On Sun, 2008-03-30 at 09:50 +0200, Dirk Heinrichs wrote:
> On Saturday, 29 March 2008, Florian Philipp wrote:
> > My goal is to open a LUKS mapping for /var with a gpg-encrypted file
> > on /boot and then open a mapping for /var/tmp with a plaintext file
> > on /var.
>
> See below. But while we're at it, can anybody tell me what's the advantage of
> a gpg-encrypted keyfile over a keyfile generated from /dev/urandom?

Keys from urandom work great for /tmp and swap, but how should I use this for a
partition which is supposed to keep its content between reboots?

> > I thought it would work with the following settings:
> >
> > /etc/conf.d/cryptfs
>
> It's /etc/conf.d/dmcrypt nowadays.

Interesting, why is there no hint that cryptfs is deprecated/obsolete?

> > target=var
> > source='/dev/mapper/vg-crypt_var'
> > key='/boot/key.gpg:gpg'
> >
> > target=var_tmp
> > source='/dev/mapper/vg-crypt_var_tmp'
> > key='/var/lib/tmp_key'
> >
> >
> > I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
> > partition and followed their advice.
>
> Which warning, btw.? Works just fine here.
>

"# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
# and ensure that gpg has been compiled statically.
# See http://bugs.gentoo.org/90482 for more information."

> > However, the setup doesn't work. I'm not asked for the passphrase, the
> > mappings are not created. What did I forget?
>
> That the mappings are created all in one go before anything is mounted, so you
> can't put the keyfile for /var into /boot. The only thing that would work is
> to put the keyfile on the root fs, because that's the only one that is
> mounted when the mappings are created, like:
>
> target='c-usr'
> source='/dev/evms/usr'
> key='/etc/crypt/keyfile'
>
> Bye...
>
> Dirk

Thanks, I'll try it.
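A small check for the mistake Dirk points out, added here as an example and not part of the thread or of Gentoo's dmcrypt script: it walks a conf.d/dmcrypt-style file, strips the `:gpg` mode suffix from each `key=` entry, and reports any keyfile whose path falls under an fstab mountpoint other than `/`, since only the root filesystem is mounted when the mappings are opened. The config and fstab contents below are constructed to mirror the layouts discussed above, and single-quoted values are assumed.

```shell
# Added example (not from the thread): flag dmcrypt keyfiles outside the root fs;
# all mappings are opened before /boot, /var, ... are mounted. Inputs constructed.

# key_fs PATH FSTAB: print the fstab mountpoint that contains PATH
key_fs() {
  path=$1 fstab=$2 best=/
  while read -r dev mnt _rest; do
    case "$dev" in ''|\#*) continue ;; esac
    case "$path" in "$mnt"/*|"$mnt") if [ ${#mnt} -gt ${#best} ]; then best=$mnt; fi ;; esac
  done < "$fstab"
  printf '%s\n' "$best"
}

# check_keys CONFIG FSTAB: print "target keyfile mountpoint" for each keyfile
# outside / (the ':gpg' mode suffix is stripped); return 1 if any were found
check_keys() {
  config=$1 fstab=$2 bad=0 target=
  while read -r line; do
    case "$line" in
      target=*) target=${line#target=}; target=${target#\'}; target=${target%\'} ;;
      key=*) key=${line#key=}; key=${key#\'}; key=${key%\'}; key=${key%%:*}
        fs=$(key_fs "$key" "$fstab")
        if [ "$fs" != / ]; then
          printf '%s %s %s\n' "$target" "$key" "$fs"
          bad=1
        fi ;;
    esac
  done < "$config"
  return "$bad"
}

# Constructed sample files mirroring the layout discussed in the thread
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/fstab" <<'EOF'
/dev/sda1            /boot  ext2  noauto,noatime  1 2
/dev/mapper/vg-root  /      ext3  noatime         0 1
/dev/mapper/var      /var   ext3  noatime         0 2
EOF
cat > "$tmp/dmcrypt" <<'EOF'
target=var
source='/dev/mapper/vg-crypt_var'
key='/boot/key.gpg:gpg'
target=var_tmp
source='/dev/mapper/vg-crypt_var_tmp'
key='/var/lib/tmp_key'
target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'
EOF
check_keys "$tmp/dmcrypt" "$tmp/fstab" || echo "keyfiles above are not on / and cannot be read when mappings are opened"
```

Run against the sample input it lists the `var` and `var_tmp` entries and leaves `c-usr` alone, which is exactly the split Dirk describes.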