Mailing List Archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tlug] USB Flash Drive Install



On 2009-10-13 09:19 +0900 (Tue), Leo Howell wrote:

> I assume you're aware that 9.10 is still in beta and won't be 
> declared working until the end of the month?

Yup. Still, in my world anyway, "beta, and about to be released in a
couple of weeks" does not usually mean, "expect it to be seriously
broken."

Anyway, after much mucking about I finally figured out a few
not-well-documented things you have to do to get things working.

First, don't try to do a live image. Caspar is just not well documented
enough to figure out what configurations will work and what won't, so
trying to do anything with a non-default configuration can lead to a
whole lot of pain.

Second, when using a standard hard disk install with an encrypted file
system (using the alternate install disk), make darn sure you remember
to add /boot to the list of partitions, and set it up as an filesystem,
even if you've already done this on previous installs. If you don't,
you'll receive no warnings, the install will appear to work just fine,
and you'll end up with an unbootable system.

Third, when using an encrypted partition, always put an LVM in it,
and put your root filesystem in that. If you don't, again, you'll get
mysterious failures, such as the boot dropping into busybox.

> >     1. Say, 128 GB instead of the usual 256 GB for /boot. That should be
> >     enough for three kernels and initrds and all, easy.
> 
> I assume you mean MB above. If this is just to see if ubuntu will work 
> on your PC (and for web cafes), why not just stick everything into one 
> filesystem?

It's for use when I don't have available a computer with an OS install
that I trust. If I lose the key, I don't want the data on it to be
easily available to whoever finds it, and so I need an encrypted
filesystem.

> >     2. The basic encryption of root that everybody expects these days.
> 
> Really? I don't. Especially not if I'm going to be typing in my 
> passphrase on an untrusted machine, which may well have any number of 
> malicious things lurking in the firmware / hardware.

I have to say, I don't understand your security analysis here. There are
some obvious attacks (such as someone else getting hold of your key)
where an encrypted filesystem will provide a lot of protection. What
attacks are you protecting against by having it unencrypted?

In particular, you imply that if an attacker uses a hardware keylogger
(or something similar) to collect your passphrase for that particular
partition, they're going to find this useful. For what will they find it
useful, and under what circumstances?

> If you don't want swap, then don't set any up in the installer. It will 
> ask once if you're really sure, but then you are, right?

Yes, that eventually worked; it was other requirements for which I was
not warned that were causing me problems.

cjs
-- 
Curt Sampson       <cjs@example.com>        +81 90 7737 2974
           Functional programming in all senses of the word:
                   http://www.starling-software.com


Home | Main Index | Thread Index

Home Page Mailing List Linux and Japan TLUG Members Links