Full disk encryption without a boot partition

Pierre Abbat phma at bezitopo.org
Fri Dec 28 09:37:50 PST 2012


On Friday, December 28, 2012 12:28:02 mhca12 wrote:
> I've always wondered how well tested and supported it is to
> 'cryptsetup luksFormat' a volume on Linux and then use
> the same volume on both dfly and linux. Given that there's
> a also luks loader for Windows, this seems like a big advantage
> in favor of dfly out of the BSDs. What do you think?

Last I looked, ext4 doesn't work on DFly, and Hammer doesn't work on Linux. 
But I use cryptsetup and luks on both.

> The biggest issue I have with full disk encryption on Linux is
> the requirement for initrd (initial ramdisk) and that you cannot
> use a no-kernel-modules kernel. Someday I will research this
> and find out if it cannot be avoided.

I've always left the root partition unencrypted. My setups are like this:
darner (DFly): /crypt, /olv, and /backup are encrypted on a 500 GB drive; the 
rest is plaintext on a 60 GB drive. I got the 500 GB drive later, so it was an 
afterthought.
caracal (Ubuntu laptop, the one that can't run DragonFly): /,  /olv and /usr 
plaintext, /home and /var encrypted. It has two separate disks, both with LVM 
volume groups, one of which is encrypted.
leopard (Ubuntu): /, /olv, /usr, /var plaintext, /home and /backup encrypted.
zyxomma (future DFly with SSD and HDD): /home, /usr/obj, /usr/src, and 
/usr/pkgsrc on encrypted HDD, the rest on plaintext SSD. It'll be my gateway, 
so it has to boot up even if I'm not here to type in the password.

Pierre
-- 
Don't buy a French car in Holland. It may be a citroen.




More information about the Users mailing list