On 30/01/2006 General Stone wrote:
> In the attachment is a patch and a tool.

i believe that the patch is rather ugly. it depends on openssl, and therefore on a mounted /usr filesystem. what to do when /usr is an encrypted filesystem?

> The patch includes support to use encrypted ssl-key/s at the boot-up
> process. The modified initscript will then ask for a password and
> decrypt it in a defined $PATH which is mounted as a tmpfs. If there are
> more keys with the same encrypted password, the initscript want to ask
> once.

I don't understand the aim of this patch. why do you want to use encrypted keys for disk encryption? if this is really wanted, it should be implemented in cryptsetup itself, without the need for openssl. and the implementation should be cleaner, with support for keys on removable devices, etc.

> The other modification is from the /etc/init.d/lvm-common script.
> It changes the usermod in /dev/mapper/<cdisks>.

i don't know whether i like this idea. i believe that ownership configuration should be either done in cryptsetup directly, or at least in /etc/crypttab. in any case, /etc/default/cryptdisks is the wrong place for it.

> The tool creates a double encrypted key with 'openssl' for use with the
> cryptsetup initscript.

i'm not sure how to think about this idea. i'd like to wait for mount dm-crypt support (see bugreport #290324) and then discuss this feature with the cryptsetup upstream authors.

gebi, what do you think about it?

... jonas