Re: start crypto disks at boot and password popup problems

On 22/04/2006 rupert wrote:
> I'm trying to get my crypted disks to be started at boottime.
> I encrypted 3 Harddisks, one for /home and two for data.
> I made a keyfile for each disk that is stored onto a USB Stick,
> when the machine boots and starts /etc/init.d/cryptdisks i get an error
> about that the /home disks uses an unsecure mode and also the USB Stick
> doesn't get mounted correctly (can fix this by myself i think).

hello rupert,

i assume that your usbstick has a fat32 filesystem on it, and that one
doesn't support file permissions. therefore the key on your usbstick is
readable and writeable by everyone, and cryptdisks just warns you about
that. it is only a warning though, not an error.
in the next release that will be turned off by default. the "loud" option
will support warnings.

> I had to edit the init script like this:

the next upload of cryptsetup supports a "mount" option in the crypttab.
it will be uploaded to debian/unstable within the next days. see the
crypttab.5 manpage for more information.

> --schnipp--
> case "$1" in
> start)
>         log_begin_msg "Starting crypto disks..."
> #edit
> mount /dev/sdb1 /media/hdd1
> sleep 1
> cryptsetup luksOpen -d /media/hdd1/home.key /dev/hda1 hda1
> sleep 2
> cryptsetup luksOpen -d /media/hdd1/Daten.key /dev/sda1 Daten
> sleep 1
> cryptsetup luksOpen -d /media/hdd1/MoreData.key /dev/hdb1 MoreData
> sleep 1
> umount /media/hdd1
> 
> #edit end
>         egrep -v "^[[:space:]]*(#|$)" $TABFILE | while read dst src key opt; do
>                 echo -n " $dst"
> --schnapp--

you don't need to run cryptsetup manually in the initscript. just mount
/dev/sdb1 and set the keyfiles to '/media/hdd/*.key' in your
/etc/crypttab. the sleeps are unnecessary too. that will do everything. 

> when i run this script manually most of the times everything gets done ok, I
> have two keys for home, sometimes changing it here and in crypttab does the
> job.
> 
> this is my crypttab:
> 
> hda1            /dev/hda1  /media/STICK/hda1.key
> Daten           /dev/sda1  /media/STICK/Daten.key  luks,retry=3,cipher=aes-cbc-essiv:sha256
> MoreData        /dev/hdb1  /media/STICK/MoreData.key  luks,retry=3,cipher=aes-cbc-essiv:sha256

update the keyfiles to point to their real location (in your example above
this seems to be /media/hdd1, not /media/STICK).
apart from that, it looks good.

as already said, you don't need to run cryptsetup manually in the
initscript, if you have listed the encrypted disks in /etc/crypttab.

> The other annoying problem is that i get some popups during gnome startup to
> enter the passwords for the already initialized encrypted Disks,
> can i stop this somehow?

i don't know how this is generated, but maybe it's due to the wrong
keyfile locations in /etc/crypttab. no idea about that one.

> thx for help, not many people on this list, but I hope someone reads this

sorry for the long delay before answering.

...
 jonas
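
An added example, not part of the original message or of the cryptsetup package: a shell check for the two problems discussed in this reply, crypttab key-file paths that do not match where the stick is mounted, and key files accessible to other users. It assumes GNU stat (as on Debian); `check_crypttab`, `demo` and the sample files are hypothetical names constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the key-file column of a crypttab.
# Assumes GNU stat (as on Debian). Prints one line per problem; returns 1 if any.
check_crypttab() {
    tabfile=$1
    status=0
    # Fields follow the order the quoted init script reads: dst src key opt.
    while read -r dst src key opt; do
        case "$dst" in ""|\#*) continue ;; esac      # blank line or comment
        case "$key" in ""|none) continue ;; esac     # no key file configured
        if [ ! -f "$key" ]; then
            echo "$dst: key file $key not found (stick mounted elsewhere?)"
            status=1
            continue
        fi
        mode=$(stat -c %a "$key")
        # Any group/other permission bit set means other local users can
        # reach the key. FAT32 cannot store modes, so the mount decides them.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$dst: key file $key has mode $mode, accessible beyond its owner"
            status=1
        fi
    done < "$tabfile"
    return "$status"
}

# Constructed demo: a throwaway directory stands in for the mounted stick.
demo() {
    d=$(mktemp -d)
    printf 'constructed-key' > "$d/hda1.key";  chmod 600 "$d/hda1.key"
    printf 'constructed-key' > "$d/Daten.key"; chmod 644 "$d/Daten.key"
    cat > "$d/crypttab" <<EOF
# constructed sample, modelled on the crypttab quoted above
hda1      /dev/hda1  $d/hda1.key      luks
Daten     /dev/sda1  $d/Daten.key     luks,retry=3,cipher=aes-cbc-essiv:sha256
MoreData  /dev/hdb1  $d/MoreData.key  luks,retry=3,cipher=aes-cbc-essiv:sha256
EOF
    check_crypttab "$d/crypttab"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

On a vfat stick the reported mode comes from the mount options (umask, fmask, dmask), so a finding there is fixed in how the stick is mounted rather than with chmod.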
