<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style='font-family: Verdana,Geneva,sans-serif'>
<p>Hello Dick,</p>
<p>Thanks for your answer :)</p>
<p>Yep, I got the same password on both LVs, but I preferred to create a binary key following my own steps after reading some examples out there:</p>
<pre>
# mkdir /etc/keys/luks
# chmod 700 /etc/keys/luks

# dd if=/dev/urandom of=/etc/keys/luks/swap.key bs=1024 count=4

# chmod 400 /etc/keys/luks/*
# cryptsetup luksAddKey /dev/mapper/sda_volgrp_crypt-logvol02_swap /etc/keys/luks/swap.key
# vi /etc/crypttab
#&lt;target name&gt; &lt;source device&gt; &lt;key file&gt; &lt;options&gt;
sda_volgrp_crypt-logvol01_root_crypt /dev/mapper/sda_volgrp_crypt-logvol01_root none luks,tries=3
sda_volgrp_crypt-logvol02_swap_crypt /dev/mapper/sda_volgrp_crypt-logvol02_swap /etc/keys/luks/swap.key luks,swap,tries=3

# grub-install /dev/sda
# update-grub &amp;&amp; update-initramfs -u -k all
</pre>
<p>Relating to the GnuTLS and RSA problem, it could be, but if it were that, Mandos would never have authenticated my mandos-client host as it did two days ago. In addition, no apt update was performed on either machine (mandos-server and mandos-client) for at least two weeks.</p>
<p>It is for that reason that I have no idea where the ball is, and where to look... :-S</p>
<p>Maybe Mandos has some kind of cache or proprietary database where this kind of data relating to the mandos-clients is stored and could be purged, but apart from the file /var/lib/mandos/clients.pickle (which does not exist on my mandos-server), I don't know where to search...</p>
<p>Could somebody help me, please?</p>
<p>Thank you very much in advance, once again :)</p>
<p>Kind regards,<br />Olivier Molinete</p>
<p>On 31/05/2014 18:16, Dick Middleton wrote:</p>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<pre>On 05/30/14 12:33, Olivier Molinete wrote:</pre>
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">
<blockquote type="cite" style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px">Once the system has started booting, Mandos is out of the picture, and is no longer relevant. In your situation, I would suggest that you save the password for other crypto devices, like your swap partition, in a keyfile (I would suggest putting it in something like /etc/keys/swap) and edit /etc/crypttab to reference that keyfile (in the third field).</blockquote>
</blockquote>
<pre dir="ltr">I'm not sure if this is relevant: I have the same arrangement as you with each
LV separately encrypted. (This is because in the early days using a LUKS
partition for a PV didn't work). I have my swap in a real partition but it
uses the same passphrase as the root disc. Rather than be prompted twice I do
this in the crypttab file:
swap UUID=..... root luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived<br /><br /></pre>
<pre dir="ltr">I've no idea how it works but it does!</pre>
<pre dir="ltr"><br />I've had a lot of problems in the past with mandos vs gnutls, esp. with rsa encryption. I think the problems have finally been solved but you do need to use recent versions of gnutls. The main symptom is it doesn't get the key from the mandos server even though everything is configured correctly.<br /><br />Dick <span class="sig">-- Dick Middleton<br /><a href="mailto:dick@fouter.net">dick@fouter.net</a><br /><br />_______________________________________________<br />Mandos-Dev mailing list <a href="mailto:Mandos-Dev@recompile.se">Mandos-Dev@recompile.se</a><br /><br /><a href="https://mail.recompile.se/cgi-bin/mailman/listinfo/mandos-dev">https://mail.recompile.se/cgi-bin/mailman/listinfo/mandos-dev</a></span></pre>
</blockquote>
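<p>The keyfile procedure in this thread (a 0700 key directory, a 0400 keyfile from /dev/urandom, and a crypttab entry naming it in the third field) is easy to get subtly wrong, and a keyfile that is readable by non-root users undoes the point of encrypting swap. The following POSIX shell check is an added example written for this page; it is not part of the thread, of Mandos, or of the cryptsetup package. It parses a crypttab-format file, skips entries that prompt for a passphrase ("none") and entries that use a keyscript such as decrypt_derived (where the third field is not a file), and reports keyfiles that are missing, group/other-readable, or kept in a directory that is not mode 0700. The file paths and device names used in the usage comment are assumptions for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the thread): audit keyfile entries in a crypttab file.
# Assumes only POSIX sh, ls, cut and dirname.
# crypttab(5) fields per line: <target name> <source device> <key file> <options>

# key_mode_ok FILE: succeed only if FILE is a regular file whose group and
# other permission bits are all clear (mode 0400 or 0600, as "chmod 400" intends).
key_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # characters 5-10 of "-rw-------" are group+other
    [ "$perms" = "------" ]
}

# dir_mode_ok DIR: the directory holding keyfiles must not be listable or
# traversable by group/other (mode 0700).
dir_mode_ok() {
    [ -d "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_crypttab FILE: walk every non-comment entry and report keyfile problems
# on stderr. Returns the number of problems found (0 = clean).
check_crypttab() {
    problems=0
    while read -r target source keyfile options || [ -n "$target" ]; do
        # skip blank lines and comments
        case "$target" in ''|\#*) continue ;; esac
        if [ -z "$keyfile" ]; then keyfile=none; fi
        # "none": interactive passphrase prompt (e.g. answered by Mandos for root); nothing on disk
        if [ "$keyfile" = none ]; then continue; fi
        # keyscript entries (e.g. decrypt_derived) derive the key; the third field is not a file
        case "$options" in *keyscript=*) continue ;; esac
        if ! [ -f "$keyfile" ]; then
            echo "$target: keyfile $keyfile does not exist" >&2
            problems=$((problems + 1))
            continue
        fi
        if ! key_mode_ok "$keyfile"; then
            echo "$target: keyfile $keyfile is readable by group/other (expected mode 0400)" >&2
            problems=$((problems + 1))
        fi
        if ! dir_mode_ok "$(dirname "$keyfile")"; then
            echo "$target: key directory $(dirname "$keyfile") should be mode 0700" >&2
            problems=$((problems + 1))
        fi
    done < "$1"
    return "$problems"
}

# Usage (path is an assumption):  sh crypttab-check.sh /etc/crypttab
# Exit status is the number of problems, so it can gate a deployment step.
if [ -n "${1:-}" ]; then
    check_crypttab "$1"
fi
```

<p>Run it as root against the real /etc/crypttab after the chmod steps and again after any package upgrade that touches /etc/keys; a non-zero exit means a keyfile would be exposed or the swap device would fail to unlock at boot. The keyscript skip is deliberate: for the decrypt_derived arrangement mentioned later in the thread there is no file to protect, the key is derived from the already-opened root mapping.</p>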
</body></html>