The mandos client is installed in initrd, which is why it's so hard to get it running on anything that isn't Debian based. From what I've read Debian has lots of hooks to add things to initrd, but all other distributions don't. Source: https://www.centos.org/forums/viewtopic.php?t=28316#p133190
PS: I've manually replaced "AW" with "Re" in hopes of not breaking mail threading.
-----Original Message-----
From: Carlos E. R. <robin.listas@telefonica.net>
Sent: Sat 29 November 2014 17:52
To: oS-en <opensuse@opensuse.org>
Subject: Re: [opensuse] Is there something like Debians Mandos for Opensuse?
On 2014-11-29 15:55, Anton Aylward wrote:
On 11/29/2014 09:05 AM, Carlos E. R. wrote:
I don't see how an encrypted root that automatically boots can be a good thing. If somebody steals the machine, they can "open" it completely!
How does that Mandos do the trick, where is the password stored?
It looks a bit like a Kerberos ticket server. The key is not stored on the machine with the encrypted ROOTFS. Rather the boot sequence - think of it as a shim within grub (or whatever) - contacts the key server much in the same way that a Kerberos-enabled session starts up.
I can imagine two possibilities.
One is that the initrd image contains the needed scripts/binaries to contact the mandos server.
Another is that grub2 itself, which has some decryption capabilities to boot from an encrypted root (without a plain /boot), includes itself the code needed for mandos.
This is not so simple as adding a package to the distribution.
It could also be a variation of tiny-ftp... it can be used for booting from network.
-- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)