
Re: Trouble with encrypted filesystems



On Wed, Feb 07, 2007 at 11:22:48 +0100, Dan H. wrote:
> Florian Kulzer wrote:
> 
> > The main advantage of pmount is that it allows all members of the
> > "plugdev" group to mount pluggable devices. This eliminates the need to
> > add entries for pluggable devices to /etc/fstab. Since I use pmount
> > anyway I like the fact that it automatically recognizes LUKS partitions
> > and asks for the passphrase.
> 
> Sounds good. Does that mean that as soon as I plug my disk into the USB
> slot, it gets recognized and I get asked for the passphrase? Does it
> automatically identify different devices/partitions and handle them
> accordingly? I know partitions have something unique called a UUID and
> that this can somehow be used to automatically detect and discern
> pluggable devices, but I haven't found any "beginner's tutorial" on how
> to use that feature.

It does not work quite like that yet. The behavior you describe is
working for unencrypted partitions, and they are nicely mounted via
their labels (if present). This should work for all DEs which follow the
freedesktop.org specification for removable devices. I am not sure,
though, if pmount is still involved or if hal-callouts are used these
days. For encrypted devices I still have to issue the pmount command
manually, but at least I do not have to mess around with crypt<whatever>
or device-mapper commands.

> > The main advantage of using LUKS is, AFAIK, that it allows you to change
> > your passphrase without having to re-encrypt all your data (while still
> > being "safe"). I do not know cryptmount well enough to compare it in
> > detail to cryptsetup; from the package description I get the feeling
> > that cryptmount has very similar features, except for LUKS support.
> > (Maybe it has another mechanism to achieve the same thing, though.)
> 
> Well, the data on the disk is encrypted using a non-changing key which
> is generated once by a random generator. This key, in turn, is scrambled
> with your passphrase, so you can indeed change the passphrase by
> re-encrypting just the key. I'm sure LUKS uses a similar method because
> otherwise it would indeed have to re-encrypt the entire disk.

That sounds very similar to what LUKS is doing (as far as I understand
the details of the LUKS implementation). LUKS also allows you to have
more than one passphrase per volume, but I never really saw the point of
that.

> Does LUKS or the USB automount system have any "hooks" into which I can
> plug stuff I want to be automatically executed upon mounting a device?
> That would be neat because that's where I'd put the "renice" kludge.

I think you can use udev to run some external commands whenever a
certain device node is created. I have no problems with kjournald using
the cryptsetup/pmount method, therefore I never investigated this any
further with respect to encrypted devices.

-- 
Regards,
          Florian
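The key-wrapping layout the two messages above describe (a random master key that encrypts the data, with each passphrase unlocking only a wrapped copy of that key, so that a passphrase change re-wraps the key rather than re-encrypting the disk) can be illustrated in a few dozen lines. The block below is an added example written for this page; it is not code from the thread, from cryptsetup or from the LUKS specification. It also shows the second point, several key slots on one volume, which is how a passphrase can be rotated (add a new slot, then kill the old one) without the data ever being rewritten. The class name, method names, slot count, sample data and passphrases are all constructed for the illustration; a toy HMAC-SHA256 counter-mode stream cipher stands in for AES, and stdlib PBKDF2 stands in for the LUKS key-derivation function. It is not a real cipher and must not be used to protect data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Toy model of the LUKS-style layout discussed above. Names, sizes, sample
# data and passphrases are constructed for this example; the stream cipher
# below is a demonstration stand-in for AES and is NOT secure for real use.
MASTER_KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 100_000  # real LUKS tunes this per slot; fixed here for the demo


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream_key = hmac.new(key, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(stream_key, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; None means wrong key or tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    stream_key = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, _keystream(stream_key, len(ct))))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key (LUKS uses PBKDF2 or argon2 here)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, MASTER_KEY_LEN)


class ToyLuksVolume:
    """Header with N key slots plus the bulk data sealed under one master key."""

    def __init__(self, passphrase: str, data: bytes, n_slots: int = 8):
        master_key = os.urandom(MASTER_KEY_LEN)  # generated once, never changes
        self.slots = [None] * n_slots              # each: (salt, wrapped master key)
        self.data_blob = seal(master_key, data)    # written once at format time
        self._wrap_into_free_slot(master_key, passphrase)

    def _wrap_into_free_slot(self, master_key: bytes, passphrase: str) -> int:
        for i, slot in enumerate(self.slots):
            if slot is None:
                salt = os.urandom(16)
                self.slots[i] = (salt, seal(derive_kek(passphrase, salt), master_key))
                return i
        raise RuntimeError("no free key slot")

    def unlock(self, passphrase: str):
        """Try every occupied slot; return (slot index, master key) or None."""
        for i, slot in enumerate(self.slots):
            if slot is None:
                continue
            salt, wrapped = slot
            master_key = open_sealed(derive_kek(passphrase, salt), wrapped)
            if master_key is not None:
                return i, master_key
        return None

    def add_key(self, existing: str, new: str) -> int:
        """Like luksAddKey: an existing passphrase authorises a new slot."""
        found = self.unlock(existing)
        if found is None:
            raise ValueError("bad passphrase")
        return self._wrap_into_free_slot(found[1], new)

    def kill_slot(self, index: int) -> None:
        """Like luksKillSlot: the data stays put, only the wrapped key is dropped."""
        self.slots[index] = None

    def read(self, passphrase: str) -> Optional[bytes]:
        found = self.unlock(passphrase)
        return None if found is None else open_sealed(found[1], self.data_blob)


def demo() -> dict:
    """Rotate a passphrase via a second slot; confirm the data was never rewritten."""
    plaintext = b"constructed sample data on the volume"
    vol = ToyLuksVolume("correct horse", plaintext)
    data_before = vol.data_blob
    old_slot = vol.unlock("correct horse")[0]
    vol.add_key("correct horse", "rotated passphrase")  # second slot, same master key
    vol.kill_slot(old_slot)                             # retire the old passphrase
    return {
        "data_rewritten": vol.data_blob != data_before,
        "old_pass_works": vol.read("correct horse") is not None,
        "new_pass_works": vol.read("rotated passphrase") == plaintext,
        "wrong_pass_works": vol.read("not the passphrase") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The check a practitioner cares about is the first entry of the result: after adding a slot and killing the old one, `data_blob` is byte-for-byte what it was at format time, so rotation cost is one KDF run and one small re-wrap, independent of volume size. The same structure is why losing every slot (or the header) loses the data even though the passphrase is known.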


