Re: loop-aes encrypted root on Fedora 15 using systemd

Frederick Gazerblezeebe wrote:
> I am trying to set up a Fedora 15 system (kernel 2.6.39) on which the
> root filesystem is encrypted with loop-aes (v3.6c).
> 
> Can someone suggest the best location to place the initial losetup
> commands? This new version uses the systemd boot stuff and
> /etc/rc.d/rc.sysinit (where I placed the losetup commands before) no
> longer exists. I was partially successful placing them in
> /lib/systemd/fedora-readonly, meaning losetup successfully sets up the
> loop device, but attempts to actually mount a file system on this loop
> fail and the boot process terminates. I think I may be placing the
> losetup too late in the sequence and the system is attempting to mount
> on the loop before it is actually set up, but that's just a guess at
> this point.

I am assuming you used loop-AES' build-initrd.sh script. I changed the
script so that it can be configured to set up more loop devices than the one
used by encrypted root partition. For example, if you want to set up
"no password entering required" /dev/loop6 and /dev/loop4, you can add these
lines to build-initrd.sh config:

EXTRACOMMANDRUN1=1
EXTRACOMMANDSTR1="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop6.txt /dev/loop6 /dev/sda3"
EXTRACOMMANDRUN2=1
EXTRACOMMANDSTR2="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop4.txt /dev/loop4 /dev/sdd12"

Limitations/rules:
1) Commands are run after switching to encrypted root but before starting
   /sbin/init
2) Encrypted root partition is mounted read-only. Other file systems are not
   mounted.
3) udev is not running yet, so dynamic device nodes on tmpfs (created and
   mounted by udev on top of /dev directory) are not available.
4) If commands need /dev/* device nodes, you must make sure that static
   device nodes exist on encrypted root partition on /dev directory. Use
   mknod program to create those device nodes. The above example would need 4
   nodes: /dev/loop6, /dev/sda3, /dev/loop4 and /dev/sdd12. The tricky part
   is putting them on the directory that is under udev mounted tmpfs file
   system.
5) /etc/cleartextkey-loop*.txt files (or whatever) on encrypted root
   partition are protected by root partition encryption. Each of these files
   contains 65 lines of key material that would normally be wrapped by and
   protected by gpg encryption.
6) Up to 8 extra commands can be configured. If you need more, make it run a
   shell script somewhere on encrypted root partition.

New version of the build-initrd.sh script is here:
http://loop-aes.sourceforge.net/updates/build-initrd.sh-20110531.bz2
http://loop-aes.sourceforge.net/updates/build-initrd.sh-20110531.bz2.sign

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD
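Rule 4 above requires static device nodes on the encrypted root before udev mounts its tmpfs over /dev. As an added example, not part of the original message or of loop-AES, the POSIX sh helper below turns the /dev paths named in an EXTRACOMMANDSTRn line into the mknod commands needed; it assumes the kernel's fixed major/minor assignments (loop = major 7, SCSI disks = major 8 with 16 minors per disk, sda..sdp, partitions 1..15) and the scratch root /tmp/newroot is a constructed sample path.

```shell
#!/bin/sh
# Added helper, not part of loop-AES or build-initrd.sh: derive the static
# block-device nodes an EXTRACOMMANDSTRn losetup line needs, so they can be
# created with mknod on the encrypted root's own /dev (the directory udev later
# covers with its tmpfs). Major/minor numbers are the kernel's fixed
# assignments: loop = major 7, SCSI disks = major 8 with 16 minors per disk
# (sda..sdp, partitions 1..15); anything else is reported as unsupported.

# Print "b MAJOR MINOR" for a /dev path, or fail for paths not handled here.
devnode_spec() {
  case "$1" in
    /dev/loop[0-9]*)
      echo "b 7 ${1#/dev/loop}" ;;
    /dev/sd[a-z][0-9]*)
      disk=${1#/dev/sd}
      letter=${disk%%[0-9]*}                       # single disk letter, e.g. d
      part=${disk#"$letter"}                       # partition number, e.g. 12
      idx=$(( $(printf '%d' "'$letter") - 97 ))    # a=0 .. p=15
      [ "$idx" -le 15 ] && [ "$part" -ge 1 ] && [ "$part" -le 15 ] || return 1
      echo "b 8 $(( idx * 16 + part ))" ;;
    *) return 1 ;;
  esac
}

# For one EXTRACOMMANDSTRn value, print the mknod command for every /dev path
# in it that does not already exist as a block device under ROOT (default /).
mknod_cmds_for() {
  line=$1; root=${2:-}
  for word in $line; do
    case "$word" in
      /dev/*)
        [ -b "$root$word" ] && continue
        spec=$(devnode_spec "$word") || { echo "unsupported device: $word" >&2; return 1; }
        echo "mknod -m 0600 $root$word $spec" ;;
    esac
  done
}

# Constructed sample: the two lines from the message, checked against a
# scratch root so that nothing on the real /dev is consulted.
mknod_cmds_for "/sbin/losetup -e AES128 -P /etc/cleartextkey-loop6.txt /dev/loop6 /dev/sda3" /tmp/newroot
mknod_cmds_for "/sbin/losetup -e AES128 -P /etc/cleartextkey-loop4.txt /dev/loop4 /dev/sdd12" /tmp/newroot
```

Run it once with the new root mounted at the chosen prefix and execute the printed mknod lines there; nodes that already exist are skipped.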