From: Florian Philipp
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Cryptfs
Date: Sun, 30 Mar 2008 13:24:34 +0200
Message-Id: <1206876274.13252.19.camel@NOTE_GENTOO64.PHHEIMNETZ>
In-Reply-To: <200803300950.53721.dirk.heinrichs@online.de>
References: <1206811941.13252.13.camel@NOTE_GENTOO64.PHHEIMNETZ> <200803300950.53721.dirk.heinrichs@online.de>
On Sun, 2008-03-30 at 09:50 +0200, Dirk Heinrichs wrote:
> On Saturday, 29 March 2008, Florian Philipp wrote:
>
> > My goal is to open a Luks-mapping for /var with a gpg-encrypted file
> > on /boot and then open a mapping for /var/tmp with a plaintext file
> > on /var.
>
> See below. But while we're at it, can anybody tell me what's the advantage of
> a gpg-encrypted keyfile over a keyfile generated from /dev/urandom?

Keys for urandom work great for /tmp and swap but how should I use this
for a partition which is supposed to keep its content between reboots?

>
> > I thought it would work with the following settings:
> >
> > /etc/conf.d/cryptfs
>
> It's /etc/conf.d/dmcrypt nowadays.

Interesting, why is there no hint that cryptfs is deprecated/obsolete?

>
> > target=var
> > source='/dev/mapper/vg-crypt_var'
> > key='/boot/key.gpg:gpg'
> >
> > target=var_tmp
> > source='/dev/mapper/vg-crypt_var_tmp'
> > key='/var/lib/tmp_key'
> >
> >
> > I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
> > partition and followed their advice.
>
> Which warning, btw.? Works just fine here.
>

"# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
# and ensure that gpg has been compiled statically.
# See http://bugs.gentoo.org/90482 for more information."

> > However, the setup doesn't work. I'm not asked for the passphrase, the
> > mappings are not created. What did I forget?
>
> That the mappings are created all in one go before anything is mounted, so you
> can't put the keyfile for /var into /boot. The only thing that would work is
> to put the keyfile on the root fs, because that's the only one that is
> mounted when the mappings are created, like:
>
> target='c-usr'
> source='/dev/evms/usr'
> key='/etc/crypt/keyfile'
>
> Bye...
>
> Dirk

Thanks, I'll try it.
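The failure discussed in this thread (a key file placed on /boot or /var, which are not mounted when the dm-crypt mappings are created) can be caught before a reboot by checking the config. The script below is an added example, not code from the thread, from Gentoo, or from the dmcrypt init script; it takes Dirk's statement that only the root filesystem is mounted at mapping time as its assumption, and the list of separately mounted filesystems (/boot, /var, /var/tmp, /usr here) is supplied by the caller. It parses target=/key= lines in the syntax shown in the thread, including the trailing ":gpg" marker, and reports every key path that lives under one of those mount points. The function names and the sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): flags key= entries in a
# /etc/conf.d/dmcrypt-style config that sit under a separately mounted
# filesystem. Assumption taken from the thread: mappings are created in
# one go before anything but the root fs is mounted, so such a key file
# cannot be read at that point and the mapping is silently not created.

# key_mount_prefix KEYPATH MOUNT...: prints the first MOUNT that KEYPATH
# lives under and returns 0; returns 1 when KEYPATH is on the root fs.
key_mount_prefix() {
    path=$1
    shift
    for mnt in "$@"; do
        case "$path" in
            "$mnt"/*) printf '%s\n' "$mnt"; return 0 ;;
        esac
    done
    return 1
}

# check_dmcrypt_conf CONF MOUNT...: reads target= and key= lines (quotes
# and a trailing ":gpg" marker accepted, as in the thread's config).
# Returns 0 when every key path is on the root fs, 1 when at least one
# key would be unreadable at mapping time.
check_dmcrypt_conf() {
    conf=$1
    shift
    bad=0
    target='(none)'
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        line=${line#"${line%%[![:space:]]*}"}         # drop leading blanks
        case "$line" in
            target=*)
                target=$(printf '%s' "${line#target=}" | tr -d "'\"")
                ;;
            key=*)
                key=$(printf '%s' "${line#key=}" | tr -d "'\"")
                keytype=plain
                case "$key" in
                    *:gpg) keytype=gpg; key=${key%:gpg} ;;
                esac
                if mnt=$(key_mount_prefix "$key" "$@"); then
                    printf 'FAIL %s: %s key %s is under %s, not mounted at mapping time\n' \
                        "$target" "$keytype" "$key" "$mnt"
                    bad=1
                else
                    printf 'ok   %s: %s key %s is on the root fs\n' \
                        "$target" "$keytype" "$key"
                fi
                ;;
        esac
    done < "$conf"
    return "$bad"
}

# demo: runs the check over a constructed copy of the thread's config and
# over the corrected form with the key on the root fs, treating
# /boot /var /var/tmp /usr as separate partitions.
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
target=var
source='/dev/mapper/vg-crypt_var'
key='/boot/key.gpg:gpg'

target=var_tmp
source='/dev/mapper/vg-crypt_var_tmp'
key='/var/lib/tmp_key'
EOF
    echo '== config from the thread =='
    check_dmcrypt_conf "$conf" /boot /var /var/tmp /usr || echo '-> at least one mapping would not be created'
    cat > "$conf" <<'EOF'
target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'
EOF
    echo '== key file on the root fs =='
    check_dmcrypt_conf "$conf" /boot /var /var/tmp /usr && echo '-> all keys readable at mapping time'
    rm -f "$conf"
}

demo
```

Run it as `sh check_dmcrypt.sh`; to check a real config, call `check_dmcrypt_conf /etc/conf.d/dmcrypt` followed by the mount points from your fstab that are not the root filesystem. The check only looks at paths, so a key that is on the root fs but unreadable for other reasons (wrong permissions, missing static gpg as the quoted warning describes) still has to be verified by hand.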