From: Mr Dash Four <mr.dash.four-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org>
To: "Amadeusz Żołnowski" <aidecoe-2qtfh70TtYba5EbDDlwbIw@public.gmane.org>
Cc: initramfs <initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH] 90crypt: keys on external devices support
Date: Wed, 20 Oct 2010 15:48:19 +0100
Message-ID: <4CBF0133.2070709@googlemail.com>
In-Reply-To: <1287583979-sup-416@etiriah>
>> I don't think this is such a good idea as having the crypto keys
>> reside in the same place as the kernel would completely defeat the
>> purpose of using crypto devices.
>>
>
> It does not. You can have kernel and initramfs on removable media. You
> have this media secure and don't need separate media for keys. It's
> even more secure than having kernel and initramfs on harddrive because
> it protects you from case when someone replaces your initramfs to steal
> the key (e.g. sends to some remote machine).
>
> And of course keys inside initramfs will be optional extra solution.
>
Good point - I haven't thought of that, it makes sense then.

> I hope I've answered your concerns above in previous e-mail.
>
I did a reply - there are 2 configuration files in order to run/read
tokens and these configuration files should be easily tailored to each
user's settings without the need to rebuild initrd.

>> One other thing I forgot to mention in my last post is that with the
>> proposed parameter changes there is a third possible scenario with the
>> password authentication, in which case, the format of the parameter in
>> the kernel would simply be:
>>
>> c) rd.luks.<luks_uuid>[=]
>>
>
> You don't have to specify anything for password scenario. root=<dev> is
> just enough. Have you tried using crypt module?
>
I am using dracut-006 (I think - the last which comes out of FC13
repository) and currently I have to specify rd_LUKS_UUID=luks-<UUID> in
order to make it work, which is not very convenient.