On 30/08/13 20:22, Glenn Washburn wrote:
>> I'd still like GRUB to be able to read a key-file rather than a typed
>> pass-phrase, and have the key-file hidden on a (second) small (1GB)
>> randomised-data USB flash device (no file-system) so even the
>> operator can't be sure where to find the bytes that unlock it.
> 
> Again.  If your initrd and kernel are unencrypted on the USB, then you
> don't need keyfile support or any encryption support in grub. 

The USB device(s) will be encrypted.

>> If we can figure it out we'd like to be able to configure/unlock
>> different LVM volumes based on which LUKS slot is used to unlock,
>> too, and log the LUKS attempts from GRUB.
> 
> This really doesn't make sense.  LVM volumes aren't "unlocked", LUKS
> volumes sure.

There will be multiple layers of encryption using different keys. The LVMs 
within the whole-disk encryption will have different keys. Not all users will 
have access to the same collection of keys.

It doesn't look too difficult to add patches to achieve what I'm aiming for.
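The idea above, acting on which LUKS key slot unlocked a container, can be prototyped in userspace today by reading cryptsetup's verbose output. This is an added example, not code from the thread or from GRUB; the slot-to-volume-group policy table and the volume group names are assumptions, and the cryptsetup output is constructed.

```sh
#!/bin/sh
# Added example: choose which LVM volume group may be activated based on the
# LUKS key slot that actually unlocked the container. cryptsetup prints
# "Key slot N unlocked." when run with --verbose; the slot number is the one
# post-unlock fact that tells the different passphrases/key-files apart.
# The slot-to-VG mapping and VG names below are illustrative assumptions.

# Extract the slot number from cryptsetup --verbose output read on stdin.
luks_slot_from_output() {
    sed -n 's/^Key slot \([0-9][0-9]*\) unlocked\.$/\1/p' | head -n 1
}

# Policy table (assumed): which volume group each key slot is allowed to use.
slot_to_vg() {
    case "$1" in
        0)   echo "vg-admin" ;;
        1|2) echo "vg-users" ;;
        *)   echo "" ;;          # unknown slot: activate nothing
    esac
}

# Constructed stand-in for:  cryptsetup --verbose open /dev/sdb1 secure 2>&1
SAMPLE_OUTPUT='Enter passphrase for /dev/sdb1:
Key slot 2 unlocked.
Command successful.'

# Print the VG permitted for this unlock, or fail if no slot/VG applies.
select_vg() {
    slot=$(printf '%s\n' "$1" | luks_slot_from_output)
    [ -n "$slot" ] || return 1
    vg=$(slot_to_vg "$slot")
    [ -n "$vg" ] || return 1
    printf '%s\n' "$vg"
}

if vg=$(select_vg "$SAMPLE_OUTPUT"); then
    # Real use: vgchange -ay "$vg"; and log the event, e.g.
    # logger -t luks "unlock via key slot, activating $vg"
    echo "activating $vg"
else
    echo "no volume group permitted for this key slot" >&2
fi
```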

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel