Date: Tue, 14 May 2013 16:32:26 +0400 From: gremlin@...mlin.ru To: owl-users@...ts.openwall.com Subject: Re: Owl encrypted / and tcplay On 04-May-2013 15:45:51 +0200, Zenny wrote: > Is there a way to encrypt Owl / with aes-xts-plain64 which can be > remotely authenticated remotely for decryption (like using dropbear > in initrd or mandos server-client mechanism in debian using hooks)? No. And normally you don't need that. When dealing with sensitive data, personally I prefer leaving bare system at unencrypted / and /var, while keeping all the sensitive data inside VZ containers stored at encrypted /home; when I reboot the server, I wait for it to start and then issue the command like: gpg < vzhost.key | ssh root@...ost.somewhere \ "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 /dev/loop0 /dev/md2" (hint: `head -c128 /dev/random | xxd -p -c32 | gpg -ea > vzhost.key` will provide you with secure encryption key). After that, I go to vzhost.somewhere and issue two obvious commands: mount /dev/loop0 service vz start Please see the http://openwall.info/wiki/Owl/secure-storage page for instructions of how to set up secure data storage. > Also interested in tcplay, but would be nice to know to securely > integrated with Owl 3.0. It uses devmapper, and thus is inacceptable due to its' ability to bury all the data at once. -- Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru> GPG key ID: 0xEF3B1FA8, keyserver: hkp://subkeys.pgp.net GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.