On Saturday, 29 March 2008, Florian Philipp wrote:

> My goal is to open a Luks-mapping for /var with a gpg-encrypted file
> on /boot and then open a mapping for /var/tmp with a plaintext file
> on /var.

See below. But while we're at it, can anybody tell me what's the advantage of 
a gpg-encrypted keyfile over a keyfile generated from /dev/urandom?

> I thought it would work with the following settings:
>
> /etc/conf.d/cryptfs

It's /etc/conf.d/dmcrypt nowadays.

> target=var
> source='/dev/mapper/vg-crypt_var'
> key='/boot/key.gpg:gpg'
>
> target=var_tmp
> source='/dev/mapper/vg-crypt_var_tmp'
> key='/var/lib/tmp_key'
>
>
> I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
> partition and followed their advice.

Which warning, btw? Works just fine here.

> However, the setup doesn't work. I'm not asked for the passphrase, the
> mappings are not created. What did I forget?

That the mappings are created all in one go before anything is mounted, so you 
can't put the keyfile for /var into /boot. The only thing that would work is 
to put the keyfile on the root fs, because that's the only one that is 
mounted when the mappings are created, like:

target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'

Bye...

        Dirk
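
An added example, not from this thread: a small POSIX shell check that reads a dmcrypt-style config (constructed here to mirror the one quoted above, with a constructed fstab mount-point list) and flags every keyfile that does not live on the root filesystem, the only one mounted when the mappings are created. Mount points would normally be taken from /etc/fstab.

```shell
# Constructed sample /etc/conf.d/dmcrypt, modelled on the question's config
# plus the working root-fs entry from the reply.
DMCRYPT_CONF=$(cat <<'EOF'
target=var
source='/dev/mapper/vg-crypt_var'
key='/boot/key.gpg:gpg'
target=var_tmp
source='/dev/mapper/vg-crypt_var_tmp'
key='/var/lib/tmp_key'
target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'
EOF
)

# Constructed fstab mount points (whitespace separated).
MOUNTPOINTS='/ /boot /var /var/tmp /usr'

# Print the mount point from $2 that holds path $1: the longest mount point
# that is a prefix of the path; falls back to / when nothing else matches.
mountpoint_of() {
    best=/
    for mp in $2; do
        case "$1" in
            "$mp"|"$mp"/*) [ ${#mp} -gt ${#best} ] && best=$mp ;;
        esac
    done
    printf '%s\n' "$best"
}

# Read a dmcrypt config on stdin and report every key that is not on the
# root fs. Returns 1 if any such key was found, 0 otherwise.
check_keys() {
    rc=0; target=
    while IFS= read -r line; do
        case "$line" in
            target=*) t=${line#target=}; t=${t#\'}; target=${t%\'} ;;
            key=*)
                k=${line#key=}; k=${k#\'}; key=${k%\'}   # drop surrounding quotes
                key=${key%%:*}                          # drop the ":gpg" mode suffix
                mp=$(mountpoint_of "$key" "$MOUNTPOINTS")
                [ "$mp" = / ] || { echo "$target: key $key is on $mp, not mounted when dmcrypt runs"; rc=1; } ;;
        esac
    done
    return $rc
}

printf '%s\n' "$DMCRYPT_CONF" | check_keys || echo "move those keyfiles onto the root fs"
```

Only the c-usr entry passes; the two keys under /boot and /var are reported, matching the explanation in the reply.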
