On 2014-11-29 15:55, Anton Aylward wrote:
On 11/29/2014 09:05 AM, Carlos E. R. wrote:
I don't see how an encrypted root that automatically boots can be a good thing. If somebody steals the machine, they can "open" it completely!
How does that Mandos do the trick? Where is the password stored?
It looks a bit like a Kerberos ticket server. The key is not stored on the machine with the encrypted ROOTFS. Rather the boot sequence - think of it as a shim within grub (or whatever) - contacts the key server much in the same way that a Kerberos-enabled session starts up.
I can imagine two possibilities. One is that the initrd image contains the needed scripts/binaries to contact the mandos server. Another is that grub2 itself, which has some decryption capabilities to boot from an encrypted root (without a plain /boot), itself includes the code needed for mandos. This is not so simple as adding a package to the distribution.

It could also be a variation of tiny-ftp... it can be used for booting from network.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)