On Saturday, 04 July 2009 14:51:54, Alex Schuster wrote:
> Dirk Heinrichs writes:
> >
> > having said that, you can even do w/o
> > initramfs, just put everything into /boot (which should be a separate
> > partition, then). Again, see my reply to David for the details.
>
> Interesting. Getting rid of initramfs looks like a simpler approach, no
> need to fiddle with cpio in order to change things.
|
Also with initramfs, you don't need to fiddle with cpio. The kernel build
system does this for you.
|
> I do not want to have to enter a password every time my machine boots, so
> I put the key onto a stick.
|
And how do you protect the key on the stick? What if you lose it?
|
> And simply made it the same for all
> partitions. And while I was at it, for maximum security, I also put /boot
> onto the stick. Sure, who would ever break into my house and modify my
> boot partition, replacing the kernel with kernel+keylogger or such... but
> then, I would probably also not need to encrypt my stuff at all.
|
Encryption doesn't protect a _running_ system, because then, all needed LVs
are readable. It only protects the system while switched off (so that an
attacker cannot access your data after stealing the entire system, or after
you sold your harddisk).
|
> > Then you did something wrong. It works out of the box.
>
> Really? I know it does for root and swap (it works here), but how do I
> tell the system to also luksOpen all my other LVM volumes?
|
By listing them in /etc/conf.d/dmcrypt. |
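
What such a listing can look like, as an added example that is not part of the original message: the volume group vg0, the LV names, the key paths and the stick device /dev/sdb1 are all assumptions. The first section uses a plain key file on the stick, the second the same setup with a gpg-protected key file.

```shell
# /etc/conf.d/dmcrypt: constructed example. Device names, LV names and
# key paths are assumptions. Each target= line starts a new section.

# Plain key file on the stick: no prompt at boot, but whoever holds the
# stick holds the key.
target=crypt-home
source='/dev/vg0/home'
key='/keys/volumes.key'
remdev='/dev/sdb1'

# Same stick, but the key file is gpg-encrypted (":gpg" mode): a lost
# stick alone does not open the volume; a passphrase is asked at boot.
target=crypt-data
source='/dev/vg0/data'
key='/keys/volumes.key.gpg:gpg'
remdev='/dev/sdb1'
```

The opened volumes then appear as /dev/mapper/crypt-home and /dev/mapper/crypt-data, which is what /etc/fstab should reference.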