On 02/08/17 04:33, Houtchen, Steven wrote:
> I am trying to use "cryptsetup" and "parted" together.
> I want to use "cryptsetup" to encrypt a whole solid state disk,
> and then use "parted" to create partitions on it with a GPT partition
> table. I have been able to do the first task, but not the second.

I've never done that.

> Or vice versa. Create a few partitions, and then optionally
> encrypt each one individually. I have been able to do the first
> task, but not the second.

That's how I've done it.

> So my question is, is "cryptsetup" compatible with parted and
> GPT partition table? Or do I need to use something like "lvm2"
> to accomplish what I am trying to do?

I would suggest:
1. Use the manufacturer tool to do a secure erase of the SSD (this
could involve using a Microsoft Windows machine).
2. Use parted to create a MBR partition table.
3. Use parted to create one primary partition. Consider
under-provisioning.
4. Use cryptsetup luksFormat to put a LUKS container into the partition.
5. Use cryptsetup luksOpen to open the LUKS container. Add entry to
/etc/crypttab (Debian).
6. Either create a filesystem on the mapped device and add entry to
/etc/fstab (Debian), or feed the mapped device to LVM (it's been a while
for me; you'll have to figure that out).

> I am using CentOS7 with
> [root@dts1 ~]# cryptsetup --version
> cryptsetup 1.6.7
> [root@dts1 ~]#
> [root@dts1 ~]# parted --version
> parted (GNU parted) 3.1
> Copyright (C) 2012 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> Written by <http://git.debian.org/?p=parted/parted.git;a=blob_plain;f=AUTHORS>.
> [root@dts1 ~]#

On 02/08/17 05:44, Houtchen, Steven wrote:
> I did get the scenario to seemingly work where I encrypt the whole block device, and use
> parted to create a partition on the device mapper device. I attached a file showing the
> command sequence.
> My questions here are:
> Is this a valid use case,

I don't know. If I did put a LUKS container on the raw disk and then
partitioned the mapped device, I don't know how I would specify such in
/etc/crypttab and /etc/fstab. I'd have to hack up scripts to set it up
on boot and tear it down on shutdown.

> and also, can I set the starting block on my partition
> on the device mapper device to be at 1 MB, or would that conflict
> with any of the LUKS header info on the actual drive?

The available space of the LUKS mapped device is going to be smaller
than the partition size. On one of my 3 TB drives, it's about ~44 GB
smaller (~1.6%). The LUKS meta-data is going to be in there, including
the header.
You should be able to use all of the blocks in the mapped device however
you please; if LUKS breaks, then your LUKS is broken.
David
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
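
Steps 2 to 6 of the procedure suggested in the reply above, written out as a dry-run shell script. This is an added example, not code from either participant in the thread; step 1 (secure erase) is left to the vendor tool. The device path, mapping name, mount point, ext4, the 1MiB start and the 90% end point used for under-provisioning are all assumptions.

```shell
#!/bin/sh
# Added example: partition -> LUKS -> filesystem, as a dry-run plan.
# Commands are only printed unless RUN=1 is set in the environment.
# All names and sizes below are assumptions, not values from the thread.

run() {                      # print the command; execute it only when RUN=1
    printf '+ %s\n' "$*"
    if [ "${RUN:-0}" = 1 ]; then "$@"; fi
}

part_path() {                # /dev/sdb -> /dev/sdb1, /dev/nvme0n1 -> /dev/nvme0n1p1
    case "$1" in
        *[0-9]) printf '%sp1\n' "$1" ;;
        *)      printf '%s1\n' "$1" ;;
    esac
}

crypttab_line() {            # <name> <LUKS UUID>; "none" = ask for the passphrase
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

fstab_line() {               # <name> <mount point> <fstype>
    printf '/dev/mapper/%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

provision() {                # <disk> <mapping name> <mount point>
    disk=$1; name=$2; mnt=$3
    part=$(part_path "$disk")
    run parted -s "$disk" mklabel msdos                        # step 2: MBR table
    run parted -s -a optimal "$disk" mkpart primary 1MiB 90%   # step 3: one partition, 10% left unallocated
    run cryptsetup luksFormat "$part"                          # step 4: LUKS container in the partition
    run cryptsetup luksOpen "$part" "$name"                    # step 5: map it
    run mkfs.ext4 "/dev/mapper/$name"                          # step 6: filesystem on the mapped device
    if [ "${RUN:-0}" = 1 ]; then
        uuid=$(cryptsetup luksUUID "$part")
    else
        uuid='<LUKS-UUID>'                                     # placeholder in dry-run mode
    fi
    echo "# line for /etc/crypttab:"; crypttab_line "$name" "$uuid"
    echo "# line for /etc/fstab:";    fstab_line "$name" "$mnt" ext4
}

# Usage: sh plan.sh /dev/sdX ssd_crypt /mnt/data      (dry run)
if [ "$#" -eq 3 ]; then provision "$@"; fi
```

Referring to the container by UUID in /etc/crypttab keeps the entry valid if the kernel enumerates the disk under a different name on a later boot.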