Full Encryption Setup

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: Full Encryption Setup

Postby viking60 » 02 Jun 2015, 23:39

Snorkasaurus wrote: I thought this was being done by the Debian installer
S.

Jupp I checked the Debian documentation so the Debian LVM will do this. I think you have the option of configuring LVM in that installer.

That is a "what" that is explained.
I think you are asking all the right questions so knowing what is going on is an important safety "feature" (that is why I like Arch).

From my research AES is the most tested and strongest one. It is my impression that it is the best. Blowfish is too old and Twofish is ok but will lose on speed against AES without having any other great advantages over it.

....to be continued
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

viking60
Über-Berserk
Posts: 9351
Joined: 14 Mar 2010, 16:34

Re: Full Encryption Setup

Postby viking60 » 03 Jun 2015, 16:24

Trying an encrypted install with the Debian 8 installer now...
Picked guided setup with encrypted LVM..
Putting my /home in a separate Partition...
And wrote the partitioning to the disk....
The installer does overwrite the disk completely to avoid leakage from the encrypted system - that is good....and it takes time...
And you are right it goes through without telling us what kind of encryption it has chosen for us - having a look at that now...

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: Full Encryption Setup

Postby Snorkasaurus » 03 Jun 2015, 17:28

viking60 wrote: The installer does overwrite the disk completely to avoid leakage from the encrypted system - that is good....and it takes time...
And you are right it goes through without telling us what kind of encryption it has chosen for us - having a look at that now...

Exactly... as you can see, it does ensure that the appropriate parts of the OS are encrypted but it does not let you configure that encryption manually. Which seems weird to me, because I have read your previous statement about "aes-xts-essiv:sha256" being for the "paranoid type people" in multiple places... and yet I see no way for the paranoid people to encrypt their OS that way. It certainly doesn't make sense that a paranoid person would want to encrypt their data but not their OS.

If you try the GUI installer you should see that the partitioning section of the install is very subtly different, but I still didn't see a way to select custom encryption parameters in there. I have been looking for information about installing Debian on pre-existing encrypted drives but it isn't working out so far.

S.
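
Added example, not part of any post in this thread: a shell function that reads `cryptsetup luksDump` output and reports the cipher, mode, key size and hash an installer chose. It assumes the LUKS1 text layout; `/dev/sdXN` is a placeholder and the sample header is constructed, not taken from a real install.

```shell
#!/bin/sh
# Added example: summarise cipher settings from `cryptsetup luksDump` output.
# Assumes the LUKS1 text layout ("Cipher name:", "Cipher mode:", ...).
# On a real system (as root): cryptsetup luksDump /dev/sdXN | luks_summary
# where /dev/sdXN is a placeholder for the encrypted partition.

# Constructed sample header, not taken from a real install.
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sdXN

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
EOF
}

luks_summary() {
    dump=$(cat)
    # Print the value of the first line starting with "<label>:".
    field() {
        printf '%s\n' "$dump" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
    }
    name=$(field 'Cipher name')
    mode=$(field 'Cipher mode')
    hash=$(field 'Hash spec')
    bits=$(field 'MK bits')
    if [ -z "$name" ] || [ -z "$mode" ] || [ -z "$bits" ]; then
        echo "no LUKS1 cipher fields found" >&2
        return 1
    fi
    # XTS splits the master key into two halves, so the cipher key
    # is half of "MK bits" (512 -> AES-256).
    case $mode in
        xts-*) eff=$(($bits / 2)) ;;
        *)     eff=$bits ;;
    esac
    printf '%s-%s key=%s effective=%s hash=%s\n' \
        "$name" "$mode" "$bits" "$eff" "$hash"
}

sample_dump | luks_summary
```

The "Hash spec" line is the hash used for key derivation in the LUKS header, not part of the disk cipher itself.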

Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19

Re: Full Encryption Setup

Postby Snorkasaurus » 03 Jun 2015, 17:43

I think part of my problem is that I am bothered by the way LVM is designed... and yet it seems this is not going to work without LVM. The clearest description of how LVM is structured is something like this:
[Image: chart of the LVM structure]
But even that doesn't seem to be well designed. First, I think the chart should be upside down, because in English (the language the article is written in) we read left to right and top to bottom - so the creation of the parts is done in the same order we read. And for my single-disk system it seems pretty excessive to
  • Put in the physical disk
  • Create a physical volume
  • Create a volume group
  • Create a logical volume (or in my case two logical volumes, one for root and one for swap)
To me this design strays from the KISS model and doesn't offer much in the way of benefit.

S.

dedanna1029
Sound-Berserk
Posts: 8784
Joined: 14 Mar 2010, 20:29

Re: Full Encryption Setup

Postby dedanna1029 » 07 Sep 2015, 21:13

Snorkasaurus wrote:
  • What cyphers are not available to me and why not?
  • What cyphers are available to me, which should I use, and why?
  • What hashing systems are not available and why?
  • What hashing systems are available, which should I use, and why?
  • Should I be concerned about entropy generation and if so then how do I manage it?

Well... this sounds totally out of the box, but IF these proggies will accept it, I've found that using no cyphers, hashes, or anything works. People who try to crack you will try every cypher and hash in the book, and get nowhere.

This is not the same, btw, as using things like passwords online or anything else. I'm talking with very tight security, the kind people feel compelled to try to crack - it challenges them.

However, not having used these, they probably wouldn't accept just nothing, their purpose is to have something.

LVM is the exact reason I don't use these things. I despise it.
I'd rather be a free person who fears terrorists, than be a "safe" person who fears the government.
No gods, no masters.
"A druid is by nature anarchistic, that is, submits to no one."
http://uk.druidcollege.org/faqs.html

