[COLUG] Linux Laptop
Josh Glover
jmglov at gmail.com
Mon Aug 7 19:09:27 EDT 2006
On 05/08/06, Duane <duane at cacert.org> wrote:
> On Sat, 2006-08-05 at 13:23 +0900, Josh Glover wrote:
>
> > I am not sure how we handle this at work--maybe we overwrite the key
> > in RAM before writing to disk. I know returning from a suspend
> > requires re-entering the private key passphrase. If you are
> > interested, I can ask our laptop guru how he does it.
>
> Most definitely interested... Be also interested in the complete setup,
> not just suspend to disk etc...
Here's what I found out:
"There are some good howtos out there on installing on an encrypted
rootfs, and encrypting swap:
https://help.ubuntu.com/community/EncryptedFilesystem
The trick is only that you encrypt swap with a real key, rather than a
throw-away key. When you suspend, memory contents are written out to
swap, and as long as you are using dm-crypt, and have a smart initrd,
you can bring up the dm-crypt tunnels before you mount swap, and before
you try to recover. The kernel and initrd have to be on a non-encrypted
partition. Using LUKS, the passphrase hash is stored in the headers of
the encrypted partition itself. So yes, the key to the encrypted
partition is stored on a non-encrypted portion of the disk, but it is
encrypted with the passphrase. Also using LUKS, you can have multiple
passphrases, and share passphrases across both partitions."
-Josh
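As an added illustration (not from the original post or the howto it links), here is a small POSIX shell check of an /etc/crypttab for the throw-away-key swap setup the reply warns against: a swap mapping keyed from /dev/urandom gets a fresh key every boot, so the initrd cannot reopen it to read the hibernation image back. The crypttab contents and UUIDs below are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post.
# Flags swap mappings in crypttab whose key is read from /dev/urandom or
# /dev/random (a throw-away key). Such swap cannot be reopened after a
# suspend-to-disk, because the key the previous boot used is gone.
# crypttab field layout: <target> <source device> <key file> <options>

# Constructed sample crypttab; the UUIDs are placeholders, not real devices.
SAMPLE_CRYPTTAB='# target    source                                     keyfile       options
cryptroot   UUID=aaaaaaaa-1111-2222-3333-444444444444  none          luks
cryptswap   UUID=bbbbbbbb-1111-2222-3333-444444444444  /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256
goodswap    UUID=cccccccc-1111-2222-3333-444444444444  none          luks,swap'

# throwaway_swap_entries: print the target name of every mapping that has
# the "swap" option and takes its key from /dev/urandom or /dev/random.
# Prints nothing when every swap mapping uses a persistent (e.g. LUKS) key.
throwaway_swap_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }        # skip comments and blank lines
        {
            keyfile = $3; opts = $4
            if (opts ~ /(^|,)swap(,|$)/ && keyfile ~ /^\/dev\/u?random$/)
                print $1
        }'
}

bad=$(throwaway_swap_entries "$SAMPLE_CRYPTTAB")
if [ -n "$bad" ]; then
    printf 'swap keyed from /dev/urandom, resume from hibernate will fail: %s\n' "$bad"
else
    echo "all swap mappings use a persistent key"
fi
```

On a real system, run it against `cat /etc/crypttab`; the fix the post describes is to make the swap mapping a LUKS volume (key file `none`, option `luks`) and add its passphrase as an extra key slot so it can be unlocked from the initrd alongside the root filesystem.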