[dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access?

Dáire Fagan dairefagan at gmail.com
Sun Apr 27 23:20:20 CEST 2014


Hi

I have asked for support on the Ubuntu forums and on many non-distro
Linux forums. I thought someone here might be able to help me, as I am
trying to mount a logical volume with write access that is part of a
cryptsetup-encrypted physical volume, and I figured people on this mailing
list would have experience of this.

Is the encryption method I used best practice?

On 27 April 2014 21:32, Arno Wagner <arno at wagner.name> wrote:
> Sounds like a problem you should complain to Ubuntu about.
> This mailing list here is only for the raw "cryptsetup"
> command...
>
> Arno
>
> On Sun, Apr 27, 2014 at 19:00:00 CEST, Dáire Fagan wrote:
>> Hi
>>
>> Although the /dev/mapper/vg-shared volume mounts at boot automatically
>> like /root and /home, and although I can open it without having to
>> enter the passphrase again, I cannot create files on it.
>>
>> From the commands below, which I used to set up /root, /home, and swap
>> mounting at boot with a single passphrase entry, I have tried
>> replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo
>> mount /dev/vg/shared /mnt', but then when I go on to the next command
>> 'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed
>> to run command ‘mount’: No such file or directory'.
>>
>> Can anyone tell me how I should edit the following commands so that
>> /dev/vg/shared not only mounts at boot, but I can also write to it?
>> Is my encryption method below best practice, apart from needing to run
>> cryptsetup first? Is there any way to have the partition appear as
>> /media/daire/shared instead of a long /media/daire/long-hex-string?
>>
>> sudo cryptsetup luksOpen /dev/sda6 enc-pv
>> Enter passphrase for /dev/sda6:
>> sudo mount /dev/vg/ubuntu-root /mnt
>> sudo chroot /mnt mount /proc
>> sudo mount --bind /dev /mnt/dev
>> sudo chroot /mnt mount /boot
>> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
>> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
>> sudo chroot /mnt update-initramfs -u
>> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
>> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
>>
>> Would it be messy to just use something like sudo chown -R $daire:$daire
>> /mnt/shared ?
>>
>> ==================================================================================
>>
>> If you need more information the following is how I have encrypted the
>> /root, /home, and swap partitions on a disk already containing Windows
>> 8.1 and only require a single passphrase entry on boot:
>>
>> (I have read the Ubuntu alternate install CD used to offer this option
>> before Canonical cancelled it)
>>
>> I created a 500 MiB ext4 partition, sda5, that will later be assigned as
>> /boot (UEFI Win 8.1 partitions are on sda1, sda2, sda3, and sda4)
>>
>> sudo dd if=/dev/urandom of=/dev/sda6
>>
>> 12 hours elapse.
>>
>> dd: writing to ‘/dev/sda6’: No space left on device
>> 660092929+0 records in
>> 660092928+0 records out
>> 337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s
>>
>> modprobe dm-crypt
>> modprobe aes-x86_64
>> modprobe sha256
>>
>> When I do this over I will run cryptsetup benchmark first to see which
>> iteration and algorithm works best for my system.
>>
>> sudo cryptsetup luksFormat /dev/sda6
>>
>> WARNING!
>> ========
>> This will overwrite data on /dev/sda6 irrevocably.
>>
>> Are you sure? (Type uppercase yes): YES
>> Enter passphrase:
>> Verify passphrase:
>> sudo cryptsetup luksOpen /dev/sda6 enc-pv
>> Enter passphrase for /dev/sda6:
>>
>> sudo pvcreate /dev/mapper/enc-pv
>>  Physical volume "/dev/mapper/enc-pv" successfully created
>> sudo vgcreate vg /dev/mapper/enc-pv
>>  Volume group "vg" successfully created
>> sudo lvcreate -L 8.5G -n swap vg
>>  Logical volume "swap" created
>> sudo lvcreate -L 20G -n ubuntu-root vg
>>  Logical volume "ubuntu-root" created
>> sudo lvcreate -L 50G -n ubuntu-home vg
>>  Logical volume "ubuntu-home" created
>> sudo lvcreate -L 140G -n shared vg
>>  Logical volume "shared" created
>>
>> sudo lvdisplay
>>  --- Logical volume ---
>>  LV Path                /dev/vg/swap
>>  LV Name                swap
>>  VG Name                vg
>>  LV UUID                EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
>>  LV Write Access        read/write
>>  LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
>>  LV Status              available
>>  # open                 0
>>  LV Size                8.50 GiB
>>  Current LE             2176
>>  Segments               1
>>  Allocation             inherit
>>  Read ahead sectors     auto
>>  - currently set to     256
>>  Block device           252:1
>>
>>  --- Logical volume ---
>>  LV Path                /dev/vg/ubuntu-root
>>  LV Name                ubuntu-root
>>  VG Name                vg
>>  LV UUID                TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
>>  LV Write Access        read/write
>>  LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
>>  LV Status              available
>>  # open                 0
>>  LV Size                20.00 GiB
>>  Current LE             5120
>>  Segments               1
>>  Allocation             inherit
>>  Read ahead sectors     auto
>>  - currently set to     256
>>  Block device           252:2
>>
>>  --- Logical volume ---
>>  LV Path                /dev/vg/shared
>>  LV Name                shared
>>  VG Name                vg
>>  LV UUID                dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
>>  LV Write Access        read/write
>>  LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
>>  LV Status              available
>>  # open                 0
>>  LV Size                140.00 GiB
>>  Current LE             35840
>>  Segments               1
>>  Allocation             inherit
>>  Read ahead sectors     auto
>>  - currently set to     256
>>  Block device           252:4
>>
>>  --- Logical volume ---
>>  LV Path                /dev/vg/ubuntu-home
>>  LV Name                ubuntu-home
>>  VG Name                vg
>>  LV UUID                pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
>>  LV Write Access        read/write
>>  LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
>>  LV Status              available
>>  # open                 0
>>  LV Size                50.00 GiB
>>  Current LE             12800
>>  Segments               1
>>  Allocation             inherit
>>  Read ahead sectors     auto
>>  - currently set to     256
>>  Block device           252:3
>>
>> sudo vgdisplay | grep -i free
>>  Free  PE / Size       24641 / 96.25 GiB
>>
>> sudo mkfs.ext4 /dev/mapper/vg-shared
>>
>> mke2fs 1.42.9 (4-Feb-2014)
>> Filesystem label=
>> OS type: Linux
>> Block size=4096 (log=2)
>> Fragment size=4096 (log=2)
>> Stride=0 blocks, Stripe width=0 blocks
>> 9175040 inodes, 36700160 blocks
>> 1835008 blocks (5.00%) reserved for the super user
>> First data block=0
>> Maximum filesystem blocks=4294967296
>> 1120 block groups
>> 32768 blocks per group, 32768 fragments per group
>> 8192 inodes per group
>> Superblock backups stored on blocks:
>>    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
>>    4096000, 7962624, 11239424, 20480000, 23887872
>>
>> Allocating group tables: done
>> Writing inode tables: done
>> Creating journal (32768 blocks): done
>> Writing superblocks and filesystem accounting information: done
>>
>> There was similar output for:
>>
>> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
>> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home
>>
>> I may have needed to add an extra hyphen, like vg-ubuntu--root
>>
>> Next I opened the Ubuntu 14.04 installer and selected 'something
>> else'. I assigned /boot to the 500 MiB partition on sda5 and then
>> /root, /home, and swap to the logical /dev/mapper/vg volumes.
>>
>> After Ubuntu installs, before rebooting from the live USB, I entered
>> the following:
>>
>> sudo cryptsetup luksOpen /dev/sda6 enc-pv
>> Enter passphrase for /dev/sda6:
>> sudo mount /dev/vg/ubuntu-root /mnt
>> sudo chroot /mnt mount /proc
>> sudo mount --bind /dev /mnt/dev
>> sudo chroot /mnt mount /boot
>> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
>> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
>> sudo chroot /mnt update-initramfs -u
>> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
>> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
>>
>> On reboot Ubuntu boots asking for only one entry of the passphrase
>> instead of three, one for each encrypted volume.
>>
>> ==================================================================
>>
>> Thanks
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno at wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -  Plato
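For the write-access question in the original post, the following is an added example (the editor's, not the poster's commands and not part of the cryptsetup project) of how a data LV inside the single LUKS container is normally wired up once the installed system boots: a crypttab entry for the container, an fstab entry at a fixed mount point, and a one-time ownership change on the mounted filesystem root. A fresh ext4 filesystem's root directory is owned by root with mode 0755, which is exactly why /dev/mapper/vg-shared mounts at boot but an ordinary user cannot create files on it; the chroot error in the post comes from pointing /mnt at the data LV, which contains no /bin/mount for chroot to run, so these steps belong on the installed system rather than in the live-USB chroot. The names enc-pv, vg, shared, daire and /dev/sda6 are taken from the post; the mount point /media/daire/shared and the temporary files the functions are exercised on are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Reuses the post's names:
# container /dev/sda6 -> enc-pv, VG "vg", LV "shared", user "daire".
# The mount point /media/daire/shared is an assumption.
set -eu

# crypttab entry for the LUKS container, keyed on the partition UUID so the
# initramfs finds it even if the disk enumerates as a different /dev/sdX.
crypttab_line() {                 # $1 = mapping name, $2 = partition UUID
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab entry for a data LV inside the opened container. /dev/mapper/vg-shared
# exists as soon as LVM activates the VG in the initramfs (after the single
# passphrase prompt), so a plain 'defaults' entry mounts it at boot.
fstab_line() {                    # $1 = LV device, $2 = mount point
    printf '%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Append a line only if the file has no entry whose first field is $2,
# so re-running the script never duplicates crypttab/fstab entries.
append_once() {                   # $1 = file, $2 = first-field key, $3 = line
    if [ -f "$1" ] && grep -q "^$2[[:space:]]" "$1"; then
        return 0
    fi
    printf '%s\n' "$3" >> "$1"
}

# A fresh ext4 root directory is root:root 0755, which is why the LV mounts
# fine but an ordinary user cannot create files on it. Ownership and mode
# are stored in the filesystem, so one chown/chmod of the mounted root
# directory is permanent. Use a common group and mode 2775 for several users.
grant_write() {                   # $1 = mount point, $2 = user, $3 = group, $4 = mode
    chown "$2:$3" "$1"
    chmod "$4" "$1"
}

# Returns 0 if $1 is a directory the calling user can create files in
# (the thing the post is actually missing), non-zero otherwise.
check_writable() {                # $1 = mount point
    [ -d "$1" ] && [ -w "$1" ]
}

# Apply for real only when run as root with the argument 'apply'; without
# arguments the script just defines the functions above.
if [ "${1:-}" = apply ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    uuid=$(blkid -s UUID -o value /dev/sda6)   # post's value: ad8b8a32-95ea-4add-abe6-326d151e30fa
    append_once /etc/crypttab enc-pv "$(crypttab_line enc-pv "$uuid")"
    mkdir -p /media/daire/shared
    append_once /etc/fstab /dev/mapper/vg-shared \
        "$(fstab_line /dev/mapper/vg-shared /media/daire/shared)"
    mount /media/daire/shared
    grant_write /media/daire/shared daire daire 0755
    update-initramfs -u      # pick up the crypttab change
fi
```

With an fstab entry the /media/daire/<long-hex-string> auto-mount path no longer appears, because the volume is already mounted when the desktop session starts. If automounting through udisks is preferred instead, giving the filesystem a label (tune2fs -L shared /dev/mapper/vg-shared) makes udisks2 mount it under /media/daire/shared rather than under the UUID. For a volume shared between several accounts, a common group plus mode 2775 on the root directory is preferable to a recursive chown of everything on it.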

