On Mon, 2004-07-05 at 19:00, mike@xxxxxxxx wrote: > > - encrypted file system partitions or logical volumes > > I am working on implementing encrypted root filesystem support to mkinitrd. > See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124789 for more > information and an patch. I looked at the patch any I see the problem that you need to call mkinitrd with certain arguments in order for this to work. This should just kind of determine the parameters (i.e. read them from a config file written while creating the encrypted root device) used on the current root fs and apply them automatically so that calls to mkinitrd from e.g. the kernel pkgs' %post scripts work. > > - user owned encrypted storage (encrypted loop devices, can substitute > > encrypted directories to a certain degree) > > This can be implemented pretty nicely using pam_mount > (http://www.flyn.org/projects/pam_mount/index.html) because pam_mount can > unlock filesystems at login time using a user's system authentication token. > An article I wrote for the Linux Journal on the subject of encrypted home > directories is available at http://www.flyn.org/docs/ehd.pdf. Note that > there have been some changes to pam_mount since the article's publication > last year. I was thinking of a slightly different thing, i.e. you only mount the encrypted, potentially sensitive stuff when you need it and you definitely don't want it to be unlocked for everyone who -- by whatever means -- knows your login password. So these two cases need to be treated differently as well, though I like your implementing support for the key to be on e.g. a USB stick, this would be helpful for what I described, too. > There is also an active bug that asks for encrypted filesystem support in > general: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=56698. This would basically be "discussing this outside of fedora-devel-list", i.e. getting a sensible interface somewhere upstream (in this instance, extending mount to deal with encrypted file systems). Nils -- Nils Philippsen / Red Hat / nphilipp@xxxxxxxxxx "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- B. Franklin, 1759 PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
Attachment:
signature.asc
Description: This is a digitally signed message part
