Christian Boltz wrote:
> I wonder how I should implement LUKS encrypted swap with random encryption at every boot.
You can't.
> I tried the example from man crypttab: cr_md0 /dev/md0 /dev/random swap
> Result: Swap not active - probably because /dev/random can only provide some bytes at boot time.
Use /dev/urandom
> I then tested with cr_md0 /dev/md0 /dev/urandom swap
> This seems to work (tested with "boot.crypto start /dev/md0"), but the manpage contradicts itself:
> · The third column key file specifies the file to use for decrypting the encrypted data of the source device. It can also be a device name (e.g. /dev/urandom, which is useful for encrypted swap devices). Warning: luks does not support infinite streams (like /dev/urandom), it requires a fixed size key.
> So the first paragraph says "you can use /dev/urandom", and the second says "do NOT use /dev/urandom".
> Which part is correct? ;-)
Both are correct. You can't use /dev/urandom for luks volumes (you always need a passphrase for those) but you can use it for volumes without the luks metadata. Even without luks metadata you can still use the algorithm used by luks, ie aes-cbc-essiv:sha256.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
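The three rules that come out of this exchange (a /dev/random key can stall at boot, a LUKS volume cannot take an infinite stream as its key, and plain dm-crypt with /dev/urandom is the working form for per-boot random swap) are easy to encode as a check over /etc/crypttab. The linter below is an added example written for this page; it is not code from the thread, from boot.crypto or from any SUSE tool. The sample crypttab text is constructed (the first two lines are the entries Christian tried, the others are made up), and the option names it looks at (`swap`, `luks`) are the ones that appear in the thread.

```python
"""Lint crypttab entries for the random-key swap pitfalls discussed in the thread.

Rules applied (only those stated in the exchange):
  * key file /dev/random: may block at boot when the entropy pool is empty,
    so the swap device may never become active;
  * 'luks' option with a stream key (/dev/random or /dev/urandom): LUKS needs
    a fixed-size key, so this can never work;
  * plain dm-crypt (no 'luks' option) with /dev/urandom: fine for swap that
    is re-keyed on every boot.
"""
from dataclasses import dataclass
from typing import List, Tuple

STREAM_KEYS = {"/dev/random", "/dev/urandom"}

# Constructed sample: the two entries from the thread plus two made-up ones.
SAMPLE_CRYPTTAB = """\
# name    device    key           options
cr_md0    /dev/md0  /dev/random   swap
cr_md0    /dev/md0  /dev/urandom  swap
cr_md1    /dev/md1  /dev/urandom  swap,luks
cr_home   /dev/sdb2 none          luks
"""


@dataclass
class CrypttabEntry:
    name: str
    device: str
    key: str
    options: List[str]


def parse_crypttab(text: str) -> List[CrypttabEntry]:
    """Parse crypttab-style lines: name device [key [options]].

    Comments (#...) and blank lines are skipped. A missing key column is
    recorded as 'none', which in crypttab means 'ask for a passphrase'.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        name, device = fields[0], fields[1]
        key = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append(CrypttabEntry(name, device, key, options))
    return entries


def check_entry(entry: CrypttabEntry) -> List[str]:
    """Return the problems the thread describes for one entry ([] means OK)."""
    problems = []
    if entry.key == "/dev/random":
        problems.append(
            "/dev/random may block at boot and leave the device inactive; "
            "use /dev/urandom for a per-boot random key"
        )
    if "luks" in entry.options and entry.key in STREAM_KEYS:
        problems.append(
            f"luks requires a fixed-size key; {entry.key} is an infinite stream "
            "(drop 'luks' for random-key swap, or use a real key/passphrase)"
        )
    return problems


def lint(text: str) -> List[Tuple[CrypttabEntry, List[str]]]:
    """Run check_entry over every entry, preserving file order."""
    return [(e, check_entry(e)) for e in parse_crypttab(text)]


if __name__ == "__main__":
    for entry, problems in lint(SAMPLE_CRYPTTAB):
        status = "OK " if not problems else "BAD"
        print(f"{status} {entry.name} {entry.device} {entry.key} {','.join(entry.options)}")
        for p in problems:
            print(f"      - {p}")
```

Running it against the sample flags the /dev/random entry and the swap,luks entry, and passes the plain /dev/urandom swap entry and the passphrase-protected LUKS volume, which is exactly the split Ludwig describes.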