Patrick Schoenfeld <[email protected]> 2010-09-26 13:04:
> Hi,
>
> On Sun, Sep 26, 2010 at 01:00:46AM +0200, Michael Tautschnig wrote:
> > Indeed, it was easy :-) - as of 4.0~beta2+experimental17 you should be able to
> > use
> >
> > luks:"Your passphrase" / ...
> >
> > instead of just "luks" to get a device encrypted with the passphrase of your
> > choice. The crypttab then has "none" for the keyfile name, which should make it
> > ask you for a passphrase at bootup. Big fat WARNING: this is untested, but
> > testing would be much appreciated :-)
>
> it seems that the implementation is wrong. I can see from the log that
> it uses the passphrase to generate a key file. That is not right.
> Unfortunately I see the dilemma. You either have to specify a keyfile
> to luksFormat or enter the passphrase on generation, which will not work
> without using expect or something.
>
> My suggestion:
> - Use the keyfile to init the device
> - After that: Add the passphrase via cryptsetup luksAddKey
> - Remove the slot with the keyfile from luks
> - Generate the crypttab in the way you've described
>
> I know it's kind of ugly but probably the only way to go without
> expect'ing the input of luksFormat.
>
> Regards,
> Patrick
Late to the party...

One other thing I had done a while ago is to randomly generate the passphrase (via pwgen) and email it to the "root user" along with the set of commands necessary for them to change it. Obviously who the "root user" is would have to be set somewhere and the NFSROOT built with that support.

I'd also left the key file there rather than removing it, somewhat as a fallback in case the passphrase was forgotten. I could see this being nice to have as a switch option (eg: lukskeyfile:generate+leave).

Brian
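The four steps Patrick proposes (format with a keyfile, luksAddKey the passphrase, remove the keyfile slot, write a crypttab entry with "none"), together with Brian's variant of generating the passphrase with pwgen, mailing it to root and optionally leaving the keyfile in place, as one added shell example. This is not FAI or setup-storage code and not what either poster ran: the function names, the DRY_RUN switch (which only prints the command plan, so it can be exercised without root or a block device) and the "root" mail alias are this example's own assumptions. It uses cryptsetup luksRemoveKey with the keyfile to drop exactly the slot the keyfile opens, and relies on cryptsetup reading the new passphrase from stdin when stdin is not a terminal, which is what makes luksAddKey work without expect(1).

```shell
#!/bin/sh
# Added example (not FAI/setup-storage code): non-interactive LUKS setup in
# the order Patrick suggests, plus Brian's generated-passphrase and
# keep-the-keyfile variant. Function names and the DRY_RUN switch are
# assumptions of this example, not options of any existing tool.
set -eu

# run CMD...: execute CMD, or with DRY_RUN=1 only print the command line so
# the plan can be checked without root or a real block device.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# run_stdin INPUT CMD...: like run, but feed INPUT on stdin without a trailing
# newline. cryptsetup reads a passphrase from stdin when stdin is not a tty,
# which is what avoids the expect(1) dance for luksAddKey.
run_stdin() {
    input=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '<stdin> | %s\n' "$*"
    else
        printf '%s' "$input" | "$@"
    fi
}

# gen_passphrase: random passphrase via pwgen (Brian's approach); falls back
# to /dev/urandom + base64 when pwgen is not installed.
gen_passphrase() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -s 20 1
    else
        head -c 18 /dev/urandom | base64 | tr -d '\n'
    fi
}

# crypttab_line NAME DEVICE: "none" as the key file makes the initramfs
# prompt for the passphrase at boot.
crypttab_line() {
    printf '%s %s none luks\n' "$1" "$2"
}

# luks_setup NAME DEVICE KEYFILE PASSPHRASE [leave]
#  1. luksFormat non-interactively with a fresh random keyfile (slot 0)
#  2. luksAddKey: add PASSPHRASE to slot 1, authorised by the keyfile
#  3. luksRemoveKey: drop the keyfile slot, unless "leave" keeps it as a
#     fallback (Brian's generate+leave idea)
#  4. print the crypttab entry
luks_setup() {
    name=$1; dev=$2; keyfile=$3; pass=$4; leave=${5:-}

    # step 1: 2048-byte keyfile readable only by root, then format with it
    ( umask 077; run dd if=/dev/urandom of="$keyfile" bs=512 count=4 )
    run cryptsetup --batch-mode luksFormat --key-slot 0 --key-file "$keyfile" "$dev"

    # step 2: new passphrase arrives on stdin, existing key via --key-file
    run_stdin "$pass" cryptsetup luksAddKey --key-slot 1 --key-file "$keyfile" "$dev"

    # step 3: remove exactly the slot that the keyfile opens, then the file
    if [ "$leave" != leave ]; then
        run cryptsetup luksRemoveKey "$dev" "$keyfile"
        run rm -f "$keyfile"
    fi

    # step 4
    crypttab_line "$name" "$dev"
}

# notify_root NAME PASSPHRASE: mail the generated passphrase and the command
# to replace it (Brian's suggestion); "root" is an assumed local mail alias.
notify_root() {
    msg="LUKS passphrase for $1: $2
Change it with: cryptsetup luksChangeKey <device>"
    run_stdin "$msg" mail -s "LUKS passphrase for $1" root
}

# Entry point: luks_setup NAME DEVICE KEYFILE [leave]; passphrase is generated.
if [ $# -ge 3 ]; then
    pass=$(gen_passphrase)
    luks_setup "$1" "$2" "$3" "$pass" "${4:-}"
    notify_root "$1" "$pass"
fi
```

Run it as root against a real device, e.g. `sh luks-nonint.sh crypt_sda2 /dev/sda2 /root/sda2.key >> /etc/crypttab`, or with `DRY_RUN=1` first to see the command plan; the passphrase itself never appears in the dry-run output. The "leave" mode keeps slot 0 open to whoever can read the keyfile, which is the fallback Brian describes and the trade-off it implies.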
