Key sharing
Dick MIddleton
dick at fouter.net
Sat Jul 23 12:32:33 CEST 2022
On 7/21/22 21:02, Teddy Hogeborn wrote:
> Dick Middleton <dick at lingbrae.com> writes:
Thanks for responding.
> I don’t see why you are specifying a keyscript in your crypttab at all.
Because I always have. I've been using Mandos since before systemd was invented! And I've
been using encrypted disks since before Mandos was invented. Remember Yaird?
As far as I can tell I don't have a password agent on my system (Mandos version 1.8.14)
but even if I had I wouldn't know how to configure it. I've either missed the upgrade
instructions or they don't exist.
> What we suggest is always to simply have a different, separate (randomly generated,
> secure) password to each of your secondary devices, and keep those passwords in files
> on the primary root file system (which is itself unlocked by Mandos).
But that doesn't work for the hibernate partition which has to be unlocked before boot.
That was the problem the keyscript=decrypt_keyctl solved.
I don't know how systemd-cryptsetup manages that because I don't know anything about
systemd-cryptsetup. I've only just discovered it exists. If you know of any useful
instructions on how to adapt the old way to the systemd way I'd appreciate a reference.
As always, thanks for your help.
Dick
More information about the Mandos-Dev
mailing list