Quoting Carlos E. R. (carlos.e.r@opensuse.org):
On Thursday, 2010-10-14 at 01:38 +0200, Christian Boltz wrote:
on Wednesday, 13 October 2010, Carlos E. R. wrote:
Using that method, however, during boot the system would ask for the passphrase twice or more: once for the root system (another for /home, if used), and another for swap ¹.
That should be avoidable ;-)
Create a file containing the encryption key for /home (and another one for swap) on your root partition (needless to say: restrict access to root only). This file can directly be generated from /dev/random and serve as an *additional* key/password for the partitions - LUKS supports up to 8 (IIRC) keys/passwords per partition. To get you started: cryptsetup luksAddKey /dev/sda1 (handing over the key file is left as an exercise for the reader ;-)
The documentation about all this is, say, a little cryptic :-)
Additional password means that both keys have to be supplied to enter, or just any one of them? Yesterday night I thought you meant both, today I think you mean one of them. One is saved into a file in root, so that it doesn't ask for it, right? I see... Interesting.
Note: This mail is IMHO and AFAIK - I do not have such a setup and therefore can't guarantee that it works.
But I think I read about this somewhere before - only that now I understood :-)
I like this method.
What about swap and hibernation?
If root is encrypted, there has to be a plain /boot partition, so that the kernel can be loaded by grub - otherwise we need a grub that reads encrypted filesystems.
Ok, so assume /boot is plain. Root is encrypted, swap too. Now after hibernation the kernel boots, and... who asks for the password to open the swap before reading the hibernated image? It is not using "uswsusp", it is the entire swap.
Otherwise, we need to use "uswsusp". In that case, swap is plain, just the hibernated image is encrypted. Do we then create two different swaps, one for each purpose? One plain for hibernation, one encrypted for normal use?
That's ugly, even if we discover how to configure such a thing.
OK, I have a version of it up and running :-) It does not make use of uswsusp, though the suspend/resume swap would not need to be encrypted did I make use of uswsusp. I decided against this just because I was too lazy to dig into uswsusp, for no better reason. System now looks like this:

- Plain /boot. (On memstick. Without memstick the laptop boots its first partition with an old Windows which does not recognize the Linux partitions and does not show them. It's the second partition of the memstick by the way. A Windows user looking at my memstick will only see a standard-sized vfat partition with some unimportant files, like music or such.) It usually is *not* mounted.
- Encrypted /root, /home, swap on hard disk. I used LUKS, supplied only key files for /home and swap (as they are needed only after /root has been unlocked), and supplied a human-typeable passphrase for /root. I had to make sure I know where to find the keyboard's keys for that, as at the moment I am prompted for the password the German keyboard map is not yet active. That's a bit annoying...
- Encrypted suspend/resume swap on memstick (the third partition there). It's slow, so I do not want it active as swap during normal work. I use the same human-typeable passphrase as for /root, and an additional key file. This partition can be unlocked by either the passphrase or the key file. I could have put that on the hard disk as well. There was unused space on the memstick though, and it's the setup my boss wished for. It's his laptop... This swap usually is *not* active.
- Kernel boot parameters telling it to unlock /root and the suspend/resume swap upon booting. It's the initrd's scripts that prompt for the passphrase for those two partitions. Then it either resumes or does a full boot, depending on what is needed. In case of a full boot, the other encrypted partitions are unlocked using the key files residing in the now unlocked /root.
- For suspend to disk, I use a wrapper around powersave -U. It can be either called directly, or via the laptop's suspend-to-disk function key. This wrapper script
  * checks for and waits for the USB stick (maximum 10 seconds, after which it gives up)
  * mounts /boot in case it is not mounted
  * unlocks the suspend/resume swap partition in case it is not yet unlocked (here I need the key in the key file)
  * adds this suspend/resume swap partition to swap in case it is not yet active
  * calls powersave -U (the rest of the script will not be executed until after resume)
  * removes the suspend/resume swap partition from swap in case it had not been active before this script
  * removes the suspend/resume swap partition from the device mapper in case it was unlocked by this script
  * unmounts /boot in case it was mounted by this script

One thing I like with this setup is the fact that although /root and resume partitions need 'manual' unlocking, I am only prompted for one passphrase. This lowers the temptation to make the passphrase too short. (During tests I had a setup with the need of typing the passphrase 4 times for each boot. I was sorely tempted to reduce it to one-letter length ;-)

In case people are interested in a step by step description of my solution, I can write it down. I have one for personal usage, but it's in German. I would need a place to publish it, though. A place where it will be found.

Thanks a lot for all the help I received!

Susan Dittmar
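The wrapper around powersave -U that Susan describes, written out as an added example (it is not her script, which she did not post). It assumes placeholder device paths, a mapper name and a key-file path, and that the key file was added to the resume partition with cryptsetup luksAddKey as Christian suggests; it undoes only the steps it performed itself, so an already mounted /boot or already unlocked swap is left as found.

```shell
#!/bin/bash
# Hypothetical wrapper around "powersave -U" following the steps in Susan's mail.
# Device paths, mapper name and key-file path are assumed placeholders; adjust them.
STICK_DEV=${STICK_DEV:-/dev/disk/by-id/REPLACE-WITH-STICK-ID-part3}  # resume swap partition
MAPPER=${MAPPER:-resume_swap}                  # name under /dev/mapper once unlocked
KEYFILE=${KEYFILE:-/etc/keys/resume.key}       # added earlier with: cryptsetup luksAddKey $STICK_DEV $KEYFILE
STICK_TIMEOUT=${STICK_TIMEOUT:-10}             # seconds to wait for the memstick
RUN=${RUN:-}                                   # set RUN=echo to print the privileged commands instead

# Wait up to $STICK_TIMEOUT seconds for the memstick partition to appear; non-zero = gave up.
wait_for_stick() {
    i=0
    while [ "$i" -lt "$STICK_TIMEOUT" ]; do
        [ -e "$STICK_DEV" ] && return 0
        sleep 1; i=$((i + 1))
    done
    return 1
}

# Is device $1 listed as active swap? ($2 lets a test pass a constructed /proc/swaps.)
swap_active() { grep -q "^$(readlink -f "$1") " "${2:-/proc/swaps}"; }

hibernate() {
    mounted_boot=0; unlocked=0; swapped=0
    wait_for_stick || { echo "memstick not found, giving up" >&2; return 1; }
    if ! mountpoint -q /boot; then $RUN mount /boot && mounted_boot=1; fi
    if [ ! -e "/dev/mapper/$MAPPER" ]; then
        $RUN cryptsetup luksOpen "$STICK_DEV" "$MAPPER" --key-file "$KEYFILE" && unlocked=1
    fi
    if ! swap_active "/dev/mapper/$MAPPER"; then $RUN swapon "/dev/mapper/$MAPPER" && swapped=1; fi
    $RUN powersave -U                   # returns only after resume
    # Undo exactly what this script did, in reverse order.
    [ "$swapped" = 1 ] && $RUN swapoff "/dev/mapper/$MAPPER"
    [ "$unlocked" = 1 ] && $RUN cryptsetup luksClose "$MAPPER"
    [ "$mounted_boot" = 1 ] && $RUN umount /boot
    return 0
}

# Only act when explicitly asked, e.g. from the suspend-to-disk function key binding.
[ "${1:-}" = "--hibernate" ] && hibernate
```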