Bug#350615: [Pkg-cryptsetup-devel] Bug#350615: Add support for encrypted ssl-keys

Jonas Meurer jonas at freesources.org
Thu Feb 2 17:43:30 UTC 2006

On 30/01/2006 General Stone wrote:
> In the attachment is a patch and a tool.

i believe that the patch is rather ugly. it depends on openssl, and
therefore on a mounted /usr filesystem. what to do when /usr is an
encrypted filesystem?

> The patch include support to use encrypted ssl-key/s at the boot-up
> process. The modificated initscript will them ask for a password and
> decrypt it in a defined $PATH which is mounted as a tmpfs. If there are
> more keys with the same encrypted password, the initscript want to ask
> once.

I don't understand the aim of this patch. why do you want to use
encrypted keys for disk encryption? if this is really wanted, it should
be implemented in cryptsetup itself, without the need for openssl.
and the implementation should be cleaner, with support for keys on
removable devices, etc.

> The other modification is from the /etc/init.d/lvm-common script.
> It changes the usermod in /dev/mapper/<cdisks>.

i don't know whether i like this idea. i believe that ownership
configuration should be either done in cryptsetup directly, or at least
in /etc/crypttab. in any case, /etc/default/cryptdisks is the wrong
place for it.

> The tool create a double encrypted key with 'openssl' for use with the
> cryptsetup initscript.

i'm not sure how to think about this idea. i'dd like to wait for mount
dm-crypt support (see bugreport #290324) and then discuss this feature
with the cryptsetup upstream authors.

gebi, what do you think about it?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20060202/9f2608a6/attachment.pgp

More information about the Pkg-cryptsetup-devel mailing list