Delayed encrypted partition mount
Lennart Poettering
mzerqung at 0pointer.de
Mon Mar 28 14:30:32 UTC 2011
On Mon, 21.03.11 13:17, Nathanael D. Noblet (nathanael at gnat.ca) wrote:
>
> On 03/21/2011 12:43 PM, Richard W.M. Jones wrote:
> > Off the same topic, I'd love a way to have a "key server" on my
> > network that machines can grab their keys from at boot. Obviously I
> > would then work on physically securing / hiding the key server so that
> > no one could steal it ...
>
> I think there are many possible improvements. I filed a bug with um F14
> with a patch for the initscripts that would fallback to a password when
> the configured key wasn't around.
I added this to the systemd TODO list now.
> I thought it would also be nice to have other options such as 'run X
> to get the key' etc. Ultimately the initscript change was rejected as
> F15 is going to systemd making it somewhat moot. Though I haven't
> looked at how systemd handles encrypted partitions
You can easily write your own password agent. Just watch
/var/run/systemd/ask-password with inotify and parse a simple
.ini-style file which is placed there for each password that is
asked. Then send the password back via a single AF_UNIX/SOCK_DGRAM to
the right socket mentioned in the file.
For more details:
http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents
Right now we have such agents installed by default to ask passwords via
plymouth, directly on the console, graphically on GNOME, via wall or
manually on a tty. You are welcome to add your own to fetch the password
from somewhere else, and it is trivial to do so: inotify is relatively
easy to use, .ini file parsers exist readily for most programming
languages (glib has one for example), and sending a single AF_UNIX
datagram is really easy too.
Lennart
--
Lennart Poettering - Red Hat, Inc.
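A minimal agent following the protocol described above, added here as an example; it is not code from the thread or from systemd itself. The reply wire format ('+' followed by the password, a bare '-' to cancel) and the Socket/NotAfter/Id fields come from the PasswordAgents page linked above; the key-store dict, the sample ask file, the Id value and the local stand-in socket are constructed, and the inotify directory watch is left out so the block runs offline.

```python
import configparser
import os
import socket
import tempfile
import time

# Constructed key store: prompt Id -> passphrase. A real agent would fetch the
# key from a key server or token instead of holding it in a dict.
KEYS = {"cryptsetup:/dev/sda2": "correct horse battery staple"}

# Constructed ask.* file in the layout systemd writes under the ask-password dir.
SAMPLE_ASK = """[Ask]
PID=%d
Socket=%s
NotAfter=%d
Id=cryptsetup:/dev/sda2
"""

def parse_ask_file(text):
    """Parse one ask.* file into the fields an agent needs."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    ask = cp["Ask"]
    return {"pid": int(ask["PID"]), "socket": ask["Socket"], "id": ask.get("Id", ""),
            "not_after": int(ask.get("NotAfter", "0"))}  # CLOCK_MONOTONIC usec, 0 = none

def request_is_live(req, now_us=None):
    """Refuse stale prompts; a full agent would also check that req['pid'] still exists."""
    now_us = time.monotonic_ns() // 1000 if now_us is None else now_us
    return not req["not_after"] or now_us <= req["not_after"]

def build_reply(password):
    """Wire format: '+' followed by the password, or a bare '-' to cancel."""
    return b"-" if password is None else b"+" + password.encode()

def answer(req, keys=KEYS):
    """Send the reply as a single datagram to the socket named in the ask file."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(build_reply(keys.get(req["id"])), req["socket"])

def roundtrip_demo(not_after=0):
    """Stand in for systemd: bind the reply socket, then hand the agent an ask file."""
    with tempfile.TemporaryDirectory() as d, socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as srv:
        srv.bind(os.path.join(d, "sck.1"))
        req = parse_ask_file(SAMPLE_ASK % (os.getpid(), srv.getsockname(), not_after))
        if not request_is_live(req):
            return None                        # expired: leave it for another agent
        answer(req)
        return srv.recv(4096)
```

In a real deployment the agent runs `parse_ask_file` on each new `ask.*` file that inotify reports and answers only prompts whose Id it holds a key for, leaving the rest to the console or plymouth agent.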