On Wed, 28 Jun 2017 at 08:09:21 -0700 Rick Moen <r...@linuxmafia.com> wrote:
> Quoting Stephan Seitz (stse+dev...@fsing.rootsland.net):
>
> > > That the kernel can’t find the root filesystem if it is encrypted?
> >
> > And the kernel lacks the capability to ask you for the password.
>
> If you're correct that a kernel cannot find an encrypted rootfs, then by
> the same token it cannot find an encrypted initrd, either. So, what
> have you really gained?

The initramfs does not need to be encrypted, because it does not have the key to decrypt the HD. It has the routine that prompts for the decryption key and uses it to decrypt the root partition.

> In any event, I think you are incorrect. Here's a runthrough that Pavel
> Kogan wrote, and nothing he describes requires an initrd. He _does_
> use a RAMdisk to store the keyfile after booting, but that's a different
> matter. http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

Here are the relevant lines:

    I tried various methods to get GRUB to load the keyfile into memory and pass it to the kernel, without success. Then, I realised that the initrd image is itself something GRUB loads into memory, and mkinitcpio.conf has a very convenient FILES option…

    FILES=/crypto_keyfile.bin

    Run mkinitcpio again, and when you reboot, you’ll only need to enter your password once.

>> >Anyway, I don't want to encrypt all discs on my Linux server for
>>
>> Well, server may be a special case.
>
> It's funny how all the new Linux kiddies keep wanting to dismiss what
> I've been doing since 1993 on Linux (and since the 1980s on other
> *nixes) as a 'special case'.

Servers are indeed a different matter. They are usually not kept at home, rather in a secure, dedicated and protected environment. Thus they are less susceptible to being:

1) stolen in a house burglary;
2) impounded during a police raid on your home.

And you usually do not travel with your server inside your case, as opposed to what you do with your laptop.
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
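
An added example, not part of the thread or of the linked post: anything listed in FILES is copied into the initramfs image, so whoever can read that image can extract the keyfile. The check below reports a group- or world-accessible keyfile or image. The function names and the root-prefix argument are hypothetical, and it assumes every FILES entry is key material and that paths contain no spaces.

```shell
#!/bin/sh
# Added example: audit permissions around a keyfile embedded via
# FILES= in mkinitcpio.conf. All names here are hypothetical.

mode_of() {  # octal permission bits: GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

too_open() {  # true when group or others hold any permission bit
    m=$(mode_of "$1") || return 1
    case "$m" in
        0|*00) return 1 ;;
        *)     return 0 ;;
    esac
}

files_from_conf() {  # accepts FILES=/a, FILES="/a /b" and FILES=(/a /b)
    sed -n 's/#.*//; s/^[[:space:]]*FILES=//p' "$1" |
        tr -d "()\"'" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# audit_keyfiles ROOT CONF IMAGE...
# ROOT is prefixed to each FILES path ("" on the live system).
# Prints one finding per line and returns 1 if there is any finding.
audit_keyfiles() {
    root=$1 conf=$2; shift 2
    rc=0 embedded=0
    for f in $(files_from_conf "$conf"); do
        embedded=1
        if [ ! -e "$root$f" ]; then echo "MISSING $f"; rc=1
        elif too_open "$root$f"; then echo "KEYFILE_READABLE $f"; rc=1
        fi
    done
    # An image with nothing embedded holds no secret: skip the image check.
    [ "$embedded" -eq 1 ] || return 0
    for img in "$@"; do
        if too_open "$img"; then echo "IMAGE_READABLE $img"; rc=1; fi
    done
    return "$rc"
}

# Stand-alone use: sh audit.sh "" /etc/mkinitcpio.conf /boot/initramfs-linux.img
if [ "$#" -ge 2 ]; then audit_keyfiles "$@"; fi
```

A finding on the image matters even when the keyfile itself is mode 600, because the image carries a copy of it.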