On Sun, 30 Mar 2008 09:50:47 +0200, Dirk Heinrichs wrote:
> > However, the setup doesn't work. I'm not asked for the passphrase, the
> > mappings are not created. What did I forget?
>
> That the mappings are created all in one go before anything is mounted,
> so you can't put the keyfile for /var into /boot. The only thing that
> would work is to put the keyfile on the root fs, because that's the
> only one that is mounted when the mappings are created, like:
You can if you add
pre_mount="mount /dev/mapper/boot /boot"
to the boot stanza of dmcrypt, it forces the filesystem to be mounted
immediately.
I use a variant of this, where keys are stored on a dedicated partition.
The pre_mount and post_mount (which unmounts the filesystem) ensure that
the keys are only visible for as long as it takes to mount the other
filesystems.
--
Neil Bothwick
Thesaurus: ancient reptile with an excellent vocabulary
