You are not logged in.
Pages: 1
I have my netbook set up with several encrypted partitions (root, home, var) and I want to unlock all of them with only one password prompt at boot time. From the wiki, it seems that the standard way of doing this is to store the passphrases for the non-root ones in /etc/crypttab.
Is that still current? I'd rather not have passphrases stored like that, even though the file would be encrypted, because it's visible when the machine is running. It's conceivable that a rootkit or some yet-undiscovered exploit could grab that file from the live system, or that the time my netbook gets stolen happens to be the one time I neglected to lock the screen when I turned my back on it :P
Another option is key files, and I've seen a couple threads that go one farther and password-protect the keys, but carrying around the key medium all the time seems cumbersome (plus I'd have to fiddle with USB sticks when I hibernate to swap batteries). I suppose I could store the key on /boot and password-protect it, but the instructions seem pretty complicated.
What I'm thinking of doing instead is modifying the 'encrypt' initcpio hook so that the password prompt reads into a variable and then gets flushed out to a file on /run. Since /run is tmpfs, that means it's in RAM, so the passphrase shouldn't touch the disk, right? Then, I'll read that in as a --key-file argument (which, by the way, doesn't actually distinguish between passphrases and key files; they're the same thing), mount the rest of the filesystems, then shred/rm the file.
Are there any security holes I might open up by doing it this way?
~Felix.
Offline
Pages: 1