On 11/21/13 16:31, Vladimir 'phcoder' Serbinenko wrote:
Why do you need offset and size options? keyfile option should be repeatable. The whole array would be passed down and file would be opened instead before reading password and concatenated with it unless --no-password was specified as well. If you have remaining questions feel free to ask here or on IRC.
See man 8 cryptsetup:

--keyfile-offset value
    Skip value bytes at the beginning of the key file. Works with all commands that accepts key files.

--keyfile-size, -l value
    Read a maximum of value bytes from the key file. Default is to read the whole file up to the compiled-in maximum that can be queried with --help. Supplying more data than the compiled-in maximum aborts the operation.

    This option is useful to cut trailing newlines, for example. If --keyfile-offset is also given, the size count starts after the offset. Works with all commands that accepts key files.

On Nov 20, 2013 12:43 AM, "Ralf Ramsauer" <address@hidden> wrote:
Hi,

yesterday I realised that GRUB is already supporting LUKS and even simple DSA signature checking.

I was thinking about the following setup:
- fully encrypted harddisk (LUKS) (incl. rootfs).
- no bootloader on harddisk
- kernel + initrd inside encrypted partition
- optionally: signatures of the kernel + initrd

For "trusted" booting, I thought about a USB stick that just includes GRUB, a public key for verification and a keyfile for LUKS.
Using that setup, no password input would be required during boot. The USB stick can be considered as "trusted environment".

Unfortunately, GRUB doesn't support keyfile for LUKS up to now. As I'm quite familiar with dm-crypt and LUKS I tried to implement the keyfile feature to GRUB.

After spending several hours trying to get a deeper insight into the GRUB internals I finally resigned, as I was missing documentation on several things...
I was very confused about the way how GRUB2 is handling its modules and about the strategies how functions are exactly called.

The aim is to implement three additional options to cryptodisk.c resp. luks.c:
-k keyfile [e.g. (hd2,msdos3)/mysecretkey]
-o keyfile offset [optional, default: 0]
-s keyfile size [optional, default: keyfilesize]

Using LUKS, a keyfile can simply be treated like a passphrase, which basically is already implemented.

I would appreciate it if perhaps someone of you could help me with this issue.

Thanks in advance!
Ralf
--
Ralf Ramsauer
PGP: 0x8F10049B
_______________________________________________
Grub-devel mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/grub-devel
--
Ralf Ramsauer
PGP: 0x8F10049B
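
The offset and size semantics quoted from cryptsetup(8) in the message above, as an added example that is not part of the original thread and is neither GRUB nor cryptsetup code. `KEYFILE_MAX`, `keyfile_read` and `demo` are hypothetical names; treating a size of 0 as "not given" and rejecting an empty result are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define KEYFILE_MAX 8192 /* assumed stand-in for the compiled-in maximum */

/* Hypothetical helper: skip `offset` bytes, then read at most `size` bytes.
 * size == 0 means "not given": read to EOF, fail if that exceeds the maximum.
 * Returns 0 and sets *len on success, -1 on error. */
static int keyfile_read(FILE *f, long offset, size_t size,
                        unsigned char *out, size_t *len)
{
    size_t n, want = size ? size : KEYFILE_MAX;
    if (offset < 0 || size > KEYFILE_MAX || fseek(f, offset, SEEK_SET) != 0)
        return -1;
    n = fread(out, 1, want, f);
    if (ferror(f) || n == 0) /* I/O error, or offset at/after end of file */
        return -1;
    /* Without an explicit size, oversized input aborts instead of truncating. */
    if (size == 0 && n == KEYFILE_MAX && fgetc(f) != EOF) {
        memset(out, 0, n); /* drop the partial key material */
        return -1;
    }
    *len = n;
    return 0;
}

/* Writes constructed sample data to a temp file and slices it.
 * Returns the key length, or -1 if keyfile_read rejected the request. */
static long demo(const char *data, size_t dlen, long offset, size_t size,
                 unsigned char *out)
{
    FILE *f = tmpfile();
    size_t len = 0;
    int rc;
    if (!f || fwrite(data, 1, dlen, f) != dlen)
        return -2;
    rc = keyfile_read(f, offset, size, out, &len);
    fclose(f);
    return rc == 0 ? (long)len : -1;
}

int main(void)
{
    unsigned char key[KEYFILE_MAX];
    /* Constructed file: 4-byte header, 8-byte key, trailing newline. */
    long n = demo("HDR:s3cr3tK!\n", 13, 4, 8, key);
    printf("%ld key bytes\n", n);
    return n == 8 ? 0 : 1;
}
```

With offset 4 and size 8 the trailing newline never reaches the key; with neither option the newline becomes part of it, which is the case the man page text warns about.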