Re: recovering from compromised keys

On Thu, 23 Sep 2010 at 17:31:39 +0200, Roland Mas wrote:
> Indeed. My current setup is that sda1 is small, unencrypted and holds
> /boot only. sda2 is the whole rest of the hard disk, and it's mapped to
> a LUKS device used as a physical volume for LVM, and there are several
> LVs on there, including those mounted as filesystems and one for swap.

That's the configuration we use too. Suspend-to-disk works fine; you're
prompted for a passphrase by the initramfs, which then decrypts and sets up
the LVM blob, and resumes from there.

Suspend-to-RAM also works, but is obviously not secure against attackers
waking up the laptop and exploiting some bug in a locked screensaver, or
remote access, or whatever.
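
An added example, not part of the original message: a check that the layout described above holds, meaning every mounted filesystem and the swap area used for suspend-to-disk sits under a dm-crypt mapping and only /boot is in plaintext. The sample tree is constructed in the shape of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output; the names sda2_crypt and vg-* are assumptions.

```python
import json

# Constructed sample modelled on the layout in the message:
# sda1 = plaintext /boot, sda2 = LUKS -> LVM PV -> LVs (root, home, swap).
SAMPLE = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext3", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "sda2_crypt", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "fstype": "ext3", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "fstype": "ext3", "mountpoint": "/home"},
        {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
""")

ALLOWED_PLAINTEXT = {"/boot"}  # the only mount point expected outside LUKS


def unencrypted_in_use(tree, allowed=ALLOWED_PLAINTEXT):
    """Return (name, mountpoint) for every active swap area or mounted
    filesystem that has no dm-crypt device anywhere above it."""
    findings = []

    def walk(node, under_crypt):
        # Once a crypt mapping is seen, everything stacked on it is covered.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mp = node.get("mountpoint")  # lsblk reports active swap as "[SWAP]"
        if mp and not under_crypt and mp not in allowed:
            findings.append((node["name"], mp))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return findings


if __name__ == "__main__":
    for name, mp in unencrypted_in_use(SAMPLE):
        print(f"plaintext: {name} in use at {mp}")
```

A swap partition outside the LUKS container would be reported here; with suspend-to-disk that is where the memory image, including anything held in RAM at the time, would be written.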