Sure, that is a better way! Previously the superblock was encrypted too
(what information does it contain?)
But why should one write:
losetup -d /dev/loop1
mount -t ext3 /dev/md0 /mnt -o loop=/dev/loop1,encryption=AES128,gpgkey=/etc/foo.gpg
instead of just:
mount /dev/loop1 /mnt ?
********************
Here I'll provide some information about how I set up my raid1 array for
data storage:
1. create 2 partitions of equal size (looks like it can be a little
different) on separate disks
2. install mdadm and execute these commands:
mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/hda2 /dev/hdb4
# if that makes an error, probably there was no /dev/md0 (use mknod)!
# after this command the kernel synchronises both disks. To watch progress, execute "watch -n 1 cat /proc/mdstat"
# I don't know how safe it is to proceed before synchronising is complete.
losetup -e AES128 -K /etc/foo.gpg /dev/loop1 /dev/md0
mkfs -t ext2 /dev/loop1
# if you want to write some information, mount /dev/loop1 and do it here!
losetup -d /dev/loop1
3. To make usage of encrypted raid1 convenient, I updated my gentoo's
init scripts:
a) in checkroot init script after root partition has been checked insert
ebegin "Starting multi disk array"
/sbin/mdadm -A /dev/md0 /dev/hda2 /dev/hdb4
echo "20+ character password" | losetup -p 0 -e AES128 -K /etc/foo.gpg /dev/loop1 /dev/md0
eend $?
# use chmod to make file readable only to root
# these lines could be inserted anywhere else before filesystems in /etc/fstab are mounted (but make sure that they will be executed!)
b) update /etc/fstab:
/dev/loop1 /mountpoint ext2 defaults 0 2
c) reboot to see if everything works OK!
********************
How big a vulnerability is that password written in the init file?
--
Jan
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
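Two checks that fit the procedure in the post above, added here as an example and not taken from Jan's message: one parses /proc/mdstat text (a constructed sample is embedded) to tell whether the RAID1 resync has finished before losetup/mkfs is layered on top of /dev/md0, the other verifies that the file holding the echoed password carries no group or world read bits. The array name and file path are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post.
# md_is_synced: decide from /proc/mdstat whether an array is fully synced.
# secret_file_ok: check that a file (e.g. the init script with the echoed
# password, or /etc/foo.gpg) is not readable by group or others.

# Constructed sample of /proc/mdstat while md0 is still resyncing.
MDSTAT_SYNCING='Personalities : [raid1]
md0 : active raid1 hdb4[1] hda2[0]
      19534912 blocks [2/2] [UU]
      [===>.................]  resync = 17.4% (3401344/19534912) finish=12.3min speed=21808K/sec
unused devices: <none>'

# Constructed sample after the resync has finished.
MDSTAT_CLEAN='Personalities : [raid1]
md0 : active raid1 hdb4[1] hda2[0]
      19534912 blocks [2/2] [UU]
unused devices: <none>'

# md_is_synced <array> <mdstat text>
# Returns 0 when the array is listed, every member is up ([UU], no "_")
# and no resync/recovery line follows it; returns 1 otherwise.
md_is_synced() {
    array="$1"; text="$2"
    # Keep the lines belonging to this array only (up to the next "mdN :" line).
    block=$(printf '%s\n' "$text" | awk -v a="$array" '
        $1 == a { found = 1; print; next }
        found && /^md/ { exit }
        found { print }')
    [ -n "$block" ] || return 1
    printf '%s\n' "$block" | grep -Eq '\[U+\]' || return 1
    printf '%s\n' "$block" | grep -Eq 'resync|recovery' && return 1
    return 0
}

# secret_file_ok <path>: 0 if the group and other permission bits are all clear.
secret_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    # Columns 5-10 of "ls -l" output are the group and other rwx bits.
    case $(ls -ld "$f" | cut -c5-10) in
        ------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a live system (assumed paths):
#   md_is_synced md0 "$(cat /proc/mdstat)" && echo "md0 synced"
#   secret_file_ok /etc/init.d/checkroot || echo "password file too open"
```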