| 1 |
Am Sonntag 05 Juli 2009 20:26:23 schrieb Alex Schuster: |
| 2 |
|
| 3 |
> > The LUKS key isn't stored as cleartext, it's encrypted. |
| 4 |
> |
| 5 |
> Um, I mean the passphrase I specify with --key-file to cryptsetup. Or which |
| 6 |
> would be asked at the prompt if I would not give it. |
| 7 |
|
| 8 |
OK, now I get it. But those are two different beasts. The keyfile is usually one |
| 9 |
that consists of random data (created by reading from /dev/urandom). If you |
| 10 |
don't protect that by some means, you don't gain any security. |
| 11 |
|
| 12 |
The one you're asked for at the prompt is more like a password/-phrase. |
| 13 |
|
| 14 |
So here's what I do, as an example: |
| 15 |
|
| 16 |
I've got a small unencrypted /boot which holds the kernel and enough Linux to |
| 17 |
open the LUKS encrypted root LV. So I'm prompted for the passphrase to unlock |
| 18 |
it. Once unlocked and mounted, I get access to the random data keyfile stored |
| 19 |
in /etc which is used to unlock all other LVs automatically. |
| 20 |
|
| 21 |
Bye... |
| 22 |
|
| 23 |
Dirk |
Archives