Re: LVM2 logical volumes on Loop-AES

Fog_Watch wrote:
> I am aiming to boot from logical volumes that are attached to
> an encrypted /dev/loop which is in turn attached to a /dev/hda.
> I hope to have all but /boot encrypted, yet retain the flexibility of
> lvm2. To date I have failed.
> 
> I can encrypt my root partition according to Example 5 in the
> readme.  And, I can create logical volumes on top of an encrypted
> loopback.  It is in the murky world of the init ram disk that I start
> clutching at shadows.
> 
> I'll start with a question that I am moderately sure of.  In
> build-initrd.conf, what should CRYPTROOT=?  CRYPTROOT=/dev/vg/root does
> not work (not surprising in retrospect).  Or, should I be using
> something different from build-initrd.sh?

One of the config options in build-initrd.sh is USEROOTSETUP. If you set
that to USEROOTSETUP=1, then the created initrd will mount BOOTDEV as /lib,
and run the /lib/rootsetup program or script instead of the /lib/losetup
program. If /lib/rootsetup is a shell script, then a shell (and its
libraries) must be manually copied to the boot partition. The script then
sets up the needed logical volume and calls losetup to do the loop setup
work. The rootsetup program/script needs to be able to both set up a device
and also tear it down (in case mount fails, and mount is tried again). The
rootsetup program/script gets the same command line parameters as losetup.
In the following example all command line parameters are ignored, with the
exception of the first one, which is used to determine whether the script
should set up a loop device or tear it down. The initrd image has only a
few static device nodes. Additional needed device nodes need to be created
by the script. Any external programs that the script uses (and their
libraries) you need to manually copy to the boot partition.

Something like this: (completely untested!)

#!/lib/sh
# BOOTDEV is mounted on /lib, so the shell and losetup live there.
# Only the first argument matters: "-d" means tear down, anything else
# means set up (the remaining losetup arguments are ignored).
if [ "$1" != "-d" ] ; then
    # INSERT LOGICAL VOLUME SETUP HERE
    # then attach the encrypted loop on top of the logical volume
    /lib/losetup -e AES128 -K /lib/rootkey.gpg -G /lib /dev/loop5 /dev/vg/root
else
    # detach the loop first, then release the logical volume
    /lib/losetup -d /dev/loop5
    # INSERT LOGICAL VOLUME TEARDOWN HERE
fi

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD
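The skeleton above leaves the LVM part as placeholders. As an added
illustration (not code from Jari or from loop-AES, and not run on a real
initrd), the script below fills in one possible shape of the setup and
teardown halves. Everything it assumes is hypothetical and must match your
own initrd: the boot partition mounted on /lib, LVM2's vgscan and vgchange
copied there as /lib/vgscan and /lib/vgchange (with their shared
libraries), loop-AES losetup at /lib/losetup, the GPG key at
/lib/rootkey.gpg, loop device /dev/loop5 and root volume /dev/vg/root.
The tool paths are variables so the script can be exercised with stand-in
commands before it is installed.

```shell
#!/lib/sh
# Hypothetical rootsetup script for a USEROOTSETUP=1 initrd (added example).
# All paths below are assumptions; override them from the environment.
LOSETUP=${LOSETUP:-/lib/losetup}     # loop-AES losetup copied to /lib
VGSCAN=${VGSCAN:-/lib/vgscan}        # LVM2 tools copied to /lib
VGCHANGE=${VGCHANGE:-/lib/vgchange}
MKNOD=${MKNOD:-mknod}
LOOPDEV=${LOOPDEV:-/dev/loop5}       # loop device used for the root fs
ROOTLV=${ROOTLV:-/dev/vg/root}       # logical volume under the loop
KEYFILE=${KEYFILE:-/lib/rootkey.gpg}
GPGHOME=${GPGHOME:-/lib}

# The initrd only ships a few static device nodes, so create the loop node
# if it is missing. Loop devices are block major 7; the minor is the loop
# number taken from the end of the device name (loop5 -> 5).
ensure_loop_node() {
    if [ ! -b "$1" ]; then
        "$MKNOD" "$1" b 7 "${1##*loop}" || return 1
    fi
}

# Set up: find and activate the volume group, then attach the encrypted
# loop on top of the root logical volume (same losetup call as in the
# thread: cipher AES128, GPG-encrypted key file, GPG home on /lib).
rootsetup_up() {
    ensure_loop_node "$LOOPDEV" || return 1
    "$VGSCAN" || return 1
    "$VGCHANGE" -a y || return 1
    "$LOSETUP" -e AES128 -K "$KEYFILE" -G "$GPGHOME" "$LOOPDEV" "$ROOTLV"
}

# Tear down in reverse order, so that a failed mount can be retried from
# a clean state: detach the loop, then deactivate the volume group.
rootsetup_down() {
    "$LOSETUP" -d "$LOOPDEV" || return 1
    "$VGCHANGE" -a n
}

# The initrd passes losetup's own arguments. As in the thread's skeleton,
# only the first one is inspected to choose between setup and teardown.
rootsetup_main() {
    if [ "$1" = "-d" ]; then
        rootsetup_down
    else
        rootsetup_up
    fi
}

# Dispatch only when invoked with arguments (the initrd always passes some).
if [ "$#" -gt 0 ]; then
    rootsetup_main "$@"
fi
```

To try the control flow without touching real devices, point LOSETUP,
VGSCAN, VGCHANGE and MKNOD at shell functions or wrapper scripts that log
their arguments; in the initrd, every binary named here and the libraries
it links against must be copied to the boot partition, exactly as the
reply above says for losetup and the shell.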

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
