[tor-relays] cryptsetup some folders
diffusae
punasipuli at t-online.de
Mon Oct 24 18:14:27 UTC 2016
On 24.10.2016 09:53, Petrusko wrote:
> Any suggestions and master's thoughts are welcome :)
:-)
Yes, why not use a full disk encryption? You could encrypt the root
partition. I know, it's harder to do this on a running system and
Raspbian doesn't offer you encryption within setup. The best thing would
be an ssh shell on initrd to start the system.
Why not also encrypt the swap partition, if there is one? Raspbian uses
a swapfile afaik.
http://resources.infosecinstitute.com/luks-swap-root-boot-partitions/
The passphrase to use the encrypted partitions is stored in RAM. If some
of the contents of the RAM are kept in the swapfile, you could easily
read this. It should be better to encrypt the swap file, too.
Swapfile's previous contents remain transparent over reboots.
But anyway, the swapfile in Raspbian is located in /var.
https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#Using_a_swap_file
You shouldn't encrypt the boot partition unless you know what you are
doing. Having a backup of your partitions LUKS headers is important.
If a LUKS key slot or the header itself becomes damaged and you don't
have a good copy to restore to the encrypted partition, the partition
becomes unusable. You can use a key file to automatically decrypt e.g.
/home on boot. Store the key files on encrypted partitions.
The performance of the SD card could be very slow:
https://raspberrypi.stackexchange.com/questions/42100/performance-with-an-encrypted-disk
Regards,
More information about the tor-relays
mailing list