I now have Fedora 15 (with selinux enabled) up and running from a loop-aes-encrypted root partition. In case it can prove useful to someone else running Fedora 15 (and/or some other systemd based linux) I will describe what I have done and the status of my issues here.

The details (WARNING: LONG!!)...

Motherboard: Foxconn Mars (Intel p35 chipset)
Processor: Core2Duo E8400
OS: Fedora 15 with selinux enabled
kernel: linux-2.6.39 (kernel.org)
loop-aes-v3.6c
aespipe-v2.4c
util-linux-2.19.1 (kernel.org)
util-linux-2.19.1-20110510.diff
build-initrd.sh-20110531

After installing Fedora, the new kernel was downloaded and configured per the loop-aes README. Installation of loop-aes and util-linux proceeded without issue and I was able to mount and access my (previously created) encrypted devices. The swap partition was also encrypted at this point.

Moving on to encrypting the root partition...

Initially I was unable to boot into the encrypted root with the build-initrd.sh found in the loop-aes-v3.6c archive, but this was resolved very quickly with the modified script provided by Jari (thank you Jari!). (In retrospect, I can't be certain that the original script wouldn't have worked, because my hard disk was in the process of failing and that may have been part, if not all, of the problem; I have not gone back to check.)
The configuration options for build-initrd.sh-20110531 were:

    USEDEVFS=0
    USEPIVOT=2
    BOOTDEV=/dev/sda1
    BOOTTYPE=ext4
    CRYPTROOT=/dev/sda2
    ROOTTYPE=ext4
    CIPHERTYPE=AES128
    LOINIT="-I 0"
    USEGPGKEY=1
    GPGKEYFILE=key.gpg
    EXTERNALGPGFILES=0
    EXTERNALGPGDEV=/dev/fd0
    EXTERNALGPGTYPE=ext2
    USEMODULE=1
    INITRDONLY=0
    SOURCEROOT=
    DESTINATIONROOT=
    DESTINATIONPREFIX=/boot
    INITRDGZNAME=initrd-loopaes.gz
    ROOTLOOPINDEX=2
    TEMPLOOPINDEX=7
    LOOPMODPARAMS="max_loop=16"
    UTF8KEYBMODE=0
    LOADNATIONALKEYB=0
    INITMD=1
    INITMDDELAY=1
    INITIALDELAY=0
    MOUNTDELAY=0
    TOOLSPROMPT=0
    USEROOTSETUP=0
    USEDIETLIBC=1
    GCC=gcc
    EXTRACOMMANDSTR1=1
    EXTRACOMMANDSTR1="/sbin/losetup -e AES128 -P hkey.txt /dev/loop3 /dev/sda3"
    EXTRACOMMANDRUN2=1
    EXTRACOMMANDSTR2="/sbin/losetup -e AES128 -P skey.txt /dev/loop5 /dev/sda5"

The grub boot entry is:

    title Fedora 15 encrypted (2.6.39)
    root (hd0,0)
    kernel /vmlinuz-2.6.39
    initrd /initrd-loopaes.gz

NOTE: The vmlinuz-2.6.39 had to be a file, not a symbolic link as set up by the kernel 'make install' routine, or grub would fail.

The fstab entries are:

    /dev/loop2 / ext4 defaults 0 1
    /dev/loop3 /home ext4 defaults 0 2
    /dev/sda5 swap swap sw,loop=/dev/loop5,encryption=AES128 0 0

In order to boot successfully I also had to create static nodes for a number of devices in /dev:

    mknod -m 660 /dev/tty c 5 0
    mknod -m 660 /dev/console c 5 1
    mknod -m 660 /dev/sda2 b 8 2 ## encrypted root
    mknod -m 660 /dev/sda3 b 8 3 ## encrypted home
    mknod -m 660 /dev/loop2 b 7 2
    mknod -m 660 /dev/loop3 b 7 3

I also added these static nodes at some point, but can't recall when or if they were actually required to boot successfully:

    mknod -m 666 /mnt/dev/null c 1 3
    mknod -m 666 /mnt/dev/zero c 1 5

I was able to boot successfully at this point, with the issue that the swap partition was being added, but did not appear to be encrypted (as shown by no entry for /dev/loop5 using losetup -a). This could be corrected after boot by issuing the commands 'swapoff -a' and 'swapon -a'.
In an attempt to address this I added static nodes to /dev:

    mknod -m 660 /dev/sda5 b 8 5 ## encrypted swap
    mknod -m 660 /dev/loop5 b 7 5

...but this did not help. (My further attempts to troubleshoot this with Jari's help are omitted here as they are covered in another part of this discussion.)

I then attempted to encrypt and mount /home. The following static nodes were added to /dev:

    mknod -m 660 /dev/sda3 b 8 3 ## encrypted /home
    mknod -m 660 /dev/loop3 b 7 3

Like the swap partition, the loop device is properly losetup'd at boot, but attempts to mount to it time out during boot and are unsuccessful.

So, the remaining issues I am attempting to resolve are:

1) Devices losetup'd at boot, even within the initrd built by Jari's new script, do not get mounted by the Fedora init scripts. This requires me to manually add swap and mount /home before logging in. I would like to figure this out, but it is really only a minor annoyance as I only reboot occasionally.

2) Once I have losetup'ed and mount'ed a loop device (defined in /etc/fstab), umount'ing it fails to detach the loop device, and attempts to 'losetup -d' it manually fail with the error 'ioctl: LOOP_CLR_FD: Device or resource busy'.

3) Although selinux is otherwise running/behaving properly, autorelabeling (of /home, /dev, /sys, /run) fails at boot time; the system does boot successfully though.

4) Rebooting my (external) router causes all mounted loop devices, other than / and swap, to be umounted. I was able to fix this problem in Fedora 13 (in which case the loop devices also became detached) by disabling netfs, but that was kind of drastic and I'm hoping to avoid it this time around.

So that is the current state of play and the issues I am currently working to resolve. I am reasonably certain at this point that the issues are related to Fedora 15 and the systemd init process, _not_ loop-aes. I will post back if/when I make some progress.
FG
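The post's swap symptom (swap active, but no /dev/loop5 entry in `losetup -a`, i.e. the kernel is swapping on the raw partition and the encryption= option was silently bypassed) is easy to miss after a reboot. The following POSIX sh check is an added example, not code from the original post or from loop-aes: it walks the swap entries in fstab text, and for each one that asks for a loop device (loop=/dev/loopN) confirms that the device is attached and that /proc/swaps lists the loop device rather than the raw partition. The inputs are passed in as text so it can run against constructed samples; on a live system feed it `cat /etc/fstab`, `losetup -a` and `cat /proc/swaps`. The sample `losetup -a` and /proc/swaps lines below are constructed and only their leading device-name field is relied on.

```shell
#!/bin/sh
# Added example (not part of the original post): verify that loop-AES swap
# entries in fstab are really running through their encrypted loop device.

# check_encrypted_swap FSTAB_TEXT LOSETUP_TEXT PROCSWAPS_TEXT
# Prints one line per problem found; returns 0 when every loop-backed swap
# entry is attached and active on its loop device, 1 otherwise.
check_encrypted_swap() {
    fstab=$1
    losetup_out=$2
    swaps=$3
    bad=0
    while read -r dev mnt fstype opts dump pass; do
        # skip blank lines, comments and anything that is not a swap entry
        case "$dev" in ''|'#'*) continue ;; esac
        [ "$fstype" = swap ] || continue
        # extract loop=/dev/loopN from the comma-separated option list
        loopdev=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^loop=//p')
        [ -n "$loopdev" ] || continue   # plain swap, nothing to verify
        # 1) the loop device must be attached: `losetup -a` lines start with "/dev/loopN:"
        if ! printf '%s\n' "$losetup_out" | grep -q "^$loopdev:"; then
            echo "$dev: $loopdev is not attached (no entry in losetup -a)"
            bad=1
        fi
        # 2) the kernel must be swapping on the loop device, never on the raw partition
        if printf '%s\n' "$swaps" | grep -q "^$dev[[:space:]]"; then
            echo "$dev: swap is active on the raw partition, bypassing $loopdev"
            bad=1
        elif ! printf '%s\n' "$swaps" | grep -q "^$loopdev[[:space:]]"; then
            echo "$dev: $loopdev is not listed in /proc/swaps"
            bad=1
        fi
    done <<EOF
$fstab
EOF
    return $bad
}

# Constructed sample input: the fstab from the post.
sample_fstab='/dev/loop2 / ext4 defaults 0 1
/dev/loop3 /home ext4 defaults 0 2
/dev/sda5 swap swap sw,loop=/dev/loop5,encryption=AES128 0 0'

# Constructed `losetup -a` / /proc/swaps output for the broken state:
# loop5 never attached, swap added directly on /dev/sda5.
sample_losetup_bad='/dev/loop2: [0801]:2 (/dev/sda2) encryption=AES128
/dev/loop3: [0801]:3 (/dev/sda3) encryption=AES128'
sample_swaps_bad='Filename Type Size Used Priority
/dev/sda5 partition 4194300 0 -1'

# Constructed output for the state after `swapoff -a; swapon -a`:
# loop5 attached with encryption, swap active on the loop device.
sample_losetup_good="$sample_losetup_bad
/dev/loop5: [0801]:5 (/dev/sda5) encryption=AES128"
sample_swaps_good='Filename Type Size Used Priority
/dev/loop5 partition 4194300 0 -1'

if check_encrypted_swap "$sample_fstab" "$sample_losetup_bad" "$sample_swaps_bad"; then
    echo "swap is running through its encrypted loop device"
else
    echo "swap is NOT encrypted as configured; run 'swapoff -a' then 'swapon -a' and recheck"
fi
```

Run once after boot (or from a cron/systemd timer) and alert on a non-zero exit; the same two conditions, attached loop device and /proc/swaps naming the loop device, are what distinguish encrypted swap from a swap partition that was quietly added in the clear.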