[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Root filesystem encryption patch set

On 4/26/07, Bill Nottingham <notting redhat com> wrote:
Bruno Wolff III (bruno wolff to) said:
> I think there had been an assumption that this person had been watching
> the bugzilla entry for encrypted file systems and would include patches
> posted there once people reported they were working OK. That assumption seems
> to have been incorrect.

The patches, as posted, are broken:

- they introduce a new configuration file when mkinitrd already has one

Point taken, I checked and there's nothing that can't be done with the existing config file.  So, everything is optional with /etc/sysconfig/mkinitrd.    A new set of patches are available at the website.   I'll be updating the instructions today or tomorrow.

- they hardcode device names in the exact same way that /etc/crypttab
  does, meaning that it will fail in the exact same way with hotplugged
  drives or device ordering changes that /etc/crypttab does (and does
  with a vengeance in any FC6 -> F7 upgrade). Considering this is the
  root device, that's *bad*.

Current encryption support does have a drawback.  Either we can identify the device by taking the first/last X bytes of a raw device (if they do not change) as a UUID of sorts and scan all block devices for that "signature", or we have to know the target to decrypt.  I'm at a loss of how to scan all candidate devices for said identifier. 

I agree, /etc/crypttab works after mounting / and all has all the drawbacks you are mentioning. 

The early bird may get the worm, but the it's the second mouse that gets the cheese.
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]