Ludwig Nussel wrote:
Susan Dittmar wrote:
On an openSUSE 11.3 laptop, I set up all hard disk partitions (in the easiest case just root and swap) as encrypted partitions using luks as described in http://en.opensuse.org/SBD:Encrypted_root_file_system
Uh, that article should probably be removed. The preferred method to have an encrypted root is to just click the checkbox in yast during installation.
But my boss wants to insert the memstick at boot time, then remove it as soon as booting is done. Then he wants to insert it again for suspend to disk. In principle that's fine with me. The problem with this is that
Sounds cumbersome and error prone. What's wrong with suspending to the built in hard disk?
What if the swap is not encrypted? If you want to go for minimum (or no) user input, you have to use some physical token (for resuming). In some aspects this resembles the traditional corporate practice of using smartcard-enabled workstations. What about triggering the suspend process by a media insert event (with the correct UUID)? The script would search for specific data on the media - a key that would be used for encrypting the hibernation image to hard drive using the key from the memory stick. Upon boot from the memory stick, the key would be used to decrypt the image. Additionally, you could use asymmetric encryption*): encrypting the hibernation image with a public key (no password needed). Decrypting could then require a password - depending on whether the private key is itself encrypted on the boot media. *) in the traditional way: generate a random symmetric cipher key and encrypt it with the asymmetric algo.
So here's my question: As luks already prompted for the passphrase during boot, is there a way to access this passphrase during this re-mount of the memstick's swap partition? Any way of keeping this partition's information although the memstick is removed (and re-attached) in the time between boot and suspend-to-disk?
If you encrypt the hibernation image, you can safely keep all stuff (local - i.e. not usb etc. that might be removed prior to resume) mounted so no need to remount upon resume.
The passphrase is gone when cryptsetup finishes.
Theoretically it could be kept in /proc/keys, right? Cheers Petr
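
The hybrid scheme suggested in the reply above (a random symmetric key for the image, wrapped with a public key so that sealing needs no password), sketched with the openssl command line as an added example that is not part of the original thread. File names and the sample "image" are constructed, and the private key is left without a passphrase for brevity.

```shell
#!/bin/sh
# Added example: hybrid encryption of a stand-in hibernation image.
# All file names are hypothetical; the image is constructed sample data.

# seal_image PUBKEY IMAGE OUTDIR: needs only the public key, so no passphrase.
seal_image() {
    key=$(openssl rand -hex 32) || return 1   # fresh AES-256 key per image
    iv=$(openssl rand -hex 16) || return 1
    # Note: -K on the command line is visible in the process list; acceptable
    # for a demonstration, not on a multi-user system.
    openssl enc -aes-256-ctr -K "$key" -iv "$iv" \
        -in "$2" -out "$3/image.enc" || return 1
    # Wrap key and IV with RSA-OAEP under the public key kept on the disk.
    printf '%s%s' "$key" "$iv" |
        openssl pkeyutl -encrypt -pubin -inkey "$1" \
            -pkeyopt rsa_padding_mode:oaep -out "$3/key.wrapped"
}

# open_image PRIVKEY DIR OUTFILE: needs the private key from the boot media.
# If that key file were passphrase-protected, openssl would prompt here.
open_image() {
    material=$(openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -in "$2/key.wrapped") || return 1
    key=$(printf '%s' "$material" | cut -c1-64)    # 32-byte key as hex
    iv=$(printf '%s' "$material" | cut -c65-96)    # 16-byte IV as hex
    openssl enc -d -aes-256-ctr -K "$key" -iv "$iv" \
        -in "$2/image.enc" -out "$3"
}

# make_keypair PRIVFILE PUBFILE: private half for the stick, public for disk.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null || return 1
    openssl pkey -in "$1" -pubout -out "$2"
}

# demo: seal and reopen a constructed image; returns 0 if the bytes match.
demo() {
    d=$(mktemp -d) || return 1
    make_keypair "$d/stick.key" "$d/disk.pub" || return 1
    printf 'constructed sample hibernation image\n' > "$d/image"
    seal_image "$d/disk.pub" "$d/image" "$d" || return 1
    open_image "$d/stick.key" "$d" "$d/image.out" || return 1
    cmp -s "$d/image" "$d/image.out"; rc=$?
    rm -rf "$d"
    return $rc
}

demo && echo "round trip ok"
```

This gives confidentiality only: anyone holding the public key can produce a substitute image, so a successful decryption does not show that the image is genuine.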