Boot from fully encrypted disk which looks like unused

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Using luks is the standard way of boot from an encrypted disk. However
luks header is not encrypted and it may cause a security issue when it
is necessary to hide the fact of encryption.

Usual section of grub.conf when root file system is placed on an
unencrypted disk has the form:

title Fedora 12
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/sda1
LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us
rhgb quiet
initrd /boot/initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img

Boot works.

After this I rsync this file system as a whole to a filesystem on an
encrypted virtual disk /dev/mapper/hdd2 corresponding to another
physical disk, for example /dev/sdb. Then I created an additional
section in grub.conf so as to make it possible to boot from /dev/sdb. It
looks the same as above, but with some distinctions. Location of
bootloader and kernel image is unchanged (1st sector and /boot
directory), only root filesystem is transferred onto an encrypted new
device.

title Fedora 12 NEW
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro
root=/dev/mapper/hdd2 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16
KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
initrd /boot/initramfs-NEW.img

Two modifications of the initial section have been done:
1. root=/dev/sda1 ---> root=/dev/mapper/hdd2
2. initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img ---> initramfs-NEW.img

The second modification is needed to prepare /dev/mapper/hdd2 before
mounting it as a root filesystem. So changing initramfs is necessary. I
did it in the following way.

1. At the beginning of /mount/mount-root.sh, before 'mount' command, I
put the string:
cryptsetup -d /etc/key -c aes-cbc-essiv:sha256 -s 256 create
hdd2 /dev/sdb

2. key file is added to /etc

After this I reboot and select the second item in grub menu. During the
boot the messages appear:

WARNING: Deprecated config file /etc/modprobe.conf, all config files
belong into /etc/modprobe.d/.
(... the same string repeats a number of times ...)
No root device found
Boot has failed, sleeping forever 

Please, give me a suggestion what should I do to solve the problem.


_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux