encrypted swap question

I have a machine with f9 clean installed and encrypted /, encrypted swap and encrypted /opt partitions.

Of course during boot you are asked for the luks passphrase for all three partitions.

I have been able to avoid the passphrase prompt for /opt by placing a keyfile in /root, adding this key to luks for /opt and referring to it from /etc/crypttab, so that /opt gets mounted during boot without the need for user input. That works fine.

I would like to do the same with the swap partition - but if I make a second keyfile in /root and refer to it on the swap partition line in /etc/crypttab in the same way as for /opt, then it ignores this during boot and asks the user for the luks passphrase for the swap partition after asking for the passphrase for the root partition.

The /etc/crypttab line has

luks-sda6 /dev/sda6 /root/keyfileswap

where /root/keyfileswap has been added as another key to the swap partition using cryptsetup luksAddKey.

I note from the man entry for crypttab that for swap partitions /dev/urandom should be allowable also, but changing the crypttab line to

luks-sda6 /dev/sda6 /dev/urandom

still gives a prompt to enter the luks passphrase for this swap partition immediately after the analogous prompt for the / partition, which opens fine.

Does anyone know how to fix this?

-- 
fedora-list mailing list
fedora-list@...
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Re: encrypted swap question

On Tue, 05 Aug 2008 16:21:39 +0000 (UTC) Mike C <mike.cloaked@...> wrote:

> Does anyone know how to fix this?

What's the point of encrypting a partition and then keeping the key for that partition on the hard drive so you don't have to enter anything to access it? You would simplify your life by simply not encrypting that partition at all.

-- 
MELVILLE THEATRE ~ Melville Sask ~ http://www.melvilletheatre.com

Re: encrypted swap question

On Tue, Aug 5, 2008 at 12:21 PM, Mike C <mike.cloaked@...> wrote:

> I have a machine with f9 clean installed and encrypted /, encrypted swap
> and encrypted /opt partitions.
>
> Of course during boot you are asked for the luks passphrase for all three
> partitions.
>
> ...
>
> I would like to do the same with the swap partition - but if I make a
> second keyfile in /root and refer to it on the swap partition line in
> /etc/crypttab in the same way as for /opt then it ignores this during boot and
> asks the user for the luks passphrase for the swap partition after asking for
> the passphrase for the root partition.

The / and primary swap partitions (or logical volumes) are handled a bit differently than, say, /opt. They are mounted very early in the boot process, and in fact are handled by the initrd's nash scripts. If you change the LUKS options for these, you'll need to rebuild the initrd (see mkinitrd) as well. Or, you could just wait until the next kernel update and it will correct things for you.

I'd use /dev/urandom for swap; unless it's a laptop and you'll be doing suspend-to-ram (which I've heard could have LUKS issues).

-- 
Deron Meranda
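As an added example (not code from the thread, from Fedora or from cryptsetup), a small POSIX sh audit that classifies crypttab entries the way the boot scripts will treat them: passphrase prompt, keyfile (checking that it exists and is readable by root only), or a /dev/urandom throwaway key. The sample crypttab, the keyfile paths and the /dev/sdaN names are constructed, and the `swap` option on /dev/urandom entries is taken from crypttab(5) rather than from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or Fedora): audit a crypttab file and
# report how the boot scripts will treat each mapping. Field layout, crypttab(5):
#   <name> <device> <key: none | keyfile | /dev/urandom> [options]
# Print "<name> <mode>" for one crypttab entry.
crypttab_classify() {
    name=$1 key=$3 opts=$4
    case "$key" in
        ""|none) echo "$name prompt" ;;          # passphrase asked at boot
        /dev/urandom)                            # fresh key every boot, so a
            case ",$opts," in                    # hibernation image is unreadable
                *,swap,*) echo "$name random-key" ;;   # "swap" option: mkswap it
                *)        echo "$name random-key-no-swap-option" ;;
            esac ;;
        *)
            if [ ! -f "$key" ]; then
                echo "$name keyfile-missing"     # unlock will not be automatic
            elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
                echo "$name keyfile-group-or-world-accessible"
            else
                echo "$name keyfile"             # root-only file, as it should be
            fi ;;
    esac
}
# Walk a crypttab file, skipping blank lines and comments.
crypttab_audit() {
    while read -r name device key opts; do
        case "$name" in ""|"#"*) continue ;; esac
        crypttab_classify "$name" "$device" "$key" "$opts"
    done < "$1"
}
# Constructed sample mirroring the thread's layout; keyfiles and the crypttab
# live in a temp dir, and the /dev/sdaN names are never opened.
TMP=$(mktemp -d)
umask 077
head -c 64 /dev/urandom > "$TMP/keyfileopt"      # created 0600
head -c 64 /dev/urandom > "$TMP/keyfileswap"
chmod 644 "$TMP/keyfileswap"                     # deliberately too permissive
SAMPLE="$TMP/crypttab"
cat > "$SAMPLE" <<EOF
# name      device     key               options
luks-sda2   /dev/sda2  none
luks-sda5   /dev/sda5  $TMP/keyfileopt
luks-sda6   /dev/sda6  $TMP/keyfileswap
swap-sda7   /dev/sda7  /dev/urandom      swap
swap-sda8   /dev/sda8  /dev/urandom
luks-sda9   /dev/sda9  $TMP/nosuchkey
EOF
crypttab_audit "$SAMPLE"
```

Run it against the real /etc/crypttab (crypttab_audit /etc/crypttab) to see which entries will still stop the boot for a passphrase, and which keyfiles are exposed more widely than the thread's "only readable once / is unlocked" reasoning assumes.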

Re: encrypted swap question

Deron Meranda <deron.meranda <at> gmail.com> writes:

> The / and primary swap partitions (or logical volumes) are handled a
> bit differently than say /opt. They are mounted very early in the boot
> process, and in fact are handled by the initrd's nash scripts. If you
> change the LUKS options for these, you'll need to rebuild the initrd
> (see mkinitrd) as well. Or, you could just wait until the next kernel
> update and it will correct things for you.
>
> I'd use /dev/urandom for swap; unless it's a laptop and you'll

Great - I understand now - yes I remember there were certainly mkinitrd issues in F8 which are hopefully corrected in f9.

Indeed this is a laptop - I guess I can re-run mkinitrd manually and maybe this will work ahead of waiting for another kernel. Hence referring to the keyfile in /root will be better than /dev/urandom.

Re: encrypted swap question

Frank Cox <theatre <at> sasktel.net> writes:

> What's the point of encrypting a partition and then keeping the key for that
> partition on the hard drive so you don't have to enter anything to access it?

Well - if unencrypted then in principle, in the event of theft, the swap partition would have information in clear which could be read. If the root partition contains the luks keyfile and you need a luks passphrase to open the / partition, then in principle there is no unencrypted information on any of the partitions that could easily be accessed, since the / partition needs to be opened with a luks passphrase before the keyfile to open the swap partition could be accessed.

Re: encrypted swap question

On Tue, 2008-08-05 at 16:21 +0000, Mike C wrote:

> I have a machine with f9 clean installed and encrypted /, encrypted
> swap and encrypted /opt partitions.
>
> Of course during boot you are asked for the luks passphrase for all
> three partitions.

I came across the same thing, myself, on a laptop. In the end, I caved in and let Fedora use LVM on the box, which would seem to work by encrypting the whole volume group in the one go (root, swap, and all), rather than individually doing each volume inside it.

-- 
[tim@localhost ~]$ uname -r
2.6.25.11-97.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.

Re: encrypted swap question

Deron Meranda <deron.meranda <at> gmail.com> writes:

> The / and primary swap partitions (or logical volumes) are handled a
> bit differently than say /opt. They are mounted very early in the boot
> process, and in fact are handled by the initrd's nash scripts. If you
> change the LUKS options for these, you'll need to rebuild the initrd
> (see mkinitrd) as well. Or, you could just wait until the next kernel
> update and it will correct things for you.

I rebuilt the initrd using mkinitrd but it made no difference - so I guess that when the next kernel update is released it will also be the same?

I also tried suspending the machine but it would not come out of suspend and I had to reboot.

Oh well, having to enter the luks passphrases twice is not too much of a burden!

Re: encrypted swap question

Mike C wrote:
> Deron Meranda <deron.meranda <at> gmail.com> writes:
>
>> The / and primary swap partitions (or logical volumes) are handled a
>> bit differently than say /opt. They are mounted very early in the boot
>> process, and in fact are handled by the initrd's nash scripts. If you
>> change the LUKS options for these, you'll need to rebuild the initrd
>> (see mkinitrd) as well. Or, you could just wait until the next kernel
>> update and it will correct things for you.
>>
>> I'd use /dev/urandom for swap; unless it's a laptop and you'll
>
> Great - I understand now - yes I remember there were certainly mkinitrd
> issues in F8 which are hopefully corrected in f9.
>
> Indeed this is a laptop - I guess I can re-run mkinitrd manually
> and maybe this will work ahead of waiting for another kernel.
> Hence referring to the keyfile in /root will be better than /dev/urandom
>

Better in what way? I think either case gets you out of typing a 2nd LUKS password. Using /dev/urandom seems to avoid having a password where anyone could ever recover it, and I think using LUKS on swap will kill suspend in either case (it may work better than it did last time I tried it).

-- 
Bill Davidsen <davidsen@...>
"We have more to fear from the bungling of the incompetent than from the machinations of the wicked." - from Slashdot

Re: encrypted swap question

Bill Davidsen <davidsen <at> tmr.com> writes:

> Better in what way? I think either case gets you out of typing a 2nd
> LUKS password. Using /dev/urandom seems to avoid having a password where
> anyone could ever recover it, and I think using LUKS on swap will kill
> suspend in either case (it may work better than it did last time I tried
> it).

Yup - you are right - at least with the keyfile stored for swap - I cannot come out of suspend!! I am not sure this is working right at present as even regenerating the initial ramdisk file it still asks for the swap passphrase at boot - and it goes into suspend but won't come out!

It is possible this is due to the hardware being quite old (around 5 years old) - which is my test system!

Re: encrypted swap question

Mike C <mike.cloaked <at> gmail.com> writes:

> The /etc/crypttab line has
> luks-sda6 /dev/sda6 /root/keyfileswap
> where /root/keyfileswap has been added as another key to the swap partition
> using cryptsetup luksAddKey

Seems this is in bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=448665

Re: encrypted swap question

Mike wrote:
> Mike C <mike.cloaked <at> gmail.com> writes:
>
>> The /etc/crypttab line has
>> luks-sda6 /dev/sda6 /root/keyfileswap
>> where /root/keyfileswap has been added as another key to the swap partition
>> using cryptsetup luksAddKey
>>
>
> Seems this is in bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=448665
>

Either way it is annoying. As for the proposed fix, what if you don't use crypttab? And what if you don't use /dev/urandom?

I have used a heavily modified rc.sysinit for the last several versions of Fedora, calling a custom script to mount 5 LUKS partitions. mkinitrd in F9 now breaks everything.

My solution (work around) has been to turn swap off and un-map the swap partition just before I do a kernel install. This way mkinitrd does not see it. Upon reboot it gets mounted through my scripts and fstab (in your case crypttab).

There is also an option during install to use a global LUKS passphrase. Would that have been a solution for you (Mike C.) for your test box? Anyone know how and where Fedora stores that passphrase for use? Is it a security issue?

Re: encrypted swap question

Mike C wrote:
> Bill Davidsen <davidsen <at> tmr.com> writes:
>
>> Better in what way? I think either case gets you out of typing a 2nd
>> LUKS password. Using /dev/urandom seems to avoid having a password where
>> anyone could ever recover it, and I think using LUKS on swap will kill
>> suspend in either case (it may work better than it did last time I tried
>> it).
>
> Yup - you are right - at least with the keyfile stored for swap - I cannot
> come out of suspend!! I am not sure this is working right at present as
> even regenerating the initial ramdisk file it still asks for the swap
> passphrase at boot - and it goes into suspend but won't come out!
>
> It is possible this is due to the hardware being quite old (around 5 years
> old) - which is my test system!
>

you can't get the system up high enough to read the saved password.

-- 
Bill Davidsen <davidsen@...>
"We have more to fear from the bungling of the incompetent than from the machinations of the wicked." - from Slashdot

Re: encrypted swap question

So, is it possible to read the passphrase from a USB drive at boot time?? :-?

Thanks.

Re: encrypted swap question

On Sun, 2008-09-21 at 07:18 +0200, DanMitton wrote:

> So, is it possible to read the passphrase from a USB drive at boot time?? :-?

What passphrase? At boot time there are no users.

poc

Re: encrypted swap question

DanMitton wrote:
> So, is it possible to read the passphrase from a USB drive at boot time?? :-?

The proper way to do it is to read a *key* from a USB drive at boot time. In F8 it didn't take too much hacking in /etc/rc.sysinit to load the USB storage modules, wait a few seconds to detect the drive, mount it, and then do the luks magic to unlock the LVM partition. I haven't tried in F9. It would be really nice to have this supported by the installer.

-- 
Chris

Re: encrypted swap question

DanMitton wrote, On 09/21/2008 01:18 AM:
> So, is it possible to read the passphrase from a USB drive at boot time?? :-?
>
> Thanks.
>

An alternative to the Red Hat way[0] is to use tuxonice[1]. "If you do not have a smartcard, you can store a keyfile on external media such as a cd-rom or usb thumb drive."[2]

Tech Note that I have not as _yet_ attempted either Chris's or Alon's method, so salt as desired. I will eventually have to use one of them.

Bias Note: for ssh-agent with DoD smart card, I have only been able to get Alon's method working, and am not happy about fedora not including it or enough documentation to get their method working.

[0] i.e., what Chris Snook was indicating. I suspect some of the pieces may already be there in fedora, but it seems at times there is a bit of friction between RH folks and anything Alon BarLev is involved with, so you will probably have to follow all the tuxonice build directions if you go that route.
[1] http://wiki.tuxonice.net/EncryptedSwapAndRoot
[2] http://wiki.tuxonice.net/EncryptedSwapAndRoot#head-4e7474b9357309c5f8be5563c0970e72f5483aed

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter