Date: Tue, 14 May 2013 21:44:05 +0200
From: Zenny <>
Subject: Re: Owl encrypted / and tcplay

@Alexey: I checked the page that you referred to about storage, but I
am trying to use zfs instead of traditional softraid or hardraid
whereas all the vms will be stored in the encrypted zfs volumes.
However, like I stated earlier, / encryption is one of the

On 5/14/13, Zenny <> wrote:
> Thanks to Alexander and Alexey both for very useful info.
> @Alexey: I need to encrypt /. I am quite impressed by full disk
> encryption, recognized by bootloader of OpenBSD 5.3. Impressive work.
> If Owl can implement something similar it would be wonderful. (ref:
> Actually full disk encryption is a basic requirement for me. I also
> thought of installing Owl as a qemu instance of OpenBSD, but gave up
> the idea of running virtualization on top of another virtualization i.e.
> openvz on top of qemu!
> On 5/14/13, <> wrote:
>> On 04-May-2013 15:45:51 +0200, Zenny wrote:
>>  > Is there a way to encrypt Owl / with aes-xts-plain64 which can be
>>  > remotely authenticated for decryption (like using dropbear
>>  > in initrd or mandos server-client mechanism in debian using hooks)?
>> No. And normally you don't need that.
>> When dealing with sensitive data, personally I prefer leaving bare
>> system at unencrypted / and /var, while keeping all the sensitive
>> data inside VZ containers stored at encrypted /home; when I reboot
>> the server, I wait for it to start and then issue the command like:
>> gpg < vzhost.key | ssh root@...ost.somewhere \
>>  "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 /dev/loop0 /dev/md2"
>> (hint: `head -c128 /dev/random | xxd -p -c32 | gpg -ea > vzhost.key`
>> will provide you with secure encryption key).
>> After that, I go to vzhost.somewhere and issue two obvious commands:
>> mount /dev/loop0
>> service vz start
>> Please see the page for
>> instructions of how to set up secure data storage.
>>  > Also interested in tcplay, but would be nice to know how to securely
>>  > integrate it with Owl 3.0.
>> It uses devmapper, and thus is unacceptable due to its ability to bury
>> all the data at once.
>> --
>> Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК
>> ru>
>> GPG key ID: 0xEF3B1FA8, keyserver: hkp://
>> GPG key fingerprint: 8832 FE9F A791 F796 8AC9 6E4E 909D AC45 EF3B 1FA8
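The remote-unlock pipeline Alexey describes above (key decrypted with GPG on the admin workstation, streamed over ssh into `losetup -p 0`, never stored in the clear on the server) as an added, self-contained example. This is not code from the post or from Owl; the losetup options `-e twofish -k 256 -H sha512` are copied from the quoted command as given (they belong to the loop-AES-style patched losetup, not stock util-linux), the host, recipient and file names are assumed placeholders, and on the local side `xxd` is replaced by POSIX `od`/`printf` so the helpers run where xxd is not installed. The added `check_hex_key` step rejects a truncated or corrupted key file before anything is sent.

```shell
#!/bin/sh
# Added example (not from the post): remote unlock of a loop-encrypted volume.
# The GPG-encrypted key file stays on the admin workstation; the plaintext key
# only ever exists in a pipe between gpg, ssh and losetup's stdin (-p 0).
set -e

# 128 random bytes as one line of 256 hex characters (od instead of xxd).
gen_hex_key() {
    dd if=/dev/urandom bs=128 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Validate a key on stdin: exactly 256 hex digits and nothing else.
# Returns non-zero otherwise, so a bad key file is caught before it is sent.
check_hex_key() {
    k=$(tr -d '\n')
    case "$k" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#k}" -eq 256 ]
}

# Hex on stdin to raw bytes on stdout (what `xxd -p -r` does), using only
# POSIX printf octal escapes.
hex_to_raw() {
    tr -d ' \n' | fold -w 2 | while read -r h || [ -n "$h" ]; do
        printf "\\$(printf '%03o' "0x$h")"
    done
}

# Command run on the server: decode the key from stdin and hand it to losetup
# as the passphrase. $1 = loop device, $2 = backing block device.
# losetup options copied verbatim from the quoted post (loop-AES style).
unlock_cmd() {
    printf '%s' "xxd -p -r | losetup -p 0 -e twofish -k 256 -H sha512 $1 $2"
}

# Create a new key file: random key, GPG-encrypted to the admin's identity.
# usage: make_key_file <gpg-recipient> <outfile>   (assumed names)
make_key_file() {
    gen_hex_key | gpg --encrypt --armor --recipient "$1" > "$2"
}

# Decrypt locally, validate, then stream the key to the remote losetup.
# usage: unlock_remote <keyfile.gpg> <user@host> <loopdev> <blockdev>
unlock_remote() {
    key=$(gpg --quiet --decrypt "$1")
    printf '%s' "$key" | check_hex_key || { echo "bad key file: $1" >&2; return 1; }
    printf '%s' "$key" | ssh "$2" "$(unlock_cmd "$3" "$4")"
}

# Example session (assumed placeholder names; not run when sourced):
#   make_key_file admin@example.invalid vzhost.key
#   unlock_remote vzhost.key root@vzhost.example.invalid /dev/loop0 /dev/md2
# then on the server, as in the post:  mount /dev/loop0; service vz start
```

Note that `unlock_remote` holds the decrypted key only in a shell variable of the local, non-exported environment for the duration of the check; it is never written to a file on either side, and the server receives it solely through losetup's stdin.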
