On Saturday, 29 March 2008, Florian Philipp wrote:
> My goal is to open a LUKS mapping for /var with a gpg-encrypted file
> on /boot and then open a mapping for /var/tmp with a plaintext file
> on /var.

See below. But while we're at it, can anybody tell me what's the
advantage of a gpg-encrypted keyfile over a keyfile generated from
/dev/urandom?

> I thought it would work with the following settings:
>
> /etc/conf.d/cryptfs

It's /etc/conf.d/dmcrypt nowadays.

> target=var
> source='/dev/mapper/vg-crypt_var'
> key='/boot/key.gpg:gpg'
>
> target=var_tmp
> source='/dev/mapper/vg-crypt_var_tmp'
> key='/var/lib/tmp_key'
>
>
> I've read the warning in /etc/conf.d/cryptfs about /usr on a separate
> partition and followed their advice.

Which warning, btw? Works just fine here.

> However, the setup doesn't work. I'm not asked for the passphrase, the
> mappings are not created. What did I forget?

That the mappings are created all in one go before anything is mounted,
so you can't put the keyfile for /var into /boot. The only thing that
would work is to put the keyfile on the root fs, because that's the only
one that is mounted when the mappings are created, like:

target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'

Bye...
Dirk
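As an added example that is not part of the mail thread above, here is a small POSIX sh checker for the failure mode Dirk describes: it walks the key= entries of a dmcrypt config and flags every keyfile whose path lies under a separate fstab mountpoint, since (on the assumption taken from his reply) only the root fs is mounted when the init script opens all mappings in one pass. The function names (mountpoint_of, check_dmcrypt_keys), the SAMPLE_CFG and SAMPLE_FSTAB contents, and the handling of the ":gpg" suffix seen in the quoted config are my own constructions; the check only compares path prefixes against fstab and does not follow symlinks or bind mounts.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: check a Gentoo
# /etc/conf.d/dmcrypt config for key= paths that cannot be read when the
# mappings are opened.  Assumption (taken from Dirk's reply): the dmcrypt
# init script opens every mapping in one pass while only the root fs is
# mounted, so a key= path under any other fstab mountpoint (/boot, /var,
# ...) is unusable, even if that mountpoint is itself one of the targets.
# SAMPLE_CFG and SAMPLE_FSTAB are constructed sample data.

SAMPLE_CFG="# constructed sample /etc/conf.d/dmcrypt
target=var
source='/dev/mapper/vg-crypt_var'
key='/boot/key.gpg:gpg'

target=var_tmp
source='/dev/mapper/vg-crypt_var_tmp'
key='/var/lib/tmp_key'

target='c-usr'
source='/dev/evms/usr'
key='/etc/crypt/keyfile'"

SAMPLE_FSTAB="# constructed sample /etc/fstab
/dev/sda1            /boot     ext2  noauto,noatime  1 2
/dev/sda3            /         ext3  noatime         0 1
/dev/mapper/var      /var      ext3  noatime         0 2
/dev/mapper/var_tmp  /var/tmp  ext3  noatime         0 2"

# Print the fstab mountpoint that contains PATH: the longest mountpoint
# that is a path prefix of it, or / when no separate filesystem applies.
# Usage: mountpoint_of PATH FSTAB_CONTENTS
mountpoint_of() {
    _path=$1
    _best=/
    while read -r _dev _mnt _rest; do
        case $_dev in ''|'#'*) continue ;; esac   # blank line or comment
        case $_mnt in /) continue ;; esac         # root is the fallback
        case $_path in
            "$_mnt"/*)
                if [ ${#_mnt} -gt ${#_best} ]; then _best=$_mnt; fi ;;
        esac
    done <<EOF
$2
EOF
    printf '%s\n' "$_best"
}

# Print one line per key= entry in CONFIG_CONTENTS: "OK" if the keyfile
# sits on the root fs, "BAD" otherwise.  Returns 1 if any key is BAD.
# Usage: check_dmcrypt_keys CONFIG_CONTENTS FSTAB_CONTENTS
check_dmcrypt_keys() {
    _fstab=$2
    _bad=0
    while read -r _line; do
        case $_line in key=*) ;; *) continue ;; esac
        _key=${_line#key=}
        _key=$(printf '%s' "$_key" | tr -d "'\"")   # strip shell quoting
        _key=${_key%%:*}                            # drop the :gpg suffix
        _mnt=$(mountpoint_of "$_key" "$_fstab")
        if [ "$_mnt" = / ]; then
            printf 'OK  %s (on the root fs)\n' "$_key"
        else
            printf 'BAD %s (on %s, not mounted when mappings are opened)\n' \
                "$_key" "$_mnt"
            _bad=1
        fi
    done <<EOF
$1
EOF
    return $_bad
}

# Stand-alone usage on the constructed sample: the /boot and /var keys
# are reported as BAD, the /etc/crypt key as OK.
if check_dmcrypt_keys "$SAMPLE_CFG" "$SAMPLE_FSTAB"; then
    echo "all keyfiles are reachable when the mappings are opened"
else
    echo "move the BAD keyfiles to the root fs (e.g. /etc/crypt/) and fix key="
fi
```

To use it on a real box, pass `"$(cat /etc/conf.d/dmcrypt)"` and `"$(cat /etc/fstab)"` instead of the sample strings; a keyfile on a mapping that the same config is about to open (the /var/lib/tmp_key case) is caught the same way, because /var is a separate mountpoint in fstab.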