On Sunday, 05 July 2009 20:26:23, Alex Schuster wrote:

> > The LUKS key isn't stored as cleartext, it's encrypted.
>
> Um, I mean the passphrase I specify with --key-file to cryptsetup. Or the one
> that would be asked for at the prompt if I didn't give it.

OK, now I get it. But those are two different beasts. The keyfile is usually one
that consists of random data (created by reading from /dev/urandom). If you
don't protect that by some means, you don't gain any security.

The one you're asked for at the prompt is more like a password/passphrase.

So here's what I do, as an example:

I've got a small unencrypted /boot which holds the kernel and enough Linux to
open the LUKS-encrypted root LV. So I'm prompted for the passphrase to unlock
it. Once unlocked and mounted, I get access to the random-data keyfile stored
in /etc which is used to unlock all other LVs automatically.

Bye...

Dirk
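The two-stage setup Dirk describes (passphrase for the root LV, a random keyfile kept on that unlocked root for the remaining LVs), as an added shell example that is not part of the mail and not Dirk's own scripts. The device name /dev/vg0/data, the mapper name "data", the keyfile path /etc/luks/data.key and the use of /etc/crypttab for automatic unlocking are all assumptions; the mail does not say which init scripts or names are in use. The security point it enforces is the one from the mail: the keyfile is only as protected as the filesystem it lives on, so it is created with root-only permissions and must sit on the passphrase-protected root, never on the unencrypted /boot.

```shell
#!/bin/sh
# Added example, not from the original mail. Names below are assumptions.
KEYDIR=/etc/luks               # assumed: on the LUKS-encrypted root, not /boot
KEYFILE="$KEYDIR/data.key"     # assumed keyfile name
DEVICE=/dev/vg0/data           # assumed LV carrying the second LUKS volume
MAPPER=data                    # assumed name to appear under /dev/mapper

# Create a 4096-byte keyfile of random data, readable only by root.
# umask is set before the file is created so it is never world-readable,
# not even for the instant between creation and chmod.
make_keyfile() {
    keyfile=$1
    mkdir -p "$(dirname "$keyfile")" || return 1
    ( umask 077 && head -c 4096 /dev/urandom > "$keyfile" ) || return 1
    chmod 0400 "$keyfile"
}

# Sanity check: the file exists, is exactly 4096 bytes and is mode 0400.
# Returns 0 when all three hold, nonzero otherwise.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || return 1
    [ "$(wc -c < "$keyfile" | tr -d ' ')" -eq 4096 ] || return 1
    [ "$(ls -ld "$keyfile" | cut -c1-10)" = "-r--------" ] || return 1
}

# Emit one crypttab line: <mapper> <device> <keyfile> luks
# (assumes a crypttab-reading init; adjust for other init scripts).
crypttab_line() {
    printf '%s\t%s\t%s\tluks\n' "$1" "$2" "$3"
}

# Enrol the keyfile in a free key slot of the second volume and register it
# for automatic unlocking after root is mounted. luksAddKey asks once for an
# existing passphrase of that volume. Needs root; not run by the self-test.
enrol_keyfile() {
    cryptsetup luksAddKey "$DEVICE" "$KEYFILE" || return 1
    crypttab_line "$MAPPER" "$DEVICE" "$KEYFILE" >> /etc/crypttab
}

# Only touch the real system when explicitly asked to.
if [ "${1:-}" = install ]; then
    make_keyfile "$KEYFILE" && check_keyfile "$KEYFILE" && enrol_keyfile
fi
```

Run it as root with the argument `install` after the root LV is already unlocked and mounted, so the keyfile lands on the encrypted filesystem. The passphrase slot on the second volume stays as a fallback; if the keyfile is ever lost or exposed, `cryptsetup luksRemoveKey` on it retires that slot.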