On Wed, 2009-11-11 at 06:42 -0600, Jack Byer wrote:
> I am currently using a luks-formatted software raid device made up of
> four hard drives as a boot device. My initramfs first runs mdadm to
> assemble the raid device and then runs cryptsetup to decrypt the
> volume.
>
> I want to experiment with the raid features of btrfs while still using
> encryption, but that means that I will need to encrypt each drive
> individually. If I use luks as normal that means entering four
> passphrases every time the system boots. I could get around this by
> using an external key and encrypting it via GPG, but this has a few
> downsides: it's easier to lose the key, the GPG passphrase interface
> does not allow for passphrase retries and including GPG makes the
> initramfs larger.
>
> What I would like to do is use the kernel keyring capability
> (CONFIG_KEYS) so that I could enter the passphrase for the first
> device and have cryptsetup use that stored key for the other three
> devices. Is there any way to enable this functionality?

I tried various approaches to this problem, and finally settled on an
encrypted root partition that held the keys to the other partitions.
That way I supply a password to get into the system, and the other
partitions are automatically decrypted. Debian makes this easy by
putting entries in /etc/crypttab; other distributions may require
different/harder approaches to the automatic decryption.

I didn't try the kernel keyring; in fact, I'm curious to know what it
is.

Ross

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
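
The layout described in the reply above (a passphrase-protected root volume holding key files that unlock the remaining volumes through /etc/crypttab) makes those key files the thing to protect. As an added example, not part of the original message: a shell audit that flags any crypttab key file that is missing or readable by group or others. The volume names, devices and key paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: audit the key files named in a crypttab-style file.
# crypttab(5) fields: <name> <source device> <key file> <options>

# Print "name keyfile" for each entry unlocked from a key file.
# "none" or "-" in field 3 means the passphrase is typed at boot.
keyfile_entries() {
    awk '$1 !~ /^#/ && NF >= 3 && $3 != "none" && $3 != "-" { print $1, $3 }' "$1"
}

# Succeed only for a regular file with no group/other permission bits.
keyfile_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# One status line per entry; non-zero exit if any key file is missing or exposed.
audit_crypttab() {
    rc=0
    while read -r name keyfile; do
        [ -n "$name" ] || continue
        if keyfile_is_private "$keyfile"; then
            echo "ok      $name $keyfile"
        else
            echo "EXPOSED $name $keyfile"; rc=1
        fi
    done <<EOF
$(keyfile_entries "$1")
EOF
    return "$rc"
}

# Constructed sample: root asks for a passphrase, the other three volumes
# use key files (names, devices and paths are made up for this demo).
make_sample() {
    d=$(mktemp -d) || return 1
    for n in 1 2 3; do : > "$d/data$n.key"; chmod 0400 "$d/data$n.key"; done
    chmod 0644 "$d/data3.key"   # deliberately world-readable
    cat > "$d/crypttab" <<EOF
# <name>  <device>   <key file>      <options>
cryptroot /dev/sda2  none            luks
data1     /dev/sdb1  $d/data1.key    luks
data2     /dev/sdc1  $d/data2.key    luks
data3     /dev/sdd1  $d/data3.key    luks
EOF
    echo "$d"
}

sample=$(make_sample) && { audit_crypttab "$sample/crypttab" || echo "audit failed"; }
```

On a real system the function would be called as `audit_crypttab /etc/crypttab`; the check looks only at permission bits, so file ownership and the permissions of the containing directory still need a separate look.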