Re: recovering from compromised keys

[Roland Mas <lolando@debian.org>]

Mike Hommey, 2010-09-23 17:14:01 +0200 :

> On Thu, Sep 23, 2010 at 11:50:26PM +0900, Osamu Aoki wrote:
>> On Thu, Sep 23, 2010 at 03:13:06PM +0100, Simon McVittie wrote:
>> ...
>> > By policy, we use full-disk encryption at my workplace (where full-disk
>> > really means "except the bootloader and /boot"). For a 2-year-old recipe for
>> > it, which I believe still mostly works with grub2, see
>> > http://smcv.pseudorandom.co.uk/2008/09/cryptroot/
>> 
>> Can we maintain suspend/resume type-features with such configuration?
>> 
>> Unless we use unencrypted swap, it seems we have to give up
>> suspend/resume.  Then we a bit of loose security ....
>> 
>> How people cope with this on laptop ... I am curious.
>
> You only need to give up *randomized* swap encryption. You can still
> have an encrypted swap, you just can't use a random key.

Indeed.  My current setup is that sda1 is small, unencrypted and holds
/boot only.  sda2 is the whole rest of the hard disk, and it's mapped to
a LUKS device used as a physical volume for LVM, and there are several
LVs on there, including those mounted as filesystems and one for swap.

Roland.
-- 
Roland Mas

Au royaume des aveugles, il y a des borgnes à ne pas dépasser.
  -- in Soeur Marie-Thérèse des Batignoles (Maëster)