Cannot decrypt swap partition with Mandos inside a LV (LVM)
Dick Middleton
dick at fouter.net
Sat May 31 18:16:27 CEST 2014
On 05/30/14 12:33, Olivier Molinete wrote:
>> Once the system has started booting, Mandos is out of the picture, and
>> is no longer relevant. In your situation, I would suggest that you save
>> the password for other crypto devices, like your swap partition, in a
>> keyfile (I would suggest putting it in something like /etc/keys/swap)
>> and edit /etc/crypttab to reference that keyfile (in the third field).
I'm not sure if this is relevant: I have the same arrangement as you with each
LV separately encrypted. (This is because in the early days using a LUKS
partition for a PV didn't work). I have my swap in a real partition but it
uses the same passphrase as the root disc. Rather than be prompted twice I do
this in the crypttab file:
swap UUID=..... root luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
I've no idea how it works but it does!
I've had a lot of problems in the past with mandos vs gnutls esp with rsa
encryption. I think the problems have finally been solved but you do need to
use recent versions of gnutls. The main symptom is it doesn't get the key
from the mandos server even though everything is configured correctly.
Dick
--
Dick Middleton
dick at fouter.net
More information about the Mandos-Dev
mailing list