| 1 |
Am 04.09.2012 00:12, schrieb "Roland Häder": |
| 2 |
> Okay, I have made a little progress. I have generated my private key |
| 3 |
> using some random data + gpg: |
| 4 |
> |
| 5 |
> # head -c 3705 /dev/urandom | head -n 66 | tail -n 65 > key.out # gpg |
| 6 |
> --symmetric -a --s2k-count 8388608 key.out <Enter your password |
| 7 |
> twice> # mv key.out.asc key.gpg # rm -f key.out |
| 8 |
> |
| 9 |
|
| 10 |
Two minor suggestions: |
| 11 |
|
| 12 |
1. Maybe it would be a good idea to use an ASCII-only random string, for |
| 13 |
example by piping it through `base64 -w 0`. That way you don't loose any |
| 14 |
entropy (the key just gets longer) but it is easier to type the keyfile |
| 15 |
manually, in case you ever need to. You also don't have to worry about |
| 16 |
odd behavior of password prompts anymore. |
| 17 |
|
| 18 |
2. You should `shred` key.out instead of `rm`. |
| 19 |
|
| 20 |
> Now I have to copy that file on my stick and setup |
| 21 |
> /etc/conf.d/dmcrypt: |
| 22 |
> |
| 23 |
> # whole root system encrypted with gpg key from removeable media |
| 24 |
> target=crypt-root source='/dev/hdaX' key='/key:gpg' # This is your |
| 25 |
> stick remdev='/dev/sda1' |
| 26 |
> |
| 27 |
> But what next? The example at [1] is based on key-only file (no |
| 28 |
> passphrase). I know, later on /etc/conf.d/dmcrypt must be placed on |
| 29 |
> the new root-fs but what now? I still have to setup it. cryptsetup |
| 30 |
> doesn't do anything with gpg. So I have setup a pipeline? |
| 31 |
> |
| 32 |
|
| 33 |
I'm not entirely sure I understand what you mean, therefore I just start |
| 34 |
babbling. ;-) |
| 35 |
|
| 36 |
The dmcrypt init script cannot be used for encrypting the root fs, a |
| 37 |
separate /usr or /etc. At least, I don't see a way to do it and I don't |
| 38 |
see it in the examples in my /etc/conf.d/dmcrypt. |
| 39 |
|
| 40 |
However, you can use it for all other directories containing sensitive |
| 41 |
data (/home, /srv, /var, /tmp). You might still need a skeleton |
| 42 |
directory structure of /var for the early boot stages but that's about it. |
| 43 |
|
| 44 |
Getting root encrypted is the sole responsibility of your initrd. |
| 45 |
|
| 46 |
Regards, |
| 47 |
Florian Philipp |
Archives