
Re: Unusual LUKS setup



On septidi, 27 Thermidor, year CCXXV, tomas@tuxteam.de wrote:
> I tend to the other extreme: everything (save /boot) is encrypted,
> as one big (physical, in the LVM sense) volume. Partitions within
> it are logical (LVM) volumes. Yes, that's more or less the standard
> Debian way.
> 
> Among other things this gives me peace of mind about (copies of)
> sensitive data hanging around /var (/var/lib/postgresql, for example,
> has a copy of my banking transactions history somewhere).
> 
> This brings the "LUKS question" to the earliest point, namely when
> trying to mount /.

No, it is not the earliest point, it is after the POST, bootloader and
initrd. With my setup, it is approximately halfway to the full boot,
which makes it the worst possible time for my objective.

> Now SSH... to fulfill that in this setting, the initramfs must have
> some ssh server capability. I've heard that you can bake in dropbear
> SSH in the initramfs, which sounds pretty elegant. Never tried, though.
> 
> Downside would be that now you've got *two* sshd instances to take
> care of, security-wise.

It would also require duplicating the network setup in the initrd:
wpa_supplicant and wifi passwords, OpenVPN and certificates, plus
rebuilding the initrd every time the configuration gets updated. Not
workable.

> No idea about how (or whether) that interacts with systemd (and
> honestly, not very keen on finding out :)

You seem to be suffering from a systemd obsession, maybe you should
consult a therapist about that :-Þ

Thanks for the advice.

-- 
  Nicolas George