   What do you think of this method?

I know that I may have asked too many questions in a single email.  My
apologies for that in anticipation.  I must confess that I am somehow
reluctant to reinstall everything, but I would not hesitate to proceed
to get stronger security.  I also guess that I may not be the the only
one in this case.

Many, many thanks in anticipation for your input on these questions.


Attachment: pgpaylvtSzb8D.pgp
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]