| 1 |
Am Mittwoch 01 Juli 2009 12:40:20 schrieb Alex Schuster: |
| 2 |
|
| 3 |
> The last two PCs (A and B) I installed are fully encrypted. I used |
| 4 |
> different methods. I used genkernel --luks --lvm --install all to create |
| 5 |
> kernel and initramfs. |
| 6 |
|
| 7 |
First, see one of my replies to David Shen's thread "Self created initramfs |
| 8 |
cannot work" from last saturday. It has my init(ram)fs creation scripts |
| 9 |
attached. |
| 10 |
|
| 11 |
> I like to have everything as kernel modules, but the |
| 12 |
> crypto stuff has to be directly in the kernel, unless I put these modules |
| 13 |
> into the initramfs by hand. |
| 14 |
|
| 15 |
It doesn't make much sense to compile things as module which are needed right |
| 16 |
after (or even for) booting. The reason distributions do this is to give the |
| 17 |
most possible flexibility and useability on as much different systems as |
| 18 |
possible. having said that, you can even do w/o initramfs, just put everything |
| 19 |
into /boot (which should be a separate partition, then). Again, see my reply |
| 20 |
to David for the details. |
| 21 |
|
| 22 |
> A: LVM -> LUKS |
| 23 |
> Many partitions make two volume groups with many LVMs. Each LVM is LUKS- |
| 24 |
> encrypted. This gives me maximum flexibility, who knows what other OSes I |
| 25 |
> might need to install on that drive. The boot partition is on a USB stick |
| 26 |
> and also holds the key. |
| 27 |
|
| 28 |
Why? LUKS means Linux Unified Key Storage. No need to store the key elsewhere. |
| 29 |
Put a password based key on the root LV and encrypt everything else with a |
| 30 |
random key you put somewhere into /etc (I use /etc/crypt/keyfile). |
| 31 |
|
| 32 |
> This did not work out of the box, I had to modify |
| 33 |
> /lib/rcscripts/addons/dm-crypt-start.sh in order to open the other |
| 34 |
> partitions than swap and root. |
| 35 |
|
| 36 |
Then you did something wrong. It works out of the box. |
| 37 |
|
| 38 |
> I need to add something to close them when |
| 39 |
> shutting down, but it seems to work fine without this for the moment. Do |
| 40 |
> you know if there already is a solution for this? |
| 41 |
|
| 42 |
Well, it works fine here, so yes, there is. |
| 43 |
|
| 44 |
> B: LUKS -> LVM |
| 45 |
> A simpler approach. sda1 is a small boot partition, sda2 (the rest of the |
| 46 |
> drive) is a LUKS-formatted LVM physical volume with volume group 'pvcrypt' |
| 47 |
> on it. This does not work yet, the initramfs does not find the LVM. |
| 48 |
|
| 49 |
Because in Gentoo, only A is implemented/supported. |
| 50 |
|
| 51 |
HTH... |
| 52 |
|
| 53 |
Dirk |
Archives