debian with root on dm-crypt and LVM2 and crypto-swap
reasons:
- I want to use LVM2 since it allows me to easily resize the partitions in case one of them gets too small.
- I want to use cryptsetup without LUKS support since I do not need multiple keys, and though there is an unofficial cryptsetup-luks debian package, one would need to build a heavily modified initrd. Since I want to stay with debian package management, it does not seem a good idea to start patching mkinitrd.
(As of Apr 16th, yaird was not usable since it did not seem to have enough support for LVM. With mkinitramfs there were even segfaults in the vgchange binary during LVM setup.
mkinitrd worked just fine, though it had to be modified to use cryptsetup-luks instead of cryptsetup.)
I'm starting off with a debian-testing netinstall and an empty 60GB hard disk in a notebook.
We will need some space for the initial installation. Since there will be no other use for this space later on, we will resize it and use it as /boot as well as for the swap partition.
install debian base-install on a small single partition (starting from the beginning) with no swap partition.
I will use a partition of 800MB; later on I will split it up into 600MB swap and 200MB /boot.
boot into your newly installed debian, but install no further packages.
# apt-get update
# apt-get upgrade
# apt-get install debian-archive-keyring cryptsetup lvm2
add a partition for dm-crypt; remember that one partition will be created for swap later on (that's why we create /dev/hda3 instead of /dev/hda2)
# fdisk /dev/hda
The number of cylinders for this disk is set to 7296.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): n
Command action
e extended
p primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (98-7296, default 98):
Using default value 98
Last cylinder or +size or +sizeM or +sizeK (98-7296, default 7296):
Using default value 7296
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.
# modprobe dm-crypt aes-i586
# cryptsetup -y create cryptdisk /dev/hda3
Enter passphrase:
Verify passphrase:
edit /etc/lvm/lvm.conf to support lvm devices on device-mapper:
types = [ "device-mapper", 16 ]
you might also want to filter the hard disk partitions since we do not use them for lvm directly:
filter = [ "r|/dev/cdrom|", "r|/dev/hda*|" ]
# /etc/init.d/lvm restart
Shutting down LVM Volume Groups...
Incorrect metadata area header checksum
Setting up LVM Volume Groups...
Reading all physical volumes. This may take a while...
No volume groups found
No volume groups found
No volume groups found
now you can set up LVM and the partition; remember that we will use the current root partition for /boot and swap later on.
# pvcreate /dev/mapper/cryptdisk
Physical volume "/dev/mapper/cryptdisk" successfully created
# vgcreate vg_crypt /dev/mapper/cryptdisk
Volume group "vg_crypt" successfully created
# lvcreate -v -L 17G -n lv_root vg_crypt
Logical volume "lv_root" created
# lvcreate -L 20G -n lv_usr vg_crypt
Logical volume "lv_usr" created
I use the rest of the LVM for my home partition:
(use vgdisplay to see how much space is left free)
# vgdisplay vg_crypt | grep "Free"
Free PE / Size 4645 / 18.14 GB
# lvcreate -v -l 4645 -n lv_home vg_crypt
Logical volume "lv_home" created
let's see if everything is there
# ls -la /dev/mapper/
total 26
drwxr-xr-x 2 root root 1024 2006-04-16 03:49 .
drwxr-xr-x 13 root root 24576 2006-04-16 03:46 ..
crw------- 1 root root 10, 63 2006-04-16 03:29 control
brw------- 1 root root 254, 0 2006-04-16 03:38 cryptdisk
brw------- 1 root root 254, 3 2006-04-16 03:49 vg_crypt-lv_home
brw------- 1 root root 254, 1 2006-04-16 03:46 vg_crypt-lv_root
brw------- 1 root root 254, 2 2006-04-16 03:46 vg_crypt-lv_usr
now we're ready to create the filesystems
# apt-get install reiserfsprogs
# mkfs.reiserfs /dev/mapper/vg_crypt-lv_root
# mkfs.reiserfs /dev/mapper/vg_crypt-lv_home
# mkfs.reiserfs /dev/mapper/vg_crypt-lv_usr
mount the filesystems
# mkdir /mnt/temp
# mount /dev/mapper/vg_crypt-lv_root /mnt/temp
# mkdir /mnt/temp/home
# mkdir /mnt/temp/usr
# mount /dev/mapper/vg_crypt-lv_home /mnt/temp/home
# mount /dev/mapper/vg_crypt-lv_usr /mnt/temp/usr
now copy all data to the encrypted LVM partitions
# cp -a /usr/* /mnt/temp/usr/
# cp -a /home/* /mnt/temp/home/
# cd /
# cp -a bin cdrom dev etc initrd* lib lost+found media opt root sbin srv tmp var vmlinuz /mnt/temp/
# mkdir /mnt/temp/boot
# mkdir /mnt/temp/mnt
# mkdir /mnt/temp/sys
# mkdir /mnt/temp/proc
bind /boot, sysfs and procfs so that we can chroot into the new system
# mount --bind /boot /mnt/temp/boot/
# mount --bind /sys /mnt/temp/sys/
# mount --bind /proc /mnt/temp/proc/
not very pretty but we need to copy the contents of /boot to / since our current (unencrypted) root partition will be mounted as /boot by the crypted system.
now you can chroot into the new system.
edit /etc/crypttab so that /dev/mapper/cryptdisk will be set up automatically on the next boot:
edit /etc/fstab so that /dev/hda1 is mounted as /boot next time and the crypto volumes are mounted as well.
#
proc /proc proc defaults 0 0
#/dev/hda1 / ext3 defaults,errors=remount-ro 0 1
/dev/hda1 /boot ext3 defaults 0 1
/dev/mapper/vg_crypt-lv_root / reiserfs notail 0 2
/dev/mapper/vg_crypt-lv_usr /usr reiserfs defaults 0 2
/dev/mapper/vg_crypt-lv_home /home reiserfs defaults 0 2
/dev/hdc /media/cdrom0 udf,iso9660 ro,user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
make an initrd to make the new system bootable
# mkinitrd -o /boot/initrd.img-2.6.12-1-crypt
File descriptor 3 left open
File descriptor 4 left open
File descriptor 5 left open
File descriptor 6 left open
File descriptor 7 left open
Finding all volume groups
Finding volume group "vg_crypt"
edit /boot/grub/menu.lst to contain an entry for the crypted system.
(Don't rewrite the default boot entry for now; if something doesn't work, it will be easier to get back into the system ;))
...
### END DEBIAN AUTOMAGIC KERNELS LIST
title Debian GNU/Linux, kernel 2.6.12-1-386 (cryptodisk)
root (hd0,0)
kernel /boot/vmlinuz-2.6.12-1-386 root=/dev/mapper/vg_crypt-lv_root ro
initrd /boot/initrd.img-2.6.12-1-crypt
savedefault
boot
exit the chroot
and run grub-installer
you should now be able to boot into your crypto-root system.
remember that the initrd uses the default US keyboard layout, so you will have to enter your passphrase accordingly.
If you managed to boot into the crypto-root system, you might want to change the initrd so that it loads a custom keymap.
To do that, I wrote a small script and added it to /etc/mkinitrd/scripts:
#!/bin/sh
#
# mne: install german keymap for us ;)
#
# mkinitrd runs this with INITRDDIR pointing at the directory that becomes the initrd image
cp /bin/loadkeys $INITRDDIR/bin/loadkeys
mkdir -p $INITRDDIR/usr/share/keymaps/i386/include
mkdir -p $INITRDDIR/usr/share/keymaps/i386/qwertz
cp /usr/share/keymaps/i386/qwertz/de.kmap.gz $INITRDDIR/usr/share/keymaps/i386/qwertz
cp /usr/share/keymaps/i386/include/* $INITRDDIR/usr/share/keymaps/i386/include
# add the shared libraries loadkeys needs (as listed by ldd)
PROGS="/bin/loadkeys"
LIBS=`unset LD_LIBRARY_PATH LD_PRELOAD; ldd $PROGS | \
  grep -v 'linux-gate.so' | sort -u | awk '{print $3}'`
for i in $LIBS
do
  if test -f /etc/ld.so.preload && grep -s ^$i\$ /etc/ld.so.preload; then
    continue
  fi
  mkdir -p `dirname $INITRDDIR/$i`
  cp $i $INITRDDIR/$i
done
# write the keyscript into the initrd; everything printed from here on goes into that file
touch $INITRDDIR/keyscripts/keymap.sh
chmod 755 $INITRDDIR/keyscripts/keymap.sh
exec >> $INITRDDIR/keyscripts/keymap.sh
cat << "EOF"
#!/bin/sh
echo "installing keymap .."
loadkeys /usr/share/keymaps/i386/qwertz/de.kmap.gz
EOF
you might also have to customize your /boot/grub/menu.lst once again, since the paths for the kernel and the initrd are not correct.
(remember that /dev/hda1 (or (hd0,0)) is mounted at /boot).
...
### END DEBIAN AUTOMAGIC KERNELS LIST
title Debian GNU/Linux, kernel 2.6.12-1-386 (cryptodisk)
root (hd0,0)
kernel /vmlinuz-2.6.12-1-386 root=/dev/mapper/vg_crypt-lv_root ro
initrd /initrd.img-2.6.12-1-crypt
savedefault
boot
If that works, one can start removing the base install which is still on /boot:
# cd /boot
# ls
bin home media sys
boot initrd mnt System.map-2.6.12-1-386
cdrom initrd.img opt tmp
config-2.6.12-1-386 initrd.img-2.6.12-1-386 proc usr
dev initrd.img-2.6.12-1-crypt root var
etc lib sbin vmlinuz
grub lost+found srv vmlinuz-2.6.12-1-386
It might be a good idea to leave a minimal system in case something goes wrong with the initrd after an upgrade.
(If you remove the base system, you'll need a boot cd with support for dm-crypt and lvm2.)
To get rid of the huge /boot partition, we will now resize it.
Unfortunately the kernel lives on /boot, so we can not unmount and resize the partition.
In my case I had no other possibility than to use some rescue disk with parted on it.
(the one at http://www.sysresccd.org/Download is about 125MB to download).
You can now create a partition /dev/hda2 which will serve as swap.
(Update: you won't need any changes to the mountall.sh script if you correctly set up /etc/crypttab. see below)
To use it, edit /etc/init.d/mountall.sh and add the cryptsetup and mkswap commands right in front of the "swapon" calls, as in this excerpt (the swap partition is /dev/hda2; /dev/hda3 holds the encrypted LVM and must never be given to this command, since the random key and mkswap would destroy it):
...
#
# Execute swapon command again, in case we want to swap to
# a file on a now mounted filesystem.
#
# Ignore 255 status due to swap already being enabled
#
if [ "$VERBOSE" = no ]
then
log_action_begin_msg "Activating swapfile swap"
# map the swap partition with a fresh random key and initialise it as swap
cryptsetup create --key-file=/dev/urandom swap0 /dev/hda2
mkswap /dev/mapper/swap0
swapon -a -e 2>/dev/null || : # Stifle "Device or resource busy"
log_action_end_msg 0
else
log_action_msg "Will now activate swapfile swap"
cryptsetup create --key-file=/dev/urandom swap0 /dev/hda2
mkswap /dev/mapper/swap0
swapon -a -e -v || :
log_success_msg "Done activating swapfile swap."
fi
add an entry to your /etc/crypttab:
swap0 /dev/hda2 /dev/urandom swap
Also add an entry to your /etc/fstab
/dev/mapper/swap0 none swap sw 0 0
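The /etc/crypttab and /etc/fstab edits above, and the crypto-swap entries just given, are easy to get subtly wrong: a random-key swap mapping pointed at the wrong partition is re-keyed and mkswap'ed on every boot, which would silently destroy the encrypted LVM. The following script is an added example, not part of this howto, that reads an fstab and a crypttab and flags a swap mapping whose backing device is also used elsewhere, a swap mapping keyed from something other than /dev/urandom or /dev/random, and a /dev/mapper name in fstab with no matching crypttab mapping or LVM volume. The sample files it writes are constructed here to mirror the layout in this howto (hda1 /boot, hda2 swap, hda3 dm-crypt); the cryptdisk crypttab line and its cipher= option are assumptions, since the howto does not show that entry.

```shell
#!/bin/sh
# Added example (not from the original howto): sanity-check a dm-crypt +
# LVM layout from its fstab and crypttab before rebooting into it.
# Flags three mistakes:
#   1. a random-key swap mapping whose backing device is also a filesystem
#      in fstab or the source of another crypttab mapping (that device
#      would be re-keyed and mkswap'ed on every boot);
#   2. a swap mapping keyed from anything but /dev/urandom or /dev/random;
#   3. a /dev/mapper/<name> in fstab that is neither a crypttab mapping
#      nor an LVM "vg-lv" device name.

# Print the entries of a tab-style config file, comments and blank lines removed.
entries() {
    sed -e 's/#.*//' "$1" | grep -v '^[[:space:]]*$'
}

# Succeed if column $2 of some entry in file $1 equals $3, ignoring the
# entry whose first column is $4 (so an entry does not match itself).
has_entry() {
    entries "$1" | awk -v col="$2" -v val="$3" -v skip="$4" \
        '$col == val && $1 != skip { found = 1 } END { exit !found }'
}

# Print every problem found; prints nothing for a clean layout.
find_crypt_problems() {
    fstab=$1
    crypttab=$2

    # crypttab columns: name source keyfile options
    entries "$crypttab" | while read -r name src key opts; do
        case ",$opts," in
        *,swap,*)
            case "$key" in
            /dev/urandom|/dev/random) ;;
            *) echo "crypttab $name: swap keyed from '$key', expected /dev/urandom" ;;
            esac
            if has_entry "$fstab" 1 "$src"; then
                echo "crypttab $name: swap device $src is also mounted via fstab"
            fi
            if has_entry "$crypttab" 2 "$src" "$name"; then
                echo "crypttab $name: swap device $src is also the source of another mapping"
            fi
            ;;
        esac
    done

    # fstab columns: device mountpoint type options ...
    entries "$fstab" | while read -r dev mnt type rest; do
        case "$dev" in
        /dev/mapper/*)
            mapname=${dev#/dev/mapper/}
            if has_entry "$crypttab" 1 "$mapname"; then
                continue
            fi
            case "$mapname" in
            *-*) ;;   # LVM device names look like vg_crypt-lv_root
            *) echo "fstab $mnt: $dev is neither a crypttab mapping nor an LVM volume" ;;
            esac
            ;;
        esac
    done
}

# Return 0 for a clean layout, 1 (with the problems on stdout) otherwise.
check_crypt_layout() {
    problems=$(find_crypt_problems "$1" "$2")
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Constructed sample files mirroring the layout of this howto:
# /dev/hda1 = /boot, /dev/hda2 = random-key swap, /dev/hda3 = dm-crypt + LVM.
work=$(mktemp -d)
cat > "$work/fstab" <<'EOF'
proc                         /proc  proc     defaults 0 0
/dev/hda1                    /boot  ext3     defaults 0 1
/dev/mapper/vg_crypt-lv_root /      reiserfs notail   0 2
/dev/mapper/vg_crypt-lv_usr  /usr   reiserfs defaults 0 2
/dev/mapper/vg_crypt-lv_home /home  reiserfs defaults 0 2
/dev/mapper/swap0            none   swap     sw       0 0
EOF
# crypttab as it should be (the cryptdisk line and its cipher= option are
# assumptions; the howto does not show that entry)
cat > "$work/crypttab.good" <<'EOF'
# name      source     keyfile       options
cryptdisk   /dev/hda3  none          cipher=aes-cbc-plain
swap0       /dev/hda2  /dev/urandom  swap
EOF
# constructed mistake: swap pointed at the partition that holds the LVM
cat > "$work/crypttab.bad" <<'EOF'
cryptdisk   /dev/hda3  none          cipher=aes-cbc-plain
swap0       /dev/hda3  /dev/urandom  swap
EOF

echo "== expected layout =="
check_crypt_layout "$work/fstab" "$work/crypttab.good" && echo "no problems found"
echo "== swap on the wrong partition =="
check_crypt_layout "$work/fstab" "$work/crypttab.bad" || echo "layout rejected"
```

Point check_crypt_layout at the real /etc/fstab and /etc/crypttab once both are edited, before the first reboot into the crypto-root system. One caveat that comes with a random-key swap: the key is generated afresh at every boot, so a suspend-to-disk image written to that swap can never be resumed.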
if you find any typos, you may keep them ;)