> No comment on dracut as I have no experience with it.
Okay, so I have to try it out myself. When I found something out, I expand the wiki with it.
> However, as I see it, you need no key file if you just use a pass
> phrase. In my opinion, a key file is only necessary for two improvements:
Entering just a pass phrase means that this pass phrase will be used to decrypt the device, if you decrypt a key before and then with that key decrypt all your volumes you have a much better security because that key will then be used as 'pass phrase' which is *way* much stronger (4096+ chars + ~10-20 chars you can remember).
> 1. Two-factor authentication (read: encrypted key file)
> 2. Avoiding re-typing the pass phrase for multiple dmcrypt partitions
> You can easily achieve the second point by putting an unencrypted key
> file on the first partition which you encrypt with a pass phrase. You
> don't even need dracut for this, /etc/conf.d/dmcrypt lets you configure
> it easily (as long as it doesn't affect /usr).
Okay, I look into this.
> However, I personally find it easier to put LVM on a single dmcrypt
> volume and be done this. All you need for this to work are two lines in
I'm new to LVM, does it setup key-based encryption (best is to put that key on an USB stick, so the attacker needs my stick).