author Holger Wansing <linux@wansing-online.de> 2014-08-26 19:05:25 +0000
committer Holger Wansing <linux@wansing-online.de> 2014-08-26 19:05:25 +0000
commit 1e76cd6945a070ebf1d80ed82d094bd41aea8a7b
tree 68a434271cdc7a5db2cc91ebbdfc48adc02aff0d /en/using-d-i
parent 69962c2acd6300010c1ff183afe56abb937c011a
loop-AES is no longer supported by the installer;
update the manual accordingly.
Diffstat (limited to 'en/using-d-i')
-rw-r--r-- en/using-d-i/modules/partman-crypto.xml | 96
1 files changed, 12 insertions, 84 deletions
diff --git a/en/using-d-i/modules/partman-crypto.xml b/en/using-d-i/modules/partman-crypto.xml
index ee8b6dff1..26e14b85d 100644
--- a/en/using-d-i/modules/partman-crypto.xml
+++ b/en/using-d-i/modules/partman-crypto.xml
@@ -50,21 +50,18 @@ include several cryptographic options for the partition.
</para><para>
-&d-i; supports several encryption methods. The default method
+The encryption method supported by &d-i;
is <firstterm>dm-crypt</firstterm> (included in newer Linux kernels,
-able to host LVM physical volumes), the other
-is <firstterm>loop-AES</firstterm> (older, maintained separately from
-the Linux kernel tree). Unless you have compelling reasons to do
-otherwise, it is recommended to use the default.
+able to host LVM physical volumes).
<!-- TODO: link to the "Debian block device encryption guide"
once Max writes it :-) -->
</para><para>
-First, let's have a look at the options available when you select
-<userinput>Device-mapper (dm-crypt)</userinput> as the encryption
-method. As always: when in doubt, use the defaults, because
+Let's have a look at the options available when you select
+encryption via <userinput>Device-mapper (dm-crypt)</userinput>.
+As always: when in doubt, use the defaults, because
they have been carefully chosen with security in mind.
<variablelist>
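Review bot: The retained parenthetical "(included in newer Linux kernels, able to host LVM physical volumes)" read as a contrast with loop-AES, which the removed lines described as "older, maintained separately from the Linux kernel tree". With that contrast gone, "newer" has nothing left to compare against; consider "included in the Linux kernel" instead.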
@@ -104,7 +101,7 @@ cipher.
</varlistentry>
<varlistentry>
-<term>IV algorithm: <userinput>cbc-essiv:sha256</userinput></term>
+<term>IV algorithm: <userinput>xts-plain64</userinput></term>
<listitem><para>
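Review bot: The default shown in the <term> changes from cbc-essiv:sha256 to xts-plain64, which is independent of dropping loop-AES, yet the commit message only mentions the loop-AES removal. Mention the new dm-crypt default in the commit message, or split it into its own commit, so the change to the documented default can be found in the history.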
@@ -119,7 +116,7 @@ data.
</para><para>
From the provided alternatives, the default
-<userinput>cbc-essiv:sha256</userinput> is currently the least
+<userinput>xts-plain64</userinput> is currently the least
vulnerable to known attacks. Use the other alternatives only when you
need to ensure compatibility with some previously installed system
that is not able to use newer algorithms.
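Review bot: In "the default xts-plain64 is currently the least vulnerable to known attacks" only the value was swapped; the justification and the compatibility advice that follow were written for the old default. Please confirm the sentence still holds for the full list of alternatives the installer offers, and consider naming cbc-essiv:sha256 as an example of a choice kept for "some previously installed system", since it is now one of the "other alternatives".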
@@ -203,73 +200,8 @@ though.
</variablelist>
-</para><para>
-
-If you select <menuchoice> <guimenu>Encryption method:</guimenu>
-<guimenuitem>Loopback (loop-AES)</guimenuitem> </menuchoice>, the menu
-changes to provide the following options:
-
-
-<variablelist>
-<varlistentry>
-<term>Encryption: <userinput>AES256</userinput></term>
-
-<listitem><para>
-
-For loop-AES, unlike dm-crypt, the options for cipher and key size are
-combined, so you can select both at the same time. Please see the
-above sections on ciphers and key sizes for further information.
-
-</para></listitem>
-</varlistentry>
-
-<varlistentry>
-<term>Encryption key: <userinput>Keyfile (GnuPG)</userinput></term>
-
-<listitem><para>
-
-Here you can select the type of the encryption key for this partition.
-
- <variablelist>
- <varlistentry>
- <term>Keyfile (GnuPG)</term>
- <listitem><para>
-
-The encryption key will be generated from random data during the
-installation. Moreover this key will be encrypted
-with <application>GnuPG</application>, so to use it, you will need to
-enter the proper passphrase (you will be asked to provide one later in
-the process).
-
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
- <term>Random key</term>
- <listitem><para>
-
-Please see the section on random keys above.
-
- </para></listitem>
- </varlistentry>
- </variablelist>
-
-</para></listitem>
-</varlistentry>
-
-<varlistentry>
-<term>Erase data: <userinput>yes</userinput></term>
-
-<listitem><para>
-
-Please see the section on erasing data above.
-
-</para></listitem>
-</varlistentry>
-
-</variablelist>
-
-</para><para>
+</para>
+<para>
After you have selected the desired parameters for your encrypted
partitions, return back to the main partitioning menu. There should
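Review bot: The new paragraph boundary is written as "</para>" and "<para>" on two lines, while the removed line and the unchanged context elsewhere in this file use "</para><para>" on one line followed by a blank line. Keep the existing form so this break matches its neighbours. Since the removed block was where the GnuPG keyfile option was described, also check that no remaining text still refers to the Loopback menu entry or to a GnuPG keyfile.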
@@ -321,16 +253,12 @@ This will be repeated for each partition to be encrypted.
After returning to the main partitioning menu, you will see all
encrypted volumes as additional partitions which can be configured in
-the same way as ordinary partitions. The following example shows two
-different volumes. The first one is encrypted via dm-crypt, the second
-one via loop-AES.
+the same way as ordinary partitions. The following example shows a
+volume encrypted via dm-crypt.
<informalexample><screen>
Encrypted volume (<replaceable>sda2_crypt</replaceable>) - 115.1 GB Linux device-mapper
#1 115.1 GB F ext3
-
-Loopback (<replaceable>loop0</replaceable>) - 515.2 MB AES256 keyfile
- #1 515.2 MB F ext3
</screen></informalexample>
Now is the time to assign mount points to the volumes and optionally
@@ -340,7 +268,7 @@ change the file system types if the defaults do not suit you.
Pay attention to the identifiers in parentheses
(<replaceable>sda2_crypt</replaceable>
-and <replaceable>loop0</replaceable> in this case) and the mount
+in this case) and the mount
points you assigned to each encrypted volume. You will need this
information later when booting the new system. The differences between
the ordinary boot process and the boot process with encryption involved will
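Review bot: After removing "and loop0", the sentence reads "the identifiers in parentheses (sda2_crypt in this case)", a plural followed by a single example, and the wrap leaves a short "in this case) and the mount" line. Suggest "the identifier in parentheses" (or keep the plural and say "for example sda2_crypt"), and re-wrap the paragraph.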