On Sun, May 22, 2011 at 09:53:02PM +0600, dhvvcb@xxxxxxxxxxx wrote:
> Using luks is the standard way to boot from an encrypted disk. However,
> the luks header is not encrypted and it may cause a security issue when it
> is necessary to hide the fact of encryption.

In practice it is basically never necessary to hide encryption. Either
it is perfectly legal for you to refuse handing over the keys, or the
presence of a large, random-looking partition or file is already enough
that they can lock you up and demand the key. So there really is no
security issue. I propose you do not try to jump through hoops for no
effect.

Maybe I should add this as a FAQ item.

Arno

> The usual section of grub.conf when the root file system is placed on an
> unencrypted disk has the form:
>
> title Fedora 12
> root (hd0,0)
> kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/sda1 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
> initrd /boot/initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img
>
> Boot works.
>
> After this I rsync this file system as a whole to a filesystem on an
> encrypted virtual disk /dev/mapper/hdd2 corresponding to another
> physical disk, for example /dev/sdb. Then I created an additional
> section in grub.conf so as to make it possible to boot from /dev/sdb. It
> looks the same as above, but with some distinctions. The location of the
> bootloader and kernel image is unchanged (1st sector and /boot
> directory); only the root filesystem is transferred onto a new encrypted
> device.
>
> title Fedora 12 NEW
> root (hd0,0)
> kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/mapper/hdd2 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
> initrd /boot/initramfs-NEW.img
>
> Two modifications of the initial section have been done:
> 1. root=/dev/sda1 ---> root=/dev/mapper/hdd2
> 2. initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img ---> initramfs-NEW.img
>
> The second modification is needed to prepare /dev/mapper/hdd2 before
> mounting it as the root filesystem. So changing the initramfs is
> necessary. I did it in the following way.
>
> 1. At the beginning of /mount/mount-root.sh, before the 'mount' command, I
> put the string:
> cryptsetup -d /etc/key -c aes-cbc-essiv:sha256 -s 256 create hdd2 /dev/sdb
>
> 2. The key file is added to /etc
>
> After this I reboot and select the second item in the grub menu. During
> the boot the messages appear:
>
> WARNING: Deprecated config file /etc/modprobe.conf, all config files
> belong into /etc/modprobe.d/.
> (... the same string repeats a number of times ...)
> No root device found
> Boot has failed, sleeping forever
>
> Please give me a suggestion on what I should do to solve the problem.
>
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
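As an added illustration (not code from the thread or from either poster), here is a small Python parser for legacy grub.conf stanzas of the kind quoted above. It pulls the root= kernel parameter and the initrd out of each stanza, flags any entry whose root is a /dev/mapper node (one the initramfs has to create before mount-root.sh can mount it), and diffs two stanzas so one can confirm that the "NEW" entry changes only root= and the initrd, as the poster intended. The sample config is constructed from the two stanzas in the message; field and function names are my own.

```python
from dataclasses import dataclass
# Constructed sample (added example, not the poster's file): the two
# grub.conf stanzas quoted in the thread, one directive per line.
SAMPLE_GRUB_CONF = """\
title Fedora 12
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/sda1 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
initrd /boot/initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img
title Fedora 12 NEW
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/mapper/hdd2 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
initrd /boot/initramfs-NEW.img
"""

@dataclass
class Stanza:
    title: str
    kernel: str = ""
    root_device: str = ""  # value of the root= kernel parameter
    initrd: str = ""

def parse_grub_conf(text):
    # Legacy grub.conf: each "title" opens a stanza; kernel/initrd follow it.
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "title":
            stanzas.append(Stanza(title=value.strip()))
        elif not stanzas:
            continue  # global options (default=, timeout=) precede the first title
        elif key == "kernel":
            args = value.split()
            stanzas[-1].kernel = args[0]
            for arg in args[1:]:
                if arg.startswith("root="):
                    stanzas[-1].root_device = arg[len("root="):]
        elif key == "initrd":
            stanzas[-1].initrd = value.strip()
    return stanzas

def needs_initramfs_mapping(stanza):
    """root= names a device-mapper node: the initramfs must create it first."""
    return stanza.root_device.startswith("/dev/mapper/")

def diff_stanzas(a, b):
    # {field: (a_value, b_value)} for the fields that differ between stanzas
    return {f: (getattr(a, f), getattr(b, f))
            for f in ("kernel", "root_device", "initrd") if getattr(a, f) != getattr(b, f)}
```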