Mailinglist Archive: opensuse (1620 mails)

Re: [opensuse] Is there something like Debians Mandos for Opensuse?
On 2014-11-29 15:55, Anton Aylward wrote:
> On 11/29/2014 09:05 AM, Carlos E. R. wrote:
>> I don't see how an encrypted root that automatically boots can be a good
>> thing. If somebody steals the machine, they can "open" it completely!
>>
>> How does that Mandos do the trick, where is the password stored?
>
> It looks a bit like a Kerberos ticket server.
> The key is not stored on the machine with the encrypted ROOTFS.
> Rather the boot sequence - think of it as a shim within grub (or
> whatever) - contacts the key server much in the same way that a Kerberos
> enabled session starts up.

I can imagine two possibilities.

One is that the initrd image contains the needed scripts/binaries to
contact the Mandos server.

Another is that grub2, which has some decryption capabilities to
boot from an encrypted root (without a plain /boot), itself includes the
code needed for Mandos.

This is not so simple as adding a package to the distribution.


It could also be a variation of tiny-ftp... it can be used for booting
from network.


--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
