Gentoo Archives: gentoo-user

From: Florian Philipp <lists@××××××××××××××××××.net>
To: Gentoo-User <gentoo-user@l.g.o>
Subject: [gentoo-user] Initrd-script questions
Date: Tue, 18 Mar 2008 16:56:35
Message-Id: 1205859390.7981.16.camel@NOTE_GENTOO64.PHHEIMNETZ
1 Hi list!
3 I'd like to have some advice on my situation:
5 I have a custom init-script (derived from genkernel). What it already
6 does is to let gpg ask for a passphrase to decrypt a file on /boot and
7 then to use to content of that file as the key to a LUKS-formatted swap
8 (logical volume) which is then used to resume from disk.
10 What I would also like to do is to use the very same key for other
11 lvm-volumes like /var and /var/tmp but that doesn't seem that easy.
13 First idea: Just do the same as with the swap-volume. However, all other
14 mappings are gone after resuming/booting.
16 Second idea: Write the plaintext-keyfile to /boot and then use it
17 via /etc/conf.d/cryptfs before removing it in a secure manner (srm,
18 provided by app-misc/secure-delete). Problem: When resuming, /boot is
19 already mounted. Writing to it and then resuming leads to filesystem
20 corruption.
22 Third idea: Using a dedicated volume for storing the plaintext key.
23 Cumbersome, doesn't reduce the risk that srm isn't enough to protect the
24 key.
26 So ... what I'd need is a way to transfer data between an initial
27 ramdisk and the real init. Ideally in form of tmpfs-mountpoint.
29 I don't think my odds are very high but I just wanted to ask...
31 Thanks in advance!
33 Florian Philipp


File name MIME type
signature.asc application/pgp-signature


Subject Author
Re: [gentoo-user] Initrd-script questions Neil Bothwick <neil@××××××××××.uk>