On Saturday, 29 March 2008, Florian Philipp wrote:
> My goal is to open a Luks-mapping for /var with a gpg-encrypted file
> on /boot and then open a mapping for /var/tmp with a plaintext file
> on /var.
See below. But while we're at it, can anybody tell me what's the advantage
of a gpg-encrypted keyfile over a keyfile generated from /dev/urandom?
> I thought it would work with the following settings:
>
> /etc/conf.d/cryptfs
It's /etc/conf.d/dmcrypt nowadays.
> target=var
> source='/dev/mapper/vg-crypt_var'
> key='/boot/key.gpg:gpg'
>
> target=var_tmp
> source='/dev/mapper/vg-crypt_var_tmp'
> key='/var/lib/tmp_key'
>
>
> I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
> partition and followed their advice.
Which warning, btw.? Works just fine here.
> However, the setup doesn't work. I'm not asked for the passphrase, the
> mappings are not created. What did I forget?
That the mappings are created all in one go before anything is mounted, so
you can't put the keyfile for /var into /boot. The only thing that would
work is to put the keyfile on the root fs, because that's the only one that
is mounted when the mappings are created, like:
target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'
Bye...
Dirk
--
gentoo-user@lists.gentoo.org mailing list
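
Added example, not part of the original message or of Gentoo's init scripts: a shell check for the problem described in the reply above, listing every keyfile whose path sits under a separately mounted filesystem and is therefore unavailable when the mappings are created. It assumes the target=/key= line layout quoted in the thread and that fstab names the separate filesystems; the function names, the sample fstab and the temporary paths are constructed for illustration.

```shell
# Added illustration; function names and sample files are constructed.
# Print the longest non-root fstab mount point containing path $1 (empty = rootfs).
mount_for() {
    path=$1; best=
    while read -r dev mp rest; do
        case $dev in ''|\#*) continue ;; esac
        case $mp in /|none|swap) continue ;; esac
        case $path/ in
            "$mp"/*) if [ ${#mp} -gt ${#best} ]; then best=$mp; fi ;;
        esac
    done < "$2"
    printf '%s' "$best"
}

# Strip the quotes used around values in the config file.
unquote() { printf '%s' "$1" | tr -d "\"'"; }

# For each target= / key= pair in $1, report keys that are not on the rootfs.
keys_off_rootfs() {
    target=
    while IFS= read -r line; do
        case $line in
            target=*) target=$(unquote "${line#target=}") ;;
            key=*)
                key=$(unquote "${line#key=}")
                key=${key%%:*}   # drop a mode suffix such as ":gpg"
                mp=$(mount_for "$key" "$2")
                if [ -n "$mp" ]; then printf '%s %s %s\n' "$target" "$key" "$mp"; fi ;;
        esac
    done < "$1"
}

demo_dir=$(mktemp -d)
cat > "$demo_dir/dmcrypt" <<'EOF'
target=var
key='/boot/key.gpg:gpg'
target=var_tmp
key='/var/lib/tmp_key'
target='c-usr'
key='/etc/crypt/keyfile'
EOF
cat > "$demo_dir/fstab" <<'EOF'
# constructed sample fstab
/dev/sda1                 /boot     ext2  noauto    1 2
/dev/sda2                 /         ext3  defaults  0 1
/dev/mapper/var           /var      ext3  defaults  0 2
/dev/mapper/var_tmp       /var/tmp  ext3  defaults  0 2
EOF
keys_off_rootfs "$demo_dir/dmcrypt" "$demo_dir/fstab"
```

Each output line gives the target, the key path and the mount point the key depends on; an entry whose key lives on the root filesystem, like the c-usr one, produces no line.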