Re: type one password, get many

hello,

On 14/08/2009 Ross Boylan wrote:
> On Fri, 2009-08-14 at 10:19 -0700, Ross Boylan wrote:
> > Someone referred recently to a scenario in which a human would type in
> > the password for the root partition, and then the passwords for the
> > other partitions would come from a file in /etc.
> > 
> > Could anyone provide some more details about how that would work, and
> > whether it is advisable?  Clearly someone with access to the live system
> > could get the passwords for all but root, and someone who, e.g., stole
> > the disk, would only need to crack one password.  I think those limits
> > would be acceptable to me; are there others?
> I think unless I'm careful I'll end up with an unencrypted initrd that
> includes a file with the passwords.  So I need either to make the boot
> partition the one with the user-entered password, or eliminate the
> file(s) with the secrets from the initrd.
> 
> Debian has a file /etc/crypttab that supports automounting, but I'll have
> to dig around to see how this interacts with the initrd framework (I'm
> running Lenny).

neither crypt keys nor passwords are stored in the initramfs. you don't
even need cryptsetup magic in the initramfs for encrypted non-root
partitions. the only partition that needs to be decrypted within the
initramfs is the root partition.

all other partitions are decrypted later in the boot process, when the
root filesystem is already mounted. thus storing the keyfiles for
encrypted user filesystems on the root filesystem works well.

greetings,
 jonas
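
The layout described in this reply can be checked mechanically. The following is an added example, not part of the original message or of Debian's cryptsetup tooling: it audits crypttab text so that the root mapping prompts for its passphrase and every other keyfile sits off the unencrypted boot area with owner-only permissions. The mapping names, UUIDs, the `/boot` prefix list and the `audit_crypttab` helper are assumptions made for illustration.

```python
import os
import stat

# Constructed sample in crypttab layout: <target> <source> <key file> <options>
SAMPLE = """\
# constructed example, not from the original thread
root_crypt  UUID=1111  none                 luks
swap_crypt  /dev/sda3  /dev/urandom         swap
data_crypt  UUID=2222  /boot/keys/data.key  luks
"""

def audit_crypttab(text, root_target, unencrypted=("/boot",)):
    """Return a list of (target, problem) findings for crypttab text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        target = fields[0]
        key = fields[2] if len(fields) > 2 else "none"
        if target == root_target:
            # Root is opened inside the initramfs, so its key is typed, never stored.
            if key != "none":
                findings.append((target, "root mapping should prompt (key field 'none')"))
            continue
        if key == "none" or key.startswith("/dev/"):
            continue  # typed passphrase, or a device such as /dev/urandom for swap
        if any(key.startswith(p.rstrip("/") + "/") for p in unencrypted):
            findings.append((target, "keyfile is on an unencrypted location: " + key))
            continue
        try:
            st = os.stat(key)
        except OSError:
            findings.append((target, "keyfile missing: " + key))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((target, "keyfile is not a regular file: " + key))
        elif stat.S_IMODE(st.st_mode) & 0o077:
            findings.append((target, "keyfile readable by group/other: " + key))
    return findings

if __name__ == "__main__":
    for target, problem in audit_crypttab(SAMPLE, "root_crypt"):
        print(f"{target}: {problem}")
```
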


_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
