Dirk Heinrichs writes:
> On Saturday, 04 July 2009 14:51:54, Alex Schuster wrote:
> > Dirk Heinrichs writes:
> > > having said that, you can even do w/o
> > > initramfs, just put everything into /boot (which should be a separate
> > > partition, then). Again, see my reply to David for the details.
> >
> > Interesting. Getting rid of initramfs looks like a simpler approach, no
> > need to fiddle with cpio in order to change things.
>
> Also with initramfs, you don't need to fiddle with cpio. The kernel build
> system does this for you.
Right. But at my first attempts I had some problems, and investigated them
by looking into /init in the initramfs. In order to understand this stuff, I
need to see it :)
> > I do not want to have to enter a password every time my machine boots,
> > so I put the key onto a stick.
>
> And how do you protect the key on the stick? What if you lose it?
It's a long sentence from The Hitchhiker's Guide To The Galaxy I can find
again. And meanwhile I also have a gpg-encrypted backup of the stick's
partition somewhere.
> > And simply made it the same for all
> > partitions. And while I was at it, for maximum security, I also put
> > /boot onto the stick. Sure, who would ever break into my house and
> > modify my boot partition, replacing the kernel with kernel+keylogger or
> > such... but then, I would probably also not need to encrypt my stuff at
> > all.
>
> Encryption doesn't protect a _running_ system, because then, all needed
> LVs are readable.
By me only. And when I leave, the screensaver kicks in and asks for a
password.
> It only protects the system while switched off (so that
> an attacker can not access your data after stealing the entire system, or
> after you sold your harddisk).
Right.
> > > Then you did something wrong. It works out of the box.
> >
> > Really? I know it does for root and swap (it works here), but how do I
> > tell the system to also luksOpen all my other LVM volumes?
>
> By listing them in /etc/conf.d/dmcrypt.
Oh, thanks. I overlooked this. Did not find this mentioned in any of the
guides I read, and I thought it only belonged to /etc/init.d/dm-crypt, which
is for baselayout 2. But I should have found it being used while editing
/lib/rcscripts/addons/dm-crypt-start.sh.
I think I will try that, then. With a little modification, I will try to add
a & after dm_crypt_execute_${SVCNAME}, so all LVMs will be opened in
parallel. Otherwise it takes a second for each LVM, and I have 12 of them.
Wonko
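As an added example, not code from the thread and not Gentoo's own dm-crypt-start.sh: a POSIX sh script that parses a constructed /etc/conf.d/dmcrypt-style file into target/source/key triples and then opens every target in the background before waiting for all of them, which is the parallel-open idea discussed above. The stanza layout (target=, source=, key= lines separated by blank lines) is assumed from the Gentoo file; `open_one` is a hypothetical stand-in for the cryptsetup luksOpen call so the script runs without any block devices.

```shell
#!/bin/sh
# Added example: parse a dmcrypt-style config and open targets in parallel.
# Constructed sample config in the target=/source=/key= stanza layout that
# /etc/conf.d/dmcrypt uses (assumed layout, not a real file).
SAMPLE_CONF='
# home and data live on the LVM volume group "vg"; key file on the stick
target=home
source=/dev/vg/home
key=/mnt/stick/key

target=data
source=/dev/vg/data
key=/mnt/stick/key
'

# Emit one "target source key" line per stanza. A stanza starts at each
# target= line; the previous stanza is flushed when the next target= line
# appears and once more at end of input. Comments and blank lines are skipped.
parse_dmcrypt() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "target" { if (t != "") print t, s, k; t = $2; s = ""; k = ""; next }
        $1 == "source" { s = $2; next }
        $1 == "key"    { k = $2; next }
        END            { if (t != "") print t, s, k }'
}

# Hypothetical stand-in for the per-target open step (the real script would
# run cryptsetup luksOpen here). It sleeps to mimic the time a real open
# takes and records the target in $LOG so the flow can be checked afterwards.
# Assumed argument order: target source key.
open_one() {
    sleep 1
    echo "opened $1 from $2 with key $3" >> "$LOG"
}

# Open all targets concurrently and return how many were opened.
# Each stanza runs in its own subshell, so the background jobs keep their own
# copy of t/s/k instead of sharing the loop variables. The loop and the wait
# sit in one { } group on the right side of the pipe: in sh that side is a
# subshell, and only that subshell can wait for the jobs it started.
open_all_parallel() {
    LOG=$(mktemp)
    parse_dmcrypt "$1" | {
        while read -r t s k; do
            ( open_one "$t" "$s" "$k" ) &
        done
        wait   # block until every background open has finished
    }
    wc -l < "$LOG" | tr -d ' '
    rm -f "$LOG"
}

# Usage: open_all_parallel "$SAMPLE_CONF"   (prints 2 for the sample above)
```

The point of the subshell per target is the trap in simply appending `&` to a command inside a `while read` loop: the backgrounded command still reads the loop's variables, which the next iteration overwrites. Two targets opened with the sample config finish in about one second total rather than one second each.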