
Re: encrypted root fs on a slug and crypto-modules


On Sat, 22 Mar 2008, Anders Lennartsson wrote:
> > On Tue, 11 Mar 2008 at 07:13:41 +0100, Admir Trakic <admir@trakic.com> wrote:
> snip
> > Anders,
> > 
> > Is there any way to incorporate this hint:
> > http://www.debian-administration.org/articles/579 where usage of
> > serial port would be avoided?
> > 
> > ;-)
> After browsing the howto slightly my guess is that it would work.
> Busybox is available (in fact it is already in the initrd image) for
> the arm and so is dropbear. One concern is the available size on the
> flash in the NSLU2. Dropbear is a bit above 500 kB installed, but not
> all of it needs to be in the initrd image. I think it would fit.

Here is an alternative approach.

	1. Have an unencrypted small bootable file system which
	   contains the encrypted key for booting the real
	   file system and has ssh/dropbear installed. This
	   file system is mounted "read-only" a la Live-CDs.

	2. The sysadmin logs in via ssh and runs "kexec" to boot
	   the real file system. The key for the real file system
	   is given as a command line parameter to "kexec" (after
	   the sysadmin has decrypted it).
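
A sketch of the two steps above, added here as an example and not taken from the thread: the small boot system builds the `kexec` command line carrying the decrypted key, and the real system's initramfs reads it back. The `cryptkey=` parameter name, the kernel and initrd paths and the root device name are assumptions.

```shell
#!/bin/sh
# Added illustration of the two-step scheme; not code from the thread.
# Assumed names: the cryptkey= parameter, the paths and the root device.

KERNEL=${KERNEL:-/boot/vmlinuz}        # assumed path
INITRD=${INITRD:-/boot/initrd.img}     # assumed path
ROOTDEV=${ROOTDEV:-/dev/mapper/root}   # assumed device name

# Boot-system side: build the command line handed to the real kernel.
# The key is required to be hex so it survives whitespace splitting.
build_cmdline() {   # $1 = decrypted key (hex)
    case $1 in
        ''|*[!0-9a-fA-F]*) echo "key must be non-empty hex" >&2; return 1 ;;
    esac
    printf 'root=%s ro cryptkey=%s' "$ROOTDEV" "$1"
}

# Boot-system side: load the real kernel, then jump into it.
# Only prints the commands unless DRY_RUN=0 is set.
boot_real_system() {   # $1 = decrypted key (hex)
    cmdline=$(build_cmdline "$1") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "kexec -l $KERNEL --initrd=$INITRD --append=\"$cmdline\""
        echo "kexec -e"
    else
        kexec -l "$KERNEL" --initrd="$INITRD" --append="$cmdline" && kexec -e
    fi
}

# Real system's initramfs side: recover the key from a command line
# string (normally the contents of /proc/cmdline).
extract_key() {   # $1 = kernel command line
    for word in $1; do
        case $word in
            cryptkey=*) printf '%s' "${word#cryptkey=}"; return 0 ;;
        esac
    done
    return 1
}

# Anything able to read /proc/cmdline or the kernel boot log sees the
# same key, for as long as the booted system stays up.
```
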


