On 20/12/14 23:16, Diagon wrote:
>>> I use a keyfile to avoid the duplicate passphrase entry issue. The
>>> keyfile is on the USB stick. It's also inside the initramfs so that the
>>> booting kernel can also unlock the disk. It's safe because the initramfs
>>> is on an encrypted volume.
> John - does this mean that in your case, you never have to enter a
> passphrase? That is, it appears the keyfile on the USB opens your /boot, and
> then the keyfile in the initramfs opens your root.

that's right.

> I am a little leery of putting the keyfile on the USB. So if I were to just
> use:
>
> insmod luks
> cryptomount -H (hd0,1)/header hd1,1
>
> along with the keyfile in the initramfs, then I would be asked for the
> password only once, by grub, correct?

yes

> I'm not a guy who knows a lot about crypto, though I am aware that it can be
> quite delicate. So I do have to wonder about the safety of having the key
> sitting around on disk (in the initramfs) while the OS is running. Once
> decrypted by cryptomount, is there any way to pass that key on to the kernel?
> Is this even feasible?

I don't believe it's possible for the bootloader to pass an encryption key to the Linux kernel. I believe BSD lets you do that but not Linux. Doing so would be the sensible approach and I would do it if I could...

You should chmod 600 your initrd in /boot and chown it to root if you haven't done so already. I think any encryption scheme falls back to the protection offered by the OS when it is unlocked. I guess your comfort level falls in line with your paranoia level. I'm personally not at the point where someone accessing a root-protected file on a running system is a major concern. If someone's in my running system I'd have bigger things to worry about ;)

> [...]
>
>> Whenever I update my OS, it installs new kernel and initramfs to /boot,
>> totally oblivious to how those files
>> get used.
> It may be me missing something, but it has appeared to me that at times the
> Ubuntu updater has updated grub; though it's possible I could be mistaken.

it probably likes to regenerate grub.cfg whenever the kernel is updated but Grub itself doesn't change that often. That said, I don't use debian. I use Arch where you're more "on your own" anyway...

> /D
>
_______________________________________________
Help-grub mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-grub
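The chmod 600 / chown root advice above only holds until the next kernel update rewrites the image, so a small check that lists initramfs images readable by anyone other than their owner is worth keeping around. This is an added example, not a script from the thread or from GRUB; it assumes GNU stat (Linux), that images are named initrd* or initramfs*, and takes the boot directory and the expected owner (default root) as arguments.

```sh
# Added example, not code from the thread. Prints one line for every
# initramfs image in a boot directory whose mode grants group or other
# access, or whose owner is not the expected account.
# Assumes GNU stat (Linux). Arguments: directory, expected owner (default root).
insecure_initrd_images() {
    dir=$1
    owner=${2:-root}
    for f in "$dir"/initrd* "$dir"/initramfs*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        own=$(stat -c '%U' "$f")
        perm=$(printf '%s' "$mode" | tail -c 3)   # drop any setuid/setgid/sticky digit
        group_bits=$(printf '%s' "$perm" | cut -c2)
        other_bits=$(printf '%s' "$perm" | cut -c3)
        if [ "$group_bits" != 0 ] || [ "$other_bits" != 0 ] || [ "$own" != "$owner" ]; then
            printf '%s mode=%s owner=%s\n' "$f" "$mode" "$own"
        fi
    done
}

# Number of images flagged by insecure_initrd_images; always exits 0.
count_insecure_initrd_images() {
    insecure_initrd_images "$1" "$2" | wc -l | tr -d ' '
}

# Demo on a constructed boot directory (sample files, not a real /boot).
demo_dir=$(mktemp -d)
touch "$demo_dir/initrd.img-5.10.0-sample" "$demo_dir/initramfs-linux-sample.img"
chmod 600 "$demo_dir/initrd.img-5.10.0-sample"     # hardened as the thread advises
chmod 644 "$demo_dir/initramfs-linux-sample.img"   # common default: world-readable
insecure_initrd_images "$demo_dir" "$(id -un)"     # only the 644 image is listed
rm -rf "$demo_dir"
```

Run it against /boot after every kernel or initramfs update (or from a pacman/apt hook) so a regenerated image that came back world-readable gets noticed.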
