1 |
Hi list! |
2 |
|
3 |
I'd like to have some advice on my situation: |
4 |
|
5 |
I have a custom init-script (derived from genkernel). What it already |
6 |
does is to let gpg ask for a passphrase to decrypt a file on /boot and |
7 |
then to use to content of that file as the key to a LUKS-formatted swap |
8 |
(logical volume) which is then used to resume from disk. |
9 |
|
10 |
What I would also like to do is to use the very same key for other |
11 |
lvm-volumes like /var and /var/tmp but that doesn't seem that easy. |
12 |
|
13 |
First idea: Just do the same as with the swap-volume. However, all other |
14 |
mappings are gone after resuming/booting. |
15 |
|
16 |
Second idea: Write the plaintext-keyfile to /boot and then use it |
17 |
via /etc/conf.d/cryptfs before removing it in a secure manner (srm, |
18 |
provided by app-misc/secure-delete). Problem: When resuming, /boot is |
19 |
already mounted. Writing to it and then resuming leads to filesystem |
20 |
corruption. |
21 |
|
22 |
Third idea: Using a dedicated volume for storing the plaintext key. |
23 |
Cumbersome, doesn't reduce the risk that srm isn't enough to protect the |
24 |
key. |
25 |
|
26 |
So ... what I'd need is a way to transfer data between an initial |
27 |
ramdisk and the real init. Ideally in form of tmpfs-mountpoint. |
28 |
|
29 |
I don't think my odds are very high but I just wanted to ask... |
30 |
|
31 |
Thanks in advance! |
32 |
|
33 |
Florian Philipp |