Having problems with the Gentoo Handbook? If you're still working your way through it, or just need some info before you start your install, this is the place. All other questions go elsewhere.
I am reading the wiki article on disk encryption and follow it well, but I have a question. If I opt not to use a key-file and use a password, how would that work? Also, is it possible to require the key-file to be on a USB stick? I always keep mine with me and this would mean you would need my laptop AND USB stick to gain access to the system, on top of the root password, user password, or whatever.
Alright, if I enter a password, will it be possible to change the password in the future, such as on a schedule or if the unit is transferred to another employee? Also, how would things work at that point? Would it boot to GRUB and then ask for a password or what?
LUKS supports up to 8 key slots which you can add/change/remove at any time. That is, you can have e.g. one key that you hand over to your employer and up to 7 additional keys, one for each employee that requires access to the device.
In order to be prompted for a password during startup you will need to generate an initramfs, e.g. with dracut or genkernel.
Note that if those employees had root access at any point, they might have obtained the master key, which would allow them access regardless of passphrase changes. Note also that the device is inaccessible if no one remembers a password (if your employee had an accident, or whatever) so in such a scenario that involves several people, there should be some plans as to how to handle unexpected circumstances.
Also, anyone with the passphrase can unlock the device whether or not they finish the boot process, so they could unlock the device in a LiveCD and use that environment to grant themselves extra privileges on the installed system, or use it to extract data they otherwise cannot have on the raw system. In general, you should assume that anyone who has the decryption password and unsupervised physical access to the machine will have the same access that an unencrypted machine grants to someone with unsupervised physical access to the machine.
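The key-slot lifecycle described above (one escrow key for the employer, a per-employee key that gets rotated on a schedule and revoked on hand-over), as an added example that is not part of the thread. It runs cryptsetup against a file-backed LUKS1 container, since the header operations (luksFormat, luksAddKey, luksChangeKey, luksKillSlot, luksDump) need neither root nor device-mapper; only luksOpen does. The directory, file names and passphrases are constructed for the demo, and the short `--iter-time` is a demo setting, not a recommendation.

```shell
#!/bin/sh
# Added example (not from the thread): LUKS1 key-slot lifecycle on a file-backed
# container. All paths and passphrases are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/luks-slot-demo"
CONTAINER="$WORK/container.img"

# Write a passphrase to a key file with no trailing newline, so the slot holds the
# same bytes whether it is later unlocked from this file or typed at a prompt.
write_key() {            # $1 = file, $2 = passphrase
    printf '%s' "$2" > "$1"
    chmod 600 "$1"
}

# Number of ENABLED key slots reported by luksDump for a LUKS1 header.
enabled_slots() {        # $1 = container
    cryptsetup luksDump "$1" | grep -c 'ENABLED' || true
}

# Format with the employer's escrow key (slot 0), add an employee key (slot 1),
# rotate the employee key in place, then revoke it when the laptop changes hands.
# Echoes the enabled-slot count after each step: "2 2 1".
demo_slot_lifecycle() {
    if ! command -v cryptsetup >/dev/null 2>&1; then
        echo "skipped"; return 0          # nothing to demonstrate without cryptsetup
    fi
    rm -rf "$WORK"; mkdir -p "$WORK"
    write_key "$WORK/employer.key" 'employer-escrow-passphrase'
    write_key "$WORK/alice.key"    'alice-initial-passphrase'
    write_key "$WORK/alice2.key"   'alice-rotated-passphrase'

    dd if=/dev/zero of="$CONTAINER" bs=1M count=32 2>/dev/null
    # --iter-time 100 keeps PBKDF2 cheap for the demo; keep the default on a real disk.
    cryptsetup luksFormat --type luks1 --batch-mode --iter-time 100 \
        --key-file "$WORK/employer.key" "$CONTAINER"

    # Slot 1 for the employee: an existing key (slot 0) authorises adding it.
    cryptsetup luksAddKey --key-slot 1 --iter-time 100 \
        --key-file "$WORK/employer.key" "$CONTAINER" "$WORK/alice.key"
    after_add=$(enabled_slots "$CONTAINER")

    # Scheduled rotation: overwrite slot 1 with the new passphrase; the old one
    # (read from --key-file) proves the holder may change it.
    cryptsetup luksChangeKey --key-slot 1 --iter-time 100 \
        --key-file "$WORK/alice.key" "$CONTAINER" "$WORK/alice2.key"
    after_change=$(enabled_slots "$CONTAINER")

    # Transfer to another employee: revoke slot 1 using the escrow key.
    cryptsetup luksKillSlot --key-file "$WORK/employer.key" "$CONTAINER" 1
    after_kill=$(enabled_slots "$CONTAINER")

    echo "$after_add $after_change $after_kill"
}

# Why rotating passphrases does not lock out someone who once held root: any slot
# holder can dump the master key, and that key never changes unless you re-encrypt.
dump_master_key() {      # $1 = container, $2 = key file for any enabled slot
    cryptsetup luksDump --dump-master-key --batch-mode --key-file "$2" "$1" \
        | sed -n '/MK dump/,$p'
}

demo_slot_lifecycle
```

Run it as an ordinary user; it prints `2 2 1` (or `skipped` where cryptsetup is not installed). Call `dump_master_key "$CONTAINER" "$WORK/employer.key"` afterwards to see the point made above about master-key exposure. The boot-time prompt itself is a separate piece: with genkernel it comes from an initramfs built with `genkernel --luks initramfs` and a `crypt_root=` entry on the kernel command line, which this example does not cover.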
This isn't to keep IT guys out. This is in case the laptop is stolen or lost. The people who would fall into my position after my promotion would have no problem figuring a way around this, but if some retarded thug breaks in and snatches it, they're hosed and our client data is secure.
I just had an odd thought about this. If I encrypt the disk, would I be able to dual-boot 7 and Gentoo? I seriously doubt I would, but it would be neat if it was possible. Currently I run 7 64bit in VirtualBox, but I have a high-end Dell Latitude at home I game on when traveling, and it would be kind of cool to secure both systems. I use Gentoo for browsing and email, 7 strictly for gaming.
Windows uses BitLocker, which is surprisingly similar to what TrueCrypt used to do (and it makes me a bit suspicious about TC being "deprecated"). I don't think those two are compatible, so if you encrypt the whole disk, you will only be able to use one of those.
On the other hand, TC used to work with both Windows and Linux, so it might be possible. And it might also be possible if you partition the disk and encrypt different partitions with different tools.