[Pkg-loop-aes-commits] r1346 - /branches/loop-aes-utils/initramfs-integration/debian/README
lmamane at users.alioth.debian.org
Sat Dec 16 07:11:12 CET 2006
Author: lmamane
Date: Sat Dec 16 07:11:12 2006
New Revision: 1346
URL: http://svn.debian.org/wsvn/pkg-loop-aes/?sc=1&rev=1346
Log:
Recommend keeping keys out of encrypted partition
Modified:
branches/loop-aes-utils/initramfs-integration/debian/README
Modified: branches/loop-aes-utils/initramfs-integration/debian/README
URL: http://svn.debian.org/wsvn/pkg-loop-aes/branches/loop-aes-utils/initramfs-integration/debian/README?rev=1346&op=diff
==============================================================================
--- branches/loop-aes-utils/initramfs-integration/debian/README (original)
+++ branches/loop-aes-utils/initramfs-integration/debian/README Sat Dec 16 07:11:12 2006
@@ -38,7 +38,11 @@
mkinitramfs to "auto" or "yes". The recommended setting is "auto".
It checks at initramfs creation time if your root device in
/etc/fstab has a "loop=/dev/loopN" option. You can also forcibly
- activate the support with "yes" or force it off with "no".
+ activate the support with "yes" or force it off with "no". An
+ example of a reason to force it off would be because you have custom
+ scripts to handle a specific situation in your initramfs
+ (e.g. reading the keys from a removable media, from the network,
+ ...).
Wether you set INITRAMFS_LOOPAES in the shell before running
mkinitramfs or in /etc/initramfs-tools/initramfs.conf, don't forget
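Review bot: the added sentence on forcing the support off with "no" does not say what custom scripts then have to provide themselves. If "no" also leaves the loop-AES modules and utilities out of the initramfs, a reader following this advice needs to know that their own hooks must bring them in; please state that here. The wording could also be tightened, e.g. "For example, force it off if you have custom initramfs scripts that handle a specific situation (e.g. reading the keys from removable media or from the network).", and the "Wether" in the following context line could be corrected to "Whether" while this paragraph is being touched.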
@@ -69,4 +73,20 @@
the initramfs, obviously. For example:
"loopaesopts=loop=/dev/loop5,encryption=AES,gpgkey=/keys/rootkeyfile.gpg"
+ To minimise risks of losing access to your computer in case of
+ root-on-loopaes, it is recommended to keep your (password-protected)
+ keys to your root partition elsewhere than in the said partition. In
+ this manner, you can still access your partition even if the keys
+ don't get copied into the initramfs for a reason or another
+ (configuration error, bug in our code, ...). /boot/keys is a good
+ choice. It also doesn't reduce security as keys will be in the
+ initramfs in /boot during normal operations anyway. Combine this
+ with INITRAMFS_LOOPAES=yes to always have the necessary modules and
+ loop-aes utilities available in the initramfs shell and/or being
+ able to use the loopaesopts kernel command-line option.
+
+ When doing the boot manually from the initramfs shell, remember you
+ don't have the loop-aes-utils version of mount; you need to use
+ losetup and then "mount /dev/loopN /root".
+
-- Max Vozeler <xam at debian.org> and Lionel Elie Mamane <lmamane at debian.org>
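Review bot: the claim "It also doesn't reduce security" in the new /boot/keys paragraph rests on the keys being password-protected, which is only mentioned in parentheses earlier in the paragraph. Say it explicitly where the claim is made, since the keys sit in /boot both as files and inside the initramfs and the passphrase is then the only thing protecting them. The manual-boot paragraph would be more useful with the steps spelled out: that the key file has to be reachable from the initramfs shell before running losetup, and one sample losetup line matching the loopaesopts example above. Minor: "for a reason or another" should read "for one reason or another".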