On 04.09.2012 00:12, "Roland Häder" wrote:
> Okay, I have made a little progress. I have generated my private key
> using some random data + gpg:
>
> # head -c 3705 /dev/urandom | head -n 66 | tail -n 65 > key.out
> # gpg --symmetric -a --s2k-count 8388608 key.out <Enter your password twice>
> # mv key.out.asc key.gpg
> # rm -f key.out
>

Two minor suggestions:

1. Maybe it would be a good idea to use an ASCII-only random string, for
example by piping it through `base64 -w 0`. That way you don't lose any
entropy (the key just gets longer) but it is easier to type the keyfile
manually, in case you ever need to. You also don't have to worry about
odd behavior of password prompts anymore.

2. You should `shred` key.out instead of `rm`.

> Now I have to copy that file onto my stick and set up
> /etc/conf.d/dmcrypt:
>
> # whole root system encrypted with gpg key from removable media
> target=crypt-root
> source='/dev/hdaX'
> key='/key:gpg'
> # This is your stick
> remdev='/dev/sda1'
>
> But what next? The example at [1] is based on a key-only file (no
> passphrase). I know, later on /etc/conf.d/dmcrypt must be placed on
> the new root-fs, but what now? I still have to set it up. cryptsetup
> doesn't do anything with gpg. So I have to set up a pipeline?
>

I'm not entirely sure I understand what you mean, therefore I just start
babbling. ;-)

The dmcrypt init script cannot be used for encrypting the root fs, a
separate /usr or /etc. At least, I don't see a way to do it and I don't
see it in the examples in my /etc/conf.d/dmcrypt.

However, you can use it for all other directories containing sensitive
data (/home, /srv, /var, /tmp). You might still need a skeleton
directory structure of /var for the early boot stages, but that's about it.

Getting root encrypted is the sole responsibility of your initrd.

Regards,
Florian Philipp
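As an added example (not part of the thread, and not Roland's or Florian's own commands), the following POSIX shell script puts Florian's two suggestions together: draw random bytes, render them as base64 so the keyfile is ASCII-only and typeable, encrypt it with `gpg --symmetric` using the same `--s2k-count` as the quoted command, and `shred` the plaintext instead of `rm`-ing it. The 48-byte key size, the working-directory argument, and the helper names are assumptions; `base64 | tr -d '\n'` is used in place of GNU `base64 -w 0` only so the script also runs on non-GNU userlands.

```shell
#!/bin/sh
# Added example: ASCII-only gpg-wrapped keyfile, built the way the reply suggests.
# KEY_BYTES and the directory argument are assumptions, not values from the thread.
set -eu

# Random bytes to draw. base64 maps 3 bytes to 4 characters, so 48 bytes become
# 64 characters; no entropy is lost, the file just gets longer.
KEY_BYTES=48

# Print $1 random bytes as one base64 line without a trailing newline.
# (`tr -d '\n'` replaces GNU `base64 -w 0` for portability.)
make_ascii_key() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# Succeed only if $1 consists solely of base64 characters, i.e. something a
# password prompt can take verbatim and a human can retype from a printout.
is_ascii_key() {
    printf '%s' "$1" | LC_ALL=C grep -q '^[A-Za-z0-9+/=]*$'
}

# Length of the base64 encoding of $1 input bytes: 4 * ceil($1 / 3).
expected_b64_len() {
    echo $(( 4 * (($1 + 2) / 3) ))
}

# Full procedure in working directory $1: write key.out, wrap it as key.gpg,
# then overwrite and unlink the plaintext. Needs gpg and GNU shred installed;
# gpg prompts for the passphrase twice, as in the quoted command.
build_keyfile() {
    dir=$1
    command -v gpg >/dev/null 2>&1 && command -v shred >/dev/null 2>&1 \
        || { echo "gpg and shred are required" >&2; return 1; }
    make_ascii_key "$KEY_BYTES" > "$dir/key.out"
    gpg --symmetric -a --s2k-count 8388608 -o "$dir/key.gpg" "$dir/key.out"
    # shred overwrites the blocks before unlinking; plain rm would leave the
    # key material recoverable on the medium.
    shred -u "$dir/key.out"
}

# Usage (only when run directly): build_keyfile /path/to/workdir
```

The encrypted `key.gpg` is what goes onto the stick; `key.out` never leaves the working directory and is shredded as soon as gpg has consumed it.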