Dan Mitton wrote:
At Monday 9/22/2008 09:39 AM, Chris Snook wrote:
DanMitton wrote:
So, is it possible to read the passphrase from a USB drive at boot
time?? :-?
The proper way to do it is to read a *key* from a USB drive at boot
time. In F8 it didn't take too much hacking in /etc/rc.sysinit to
load the USB storage modules, wait a few seconds to detect the drive,
mount it, and then do the luks magic to unlock the LVM partition. I
haven't tried in F9. It would be really nice to have this supported
by the installer.
-- Chris
Chris, Thanks for your reply. I'm not exactly following... what good
is hacking /etc/rc.sysinit, since it would be encrypted and unreadable
at boot time?? Do I have to rebuild the boot image? What is the "luks
magic" (I guess that's why it's magic)? I agree, this would be a very
nice feature to be supported by the installer. Can you be more specific
about what needs to go where?
Thanks,
Dan
I just remembered, I put /home, /var, and swap in an encrypted PV. Root was not
encrypted. We would need initrd magic, not rc.sysinit magic, to handle the
root-on-LVM case. I recall thinking that the ideal case, for how I wanted to
use it, was to embed the key in the initrd, such that you could put /boot on a
USB key, and put the entire internal disk in an encrypted PV. Then, if you're
traveling in a hostile security environment, you could mail your key to your
destination, and there's no passphrase to divulge. We'd need to teach HAL about
removable media with custom fstab mountpoints, but we really need to do that anyway.
-- Chris
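The "load the USB storage modules, wait for the drive, mount it, luksOpen, activate the VG" sequence Chris describes for the rc.sysinit case, written out as a script. This is an added example by the editor, not code from Chris, Dan, or Fedora; the device names, mount point, key file name, mapper name and VG name are assumptions. The same script, with the modules it needs, is what would have to go into the initrd for the root-on-LVM case from the second message, since rc.sysinit lives on the encrypted root and is not reachable until after the unlock.

```sh
#!/bin/sh
# Added example (editor's, not from the thread's authors or Fedora): unlock
# an encrypted LVM PV with a key file read from a USB stick at boot.
# Device names, mount point and key file name below are assumptions.
USB_DEV=${USB_DEV:-/dev/sdb1}        # hypothetical: the USB stick's partition
USB_MNT=${USB_MNT:-/mnt/usbkey}      # hypothetical mount point for the stick
KEY_NAME=${KEY_NAME:-luks.key}       # hypothetical key file name on the stick
LUKS_DEV=${LUKS_DEV:-/dev/sda3}      # hypothetical LUKS-encrypted PV
MAPPER=${MAPPER:-cryptpv}            # name the unlocked PV gets under /dev/mapper
VG_NAME=${VG_NAME:-VolGroup00}       # VG that lives inside the encrypted PV

# Poll for a device node. USB enumeration takes a few seconds after modprobe,
# so a fixed sleep is either too short or wastes boot time; poll up to $2 s.
wait_for_device() {
    dev=$1; timeout=$2; i=0
    while [ ! -e "$dev" ]; do
        i=$((i + 1))
        [ "$i" -ge "$timeout" ] && return 1
        sleep 1
    done
    return 0
}

# A key file must be a regular, non-empty file. An empty or missing file
# makes cryptsetup fail or fall back to a prompt, which defeats the point.
check_keyfile() {
    f=$1
    [ -f "$f" ] && [ -s "$f" ]
}

# The whole unlock sequence. Returns non-zero on any failure so the caller
# (rc.sysinit, or init in the initrd) can fall back to a passphrase prompt.
unlock_pv_from_usb() {
    modprobe usb-storage 2>/dev/null     # harmless if already loaded or built in
    modprobe sd_mod 2>/dev/null
    wait_for_device "$USB_DEV" 15 || { echo "no key device $USB_DEV" >&2; return 1; }
    mkdir -p "$USB_MNT"
    mount -t vfat -o ro "$USB_DEV" "$USB_MNT" || return 1
    key="$USB_MNT/$KEY_NAME"
    if ! check_keyfile "$key"; then
        echo "key file $key missing or empty" >&2
        umount "$USB_MNT"
        return 1
    fi
    # Unlock with the key file instead of a passphrase. The key file occupies
    # its own LUKS key slot, added beforehand with:
    #   cryptsetup luksAddKey "$LUKS_DEV" "$key"
    cryptsetup luksOpen --key-file "$key" "$LUKS_DEV" "$MAPPER"
    rc=$?
    # Unmount as soon as cryptsetup has read the key, success or not, so the
    # key file is not left reachable from the running system.
    umount "$USB_MNT"
    [ "$rc" -eq 0 ] || return 1
    # Activate the VG; the /home, /var and swap LVs then appear under
    # /dev/$VG_NAME and the normal fstab mounts and swapon -a take over.
    vgchange -ay "$VG_NAME"
}

# Only run the privileged sequence when asked explicitly, so the file can be
# sourced from rc.sysinit (or tested) without side effects.
if [ "${1:-}" = "--run" ]; then
    unlock_pv_from_usb || echo "USB key unlock failed; fall back to passphrase" >&2
fi
```

Run it as root with `sh usbkey-unlock.sh --run` after the key has been enrolled: generate it with something like `head -c 4096 /dev/urandom > /mnt/usbkey/luks.key` and enrol it with `cryptsetup luksAddKey /dev/sda3 /mnt/usbkey/luks.key`, keeping the original passphrase slot so a lost stick does not mean a lost disk. The stick is now the secret: anyone holding it can unlock the PV, which is exactly the trade Chris describes when he suggests mailing the key ahead instead of carrying a passphrase. For the root-on-LVM case the script, cryptsetup, lvm and the usb-storage/sd_mod modules all have to be inside the initrd (mkinitrd on Fedora of that era), because nothing on the encrypted root is available until the unlock has happened.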
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines