Hi Arno, On Fri, June 26, 2015 14:30, Arno Wagner wrote: > Hi Arbiel, > > I think you have some misunderstanding here: crypttab does > not work for encrypted system, as it is on that encrypted system > itself (catch-22). Conceptually yes, well, kinda. Usually crypttab ends up in the initram/rd and should be available during early boot > > In order to have an encrypted system partition, you need some > mechanism in the initrd to read your passphrase. What form that > mechanism takes depends on the distribution you are using. Exactly, so it all is distribution specific. If the distribution builds initram/rd with cryptsetup+tab and has all the necesary meat around the bones crypttab is the right place. But the info the OP is looking for will be coming with his distribution and is only loosely related to cryptsetup itself. > > My advice is to not encrypt the system partition itself, just > all user and data partitions. An "evil Maid" attacker can get > into your boot process anyways. Disk encryption really only > protects against encrypted devices being stolen while not > mapped (machine is off, e.g.). A good advice, esp. for less experienced users. Even when the distribution makes it a piece of cake to set up, once it fails, it bakfires hard on inexperienced users. > > Gr"usse, > Arno > > Regards -Sven > > > On Thu, Jun 25, 2015 at 16:57:33 CEST, Arbiel (gmx) wrote: >> Hi >> >> I decided to use a 512-byte randomly generated passphrase to crypt my >> system partition. I recorded this passphrase on a removable device (USB >> key) and correctly wrote the crypttab and fstab files and updated my >> initrd.img for all this to work. >> >> I am anxious now to replicate my passphrase on additionnal USB keys, in >> case my primary USB key get lost or damaged. >> >> For some reasons, I cannot name all partitions where my passphrase will >> be recorded with a unique label. >> >> I tried to write several lines in the crypttab file for defining as many >> passphrase locations as necessary such as >> root UUID=uuid /dev/disk/by-label/USBkey1/passphrase:x >> luks,keyscript=/lib/cryptsetup/scripts/passdev >> root UUID=uuid /dev/disk/by-label/USBkey2/passphrase:x >> luks,keyscript=/lib/cryptsetup/scripts/passdev >> and so on, but this does not work. >> >> I thank in advance anybody who can advise me on how to solve this issue. >> >> Arbiel >> > > > >> _______________________________________________ >> dm-crypt mailing list >> dm-crypt@xxxxxxxx >> http://www.saout.de/mailman/listinfo/dm-crypt > > > -- > Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx > GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D > 9718 > ---- > A good decision is based on knowledge and not on numbers. -- Plato > > If it's in the news, don't worry about it. The very definition of > "news" is "something that hardly ever happens." -- Bruce Schneier > _______________________________________________ > dm-crypt mailing list > dm-crypt@xxxxxxxx > http://www.saout.de/mailman/listinfo/dm-crypt > _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
