Unlocking several crypto discs during boot

Volker Wysk post at volker-wysk.de
Sat Oct 14 22:51:44 UTC 2017


On Saturday, 14 October 2017 at 21:04:48 CEST, Xen wrote:
> Volker Wysk wrote on 14-10-2017 20:28:
> > This could be done automatically. No configuration needed.
> 
> That means the unlocker tool needs to scan all the headers and see if
> volumes have headers that are identically hashed. Possible yes.

The unlocker tool could work like this:

"Hi! The volumes sda1, sda4 and sdb1 need unlocking. Please specify a 
passphrase."

Then it would try to unlock all the volumes with this passphrase. The volumes 
which could be successfully unlocked would then be removed from the list. When 
none are left, we're done. If not, we ask again, with the new list of 
devices.


> Then what if someone DOESN'T want to unlock a secondary drive
> automatically?

You'd configure that the same way as it is now. I'm not sure, but probably by 
specifying /dev/null as the keyfile in /etc/crypttab. A new special value, just 
like "none", could also be introduced. For instance "locked".


> > This would be better: The /dev/sda3 partition is a PV, and the root LV
> > is made
> > inside it. Then the root LV gets encrypted. This way, a keyfile could
> > be used,
> > and no second password was needed. (I believe, not quite sure).
> 
> Not even a keyfile.
> 
> If you put LUKS into your root LV, and then CACHE the root LV, obviously
> the CACHED DATA will ALSO be encrypted because on the outside it would
> ALSO be scrambled data.
> 
> So the cache device would only see scrambled data.

You're right.

This way, we could also unite several hard disks for the root LV. I wasn't 
able to use both of my hard disks when I installed Kubuntu 16.04. 


(more follows later)

Volker
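The unlocker loop Volker sketches above (ask once, try the passphrase on every volume still locked, drop the ones that open, ask again with the shorter list) and the crypttab handling he speculates about, as an added example written for this page; it is not code from the thread, from Ubuntu or from cryptsetup. The crypttab text is constructed, and the "locked" key-field value is the hypothetical special value proposed in the post, not a real crypttab keyword. The only real command used is `cryptsetup open --key-file=-`, which reads the passphrase from stdin; running that part needs root and actual LUKS devices, so the loop takes the unlock attempt as a parameter and can be exercised with a fake one. The round limit is an added safeguard the post does not mention.

```python
"""Added example: the "try one passphrase on every still-locked volume" loop
from the ubuntu-users thread, driven by a crypttab-style table."""
import getpass
import subprocess
from typing import Callable, List, Tuple

# Constructed sample, not a real /etc/crypttab.
# Fields: <target name> <source device> <key file> <options>
# "locked" is the HYPOTHETICAL value from the post: never unlock automatically.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file>    <options>
cryptroot  /dev/sda1  none          luks
crypthome  /dev/sda4  none          luks
cryptdata  /dev/sdb1  none          luks
cryptusb   /dev/sdc1  locked        luks,noauto
cryptswap  /dev/sda2  /dev/urandom  swap,cipher=aes-xts-plain64
"""

Volume = Tuple[str, str]  # (target name, source device)


def parse_crypttab(text: str) -> List[Tuple[str, str, str, str]]:
    """Split a crypttab into (name, device, keyfile, options) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        name, device = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3] if len(fields) > 3 else ""
        entries.append((name, device, keyfile, options))
    return entries


def passphrase_volumes(entries) -> List[Volume]:
    """Volumes that need an interactive passphrase: key field 'none' (or '-').
    Entries with a real keyfile unlock via that file; the hypothetical 'locked'
    value (and anything else) is left alone by the prompting loop."""
    return [(name, dev) for name, dev, key, _ in entries if key in ("none", "-")]


def cryptsetup_unlock(name: str, device: str, passphrase: str) -> bool:
    """Real attempt. --key-file=- makes cryptsetup read the passphrase from stdin,
    exactly as given (no newline stripping), so no trailing newline is sent.
    Requires root; a wrong passphrase simply yields a non-zero exit status."""
    proc = subprocess.run(
        ["cryptsetup", "open", "--type", "luks", "--key-file=-", device, name],
        input=passphrase.encode(), capture_output=True,
    )
    return proc.returncode == 0


def unlock_all(volumes: List[Volume],
               ask: Callable[[List[str]], str],
               try_unlock: Callable[[str, str, str], bool],
               max_rounds: int = 3) -> List[Volume]:
    """The loop from the post: ask for one passphrase, try it on every volume
    still locked, remove the ones that opened, repeat with the shorter list.
    Returns the volumes still locked (empty on full success). max_rounds is an
    added bound so a forgotten passphrase cannot loop forever at boot."""
    remaining = list(volumes)
    rounds = 0
    while remaining and rounds < max_rounds:
        rounds += 1
        passphrase = ask([dev for _, dev in remaining])
        remaining = [(n, d) for n, d in remaining if not try_unlock(n, d, passphrase)]
    return remaining


def main() -> None:
    volumes = passphrase_volumes(parse_crypttab(SAMPLE_CRYPTTAB))

    def ask(devices: List[str]) -> str:
        print("Hi! The volumes %s need unlocking." % ", ".join(devices))
        return getpass.getpass("Please specify a passphrase: ")

    left = unlock_all(volumes, ask, cryptsetup_unlock)
    for name, dev in left:
        print("still locked: %s (%s)" % (dev, name))


if __name__ == "__main__":
    main()
```

With the sample table, the loop prompts for sda1, sda4 and sdb1 only: sdc1 carries the hypothetical "locked" marker and sda2 has a keyfile, so neither is offered for a passphrase. A passphrase that opens two of the three volumes leaves a second prompt that lists just the third device.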
More information about the ubuntu-users mailing list