FC7 plan comments

Kevin Fenzi kevin at tummy.com
Wed Dec 20 22:03:08 UTC 2006 

On Wed, 20 Dec 2006 16:23:38 -0500
katzj at redhat.com (Jeremy Katz) wrote:

> On Wed, 2006-12-20 at 22:20 +0100, Ralf Ertzinger wrote:
> > Dave Jones <davej at redhat.com> wrote:
> > >  > J1) (possibly not FC7 material)  installer support for a few
> > >  > popular FUSE filesystems
> > > 
> > > Tricky, as the filesystems need to be in the installer image.
> > > What's the use-case for this ? The only one I can think of is for
> > > the fuse crypto stuff, and a better solution for crypto installs
> > > is probably going to be to use e2cryptfs.
> > 
> > I'd be happy for working dm-crypt support. The kernel bits work,
> > but I can neither install (sanely) on such a device, and initrd
> > support (for encrypted /) seems to be missing, too.
> 
> The problem is that how do you handle this in the initrd?  You want to
> be able to prompt a user (in their native language) as well as support
> their native keymap.  This could very easily require an X server and a
> lot of fonts and other bits.  At which point, exactly what are you
> trying to accomplish?
> 
> Encrypting data?  Very interesting.
> Encrypting the OS bits that anyone can download?  Much less
> interesting, IMHO

I use a method described by my compatriot Sean at: 

http://www.tummy.com/journals/entries/jafo_20060326_215808

It simply uses a small script in /etc/sysconfig/modules/ 
(which runs right after udev) that loads the dm_crypt modules, and runs
cyptsetup to prompt the user for the password on boot. 

If you have the encrypted volume mounted a boot it means you either
can't have unattended boot, or get things breaking that need to
access /home before it's mounted. If you mount at login time, you get
breakage for things that need /home (like mail delivery or the like if
you send it there). How do you handle multiple users? Remote logins? 
Backups? Lost passwords? 

This is not an easy problem to solve, but I think it's very important
to get some mindpower working on it. Having encrypted data is very
nice, especially for the expanding linux laptop market. 

We should probably move this discussion to a more appropriate list, but
I'm not sure what that would be. ;) 

kevin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-maintainers/attachments/20061220/9df24b41/attachment.sig>

More information about the Fedora-maintainers mailing list