On Sunday 05 July 2009 20:26:23, Alex Schuster wrote:

> > The LUKS key isn't stored as cleartext, it's encrypted.
>
> Um, I mean the passphrase I specify with --key-file to cryptsetup. Or the one
> that would be asked for at the prompt if I did not give it.
OK, now I get it. But those are two different beasts. The keyfile is usually one that consists of random data (created by reading from /dev/urandom). If you don't protect that by some means, you don't gain any security. The one you're asked for at the prompt is more like a password or passphrase.

So here's what I do, as an example: I've got a small unencrypted /boot which holds the kernel and enough Linux to open the LUKS-encrypted root LV. So I'm prompted for the passphrase to unlock it. Once unlocked and mounted, I get access to the random-data keyfile stored in /etc, which is used to unlock all other LVs automatically.

Bye...
Dirk
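The setup Dirk describes, as an added example that is not part of the original thread: a script that creates a random keyfile from /dev/urandom with restrictive permissions, checks that it is actually protected, and prints the /etc/crypttab lines for the LVs opened with it once the passphrase-unlocked root (and so /etc) is available. The keyfile path, size, volume-group and mapping names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Creates and checks a
# random LUKS keyfile of the kind described (read from /dev/urandom); an
# unprotected keyfile adds no security, so protection is checked explicitly.

KEYFILE_BYTES=4096   # assumed size; anything well above the key length is fine

# Create a keyfile at $1 filled with KEYFILE_BYTES of random data. umask 077
# means the file is never group/world-readable, not even between creation
# and the final chmod.
make_keyfile() {
    keyfile=$1
    ( umask 077 && head -c "$KEYFILE_BYTES" /dev/urandom > "$keyfile" ) || return 1
    chmod 0400 "$keyfile"
}

# Return 0 if $1 exists, has exactly KEYFILE_BYTES bytes and is readable by
# its owner only; return 1 otherwise. Run this before trusting a keyfile
# that lives on the passphrase-unlocked root filesystem.
check_keyfile() {
    keyfile=$1
    [ -f "$keyfile" ] || return 1
    size=$(wc -c < "$keyfile" | tr -d ' ')
    [ "$size" -eq "$KEYFILE_BYTES" ] || return 1
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$keyfile" 2>/dev/null || stat -f '%Lp' "$keyfile")
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Print /etc/crypttab lines for the volumes unlocked automatically with the
# keyfile in $1 after root is open. Mapping names and devices are assumed.
crypttab_lines() {
    keyfile=$1
    printf '%s\n' \
        "home  /dev/vg0/home  $keyfile  luks" \
        "data  /dev/vg0/data  $keyfile  luks"
}

# Enrolling the keyfile into a key slot of each LV needs root and a real
# device, so it is not run here; the command is:
#   cryptsetup luksAddKey /dev/vg0/home /etc/luks/home.key
```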