Dirk Heinrichs writes:

> On Wednesday 01 July 2009 12:40:20, Alex Schuster wrote:
>
> > The last two PCs (A and B) I installed are fully encrypted. I used
> > different methods. I used genkernel --luks --lvm --install all to
> > create kernel and initramfs.
>
> First, see one of my replies to David Shen's thread "Self created
> initramfs cannot work" from last Saturday. It has my init(ram)fs
> creation scripts attached.

Thanks, I will have a look. Although I'd like to use Gentoo's tool for that purpose, genkernel, which I used for the first time now. And it worked fine, except that it did not know how to activate the other partitions (/usr, /var and many more) besides root and swap.

> > I like to have everything as kernel modules, but the
> > crypto stuff has to be directly in the kernel, unless I put these
> > modules into the initramfs by hand.
>
> It doesn't make much sense to compile things as modules which are needed
> right after (or even for) booting. The reason distributions do this is
> to give the most possible flexibility and usability on as many
> different systems as possible.

I know. I did it anyway, just out of curiosity if this would work, and which things could in principle be modules. No problem with building this stuff directly into the kernel.

> Having said that, you can even do w/o
> initramfs, just put everything into /boot (which should be a separate
> partition, then). Again, see my reply to David for the details.

Interesting. Getting rid of initramfs looks like a simpler approach, no need to fiddle with cpio in order to change things.

> > A: LVM -> LUKS
> > Many partitions make two volume groups with many LVMs. Each LVM is
> > LUKS-encrypted. This gives me maximum flexibility, who knows what
> > other OSes I might need to install on that drive. The boot partition
> > is on a USB stick and also holds the key.
>
> Why? LUKS means Linux Unified Key Storage. No need to store the key
> elsewhere. Put a password based key on the root LV and encrypt
> everything else with a random key you put somewhere into /etc (I use
> /etc/crypt/keyfile).

I do not want to have to enter a password every time my machine boots, so I put the key onto a stick. And simply made it the same for all partitions. And while I was at it, for maximum security, I also put /boot onto the stick.

Sure, who would ever break into my house and modify my boot partition, replacing the kernel with kernel+keylogger or such... but then, I would probably also not need to encrypt my stuff at all.

> > This did not work out of the box, I had to modify
> > /lib/rcscripts/addons/dm-crypt-start.sh in order to open the other
> > partitions than swap and root.
>
> Then you did something wrong. It works out of the box.

Really? I know it does for root and swap (it works here), but how do I tell the system to also luksOpen all my other LVM volumes?

> > B: LUKS -> LVM
> > A simpler approach. sda1 is a small boot partition, sda2 (the rest of
> > the drive) is a LUKS-formatted LVM physical volume with volume group
> > 'pvcrypt' on it. This does not work yet, the initramfs does not find
> > the LVM.
>
> Because in Gentoo, only A is implemented/supported.

Oh. I thought this would be even easier than approach A. And looking at the /init code it seems to me it should just work. There's a call to startVolumes after the root partition is unlocked by cryptsetup, which I think should activate the LVM, but it does nothing, it does not even find regular physical LVM volumes that are not on top of a crypt setup. I'll have a look at my .config again. This may take a while, I only have remote access to that PC at the moment.

> HTH...

A little :)

Thanks,
	Wonko
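As an added illustration of the two open points in this message (opening the non-root LUKS volumes from a keyfile, and then activating the LVM that sits on top of a LUKS volume as in approach B), here is a small POSIX sh script that is not part of the thread, of genkernel or of Gentoo's dm-crypt-start.sh. It assumes a config file in the target=/source=/key= style of Gentoo's /etc/conf.d/dmcrypt, and indirects the cryptsetup and vgchange calls through variables so the logic can be exercised as a dry run without root.

```shell
#!/bin/sh
# Added example, not from the thread: open every LUKS target listed in a
# config file with its keyfile, skipping targets the initramfs already
# mapped, then bring up LVM on top of them (LUKS -> LVM, "approach B").

# Indirected so the logic can be dry-run without root
# (e.g. CRYPTSETUP=echo VGCHANGE=echo MAPPER_DIR=/tmp/mapper).
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
VGCHANGE="${VGCHANGE:-vgchange}"
MAPPER_DIR="${MAPPER_DIR:-/dev/mapper}"

# open_crypt_volumes CONFIG_FILE
# Reads target=/source=/key= triples; a "target=" line starts a new entry.
open_crypt_volumes() {
    conf="$1"; rc=0
    target=""; source=""; key=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            target=*)   # flush the previous entry before starting a new one
                [ -n "$target" ] && { _open_one "$target" "$source" "$key" || rc=1; }
                target="${line#target=}"; source=""; key="" ;;
            source=*) source="${line#source=}" ;;
            key=*)    key="${line#key=}" ;;
        esac
    done < "$conf"
    [ -n "$target" ] && { _open_one "$target" "$source" "$key" || rc=1; }
    return $rc
}

# _open_one TARGET SOURCE KEYFILE
_open_one() {
    # Already mapped (e.g. root unlocked by the initramfs): nothing to do.
    if [ -e "$MAPPER_DIR/$1" ]; then
        echo "skip $1: already mapped"; return 0
    fi
    # Refuse silently broken entries instead of prompting for a passphrase.
    if [ -z "$2" ] || [ ! -r "$3" ]; then
        echo "error $1: missing source or unreadable keyfile" >&2; return 1
    fi
    "$CRYPTSETUP" luksOpen --key-file "$3" "$2" "$1"
}

# Activate all volume groups once the PVs underneath are unlocked.
activate_lvm() { "$VGCHANGE" -ay; }
```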