| 1 |
Am Sonntag, 30. März 2008 schrieb ext Neil Bothwick: |
| 2 |
> On Sun, 30 Mar 2008 18:50:59 +0200, Dirk Heinrichs wrote: |
| 3 |
> > I protect the root fs with a passphrase and all other volumes with a |
| 4 |
> > keyfile stored in this fs. No need to mount anything (however, I _do_ |
| 5 |
> > need an initramfs because of this). |
| 6 |
> |
| 7 |
> That still means your keys are readable all the time, |
| 8 |
|
| 9 |
By root only, chmod 400 is your friend. |
| 10 |
|
| 11 |
> whereas mine |
| 12 |
> disappear long before the network comes up. |
| 13 |
|
| 14 |
So what? If somebody cracks into your box and gains root access, he can't |
| 15 |
mount /boot and take the keys? You'll need SELinux to prevent this. |
| 16 |
|
| 17 |
Bye... |
| 18 |
|
| 19 |
Dirk |
| 20 |
-- |
| 21 |
Dirk Heinrichs | Tel: +49 (0)162 234 3408 |
| 22 |
Configuration Manager | Fax: +49 (0)211 47068 111 |
| 23 |
Capgemini Deutschland | Mail: dirk.heinrichs@×××××××××.com |
| 24 |
Wanheimerstraße 68 | Web: http://www.capgemini.com |
| 25 |
D-40468 Düsseldorf | ICQ#: 110037733 |
| 26 |
GPG Public Key C2E467BB | Keyserver: www.keyserver.net |
Archives