Cannot decrypt swap partition with Mandos inside a LV (LVM)

Teddy Hogeborn teddy at recompile.se
Sat May 31 23:41:17 CEST 2014


Dick Middleton <dick at fouter.net> writes:

> On 05/30/14 12:33, Olivier Molinete wrote:
>
> > >  Once the system has started booting, Mandos is out of the
> > >  picture, and is no longer relevant.  In your situation, I would
> > >  suggest that you save the password for other crypto devices, like
> > >  your swap partition, in a keyfile (I would suggest putting it in
> > >  something like /etc/keys/swap) and edit /etc/crypttab to
> > >  reference that keyfile (in the third field).
>
> I'm not sure if this is relevant: I have the same arrangement as you
> with each LV separately encrypted. (This is because in the early days
> using a LUKS partition for a PV didn't work). I have my swap in a real
> partition but it uses the same passphrase as the root disc.  Rather
> than be prompted twice I do this in the crypttab file:
>
> swap UUID=.....   root luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
>
> I've no idea how it works but it does!

At the top of that decrypt_derived script is the following comment:

# WARNING: If you use the decrypt_derived keyscript for devices with
# persistent data (i.e. not swap or temp devices), then you will lose
# access to that data permanently if something damages the LUKS header
# of the LUKS device you derive from. The same applies if you luksFormat
# the device, even if you use the same passphrase(s). A LUKS header 
# backup, or better a backup of the data on the derived device may be 
# a good idea. See the Cryptsetup FAQ on how to do this right.

> I've had a lot of problems in the past with mandos vs gnutls esp with
> rsa encryption.  I think the problems have finally been solved but you
> do need to use recent versions of gnutls.

Yes.

> The main symptom is it doesn't get the key from the mandos server even
> though everything is configured correctly.

The problem is something else this time.  The server says it can't find
the client with such a fingerprint.  This means there was no problem
with the GnuTLS handshake - the problem is that the server does not have
the client in its list.

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos
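The two crypttab arrangements discussed in this thread, a keyfile in the third field versus `keyscript=decrypt_derived`, differ in one important way that the warning at the top of decrypt_derived spells out: a derived key is only appropriate for devices whose contents can be thrown away. The following POSIX sh script is an added example, not code from the Mandos project or from either author on this list; it audits crypttab-style entries offline and flags any decrypt_derived entry that does not also carry the `swap` or `tmp` option (the crypttab options that mark a device as disposable). The sample crypttab content and its UUIDs are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit /etc/crypttab-style entries for the hazard noted
# at the top of /lib/cryptsetup/scripts/decrypt_derived, namely deriving
# a key for a device that holds persistent data.
#
# crypttab field layout: <target> <source> <key file> <options>
#
# For the keyfile approach suggested in the thread, the setup (not run
# here, shown for reference) is roughly:
#   dd if=/dev/urandom of=/etc/keys/swap bs=64 count=1
#   chmod 0600 /etc/keys/swap
#   cryptsetup luksAddKey /dev/<swap-device> /etc/keys/swap
# and then a crypttab line such as:  swap UUID=<uuid> /etc/keys/swap luks

# Constructed sample crypttab content (UUIDs are placeholders).
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
root  UUID=0000-root  none            luks
swap  UUID=0000-swap  root            luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived,swap
home  UUID=0000-home  root            luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
swap2 UUID=0000-swp2  /etc/keys/swap  luks'

# classify_entry TARGET KEYFILE OPTIONS
# Prints one of:
#   OK      decrypt_derived used on a device marked swap or tmp
#   WARN    decrypt_derived used on a device not marked disposable
#   KEYFILE unlocked from a keyfile path (third field)
#   PROMPT  unlocked interactively (third field is "none")
classify_entry() {
    ce_keyfile=$2
    ce_opts=",$3,"
    case "$ce_opts" in
        *keyscript=*decrypt_derived*)
            case "$ce_opts" in
                *,swap,*|*,tmp,*) echo OK ;;
                *) echo WARN ;;
            esac ;;
        *)
            if [ "$ce_keyfile" != none ]; then
                echo KEYFILE
            else
                echo PROMPT
            fi ;;
    esac
}

# audit_crypttab: reads crypttab text on stdin, prints "<status> <target>"
# per entry, skipping blank lines and comments.
audit_crypttab() {
    while read -r ac_target ac_source ac_keyfile ac_options; do
        case "$ac_target" in ''|\#*) continue ;; esac
        ac_status=$(classify_entry "$ac_target" "$ac_keyfile" "$ac_options")
        printf '%s %s\n' "$ac_status" "$ac_target"
    done
}

# count_warnings: number of WARN entries in crypttab text given on stdin.
count_warnings() {
    cw_n=0
    audit_crypttab | while read -r cw_status cw_target; do
        [ "$cw_status" = WARN ] && cw_n=$((cw_n + 1))
        echo "$cw_n" > /dev/null
        printf '%s\n' "$cw_n"
    done | tail -n 1
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_CRYPTTAB" | audit_crypttab
```

Against the sample, `home` is reported as WARN because it derives its key from `root` without being marked disposable, which is exactly the case the decrypt_derived comment warns about; the two swap entries and `root` pass. Note that a decrypt_derived line without the `swap` option, like the one quoted above, is reported for review rather than as an error, since the audit can only see what crypttab declares, not what the device is actually used for.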