diff options
| -rw-r--r-- | en/boot-new/mount-encrypted.xml | 51 | ||||
| -rw-r--r-- | en/using-d-i/modules/partman-crypto.xml | 96 |
2 files changed, 15 insertions, 132 deletions
diff --git a/en/boot-new/mount-encrypted.xml b/en/boot-new/mount-encrypted.xml index f304b173f..332f60f52 100644 --- a/en/boot-new/mount-encrypted.xml +++ b/en/boot-new/mount-encrypted.xml @@ -8,14 +8,10 @@ If you created encrypted volumes during the installation and assigned them mount points, you will be asked to enter the passphrase for each -of these volumes during the boot. The actual procedure differs -slightly between dm-crypt and loop-AES. +of these volumes during the boot. </para> - <sect2 id="mount-dm-crypt"> - <title>dm-crypt</title> - <para> For partitions encrypted using dm-crypt you will be shown the following @@ -68,36 +64,6 @@ for further information. After entering all passphrases the boot should continue as usual. </para> - </sect2> - - <sect2 id="mount-loop-aes"> - <title>loop-AES</title> - -<para> - -For partitions encrypted using loop-AES you will be shown the following -prompt during the boot: - -<informalexample><screen> -Checking loop-encrypted file systems. -Setting up /dev/loop<replaceable>X</replaceable> (/<replaceable>mountpoint</replaceable>) -Password: -</screen></informalexample> - -</para><para> - -No characters (even asterisks) will be shown while entering the passphrase. -If you enter the wrong passphrase, you have two more tries to correct it. -After the third try the boot process will skip this volume and continue to -mount the next filesystem. Please see <xref linkend="crypto-troubleshooting"/> -for further information. - -</para><para> - -After entering all passphrases the boot should continue as usual. - -</para> - </sect2> <sect2 id="crypto-troubleshooting"> <title>Troubleshooting</title> @@ -122,22 +88,11 @@ computer to try again. The easiest case is for encrypted volumes holding data like <filename>/home</filename> or <filename>/srv</filename>. You can -simply mount them manually after the boot. For loop-AES this is -a one-step operation: - -<informalexample><screen> -<prompt>#</prompt> <userinput>mount <replaceable>/mount_point</replaceable></userinput> -<prompt>Password:</prompt> -</screen></informalexample> - -where <replaceable>/mount_point</replaceable> should be replaced by -the particular directory (e.g. <filename>/home</filename>). The only -difference from an ordinary mount is that you will be asked to enter -the passphrase for this volume. +simply mount them manually after the boot. </para><para> -For dm-crypt this is a bit trickier. First you need to register the +However for dm-crypt this is a bit tricky. First you need to register the volumes with <application>device mapper</application> by running: <informalexample><screen> diff --git a/en/using-d-i/modules/partman-crypto.xml b/en/using-d-i/modules/partman-crypto.xml index ee8b6dff1..26e14b85d 100644 --- a/en/using-d-i/modules/partman-crypto.xml +++ b/en/using-d-i/modules/partman-crypto.xml @@ -50,21 +50,18 @@ include several cryptographic options for the partition. </para><para> -&d-i; supports several encryption methods. The default method +The encryption method supported by &d-i; is <firstterm>dm-crypt</firstterm> (included in newer Linux kernels, -able to host LVM physical volumes), the other -is <firstterm>loop-AES</firstterm> (older, maintained separately from -the Linux kernel tree). Unless you have compelling reasons to do -otherwise, it is recommended to use the default. +able to host LVM physical volumes). <!-- TODO: link to the "Debian block device encryption guide" once Max writes it :-) --> </para><para> -First, let's have a look at the options available when you select -<userinput>Device-mapper (dm-crypt)</userinput> as the encryption -method. As always: when in doubt, use the defaults, because +Let's have a look at the options available when you select +encryption via <userinput>Device-mapper (dm-crypt)</userinput>. +As always: when in doubt, use the defaults, because they have been carefully chosen with security in mind. <variablelist> @@ -104,7 +101,7 @@ cipher. </varlistentry> <varlistentry> -<term>IV algorithm: <userinput>cbc-essiv:sha256</userinput></term> +<term>IV algorithm: <userinput>xts-plain64</userinput></term> <listitem><para> @@ -119,7 +116,7 @@ data. </para><para> From the provided alternatives, the default -<userinput>cbc-essiv:sha256</userinput> is currently the least +<userinput>xts-plain64</userinput> is currently the least vulnerable to known attacks. Use the other alternatives only when you need to ensure compatibility with some previously installed system that is not able to use newer algorithms. @@ -203,73 +200,8 @@ though. </variablelist> -</para><para> - -If you select <menuchoice> <guimenu>Encryption method:</guimenu> -<guimenuitem>Loopback (loop-AES)</guimenuitem> </menuchoice>, the menu -changes to provide the following options: - - -<variablelist> -<varlistentry> -<term>Encryption: <userinput>AES256</userinput></term> - -<listitem><para> - -For loop-AES, unlike dm-crypt, the options for cipher and key size are -combined, so you can select both at the same time. Please see the -above sections on ciphers and key sizes for further information. - -</para></listitem> -</varlistentry> - -<varlistentry> -<term>Encryption key: <userinput>Keyfile (GnuPG)</userinput></term> - -<listitem><para> - -Here you can select the type of the encryption key for this partition. - - <variablelist> - <varlistentry> - <term>Keyfile (GnuPG)</term> - <listitem><para> - -The encryption key will be generated from random data during the -installation. Moreover this key will be encrypted -with <application>GnuPG</application>, so to use it, you will need to -enter the proper passphrase (you will be asked to provide one later in -the process). - - </para></listitem> - </varlistentry> - - <varlistentry> - <term>Random key</term> - <listitem><para> - -Please see the section on random keys above. - - </para></listitem> - </varlistentry> - </variablelist> - -</para></listitem> -</varlistentry> - -<varlistentry> -<term>Erase data: <userinput>yes</userinput></term> - -<listitem><para> - -Please see the section on erasing data above. - -</para></listitem> -</varlistentry> - -</variablelist> - -</para><para> +</para> +<para> After you have selected the desired parameters for your encrypted partitions, return back to the main partitioning menu. There should @@ -321,16 +253,12 @@ This will be repeated for each partition to be encrypted. After returning to the main partitioning menu, you will see all encrypted volumes as additional partitions which can be configured in -the same way as ordinary partitions. The following example shows two -different volumes. The first one is encrypted via dm-crypt, the second -one via loop-AES. +the same way as ordinary partitions. The following example shows a +volume encrypted via dm-crypt. <informalexample><screen> Encrypted volume (<replaceable>sda2_crypt</replaceable>) - 115.1 GB Linux device-mapper #1 115.1 GB F ext3 - -Loopback (<replaceable>loop0</replaceable>) - 515.2 MB AES256 keyfile - #1 515.2 MB F ext3 </screen></informalexample> Now is the time to assign mount points to the volumes and optionally @@ -340,7 +268,7 @@ change the file system types if the defaults do not suit you. Pay attention to the identifiers in parentheses (<replaceable>sda2_crypt</replaceable> -and <replaceable>loop0</replaceable> in this case) and the mount +in this case) and the mount points you assigned to each encrypted volume. You will need this information later when booting the new system. The differences between the ordinary boot process and the boot process with encryption involved will |