Re: GRUB & crypto? (& generally, more info on undocumented modules?)
From: John Lane
Subject: Re: GRUB & crypto? (& generally, more info on undocumented modules?)
Date: Sun, 21 Dec 2014 13:46:05 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
On 20/12/14 23:16, Diagon wrote:
>>> I use a keyfile to avoid the duplicate passphrase entry issue. The
>>> keyfile is on the USB stick. It's also inside the initramfs so that the
>>> booting kernel can also unlock the disk. It's safe because the initramfs
>>> is on an encrypted volume.
> John - does this mean that in your case, you never have to enter a
> passphrase? That is, it appears the keyfile on the USB opens your /boot, and
> then the keyfile in the initramfs opens your root.
That's right.
>
> I am a little leery of putting the keyfile on the USB. So if I were to just
> use:
>
> insmod luks
> cryptomount -H (hd0,1)/header hd1,1
>
> along with the keyfile in the initramfs, then I would be asked for the
> password only once, by grub, correct?
Yes.
>
> I'm not a guy who knows a lot about crypto, though I am aware that it can be
> quite delicate. So I do have to wonder about the safety of having the key
> sitting around on disk (in the initramfs) while the OS is running. Once
> decrypted by cryptomount, is there any way to pass that key on to the kernel?
> Is this even feasible?
I don't believe it's possible for the bootloader to pass an encryption
key to the Linux kernel. I believe BSD lets you do that but not Linux.
Doing so would be the sensible approach and I would do it if I could...
You should chmod 600 your initrd in /boot and chown it to root if you
haven't done so already. I think any encryption scheme falls back to the
protection offered by the OS when it is unlocked. I guess your comfort
level falls in line with your paranoia level. I'm personally not at the
point where someone accessing a root-protected file on a running system
is a major concern. If someone's in my running system I'd have bigger
things to worry about ;)
>
>
> [...]
>
>> Whenever I update my OS, it installs new kernel and initramfs to /boot,
>> totally oblivious to how those files
>> get used.
> It may be me missing something, but it has appeared to me that at times the
> Ubuntu updater has updated grub; though it's possible I could be mistaken.
It probably likes to regenerate grub.cfg whenever the kernel is updated
but Grub itself doesn't change that often. That said, I don't use
Debian. I use Arch where you're more "on your own" anyway...
> /D
>
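Added example, not from this thread or from GRUB itself: a small Python audit for the two exposures discussed above, an initrd in /boot that is not root-owned and mode 0600, and a keyfile packed inside the initramfs. It assumes the image is a single gzip-compressed newc cpio archive (no prepended microcode archive); the KEY_HINTS fragments and the sample image are constructed for the demonstration.

```python
import gzip, os, stat, tempfile

KEY_HINTS = ("key", "luks", "crypt")  # constructed entry-name fragments worth flagging

def _newc_entry(name, mode, data):
    # One 'newc' cpio entry: magic, 13 hex fields, NUL-terminated name, 4-byte padding
    name_b = name.encode() + b"\0"
    fields = (0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
    out = b"070701" + "".join("%08x" % v for v in fields).encode() + name_b
    out += b"\0" * (-len(out) % 4)
    return out + data + b"\0" * (-len(data) % 4)

def parse_newc(buf):
    # Yield (name, mode, data) for each entry of an uncompressed newc archive
    off = 0
    while buf[off:off + 6] == b"070701":
        f = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = buf[off + 110:off + 110 + namesize - 1].decode()
        off += 110 + namesize
        off += -off % 4
        if name == "TRAILER!!!":
            return
        yield name, mode, buf[off:off + size]
        off += size + (-size % 4)
    raise ValueError("bad newc header at offset %d" % off)

def audit_initrd(path):
    # Report a readable initrd file and any key-like files packed inside it
    findings, st = [], os.stat(path)
    if st.st_uid != 0:
        findings.append("initrd not owned by root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        findings.append("initrd mode %04o, want 0600" % stat.S_IMODE(st.st_mode))
    data = open(path, "rb").read()
    data = gzip.decompress(data) if data[:2] == b"\x1f\x8b" else data  # gzip magic
    for name, mode, _ in parse_newc(data):
        if stat.S_ISREG(mode) and any(h in name.lower() for h in KEY_HINTS):
            findings.append("embedded key material: %s" % name)
    return findings

def write_sample_initrd():
    # Constructed sample: a tiny initramfs carrying a LUKS keyfile, installed as 0644
    image = (_newc_entry("init", 0o100755, b"#!/bin/sh\n")
             + _newc_entry("cryptroot/keyfile", 0o100600, b"constructed-key-bytes")
             + _newc_entry("TRAILER!!!", 0, b""))
    fd, path = tempfile.mkstemp(prefix="initrd-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(gzip.compress(image))
    os.chmod(path, 0o644)
    return path
```

Running audit_initrd on a real /boot/initrd would need the whole image read, and the same chmod 600 plus chown root from the reply is the fix for the mode finding; the embedded keyfile finding is the part no file permission removes once the volume is unlocked.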