| 1 |
Dirk Heinrichs writes: |
| 2 |
|
| 3 |
> Am Samstag 04 Juli 2009 14:51:54 schrieb Alex Schuster: |
| 4 |
> > Dirk Heinrichs writes: |
| 5 |
> > > having said that, you can even do w/o |
| 6 |
> > > initramfs, just put everything into /boot (which should be a separate |
| 7 |
> > > partition, then). Again, see my reply to David for the details. |
| 8 |
> > |
| 9 |
> > Interesting. Getting rid of initramfs looks like a simpler approach, no |
| 10 |
> > need to fiddle with cpio in order to change things. |
| 11 |
> |
| 12 |
> Also with initramfs, you don't need to fiddle with cpio. The kernel build |
| 13 |
> system does this for you. |
| 14 |
|
| 15 |
Right. But at my first attempts I had some problems, and investigated them |
| 16 |
by looking into /init in the initramfs. In order to understand this stuff, I |
| 17 |
need to see it :) |
| 18 |
|
| 19 |
|
| 20 |
> > I do not want to have to enter a password every time my machine boots, |
| 21 |
> > so I put the key onto a stick. |
| 22 |
> |
| 23 |
> And how do you protect the key on the stick? What if you loose it? |
| 24 |
|
| 25 |
It's a long sentence from The Hichhiker's Guide To The Galaxy I can find |
| 26 |
again. And meanwhile I also have a gpg-encrypted backup of the stick's |
| 27 |
partition somewhere. |
| 28 |
|
| 29 |
|
| 30 |
> > And simply made it the same for all |
| 31 |
> > partitions. And while I was at it, for maximum security, I also put |
| 32 |
> > /boot onto the stick. Sure, who would ever break into my house and |
| 33 |
> > modify my boot partition, replacing the kernel with kernel+keylogger or |
| 34 |
> > such... but then, I would probably also not need to encrypt my stuff at |
| 35 |
> > all. |
| 36 |
> |
| 37 |
> Encryption doesn't protect a _running_ system, because then, all needed |
| 38 |
> LVs are readable. |
| 39 |
|
| 40 |
By me only. And when I leave, the screensaver kicks in and asks for a |
| 41 |
password. |
| 42 |
|
| 43 |
> It only protects the system while switched of (so that |
| 44 |
> an attacker can not acces your data after stealing the entire system, or |
| 45 |
> after you sold your harddisk). |
| 46 |
|
| 47 |
Right. |
| 48 |
|
| 49 |
> > > Then you did something wrong. It works out of the box. |
| 50 |
> > |
| 51 |
> > Really? I know it does for root and swap (it works here), but how do I |
| 52 |
> > tell the system to also luskOpen all my other LVM volumes? |
| 53 |
> |
| 54 |
> By listing them in /etc/conf.d/dmcrypt. |
| 55 |
|
| 56 |
Oh, thanks. I overlooked this. Did not find this mentioned in any of the |
| 57 |
guides I read, and I thought it only belonged to /etc/nit.d/dm-crypt, which |
| 58 |
is for baselayout 2. But I should have found it being used while editing |
| 59 |
/lib/rcscripts/addons/dm-crypt-start.sh. |
| 60 |
|
| 61 |
I think I will try that, then. With a little modification, I will try to add |
| 62 |
a & after dm_crypt_execute_${SVCNAME}, so all LVMs will be opened in |
| 63 |
parallel. Otherwise it takes a second for each LVM, and I have 12 of them. |
| 64 |
|
| 65 |
Wonko |
Archives