Hi. I'd like to set up a system where all partitions (including the root file system) are encrypted using dmcrypt. Of course I need some place where I can boot from, and I intended to use a USB stick for that purpose.
Now I think there are (at least) the following two ways of doing this:

1) Traditional way
Boot from the USB stick with an initramdisk, ... that sets up dmcrypt and mounts the root filesystem.
- Has the advantages that it's pretty well supported by some distros (e.g. Debian) and it's very easy to set up.
- Has the disadvantage that I'll always have to update the contents of the stick when I install a new kernel (btw: does anybody know of a write-once USB stick? ;) )
After booting it should be possible to just unplug the stick (as the kernel and the modules are already loaded), or not?

2) Using kexec
I could imagine that my USB stick serves just as a loader, ... having a kernel and initrd that sets up dmcrypt/mounts root and calls kexec for the "real" working kernel and the corresponding initramdisk, which are both stored encrypted on e.g. the root filesystem in /boot/ or so... The initrd of the working kernel contains the dmcrypt keys and automatically sets up the mappings and mounts the filesystems.
- Has the advantage that this is nearly transparent for the system, especially for tools that automatically create the initramdisk (stuff like update-initramfs in Debian)
- And I would (nearly) never have to change the contents of the loader USB stick.

Now I've read through the kexec documentation and I wonder whether using kexec might have some negative impact, as the firmware is already initialised (by the loader kernel??) and the working kernel must be put at different addresses. I'm also not sure how to use the "architecture options" from the kexec userspace tools.

Any ideas, help, suggestions, or threads ;) ?

Thanks and best wishes,
Chris.
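The loader stage described in option 2, sketched as an added example that is not part of the original post. The device, mapping name, mount point and file paths are assumptions, as is a LUKS header on the root partition; the permission check on the key-carrying initrd is an extra safeguard added here.

```shell
#!/bin/sh
# Added example (not from the original post): loader-stage logic for option 2.
# Device, mapping name and paths are assumptions; a LUKS header is assumed.
set -u

ROOT_DEV="${ROOT_DEV:-/dev/sda2}"        # assumed encrypted root partition
MAP_NAME="${MAP_NAME:-cryptroot}"        # assumed dm-crypt mapping name
MNT="${MNT:-/mnt/root}"                  # where the loader mounts the decrypted root
KERNEL="${KERNEL:-$MNT/boot/vmlinuz}"    # working kernel on the encrypted root
INITRD="${INITRD:-$MNT/boot/initrd.img}" # working initrd (holds the dm-crypt keys)
DRY_RUN="${DRY_RUN:-1}"                  # 1 = only print the commands

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# The working initrd carries key material: reject it if group/other have any access.
initrd_is_private() {
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Unlock, mount read-only, stage kernel + initrd in memory, release, jump.
loader_boot() {
    run cryptsetup open "$ROOT_DEV" "$MAP_NAME" || return 1
    run mount -o ro "/dev/mapper/$MAP_NAME" "$MNT" || return 1
    if [ "$DRY_RUN" != 1 ]; then
        [ -f "$KERNEL" ] && initrd_is_private "$INITRD" || return 1
    fi
    run kexec -l "$KERNEL" --initrd="$INITRD" \
        --append="root=/dev/mapper/$MAP_NAME ro" || return 1
    # kexec -e switches kernels immediately, without a normal shutdown, so
    # release the filesystem and mapping first; the working initrd redoes both.
    run umount "$MNT" || return 1
    run cryptsetup close "$MAP_NAME" || return 1
    run kexec -e
}

loader_boot
```

With the default `DRY_RUN=1` the script only prints the command sequence; setting `DRY_RUN=0` inside the loader initrd executes it, with `cryptsetup open` prompting for the passphrase.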