From: Florian Philipp
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
Date: Tue, 04 Sep 2012 20:33:49 +0200
Message-ID: <5046498D.90104@binarywings.net>

On 04.09.2012 00:12, "Roland Häder" wrote:
> Okay, I have made a little progress. I have generated my private key
> using some random data + gpg:
>
> # head -c 3705 /dev/urandom | head -n 66 | tail -n 65 > key.out
> # gpg --symmetric -a --s2k-count 8388608 key.out    twice>
> # mv key.out.asc key.gpg
> # rm -f key.out
>

Two minor suggestions:

1. Maybe it would be a good idea to use an ASCII-only random string, for
example by piping it through `base64 -w 0`. That way you don't lose any
entropy (the key just gets longer) but it is easier to type the keyfile
manually, in case you ever need to. You also don't have to worry about
odd behavior of password prompts anymore.

2. You should `shred` key.out instead of `rm`.

> Now I have to copy that file on my stick and set up
> /etc/conf.d/dmcrypt:
>
> # whole root system encrypted with gpg key from removable media
> target=crypt-root
> source='/dev/hdaX'
> key='/key:gpg'
> # This is your stick
> remdev='/dev/sda1'
>
> But what next? The example at [1] is based on a key-only file (no
> passphrase). I know, later on /etc/conf.d/dmcrypt must be placed on
> the new root-fs but what now? I still have to set it up. cryptsetup
> doesn't do anything with gpg. So I have to set up a pipeline?
>

I'm not entirely sure I understand what you mean, therefore I just start
babbling. ;-)

The dmcrypt init script cannot be used for encrypting the root fs, a
separate /usr or /etc. At least, I don't see a way to do it and I don't
see it in the examples in my /etc/conf.d/dmcrypt.

However, you can use it for all other directories containing sensitive
data (/home, /srv, /var, /tmp). You might still need a skeleton
directory structure of /var for the early boot stages but that's about
it.

Getting root encrypted is the sole responsibility of your initrd.

Regards,
Florian Philipp
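The two suggestions in the reply above (an ASCII-only keyfile via `base64 -w 0`, and `shred` instead of `rm`), written out as small shell functions that also check the properties that matter before the file is handed to `gpg --symmetric`. This is an added example, not code from the thread; it assumes GNU coreutils (`base64 -w 0`, `base64 -d`, `shred`) and uses a 48-byte key only for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): ASCII-only keyfile generation and
# verification, plus secure removal of the plaintext keyfile.
set -eu

# make_ascii_key BYTES OUTFILE: read BYTES bytes from /dev/urandom and
# base64-encode them onto a single line, so the file contains only
# [A-Za-z0-9+/=] and no newline that a password prompt might swallow.
make_ascii_key() {
    bytes=$1; out=$2
    head -c "$bytes" /dev/urandom | base64 -w 0 > "$out"
    chmod 600 "$out"   # keyfile is a secret; owner-only access
}

# key_is_ascii FILE: succeed only if FILE holds base64 characters only
# (no control characters) and has no trailing newline.
key_is_ascii() {
    LC_ALL=C grep -qv '^[A-Za-z0-9+/=]*$' "$1" && return 1
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 0 ]
}

# key_entropy_bytes FILE: number of raw random bytes encoded in FILE.
# base64 stretches 3 raw bytes into 4 characters, so the entropy does
# not shrink; decode to count what is really there.
key_entropy_bytes() {
    base64 -d "$1" | wc -c | tr -d ' '
}

# wipe_key FILE: overwrite before unlinking, as suggested instead of rm.
# Falls back to rm only if shred is missing (then the plaintext key may
# still be recoverable from the disk).
wipe_key() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}
```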