Bug#378488: some additional ideas about a loop-aes-hook for initramfs
S. Sakar
serkan.sakar at gmx.net
Wed Apr 11 00:39:52 UTC 2007
Hello,
I've written a hook with a different approach. It is quite simple (and
works only on my machine :-) ).
To summarize it briefly:
* don't put gpgkeys or gpghome directories for local partitions into
the initrd
* provide a crypttab-like file: since losetup and mount from
loop-aes-utils can use fstab, a special fstab could be used only for
the initramfs boot phase, e.g. /etc/loopaes.fstab
* create all loop devices found in loopaes.fstab, not only the rootfs.
As a result the normal fstab looks like
/dev/loop3 /home ext2 defaults 0 2
so that you can easily fsck them.
The counterpart in loopaes.fstab would look like
/dev/sda3 /home ext2 defaults,loop=/dev/loop3,encryption=AES256,gpgkey=foo.gpg,gpghome=/ 0 0
so that during the initrd boot phase a simple "losetup -F /dev/loop3"
does the job
* use encrypted external media; the key for the media should be in the
initrd. That external media contains all the necessary files (e.g.
plain passwords for use with fd)
A typical initrd boot phase would be
- mount the encrypted SD card with the gpgkey which is in the initrd
- set up loop devices with keys from the SD card
- umount the SD card
- don't handle encrypted swap or tmp
Attached are some example files.
Regards,
Serkan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: examples.tar.bz2
Type: application/x-bzip
Size: 1939 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-loop-aes-maint/attachments/20070411/e4b3df8e/examples.tar.bin
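The boot-phase sequence this mail describes (mount the key medium, losetup -F every loop device listed in the special fstab, umount the medium), written out as an added example. This is not Serkan's hook and not the contents of the attached examples.tar.bz2, which is not reproduced here. It assumes that the hook has already installed /etc/loopaes.fstab as the initramfs's /etc/fstab, so that "losetup -F" of loop-aes-utils finds the options there; that the gpgkey files the fstab names live on the key medium; and that the device /dev/mmcblk0p1, the mount point /keys, the sample fstab text and the LOSETUP/MOUNT/UMOUNT overrides are all made up for illustration.

```sh
#!/bin/sh
# Added example sketching an initramfs local-top hook for the scheme in
# the mail. Not the author's hook; the fstab content below is constructed.

# Constructed loopaes.fstab: the options field carries the loop-aes
# settings, the initrd only needs loop=... to know which device to set up.
LOOPAES_FSTAB_SAMPLE='# device  mountpoint  fstype  options  dump  pass
/dev/sda2 /     ext3 defaults,loop=/dev/loop0,encryption=AES256,gpgkey=root.gpg,gpghome=/ 0 0
/dev/sda3 /home ext2 defaults,loop=/dev/loop3,encryption=AES256,gpgkey=home.gpg,gpghome=/ 0 0
/dev/sda4 none  swap defaults 0 0'

# Tools used by the boot phase; overridable so the sequence can be
# exercised without touching real devices (assumed hook convention).
: "${LOSETUP:=losetup}"
: "${MOUNT:=mount}"
: "${UMOUNT:=umount}"

# Print the value of the loop= option from an fstab options field,
# or nothing if the entry has no loop= option.
loop_device_of() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^loop=//p' | head -n 1
}

# Print, one per line, every loop device named in loopaes.fstab text.
# Comment lines and entries without loop= (e.g. the swap line above)
# are skipped, so they never produce a losetup call.
loop_devices_in() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|\#*) continue ;; esac
        d=$(loop_device_of "$opts")
        if [ -n "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# The boot phase from the mail:
#   1. mount the encrypted key medium (its gpgkey is in the initrd)
#   2. "losetup -F" every loop device the fstab names; -F makes losetup
#      read the remaining options (encryption, gpgkey, gpghome) from
#      /etc/fstab, which here is the installed loopaes.fstab
#   3. umount the key medium again, also when a losetup step fails, so
#      the plain keys do not stay reachable after the boot phase
# $1 = loopaes.fstab content, $2 = key medium device, $3 = its mount point
run_boot_phase() {
    "$MOUNT" "$2" "$3" || return 1
    for d in $(loop_devices_in "$1"); do
        if ! "$LOSETUP" -F "$d"; then
            "$UMOUNT" "$3"
            return 1
        fi
    done
    "$UMOUNT" "$3"
}

# Real use inside the initramfs would be something like:
#   run_boot_phase "$(cat /etc/fstab)" /dev/mmcblk0p1 /keys
```

Setting LOSETUP, MOUNT and UMOUNT to a logging shell function gives a dry run that shows the exact command sequence before the hook is put into an initrd; the umount in the failure branch is the one step worth keeping even in a minimal hook, since a half-finished boot phase otherwise leaves the key medium mounted.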