I've been looking for a better solution for encrypted loopback root filesystems. The current strategy used by cryptoapi and loop-AES seems to be: 1. Boot on an initrd 2. On the initrd, load crypto modules (unless already built in) 3. losetup -e ... /dev/loop0 /dev/hda1 4. Swap roots, exit, let kernel exec /sbin/init Unfortunately, this has one major problem: it seems to be impossible to get rid of the RAM disk afterwards, because the filesystem on the RAM disk is in use (due to the /dev device inode used for losetup). This means that whatever RAM is used for the RAM disk is lost forever. Encrypted root is most useful on laptops, where RAM is scarce, expensive, or both...so this plan sucks. What I'd like to do is build all the crypto stuff into the kernel (which is not new) as well as the equivalent of losetup and some mechanism for stacking a loop device on top of a physical device that does not require a /dev inode. Additional support for salting the passphrase using some handy nearby data would be nice, but not essential. Has anyone done such a thing? Does anyone intend to? -- Zygo Blaxell (Laptop) <zblaxell@xxxxxxxxxxxxxxxxxxxxx> GPG = D13D 6651 F446 9787 600B AD1E CCF3 6F93 2823 44AD
Attachment:
pgp00080.pgp
Description: PGP signature
