On Sunday, 30 March 2008, Neil Bothwick wrote:
> On Sun, 30 Mar 2008 09:50:47 +0200, Dirk Heinrichs wrote:
> > > However, the setup doesn't work. I'm not asked for the passphrase, the
> > > mappings are not created. What did I forget?
> >
> > That the mappings are created all in one go before anything is mounted,
> > so you can't put the keyfile for /var into /boot. The only thing that
> > would work is to put the keyfile on the root fs, because that's the
> > only one that is mounted when the mappings are created, like:
>
> You can if you add
>
> pre_mount="mount /dev/mapper/boot /boot"
>
> to the boot stanza of dmcrypt, it forces the filesystem to be mounted
> immediately.
>
> I use a variant of this, where keys are stored on a dedicated partition.
> The pre_mount and post_mount (which unmounts the filesystem) ensure that
> the keys are only visible for as long as it takes to mount the other
> filesystems.

I protect the root fs with a passphrase and all other volumes with a keyfile
stored in this fs. No need to mount anything (however, I _do_ need an
initramfs because of this).

Bye...

Dirk