On Sunday 05 July 2009 20:26:23 Alex Schuster wrote:
> > The LUKS key isn't stored as cleartext, it's encrypted.
>
> Um, I mean the passphrase I specify with --key-file to cryptsetup. Or which
> would be asked at the prompt if I would not give it.
OK, now I get it. But those are two different beasts. The keyfile is usually
one that consists of random data (created by reading from /dev/urandom). If you
don't protect that by some means, you don't gain any security.
The one you're asked for at the prompt is more like a password/-phrase.
So here's what I do, as an example:
I've got a small unencrypted /boot which holds the kernel and enough Linux to
open the LUKS encrypted root LV. So I'm prompted for the passphrase to unlock
it. Once unlocked and mounted, I get access to the random data keyfile stored
in /etc which is used to unlock all other LVs automatically.
Bye...
Dirk
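The two-stage setup Dirk describes (passphrase for the root LV, a random keyfile kept on the unlocked root for the remaining LVs) as an added shell example. This is not code from the thread or from cryptsetup's own documentation; the device path /dev/vg/home, the key directory /etc/keys and the mapper name "home" are assumptions for illustration. The part that needs root and a real LUKS device is isolated in one function; everything else runs offline in a temporary directory, including the check that the keyfile is actually protected, which is the point of the "you don't gain any security" remark.

```sh
#!/bin/sh
# Added example, not from the original thread. Creates a random LUKS keyfile,
# keeps it owner-read-only so it is useless to anyone who cannot already read
# the unlocked root filesystem, enrols it as an extra key slot, and emits the
# /etc/crypttab line that unlocks the LV automatically at boot.
# Assumed names: /dev/vg/home (LUKS device), /etc/keys (key directory), "home".

set -eu

KEYDIR="${KEYDIR:-/etc/keys}"   # on the encrypted root: readable only after it is unlocked

# make_keyfile PATH [BYTES]: fill PATH with BYTES of /dev/urandom data (default
# 4096), mode 0400. umask is set before creation so the file never exists with
# a permissive mode, not even briefly.
make_keyfile() {
    path=$1; bytes=${2:-4096}
    ( umask 077; dd if=/dev/urandom of="$path" bs="$bytes" count=1 2>/dev/null )
    chmod 0400 "$path"
}

# keyfile_protected PATH: succeed only if PATH is a regular file readable by
# its owner alone and holds at least 32 bytes of key material.
keyfile_protected() {
    path=$1
    [ -f "$path" ] || return 1
    mode=$(ls -ld "$path" | cut -c1-10)          # e.g. -r--------
    case "$mode" in
        -r--------|-rw-------) ;;
        *) return 1 ;;
    esac
    size=$(wc -c < "$path" | tr -d ' ')
    [ "$size" -ge 32 ]
}

# crypttab_line NAME SOURCE KEYFILE: one /etc/crypttab entry
# (<target> <source device> <key file> <options>).
crypttab_line() {
    printf '%s %s %s luks\n' "$1" "$2" "$3"
}

# enrol_keyfile DEVICE KEYFILE: add KEYFILE as a further key slot. cryptsetup
# prompts for an existing passphrase to authorise the new slot, then the
# --test-passphrase call confirms the keyfile alone really opens the device.
# Needs root and a real LUKS device, so it refuses to run otherwise.
enrol_keyfile() {
    [ "$(id -u)" -eq 0 ] || { echo "enrol_keyfile: needs root" >&2; return 1; }
    cryptsetup luksAddKey "$1" "$2"
    cryptsetup luksOpen --test-passphrase --key-file "$2" "$1"
}

# demo: the offline part, in a scratch directory. The 0644 copy is exactly the
# unprotected keyfile the thread warns about.
demo() {
    tmp=$(mktemp -d)
    make_keyfile "$tmp/home.key"
    keyfile_protected "$tmp/home.key" && echo "home.key: protected"
    cp "$tmp/home.key" "$tmp/leaky.key"; chmod 0644 "$tmp/leaky.key"
    keyfile_protected "$tmp/leaky.key" || echo "leaky.key: NOT protected"
    crypttab_line home /dev/vg/home "$KEYDIR/home.key"
    rm -rf "$tmp"
}

demo
```

On a real system the order is: unlock root with the passphrase, then as root run make_keyfile "$KEYDIR/home.key" (with /etc/keys itself mode 0700), enrol_keyfile /dev/vg/home "$KEYDIR/home.key", and append the crypttab_line output to /etc/crypttab. The passphrase slot stays in place, so the LV remains openable if the keyfile is ever lost.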