Dirk Heinrichs writes:

> On Saturday, 04 July 2009 14:51:54, Alex Schuster wrote:
> > Dirk Heinrichs writes:
> > > having said that, you can even do w/o
> > > initramfs, just put everything into /boot (which should be a separate
> > > partition, then). Again, see my reply to David for the details.
> >
> > Interesting. Getting rid of initramfs looks like a simpler approach, no
> > need to fiddle with cpio in order to change things.
>
> Also with initramfs, you don't need to fiddle with cpio. The kernel build
> system does this for you.

Right. But at my first attempts I had some problems, and investigated them by looking into /init in the initramfs. In order to understand this stuff, I need to see it :)

> > I do not want to have to enter a password every time my machine boots,
> > so I put the key onto a stick.
>
> And how do you protect the key on the stick? What if you lose it?

It's a long sentence from The Hitchhiker's Guide To The Galaxy I can find again. And meanwhile I also have a gpg-encrypted backup of the stick's partition somewhere.

> > And simply made it the same for all
> > partitions. And while I was at it, for maximum security, I also put
> > /boot onto the stick. Sure, who would ever break into my house and
> > modify my boot partition, replacing the kernel with kernel+keylogger or
> > such... but then, I would probably also not need to encrypt my stuff at
> > all.
>
> Encryption doesn't protect a _running_ system, because then, all needed
> LVs are readable.

By me only. And when I leave, the screensaver kicks in and asks for a password.

> It only protects the system while switched off (so that
> an attacker can not access your data after stealing the entire system, or
> after you sold your harddisk).

Right.

> > > Then you did something wrong. It works out of the box.
> >
> > Really? I know it does for root and swap (it works here), but how do I
> > tell the system to also luksOpen all my other LVM volumes?
>
> By listing them in /etc/conf.d/dmcrypt.

Oh, thanks. I overlooked this. Did not find this mentioned in any of the guides I read, and I thought it only belonged to /etc/init.d/dm-crypt, which is for baselayout 2. But I should have found it being used while editing /lib/rcscripts/addons/dm-crypt-start.sh.

I think I will try that, then. With a little modification, I will try to add a & after dm_crypt_execute_${SVCNAME}, so all LVMs will be opened in parallel. Otherwise it takes a second for each LVM, and I have 12 of them.

	Wonko
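
An added example, not part of the original message and not Gentoo's own dm-crypt script: a sketch of the "open in parallel" idea that also waits for every background job and reports which mappings failed, so nothing tries to mount a volume that is not open yet. The names open_one, open_all_parallel, KEYFILE and FAILED_TARGETS are hypothetical, and the key file path is a placeholder.

```sh
#!/bin/sh
# Added example. Backgrounding each luksOpen with "&" only helps if the
# caller later waits for every job and checks its exit status.

# Hypothetical opener: <source device> <mapping name>.
# Background jobs in a non-interactive shell read stdin from /dev/null,
# so this only works with a key file, not with a passphrase prompt.
open_one() {
    cryptsetup luksOpen --key-file "${KEYFILE:-/path/to/keyfile}" "$1" "$2"
}

# open_all_parallel <opener> <source:target>...
# Starts one opener per pair in the background, waits for all of them,
# stores the names of failed mappings in FAILED_TARGETS and returns
# non-zero if any of them failed.
open_all_parallel() {
    opener=$1
    shift
    jobs_started=""
    for pair in "$@"; do
        src=${pair%%:*}
        tgt=${pair#*:}
        "$opener" "$src" "$tgt" &
        # Remember pid and mapping name together for the wait loop.
        jobs_started="$jobs_started $!:$tgt"
    done

    failed=""
    for entry in $jobs_started; do
        pid=${entry%%:*}
        tgt=${entry#*:}
        # wait <pid> returns that job's exit status, even if it has
        # already finished.
        if ! wait "$pid"; then
            failed="$failed $tgt"
        fi
    done

    FAILED_TARGETS=${failed# }
    [ -z "$failed" ]
}
```

In a boot script the mount step would run only after open_all_parallel returns zero, for example `open_all_parallel open_one /dev/vg/home:crypt-home /dev/vg/data:crypt-data` with constructed volume names.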