On Sun, 2008-03-30 at 09:50 +0200, Dirk Heinrichs wrote: > Am Samstag, 29. März 2008 schrieb Florian Philipp: > > > My goal is to open a Luks-mapping for /var with a gpg-encrypted file > > on /boot and then open a mapping for /var/tmp with a plaintext file > > on /var. > > See below. But while we're at it, can anybody tell me what's the advantage of > a gpg-encrypted keyfile over a keyfile generated from /dev/urandom?
Keys for urandom work great for /tmp and swap but how should I use this for a partition which is supposed to keep its content between reboots? > > > I thought it would work with the following settings: > > > > /etc/conf.d/cryptfs > > It's /etc/conf.d/dmcrypt nowadays. Interesting, why is there no hint that cryptfs is deprecated/obsolete? > > > target=var > > source='/dev/mapper/vg-crypt_var' > > key='/boot/key.gpg:gpg' > > > > target=var_tmp > > source='/dev/mapper/vg-crypt_var_tmp' > > key='/var/lib/tmp_key' > > > > > > I've read the warning in /etc/conf.d/cryptfs about /usr on a separate > > partition and followed their advice. > > Which warning, btw.? Works just fine here. > "# Note when using gpg keys and /usr on a separate partition, you will # have to copy /usr/bin/gpg to /bin/gpg so that it will work properly # and ensure that gpg has been compiled statically. # See http://bugs.gentoo.org/90482 for more information." > > However, the setup doesn't work. I'm not asked for the passphrase, the > > mappings are not created. What did I forget? > > That the mappings are created all in one go before anything is mounted, so > you > can't put the keyfile for /var into /boot. The only thing that would work is > to put the keyfile on the root fs, because that's the only one that is > mounted when the mappings are created, like: > > target='c-usr' > source='/dev/evms/usr' > key='/etc/crypt/keyfile' > > Bye... > > Dirk Thanks, I'll try it.
signature.asc
Description: This is a digitally signed message part
