On 19/12/14 08:04, Andrei Borzenkov wrote:
> On Thu, 18 Dec 2014 23:28:08 -0800
> Diagon <[email protected]> writes:
>
>> ---- On Thu, 18 Dec 2014 22:15:32 -0800 Andrei
>> Borzenkov <[email protected]> wrote ----
>> > On Thu, 18 Dec 2014 16:52:46 -0800
>> > Jordan Uggla <[email protected]> writes:
>>
>> > > Grub can read files from LUKS and GELI volumes, but only FreeBSD's
>> > > kernel currently has a protocol for passing credentials from grub to
>> > > the kernel, so if you're using GNU/Linux and you use grub's LUKS
>> > > support to read your kernel from your LUKS encrypted root, you will
>> > > need to enter your password twice at boot: Once for grub, and again
>> > > for linux.
>>
>> > There are patches to support use of keyfile; this could improve the
>> > situation by allowing a shared keyfile between GRUB and Linux and
>> > unattended decryption.
>>
>> That's interesting. Could you point me to the patches?
>>
> http://grub.johnlane.ie/
>
>> Andrei - Jordan doesn't see a use case for this, though in my point of view
>> I just want to get as much into my encrypted disk as possible, leaving as
>> little visible as I can. Do you have a view on this?
>
> I would not do it myself, but I see it as a valid use case.
>
> _______________________________________________
> Help-grub mailing list
> [email protected]
> https://lists.gnu.org/mailman/listinfo/help-grub

I thought I'd mention my specific use-case for using crypto routines in Grub.
I have some devices that are configured to boot from a USB drive that I keep attached to my keys and, usually, in my pocket :)

These devices contain encrypted disks that have no boot sectors and cannot boot themselves. The unlocked disks are LVM and contain a root logical volume. This has a "/boot" directory containing the kernel and initramfs images.

Booting Grub from the USB uses "cryptomount" to unlock the encrypted disk and this allows Grub's LVM to activate the root volume. Grub then uses the images in "/boot" on that volume to boot the system. There is no need to maintain copies of the boot images on the USB drive.

I use a keyfile to avoid the duplicate passphrase entry issue. The keyfile is on the USB stick. It's also inside the initramfs so that the booting kernel can also unlock the disk. It's safe because the initramfs is on an encrypted volume.

By having "/boot" on the root volume, it's easy to perform system updates in-situ without having to worry about copying images onto the USB stick (which may not be physically present when such an update is performed).

I also use detached LUKS headers and keep them separately too.
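The boot flow described above (USB stick carrying GRUB, keyfile and detached header; LUKS disk with no boot sector; LVM root holding /boot), written out as a grub.cfg. This is an added example, not John Lane's own configuration. Every UUID, path and volume name in it is a placeholder, and the `-k` (key file) and `-H` (detached header) options of `cryptomount` come from the patches at grub.johnlane.ie, later merged upstream in GRUB 2.12; a stock older GRUB has neither option and will only prompt for a passphrase.

```grub
# grub.cfg on the USB stick (added example; all identifiers are placeholders).
#
# Assumed layout:
#   USB stick:      /keys/disk.key (LUKS keyfile), /keys/disk.hdr (detached header)
#   Encrypted disk: LUKS UUID 11111111222233334444555555555555, no partition table
#                   needed for booting, no boot sector
#   Inside LUKS:    LVM volume group "vg0", logical volume "root" whose filesystem
#                   UUID is aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee, with /boot on it

insmod part_msdos
insmod part_gpt
insmod luks        # LUKS1; a LUKS2 volume needs "insmod luks2" (GRUB 2.06+)
insmod lvm
insmod ext2

# Locate the stick by a file it carries rather than hard-coding (hd0,msdos1):
# the BIOS may enumerate the stick differently on different machines.
search --no-floppy --file --set=usb /keys/disk.key

# Unlock by LUKS UUID (given without dashes so both old and new GRUB match it),
# reading the key from the stick and the header from the detached copy, so the
# encrypted disk itself need not contain a LUKS header at all.
cryptomount -u 11111111222233334444555555555555 -k (${usb})/keys/disk.key -H (${usb})/keys/disk.hdr

# Once the mapping exists, GRUB's LVM module can see vg0; find the root LV by
# filesystem UUID so the menu entry does not depend on LVM naming.
search --no-floppy --fs-uuid --set=root aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

menuentry 'GNU/Linux (LUKS root unlocked via USB keyfile)' {
    # Kernel and initramfs are read from /boot on the root LV itself, so a
    # normal in-place kernel update needs nothing copied to the stick.
    # The initramfs must carry the same keyfile (and header) to unlock the disk
    # a second time for the kernel; the exact cryptsetup/LVM kernel parameters
    # it expects are distribution-specific and are omitted here.
    linux  /boot/vmlinuz root=/dev/mapper/vg0-root ro
    initrd /boot/initrd.img
}
```

Before relying on the stick, it is worth confirming from a running system that the keyfile and detached header actually open a keyslot on the disk, for example with `cryptsetup open --test-passphrase --key-file /keys/disk.key --header /keys/disk.hdr /dev/sdX` (device placeholder), which checks the slot without creating a mapping. Two operational points follow from the design: the stick now holds both the key and the header, so losing it means losing the only copy of the header unless a backup is kept elsewhere, and the keyfile embedded in the initramfs is protected only for as long as the root volume itself is locked.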
