diff options
Diffstat (limited to 'nl/using-d-i/modules/partman-crypto.xml')
-rw-r--r-- | nl/using-d-i/modules/partman-crypto.xml | 355 |
1 files changed, 0 insertions, 355 deletions
diff --git a/nl/using-d-i/modules/partman-crypto.xml b/nl/using-d-i/modules/partman-crypto.xml deleted file mode 100644 index 233f98693..000000000 --- a/nl/using-d-i/modules/partman-crypto.xml +++ /dev/null @@ -1,355 +0,0 @@ -<!-- retain these comments for translator revision tracking --> -<!-- original version: 56427 untranslated --> - - <sect3 id="partman-crypto"> - <title>Configuring Encrypted Volumes</title> -<para> - -&d-i; allows you to set up encrypted partitions. Every file you write -to such a partition is immediately saved to the device in encrypted -form. Access to the encrypted data is granted only after entering -the <firstterm>passphrase</firstterm> used when the encrypted -partition was originally created. This feature is useful to protect -sensitive data in case your laptop or hard drive gets stolen. The -thief might get physical access to the hard drive, but without knowing -the right passphrase, the data on the hard drive will look like random -characters. - -</para><para> - -The two most important partitions to encrypt are: the home partition, -where your private data resides, and the swap partition, where -sensitive data might be stored temporarily during operation. Of -course, nothing prevents you from encrypting any other partitions that might -be of interest. For example <filename>/var</filename> where database -servers, mail servers or print servers store their data, or -<filename>/tmp</filename> which is used by various programs to store -potentially interesting temporary files. Some people may even want to -encrypt their whole system. The only exception is -the <filename>/boot</filename> partition which must remain -unencrypted, because currently there is no way to load the kernel from -an encrypted partition. - -</para><note><para> - -Please note that the performance of encrypted partitions will be -less than that of unencrypted ones because the data needs to be -decrypted or encrypted for every read or write. The performance impact -depends on your CPU speed, chosen cipher and a key length. - -</para></note><para> - -To use encryption, you have to create a new partition by selecting -some free space in the main partitioning menu. Another option is to -choose an existing partition (e.g. a regular partition, an LVM logical -volume or a RAID volume). In the <guimenu>Partition settings</guimenu> -menu, you need to select <guimenuitem>physical volume for -encryption</guimenuitem> at the <menuchoice> <guimenu>Use -as:</guimenu> </menuchoice> option. The menu will then change to -include several cryptographic options for the partition. - -</para><para> - -&d-i; supports several encryption methods. The default method -is <firstterm>dm-crypt</firstterm> (included in newer Linux kernels, -able to host LVM physical volumes), the other -is <firstterm>loop-AES</firstterm> (older, maintained separately from -the Linux kernel tree). Unless you have compelling reasons to do -otherwise, it is recommended to use the default. - -<!-- TODO: link to the "Debian block device encryption guide" - once Max writes it :-) --> - -</para><para> - -First, let's have a look at the options available when you select -<userinput>Device-mapper (dm-crypt)</userinput> as the encryption -method. As always: when in doubt, use the defaults, because -they have been carefully chosen with security in mind. - -<variablelist> - -<varlistentry> -<term>Encryption: <userinput>aes</userinput></term> - -<listitem><para> - -This option lets you select the encryption algorithm -(<firstterm>cipher</firstterm>) which will be used to encrypt the data -on the partition. &d-i; currently supports the following block -ciphers: <firstterm>aes</firstterm>, <firstterm>blowfish</firstterm>, -<firstterm>serpent</firstterm>, and <firstterm>twofish</firstterm>. -It is beyond the scope of this document to discuss the qualities of -these different algorithms, however, it might help your decision to -know that in 2000, <emphasis>AES</emphasis> was chosen by the American -National Institute of Standards and Technology as the standard -encryption algorithm for protecting sensitive information in the 21st -century. - -</para></listitem> -</varlistentry> - -<varlistentry> -<term>Key size: <userinput>256</userinput></term> - -<listitem><para> - -Here you can specify the length of the encryption key. With a larger -key size, the strength of the encryption is generally improved. On the -other hand, increasing the length of the key usually has a negative -impact on performance. Available key sizes vary depending on the -cipher. - -</para></listitem> -</varlistentry> - -<varlistentry> -<term>IV algorithm: <userinput>cbc-essiv:sha256</userinput></term> - -<listitem><para> - -The <firstterm>Initialization Vector</firstterm> or -<firstterm>IV</firstterm> algorithm is used in cryptography to ensure -that applying the cipher on the same <firstterm>clear text</firstterm> -data with the same key always produces a unique -<firstterm>cipher text</firstterm>. The idea is to prevent the -attacker from deducing information from repeated patterns in the encrypted -data. - -</para><para> - -From the provided alternatives, the default -<userinput>cbc-essiv:sha256</userinput> is currently the least -vulnerable to known attacks. Use the other alternatives only when you -need to ensure compatibility with some previously installed system -that is not able to use newer algorithms. - -</para></listitem> -</varlistentry> - -<varlistentry> -<term>Encryption key: <userinput>Passphrase</userinput></term> - -<listitem><para> - -Here you can choose the type of the encryption key for this partition. - - <variablelist> - <varlistentry> - <term>Passphrase</term> - <listitem><para> - -The encryption key will be computed<footnote> -<para> - -Using a passphrase as the key currently means that the partition will -be set up using <ulink url="&url-luks;">LUKS</ulink>. - -</para></footnote> on the basis of a passphrase which you will be able -to enter later in the process. - - </para></listitem> - </varlistentry> - - <varlistentry> - <term>Random key</term> - <listitem><para> - -A new encryption key will be generated from random data each time you -try to bring up the encrypted partition. In other words: on every -shutdown the content of the partition will be lost as the key is -deleted from memory. (Of course, you could try to guess the key with a -brute force attack, but unless there is an unknown weakness in the -cipher algorithm, it is not achievable in our lifetime.) - - </para><para> - -Random keys are useful for swap partitions because you do not need to -bother yourself with remembering the passphrase or wiping sensitive -information from the swap partition before shutting down your -computer. However, it also means that you -will <emphasis>not</emphasis> be able to use -the <quote>suspend-to-disk</quote> functionality offered by newer -Linux kernels as it will be impossible (during a subsequent boot) to -recover the suspended data written to the swap partition. - - </para></listitem> - </varlistentry> - </variablelist> - -</para></listitem> -</varlistentry> - -<varlistentry> -<term>Erase data: <userinput>yes</userinput></term> - -<listitem><para> - -Determines whether the content of this partition should be overwritten -with random data before setting up the encryption. This is recommended -because it might otherwise be possible for an attacker to discern -which parts of the partition are in use and which are not. In -addition, this will make it harder to recover any leftover data from -previous installations<footnote><para> - -It is believed that the guys from three-letter agencies can restore -the data even after several rewrites of the magnetooptical media, -though. - -</para></footnote>. - -</para></listitem> -</varlistentry> - -</variablelist> - -</para><para> - -If you select <menuchoice> <guimenu>Encryption method:</guimenu> -<guimenuitem>Loopback (loop-AES)</guimenuitem> </menuchoice>, the menu -changes to provide the following options: - - -<variablelist> -<varlistentry> -<term>Encryption: <userinput>AES256</userinput></term> - -<listitem><para> - -For loop-AES, unlike dm-crypt, the options for cipher and key size are -combined, so you can select both at the same time. Please see the -above sections on ciphers and key sizes for further information. - -</para></listitem> -</varlistentry> - -<varlistentry> -<term>Encryption key: <userinput>Keyfile (GnuPG)</userinput></term> - -<listitem><para> - -Here you can select the type of the encryption key for this partition. - - <variablelist> - <varlistentry> - <term>Keyfile (GnuPG)</term> - <listitem><para> - -The encryption key will be generated from random data during the -installation. Moreover this key will be encrypted -with <application>GnuPG</application>, so to use it, you will need to -enter the proper passphrase (you will be asked to provide one later in -the process). - - </para></listitem> - </varlistentry> - - <varlistentry> - <term>Random key</term> - <listitem><para> - -Please see the section on random keys above. - - </para></listitem> - </varlistentry> - </variablelist> - -</para></listitem> -</varlistentry> - -<varlistentry> -<term>Erase data: <userinput>yes</userinput></term> - -<listitem><para> - -Please see the the section on erasing data above. - -</para></listitem> -</varlistentry> - -</variablelist> - -</para><para> - -After you have selected the desired parameters for your encrypted -partitions, return back to the main partitioning menu. There should -now be a new menu item called <guimenu>Configure encrypted -volumes</guimenu>. After you select it, you will be asked to confirm -the deletion of data on partitions marked to be erased and possibly -other actions such as writing a new partition table. For large -partitions this might take some time. - -</para><para> - -Next you will be asked to enter a passphrase for partitions configured -to use one. Good passphrases should be longer than 8 characters, -should be a mixture of letters, numbers and other characters and -should not contain common dictionary words or information easily -associable with you (such as birthdates, hobbies, pet names, names of -family members or relatives, etc.). - -</para><warning><para> - -Before you input any passphrases, you should have made sure that your -keyboard is configured correctly and generates the expected -characters. If you are unsure, you can switch to the second virtual -console and type some text at the prompt. This ensures that you won't be -surprised later, e.g. by trying to input a passphrase using a qwerty -keyboard layout when you used an azerty layout during the installation. -This situation can have several causes. Maybe you switched to another -keyboard layout during the installation, or the selected keyboard layout -might not have been set up yet when entering the passphrase for the -root file system. - -</para></warning><para> - -If you selected to use methods other than a passphrase to create -encryption keys, they will be generated now. Because the kernel may -not have gathered a sufficient amount of entropy at this early stage -of the installation, the process may take a long time. You can help -speed up the process by generating entropy: e.g. by pressing random -keys, or by switching to the shell on the second virtual console and -generating some network and disk traffic (downloading some files, -feeding big files into <filename>/dev/null</filename>, etc.). - -<!-- TODO: Mention hardware random generators when we will support - them --> - -This will be repeated for each partition to be encrypted. - -</para><para> - -After returning to the main partitioning menu, you will see all -encrypted volumes as additional partitions which can be configured in -the same way as ordinary partitions. The following example shows two -different volumes. The first one is encrypted via dm-crypt, the second -one via loop-AES. - -<informalexample><screen> -Encrypted volume (<replaceable>sda2_crypt</replaceable>) - 115.1 GB Linux device-mapper - #1 115.1 GB F ext3 - -Loopback (<replaceable>loop0</replaceable>) - 515.2 MB AES256 keyfile - #1 515.2 MB F ext3 -</screen></informalexample> - -Now is the time to assign mount points to the volumes and optionally -change the file system types if the defaults do not suit you. - -</para><para> - -Pay attention to the identifiers in parentheses -(<replaceable>sda2_crypt</replaceable> -and <replaceable>loop0</replaceable> in this case) and the mount -points you assigned to each encrypted volume. You will need this -information later when booting the new system. The differences between -the ordinary boot process and the boot process with encryption involved will -be covered later in <xref linkend="mount-encrypted-volumes"/>. - -</para><para> - -Once you are satisfied with the partitioning scheme, continue with the -installation. - -</para> - </sect3> |