
On 11/29/2014 09:05 AM, Carlos E. R. wrote:
> I don't see how an encrypted root that automatically boots can be a good thing. If somebody steals the machine, they can "open" it completely!
> How does that Mandos do the trick, where is the password stored?

It looks a bit like a Kerberos ticket server. The key is not stored on the machine with the encrypted ROOTFS. Rather the boot sequence - think of it as a shim within grub (or whatever) - contacts the key server much in the same way that a Kerberos-enabled session starts up. That's a pretty broad-brush explanation.

My own Kerberos experience is with AIX machines and applications needing to authenticate to communicate with another machine. The irony is that these machines were all in a SPFrame with the common high speed fabric between them, a *very* closed subnet! The IBM FSE told me that the AS400 (or whatever they term it today) version of the application suite ran all on one machine, one CPU but different LPARs :-)