Re: debian with raid1+cryptsetup+lvm on notebook?
Douglas A. Tutty, Tue Apr 21 2009 16:06:03 GMT+0200 (CEST):
On Tue, Apr 21, 2009 at 12:39:38PM +0200, Peter Jordan wrote:
> since my ThinkPad T400 has two 250GB HD, I considered to install debian
> testing with raid1+cryptsetup+lvm on it.
> Has anyone experience with that kind of setup?
> Any significant reasons against my plan?

Sounds like a good idea. I think that the installer has that
out-of-the-box as one of the guided-partitioning options. If not, you
can certainly do it manually.

This came up not that long ago. It was suggested that having /
encrypted can prevent someone trojaning executables on / (e.g. /bin/ls).
However, since you need an unencrypted /boot, then someone could trojan
the kernel or the initrd itself (perhaps to email the attacker the
password you enter to decrypt the filesystem), who knows?

I suppose that you could have /boot on a USB stick so that without the
stick, the laptop won't boot and there won't be any unencrypted data on
the laptop. There's good LUKS documentation: read it.

I'm sure that this has been (and is being) looked at by people with a
particular interest in laptop security. Just don't assume that
raid1+cryptsetup+lvm will make your laptop absolutely secure.

job is done,
Everything works fine. No problems during live migration.