Hey Jari, thanks for the quick response and my apologies for taking so long to get back to you. Just as I started testing your new script my hard drive failed, and I had to get a new one and reinstall Fedora 15. So anyway, I am finally back to where I was when I first posted. I've now built the initrd with your new script and I'm in the process of encrypting the root partition as we speak. I will post again once it finishes and I've had a chance to test it.

Thanks again!

FG

On Tue, May 31, 2011 at 5:59 AM, Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Frederick Gazerblezeebe wrote:
>> I am trying to set up a Fedora 15 system (kernel 2.6.39) on which the
>> root filesystem is encrypted with loop-aes (v3.6c).
>>
>> Can someone suggest the best location to place the initial losetup
>> commands? This new version uses the systemd boot stuff and
>> /etc/rc.d/rc.sysinit (where I placed the losetup commands before) no
>> longer exists. I was partially successful placing them in
>> /lib/systemd/fedora-readonly, meaning losetup successfully sets up the
>> loop device, but attempts to actually mount a file system on this loop
>> fail and the boot process terminates. I think I may be placing the
>> losetup too late in the sequence and the system is attempting to mount
>> on the loop before it is actually set up, but that's just a guess at
>> this point.
>
> I am assuming you used loop-AES' build-initrd.sh script. I changed the
> script so that it can be configured to set up more loop devices than the one
> used by the encrypted root partition. For example, if you want to set up
> "no password entering required" /dev/loop6 and /dev/loop4, you can add these
> lines to the build-initrd.sh config:
>
> EXTRACOMMANDRUN1=1
> EXTRACOMMANDSTR1="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop6.txt /dev/loop6 /dev/sda3"
> EXTRACOMMANDRUN2=1
> EXTRACOMMANDSTR2="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop4.txt /dev/loop4 /dev/sdd12"
>
> Limitations/rules:
> 1) Commands are run after switching to encrypted root but before starting
>    /sbin/init
> 2) Encrypted root partition is mounted read-only. Other file systems are not
>    mounted.
> 3) udev is not running yet, so dynamic device nodes on tmpfs (created and
>    mounted by udev on top of /dev directory) are not available.
> 4) If commands need /dev/* device nodes, you must make sure that static
>    device nodes exist on encrypted root partition on /dev directory. Use
>    mknod program to create those device nodes. Above example would need 4
>    nodes: /dev/loop6, /dev/sda3, /dev/loop4 and /dev/sdd12. The tricky part
>    is putting them on the directory that is under udev mounted tmpfs file
>    system.
> 5) /etc/cleartextkey-loop*.txt files (or whatever) on encrypted root
>    partition are protected by root partition encryption. Each of these files
>    contains 65 lines of key material that would normally be wrapped by and
>    protected by gpg encryption.
> 6) Up to 8 extra commands can be configured. If you need more, make it run a
>    shell script somewhere on encrypted root partition.
>
> New version of the build-initrd.sh script is here:
> http://loop-aes.sourceforge.net/updates/build-initrd.sh-20110531.bz2
> http://loop-aes.sourceforge.net/updates/build-initrd.sh-20110531.bz2.sign
>
> --
> Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
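The part of Jari's rules that trips people up is 4) and 5): the static device nodes have to land in the on-disk /dev of the encrypted root, which is hidden under udev's tmpfs once the system is up, and the cleartext key files have to be exactly what losetup -P expects. The helper below is an added example, not code from the thread or from loop-AES. It assumes the standard Linux block major numbers (7 for loop devices, 8 for sd* disks with 16 minors per disk, partitions 1 to 15), and it reaches the real /dev through a plain bind mount of / at /mnt/realroot, which exposes the underlying directory without udev's submount (the mount point name is an assumption). It prints the mknod commands rather than executing them, so you can review them before piping them to a root shell.

```shell
#!/bin/sh
# Added example for the loop-AES EXTRACOMMAND setup described above.
# Not part of loop-AES or of the original thread.
# Assumptions: loop devices are major 7, minor N; sd[a-p] disks are major 8
# with 16 minors per disk (partition P of disk index D is minor D*16+P);
# the on-disk root is reachable at /mnt/realroot via "mount --bind / /mnt/realroot".
set -u

# Print "MAJOR MINOR" for a device name such as loop6, sda3 or sdd12.
devnum() {
    name=$1
    case $name in
        loop[0-9]*)
            echo "7 ${name#loop}" ;;
        sd[a-p]*)
            letters=abcdefghijklmnop
            disk=${name#sd}; disk=${disk%%[0-9]*}   # disk letter, e.g. "d"
            part=${name#sd?}                        # partition number, "" for whole disk
            rest=${letters#*$disk}                  # letters after the disk letter
            idx=$(( ${#letters} - ${#rest} - 1 ))   # a=0, b=1, ... d=3
            echo "8 $(( idx * 16 + ${part:-0} ))" ;;
        *)
            echo "unsupported device: $name" >&2; return 1 ;;
    esac
}

# Print the mknod command for rule 4. The node is root-only (0600): losetup
# runs as root before /sbin/init, so nothing else needs access to it.
mknod_cmd() {
    devdir=$1; name=$2
    nums=$(devnum "$name") || return 1
    set -- $nums
    echo "mknod -m 0600 $devdir/$name b $1 $2"
}

# Rule 5: a cleartext key file for "losetup -P" must hold exactly 65 lines of
# key material and, since it is unwrapped, must be readable by root only.
check_keyfile() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    lines=$(wc -l < "$f" | tr -d ' ')
    [ "$lines" -eq 65 ] || { echo "$f: $lines lines, expected 65" >&2; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 600" >&2; return 1; }
}

# Emit the four mknod commands the example config needs. Run as root:
#   mount --bind / /mnt/realroot && sh mknodes.sh /mnt/realroot/dev | sh
main() {
    devdir=${1:-/mnt/realroot/dev}
    for d in loop6 sda3 loop4 sdd12; do
        mknod_cmd "$devdir" "$d" || return 1
    done
}

main "$@"
```

After the nodes exist, `check_keyfile /etc/cleartextkey-loop6.txt` confirms the key file matches what the EXTRACOMMANDSTR lines hand to losetup; a wrong line count is the usual cause of losetup failing silently at that stage, and anything wider than 0600 means the keys are only as protected as root partition encryption plus whoever can read the file once the system is up.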