Re: [PATCH] 90crypt: keys on external devices support

  rd.luks.key=<key_path>:<key_dev>:<key_dev_fs>:<luks_dev>
I still think the reversed form makes it better (when you look for a file you first look for a device, then a directory and then the file itself, not the other way around), but you are the rd.luks.key expert so it is up to you really how you are going to organise it. :-)

That's my two pence worth.


But it would be cool if you got an idea how to do it without extra configs
from outside.  Maybe it's possible to perform some settings guesses on
run-time?
I'll see what I can do - there are (at least) two additional processes which need to be running (that is, in addition to pkcs11-tool/pkcs15-tool, which is responsible for fetching the key data from the token itself) and they are all dependent on what is in those two config files, as that would require different modules (.ko files) to be loaded in order for this operation to succeed.

I have to spend some time and determine what I can leave out (i.e. run a bare-bones system configuration and start from there). As of right now, my hunch is that it *may* be possible to specify some core parameters to be included as part of the rd.luks.token syntax, but I am not at all sure if that is going to be enough - further analysis is needed, which I would probably do over the weekend when I have more time (I am not a student as you, unfortunately ;-) ) ...


One other query related to this: if I want to use crypttab for my root
(/) partition how is that handled by dracut?

Password support only for now, but I'm gonna extend it.
That is the problem though - there is no way you can have crypttab for root as there is nowhere to put it in, other than outside initrd or hard-code it in initrd in which case once there it cannot be changed. For all other partitions the solution is simple - use root, but for (encrypted) root itself the options are rather limited.