Dirk Heinrichs writes:
> On Wednesday 01 July 2009 12:40:20, Alex Schuster wrote:
> > The last two PCs (A and B) I installed are fully encrypted. I used
> > different methods. I used genkernel --luks --lvm --install all to
> > create kernel and initramfs.
>
> First, see one of my replies to David Shen's thread "Self created
> initramfs cannot work" from last saturday. It has my init(ram)fs
> creation scripts attached.
Thanks, I will have a look. Although I'd like to use Gentoo's tool for
that purpose, genkernel, which I used for the first time now. And it
worked fine, except that it did not know how to activate the other
partitions (/usr, /var and many more) besides root and swap.
> > I like to have everything as kernel modules, but the
> > crypto stuff has to be directly in the kernel, unless I put these
> > modules into the initramfs by hand.
>
> It doesn't make much sense to compile things as modules which are needed
> right after (or even for) booting. The reason distributions do this is
> to give the most possible flexibility and usability on as many
> different systems as possible.
I know. I did it anyway, just out of curiosity if this would work, and
which things could in principle be modules. No problem with building this
stuff directly into the kernel.
> having said that, you can even do w/o
> initramfs, just put everything into /boot (which should be a separate
> partition, then). Again, see my reply to David for the details.
Interesting. Getting rid of initramfs looks like a simpler approach, no
need to fiddle with cpio in order to change things.
> > A: LVM -> LUKS
> > Many partitions make two volume groups with many LVMs. Each LVM is
> > LUKS-encrypted. This gives me maximum flexibility, who knows what
> > other OSes I might need to install on that drive. The boot partition
> > is on a USB stick and also holds the key.
>
> Why? LUKS means Linux Unified Key Storage. No need to store the key
> elsewhere. Put a password based key on the root LV and encrypt
> everything else with a random key you put somewhere into /etc (I use
> /etc/crypt/keyfile).
I do not want to have to enter a password every time my machine boots, so
I put the key onto a stick. And simply made it the same for all
partitions. And while I was at it, for maximum security, I also put /boot
onto the stick. Sure, who would ever break into my house and modify my
boot partition, replacing the kernel with kernel+keylogger or such... but
then, I would probably also not need to encrypt my stuff at all.
> > This did not work out of the box, I had to modify
> > /lib/rcscripts/addons/dm-crypt-start.sh in order to open the other
> > partitions than swap and root.
>
> Then you did something wrong. It works out of the box.
Really? I know it does for root and swap (it works here), but how do I
tell the system to also luksOpen all my other LVM volumes?
> > B: LUKS -> LVM
> > A simpler approach. sda1 is a small boot partition, sda2 (the rest of
> > the drive) is a LUKS-formatted LVM physical volume with volume group
> > 'pvcrypt' on it. This does not work yet, the initramfs does not find
> > the LVM.
>
> Because in Gentoo, only A is implemented/supported.
Oh. I thought this would be even easier than approach A. And looking at
the /init code it seems to me it should just work. There's a call to
startVolumes after the root partition is unlocked by cryptsetup, which I
think should activate the LVM, but it does nothing, it does not even find
regular physical LVM volumes that are not on top of a crypt setup.
I'll have a look at my .config again. This may take a while, I only have
remote access to that PC at the moment.
> HTH...
A little :)
Thanks,
Wonko
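
The boot-time sequence both setups in this thread depend on (map the LUKS container(s) first, only then activate LVM on top), as an added example that is not part of the thread, of genkernel or of Gentoo's dm-crypt-start.sh: a small POSIX shell script that reads a Gentoo-style /etc/conf.d/dmcrypt file (stanzas of target=, source= and key= lines, which is assumed here to be the format that addon consumes; other keys such as options= are ignored), runs cryptsetup luksOpen for each target, and then runs vgscan and vgchange -ay. The device names, the key file path /mnt/stick/keyfile and the sample config it writes are constructed for illustration. With DRY_RUN=1 (the default) it only prints the commands, so it can be read and checked without root, cryptsetup or LVM installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo. Opens every dm-crypt
# target listed in a dmcrypt-style config (assumed stanza format: target=,
# source=, key=), then activates LVM on top of the mapped devices (setup B:
# LUKS -> LVM). DRY_RUN=1 prints the commands instead of running them.
set -e

DRY_RUN=${DRY_RUN:-1}

# Run a command, or print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Strip one layer of surrounding single or double quotes (source='/dev/...').
unquote() {
    v=$1
    v=${v#\'}; v=${v%\'}
    v=${v#\"}; v=${v%\"}
    printf '%s' "$v"
}

# Map one finished stanza with cryptsetup. A key file is used when given;
# otherwise cryptsetup prompts for the passphrase.
open_target() {
    target=$1 source=$2 key=$3
    [ -n "$target" ] || return 0
    [ -n "$source" ] || { echo "dmcrypt: $target has no source" >&2; return 1; }
    if [ -n "$key" ]; then
        # Key on a removable stick: fail loudly if it is not there rather than
        # silently leaving the volume closed.
        if [ "$DRY_RUN" != 1 ] && [ ! -r "$key" ]; then
            echo "dmcrypt: key file $key for $target not readable" >&2
            return 1
        fi
        run cryptsetup luksOpen --key-file "$key" "$source" "$target"
    else
        run cryptsetup luksOpen "$source" "$target"
    fi
}

# Parse the config: each target= line starts a new stanza and closes the
# previous one; comments (#) and blank lines are skipped.
open_all() {
    conf=$1
    target='' source='' key=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in
            target=*) open_target "$target" "$source" "$key"
                      target=$(unquote "${line#target=}"); source=''; key='' ;;
            source=*) source=$(unquote "${line#source=}") ;;
            key=*)    key=$(unquote "${line#key=}") ;;
        esac
    done < "$conf"
    open_target "$target" "$source" "$key"
}

# Constructed sample config for illustration (not the poster's real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
# sda2 holds the LUKS container with the LVM physical volume inside
target=pvcrypt
source='/dev/sda2'
key='/mnt/stick/keyfile'

# a second container unlocked with a passphrase prompt
target=backup
source='/dev/sdb1'
EOF
}

main() {
    conf=$(mktemp)
    make_sample_conf "$conf"
    open_all "$conf"
    # LVM only sees the PV inside pvcrypt once the container is mapped, so
    # the scan must come after cryptsetup, never before.
    run vgscan
    run vgchange -ay
    rm -f "$conf"
}

[ -n "$NO_MAIN" ] || main "$@"
```

Run it as root with DRY_RUN=0 once the key stick is mounted; for a real /etc/conf.d/dmcrypt, call open_all on that file instead of the sample. The point for setup B is the ordering in main: vgscan finds nothing inside a LUKS container until cryptsetup has mapped it, so any init script that scans for volume groups before (or without) opening the container will not see the PV.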