Root filesystem encryption patch set

Thomas Swan thomas.swan at gmail.com
Mon Apr 30 06:03:31 UTC 2007


On 4/26/07, Bill Nottingham <notting at redhat.com> wrote:
>
> Bruno Wolff III (bruno at wolff.to) said:
> > I think there had been an assumption that this person had been watching
> > the bugzilla entry for encrypted file systems and would include patches
> > posted there once people reported they were working OK. That assumption seems
> > to have been incorrect.
>
> The patches, as posted, are broken:
>
> - they introduce a new configuration file when mkinitrd already has one


Point taken, I checked and there's nothing that can't be done with the
existing config file.  So, everything is optional with
/etc/sysconfig/mkinitrd.  A new set of patches is available at the
website.  I'll be updating the instructions today or tomorrow.

> - they hardcode device names in the exact same way that /etc/crypttab
>   does, meaning that it will fail in the exact same way with hotplugged
>   drives or device ordering changes that /etc/crypttab does (and does
>   with a vengeance in any FC6 -> F7 upgrade). Considering this is the
>   root device, that's *bad*.


Current encryption support does have a drawback.  Either we can identify the
device by taking the first/last X bytes of a raw device (if they do not
change) as a UUID of sorts and scan all block devices for that "signature",
or we have to know the target to decrypt.  I'm at a loss as to how to scan all
candidate devices for said identifier.

I agree, /etc/crypttab works after mounting / and has all the drawbacks
you are mentioning.

-- 
The early bird may get the worm, but it's the second mouse that gets the
cheese.
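The scan Thomas is at a loss about is what the LUKS header's own UUID field makes possible: rather than an ad-hoc signature taken from the first or last bytes of the raw device, the header already carries a stable identifier, so an initrd can probe every candidate block device for it and open whichever one matches. The script below is an added example, not code from this thread or from the mkinitrd patch set. It assumes a LUKS1 container (6-byte magic "LUKS\xba\xbe" at offset 0, a 40-byte NUL-padded UUID string at offset 168) and deliberately uses only od, dd and tr so it could run from a minimal initrd shell; the UUIDs, device names and the fake header images built by the fixture function are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not part of the original thread or the mkinitrd patch set):
# locate the encrypted root by scanning candidate block devices for the UUID
# stored in the LUKS header, instead of hardcoding a device name.
#
# Assumptions (not stated on the page): the root volume is a LUKS1 container,
# whose on-disk header starts with the 6-byte magic "LUKS\xba\xbe" and carries
# a 40-byte NUL-padded UUID string at byte offset 168. Only od, dd and tr are
# used so the scan can run from a minimal initrd shell.

LUKS_MAGIC_HEX=4c554b53babe   # bytes "LUKS" 0xba 0xbe as printed by od -tx1
LUKS_UUID_OFFSET=168
LUKS_UUID_LEN=40

# Print the UUID from a LUKS1 header, or fail if the device has no LUKS magic.
luks_header_uuid() {
    dev=$1
    magic=$(od -An -tx1 -N6 "$dev" 2>/dev/null | tr -d ' \n')
    [ "$magic" = "$LUKS_MAGIC_HEX" ] || return 1
    dd if="$dev" bs=1 skip="$LUKS_UUID_OFFSET" count="$LUKS_UUID_LEN" 2>/dev/null \
        | tr -d '\0'
}

# find_luks_root WANTED_UUID DEV...  -> prints the first device whose header
# carries WANTED_UUID. Unreadable, non-LUKS and other-UUID devices are skipped,
# so device ordering and hotplug timing no longer decide which disk is root.
find_luks_root() {
    want=$1
    shift
    for dev in "$@"; do
        [ -r "$dev" ] || continue
        got=$(luks_header_uuid "$dev") || continue
        if [ "$got" = "$want" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# Constructed test fixture: writes a file with a minimal fake LUKS1 header
# (magic, version 1, zeroed key-setup fields, UUID at offset 168) so the scan
# can be exercised without real disks. Not a valid container for cryptsetup.
make_fake_luks_image() {
    out=$1
    uuid=$2
    {
        printf 'LUKS\272\276'                                   # magic
        dd if=/dev/zero bs=1 count=1 2>/dev/null                 # version, high byte
        printf '\001'                                            # version, low byte = 1
        dd if=/dev/zero bs=1 count=160 2>/dev/null               # cipher/hash/digest fields, zeroed
        printf '%s' "$uuid"                                      # uuid at offset 168
        dd if=/dev/zero bs=1 count=$((LUKS_UUID_LEN - ${#uuid})) 2>/dev/null  # NUL padding to 40 bytes
        dd if=/dev/zero bs=512 count=4 2>/dev/null               # a little payload area
    } > "$out"
}

# Usage from an initrd script, with the device list taken from /dev or /sys/block:
#   sh luks-scan.sh "$ROOT_UUID" /dev/sd?* /dev/hd?* /dev/md*
# and then, on success: cryptsetup luksOpen "$dev" root
if [ "$#" -gt 1 ]; then
    want=$1
    shift
    if dev=$(find_luks_root "$want" "$@"); then
        echo "encrypted root found at $dev"
    else
        echo "no readable device carries LUKS UUID $want" >&2
        exit 1
    fi
fi
```

On a real system `cryptsetup luksUUID <dev>` reports the same field, and `blkid` can search by it, but neither is guaranteed to be inside a 2007-era initrd, which is why the probe above is written against the raw header. The check is only an identity check: it tells the initrd which device to hand to cryptsetup, and the passphrase and master-key digest verification still happen inside cryptsetup, so a device that merely copies the header's UUID cannot be unlocked with it.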