From: Mr Dash Four <mr.dash.four-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org>
To: "Amadeusz Żołnowski" <aidecoe-2qtfh70TtYba5EbDDlwbIw@public.gmane.org>
Cc: initramfs <initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH] 90crypt: keys on external devices support
Date: Wed, 20 Oct 2010 15:48:19 +0100
Message-ID: <4CBF0133.2070709@googlemail.com>
In-Reply-To: <1287583979-sup-416@etiriah>
>> I don't think this is such a good idea as having the crypto keys
>> reside in the same place as the kernel would completely defeat the
>> purpose of using crypto devices.
>>
>
> It does not. You can have kernel and initramfs on removable media. You
> have this media secure and don't need separate media for keys. It's
> even more secure than having kernel and initramfs on harddrive because
> it protects you from the case when someone replaces your initramfs to steal
> the key (e.g. sends to some remote machine).
>
> And of course keys inside initramfs will be optional extra solution.
>
Good point - I haven't thought of that, it makes sense then.
> I hope I've answered your concerns above in previous e-mail.
>
I did a reply - there are 2 configuration files in order to run/read
tokens and these configuration files should be easily tailored to each
user's settings without the need to rebuild initrd.
>> One other thing I forgot to mention in my last post that with the
>> proposed parameter changes there is a third possible scenario with the
>> password authentication, in which case, the format of the parameter in
>> the kernel would simply be:
>>
>> c) rd.luks.<luks_uuid>[=]
>>
>
> You don't have to specify anything for password scenario. root=<dev> is
> just enough. Have you tried using crypt module?
>
I am using dracut-006 (I think - the last which comes out of FC13
repository) and currently I have to specify rd_LUKS_UUID=luks-<UUID> in
order to make it work, which is not very convenient.