On Fri, 2009-10-09 at 01:09 +0200, markus reichelt wrote:
> * Fred Gazerblezeebe <fgazerblezeebe@xxxxxxxxx> wrote:
>
> > work, as described in your faq. (Interestingly, 'df' does not list
> > the mount, although I can see it has been mounted with 'ls /var'.)
>
> Hm. df should list them. What does mount say?
>

%mount
/dev/loop5 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)

%df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/loop5             6048352   1759460   3981652  31% /

Neither command shows that /var is mounted, but

%ls /var
account/  cvs/  empty/  lib/    lock/  lost+found/  nis/  preserve/  spool/  yp/
cache/    db/   games/  local/  log/   mail@        opt/  run/       tmp/

Also interesting is the fact that mount lists /dev/loop5 on / as being
mounted rw, yet I'm unable to write to it.

> > However, I don't think leaving unencrypted keys around is a viable
> > solution, and if I could get gpg to create them temporarily during
> > boot, I imagine it would also be able to decrypt them as part of
> > the original commandline in losetup.sh.
>
> Well, since you already have the password to unlock the keys in some
> file in cleartext, it wouldn't make much of a difference in my book.
> But I hear you :)
>

No difference actually; I wasn't thinking clearly last night. Ultimately I
would like to avoid any passwords or plaintext keys lying around, but I'm
taking this one step at a time.

> Just for the record, I've no problems setting up encrypted partitions
> the "echo pw | magic" way via rc.local on my systems (various
> Slackware 12.x & 13.0-64).
>
> I realize that that approach won't work on your specific setup, but
> perhaps you could try the concept on a spare (swap?) partition.
>
> Anyway, someone mentioned on this list (I cannot find the article
> atm) that you can add to the (decrypted) root key additional lines of
> text, e.g. passwords or setup-lines - cos losetup will just take the
> first 65 lines as key input and ignore the rest. Maybe you can script
> something to make good use of that fact and set up additional
> partitions that way instead of going via the classic init-style
> script-approach.
>

I've been working through the archives, but I haven't come across this
yet; I'll keep digging. I'd also been thinking along the lines of
concatenating all of the encrypted keys into a single file that could be
decrypted by entering a single passphrase, and then delivering the
appropriate subsets of lines via some combination of head/tail/awk/etc.

In any case, after much experimentation, I have at least figured out how
to avoid the 'cannot open /dev/tty...' error and decrypt the keyfiles
during boot,

cat <keyfile>.gpg | gpg --decrypt --passphrase "<SUPPRESSED>"

works, so based on the mount commands in your faq

mount -p3 /dev/sda6 /var -o loop=/dev/loop6,encryption=aes128 \
3<keyfile>.plaintxt

-and-

mount /dev/sda6 /var -o loop=/dev/loop6,encryption=aes128,\
cleartextkey=<keyfile>.plaintxt

that do work, I tried the following variations without success

mount -p3 /dev/sda6 /var -o loop=/dev/loop6,encryption=aes128 3<`cat <keyfile>.gpg | gpg --decrypt --passphrase "<SUPPRESSED>"`

which returns the error

`cat <keyfile>.gpg | gpg --decrypt --passphrase "<SUPPRESSED>"`: Ambiguous

and

mount /dev/sda6 /var -o loop=/dev/loop6,encryption=aes128,\
cleartextkey=`cat <keyfile>.gpg | gpg --decrypt --passphrase "<SUPPRESSED>"`

which returns the mount --help text.

So I guess I'm back to trying to solve the issue with gpg and /dev/tty,
which is really what I need to do anyway.

If I haven't said so already, thanks for the suggestions Markus and your
faq; they've been very helpful.

FG

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
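An added example, not code from the thread, from the loop-AES FAQ or from any of the posters, showing the plumbing the message above is reaching for: one gpg-encrypted bundle of concatenated keys is decrypted once at boot, the n-th key is sliced out of the plaintext stream, and the slice is handed to the mount command on file descriptor 3 through a pipe. The `3<\`...\`` form in the message fails because the shell uses the output of the backtick substitution as a file name, which is what the "Ambiguous" redirect error means; a pipe plus `3<&0` avoids that and also never writes plaintext to disk. Assumptions that are not on the page: the mount command accepts `-p3` to read key material from fd 3 (as in the FAQ commands quoted in the message), each key is exactly 65 lines (the size the thread reports losetup reads; `KEY_LINES` is the knob if yours differs), and the passphrase is kept in a root-only file rather than on the command line, where `ps` would expose it. `fake_bundle`, `fd3_consumer` and `check_slice` are constructed test scaffolding so the slicing and fd hand-off can be checked without gpg or a loop device.

```shell
#!/bin/sh
# Added example (not from the thread): decrypt one gpg bundle of loop-AES keys
# at boot and feed the n-th key to mount on fd 3 without touching disk.
# Assumed (not from the page): mount takes "-p3" for key-on-fd-3, keys are
# 65 lines each, the passphrase lives in a root-only file.

KEY_LINES=65

# Print key number $1 (1-based) from a stream of concatenated keys on stdin.
key_slice() {
    n=$1
    start=$(( (n - 1) * $KEY_LINES + 1 ))
    end=$(( n * $KEY_LINES ))
    sed -n "${start},${end}p"
}

# Decrypt the bundle to stdout. --batch and --no-tty stop gpg from opening
# /dev/tty (the boot-time error in the thread); --passphrase-fd 4 reads the
# passphrase from fd 4, which is opened on the passphrase file for gpg only.
decrypt_bundle() {
    bundle=$1
    pwfile=$2
    gpg --batch --no-tty --quiet --passphrase-fd 4 --decrypt "$bundle" 4<"$pwfile"
}

# Run a command with the n-th key readable on its fd 3. A pipe is used instead
# of a backtick substitution, which the shell would treat as a file name.
# Usage: with_key_on_fd3 BUNDLE.gpg PWFILE N cmd args...
with_key_on_fd3() {
    bundle=$1
    pwfile=$2
    n=$3
    shift 3
    decrypt_bundle "$bundle" "$pwfile" | key_slice "$n" | "$@" 3<&0
}

# Boot-time use with the devices from the thread (assumed key/passphrase paths):
#   with_key_on_fd3 /etc/keys/bundle.gpg /etc/keys/pw 2 \
#       mount -p3 /dev/sda6 /var -o loop=/dev/loop6,encryption=aes128

# ---- constructed self-check, no gpg or loop device required ----

# Constructed plaintext "bundle" of $1 keys, each line tagged with its key number.
fake_bundle() {
    k=1
    while [ "$k" -le "$1" ]; do
        i=1
        while [ "$i" -le "$KEY_LINES" ]; do
            echo "key${k}-line${i}"
            i=$((i + 1))
        done
        k=$((k + 1))
    done
}

# Stand-in for mount -p3: read everything on fd 3, report line count and first line.
fd3_consumer() {
    count=0
    first=
    while IFS= read -r line <&3; do
        if [ -z "$first" ]; then
            first=$line
        fi
        count=$((count + 1))
    done
    echo "$count $first"
}

# Slices key 2 out of a 3-key constructed bundle and hands it over on fd 3.
check_slice() {
    fake_bundle 3 | key_slice 2 | fd3_consumer 3<&0
}
```

With GnuPG 2.1 or later the `decrypt_bundle` command line also needs `--pinentry-mode loopback` before `--passphrase-fd` takes effect without an agent prompt; the 2009 thread predates that. Whatever the gpg version, the passphrase file is the remaining secret on disk, which is the point the reply above concedes: this arrangement removes plaintext keys from disk and from `ps` output, but does not remove the need to protect one file.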