| 1 |
Am Sonntag, 30. März 2008 schrieb Neil Bothwick: |
| 2 |
> On Sun, 30 Mar 2008 09:50:47 +0200, Dirk Heinrichs wrote: |
| 3 |
> > > However, the setup doesn't work. I'm not asked for the passphrase, the |
| 4 |
> > > mappings are not created. What did I forget? |
| 5 |
> > |
| 6 |
> > That the mappings are created all in one go before anything is mounted, |
| 7 |
> > so you can't put the keyfile for /var into /boot. The only thing that |
| 8 |
> > would work is to put the keyfile on the root fs, because that's the |
| 9 |
> > only one that is mounted when the mappings are created, like: |
| 10 |
> |
| 11 |
> You can if you add |
| 12 |
> |
| 13 |
> pre_mount="mount /dev/mapper/boot /boot" |
| 14 |
> |
| 15 |
> to the boot stanza of dmcrypt, it forces the filesystem to be mounted |
| 16 |
> immediately. |
| 17 |
> |
| 18 |
> I ue a variant of this, where keys are stored on a dedicated partition. |
| 19 |
> The pre_mount and post_mount (which unmounts the filesystem) ensure that |
| 20 |
> the keys are only visible for as long as it takes to mount the other |
| 21 |
> filesystems. |
| 22 |
|
| 23 |
I protect the root fs with a passphrase and all other volumes with a keyfile |
| 24 |
stored in this fs. No need to mount anything (however, I _do_ need an |
| 25 |
initramfs because of this). |
| 26 |
|
| 27 |
Bye... |
| 28 |
|
| 29 |
Dirk |
Archives