* encryption of partitions/lvm without speakup
From: Gregory Nowak @ UTC (permalink / raw)
To: speakup
Hi all,
as strange as it would seem, one has something to do with the
other. Is there anyone out there who has encrypted partitions/lvm
volumes such as root, or swap, and is using software speech only? If
so, can you please explain how you're doing that? The way I see it,
without access to speakup early in the boot process, you can't respond
to password dialogues, and leaving decryption keys lying around on
something that isn't encrypted nullifies the whole point of encrypting
at all. Any thoughts?
Greg
- --
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
* Re: encryption of partitions/lvm without speakup
From: Joseph C. Lininger @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
The way I see it, you have basically three options.
1. Store an encryption key on something like a USB device. You could
even put your entire boot partition there if you wanted. Then have the
encrypted root fs on your hard drive. No password needed, but someone
could steal your flash drive.
2. Just know that you're going to be prompted and type in the password
when it's time. Could have the system generate tones or something to let
you know if you need that. Have it generate another after you've
successfully entered it so you know you don't have to try again in case
of an error. USB method with encrypted keys is a variation on this,
password required, and booting from USB drive.
3. Modify your initrd to have all components for speech. Probably you'd
have a rather large initrd if you did that.
I use TrueCrypt to encrypt my Windows partitions and no prompt is
available. I just have to enter the passphrase and watch for the boot
logo. Probably will do my Linux at some point, when I have time to rip
it all apart and put it back together with that.
Joe
* Re: encryption of partitions/lvm without speakup
From: Alex Snow @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
What about just encrypting a separate partition containing just your
home directories, then arrange for that partition to be mounted late in
the boot process after you have everything related to speech already
started?
On Sun, Feb 27, 2011 at 08:35:04PM -0700, Joseph C. Lininger wrote:
> The way I see it, you have basically three options.
>
> 1. Store an encryption key on something like a USB device. You could
> even put your entire boot partition there if you wanted. Then have the
> encrypted root fs on your hard drive. No password needed, but someone
> could steal your flash drive.
>
> 2. Just know that you're going to be prompted and type in the password
> when it's time. Could have the system generate tones or something to let
> you know if you need that. Have it generate another after you've
> successfully entered it so you know you don't have to try again in case
> of an error. USB method with encrypted keys is a variation on this,
> password required, and booting from USB drive.
>
> 3. Modify your initrd to have all components for speech. Probably you'd
> have a rather large initrd if you did that.
>
> I use TrueCrypt to encrypt my Windows partitions and no prompt is
> available. I just have to enter the passphrase and watch for the boot
> logo. Probably will do my Linux at some point, when I have time to rip
> it all apart and put it back together with that.
> Joe
--
Always borrow money from a pessimist; he doesn't expect to be paid
back.
* Re: encryption of partitions/lvm without speakup
From: Joseph C. Lininger @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
That works, but does not result in an entire system encryption
situation. If you need the entire system to be encrypted (I do in my
line of work for instance), then encryption of /home or some other
filesystem only wouldn't work. In Greg's situation, that might be an
option though.
Joe
* Re: encryption of partitions/lvm without speakup
From: Luke Yelavich @ UTC (permalink / raw)
To: speakup
On Mon, Feb 28, 2011 at 03:07:19PM EST, Alex Snow wrote:
> What about just encrypting a separate partition containing just your
> home directories, then arrange for that partition to be mounted late in
> the boot process after you have everything related to speech already
> started?
Ecryptfs was designed for this very purpose, and when properly integrated, there is no having to deal with keys; the PAM authentication framework deals with authenticating, and ecryptfs does the rest.
Note you need to encrypt swap as well for things to be totally secure.
Luke
* Re: encryption of partitions/lvm without speakup
From: Gregory Nowak @ UTC (permalink / raw)
To: Speakup is a screen review system for Linux.
Thanks to Joe, Alex, and Luke for your input. It's pretty much as I
had figured things to be. I haven't heard of ecryptfs before though,
will have to look that up.
To expand a bit on what I was thinking of, I've got a couple
partitions that aren't necessary to boot encrypted already, and I
enter the pass phrase, and mount them by hand. I was however also
considering encrypting swap partitions, of which I have 2 on this
system (long story). The system has enough RAM, so that swap isn't
needed for booting to finish, so I could bring swap up by hand, except
that:
1. When the system is being shut down/rebooted, I'm not sure if the
system will turn off swap gracefully if swap partitions aren't found
in /etc/fstab, and
2. This is my server machine, which is why the usb drive method
wouldn't be practicable. Going back to swap though, I don't want to
risk a situation where the power goes off while I'm not here, and the
system runs for say a week without any swap available.
Thanks again for the suggestions.
Greg
- --
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
- --
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
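Added example, not part of any message in this thread: one way to check whether swap can come up encrypted on an unattended boot is to classify each swap line in `/etc/fstab` by how `/etc/crypttab` supplies its key. A `/dev/urandom` key with the `swap` option (the convention documented in crypttab(5), not something stated in the thread) re-keys swap on every boot with no prompt. The device and mapping names below are constructed, and `audit_swap` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: report how each fstab swap entry gets its encryption key.
# Usage: audit_swap CRYPTTAB FSTAB  -> prints "<device> <verdict>" per swap entry.
audit_swap() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }        # skip comments and blank lines
        FILENAME == ARGV[1] {                # first file: crypttab
            key[$1] = $3; opt[$1] = $4; next
        }
        $3 == "swap" {                       # second file: fstab swap entries
            name = $1
            if (sub("^/dev/mapper/", "", name) && (name in key)) {
                k = key[name]
                if ((k == "/dev/urandom" || k == "/dev/random") &&
                    opt[name] ~ /(^|,)swap(,|$)/)
                    v = "random-key"         # re-keyed every boot, no prompt
                else if (k == "none" || k == "-")
                    v = "passphrase-prompt"  # boot waits for typed input
                else
                    v = "keyfile"            # only as safe as where the file lives
            } else
                v = "plaintext"              # not backed by a crypttab mapping
            print $1, v
        }
    ' "$1" "$2"
}

# Constructed sample files (placeholder devices, not taken from the thread).
d=$(mktemp -d)
cat > "$d/crypttab" <<'EOF'
# <name>   <device>  <key>         <options>
cryptswap1 /dev/sda2 /dev/urandom  swap,cipher=aes-xts-plain64,size=256
cryptswap2 /dev/sdb2 none          luks
EOF
cat > "$d/fstab" <<'EOF'
/dev/mapper/cryptswap1 none swap sw 0 0
/dev/mapper/cryptswap2 none swap sw 0 0
/dev/sdc2              none swap sw 0 0
EOF
audit_swap "$d/crypttab" "$d/fstab"
```

A random-key swap mapping reformats its backing device at every boot, so on a real system the crypttab device field should be a stable path such as `/dev/disk/by-id/...` rather than `/dev/sdXN`. Random-key swap also cannot be used to resume from hibernation.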
* Re: encryption of partitions/lvm without speakup
From: Jason White @ UTC (permalink / raw)
To: speakup
Gregory Nowak <speakup@braille.uwo.ca> wrote:
>
>Thanks to Joe, Alex, and Luke for your input. It's pretty much as I
>had figured things to be. I haven't heard of ecryptfs before though,
>will have to look that up.
One advantage (if your entire system doesn't have to be encrypted) is that it
stores the files under directories in whatever file system you are already
using - it doesn't require its own file system, partition or logical volume,
if I recall rightly.
Encryption of the file names as well as the contents was introduced several kernel releases ago.
Another option for those requiring full system encryption might be to try to
get it working with a Yubikey or similar device. A Yubikey can be configured
to generate a fixed password, but that isn't the standard or recommended
mode of operation. Rather, it normally generates a one-time encrypted password
that can be verified locally or remotely and integrated into PAM.