| 1 |
Hi list! |
| 2 |
|
| 3 |
I'd like to have some advice on my situation: |
| 4 |
|
| 5 |
I have a custom init-script (derived from genkernel). What it already |
| 6 |
does is to let gpg ask for a passphrase to decrypt a file on /boot and |
| 7 |
then to use to content of that file as the key to a LUKS-formatted swap |
| 8 |
(logical volume) which is then used to resume from disk. |
| 9 |
|
| 10 |
What I would also like to do is to use the very same key for other |
| 11 |
lvm-volumes like /var and /var/tmp but that doesn't seem that easy. |
| 12 |
|
| 13 |
First idea: Just do the same as with the swap-volume. However, all other |
| 14 |
mappings are gone after resuming/booting. |
| 15 |
|
| 16 |
Second idea: Write the plaintext-keyfile to /boot and then use it |
| 17 |
via /etc/conf.d/cryptfs before removing it in a secure manner (srm, |
| 18 |
provided by app-misc/secure-delete). Problem: When resuming, /boot is |
| 19 |
already mounted. Writing to it and then resuming leads to filesystem |
| 20 |
corruption. |
| 21 |
|
| 22 |
Third idea: Using a dedicated volume for storing the plaintext key. |
| 23 |
Cumbersome, doesn't reduce the risk that srm isn't enough to protect the |
| 24 |
key. |
| 25 |
|
| 26 |
So ... what I'd need is a way to transfer data between an initial |
| 27 |
ramdisk and the real init. Ideally in form of tmpfs-mountpoint. |
| 28 |
|
| 29 |
I don't think my odds are very high but I just wanted to ask... |
| 30 |
|
| 31 |
Thanks in advance! |
| 32 |
|
| 33 |
Florian Philipp |
Archives