I don't think this is such a good idea as having the crypto keys
reside in the same place as the kernel would completely defeats the
purpose of using crypto devices.
It does not. You can have kernel and initramfs on removable media. You
have this media secure and don't need separate media for keys. It's
even more secure than having kernel and initramfs on harddrive because
it protects you from case when someone replaces your initramfs to stole
the key (e.g. sends to some remote machine).
And of course keys inside initramfs will be optional extra solution.
Good point - I haven't thought of that, it makes sense then.
I hope I've answered to your concerns above in previous e-mail.
I did a reply - there are 2 configuration files in order to run/read
tokens and these configuration files should be easily tailored to each
user's settings without the need to rebuilt initrd.
One other thing I forgot to mention in my last post that with the
proposed parameter changes there is a third possible scenario with the
password authentication, in which case, the format of the parameter in
the kernel would simply be:
c) rd.luks.<luks_uuid>[=]
You don't have to specify anything for password scenario. root=<dev> is
just enough. Have you tried using crypt module?
I am using dracut-006 (I think - the last which comes out of FC13
repository) and currently I have to specify rd_LUKS_UUID=luks-<UUID> in
order to make it work, which is not very convenient.
--
To unsubscribe from this list: send the line "unsubscribe initramfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
