On Saturday, 29 March 2008, Florian Philipp wrote:

> My goal is to open a Luks-mapping for /var with a gpg-encrypted file
> on /boot and then open a mapping for /var/tmp with a plaintext file
> on /var.

See below. But while we're at it, can anybody tell me what's the advantage of
a gpg-encrypted keyfile over a keyfile generated from /dev/urandom?

> I thought it would work with the following settings:
>
> /etc/conf.d/cryptfs

It's /etc/conf.d/dmcrypt nowadays.

> target=var
> source='/dev/mapper/vg-crypt_var'
> key='/boot/key.gpg:gpg'
>
> target=var_tmp
> source='/dev/mapper/vg-crypt_var_tmp'
> key='/var/lib/tmp_key'
>
>
> I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
> partition and followed their advice.

Which warning, btw.? Works just fine here.

> However, the setup doesn't work. I'm not asked for the passphrase, the
> mappings are not created. What did I forget?

That the mappings are created all in one go before anything is mounted, so you
can't put the keyfile for /var into /boot. The only thing that would work is
to put the keyfile on the root fs, because that's the only one that is
mounted when the mappings are created, like:

target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'

Bye...

Dirk
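A small sanity check built on Dirk's point, added here as an example and not part of the original thread or of Gentoo's dmcrypt init script: it parses `/etc/conf.d/dmcrypt`-style `target`/`source`/`key` blocks and flags every keyfile that lives on a filesystem which is not yet mounted when the mappings are set up. The sample config is the one from the mail plus Dirk's root-fs example, the `path:mode` key syntax follows the `/boot/key.gpg:gpg` line above, and the list of not-yet-mounted paths (`/boot` plus the mount points of the encrypted targets themselves) is an assumption constructed for the sample, since only the root fs is mounted at that point.

```python
"""Flag dmcrypt keyfiles that cannot be read when the mappings are created.

Example code, not part of the mailing-list thread or of the dmcrypt script.
"""
import shlex

# Constructed sample: the two entries from Florian's mail plus Dirk's example.
SAMPLE_CONF = """
target=var
source='/dev/mapper/vg-crypt_var'
key='/boot/key.gpg:gpg'

target=var_tmp
source='/dev/mapper/vg-crypt_var_tmp'
key='/var/lib/tmp_key'

target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'
"""

# Assumption for this sample: when the mappings are created only the root fs
# is mounted, so /boot (separate partition) and the mount points that the
# encrypted targets themselves will provide are not readable yet.
NOT_YET_MOUNTED = ["/boot", "/var", "/var/tmp"]


def parse_dmcrypt(text):
    """Parse key=value lines into a list of dicts; each 'target=' starts a new entry."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip()
        # shlex strips the single quotes used in the config file
        value = shlex.split(value)[0] if value.strip() else ""
        if name == "target":
            current = {"target": value}
            entries.append(current)
        elif current is not None:
            current[name] = value
    return entries


def key_location(keyspec):
    """Split 'path:mode' (e.g. '/boot/key.gpg:gpg') into (path, mode); mode is None if absent."""
    path, _, mode = keyspec.partition(":")
    return path, (mode or None)


def check_key_paths(entries, unavailable_mounts):
    """Return (target, keyfile, mount) for every keyfile under a not-yet-mounted path."""
    problems = []
    for entry in entries:
        keyspec = entry.get("key")
        if not keyspec:
            continue  # passphrase-only target, nothing to read from disk
        path, _mode = key_location(keyspec)
        for mount in unavailable_mounts:
            prefix = mount.rstrip("/") + "/"
            if path == mount or path.startswith(prefix):
                problems.append((entry["target"], path, mount))
                break
    return problems


if __name__ == "__main__":
    for target, path, mount in check_key_paths(parse_dmcrypt(SAMPLE_CONF), NOT_YET_MOUNTED):
        print(f"{target}: keyfile {path} is under {mount}, which is not mounted yet")
```

Run against the sample, the check reports the `var` and `var_tmp` entries and is silent for `c-usr`, whose keyfile sits under `/etc` on the root fs. On a real system the unavailable-mount list would be derived from `/etc/fstab` rather than hard-coded.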