My notes on making encrypted filesystems 'Just Work(tm)'

W. Michael Petullo mike at
Mon Dec 13 08:33:50 PST 2004

>> Incidentially we talked about exactly the same issue on the Ubuntu
>> conference and I would very much like to cooperate with you on this
>> issue.

> Cool, there's plenty of space on this server if you need CVS; my initial
> thought was to store it in the sesame module right next to hal.

I am game too.  I would like to help with this effort.

>>> 2) Support encryption of root file systems; e.g. encrypt all data on a
>>> laptop computer

I have some experience with this.  I have been doing work to bring
encrypted root filesystems to Fedora.  See [1] for patches that add
encryption support to mkinitrd.  Right now encryption parameters are
stored on the encrypted root in /etc/crypttab and in an initrd on a
removable boot key.  The January 2005 issue of the Linux Journal will also
have an article about this.  I'll spend some time studying the ideas in
this thread -- they seem promising.

>> With a flexible amount of metadata it would be possible to implement a
>> "keyring", i. e. a structure which maps user ids to the device
>> password encrypted with the user's password. This could then be
>> integrated nicely with libpam-mount for e. g. encrypted /home
>> partition support.

I'm currently the maintainer of pam-mount.

Right now, my only fear would be that unlocking an encrypted device on
various computers means that you must fully trust ALL of the computers
that you unlock it on.  I trust my own laptop but that is about it.  It is
important that we do not make any claims on the overall system based on
the fact that a removable drive is encrypted.



hal mailing list
hal at

More information about the Hal mailing list