[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: debian with raid1+cryptsetup+lvm on notebook?



Douglas A. Tutty, Tue Apr 21 2009 16:06:03 GMT+0200 (CEST):
On Tue, Apr 21, 2009 at 12:39:38PM +0200, Peter Jordan wrote:
Hello,

since my ThinkPad T400 has two 250GB HD, i considered to install debian testing with raid1+cryptsetup+lvm on it.

Has anyone experience with that kind of setup?

Any significant reasons against my plan?

Sounds like a good idea.  I think that the installer has that
out-of-the-box as one of the guided-partitioning options.  If not, you
can certainly do it manually.

This came up not that long ago.  It was suggested that having /
encrypted can prevent someone trojaning executables on / (e.g. /bin/ls).
However, since you need an unencrypted /boot, then someone could trojan
the kernel or the initrd itself (perhaps to email the attacker the
password you enter to decrypt the filesystem), who knows?

I suppose that you could have /boot on a USB stick so that without the
stick, the laptop won't boot and there won't be any unencrypted data on
the laptop.  There's good LUKS documentation: read it.

I'm sure that this has been (and is being) looked at by people with a
particular interest in laptop security.  Just don't assume that
raid1+crypsetup+lvm will make your laptop absoulutly secure.

Doug.



job is done,

Everything works fine. No problems during live migration.

PJ


Reply to: