:: Re: [DNG] some ASCII issues
トップ ページ
このメッセージを削除
このメッセージに返信
著者: Alessandro Selli
日付:  
To: dng
題目: Re: [DNG] some ASCII issues
On Wed, 28 Jun 2017 at 08:09:21 -0700
Rick Moen <rick@???> wrote:

> Quoting Stephan Seitz (stse+devuan@???):
>
> > That the kernel can’t find the root filesystem if it is encrypted?
> > And the kernel lacks the capability to ask you for the password.
>
> If you're correct that a kernal cannot find an encrypted rootfs, then by
> the same token it cannot find an encrypted initrd, either. So, what
> have you really gained?


The initramfs does not need to be encrypted, because it does not have the
key to decrypt the HD. It has the routine that prompts for the decryption
key and uses it to decrypt the root partition.

> In any event, I think you are incorrect. Here's a runthrough that Pavel
> Kogan wrote, and nothing he describes requires an initrd. He _does_
> use a RAMdisk to store the keyfile after booting, but that's a different
> matter. http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/


Here are the relevant lines:

    I tried various methods to get GRUB to load the keyfile into memory
    and pass it to the kernel, without success. Then, I realised that the
    initrd image is itself something GRUB loads into memory, and
    mkinitcpio.conf has a very convenient FILES option…


    FILES=/crypto_keyfile.bin


    Run mkinitcpio again, and when you reboot, you’ll only need to enter
    your password once.



>> >Anyway, I don't want to encrypt all discs on my Linux server for
>>
>> Well, server may be a special case.
>
> It's funny how all the new Linux kiddies keep wanting to dismiss what
> I've been doing since 1993 on Linux (and since the 1980s on other
> *nixes) as a 'special case'.


Servers are indeed a different matter. They are usually not kept home,
rather in a secure, dedicated and protected environment. Thus they are less
susceptible to be:

1) stolen in a house burglary;
2) impounded during a police raid into your home.

And you usually do not travel with your server inside your case, as
opposed to what you do with your laptop.