On Wed, 2014-01-01 at 05:48 +0100, Mourad De Clerck wrote:
> So last time I tried, this just worked - my rootfs got mounted using a
> keyscript in the initramfs, and there were no problems, not a peep from
> systemd when it took over, no re-setup or anything.

Sure... but that applies, AFAIU, only to the stuff mounted from within the initramfs (at most: rootfs / resume-fs).

While I think that for most attack scenarios where on-disk encryption makes sense (the notable exception being: coincidental theft of your device), a fully encrypted system (i.e. including the root-fs) is the only thing that makes sense... it's still necessary to support additional encrypted devices being brought up during boot (which is AFAIU then systemd's task).

I've added a few thoughts to #618862, with things that IMHO are necessary to get proper keyscript support with systemd.

> Stacking causes no problems in my experience. There are of course still
> problems with devices that aren't mounted in the initramfs but still
> need some keyscript (f.e. decrypt_derived comes to mind).

Well, from inside the initramfs this definitely does not work out of the box... since the initramfs scripts expect a specific order (i.e. MDADM first, and so on... and especially the lvm scripts are kinda bogus).

Not that it would make much sense to put dmcrypt below MDADM (in the meantime not even performance-wise)... security-wise this might even be disastrous.

Cheers,
Chris.