laptop security - encryption - does not work cleanly on F7

Attempting to improve laptop security using luks encrypted home partition.

Summary:

  root is a non-starter -
  /home can be made to work via custom rc.local but not cleanly using /etc/crypttab.

Details:

  Been struggling with this - sure could use some help. After much reading 
and fiddling I gave up trying to get fedora working with luks dm-crypted root 
as it seems there are limitations with mkinitrd or something. Instead I have 
swap (which does work aside from a resume error on boot) and encrypted /home 
which is a problem and is not working quite right.

  I cannot get machine to boot correctly and mount /home using the 
standard /etc/crypttab /etc/fstab files.

  If anyone can help I'd be very grateful - I know this should work - a friend 
with ubuntu has root encrypted and it runs no prob - so I just need help with 
the fedora magic.

 Here's what is going on.

  I created luks encrypted /home - put info in /etc/crypttab. Set fstab to now 
mount /dev/mapper/XX onto /home. Hand mounts all work fine. So far so good.

 Now try booting.

 First problem was if fstab has fsck on - then on booting the /etc/crypttab 
triggers a pass-phrase request - which appears to work (small yay) - next 
fsck fails with bad superblock error. I suspect the fsck is done on /dev/sdaX 
instead of /dev/mapper/xx. Obviously this cannot work.

 Q) what needs changing to fix this?

I edited fstab to skip any fsck - now boot proceeds further - then it says 
re-mounting read write - now it prompts for pass phrase a second time (bug?). 
That seems to fail anyway in that /dev/mapper/xx is not created and thus the 
mount fails. Boot proceeds ok - but ends with no /dev/mapper/xx and /home 
cannot be mounted.

 Presumably

       a) I did something wrong (most likely?)

       b) fedora tools are just not ready for encryption (seems so in part)
           Possible things to look at: rc.sysinit, mkinitrd

       c) other.

 Given the importance of laptop security these days I do so hope this can be 
made to work smoothly and so would very much appreciate some help.

   Since I cannot get even a non-root to boot smoothly - I have a ways to go 
before attempting encrypted root - seems debian based distros may be ahead of 
us in this regard.

   For those interested - my work around - is to remove the /etc/crypttab 
file - change fstab to noauto for /home and create a custom script which does 
the crypto by hand - then run it out of rc.local. This gets me going but I 
know there is a "proper" way to do this. I just don't know what it is!

  If anyone is interested in all the details I can share.

thanks.

g/
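
Added example, not part of the original message: a shell check of the crypttab/fstab pairing the post describes. It flags an fstab line that names the raw LUKS partition instead of its /dev/mapper device, and a /dev/mapper mount that has no crypttab entry and is not marked noauto. `check_crypt_layout`, `demo` and all device and mapping names are hypothetical; the check reads configuration only and does not diagnose the boot scripts.

```shell
#!/bin/bash
# check_crypt_layout CRYPTTAB FSTAB
# Prints one finding per line; prints nothing when the two files agree.
# Assumed field layouts: crypttab = name device keyfile options
#                        fstab    = device mountpoint fstype options dump passno
# Assumptions: devices are compared as literal strings (no UUID=/LABEL=
# resolution) and every /dev/mapper/* path in fstab is treated as a LUKS
# mapping, so LVM volumes listed under /dev/mapper would be reported too.
check_crypt_layout() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        FILENAME == ARGV[1] {                   # first file: crypttab
            raw_to_name[$2] = $1                # backing device -> mapping name
            known["/dev/mapper/" $1] = 1        # mapper path created at boot
            next
        }
        ($1 in raw_to_name) {                   # fstab points at the ciphertext
            printf "RAW %s: %s is the LUKS container, use /dev/mapper/%s\n",
                   $2, $1, raw_to_name[$1]
            next
        }
        $1 ~ /^\/dev\/mapper\// && !($1 in known) && $4 !~ /(^|,)noauto(,|$)/ {
            printf "UNMAPPED %s: %s has no crypttab entry and is not noauto\n",
                   $2, $1
        }
    ' "$1" "$2"
}

# Constructed sample files; runs in a subshell so nothing leaks out.
demo() (
    dir=$(mktemp -d)
    printf '%s\n' '# name device keyfile options' \
        'home_crypt /dev/sda5 none luks' > "$dir/crypttab"
    printf '%s\n' \
        '/dev/sda2 / ext3 defaults 1 1' \
        '/dev/sda5 /home ext3 defaults 1 2' \
        '/dev/mapper/data_crypt /data ext3 defaults 0 0' \
        '/dev/mapper/scratch /scratch ext3 noauto 0 0' > "$dir/fstab"
    check_crypt_layout "$dir/crypttab" "$dir/fstab"
    rm -rf "$dir"
)

demo
```

On a real system the call would be `check_crypt_layout /etc/crypttab /etc/fstab`.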


   

  

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list