[dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access?

Dáire Fagan dairefagan at gmail.com
Sun Apr 27 18:55:34 CEST 2014


Hi

Although the /dev/mapper/vg-shared volume mounts at boot automatically
like /root and /home, and although I can open it without having to
enter the passphrase again, I cannot create files on it.

From the commands below, which I used to set up /root, /home, and swap
mounting at boot with a single passphrase entry, I have tried
replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo
mount /dev/vg/shared /mnt', but then when I go on to the next command
'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed
to run command ‘mount’: No such file or directory'.

Can anyone tell me how I should edit the following commands so that
/dev/vg/shared not only mounts at boot, but I can also write to it?
Is my encryption method below best practice, apart from needing to run
cryptsetup first? Is there any way to have the partition appear as
/media/daire/shared instead of a long /media/daire/long-hex-string?

sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:
sudo mount /dev/vg/ubuntu-root /mnt
sudo chroot /mnt mount /proc
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt mount /boot
sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
sudo chroot /mnt update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt

Would it be messy to just use something like sudo chown -R $daire:$daire
/mnt/shared ?

==================================================================================

If you need more information the following is how I have encrypted the
/root, /home, and swap partitions on a disk already containing Windows
8.1 and only require a single passphrase entry on boot:

(I have read the Ubuntu alternate install CD used to offer this option
before Canonical cancelled it)

I created a 500 MiB ext4 partition on sda5 that will later be assigned
as /boot (the UEFI Win 8.1 partitions are on sda1, sda2, sda3, and sda4).

sudo dd if=/dev/urandom of=/dev/sda6

12 hours elapse.

dd: writing to ‘/dev/sda6’: No space left on device
660092929+0 records in
660092928+0 records out
337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s

modprobe dm-crypt
modprobe aes-x86_64
modprobe sha256

When I do this over I will run cryptsetup benchmark first to see which
iteration and algorithm works best for my system.

sudo cryptsetup luksFormat /dev/sda6

WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:

sudo pvcreate /dev/mapper/enc-pv
 Physical volume "/dev/mapper/enc-pv" successfully created
sudo vgcreate vg /dev/mapper/enc-pv
 Volume group "vg" successfully created
sudo lvcreate -L 8.5G -n swap vg
 Logical volume "swap" created
sudo lvcreate -L 20G -n ubuntu-root vg
 Logical volume "ubuntu-root" created
sudo lvcreate -L 50G -n ubuntu-home vg
 Logical volume "ubuntu-home" created
sudo lvcreate -L 140G -n shared vg
 Logical volume "shared" created

sudo lvdisplay
 --- Logical volume ---
 LV Path                /dev/vg/swap
 LV Name                swap
 VG Name                vg
 LV UUID                EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
 LV Status              available
 # open                 0
 LV Size                8.50 GiB
 Current LE             2176
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:1

 --- Logical volume ---
 LV Path                /dev/vg/ubuntu-root
 LV Name                ubuntu-root
 VG Name                vg
 LV UUID                TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
 LV Status              available
 # open                 0
 LV Size                20.00 GiB
 Current LE             5120
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:2

 --- Logical volume ---
 LV Path                /dev/vg/shared
 LV Name                shared
 VG Name                vg
 LV UUID                dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
 LV Status              available
 # open                 0
 LV Size                140.00 GiB
 Current LE             35840
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:4

 --- Logical volume ---
 LV Path                /dev/vg/ubuntu-home
 LV Name                ubuntu-home
 VG Name                vg
 LV UUID                pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
 LV Status              available
 # open                 0
 LV Size                50.00 GiB
 Current LE             12800
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:3

sudo vgdisplay | grep -i free
 Free  PE / Size       24641 / 96.25 GiB

sudo mkfs.ext4 /dev/mapper/vg-shared

mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
9175040 inodes, 36700160 blocks
1835008 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
1120 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
   32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
   4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

There was similar output for:

sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home

I may have needed to add an extra hyphen, like vg-ubuntu--root

Next I opened the Ubuntu 14.04 installer and selected 'something
else'. I assigned /boot to the 500 MiB partition on sda5 and then
/root, /home, and swap to the logical /dev/mapper/vg volumes.

After Ubuntu installs, before rebooting from the live USB, I entered
the following:

sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:
sudo mount /dev/vg/ubuntu-root /mnt
sudo chroot /mnt mount /proc
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt mount /boot
sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
sudo chroot /mnt update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt

On reboot Ubuntu boots asking for only one entry of the passphrase
instead of three, one for each encrypted volume.

==================================================================

Thanks

Dáire.
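
As an added example (not code from the original post or from the dm-crypt project), the script below is a post-install fix-up for the data LV that addresses the three points raised above. It assumes, as the post does, that the installed root is mounted at /mnt and that the LV is /dev/vg/shared; the account name daire, the group daire, and the mount point /mnt/shared inside the installed system are assumptions and should be adjusted. Three things it does differently from the post's chroot sequence: it mounts the LV from outside the installed root, because the chroot steps need a /bin/mount inside the mounted tree, which a root filesystem provides and an empty data volume does not (hence the 'No such file or directory' error when /mnt holds the shared LV); it hands the top-level directory of the new filesystem to the user, because mkfs.ext4 leaves that directory owned by root with mode 755, which is why the volume mounts at boot yet cannot be written to; and it gives the filesystem a label plus an fstab entry, so it lands at a fixed path instead of the /media/daire/<uuid> path udisks uses for unlabelled filesystems that are not in fstab.

```shell
#!/bin/sh
# Added example, not from the original post or the dm-crypt project.
# Post-install fix-up for a data LV (here /dev/vg/shared) so that it mounts
# at boot under a fixed path and is writable by the normal user.
# Assumptions (adjust to taste): the installed root is mounted at /mnt as in
# the post, the user account is "daire" in group "daire", and the volume
# should appear at /mnt/shared inside the installed system.
set -eu

# /etc/fstab entry for a labelled ext4 volume. Mounting by LABEL= does not
# depend on the device-mapper name, and an fstab entry with a fixed mount
# point is what keeps udisks from auto-mounting it under /media/$USER/<uuid>.
fstab_line() {
    label=$1
    mountpoint=$2
    printf 'LABEL=%s %s ext4 defaults 0 2\n' "$label" "$mountpoint"
}

# mkfs.ext4 leaves the root directory of the new filesystem owned by root,
# mode 755, so the volume mounts fine but an ordinary user cannot create
# files in it. Hand only the top directory to the user: nothing exists
# below it yet, so -R gains nothing, and 755 (rather than 777) keeps other
# accounts read-only.
own_mount_root() {
    dir=$1
    owner=$2
    group=$3
    chown "$owner:$group" "$dir"
    chmod 0755 "$dir"
}

# Owner, group and octal mode of a directory, for checking the result.
mount_root_owner() {
    stat -c '%U:%G %a' "$1"
}

# Full procedure, run as root from the live USB after the crypttab step in
# the post. The LV is mounted from outside the installed root: chrooting
# into the data volume fails because it contains no /bin/mount, unlike the
# root filesystem the chroot steps were written for.
apply() {
    root=/mnt                 # installed root, as in the post
    lv=/dev/vg/shared
    label=shared
    mp=/mnt/shared            # path inside the installed system (assumed)
    user=daire                # assumed account name
    group=daire

    e2label "$lv" "$label"
    mkdir -p "$root$mp"
    fstab_line "$label" "$mp" >> "$root/etc/fstab"
    mount "$lv" "$root$mp"
    own_mount_root "$root$mp" "$user" "$group"
    echo "$root$mp is now $(mount_root_owner "$root$mp")"
    umount "$root$mp"
}

case "${1:-}" in
    apply) apply ;;
esac
```

Run it as `sudo sh shared-lv.sh apply` from the live session after the LUKS container has been opened and the installed root mounted at /mnt; on the next boot the single crypttab passphrase unlocks the container, the LVs activate, and the fstab entry mounts the labelled volume at /mnt/shared with the top directory owned by the user. Ownership is deliberately applied only to that top directory and with mode 755, not `chown -R` and not world-writable, so a later `chown -R` is unnecessary and other local accounts stay read-only.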

