On Thursday, 2010-10-14 at 01:38 +0200, Christian Boltz wrote:

> Hello,
>
> on Wednesday, 13 October 2010, Carlos E. R. wrote:
>
>> Using that method, however, during boot the system would ask for the passphrase twice or more: once for the root system (another for /home, if used), and another for swap ⁽¹⁾.
>
> That should be avoidable ;-)
>
> Create a file containing the encryption key for /home (and another one for swap) on your root partition (needless to say: restrict access to root only). This file can directly be generated from /dev/random and serve as an *additional* key/password for the partitions - LUKS supports up to 8 (IIRC) keys/passwords per partition. To get you started:
>
>     cryptsetup luksAddKey /dev/sda1
>
> (handing over the key file is left as an exercise to the reader ;-)

The documentation about all this is, say, a little cryptic :-)

Additional password means that both keys have to be supplied to enter, or just any one of them? Yesterday night I thought you meant both, today I think you mean one of them. One is saved into a file in root, so that it doesn't ask for it, right?

I see... Interesting.

> Note: This mail is IMHO and AFAIK - I do not have such a setup and therefore can't guarantee that it works.

But I think I read about this somewhere before - only that now I understood :-)

I like this method.

What about swap and hibernation? If root is encrypted, there has to be a plain /boot partition, so that the kernel can be loaded by grub - otherwise we need a grub that reads encrypted filesystems.

Ok, so assume /boot is plain. Root is encrypted, swap too. Now after hibernation the kernel boots, and... who asks for the password to open the swap before reading the hibernated image? It is not using "uswsusp", it is the entire swap.

Otherwise, we need to use "uswsusp". In that case, swap is plain, just the hibernated image is encrypted. Do we then create two different swaps, one for each purpose? One plain for hibernation, one encrypted for normal use? That's ugly, even if we discover how to configure such a thing.

-- 
Cheers,
       Carlos E. R.
       (from 11.2 x86_64 "Emerald" at Telcontar)
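The key-file approach Christian outlines above, as an added example written for this thread rather than taken from the mail or from openSUSE: the device /dev/sda2 for /home, the path /etc/keys/home.key and a 4096-byte key are assumptions.

```shell
#!/bin/sh
# Added example (not from the mail): key-file unlock for a second LUKS volume.
# Assumptions: /home lives on /dev/sda2, the key is kept at /etc/keys/home.key
# on the (already unlocked) root filesystem, and the key is 4096 random bytes.
set -eu

KEY_BYTES=4096

# Create the key file with owner-only permissions from the first byte on:
# the umask applies before dd opens the file, so it is never world-readable.
# /dev/urandom is used here; /dev/random as the mail suggests works too but
# may block on older kernels.
make_keyfile() {
    keyfile=$1
    ( umask 077 && dd if=/dev/urandom of="$keyfile" bs="$KEY_BYTES" count=1 2>/dev/null )
    chmod 0400 "$keyfile"
}

# Check before enrolling: the key file must be mode 0400 (no group/other
# bits); otherwise it is an unlock key for every local user.
keyfile_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "400" ]
}

# Build the /etc/crypttab line: <mapper name> <device> <key file> <options>.
# With a key file listed, the boot scripts open the volume without a prompt.
crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# Enroll the key file as an ADDITIONAL key slot. cryptsetup asks once for an
# existing passphrase to authorise the change; afterwards either that
# passphrase or the key file opens the volume (any single LUKS key unlocks).
enroll_keyfile() {
    cryptsetup luksAddKey "$1" "$2"
}

# Run as root (not executed here):
#   mkdir -m 0700 /etc/keys
#   make_keyfile /etc/keys/home.key
#   keyfile_mode_ok /etc/keys/home.key
#   enroll_keyfile /dev/sda2 /etc/keys/home.key
#   crypttab_line home /dev/sda2 /etc/keys/home.key >> /etc/crypttab
```

A slot added with luksAddKey is independent of the others, so the original passphrase keeps working and the key file only removes the second prompt; the key file must sit on a filesystem that is already unlocked (root) by the time /home is opened.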