On 04.09.2012 00:12, "Roland Häder" wrote:
> Okay, I have made a little progress. I have generated my private key
> using some random data + gpg:
>
> # head -c 3705 /dev/urandom | head -n 66 | tail -n 65 > key.out
> # gpg --symmetric -a --s2k-count 8388608 key.out   twice
> # mv key.out.asc key.gpg
> # rm -f key.out
>

Two minor suggestions:

1. Maybe it would be a good idea to use an ASCII-only random string, for example by piping it through `base64 -w 0`. That way you don't lose any entropy (the key just gets longer) but it is easier to type the keyfile manually, in case you ever need to. You also don't have to worry about odd behavior of password prompts anymore.

2. You should `shred` key.out instead of `rm`.

> Now I have to copy that file on my stick and set up
> /etc/conf.d/dmcrypt:
>
> # whole root system encrypted with gpg key from removable media
> target=crypt-root
> source='/dev/hdaX'
> key='/key:gpg'
> # This is your stick
> remdev='/dev/sda1'
>
> But what next? The example at [1] is based on a key-only file (no
> passphrase). I know, later on /etc/conf.d/dmcrypt must be placed on
> the new root-fs but what now? I still have to set it up. cryptsetup
> doesn't do anything with gpg. So I have to set up a pipeline?
>

I'm not entirely sure I understand what you mean, therefore I just start babbling. ;-)

The dmcrypt init script cannot be used for encrypting the root fs, a separate /usr or /etc. At least, I don't see a way to do it and I don't see it in the examples in my /etc/conf.d/dmcrypt. However, you can use it for all other directories containing sensitive data (/home, /srv, /var, /tmp). You might still need a skeleton directory structure of /var for the early boot stages but that's about it.

Getting root encrypted is the sole responsibility of your initrd.

Regards,
Florian Philipp
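The keyfile workflow with the two suggestions above applied (ASCII-only key via base64, shred instead of rm), as an added example that is not code from this thread; it assumes GNU coreutils and gpg on PATH, and the byte count and file names are illustrative:

```shell
#!/bin/sh
# Added example, not code from the thread: build the keyfile the way the
# reply suggests (ASCII-only via base64, shred instead of rm) and wrap it
# with the same gpg --symmetric invocation. Assumes GNU coreutils
# (base64 -w, shred) and gpg on PATH; the byte count and file names are
# illustrative choices.
set -eu

# Print NBYTES of /dev/urandom as a single base64 line (no trailing newline).
# base64 is lossless, so no entropy is lost; the output is printable ASCII
# and can be typed at a prompt if the stick is ever unavailable.
make_ascii_key() {
    nbytes="${1:-64}"
    head -c "$nbytes" /dev/urandom | base64 -w 0
}

# Succeed only if the keyfile is non-empty and holds nothing but the
# base64 alphabet and padding; a stray control byte or newline fails it.
is_ascii_only() {
    [ -s "$1" ] && ! LC_ALL=C grep -q '[^A-Za-z0-9+/=]' "$1"
}

# Encrypt the plaintext keyfile symmetrically (gpg asks for the passphrase
# twice) with a large s2k-count, then overwrite and unlink the plaintext
# and rename the result as the thread does (key.out -> key.gpg).
protect_keyfile() {
    plain="$1"
    gpg --symmetric -a --s2k-count 8388608 "$plain"   # writes "$plain.asc"
    shred -u "$plain"
    mv "$plain.asc" "${plain%.out}.gpg"
}

# Interactive usage (not run here):
#   make_ascii_key 64 > key.out
#   is_ascii_only key.out && protect_keyfile key.out   # leaves key.gpg
```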