| 1 |
Dirk Heinrichs writes: |
| 2 |
|
| 3 |
> Am Mittwoch 01 Juli 2009 12:40:20 schrieb Alex Schuster: |
| 4 |
> > The last two PCs (A and B) I installed are fully encrypted. I used |
| 5 |
> > different methods. I used genkernel --luks --lvm --install all to |
| 6 |
> > create kernel and initramfs. |
| 7 |
> |
| 8 |
> First, see one of my replies to David Shen's thread "Self created |
| 9 |
> initramfs cannot work" from last saturday. It has my init(ram)fs |
| 10 |
> creation scripts attached. |
| 11 |
|
| 12 |
Thanks, I will have a look. Although I'd like to use Gentoo's tool for |
| 13 |
that purpose, genkernel, which I used for the first time now. And it |
| 14 |
worked fine, except that it did not know I how to activate the other |
| 15 |
partitons (/usr, /var and many more) besides root and swap. |
| 16 |
|
| 17 |
|
| 18 |
> > I like to have everything as kernel modules, but the |
| 19 |
> > crypto stuff has to be directly in the kernel, unless I put these |
| 20 |
> > modules into the initramfs by hand. |
| 21 |
> |
| 22 |
> It doesn't make much sense to compile things as module which are needed |
| 23 |
> right after (or even for) booting. The reason distributions do this is |
| 24 |
> to give the most possible flexibility and useability on as much |
| 25 |
> different systems as possible. |
| 26 |
|
| 27 |
I know. I did it anyway, just out of curiosity if this would work, and |
| 28 |
which things could in principle be modules. No problem with building this |
| 29 |
stuff directly into the kernel. |
| 30 |
|
| 31 |
> having said that, you can even do w/o |
| 32 |
> initramfs, just put everything into /boot (which should be a separate |
| 33 |
> partition, then). Again, see my reply to David for the details. |
| 34 |
|
| 35 |
Interesting. Getting rid of initramfs looks like a simpler approach, no |
| 36 |
need to fiddle with cpio in order to change things. |
| 37 |
|
| 38 |
|
| 39 |
> > A: LVM -> LUKS |
| 40 |
> > Many partitions make two volume groups with many LVMs. Each LVM is |
| 41 |
> > LUKS- encrypted. This gives me maximum flexibility, who knows what |
| 42 |
> > other OSes I might need to install on that drive. The boot partition |
| 43 |
> > is on a USB stick and also holds the key. |
| 44 |
> |
| 45 |
> Why? LUKS means Linux Unified Key Storage. No need to store the key |
| 46 |
> elsewhere. Put a password based key on the root LV and encrypt |
| 47 |
> everything else with a random key you put somewhere into /etc (I use |
| 48 |
> /etc/crypt/keyfile). |
| 49 |
|
| 50 |
I do not want to have to enter a password every time my machine boots, so |
| 51 |
I put the key onto a stick. And simply made it the same for all |
| 52 |
partitions. And while I was at it, for maximum security, I also put /boot |
| 53 |
onto the stick. Sure, who would ever break into my house and modify my |
| 54 |
boot partition, replacing the kernel with kernel+keylogger or such... but |
| 55 |
then, I would probably also not need to encrypt my stuff at all. |
| 56 |
|
| 57 |
> > This did not work out of the box, I had to modify |
| 58 |
> > /lib/rcscripts/addons/dm-crypt-start.sh in order to open the other |
| 59 |
> > partitions than swap and root. |
| 60 |
> |
| 61 |
> Then you did something wrong. It works out of the box. |
| 62 |
|
| 63 |
Really? I know it does for root and swap (it works here), but how do I |
| 64 |
tell the system to also luskOpen all my other LVM volumes? |
| 65 |
|
| 66 |
|
| 67 |
> > B: LUKS -> LVM |
| 68 |
> > A simpler approach. sda1 is a small boot partition, sda2 (the rest of |
| 69 |
> > the drive) is a LUKS-formatted LVM physical volume with volume group |
| 70 |
> > 'pvcrypt' on it. This does not work yet, the initramfs does not find |
| 71 |
> > the LVM. |
| 72 |
> |
| 73 |
> Because in Gentoo, only A is implemented/supported. |
| 74 |
|
| 75 |
Oh. I thought this would be even easier than approach A. And looking at |
| 76 |
the /init code it seems to me it should just work. There's a call to |
| 77 |
startVolumes after the root partition is unlocked by cryptsetup, which I |
| 78 |
think should activate the LVM, but it does nothing, it does not even find |
| 79 |
regular physical LVM volumes that are not on top of a crypt setup. |
| 80 |
|
| 81 |
I'll have a look at my .config again. This may take a while, I only have |
| 82 |
remote access to that PC at the moment. |
| 83 |
|
| 84 |
> HTH... |
| 85 |
|
| 86 |
A little :) |
| 87 |
|
| 88 |
Thanks, |
| 89 |
|
| 90 |
Wonko |
Archives