Re: Password and key

[Garreau\, Alexandre]

Le 27/08/2014 à 17h22, Andrei Borzenkov a écrit :
> Wed, 27 Aug 2014 13:29:17 +0200 <address@hidden> wrote:
>> I don’t understand what are “cryptdevice” or “cryptkey” args…
>
> They are unrelated to grub and interpreted by initrd of your
> distribution.

Ok, I’ll ask there, thanks.

>> Also, he found a way to integrate the decryption key in the initramfs of
>> Parabola so that he only has to enter it within GRUB, and not again
>> while boot.
>
> OTOH having key in plain text (or even reversible encryption) laying
> on your disk somehow defeats its purpose ...

Only encrypted, the whole disk is encrypted here. As I said, here GRUB
is a payload for coreboot, so I don’t even need to have an unencrypted
/boot, everything is encrypted, and GRUB decrypt the root filesystem to
boot Linux. Then Linux need the key too… so I can either reenter a third
password, pass it as an argument (but I heard Linux arguments were
readable by all users when the system is running) or put it in the
initramfs which is anyway already on device encrypted with the key it
contains (so you need the key to get the key).

>> b) is there a way to set up the GRUB password and decryption key the
>> same so that the GRUB password can be used by cryptomount so that I only
>> enter one password once?
>
> Unfortunately, no - user authentication and cryptomount are not passing
> any information. Could be idea for next release.

Oh :/ So I’ll have anyway to type two passwords… I’d be glad that would
be fix in next release :D

Thank you!

signature.asc
Description: PGP signature