| 1 |
Am Samstag 04 Juli 2009 14:51:54 schrieb Alex Schuster: |
| 2 |
> Dirk Heinrichs writes: |
| 3 |
> > |
| 4 |
> > having said that, you can even do w/o |
| 5 |
> > initramfs, just put everything into /boot (which should be a separate |
| 6 |
> > partition, then). Again, see my reply to David for the details. |
| 7 |
> |
| 8 |
> Interesting. Getting rid of initramfs looks like a simpler approach, no |
| 9 |
> need to fiddle with cpio in order to change things. |
| 10 |
|
| 11 |
Also with initramfs, you don't need to fiddle with cpio. The kernel build |
| 12 |
system does this for you. |
| 13 |
|
| 14 |
> I do not want to have to enter a password every time my machine boots, so |
| 15 |
> I put the key onto a stick. |
| 16 |
|
| 17 |
And how do you protect the key on the stick? What if you loose it? |
| 18 |
|
| 19 |
> And simply made it the same for all |
| 20 |
> partitions. And while I was at it, for maximum security, I also put /boot |
| 21 |
> onto the stick. Sure, who would ever break into my house and modify my |
| 22 |
> boot partition, replacing the kernel with kernel+keylogger or such... but |
| 23 |
> then, I would probably also not need to encrypt my stuff at all. |
| 24 |
|
| 25 |
Encryption doesn't protect a _running_ system, because then, all needed LVs |
| 26 |
are readable. It only protects the system while switched of (so that an |
| 27 |
attacker can not acces your data after stealing the entire system, or after |
| 28 |
you sold your harddisk). |
| 29 |
|
| 30 |
> > Then you did something wrong. It works out of the box. |
| 31 |
> |
| 32 |
> Really? I know it does for root and swap (it works here), but how do I |
| 33 |
> tell the system to also luskOpen all my other LVM volumes? |
| 34 |
|
| 35 |
By listing them in /etc/conf.d/dmcrypt. |
Archives