Comment 15 for bug 238163

Reinhard Tartler (siretart) wrote : Re: [Bug 238163] Re: keyfile doesn't work in initramfs

Nikolaus Rath <email address hidden> writes:

> Reinhard Tartler <email address hidden> writes:
>> Okay, now things become clearer.
>>
>> As explained before, you cannot expect to use a keyfile for the root
>> file system,
> [...]
>
> But that is not what I want to do. I want to use a keyfile for the
> *swap* filesystem.

Yes, I understand that.

>> Where should the key for unencrypting the device come from?
>
> Well, from the root file system I'd expect.

From the 'unencrypted' root filesystem, to be more correct.

> I'm afraid I still don't see why the warning is appropriate. I'd be
> glad if you could try to explain again why the swap filesystem cannot
> be decrypted using the key from the root filesystem (this can't be
> more difficult than using removable media, can it?).

It is not more difficult, but pointless. The key would need to be
unencrypted on the physical hard drive, so an attacker would be able to
directly grab and use it.

If you really want to do that anyway, it should be possible to use the
passdev script that is intended to be used with removable drives with
your root filesystem by entering the UUID of the root filesystem. I
didn't try this myself (because I still think this is rather pointless
security-wise), but it should work.

--
Gruesse/greetings,
Reinhard Tartler, KeyID 945348A4