On Mon, 16 Aug 2004 12:54, "W. Michael Petullo" <mike@xxxxxxxx> wrote: > I have a patch here locally (not yet in bugzilla) that works with mkinitrd > 4.0.5 and the new initramfs code. I am working towards allowing folks > to unlock their root disk using a USB-device-hosted key, passphrase or > hexified key. I don't think that a USB hosted key is worth doing. If you have only the key on the USB device then someone who gains temporary access to your machine can replace the kernel and/or initrd to compromise the machine later. If you are using USB then I think it's best to boot from USB and read no unencrypted data from the disk apart from the partition table. It seems that all new hardware supports booting from USB and it seems impossible to purchase a USB device smaller than 32M. So there's no reason not to just boot from USB (IMHO). > In order for this all to be taken seriously I think anaconda needs to be > modified to create an encrypted root at install time. The anaconda folks > have balked at additions in the past because the partition interface is > already quite complicated. So a clever and simple interface would > be necessary. We can't expect anyone to do anything for anaconda until after mkinitrd etc have already got support. The anaconda work may be the hardest part of this and we can't expect them to do the hard work before we do the easy work! Converting an installation that has an unencrypted root fs to have an encrypted root fs is not particularly difficult once the mkinitrd issues are solved. You just have to boot in single-user mode, create a new LV, run cryptsetup, and then use dd to copy the data across. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
