On Sun, 2008-03-30 at 09:50 +0200, Dirk Heinrichs wrote:
> On Saturday, 29 March 2008, Florian Philipp wrote:
>
> > My goal is to open a Luks-mapping for /var with a gpg-encrypted file
> > on /boot and then open a mapping for /var/tmp with a plaintext file
> > on /var.
>
> See below. But while we're at it, can anybody tell me what's the advantage of
> a gpg-encrypted keyfile over a keyfile generated from /dev/urandom?

Keys for urandom work great for /tmp and swap but how should I use this
for a partition which is supposed to keep its content between reboots?

>
> > I thought it would work with the following settings:
> >
> > /etc/conf.d/cryptfs
>
> It's /etc/conf.d/dmcrypt nowadays.

Interesting, why is there no hint that cryptfs is deprecated/obsolete?

>
> > target=var
> > source='/dev/mapper/vg-crypt_var'
> > key='/boot/key.gpg:gpg'
> >
> > target=var_tmp
> > source='/dev/mapper/vg-crypt_var_tmp'
> > key='/var/lib/tmp_key'
> >
> >
> > I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
> > partition and followed their advice.
>
> Which warning, btw? Works just fine here.
>

"# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
# and ensure that gpg has been compiled statically.
# See http://bugs.gentoo.org/90482 for more information."


> > However, the setup doesn't work. I'm not asked for the passphrase, the
> > mappings are not created. What did I forget?
>
> That the mappings are created all in one go before anything is mounted, so you
> can't put the keyfile for /var into /boot. The only thing that would work is
> to put the keyfile on the root fs, because that's the only one that is
> mounted when the mappings are created, like:
>
> target='c-usr'
> source='/dev/evms/usr'
> key='/etc/crypt/keyfile'
>
> Bye...
>
> Dirk

Thanks, I'll try it.
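As an added illustration of Dirk's point (this is example code written for this page, not part of the thread or of the Gentoo dmcrypt script): a small POSIX sh check that walks a /etc/conf.d/dmcrypt-style fragment and reports every key= whose path lives on a filesystem that is not yet mounted when the mappings are set up. The list of separately mounted paths and the sample config stanzas are constructed assumptions.

```shell
# Added example, not from the thread: flag every key= in a
# /etc/conf.d/dmcrypt fragment that sits outside /, since only the root
# fs is mounted when the mappings are created.  Assumed separate mounts:
SEPARATE_MOUNTS="/boot /usr /var"

# key_on_rootfs PATH: 0 if PATH is reachable on the root fs, else 1
key_on_rootfs() {
    for m in $SEPARATE_MOUNTS; do
        case "$1" in "$m"|"$m"/*) return 1 ;; esac
    done
    return 0
}

# check_dmcrypt_conf FILE: prints "<target> ok|unreachable <key>" per
# stanza; returns 1 if any key would be unreachable at mapping time
check_dmcrypt_conf() {
    rc=0; target=
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            target=*) target=${line#target=}
                      target=${target#\'}; target=${target%\'} ;;
            key=*)    key=${line#key=}
                      key=${key#\'}; key=${key%\'}
                      key=${key%%:*}   # drop a ":gpg" style suffix
                      if key_on_rootfs "$key"; then
                          printf '%s ok %s\n' "$target" "$key"
                      else
                          printf '%s unreachable %s\n' "$target" "$key"
                          rc=1
                      fi ;;
        esac
    done < "$1"
    return $rc
}

# Constructed sample mirroring the three stanzas quoted in the thread.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
target=var
source='/dev/mapper/vg-crypt_var'
key='/boot/key.gpg:gpg'
target=var_tmp
source='/dev/mapper/vg-crypt_var_tmp'
key='/var/lib/tmp_key'
target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'
EOF
check_dmcrypt_conf "$SAMPLE_CONF" || echo "some keys are unreachable at boot"
```

Run against the sample, the two stanzas from the original question are reported as unreachable and only the /etc/crypt/keyfile stanza passes.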