From 414be8387df8d168abade7566997038163ef0134 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20Fernandez-Sanguino=20Pe=C3=B1a?= Date: Mon, 24 Jul 2006 06:15:04 +0000 Subject: Translation update --- es/hardware/supported/arm.xml | 2 +- es/howto/installation-howto.xml | 8 +- es/using-d-i/modules/partman-crypto.xml | 363 ++++++++++++++++++++++++++++++++ 3 files changed, 368 insertions(+), 5 deletions(-) create mode 100644 es/using-d-i/modules/partman-crypto.xml (limited to 'es') diff --git a/es/hardware/supported/arm.xml b/es/hardware/supported/arm.xml index 814a81bf7..92dbf0920 100644 --- a/es/hardware/supported/arm.xml +++ b/es/hardware/supported/arm.xml @@ -1,5 +1,5 @@ - + diff --git a/es/howto/installation-howto.xml b/es/howto/installation-howto.xml index 5467a1eb4..2508d089c 100644 --- a/es/howto/installation-howto.xml +++ b/es/howto/installation-howto.xml @@ -1,5 +1,5 @@ - + @@ -27,7 +27,7 @@ favor, dir instrucciones sobre cómo informar de éstos. Si tiene preguntas que este documento no absuelve, por favor, diríjala a la lista de correo debian-boot (&email-debian-boot-list;) o pregunte en el IRC (#debian-boot en la red -freenode). +OFTC). @@ -147,9 +147,9 @@ lugar. La forma más fácil de preparar su dispositivo de memoria USB es descargar hd-media/boot.img.gz y usar -«gunzip» para extraer la imagen de 128 MB desde este fichero. +«gunzip» para extraer la imagen de 256 MB desde este fichero. Escriba esta imagen directamente en el dispositivo de memoria, -que debe tener por lo menos 128 MB de tamaño. Obviamente se +que debe tener por lo menos 256 MB de tamaño. Obviamente se destruirá todo lo que ya se encuentre en el dispositivo de memoria. A continuación monte el dispositivo de memoria, que ahora tendrá un sistema de ficheros FAT. Por último, descargue una imagen de CD «netinst» diff --git a/es/using-d-i/modules/partman-crypto.xml b/es/using-d-i/modules/partman-crypto.xml new file mode 100644 index 000000000..6c75ad8ae --- /dev/null 
+++ b/es/using-d-i/modules/partman-crypto.xml 
@@ -0,0 +1,363 @@ + + + + + Configuring Encrypted Volumes + + +&d-i; allows you to set up encrypted partitions. Every file you write +to such a partition is immediately saved to the device in encrypted +form. Access to the encrypted data is granted only after entering +the passphrase used when the encrypted +partition was originally created. This feature is useful to protect +sensitive data in case your laptop or hard drive gets stolen. The +thief might get physical access to the hard drive, but without knowing +the right passphrase, the data on the hard drive will look like random +characters. + + + +The two most important partitions to encrypt are: the home partition, +where your private data resides, and the swap partition, where +sensitive data might be stored temporarily during operation. Of +course, nothing prevents you from encrypting any other partitions that might +be of interest. For example /var where database +servers, mail servers or print servers store their data, or +/tmp which is used by various programs to store +potentially interesting temporary files. Some people may even want to +encrypt their whole system. The only exception is +the /boot partition which must remain +unencrypted, because currently there is no way to load the kernel from +an encrypted partition. + + + +Please note that the performance of encrypted partitions will be +less than that of unencrypted ones because the data needs to be +decrypted or encrypted for every read or write. The performance impact +depends on your CPU speed, chosen cipher and a key length. + + + +To use encryption, you have to create a new partition by selecting +some free space in the main partitioning menu. Another option is to +choose an existing partition (e.g. a regular partition, an LVM logical +volume or a RAID volume). In the Partition setting +menu, you need to select physical volume for +encryption at the Use +as: option. 
The menu will then change to +include several cryptographic options for the partition. + + + +&d-i; supports several encryption methods. The default method +is dm-crypt (included in newer Linux kernels, +able to host LVM physical volumes), the other +is loop-AES (older, maintained separately from +the Linux kernel tree). Unless you have compelling reasons to do +otherwise, it is recommended to use the default. + + + + + +First, let's have a look at available options available when you +select Device-mapper (dm-crypt) as the +encryption method. As always: when in doubt, use the defaults, because +they have been carefully chosen with security in mind. + + + + +Encryption: aes + + + +This option lets you select the encryption algorithm +(cipher) which will be used to encrypt the data +on the partition. &d-i; currently supports the following block +ciphers: aes, blowfish, +serpent, and twofish. +It is beyond the scope of this document to discuss the qualities of +these different algorithms, however, it might help your decision to +know that in 2000, AES was chosen by the American +National Institute of Standards and Technology as the standard +encryption algorithm for protecting sensitive information in the 21st +century. + + + + + +Key size: 256 + + + +Here you can specify the length of the encryption key. With a larger +key size, the strength of the encryption is generally improved. On the +other hand, increasing the length of the key usually has a negative +impact on performance. Available key sizes vary depending on the +cipher. + + + + + +IV algorithm: cbc-essiv:sha256 + + + +The Initialization Vector or +IV algorithm is used in cryptography to ensure +that applying the cipher on the same clear text +data with the same key always produces a unique +cipher text. The idea is to prevent the +attacker from deducing information from repeated patterns in the encrypted +data. 
+ + + +From the provided alternatives, the default +cbc-essiv:sha256 is currently the least +vulnerable to known attacks. Use the other alternatives only when you +need to ensure compatibility with some previously installed system +that is not able to use newer algorithms. + + + + + +Encryption key: Passphrase + + + +Here you can choose the type of the encryption key for this partition. + + + + Passphrase + + +The encryption key will be computed + + +Using a passphrase as the key currently means that the partition will +be set up using LUKS. + + on the basis of a passphrase which you will be able +to enter later in the process. + + + + + + Random key + + +A new encryption key will be generated from random data each time you +try to bring up the encrypted partition. In other words: on every +shutdown the content of the partition will be lost as the key is +deleted from memory. (Of course, you could try to guess the key with a +brute force attack, but unless there is an unknown weakness in the +cipher algorithm, it is not achievable in our lifetime.) + + + +Random keys are useful for swap partitions because you do not need to +bother yourself with remembering the passphrase or wiping sensitive +information from the swap partition before shutting down your +computer. However, it also means that you +will not be able to use +the suspend-to-disk functionality offered by newer +Linux kernels as it will be impossible (during a subsequent boot) to +recover the suspended data written to the swap partition. + + + + + + + + + +Erase data: yes + + + +Determines whether the content of this partition should be overwritten +with random data before setting up the encryption. This is recommended +because it might otherwise be possible for an attacker to discern +which parts of the partition are in use and which are not. 
In +addition, this will make it harder to recover any leftover data from +previous installations + +It is believed that the guys from three-letter agencies can restore +the data even after several rewrites of the magnetooptical media, +though. + +. + + + + + + + + +If you select Encryption method: +Loopback (loop-AES) , the menu +changes to provide the following options: + + + + +Encryption: AES256 + + + +For loop-AES, unlike dm-crypt, the options for cipher and key size are +combined, so you can select both at the same time. Please see the +above sections on ciphers and key sizes for further information. + + + + + +Encryption key: Keyfile (GnuPG) + + + +Here you can select the type of the encryption key for this partition. + + + + Keyfile (GnuPG) + + +The encryption key will be generated from random data during the +installation. Moreover this key will be encrypted +with GnuPG, so to use it, you will need to +enter the proper passphrase (you will be asked to provide one later in +the process). + + + + + + Random key + + +Please see the the section on random keys above. + + + + + + + + + +Erase data: yes + + + +Please see the the section on erasing data above. + + + + + + + + +Please note that the graphical version of the +installer still has some limitations when compared to the textual +one. For cryptography it means you can set up only volumes using +passphrases as the encryption keys. + + + + +After you have selected the desired parameters for your encrypted +partitions, return back to the main partitioning menu. There should +now be a new menu item called Configure encrypted +volumes. After you select it, you will be asked to confirm +the deletion of data on partitions marked to be erased and possibly +other actions such as writing a new partition table. For large +partitions this might take some time. + + + +Next you will be asked to enter a passphrase for partitions configured +to use one. 
Good passphrases should be longer than 8 characters, +should be a mixture of letters, numbers and other characters and +should not contain common dictionary words or information easily +associable with you (such as birthdates, hobbies, pet names, names of +family members or relatives, etc.). + + + +Before you input any passphrases, you should have made sure that your +keyboard is configured correctly and generates the expected +characters. If you are unsure, you can switch to the second virtual +console and type some text at the prompt. This ensures that you won't be +surprised later, e.g. by trying to input a passphrase using a qwerty +keyboard layout when you used an azerty layout during the installation. +This situation can have several causes. Maybe you switched to another +keyboard layout during the installation, or the selected keyboard layout +might not have been set up yet when entering the passphrase for the +root file system. + + + +If you selected to use methods other than a passphrase to create +encryption keys, they will be generated now. Because the kernel may +not have gathered a sufficient amount of entropy at this early stage +of the installation, the process may take a long time. You can help +speed up the process by generating entropy: e.g. by pressing random +keys, or by switching to the shell on the second virtual console and +generating some network and disk traffic (downloading some files, +feeding big files into /dev/null, etc.). + + + +This will be repeated for each partition to be encrypted. + + + +After returning to the main partitioning menu, you will see all +encrypted volumes as additional partitions which can be configured in +the same way as ordinary partitions. The following example shows two +different volumes. The first one is encrypted via dm-crypt, the second +one via loop-AES. 
+ + +Encrypted volume (crypt0) - 115.1 GB Linux device-mapper + #1 115.1 GB F ext3 + +Loopback (loop0) - 515.2 MB AES256 keyfile + #1 515.2 MB F ext3 + + +Now is the time to assign mount points to the volumes and optionally +change the file system types if the defaults do not suit you. + + + +One thing to note here are the identifiers in parentheses +(crypt0 +and loop0 in this case) and the mount +points you assigned to each encrypted volume. You will need this +information later when booting the new system. The differences between +ordinary boot process and boot process with encryption involved will +be covered later in . + + + +Once you are satisfied with the partitioning scheme, continue with the +installation. + + + -- cgit v1.2.3
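Review bot: The subject "Translation update" does not mention two factual changes in es/howto/installation-howto.xml. The @@ -27,7 +27,7 @@ hunk replaces "freenode" with "OFTC" as the IRC network for #debian-boot, and the @@ -147,9 +147,9 @@ hunk raises both the extracted image size and the minimum memory-stick size from 128 MB to 256 MB. Suggest naming these changes in the commit message, or stating which English revision the file is being synced to, so that someone tracing when the size requirement changed can find this commit. The two 256 MB figures are updated together, which is right; it is worth checking that no other 128 MB reference to hd-media/boot.img.gz remains in the Spanish manual.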
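Review bot: The new file es/using-d-i/modules/partman-crypto.xml (@@ -0,0 +1,363 @@) is added under es/ by a commit titled "Translation update", yet every paragraph in it is English, from the title "Configuring Encrypted Volumes" onward. If this is a copy of the English text awaiting translation, say so in the commit message so that later translators know the section is still pending. When it is translated, do not carry over the slips in the copied text: "Please see the the section on random keys above." and "Please see the the section on erasing data above." repeat "the", and "have a look at available options available" repeats "available".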