Re: boot.cryptmap on Fedora?

John Maher wrote:
On 5/23/06, Marc Schwartz <MSchwartz@xxxxxxxxx> wrote:

> I figured out that I can log on as root and still be able to unmount
> /home to encrypt it, but then what do I need to do in order to mount it
> during boot?  It gets mounted (I think) well before /etc/rc.d/rc.local
> is run, which is where /sbin/luksopen is being launched.  So, because
> the partition is encrypted but not mapped, the boot process is abruptly
> halted.
>
> Can you shed some light on this problem?

I am going to guess that you have not modified /etc/fstab so that the
original partition mapping for /home is either removed or commented out.
If not, then the system (via HAL) will attempt to mount the original
/home partition at boot, which you of course don't want.


I actually did modify /etc/fstab  by changing from /dev/vg0/home mounted on
/home to new encrypted device /dev/mapper/home mounted on /home. Of course,
because of this change, /home did not get mounted as expected, but then I
encountered two new problems. (1) udev was failing during the boot. I have
not read up on udev, so I don't understand the significance of this, but I
know the boot stopped.  (2) I am not being prompted by luksopen during the
boot when udev did not fail (udev did not fail all the time).

By the way, is that the best way to encrypt /home? This is basically what I
did: (1) log on as root, (2) userdel jmaher (/home/jmaher is getting wiped
anyway), (3) unmount /home, (4) encrypt /home, (5) re-mount /home, (6)
useradd -m jmaher.  I used the following to encrypt:
   cryptsetup -y luksFormat /dev/vg0/home
   cryptsetup luksOpen /dev/vg0/home home

I'm still experimenting, but if you have any thoughts I welcome them.

There's a problem with the above device designation. It suggests that you are using LVM.

The use of LVM entails additional issues, including device mapper issues, with which I am not familiar as I don't use LVM or fully understand its idiosyncrasies.

There are entries in the wiki regarding the use of LVM (though not all with LUKS) and I would recommend that you review those before proceeding, if this is indeed what you are doing.

There are also some entries as I recall in the list archives, which you should also review and perhaps others here who may still be reading this thread will chime in.

I would be hesitant to provide further guidance here for fear of providing incorrect information.

BTW, you should check on the same thing for the original swap partition,
which will look something like:

   # /dev/shm          /dev/shm    tmpfs   defaults        0 0
   # LABEL=SWAP-hdc7   swap        swap    defaults        0 0


I did modify the swap line in /etc/fstab from:

   /dev/vg0/swap        swap        swap        defaults        0 0

to:

   /dev/mapper/swap0        swap        swap        defaults        0 0

but I was not aware that I needed to do anything with the tmpfs line.
Should I still change that line?  It appears that encrypted swap is
functioning properly.

tmpfs is basically a virtual RAM drive. It's like setting aside an area of RAM to function as a swap partition, rather than going directly to the HD.

For example, some folks I know set up their system so that /tmp is a separate partition as tmpfs rather than using HD space. I would guess that there are tradeoffs depending upon how much RAM one has.

I did not see any need for it and decided to cover my bases by disabling it. I have not noted any performance issues subsequent to the change, though I have 2 GB of RAM and a 7200 RPM HD.

YMMV.

Hope that this gets you back on track.


I'm getting close.

Just need to clarify the LVM issues here.

Regards,

Marc
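
A check for the failure described in this thread (an /etc/fstab entry that points at a /dev/mapper device nothing has mapped yet), added here as an example and not part of either poster's message. It assumes the mappings are declared in a crypttab-format file (name, device, key, options) that the boot scripts read before mounting; the function name and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report /dev/mapper/<name> sources in an
# fstab that have no mapping line in a crypttab-format file (assumption: the
# boot scripts open mappings from such a file before mounting filesystems).
# Note: LVM volumes named as /dev/mapper/<vg>-<lv> are reported too.

unmapped_fstab_devices() {   # usage: unmapped_fstab_devices FSTAB CRYPTTAB
    awk -v ct="$2" '
        BEGIN {
            # Collect mapping names (first field) from the crypttab file.
            # A missing or empty file simply yields no names.
            while ((getline line < ct) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                split(line, f)
                mapped[f[1]] = 1
            }
            close(ct)
        }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $1 ~ /^\/dev\/mapper\// {
            name = substr($1, 13)            # strip the "/dev/mapper/" prefix
            if (!(name in mapped)) print name
        }
    ' "$1"
}

# Constructed sample files using the device names from the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/fstab" <<'EOF'
/dev/mapper/home    /home      ext3    defaults   0 0
/dev/mapper/swap0   swap       swap    defaults   0 0
# /dev/shm          /dev/shm   tmpfs   defaults   0 0
EOF
cat > "$demo_dir/crypttab" <<'EOF'
# name   device          key            options
swap0    /dev/vg0/swap   /dev/urandom   swap
EOF

for name in $(unmapped_fstab_devices "$demo_dir/fstab" "$demo_dir/crypttab"); do
    echo "fstab mounts /dev/mapper/$name but no crypttab line maps it"
done
```

Run against the real files as `unmapped_fstab_devices /etc/fstab /etc/crypttab` before rebooting; any name it prints is a mount that will be attempted on a device that does not exist yet.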

