On Fri, Feb 06, 2009 at 06:22:46PM -0800, Ross Boylan wrote:
> I am interested in encrypting some, but not all, of my partitions. If I
> use the same pass-phrase for each partition, will I only have to answer
> one prompt to unlock all of them?

Only if you write a wrapper that does all the individual calls
per partition with this one passphrase.

> Actually, when and how do I have to supply the pass-phrase?

When you call cryptsetup.

> I've
> encrypted the whole disk before, and I get prompted at boot time.
> http://www.saout.de/tikiwiki/tiki-index.php?page=HOWTO makes it sound as
> if the story is the same for partitions, at least if I
> configure /etc/fstab and /etc/crypttab a certain way.

Depends on your distro, I guess. Behind the stage, there is
always a call to cryptsetup (or equivalent direct device-mapper
operations). The question at boot time is just a wrapper-script.
What potential automatisation is already in place depends on
your distribution.

To give you an idea how cryptsetup works: In order to set-up
/dev/sda5 with passphrase "abcd", and the decrypted device
mapped to /dev/mapper/c5, and mounted on /mnt do the following:

  prompt> cryptsetup create c5 /dev/sda5
  <asks interactively for passphrase>
  prompt> mount /dev/mapper/c5 /mnt

You can also pipe in the passphrase:

  echo "abcd" | cryptsetup create c5 /dev/sda5

You should not do this on the prompt except for experiments.
The problem is that the passphrase will end up in the shell
history and likely on disk. Not good.

In any case the passphrase will end up in memory, but there
is not really a lot that can be done about it. The usual hope
is that the input/file buffers will be overwritten pretty
fast anyways. The second thing is that getting it from memory
would likely require root access and that people with root
access can simply install a backdoor and wait for you to
enter your passphrase....

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
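
A sketch of the kind of wrapper the reply describes, added here as an example and not taken from the original message or from cryptsetup itself: it prompts once with terminal echo off, then pipes the same passphrase into one "cryptsetup create" call per partition, so the passphrase never appears in the shell history. The function names, the CRYPTSETUP override variable and the name:device argument format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: one passphrase prompt, several dm-crypt mappings.
# Usage (hypothetical script name): sh unlock.sh c5:/dev/sda5 c6:/dev/sda6

# Command to invoke; overridable so the logic can be exercised without root.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}

# Prompt once with echo disabled; the result is left in PASSPHRASE.
read_passphrase() {
    printf 'Passphrase: ' >&2
    trap 'stty echo; exit 1' INT TERM   # restore echo if interrupted
    stty -echo
    IFS= read -r PASSPHRASE
    stty echo
    trap - INT TERM
    printf '\n' >&2
}

# unlock_all PASSPHRASE name:device [name:device ...]
# Returns the number of partitions that could not be set up.
unlock_all() {
    pass=$1
    shift
    failed=0
    for pair in "$@"; do
        name=${pair%%:*}    # mapping name, e.g. c5
        dev=${pair#*:}      # block device, e.g. /dev/sda5
        # printf is a builtin in bash and dash, so the passphrase is
        # written to the pipe and not placed on any command line.
        if printf '%s\n' "$pass" | "$CRYPTSETUP" create "$name" "$dev"; then
            echo "set up $dev as /dev/mapper/$name" >&2
        else
            echo "failed to set up $dev" >&2
            failed=$((failed + 1))
        fi
    done
    unset pass
    return "$failed"
}

main() {
    read_passphrase
    unlock_all "$PASSPHRASE" "$@"
    rc=$?
    unset PASSPHRASE
    return "$rc"
}

# Only prompt and run when name:device arguments are given.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Mounting is left out; each mapping can be mounted afterwards as in the message above (mount /dev/mapper/c5 /mnt).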