John Maher wrote:

Marc Schwartz wrote:

You do want to encrypt swap and there is a reasonable argument to be
made that if you don't, there is almost no point in encrypting /home.

And it turns out that encrypting the swap is very easy. I've taken care
of that.

Good.

BTW, I took a look at the boot.cryptmap script. As far as I can see, it
is set up for dm-crypt use, but NOT for use with the LUKS extensions.
The process by which it gets the passphrase and then passes that to
cryptsetup (via a shell variable) is not compatible with LUKS, which
requires that the passphrase is explicitly prompted for or is in a key
file. I don't see (not fully tested) a way for cryptsetup LUKS to get
the passphrase otherwise (i.e. via stdin redirection).

I didn't notice in the luksopen information anything written about boot
time prompts for the passphrase. If you place /sbin/luksopen in
/etc/rc.d/rc.local (after ensuring luksopen is in /sbin), does the boot
process pause and prompt for a passphrase automatically?

That's the point of the luksopen script and putting it in
/etc/rc.d/rc.local. It will run before booting is finished on FC4 and
you will be prompted for the LUKS passphrase.

Thank you. That worked well, but only experimentally for an additional
partition I had available for playing with. Encrypting /home is proving
to be more difficult. Can you direct me to any guidance/documentation
on encrypting /home? If there isn't any I hope to write some once I'm
successful and fully understand what's going on.

I figured out that I can log on as root and still be able to unmount
/home to encrypt it, but then what do I need to do in order to mount it
during boot? It gets mounted (I think) well before /etc/rc.d/rc.local
is run, which is where /sbin/luksopen is being launched. So, because
the partition is encrypted but not mapped, the boot process is abruptly
halted.

Can you shed some light on this problem?
I am going to guess that you have not modified /etc/fstab so that the
original partition mapping for /home is either removed or commented out.
If not, then the system (via HAL) will attempt to mount the original
/home partition at boot, which you of course don't want.

Open the /etc/fstab file (as root or via sudo) using your favorite text
editor.

Look for a line that looks something like:

    LABEL=/home /home ext3 defaults 1 2

Either remove that line or prefix it with a "#" (better option), which
will comment it out. Thus:

    # LABEL=/home /home ext3 defaults 1 2

If you want to make mounting easier, you can add a line that looks like
this:

    /dev/mapper/hdc5 /home ext3 noauto,users 0 0

Replace the "hdc5" with the correct device mapping for your /home
partition as created when you set up the encryption.

The additional entries show that the device is mapped to /home, I am
using an ext3 file system on my encrypted /home partition, that I do not
want the partition automatically mounted at boot ("noauto") and that I
want regular "users" to be able to mount the partition.

More information on the various settings can be found in 'man mount'.

BTW, you should check on the same thing for the original swap partition,
which will look something like:

    # /dev/shm /dev/shm tmpfs defaults 0 0
    # LABEL=SWAP-hdc7 swap swap defaults 0 0

Note that I have prefixed both lines with "#" already.

You do not need to add an entry in /etc/fstab for swap if you have
correctly followed the instructions on the wiki for encrypting swap.

Hope that this gets you back on track.
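The fstab edits Marc describes above (comment out the original /home and swap entries, add a noauto,users entry for the mapped device) are easy to get slightly wrong by hand, and a stale active /home line is exactly what halts the boot before rc.local runs luksopen. The script below is an added example, not part of the original thread or of any dm-crypt/luksopen tooling: it applies those edits to a constructed sample fstab in a scratch file (the LABEL names, the /dev/mapper/hdc5 device and the ext3 type are taken from the thread; the /, /boot lines are made up for the sample) and checks that no active entry for the mount point remains. Run it as-is to see the result; point the functions at a copy of the real /etc/fstab only after verifying the device name under /dev/mapper.

```shell
#!/bin/sh
# Added example: reproduce the fstab edits from the thread on a scratch copy.

# Write a constructed sample fstab (FC4-style, labels as in the thread) to file $1.
make_sample_fstab() {
cat > "$1" <<'EOF'
LABEL=/                 /            ext3    defaults        1 1
LABEL=/boot             /boot        ext3    defaults        1 2
LABEL=/home             /home        ext3    defaults        1 2
/dev/shm                /dev/shm     tmpfs   defaults        0 0
LABEL=SWAP-hdc7         swap         swap    defaults        0 0
EOF
}

# Print the active (uncommented) fstab line(s) in $1 whose mount point is $2.
# Exit status 0 if at least one exists, 1 otherwise; lines starting with '#' are ignored.
active_entry_for() {
  awk -v mnt="$2" '$1 !~ /^#/ && NF >= 2 && $2 == mnt { print; found = 1 }
                   END { exit found ? 0 : 1 }' "$1"
}

# Comment out ("# " prefix, as in the thread) every active entry for mount point $2 in $1.
# A backup is kept as $1.bak so the original line can be restored.
disable_mount() {
  fstab=$1; mnt=$2
  cp "$fstab" "$fstab.bak"
  awk -v mnt="$mnt" '$1 !~ /^#/ && NF >= 2 && $2 == mnt { print "# " $0; next } { print }' \
      "$fstab.bak" > "$fstab"
}

# Append "<dev> <mnt> <fstype> noauto,users 0 0" to $1: not mounted at boot, mountable by users.
# Refuses (status 1) if an active entry for the mount point still exists, since that
# would reintroduce the boot-time mount of the unmapped partition.
add_mapper_entry() {
  fstab=$1; dev=$2; mnt=$3; fstype=$4
  if active_entry_for "$fstab" "$mnt" >/dev/null; then
    echo "refusing: $mnt still has an active entry in $fstab" >&2
    return 1
  fi
  printf '%s\t%s\t%s\tnoauto,users\t0 0\n' "$dev" "$mnt" "$fstype" >> "$fstab"
}

# Demonstration on a scratch file, so it can be run without touching the real /etc/fstab.
demo() {
  f=$(mktemp)
  make_sample_fstab "$f"
  disable_mount "$f" /home
  disable_mount "$f" swap              # encrypted swap needs no fstab entry per the wiki
  add_mapper_entry "$f" /dev/mapper/hdc5 /home ext3
  echo "--- resulting fstab ---"
  cat "$f"
  rm -f "$f" "$f.bak"
}
demo
```

The awk match is on the second whitespace-separated field, so it catches the /home line whether it is written as LABEL=/home, /dev/hdc5 or UUID=..., and it skips lines that are already commented out; add_mapper_entry refusing while an active entry remains is the check that prevents the exact failure John hit.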
Thank you, again.
Welcome,
Marc