Dirk Heinrichs writes:

> On Saturday 04 July 2009 14:51:54 Alex Schuster wrote:
> > Dirk Heinrichs writes:
> > > having said that, you can even do w/o
> > > initramfs, just put everything into /boot (which should be a separate
> > > partition, then). Again, see my reply to David for the details.
> >
> > Interesting. Getting rid of initramfs looks like a simpler approach, no
> > need to fiddle with cpio in order to change things.
>
> Also with initramfs, you don't need to fiddle with cpio. The kernel build
> system does this for you.

Right. But at my first attempts I had some problems, and investigated them
by looking into /init in the initramfs. In order to understand this stuff, I
need to see it :)


> > I do not want to have to enter a password every time my machine boots,
> > so I put the key onto a stick.
>
> And how do you protect the key on the stick? What if you lose it?

It's a long sentence from The Hitchhiker's Guide To The Galaxy I can find
again. And meanwhile I also have a gpg-encrypted backup of the stick's
partition somewhere.


> > And simply made it the same for all
> > partitions. And while I was at it, for maximum security, I also put
> > /boot onto the stick. Sure, who would ever break into my house and
> > modify my boot partition, replacing the kernel with kernel+keylogger or
> > such... but then, I would probably also not need to encrypt my stuff at
> > all.
>
> Encryption doesn't protect a _running_ system, because then, all needed
> LVs are readable.

By me only. And when I leave, the screensaver kicks in and asks for a
password.

> It only protects the system while switched off (so that
> an attacker can not access your data after stealing the entire system, or
> after you sold your harddisk).

Right.

> > > Then you did something wrong. It works out of the box.
> >
> > Really? I know it does for root and swap (it works here), but how do I
> > tell the system to also luksOpen all my other LVM volumes?
>
> By listing them in /etc/conf.d/dmcrypt.

Oh, thanks. I overlooked this. Did not find this mentioned in any of the
guides I read, and I thought it only belonged to /etc/init.d/dm-crypt, which
is for baselayout 2. But I should have found it being used while editing
/lib/rcscripts/addons/dm-crypt-start.sh.

I think I will try that, then. With a little modification, I will try to add
a & after dm_crypt_execute_${SVCNAME}, so all LVMs will be opened in
parallel. Otherwise it takes a second for each LVM, and I have 12 of them.

Wonko
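The parallel-open idea from the last paragraph, as an added example that is neither from this thread nor from Gentoo's dm-crypt-start.sh: open_volume is a constructed stand-in for the real per-volume step (no cryptsetup, no root, a name starting with "bad" simply fails), and the point it shows is that putting a & after each open only works safely if the script then waits for every child and collects its exit status, otherwise failures are lost and the boot continues before the mappings exist.

```shell
# Constructed stand-in for dm_crypt_execute_${SVCNAME}: the real step would
# run cryptsetup luksOpen with the key from the stick. Here a volume whose
# name starts with "bad" fails, so the error path can be exercised offline.
open_volume() {
    vol=$1
    sleep 0.2
    case "$vol" in
        bad*) return 1 ;;
        *)    return 0 ;;
    esac
}

# Open all volumes in $1 (whitespace-separated) concurrently. Each child is
# backgrounded, its PID remembered, and then waited for individually so that
# (a) the caller does not return before every mapping is set up and
# (b) a single failed luksOpen still makes the whole step fail loudly.
# Returns 0 if every volume opened, 1 otherwise (names listed on stderr).
open_all_parallel() {
    pids=""
    failed=""
    for vol in $1; do
        open_volume "$vol" &
        pids="$pids $!:$vol"
    done
    for entry in $pids; do
        pid=${entry%%:*}
        vol=${entry#*:}
        # wait <pid> yields that child's exit status in POSIX sh
        if ! wait "$pid"; then
            failed="$failed $vol"
        fi
    done
    failed=${failed# }
    if [ -z "$failed" ]; then
        return 0
    fi
    echo "failed to open:$failed" >&2
    return 1
}
```

With twelve volumes the wall-clock cost is roughly one open, not twelve, while the exit status still reflects every volume.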