Re: encrypted home start-up problem with keyfile

Heinz Diehl wrote:

Heinz,

thanks for your suggestions. As per your parallel mail, I did
(1) add boot.crypto as first entry in the # Required-Start line of /etc/init.d/boot.localfs
(2) delete boot.localfs from the # Required-Start line of /etc/init.d/boot.crypto
(3) run insserv -v as root
The /etc/init.d/.depend.boot was regenerated.

Your grub should be configured that it only contains the encrypted root:

...root=/dev/mapper/root luks_root="/dev/sda1" luks="root"


This was already in place.

Then you add the encrypted /home and swap to crypttab:

home /dev/disk/by-id/... keyfile none luks
swap /dev/disk/by-id/... keyfile swap


Already ok - as an aside: I find conflicting information on the use of options in the /etc/crypttab lines. My crypttab man page (openSUSE 11.0) says that each line should contain exactly 4 entries (options should be separated by ","). According to this man page, your first line above should give undefined behavior, or the options should read something like "none,luks". On the other hand, there are reports in mailing lists (http://lists.opensuse.org/opensuse/2008-04/msg02199.html)
saying that this option should be "none" to get this to work.
I use "none" for the moment.


You have to turn on the boot.crypto script then; you can check the state by doing

chkconfig --list boot.crypto

and have possibly to turn it on by doing a

chkconfig boot.crypto on


OK, was done already.

All these changes together now made the process work: during reboot, I am asked the passphrase exactly once, and root/swap/home partitions are unlocked fine.
Thanks for the help.
The openSUSE people should definitely change this in the boot process and/or this should also be added to the Encrypted_Root_File_System HOWTO at en.opensuse.org.

Best regards
Bernd

--
=======================================================================
Bernd Speiser

=======================================================================

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx
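
A preflight check for the setup discussed in this message, as an added example that is not part of the original post: it flags crypttab lines that do not have the four fields the openSUSE 11.0 man page is reported above to require, and verifies the Required-Start ordering from steps (1) and (2). The function names, the sample device paths, key paths and the `boot.example` service are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# Print "LINENO: N fields: LINE" for every non-comment, non-blank crypttab
# line that does not have exactly 4 whitespace-separated fields.
crypttab_bad_lines() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         NF != 4 { printf "%d: %d fields: %s\n", NR, NF, $0 }' "$1"
}

# Print the services on the first "# Required-Start:" line of an init script,
# with runs of blanks and tabs squeezed to single spaces.
required_start() {
    sed -n 's/^#[[:space:]]*Required-Start:[[:space:]]*//p' "$1" |
        head -n 1 | tr -s ' \t' ' '
}

# Succeed only if, in directory $1, boot.localfs requires boot.crypto and
# boot.crypto does not require boot.localfs (which would be a dependency loop).
boot_order_ok() {
    case " $(required_start "$1/boot.localfs") " in
        *" boot.crypto "*) ;;
        *) return 1 ;;
    esac
    case " $(required_start "$1/boot.crypto") " in
        *" boot.localfs "*) return 1 ;;
    esac
    return 0
}

# Constructed sample input (not taken from a real system).
demo=$(mktemp -d)
printf '%s\n' \
    '# name device keyfile options' \
    'home /dev/disk/by-id/EXAMPLE-part3 /root/home.key none luks' \
    'swap /dev/disk/by-id/EXAMPLE-part2 /root/swap.key swap' > "$demo/crypttab"
printf '%s\n' '# Required-Start: boot.crypto boot.example' > "$demo/boot.localfs"
printf '%s\n' '# Required-Start: boot.example' > "$demo/boot.crypto"

crypttab_bad_lines "$demo/crypttab"   # reports the five-field "home" line
boot_order_ok "$demo" && echo "boot order ok"
```

On a real system the same functions would be pointed at /etc/crypttab and /etc/init.d; a flagged line is only a mismatch with the man page wording, since the message reports that the five-field form works in practice.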

