[Libreboot] best method for full encryption


From: Robert Alessi
Subject: [Libreboot] best method for full encryption
Date: Sun, 19 Oct 2014 16:44:33 +0200
User-agent: Mutt/1.5.23 (2014-03-12)

Hi all,

Back in January, 2014, I installed Parabola on a Thinkpad X60s with
Libreboot.  Considering what could be achieved, I chose to have an
unencrypted /boot partition, then an encrypted partition on top of
LVM to be used for the root partition and for the swap volume as well.

I also updated Libreboot to release 4 (June 22, 2014).

To date, I must say that all of this works very well.  But what I
would like now is to update Libreboot and fully encrypt my system.
Basically, I think I have two options:

1. Reinstall everything in a single large sda1 following the
   guidelines of libreboot.org
2. Only encrypt my /boot (sda1) partition, then put somewhere into it
   a keyfile to have the whole system unencrypted with a single
   passphrase at boot time from grub.

Before going on, I would really appreciate your input on what you
think is the best way to proceed.  My concerns are the following:

1. Option 1 or option 2?
2. Option 1: what system backup method should I prefer?  At present, I
   am thinking of simply doing a
   "rsync -aAXv /* /path/to/backup/folder"
   after having excluded the directories which are populated at boot.
3. Option 2: when I installed my system back in January, I made the
   following choices:
   -----
   Cipher name:         aes
   Cipher mode:         xts-plain64
   Hash spec:           sha1
   MK bits:             512
   -----
   which are different from those which are found in Libreboot
   tutorial (--cipher serpent-xts-plain64 --key-size 512 --hash
   whirlpool, etc.)

   When it comes to security, the stronger the better.  So, are my
   choices safe enough?  If I were to change them, how would I proceed?
   I did some research, and I came across this:
   http://asalor.blogspot.fr/2012/08/re-encryption-of-luks-device-cryptsetup.html
   What do you think of this method?

I know that I may have asked too many questions in a single email.  My
apologies for that in anticipation.  I must confess that I am somehow
reluctant to reinstall everything, but I would not hesitate to proceed
to get stronger security.  I also guess that I may not be the only
one in this case.

Many, many thanks in anticipation for your input on these questions.

Robert
