Dirk Heinrichs writes:

> On Wednesday 01 July 2009 12:40:20 Alex Schuster wrote:
> > The last two PCs (A and B) I installed are fully encrypted. I used
> > different methods. I used genkernel --luks --lvm --install all to
> > create kernel and initramfs.
>
> First, see one of my replies to David Shen's thread "Self created
> initramfs cannot work" from last Saturday. It has my init(ram)fs
> creation scripts attached.

Thanks, I will have a look. Although I'd like to use Gentoo's tool for
that purpose, genkernel, which I used for the first time now. And it
worked fine, except that it did not know how to activate the other
partitions (/usr, /var and many more) besides root and swap.

> > I like to have everything as kernel modules, but the
> > crypto stuff has to be directly in the kernel, unless I put these
> > modules into the initramfs by hand.
>
> It doesn't make much sense to compile things as modules which are needed
> right after (or even for) booting. The reason distributions do this is
> to give the most possible flexibility and usability on as many
> different systems as possible.

I know. I did it anyway, just out of curiosity if this would work, and
which things could in principle be modules. No problem with building this
stuff directly into the kernel.

> Having said that, you can even do w/o
> initramfs, just put everything into /boot (which should be a separate
> partition, then). Again, see my reply to David for the details.

Interesting. Getting rid of initramfs looks like a simpler approach, no
need to fiddle with cpio in order to change things.

> > A: LVM -> LUKS
> > Many partitions make two volume groups with many LVMs. Each LVM is
> > LUKS-encrypted. This gives me maximum flexibility, who knows what
> > other OSes I might need to install on that drive. The boot partition
> > is on a USB stick and also holds the key.
>
> Why? LUKS means Linux Unified Key Storage. No need to store the key
> elsewhere. Put a password-based key on the root LV and encrypt
> everything else with a random key you put somewhere into /etc (I use
> /etc/crypt/keyfile).

I do not want to have to enter a password every time my machine boots, so
I put the key onto a stick. And simply made it the same for all
partitions. And while I was at it, for maximum security, I also put /boot
onto the stick. Sure, who would ever break into my house and modify my
boot partition, replacing the kernel with kernel+keylogger or such... but
then, I would probably also not need to encrypt my stuff at all.

> > This did not work out of the box; I had to modify
> > /lib/rcscripts/addons/dm-crypt-start.sh in order to open the other
> > partitions than swap and root.
>
> Then you did something wrong. It works out of the box.

Really? I know it does for root and swap (it works here), but how do I
tell the system to also luksOpen all my other LVM volumes?

> > B: LUKS -> LVM
> > A simpler approach. sda1 is a small boot partition, sda2 (the rest of
> > the drive) is a LUKS-formatted LVM physical volume with volume group
> > 'pvcrypt' on it. This does not work yet, the initramfs does not find
> > the LVM.
>
> Because in Gentoo, only A is implemented/supported.

Oh. I thought this would be even easier than approach A. And looking at
the /init code it seems to me it should just work. There's a call to
startVolumes after the root partition is unlocked by cryptsetup, which I
think should activate the LVM, but it does nothing, it does not even find
regular physical LVM volumes that are not on top of a crypt setup.

I'll have a look at my .config again. This may take a while, I only have
remote access to that PC at the moment.

> HTH...

A little :)

Thanks,

Wonko
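As an added example (not code from this thread or from Gentoo's dm-crypt scripts), a POSIX sh sketch of what a boot-time addon has to do for the extra volumes in approach A: open each LUKS volume from a list with the shared keyfile, and refuse a keyfile in /etc that is group- or world-readable, since such a key undoes the encryption of every volume it opens. The "name device" list format, the `runner` parameter (defaults to cryptsetup; tests substitute another command) and all paths are assumptions.

```shell
#!/bin/sh
# Added example: unlock several LUKS volumes with one shared keyfile.
# Volume list format (assumed): one "name device" pair per line,
# blank lines and lines starting with '#' ignored.

# A keyfile is acceptable only when it is a regular file and neither the
# group nor others have any permission bits (mode 0600 or 0400).
keyfile_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -f "$1" ] && [ "$perms" = "------" ]
}

# unlock_volumes KEYFILE LISTFILE [RUNNER]
# Opens each listed LUKS volume with "RUNNER luksOpen --key-file ..."
# and prints the resulting /dev/mapper path. Returns non-zero if the
# keyfile is unsafe or any open fails; already-mapped names are skipped.
unlock_volumes() {
    keyfile=$1; volumes=$2; runner=${3:-cryptsetup}
    if ! keyfile_is_private "$keyfile"; then
        echo "refusing keyfile $keyfile: not a private regular file" >&2
        return 1
    fi
    status=0
    while read -r name device; do
        [ -z "$name" ] && continue              # blank line
        case "$name" in \#*) continue ;; esac   # comment line
        if [ -e "/dev/mapper/$name" ]; then
            echo "/dev/mapper/$name already mapped, skipping" >&2
            continue
        fi
        if "$runner" luksOpen --key-file "$keyfile" "$device" "$name"; then
            echo "/dev/mapper/$name"
        else
            echo "failed to open $device as $name" >&2
            status=1
        fi
    done < "$volumes"
    return $status
}
```

Run as root with the real runner it opens the volumes; the openrc script would then activate LVM on top of the mapped devices.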