Re: [CentOS-docs] Encrypting tmp swap and home
Chris * wrote:
> I had submitted a document to this list a few weeks back that gave instructions for whole disk encryption which would cover /tmp /home /swap and everything other than /boot. I did not ask for space in the wiki because I thought it was waiting for peer review for accuracy. That entire thread seemed to simply die so I haven't pursued the wiki any further. I already have this document in a wiki format at work and would be happy to submit it to the CentOS wiki should it pass muster. The contents of my last post are:

Ooops, that must have slipped by me, sorry. Got a wiki account?

> Whole (Most) Disk Encryption on CentOS 5

Good. I'm going to move the TipsAndTricks EncryptedFileSystem to the HowTo section also, and we can create that page too.

Cheers,
Ralph

___
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs
Re: [CentOS-docs] Encrypting tmp swap and home
Max Hetrick wrote:
> To further explain things, MoinMoin starts off headers with = Title 1 = and here's the problem with the html2wiki converter: it actually doesn't convert the h1 correctly with how I would logically think it should work.

I contacted the Perl developer of HTML-WikiConverter-MoinMoin and explained the problem. It's definitely a bug in the converter dialect. The author asked me to file a bug report for him on CPAN, so I did so. In the meantime, I'll use Filipe's sed script to get the output needed. In case anyone else is using this, I wanted to follow up.

Changes were made to the encryption page, as well as corrections to the rest of my pages. When you get a chance, Marcus, take a look and make sure the formatting is correct.

Thanks,
Max
Re: [CentOS-docs] Encrypting tmp swap and home
On Thu, Oct 16, 2008 at 09:41:12PM -0400, Chris * wrote:
> I had submitted a document to this list a few weeks back that gave ...

nice write-up, minor typo/corrections in the text added below.

Cheers,
Tru

> Summary
> ...
> Step One: Prepare the disk
> The first step is to prepare the disk. The installer partitioning software doesn't have the flexibility to be able to do this, so you will need to switch to the shell and perform the setup manually.

to be verified: you need to make a GUI install, the text mode installation method does not have the lvm creation feature.

> Once the installer has moved into the GUI, press Ctrl-Alt-F2 to get a command prompt.
> ...
> Use fdisk to create the partitions for install. You will need to create a /boot partition and an LVM partition at the end of the disk. The gap in between the two partitions will become your encrypted file-system. This document will refer to the boot partition as /dev/sda1 and the install partition at the end of the disk as /dev/sda3. The encrypted partition will become /dev/sda2.

imho, should be emphasized - and some figures hinted for the minimal size of sda3 (swap+/)

> The partition at the end of the disk should be smaller than the empty space between /boot and your LVM partition so that there is room for the meta-data associated with the encryption. The LVM partition really only needs to be large enough to install the system. You will be able to expand the system volumes if you like after you have a working, encrypted system.
> ...
> Step Two: Installing the OS
> The installation must be done using the graphical installer because the text installer doesn't allow a custom installation to use LVM.

should be placed above, since the installer has already started.

> ...
> Step Three: Create the encrypted partition
> Step Four: Configure mkinitrd for encrypted system
> Make a backup copy of /sbin/mkinitrd. Future updates of the mkinitrd package will overwrite it, but the changes will allow future kernel updates to properly build an initrd.
> Modify /sbin/mkinitrd per the patch below. The patch modifies the MODULES line so that initrd has the proper modules for encryption, adds cryptsetup to initrd, and configures initrd to open the encrypted file-system.

make patch file available and the command to apply it:

  wget http://../mkinitrd.patch -O /tmp/mkinitrd.patch
  cd /
  patch -p1 < /tmp/mkinitrd.patch

> Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted sda2.
> # dd if=/dev/sda3 of=/dev/mapper/lvm

non dd version? vgextend + pvmove + vgreduce ?

NOTE: To make the encrypted system the default system, make the above lines the first block listed in grub.conf or set the default value

> Once the encrypted system is confirmed to be working correctly, remove the unencrypted system. Randomize /dev/hda3 by using either shred or dd.

Once ^ sda3

> Use the fdisk command to resize sda2 to fill the entire disk.
> ...
> # pvresize --setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm

why not just pvresize /dev/mapper/lvm ? should it detect the size by itself?

> Extend the logical volumes of the system with lvextend. man lvextend for more information on the command.
> # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00

same question, here (autodetection) if you only want to extend a single logical volume.

  lvextend /dev/VolGroup00/LogVol00

--
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
RE: [CentOS-docs] Encrypting tmp swap and home
Another post asked if I have a wiki account. The answer is no. I think that at this point it would be better if I did for this article.

In response to some of the points by Tru:

> to be verified: you need to make a GUI install, the text mode installation method does not have the lvm creation feature.

Very true, Tru. This detail is actually a hold-over from one of the documents that I used as a source. I have not actually tried a text-mode install but it should definitely be verified.

> imho, should be emphasized - and some figures hinted for the minimal size of sda3 (swap+/)

Emphasis is not a problem. As for the size of sda3, I can try to clarify the sizes. The document states that sda3 should be smaller than what will become sda2 so that there is room for the encryption overhead, but as for the sizes of things such as swap and other partitions, the best I know to do is refer to CentOS/RedHat documentation. I am open to other suggestions.

> make patch file available and the command to apply it:
>
>   wget http://../mkinitrd.patch -O /tmp/mkinitrd.patch
>   cd /
>   patch -p1 < /tmp/mkinitrd.patch

Is there a good place to make it available? Would something such as sourceforge be best?

> non dd version? vgextend + pvmove + vgreduce ?

A quick google search found that this would be possible, but there is a trade-off. Section 4.1 of the page http://www.planamente.ch/emidio/docs/linux/dm-crypt/dm-crypt-4.html explains the trade-off. It's basically a single dm-crypt device with a single passphrase for the entire disk vs multiple dm-crypt devices each with its own passphrase. If this type of option were to be added to the document, I think that it should probably go into the Optional Configurations section so that the main document can be a cookie-cutter step by step for people to follow.

> # pvresize --setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm
>
> why not just pvresize /dev/mapper/lvm ? should it detect the size by itself?

I believe that it will. I think I listed the command that way so that it would allude to the fact that you don't have to use the entire disk if you didn't want. You can increase the size of /dev/sda2 and still have some space on the disk for additional volumes, encrypted devices, etc. That's what the Optional Configurations area tries to detail a little more.

> NOTE: To make the encrypted system the default system, make the above lines the first block listed in grub.conf or set the default value

True. I phrased that section with the intent that the original grub entries would be removed along with the unencrypted install, in which case the entry for the encrypted system would end up at the default value of 0.

> # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00
>
> same question, here (autodetection) if you only want to extend a single logical volume.
>
>   lvextend /dev/VolGroup00/LogVol00

This was in case LVM was built with multiple logical volumes. You would want to specify the size of each volume that you want to increase so the first one doesn't take all space and leave no room for the others to grow. I probably need to clarify that point.

Chris

Date: Fri, 17 Oct 2008 09:35:00 +0200
From: [EMAIL PROTECTED]
To: centos-docs@centos.org
Subject: Re: [CentOS-docs] Encrypting tmp swap and home
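The copy-then-grow procedure reviewed by Tru and defended by Chris above (sda3 kept smaller than the gap so the LUKS metadata fits, dd of sda3 into the opened mapping, pvresize, then an explicit size per lvextend so the first volume cannot take all the free space) has one step that silently ruins the new system when the numbers are wrong: the dd. The script below is an added example, not part of the draft HowTo or of anything posted in this thread. It takes the sector boundaries you read off fdisk, checks that sda3 fits inside the LUKS payload of sda2, allocates lvextend sizes across several logical volumes, and returns the command sequence without touching a device. The 2 MiB LUKS1 header size, the `cryptsetup resize` step, and the `Layout`, `plan` and `plan_lvextend` names are this example's own assumptions.

```python
"""Dry-run planner for the migration discussed above: /boot on sda1, a
temporary unencrypted install on sda3 at the end of the disk, and the gap
(sda2) that becomes the LUKS container holding the LVM physical volume.
Added example, not part of the draft HowTo. It only checks sizes and
returns the commands it would run; it never opens a device."""
from dataclasses import dataclass

SECTOR_BYTES = 512
SECTORS_PER_MIB = (1024 * 1024) // SECTOR_BYTES   # 2048

# Assumption: a LUKS1 header plus key slots, as written by cryptsetup of the
# CentOS 5 era, occupies 4096 sectors (2 MiB) before the payload. Read the
# real value from `cryptsetup luksDump` (Payload offset) on the target box.
DEFAULT_LUKS_HEADER_SECTORS = 4096


@dataclass(frozen=True)
class Layout:
    boot_end: int        # last sector of sda1 (/boot)
    install_start: int   # first sector of sda3 (the temporary install)
    install_end: int     # last sector of sda3


def gap_sectors(layout):
    """Free sectors between /boot and sda3: the future sda2."""
    return layout.install_start - (layout.boot_end + 1)


def install_sectors(layout):
    return layout.install_end - layout.install_start + 1


def copy_headroom(layout, header_sectors=DEFAULT_LUKS_HEADER_SECTORS):
    """Sectors left after dd'ing sda3 into the opened LUKS device on sda2.
    Negative means dd would truncate the copy and the PV inside it would be
    unusable: the 'sda3 smaller than the gap minus the encryption
    metadata' rule expressed in numbers."""
    return gap_sectors(layout) - header_sectors - install_sectors(layout)


def copy_fits(layout, header_sectors=DEFAULT_LUKS_HEADER_SECTORS):
    return copy_headroom(layout, header_sectors) >= 0


def plan_lvextend(free_mib, wanted_mib):
    """One explicit `lvextend -L +size` per logical volume, so the first LV
    cannot swallow every free extent. Rejects requests that exceed the
    space pvresize exposed."""
    total = sum(wanted_mib.values())
    if total > free_mib:
        raise ValueError(f"requested {total} MiB but only {free_mib} MiB free")
    return [f"lvextend -L +{size}M {lv}" for lv, size in wanted_mib.items()]


def plan(layout, header_sectors=DEFAULT_LUKS_HEADER_SECTORS):
    """Ordered command list for the migration; refuses to emit the dd step
    when the copy would not fit."""
    headroom = copy_headroom(layout, header_sectors)
    if headroom < 0:
        raise ValueError(f"sda3 is {-headroom} sectors too large for the LUKS payload on sda2")
    return [
        "cryptsetup --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sda2",
        "cryptsetup luksOpen /dev/sda2 lvm",
        "dd if=/dev/sda3 of=/dev/mapper/lvm bs=1M",
        # Boot the copy from its own grub entry and verify it, then:
        "shred -n 1 -v /dev/sda3",
        "# fdisk /dev/sda: delete sda3, grow sda2 to the end of the disk, reboot",
        "cryptsetup resize lvm",     # assumption: the installed cryptsetup has 'resize'
        "pvresize /dev/mapper/lvm",  # grows the PV to the whole mapping
    ]


if __name__ == "__main__":
    # Constructed layout: a ~101 MiB /boot and a ~4.8 GiB temporary install
    layout = Layout(boot_end=206_847, install_start=20_000_000, install_end=29_999_999)
    print(f"headroom after copy: {copy_headroom(layout) // SECTORS_PER_MIB} MiB")
    grow = {"/dev/VolGroup00/LogVol00": 3000, "/dev/VolGroup00/LogVol01": 1500}
    for cmd in plan(layout) + plan_lvextend(5000, grow):
        print(cmd)
```

Feed it the sector numbers from `fdisk -u -l /dev/sda`. Once the container exists, take the payload offset from `cryptsetup luksDump /dev/sda2` and pass it as `header_sectors` instead of trusting the default; the check is only as good as that number.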
RE: [CentOS-docs] Encrypting tmp swap and home
-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sda3
# /sbin/cryptsetup luksOpen /dev/sda3 myencryptedpartition
# /sbin/cryptsetup luksClose myencryptedpartition

OPTIONAL - Add additional pass-phrases. A key file can be used to prevent the need for typing in a pass-phrase every time the file-system is mounted.

# /sbin/cryptsetup luksAddKey /dev/sda3
or
# /sbin/cryptsetup luksAddKey /dev/sda3 /path/and/keyfile

A.5: Configure encrypted partitions to mount at boot

This step simplifies the use of an encrypted file system. It will allow the encrypted file system to be treated as any non-encrypted system. The file /etc/crypttab will automate the luksOpen commands that were used earlier. The format of /etc/crypttab is

mappingname  devicename  password_file_path  options

Not all fields are needed. Most of the possible options for the options field are ignored for LUKS volumes, because LUKS volumes have all the necessary information about the cipher, key size, and hash in the volume header. Also, if the password_file_path field is empty or has the value "none", the system will prompt for the pass-phrase when mounting the file system.

Create /etc/crypttab

myencryptedpartition  /dev/sda3  /path/and/keyfile
or
myencryptedpartition  /dev/sda3  none

It is usually a bad idea to store the pass-phrase in a plain text file; however, an encrypted root partition does alleviate some of the concern. Under no circumstances should a pass-phrase be stored on an unencrypted partition such as /boot.

Modify /etc/fstab to add the line

/dev/mapper/myencryptedpartition  /myFileSystem  ext3  defaults  1 2

The encrypted partition is now configured to mount at boot.

Date: Wed, 15 Oct 2008 07:52:40 -0400
From: [EMAIL PROTECTED]
To: centos-docs@centos.org
Subject: [CentOS-docs] Encrypting tmp swap and home
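Step A.5 above (and Max's HowTo for /tmp, swap and /home) rests on /etc/crypttab and /etc/fstab agreeing with each other, and on the key file never sitting on cleartext storage such as /boot. Below is an added Python checker, not code from either HowTo, that parses constructed copies of both files and reports a key file under an unencrypted mount point, a `none` or missing key field (boot will prompt), a device key such as /dev/urandom, and a mapping that nothing in fstab mounts. The sample files, the `CLEARTEXT_MOUNTS` list and the function names are this example's own assumptions.

```python
"""Static check of /etc/crypttab against /etc/fstab for the rules in step
A.5: mapping name, device, optional key file ('none' or absent means prompt)
and options; a key file must never live on an unencrypted partition; every
mapping should be mounted from /dev/mapper/<name>. Added example, not code
from the draft HowTo; both sample files below are constructed."""

# Assumption: mount points that hold cleartext on the target box. /boot is
# always cleartext in this design; add "/" if the root file system is not
# inside the LUKS container.
CLEARTEXT_MOUNTS = ("/boot",)

SAMPLE_CRYPTTAB = """\
# mapping name          device                    key file            options
myencryptedpartition    /dev/sda3                 /path/and/keyfile
home                    /dev/VolGroup00/LogVol02  none
swap                    /dev/VolGroup00/LogVol01  /dev/urandom        swap,cipher=aes-cbc-essiv:sha256,size=256
badkey                  /dev/VolGroup00/LogVol03  /boot/tmp.key
"""

SAMPLE_FSTAB = """\
/dev/VolGroup00/LogVol00          /               ext3  defaults  1 1
LABEL=/boot                       /boot           ext3  defaults  1 2
/dev/mapper/myencryptedpartition  /myFileSystem   ext3  defaults  1 2
/dev/mapper/home                  /home           ext3  defaults  1 2
/dev/mapper/swap                  swap            swap  defaults  0 0
"""


def parse_crypttab(text):
    """Return [(lineno, name, device, key, options)] for non-comment lines.
    Fewer than two fields is reported as malformed with name=None."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            entries.append((lineno, None, None, None, None))
            continue
        key = fields[2] if len(fields) > 2 else "none"       # absent => prompt
        options = fields[3] if len(fields) > 3 else ""
        entries.append((lineno, fields[0], fields[1], key, options))
    return entries


def parse_fstab(text):
    """Return {mount_point: device} for non-comment lines."""
    mounts = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            mounts[fields[1]] = fields[0]
    return mounts


def mount_of(path, mounts):
    """Longest mount point that is a prefix of path ('/' matches everything)."""
    best = None
    for mp in mounts:
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def check(crypttab_text, fstab_text, cleartext=CLEARTEXT_MOUNTS):
    """Return a list of (level, mapping, message); level is FAIL, WARN or INFO."""
    findings = []
    mounts = parse_fstab(fstab_text)
    mounted_devices = set(mounts.values())
    for lineno, name, device, key, options in parse_crypttab(crypttab_text):
        if name is None:
            findings.append(("FAIL", f"line {lineno}", "needs at least a mapping name and a device"))
            continue
        if key == "none":
            findings.append(("INFO", name, "no key file: boot will prompt for the pass-phrase"))
        elif key.startswith("/dev/"):
            findings.append(("INFO", name, f"key read from device {key}: a random key, as for swap"))
        else:
            mp = mount_of(key, mounts)
            if mp is None:
                findings.append(("WARN", name, f"key file {key} is not under any fstab mount point"))
            elif mp in cleartext:
                findings.append(("FAIL", name, f"key file {key} lives on unencrypted {mp}"))
        if f"/dev/mapper/{name}" not in mounted_devices:
            findings.append(("WARN", name, f"no fstab entry mounts /dev/mapper/{name}"))
    return findings


def fail_names(findings):
    """Mapping names (or 'line N') with at least one FAIL finding."""
    return {who for level, who, _ in findings if level == "FAIL"}


if __name__ == "__main__":
    for level, who, msg in check(SAMPLE_CRYPTTAB, SAMPLE_FSTAB):
        print(f"{level:4} {who:22} {msg}")
```

Run it as `python3 check_crypttab.py` against copies of the real files; the FAIL for `badkey` is the case the HowTo forbids, a key file stored on /boot. The check is purely static: it cannot tell whether the device a mount point comes from is itself inside the LUKS container, which is why `CLEARTEXT_MOUNTS` is an explicit list rather than something inferred.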
[CentOS-docs] Encrypting tmp swap and home
Hi everyone,

I added a page under the HowTos for Encryption, and then added a guide for encrypting /tmp, /swap and /home using cryptsetup and LUKS keys on LVM, when you already have partitions set up.

http://wiki.centos.org/HowTos/EncryptTmpSwapHome

Regards,
Max
Re: [CentOS-docs] Encrypting tmp swap and home
Marcus Moeller wrote:
> Please try to follow the wiki styling guidelines: http://wiki.centos.org/HowToContribute/EditingCentOSWiki
> That means you should e.g. use headings for titles and subtitles. Take a look at existing pages to see what I mean.

I write my stuff in HTML, and then use html2wiki to format it. My headings are formatted for my website, which saves me from writing two sets of documents since both places are identical in content to the page. It's never been a problem before with all the pages I've contributed to; at least no one has spoken up with the other pages.

Max
Re: [CentOS-docs] Encrypting tmp swap and home
Marcus Moeller wrote:
> We are just trying to offer a common look & feel on the wiki. I am going to rework your page so that you can see what I mean.

I understand and know what you mean, but it can be cumbersome and time consuming to have to write pages in multiple formats. I like writing docs for CentOS, but I also host them on my website where they are written in HTML first. I find wiki syntax to be annoying to write first drafts in, because that's just my preference. I'll try to be more mindful about it in the future, on future posts and pages.

Would you prefer to have documentation submitted by the community and people like myself who volunteer docs to delegated members to format uniformly on the wiki, rather than posting it myself?

Regards,
Max
Re: [CentOS-docs] Encrypting tmp swap and home
On Wed, 15 Oct 2008, Max Hetrick wrote:
> Marcus Moeller wrote:
>> We are just trying to offer a common look & feel on the wiki. I am going to rework your page so that you can see what I mean.
>
> I understand and know what you mean, but it can be cumbersome and time consuming to have to write pages in multiple formats. I like writing docs for CentOS, but I also host them on my website where they are written in HTML first. I find wiki syntax to be annoying to write first drafts in, because that's just my preference. I'll try to be more mindful about it in the future, on future posts and pages.
>
> Would you prefer to have documentation submitted by the community and people like myself who volunteer docs to delegated members to format uniformly on the wiki, rather than posting it myself?

Would it be possible to change the resulting output of your html2wiki script to something the CentOS Wiki uses? I don't think it can be that hard as it mainly is the syntax for the headings.

--
-- dag wieers, [EMAIL PROTECTED], http://dag.wieers.com/
-- [Any errors in spelling, tact or fact are transmission errors]
Re: [CentOS-docs] Encrypting tmp swap and home
Marcus Moeller wrote:
> First I just want to make one thing clear: I really appreciate your work which is well done. There are just some small formatting rules you should mind. As mentioned it's mostly about headings. I am going to rework it for you.
>
> In general I (and a few other wiki contributors) try to take care of the styling and re-work pages to fulfill our needs. But (at least me) always add changelog notes on style modification to line out what I have done and try to talk to the original contributor so that she/he could do it on her/his own on future additions.

I'm not trying to start an argument, so let's just drop this conversation and I'll deal with it. When I get time, I'll re-work all my pages on the wiki with what you want, but I can't guarantee when that will be.

Thanks,
Max
Re: [CentOS-docs] Encrypting tmp swap and home
Dag Wieers wrote:
> Would it be possible to change the resulting output of your html2wiki script to something the CentOS Wiki uses? I don't think it can be that hard as it mainly is the syntax for the headings.

Dag,

I don't know, honestly. It's a Perl program I found, and I'm not a programmer. There seem to be no options for changing the output of what headings you want equaling to the outcome.

http://search.cpan.org/dist/HTML-WikiConverter/bin/html2wiki

You just choose a wiki dialect and it spits out the formatting, without much option for anything else.

Max
Re: [CentOS-docs] Encrypting tmp swap and home
Marcus Moeller wrote:
> There are just some small formatting rules you should mind.

Fixed. I also fixed all my other pages while I was at it, so I didn't have to worry about them. In the future, I'll make sure the formatting is correct on any new material I submit.

Thanks,
Max
Re: [CentOS-docs] Encrypting tmp swap and home
Filipe Brandenburger wrote:
> html2wiki --dialect MoinMoin my_file.html | sed '/^=/s/==\(=*\)/\1/g'

Thanks, Filipe. That changes all the headings to = Title 1 =. I think I'll contact the maintainer of html2wiki and see if they know whether or not the MoinMoin dialect is behaving the way it is. Once I investigated it, I really think it's not behaving the way it should for MoinMoin. In the meantime, I'll play around with your sed one-liner there.

Thanks!
Max
Re: [CentOS-docs] Encrypting tmp swap and home
On Wed, Oct 15, 2008 at 18:40, Max Hetrick [EMAIL PROTECTED] wrote:
>> html2wiki --dialect MoinMoin my_file.html | sed '/^=/s/==\(=*\)/\1/g'
>
> That changes all the headings to = Title 1 =.

No it doesn't. It removes two = from each line that starts with a = (i.e. is a title line). So it transforms

  === title 3 ===      into  = title 1 =
  ==== title 4 ====    into  == title 2 ==
  ===== title 5 =====  into  === title 3 ===

Wasn't that what you needed?

Filipe
Re: [CentOS-docs] Encrypting tmp swap and home
Filipe Brandenburger wrote:
> No it doesn't. It removes two = from each line that starts with a = (i.e. is a title line). So it transforms
>
>   === title 3 ===      into  = title 1 =
>   ==== title 4 ====    into  == title 2 ==
>   ===== title 5 =====  into  === title 3 ===

Ahhh, crap! You're right. I realized I just ran it on the file that I corrected into proper formatting, that I used to change the guide into what the wiki format needs. It's been a long day.

Thanks, again. I'll use this until I get my things fixed up, and then I'll still contact the html2wiki developer to get this corrected for good.

Thanks a bunch.
Max