Hi

Not sure what I've done can help you, but let me tell you.

I'm using LUKS on some logical volumes of a LVM. That is, I do not encrypt my whole LVM, but only parts of it.

For several reasons out of scope of your concern, I boot my PC only using a removable USB key. I left my hard disk MBR as provided by the manufacturer.

I encrypted both my root and my home, each with its own LUKS key. I agree I did it more for the sake of getting experience than for a real need of data protection.

Taking advantage of the need of a removable device to boot, I decided to store my LUKS keys on it. I included the two following lines in my /etc/crypttab:

victor-root UUID=78576555-f0c2-4c80-af4f-d763cc7ae71d /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-root:1 luks,keyscript=/lib/cryptsetup/scripts/passdev
victor-home UUID=37447a61-f946-4d38-a398-5a886c4e3f22 /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-home:1 luks,keyscript=/lib/cryptsetup/scripts/passdev

The two keys are 512-byte random binary files stored at the root of the partition, named ".victor-root" and ".victor-home".

As a USB key is rather fragile (loss, getting out of use), I stored my LUKS keys on several USB keys. I gave the same UUID to the partitions holding my LUKS files, so that the preceding lines would work for any one of my USB keys.

My /etc/fstab file holds the following lines:

/dev/mapper/victor-root / ext4 errors=remount-ro 0 1
/dev/mapper/victor-home /home ext4 defaults 0 2

I suppressed the need of a password at login. After boot, I disconnect my USB key.

Arbiel

On 17/01/2016 19:30, Sven Eschenberg wrote:
> Hi Dáire,
>
> While this is not really dm-crypt/cryptsetup related, but rather a
> question of the used distro and desktop environment (etc.), I'll try to
> give you some hints on this:
>
> As long as the volume is listed in crypttab and the key is provided
> the crypto-mapping will be setup during boot. If you don't want that,
> you'd have to revert those changes. (Automatic setup of crypto mapping
> with a locally stored key is somewhat pointless, as you can imagine).
>
> It is not that easy by just looking at the commands you ran, to judge
> what is going on right now. You'll certainly have to provide
> additional info, but I am sure the Ubuntu community would be a greater
> help, as it knows the intrinsics of the distro.
>
> One thing I want to add though is this:
> You will NOT be able to do a single password entry for both decryption
> and login. You could possibly disable passwords for login (if that
> makes sense to you). You could skip the password for decryption, if
> the 'passphrase/key' is stored on an external drive (usb thumb drive)
> and you physically secure it and instead use a sign on password. And
> if you really insist on a single sign on, you'd have to have some
> sort of password cache daemon that provides the password at a later
> stage, but then again this makes password based logins pointless.
>
> So, first choose your modus operandi, then try setting it up.
>
> Regards
>
> -Sven
>
> On 16.01.2016 at 23:33, Dáire Fagan wrote:
>> I have tried following different guides on this but none seem to do
>> exactly what I am trying so I had to work with different parts from
>> different guides.
>>
>> Using the following I made it so Ubuntu would not boot, although I was
>> able to remedy this by booting into Ubuntu recovery, dropping to a root
>> shell, and putting fstab back as it was: HOWTO: Automatically unlock
>> LUKS encrypted drives with a keyfile
>> <http://ubuntuforums.org/showthread.php?t=837416>
>>
>> When I started I had just set up LUKS with LVM. I was able to mount the
>> main volume hdd1 by clicking on it from the launcher in Ubuntu and
>> entering my password, but I need to set it up to mount on boot.
>>
>> Even after the change I made in fstab - undoing what the guide
>> recommended - now when I boot a volume is mounted of 973GB although I
>> cannot write to it. Apart from that I am not sure if it is otherwise
>> working as it should, or if say for instance it is left decrypted all of
>> the time.
>>
>> Can you please look through the commands from my bash history and tell
>> me anything I need to undo, the correct commands to do this, and any
>> extra commands I need to enter to achieve what I am after, physical
>> volume sda1 decrypted on boot, and the logical volumes swap and hdd1
>> automatically mounted, one password input on boot preferred, so I do not
>> have to enter one to login and another to decrypt. This is all on a
>> completely separate drive to my / and /home partitions.
>>
>> If relevant one of the commands used during LUKS and LVM setup was:
>>
>> pvcreate /dev/mapper enc-pv
>>
>> I mention that now as it is referenced in another command.
>>
>> The logical volumes:
>>
>> [CODE]dusf@roadrunner:~$ sudo lvdisplay
>>   --- Logical volume ---
>>   LV Path                /dev/vg/swap
>>   LV Name                swap
>>   VG Name                vg
>>   LV UUID                HBEt92-E8MQ-aCAu-DBDz-7VeJ-KLom-JeJ9k8
>>   LV Write Access        read/write
>>   LV Creation host, time roadrunner, 2016-01-16 20:36:42 +0000
>>   LV Status              available
>>   # open                 0
>>   LV Size                10.00 GiB
>>   Current LE             2560
>>   Segments               1
>>   Allocation             inherit
>>   Read ahead sectors     auto
>>   - currently set to     256
>>   Block device           252:1
>>
>>   --- Logical volume ---
>>   LV Path                /dev/vg/kali
>>   LV Name                kali
>>   VG Name                vg
>>   LV UUID                BeWqMO-DQAf-zcAp-RJAf-vmaY-OZbt-GLQIWx
>>   LV Write Access        read/write
>>   LV Creation host, time roadrunner, 2016-01-16 20:40:39 +0000
>>   LV Status              available
>>   # open                 0
>>   LV Size                15.00 GiB
>>   Current LE             3840
>>   Segments               1
>>   Allocation             inherit
>>   Read ahead sectors     auto
>>   - currently set to     256
>>   Block device           252:2
>>
>>   --- Logical volume ---
>>   LV Path                /dev/vg/HDD1
>>   LV Name                HDD1
>>   VG Name                vg
>>   LV UUID                xFw2Yu-li8I-Ooav-Yjk2-P38q-CZeG-dmdhSl
>>   LV Write Access        read/write
>>   LV Creation host, time roadrunner, 2016-01-16 20:51:00 +0000
>>   LV Status              available
>>   # open                 1
>>   LV Size                906.51 GiB
>>   Current LE             232066
>>   Segments               1
>>   Allocation             inherit
>>   Read ahead sectors     auto
>>   - currently set to     256
>>   Block device           252:3
>>
>> Commands I entered to try and automount:
>>
>> 156 sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
>> 157 sudo chmod 0400 /root/keyfile
>> 160 sudo cryptsetup luksAddKey /dev/sda1 /root/keyfile
>> 161 sudo vi /etc/crypttab
>>
>> I added the line: enc-pv /dev/sda1 /root/keyfile luks
>>
>> 162 sudo vi /etc/fstab
>> I added the line: /dev/mapper/enc-pv /media/sda1 ext4 defaults 0 2
>>
>> 163 sudo mount -a
>> 164 mkdir /media/sda1
>> 165 sudo mkdir /media/sda1
>> 166 sudo mount -a
>>
>>
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@xxxxxxxx
>> http://www.saout.de/mailman/listinfo/dm-crypt
>>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
>
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
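
Added example, not part of any message in this thread: a small shell audit that reads a crypttab-format file and reports, per entry, whether the key comes from an external device through passdev (key field of the form device:path[:timeout]), from a key file on the local system, or from a passphrase prompt. The function names, the verdict labels and the sample file are assumptions made for this illustration; the sample entries are constructed from the two setups described above.

```shell
#!/bin/sh
# Added example: report where each crypttab entry gets its key from.
# crypttab fields: <target> <source device> <key file> <options>

key_perms() {
    # "ok" if group and others have no access to the key file,
    # "loose" otherwise, "missing" if the file cannot be seen.
    [ -e "$1" ] || { echo missing; return; }
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) echo ok ;;
        *) echo loose ;;
    esac
}

classify_crypttab() {
    # $1 = crypttab-format file; prints "target<TAB>verdict" per entry
    while read -r target src key opts extra; do
        case "$target" in ''|'#'*) continue ;; esac
        case ",$opts," in
            *,keyscript=*/passdev,*)
                # passdev key field: <device>:<path>[:<timeout>]
                rest=${key#*:}
                if [ "$rest" = "$key" ] || [ -z "${rest%%:*}" ]; then
                    verdict="passdev-malformed"
                else
                    verdict="external dev=${key%%:*} file=${rest%%:*}"
                fi ;;
            *,keyscript=*) verdict="other-keyscript" ;;
            *)
                case "$key" in
                    none|-|'') verdict="passphrase-prompt" ;;
                    /*) verdict="local-keyfile perms=$(key_perms "$key")" ;;
                    *) verdict="unknown" ;;
                esac ;;
        esac
        printf '%s\t%s\n' "$target" "$verdict"
    done < "$1"
}

# Constructed sample combining the two crypttab styles from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <target> <source> <key> <options>
victor-root UUID=78576555-f0c2-4c80-af4f-d763cc7ae71d /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-root:1 luks,keyscript=/lib/cryptsetup/scripts/passdev
enc-pv /dev/sda1 /root/keyfile luks
EOF
classify_crypttab "$sample"
rm -f "$sample"
```

An entry reported as local-keyfile is unlocked at boot with a key that sits on the machine itself, so its protection depends on where that file is stored and who can read it.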