Salvatore Iovene (<[EMAIL PROTECTED]>) wrote:

> I have more than one encrypted partition (using dm-crypt), and so, at
> boot time, I'm prompted for all of their passphrases.
>
> Is there a way to set a sort of master passphrase so that I'll only
> input it once?
Yes and no. What you can do:

- Create one big partition, and encrypt it. Build an LVM on that partition
  and divide it as you want. That way you will only need one password,
  which unlocks the big partition that holds the LVM.

- Store keyfiles on the first encrypted partition. Enter the password for
  that partition, tell cryptsetup that this partition needs to be mounted
  for the other ones to be accessed.

> Another question: is there a way to use a USB pendrive to store the
> information needed to LUKS to decrypt the partitions? (so that I
> wouldn't have to fill in any password, just plug the USB pendrive)

Yes, there is. For any partition *except* the root partition, you need to
make the following changes:

- add the key to the LUKS partitions using cryptsetup luksAddKey
- make an entry for your stick in your fstab, e.g. /media/key
- copy the keyfile to the stick, e.g. to /media/key/keyfile
- change your crypttab to use the keyfile, e.g.

  usr-crypt /dev/hda7 /media/key/keyfile luks

- change CRYPTDISKS_MOUNT in /etc/defaults/cryptsetup to include your USB
  stick, e.g. CRYPTDISKS_MOUNT="/media/key"
- rebuild your initrd using update-initramfs -u

As far as I know using a key on a USB stick for your root partition is a
little more complicated. I needed to make the following extra changes:

- change /etc/initramfs-tools/modules to make sure initramfs includes the
  necessary modules for the fat file system and codepages (not needed if
  you use ext2 as the file system on your stick; usb mass storage and scsi
  disk support were included by default). I had to add the following
  lines:

  nls_cp437
  nls_iso8859_1
  vfat

- write a keyscript that takes care of mounting the stick, gets the key
  file, writes it to stdout and unmounts the stick.

  The script I use is this one:

  #!/bin/sh
  modprobe usb-storage    # load usb mass storage driver
  sleep 5                 # wait for recognized devices to settle
  # only the key itself may reach stdout, cryptsetup reads it from there;
  # the mkdir/mount/umount chatter therefore goes to stderr
  mkdir /keydev 1>&2
  mount -t vfat -o ro,umask=077 /dev/sda1 /keydev 1>&2
  cat /keydev/key
  umount /keydev 1>&2

  Note that all normal output is redirected to stderr so it doesn't get
  mixed up with the key file.

- save the keyscript to /sbin and change the crypttab entry for my root
  partition:

  root_crypt /dev/hda6 none luks,keyscript=/sbin/keyscript

  Note that using /sbin is not required, you can save the keyscript
  anywhere you like and adapt your crypttab accordingly.

- rebuild the initrd using update-initramfs -u. It will include your
  keyscript automatically, no need to copy anything on your own.

That's it.

Another thing you should keep in mind when changing crypto settings for
your root partition: when you do something wrong and rebuild the initrd,
after rebooting you won't be able to mount the root partition anymore,
except with the help of some external Linux system, e.g. from a live CD
like grml or knoppix. Keep a backup of your initrd with the settings still
using passwords and add an entry for it to your boot loader configuration -
that way as long as you are not sure that everything works you can still
boot into your system using your passwords. Took me more than an hour of
rebooting grml, cryptsetupping, mounting, chrooting my root fs and
rebuilding initrds until I had the idea to do it another way.

regards
Andreas Janssen

-- 
Andreas Janssen <[EMAIL PROTECTED]>
PGP-Key-ID: 0xDC801674 ICQ #17079270 Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html
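Since a typo in crypttab, fstab or CRYPTDISKS_MOUNT only shows up at the next boot, here is a check you can run before update-initramfs -u. It is an added example, not a script from Andreas's mail or from the cryptsetup package; the function name check_crypt_config and the convention of passing the crypttab path, the fstab path and the CRYPTDISKS_MOUNT value as arguments are my own.

```shell
#!/bin/sh
# Added example, not from the original mail. Checks that every crypttab entry
# that relies on a keyfile or keyscript is consistent with fstab and
# CRYPTDISKS_MOUNT, so the mistake is caught before update-initramfs -u
# rather than at the next boot.
#
# usage: check_crypt_config /etc/crypttab /etc/fstab "$CRYPTDISKS_MOUNT"
# Prints one line per problem found; exit status 0 means nothing was found.
check_crypt_config() {
    crypttab=$1; fstab=$2; mounts=$3
    problems=0
    while read -r target source key options; do
        case "$target" in ''|\#*) continue ;; esac   # blank or comment line
        case ",$options," in
        *,keyscript=*)
            # a keyscript supplies the key itself; it must exist and be executable
            script=${options##*keyscript=}; script=${script%%,*}
            if [ ! -x "$script" ]; then
                echo "$target: keyscript $script is missing or not executable"
                problems=$((problems + 1))
            fi
            continue ;;
        esac
        if [ "$key" = none ]; then continue; fi   # passphrase prompt, nothing to check
        # the keyfile must sit below one of the CRYPTDISKS_MOUNT directories ...
        mp=
        for m in $mounts; do
            case "$key" in "$m"/*) mp=$m ;; esac
        done
        if [ -z "$mp" ]; then
            echo "$target: keyfile $key is not under CRYPTDISKS_MOUNT ($mounts)"
            problems=$((problems + 1))
            continue
        fi
        # ... and that directory needs an fstab entry so cryptdisks can mount it
        if ! awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "$fstab"
        then
            echo "$target: $mp is in CRYPTDISKS_MOUNT but has no fstab entry"
            problems=$((problems + 1))
        fi
    done < "$crypttab"
    [ "$problems" -eq 0 ]
}
```

The check only reads the three inputs; it does not touch the stick, the initrd or the LUKS headers, so it is safe to run as often as you like while editing.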