encrypted swap question
Chris Snook
csnook at redhat.com
Tue Sep 23 16:37:49 UTC 2008
Dan Mitton wrote:
> At Monday 9/22/2008 09:39 AM, Chris Snook wrote:
>> DanMitton wrote:
>>> So, is it possible to read the passphrase from a USB drive at boot
>>> time?? :-?
>>
>> The proper way to do it is to read a *key* from a USB drive at boot
>> time. In F8 it didn't take too much hacking in /etc/rc.sysinit to
>> load the USB storage modules, wait a few seconds to detect the drive,
>> mount it, and then do the luks magic to unlock the LVM partition. I
>> haven't tried in F9. It would be really nice to have this supported
>> by the installer.
>>
>> -- Chris
>
> Chris, Thanks for your reply. I'm not exactly following... what good
> is hacking /etc/rc.sysinit, since it would be encrypted and unreadable
> at boot time?? Do I have to rebuild the boot image? What is the "luks
> magic" (I guess that's why it's magic)? I agree, this would be a very
> nice feature to be supported by the installer. Can you be more specific
> about what needs to go where?
>
> Thanks,
>
> Dan
I just remembered, I put /home, /var, and swap in an encrypted PV. Root was not
encrypted. We would need initrd magic, not rc.sysinit magic, to handle the
root-on-LVM case. I recall thinking that the ideal case, for how I wanted to
use it, was to embed the key in the initrd, such that you could put /boot on a
USB key, and put the entire internal disk in an encrypted PV. Then, if you're
traveling in a hostile security environment, you could mail your key to your
destination, and there's no passphrase to divulge. We'd need to teach HAL about
removable media with custom fstab mountpoints, but we really need to do that anyway.
-- Chris
More information about the fedora-list
mailing list