fai and cryptsetup
Patrick Schoenfeld
patrick.schoenfeld at googlemail.com
Sun Sep 26 13:04:55 CEST 2010
Hi,
On Sun, Sep 26, 2010 at 01:00:46AM +0200, Michael Tautschnig wrote:
> Indeed, it was easy :-) - as of 4.0~beta2+experimental17 you should be able to
> use
>
> luks:"Your passphrase" / ...
>
> instead of just "luks" to get a device encrypted with the passphrase of your
> choice. The crypttab then has "none" for the keyfile name, which should make it
> ask you for a passphrase at bootup. Big fat WARNING: this is untested, but
> testing would be much appreciated :-)
it seems that the implementation is wrong. I can see from the log that
it uses the passphrase to generate a key file. That is not right.
Unfortunately I see the dilemma. You either have to specify a keyfile
to luksFormat or enter the passphrase on generation, which will not work
without using expect or something.

My suggestion:
- Use the keyfile to init the device
- After that: Add the passphrase via cryptsetup luksAddKey
- Remove the slot with the keyfile from luks
- Generate the crypttab in the way you've described

I know it's kind of ugly but probably the only way to go without
expect'ing the input of luksFormat.

Regards,
Patrick
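
The four suggested steps as a shell sketch. This is an added example, not part of the original message and not FAI's setup-storage code. The function names are hypothetical, the device, key file and mapping name are supplied by the caller, and the passphrase is assumed to arrive on stdin.

```shell
#!/bin/sh
# Added example: key file bootstrap, then passphrase-only LUKS volume.
# Function names are hypothetical; paths and names come from the caller.

# Steps 1-3: format with a temporary key file, enrol the passphrase read
# from stdin, then drop the slot that the key file unlocks.
luks_swap_keyfile_for_passphrase() {
    dev=$1 keyfile=$2

    # 1. Initialise the LUKS header non-interactively with the key file.
    cryptsetup --batch-mode luksFormat "$dev" "$keyfile" || return 1

    # 2. Unlock with the key file and add the passphrase. When stdin is
    #    not a terminal, cryptsetup reads the new passphrase from stdin up
    #    to the first newline, so it never appears in argv, the process
    #    list or a file on disk.
    cryptsetup luksAddKey --key-file "$keyfile" "$dev" || return 1

    # 3. Remove the key slot that matches the key file.
    cryptsetup luksRemoveKey "$dev" "$keyfile" || return 1

    # Check: the key file must no longer unlock the volume.
    if cryptsetup open --test-passphrase --key-file "$keyfile" "$dev" 2>/dev/null; then
        echo "key file still unlocks $dev" >&2
        return 1
    fi
}

# Step 4: crypttab entry with "none" as the key file, so that the
# passphrase is asked for at boot.
crypttab_entry() {
    printf '%s %s none luks\n' "$1" "$2"
}
```

Call it as `luks_swap_keyfile_for_passphrase DEVICE KEYFILE < passphrase-source`; the key file is not deleted by the function and should be discarded afterwards.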