My apologies to Christophe for sending this to the bounce address; I have recently changed my email client and I am still getting my settings how I want them.

Ross, I have a setup like that where my root partition contains a /etc/crypt file where I keep keys. After my root partition is decrypted I use the keys in my /etc/crypt folder to decrypt my home partition, although you could have it do as many partitions as you wanted. I do this in the same part of the init process where I activate my swap. I do this mainly because I like having my home directory separate from my root partition and I don't want to have to enter two passwords at once. The key I use is 1MB generated from /dev/random; it takes a while to generate the key, but if you want I can send you the really simple script I use to generate them. As I use LUKS I have my password on my home directory in the second slot, in case my root partition ever became corrupted and I didn't have access to the key.

Here is the relevant part of my /etc/init.d/localmount; I kept the swap activation part in just for reference of where I placed the code:

ebegin "Activating encrypted swap"
#added to enable encrypted swap
unset open_loop_dev
open_loop_dev="$(/sbin/losetup -f)"
/sbin/losetup "${open_loop_dev}" /swap.lpb &> /dev/null
# swap key comes straight from /dev/urandom, so it is fresh on every boot
/sbin/cryptsetup -c aes-xts-essiv:sha256 -s 512 -h sha512 -d /dev/urandom create swap "${open_loop_dev}" &> /dev/null
/sbin/mkswap /dev/mapper/swap &> /dev/null
/sbin/swapon -a &> /dev/null
# report swapon's status before the variable is dropped
eend $?
unset open_loop_dev
#added to enable encrypted home
ebegin "Mounting encrypted home directory"
/sbin/cryptsetup luksOpen /dev/sda4 home --key-file /etc/crypt/home.key &> /dev/null
/bin/mount /dev/mapper/home /home &> /dev/null
#added to make sure if there is a crash jfs will recover
if [ -z "$(/bin/mount | grep /dev/mapper/home 2> /dev/null )" ]; then
    /sbin/fsck.jfs /dev/mapper/home
    /bin/mount /dev/mapper/home /home &> /dev/null
fi
if [ -z "$(/bin/mount | grep /dev/mapper/home 2> /dev/null )" ]; then
    /sbin/fsck.jfs -afv /dev/mapper/home
    /bin/mount /dev/mapper/home /home &> /dev/null
fi
eend $?

Ross Boylan wrote:
> Someone referred recently to a scenario in which a human would type in
> the password for the root partition, and then the passwords for the
> other partitions would come from a file in /etc.
>
> Could anyone provide some more details about how that would work, and
> whether it is advisable? Clearly someone with access to the live system
> could get the passwords for all but root, and someone who, e.g., stole
> the disk, would only need to crack one password. I think those limits
> would be acceptable to me; are there others?
>
> It is useful for me to have quite a few partitions (I've just discovered
> I need more so I can control mount options better), and typing in a
> whole bunch of passwords on boot is pretty tedious.
>
> Thanks.
> Ross Boylan
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
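An added example, not the script from the mail above and not code from the dm-crypt project, that puts the described setup into one small script: a root-only keyfile under /etc/crypt, enrolled in a LUKS slot next to the passphrase that stays as the fallback, and a boot-time unlock with the fsck fallback. KEYFILE, HOME_DEV and MAPPER are placeholders; /dev/urandom replaces the mail's /dev/random so key generation finishes immediately.

```shell
#!/bin/sh
# Added example (not the mail's localmount code). A keyfile kept on the
# already-unlocked root partition unlocks /home at boot; a passphrase in a
# second LUKS slot remains the recovery path if root is ever lost.
# KEYFILE, HOME_DEV and MAPPER are placeholders. make_keyfile needs neither
# root nor cryptsetup; enroll_keyfile and mount_home need both.
set -e

KEYFILE=/etc/crypt/home.key   # lives on the encrypted root, so it is unreadable once root is locked
HOME_DEV=/dev/sda4            # placeholder device, as in the mail
MAPPER=home

# Create a 1 MiB random keyfile that only root can read. The umask is the
# important part: the file unlocks /home outright, so it must be 0600 in a
# 0700 directory from the moment it exists, not chmod'ed afterwards.
make_keyfile() {
    [ ! -e "$1" ] || return 1          # never silently overwrite an enrolled key
    dir=$(dirname "$1")
    mkdir -p "$dir" && chmod 700 "$dir"
    ( umask 077; dd if=/dev/urandom of="$1" bs=1024 count=1024 2>/dev/null )
    # refuse to go on if the result is the wrong size or too permissive
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 1048576 ] || return 1
    [ -n "$(find "$1" -perm 600)" ] || return 1
}

# Add the keyfile to a free slot. cryptsetup prompts for an existing
# passphrase, which stays enrolled as the fallback described in the mail.
enroll_keyfile() {
    cryptsetup luksAddKey "$HOME_DEV" "$KEYFILE"
}

# Boot-time unlock and mount with one fsck fallback, the same idea as the
# localmount snippet but verifying the mount with mountpoint(1), not grep.
mount_home() {
    cryptsetup luksOpen "$HOME_DEV" "$MAPPER" --key-file "$KEYFILE"
    if ! mount "/dev/mapper/$MAPPER" /home 2>/dev/null; then
        fsck.jfs -a "/dev/mapper/$MAPPER"
        mount "/dev/mapper/$MAPPER" /home
    fi
    mountpoint -q /home
}

case "${1:-}" in
    keygen) make_keyfile "$KEYFILE" ;;
    enroll) enroll_keyfile ;;
    mount)  mount_home ;;
esac
```

Run it as `keygen`, then `enroll` (which asks for the existing passphrase), and call `mount` from the same place in localmount where the swap is activated.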