RE: [CentOS-docs] Encrypting tmp swap and home

2008-10-17 Thread Chris *
Another post asked if I have a wiki account.  The answer is "no".  I think that 
at this point it would be better if I did for this article.

In response to some of the points by Tru:

> to be verified: you need to make a GUI install, the text mode installation
> method does not have the lvm creation feature.

Very true, Tru.  This detail is actually a hold-over from one of the documents 
that I used as a source.  I have not actually tried a text-mode install but it 
should definitely be verified.

> imho, should be emphasized -> and some figures hinted for the minimal size of 
> sda3 (swap+/)

Emphasis is not a problem.  As for the size of sda3, I can try to clarify the 
sizes.  The document states that sda3 should be smaller than what will become 
sda2 so that there is room for the encryption overhead, but as for the sizes of 
things such as swap and other partitions, the best I know to do is refer to 
CentOS/RedHat documentation.  I am open to other suggestions.

> make the patch file available and the command to apply it:
> wget http://../mkinitrd.patch -O /tmp/mkinitrd.patch
> cd / && patch -p1 < /tmp/mkinitrd.patch

Is there a good place to make it available?  Would something such as 
sourceforge be best?

> non dd version?
> vgextend + pvmove + vgreduce ?

A quick Google search found that this would be possible, but there is a 
trade-off.  Section 4.1 of the page 
http://www.planamente.ch/emidio/docs/linux/dm-crypt/dm-crypt-4.html explains 
the trade-off.  It's basically a single dm-crypt device with a single 
passphrase for the entire disk vs multiple dm-crypt devices each with its own 
passphrase.  If this type of option were to be added to the document, I think 
that it should probably go into the "Optional Configurations" section so that 
the main document can be a cookie-cutter step by step for people to follow.

> >  # pvresize --setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm
> why not just pvresize /dev/mapper/lvm ?
> should it detect the size by itself?

I believe that it will.  I think I listed the command that way so that it would 
allude to the fact that you don't have to use the entire disk if you didn't 
want.  You can increase the size of /dev/sda2 and still have some space on the 
disk for additional volumes, encrypted devices, etc.  That's what the "Optional 
Configurations" area tries to detail a little more.

> > NOTE: To make the encrypted system the default system, make the above lines 
> > the first block listed in grub.conf
> or set the default value 

True.  I phrased that section with the intent that the original grub entries 
would be removed along with the unencrypted install, in which case the entry for 
the encrypted system would end up at the default value of 0. 

> >  # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00
> > 
> same question, here (autodetection) if you only want to extend a single 
> logical volume.
> lvextend /dev/VolGroup00/LogVol00

This was in case LVM was built with multiple logical volumes.  You would want 
to specify the size of each volume that you want to increase so the first one 
doesn't take all space and leave no room for the others to grow.  I probably 
need to clarify that point.

Chris
 

> Date: Fri, 17 Oct 2008 09:35:00 +0200
> From: [EMAIL PROTECTED]
> To: centos-docs@centos.org
> Subject: Re: [CentOS-docs] Encrypting tmp swap and home
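An added example (not from the wiki document or this thread) that puts the LVM points discussed above into one script: pvresize without an explicit size, lvextend with a size per logical volume so the first one does not swallow all free space, and the vgextend/pvmove/vgreduce alternative to dd. It assumes the thread's names (VolGroup00, /dev/sda3, /dev/mapper/lvm) and that this lvm2 accepts the +100%FREE form for -l; with DRY_RUN=1 (the default) it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the wiki document or this thread. DRY_RUN=1
# (the default) prints each LVM command instead of running it.
set -eu
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Grow the PV to the whole resized sda2: pvresize detects the new
# device size itself, so --setphysicalvolumesize is not needed.
grow_pv() {
    run pvresize "$1"
}

# Extend several LVs from "lv:size" pairs. Giving each LV its own size
# keeps the first from taking all free space; the last entry may use
# 100%FREE (assumed supported by this lvm2) to absorb the remainder.
# The filesystem inside each LV still has to be grown afterwards.
extend_lvs() {
    vg="$1"; shift
    for spec in "$@"; do
        lv="${spec%%:*}"
        size="${spec#*:}"
        case "$size" in
            *%FREE) run lvextend -l "+$size" "/dev/$vg/$lv" ;;
            *)      run lvextend -L "+$size" "/dev/$vg/$lv" ;;
        esac
    done
}

# Non-dd migration raised in the thread: make the opened dm-crypt device
# a PV, move every extent off sda3 onto it, then drop sda3 from the VG.
migrate_pv() {
    vg="$1"; old="$2"; new="$3"
    run pvcreate "$new"
    run vgextend "$vg" "$new"
    run pvmove "$old" "$new"
    run vgreduce "$vg" "$old"
}

# Usage with the thread's names (sizes are constructed examples).
migrate_pv VolGroup00 /dev/sda3 /dev/mapper/lvm
grow_pv /dev/mapper/lvm
extend_lvs VolGroup00 LogVol00:10G LogVol01:100%FREE
```

Run it as root with DRY_RUN=0 only after the sda2 partition has been resized with fdisk as the document describes; the dry run is the place to check the generated commands first.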

Re: [CentOS-docs] Encrypting tmp swap and home

2008-10-17 Thread Tru Huynh
On Thu, Oct 16, 2008 at 09:41:12PM -0400, Chris * wrote:
> 
> I had submitted a document to this list a few weeks back that gave
...
nice write-up, minor typo/corrections in the text added below.

Cheers,

Tru
> Summary
...
> 
> Step One: Prepare the disk
> The first step is to prepare the disk. The installer partitioning software
> doesn't have the flexibility to be able to do this, so you will need to
> switch to the shell and perform the setup manually.

to be verified: you need to make a GUI install, the text mode installation
method does not have the lvm creation feature.

> Once the installer has moved into the GUI, press Ctrl-Alt-F2 to get a command 
> prompt.
...
> 
> Use fdisk to create the partitions for install. You will need to create a
> /boot partition and an LVM partition at the end of the disk. The gap in
> between the two partitions will become your encrypted file-system. This
> document will refer to the boot partition as /dev/sda1 and the install
> partition at the end of the disk as /dev/sda3. The encrypted partition will
> become /dev/sda2.

imho, should be emphasized -> and some figures hinted for the minimal size of 
sda3 (swap+/)

> The partition at the end of the disk should be smaller than the empty space
> between /boot and your LVM partition so that there is room for the meta-data
> associated with the encryption. The LVM partition really only needs to be
> large enough to install the system. You will be able to expand the system
> volumes if you like after you have a working, encrypted system.
> 
...
> 
> Step Two: Installing the OS
> The installation must be done using the graphical installer because the text 
> installer doesn't allow a custom installation to use LVM.
should be placed above, since the installer has already started.

...
> 
> Step Three: Create the encrypted partition
> 
> Step Four: Configure mkinitrd for encrypted system
>
> Make a backup copy of /sbin/mkinitrd. Future updates of the mkinitrd package
> will overwrite it, but the changes will allow future kernel updates to
> properly build an initrd. Modify /sbin/mkinitrd per the patch below. The
> patch modifies the MODULES line so that initrd has the proper modules for
> encryption, adds cryptsetup to initrd, and configures initrd to open the
> encrypted file-system.
> 
make the patch file available and the command to apply it:
wget http://../mkinitrd.patch -O /tmp/mkinitrd.patch
cd / && patch -p1 < /tmp/mkinitrd.patch

> Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted 
> sda2.
> 
>  # dd if=/dev/sda3 of=/dev/mapper/lvm
non dd version?
vgextend + pvmove + vgreduce ?

> NOTE: To make the encrypted system the default system, make the above lines 
> the first block listed in grub.conf
or set the default value 

> Once the encrypted system is confirmed to be working correctly, remove the
> unencrypted system. Randomize /dev/hda3 by using either shred or dd. Once
 ^ sda3
> Use the fdisk command to resize sda2 to fill the entire disk.
> 
...
> 
>  # pvresize --setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm
why not just pvresize /dev/mapper/lvm ?
should it detect the size by itself?
> Extend the logical volumes of the system with lvextend. man lvextend for more 
> information on the command.
> 
>  # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00
> 
same question, here (autodetection) if you only want to extend a single logical 
volume.
lvextend /dev/VolGroup00/LogVol00


-- 
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B


___
CentOS-docs mailing list
CentOS-docs@centos.org
http://lists.centos.org/mailman/listinfo/centos-docs


Re: [CentOS-docs] Encrypting tmp swap and home

2008-10-17 Thread Max Hetrick

Max Hetrick wrote:
To further explain things, MoinMoin starts off headers with = Title 1 =, 
and here's the problem with the html2wiki converter: it actually doesn't 
convert the h1 correctly with how I would logically think it should work.


I contacted the Perl developer of HTML-WikiConverter-MoinMoin and 
explained the problem. It's definitely a bug in the converter dialect.


The author asked me to file a bug report for him on CPAN, so I did so. 
In the meantime, I'll use Filipe's sed script to get the output needed. 
In case anyone else is using this, I wanted to follow up.


Changes were made to the encryption page, as well as corrections to the 
rest of my pages. When you get a chance, Marcus, take a look and make 
sure the formatting is correct.


Thanks.
Max



Re: [CentOS-docs] Encrypting tmp swap and home

2008-10-17 Thread Ralph Angenendt
Chris * wrote:
> 
> I had submitted a document to this list a few weeks back that gave
> instructions for whole disk encryption which would cover /tmp /home
> /swap and everything other than /boot.  I did not ask for space in the
> wiki because i thought it was waiting for "peer review" for accuracy.
> That entire thread seemed to simply die so I haven't pursued the wiki
> any further.  I already have this document in a wiki format at work
> and would be happy to submit it to the CentOS wiki should it pass
> muster.  The contents of my last post are:

Ooops, that must have slipped by me, sorry. Got a wiki account?


> Whole (Most) Disk Encryption on CentOS 5

Good. I'm going to move the TipsAndTricks "EnctyptedFileSystem" to the
HowTo section also, and we can create that page too.

Cheers,

Ralph

