> No comment on dracut as I have no experience with it.

Okay, so I have to try it out myself. When I find something out, I'll expand the wiki with it.

> > However, as I see it, you need no key file if you just use a pass
> > phrase. In my opinion, a key file is only necessary for two improvements:

Entering just a pass phrase means that this pass phrase will be used to decrypt the device. If you decrypt a key first and then use that key to decrypt all your volumes, you have much better security, because that key will then be used as the 'pass phrase', which is *way* stronger (4096+ chars vs. the ~10-20 chars you can remember).

> > 1. Two-factor authentication (read: encrypted key file)
> > 2. Avoiding re-typing the pass phrase for multiple dmcrypt partitions

See above. :)

> You can easily achieve the second point by putting an unencrypted key
> file on the first partition which you encrypt with a pass phrase. You
> don't even need dracut for this, /etc/conf.d/dmcrypt lets you configure
> it easily (as long as it doesn't affect /usr).

Okay, I'll look into this.

> However, I personally find it easier to put LVM on a single dmcrypt
> volume and be done with this. All you need for this to work are two lines in
> /etc/rc.conf:
> rc_dmcrypt_before="lvm"
> rc_dmcrypt_after="udev"

I'm new to LVM. Does it set up key-based encryption (best is to put that key on a USB stick, so the attacker needs my stick)?

Regards,
Roland
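The layout the second point describes (a first volume unlocked with a pass phrase, the remaining volumes unlocked with a key file stored on that encrypted volume), written out as a Gentoo /etc/conf.d/dmcrypt fragment. This is an added example, not configuration from either poster: the target names, device nodes and key paths are made up, the first volume is assumed to be unlocked earlier by the initramfs (dracut or similar) and therefore does not appear here, and the last target assumes the dmcrypt init script's `:gpg` key suffix and `remdev=` option for the two-factor variant with a key on a removable device.

```sh
# /etc/conf.d/dmcrypt (added example; device nodes and key paths are placeholders)
#
# The volume that holds /etc/keys is the pass-phrase-protected root, unlocked
# by the initramfs before this file is read. Everything below is therefore
# only reachable once that pass phrase has been entered.

# Volumes unlocked with a raw key file kept on the encrypted root.
# Create each key with:   dd if=/dev/urandom of=/etc/keys/home.key bs=512 count=8
# Register it with:       cryptsetup luksAddKey /dev/sda3 /etc/keys/home.key
# Protect it with:        chmod 0400 /etc/keys/*.key   (it is as sensitive as the pass phrase)
target=crypt-home
source='/dev/sda3'
key='/etc/keys/home.key'

target=crypt-data
source='/dev/sdb1'
key='/etc/keys/data.key'

# Two-factor variant: a GPG-encrypted key file stored on a removable device.
# The ':gpg' suffix makes the init script prompt for the GPG pass phrase, and
# remdev= names the device it mounts to read the key. Both options are assumed
# from the Gentoo dmcrypt init script; check your installed /etc/conf.d/dmcrypt.
target=crypt-backup
source='/dev/sdc1'
key='/keys/backup.key:gpg'
remdev='/dev/sdd1'
```

Because the key files only exist on the already-unlocked root, an attacker with the bare disk still has to get through the pass phrase, while the other volumes are protected by the full-entropy key. With the two lines from the reply in /etc/rc.conf (rc_dmcrypt_before="lvm", rc_dmcrypt_after="udev"), the same file also works when the unlocked volumes are LVM physical volumes.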