Docs/Beats/FileSystems addition

Hi,

I (login PatrickErnzer) do not seem to be in the correct group to edit <http://fedoraproject.org/wiki/Docs/Beats/FileSystems>, so I'll mail you. I just went over the crypt instructions and the following might make it clearer to end users.

[start what text should be]
{{{#!html
<h2>File Systems</h2>}}}

Fedora [[GetVal(DocsDict,BeatsVer)]] provides basic support for encrypted swap partitions and non-root
file systems.  To use it, add entries to `/etc/crypttab` and reference the
created devices in `/etc/fstab`.

[[Admonition("note", "Encrypted FS Support Unavailable During Install", "Enable file system encryption after installation. Anaconda does not have support for creating encrypted block devices.")]]

The following example shows a `/etc/crypttab` entry for a swap partition:

{{{my_swap /dev/hdb1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
}}}

This creates an encrypted block device `/dev/mapper/my_swap`, which can be
referenced in `/etc/fstab`. The next example shows an entry for a filesystem volume:

{{{my_volume /dev/hda5 /etc/volume_key cipher=aes-cbc-essiv:sha256
}}}

The `/etc/volume_key` file contains a plaintext encryption key.  You can
also specify {{{none}}} as the key file name, and the system instead asks for
the encryption key during boot.

The recommended method is to use '''LUKS''' for file system volumes:
(using '''LUKS''' you can drop the cipher= part in crypttab)

* Create the encrypted volume using {{{cryptsetup luksFormat}}}
* Add the necessary entry to `/etc/crypttab`
* Set up the volume manually using {{{cryptsetup luksOpen}}} or reboot
* Create a filesystem on the encrypted volume
* Set up an `/etc/fstab` entry

Here is an example of changing one's existing `/home` to be encrypted. Mind you that the following procedure will wipe all your existing data, so be sure to have a '''tested''' backup before you start. This also requires you to have a separate partition for `/home` (in my case that is `/dev/VG00/LV_home`). All the following must be done as root. Any of these steps failing means you must not continue until the step succeeded.
* enter runlevel 1: {{{telinit 1}}}
* unmount your existing `/home`: {{{umount /home}}}
  * if it fails use `fuser` to find and kill processes hogging `/home`: {{{fuser -mvk /home}}}
* verify `/home` is not mounted any longer: {{{cat /proc/mounts | grep home}}}
* fill your partition with random data: {{{dd if=/dev/urandom of=/dev/VG00/LV_home}}}
  * you're looking at a process that takes many hours, but it is imperative to do this in order to have good protection against break-in attempts. Just let it run overnight.
* initialise your partition: {{{cryptsetup --verbose --verify-passphrase luksFormat /dev/VG00/LV_home}}}
* open the newly encrypted device: {{{cryptsetup luksOpen /dev/VG00/LV_home home}}}
* check it's there: {{{ls -l /dev/mapper | grep home}}}
* create a filesystem: {{{mkfs.ext3 -j /dev/mapper/home}}}
* mount it: {{{mount /dev/mapper/home /home}}}
* check it's visible: {{{df -h | grep home}}}
* add the following to `/etc/crypttab`: {{{home /dev/VG00/LV_home none}}}
* edit your `/etc/fstab`, removing the old entry for `/home` and adding {{{/dev/mapper/home /home ext3 defaults 1 2}}}
* verify your fstab entry: {{{mount /home}}}
* reboot: {{{shutdown -r now}}}

If all goes well with your `/etc/crypttab` entry, you will be asked your '''luks''' passphrase on boot. Log in as root and restore your backup.
[end]

All this was written directly in my mail client, so be sure to check I got the wiki tags right.

Alternatively, just add me to the edit group, I'll do the changes myself then.

RU

PCFE
--
Senior Consultant | IT executives: Red Hat still #1 for value
Red Hat           |                http://www.redhat.com/promo/vendor/

Attachment: pgpEvIHlWx8SI.pgp
Description: PGP signature

--
Fedora-relnotes-content mailing list
Fedora-relnotes-content@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-relnotes-content
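
The `/etc/crypttab` and `/etc/fstab` entries described in the mail above can be cross-checked before the reboot step. The following is an added example, not part of the original mail or of any Fedora tool; the function names `check_crypttab` and `demo` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): lint crypttab entries of the
# "name device keyfile options" form shown above against an fstab.
# Prints one finding per line and returns 1 if anything was flagged.
check_crypttab() {
    crypttab=$1 fstab=$2 rc=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        key=${key:-none}
        # The mapping only helps if fstab uses /dev/mapper/<name>.
        if ! awk -v d="/dev/mapper/$name" \
                '$1 == d { hit = 1 } END { exit !hit }' "$fstab"; then
            echo "$name: /dev/mapper/$name is not referenced in fstab"; rc=1
        fi
        case $key in
        none) ;;                       # passphrase is asked for at boot
        /dev/urandom|/dev/random)      # new key every boot: contents do not survive
            case ",$opts," in
            *,swap,*|*,tmp,*) ;;
            *) echo "$name: random key without swap or tmp option"; rc=1 ;;
            esac ;;
        *)                             # key file holds the key in plaintext
            echo "$name: plaintext key file $key"; rc=1
            if [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
                echo "$name: $key is readable by group or others"; rc=1
            fi ;;
        esac
    done < "$crypttab"
    return $rc
}

# Constructed sample input mirroring the entries in the text above.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'my_swap /dev/hdb1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256' \
        "my_volume /dev/hda5 $d/volume_key cipher=aes-cbc-essiv:sha256" \
        'home /dev/VG00/LV_home none' > "$d/crypttab"
    printf '%s\n' '/dev/mapper/my_swap swap swap defaults 0 0' \
        '/dev/mapper/home /home ext3 defaults 1 2' > "$d/fstab"
    echo key > "$d/volume_key"; chmod 644 "$d/volume_key"
    check_crypttab "$d/crypttab" "$d/fstab"; status=$?
    rm -rf "$d"
    return $status
}
demo || true
```

On the constructed sample only `my_volume` is flagged: it has no fstab entry, and its key sits in a plaintext file that other users can read.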
