JeverTM n00b
Joined: 21 May 2014 Posts: 3
Posted: Wed May 21, 2014 4:37 pm    Post subject: Installation with LVM/cryptsetup on multiple drives
Hi all,
I have a special problem:
I'm running a configuration with cryptsetup and LVM on one HDD:
sda
|->sda1: boot
|->sda2: cryptsetup
--|->LVM with / and /home and swap
(quite common)
Now I want to add a HDD with encryption for files every user shares and mount it at /home/Media.
Without encryption it's easy, I make an entry in fstab.
Manually I can mount the encrypted partition:
# cryptsetup luksOpen /dev/sdc1 MEDIA
enter PW for /dev/sdc1:
# mount /dev/mapper/MEDIA /home/Media/
Is there a way to have MEDIA mounted at boot or login without
- storing the PW in a (script) file
- spanning the LVM or crypt-partition over both HDDs, I want to be able to replace one of them easily so I need to be sure only and all files in /home/Media are stored on sdc
- and if possible: typing the PW for sda2 and sdc1 separately
I would appreciate any suggestions.
Jörg
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed May 21, 2014 6:20 pm    Post subject: Re: Installation with LVM/cryptsetup on multiple drives
JeverTM wrote:
    Is there a way to have MEDIA mounted at boot or login without
    - storing the PW in a (script) file
    - spanning the LVM or crypt-partition over both HDDs, I want to be able to replace one of them easily so I need to be sure only and all files in /home/Media are stored on sdc
    - and if possible: typing the PW for sda2 and sdc1 separately
Jörg ... yes, I assume that currently your encrypted root is luksOpen'd via initramfs, so add the details for sdc1 to /etc/conf.d/dmcrypt and add dmcrypt to the boot runlevel. You would then provide the password for sda2 from the initramfs, and then the password for sdc1 further in the boot process.
HTH & best ... khay
JeverTM n00b
Joined: 21 May 2014 Posts: 3
Posted: Thu May 22, 2014 7:57 pm
Thank you khayyam. That is exactly what I did but I'm not 100% satisfied.
At the end everyone has to type the PW for all partitions separately. That is not as convenient as I wish it would be.
Isn't there a way to use the same PW for all partitions and type it once; like truecrypt works for Windows with system favorites?
Since passing the parameter 'crypt_root=/dev/sda2,/dev/sdc1' to the kernel at boot does not work maybe editing the initramfs manually could? Does dracut help with a genkernel generated initramfs?
Or I have to change the source code of the package itself to understand 'crypt_root=/dev/sda2,/dev/sdc1' - but what package would I have to change?
Has anyone else thought about such a scenario? Maybe we can do something for it.
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Thu May 22, 2014 8:37 pm
JeverTM wrote:
    At the end everyone has to type the PW for all partitions separately. That is not as convenient as I wish it would be.
JeverTM ... no, just twice, once for sda2 (during initramfs stage) and once for sdc1 (during boot) ... and this is what you asked for:
JeverTM wrote:
    - and if possible: typing the PW for sda2 and sdc1 separately
... but now it seems you don't want this ...
JeverTM wrote:
    Isn't there a way to use the same PW for all partitions and type it once
JeverTM wrote:
    Since passing the parameter 'crypt_root=/dev/sda2,/dev/sdc1' to the kernel at boot does not work maybe editing the initramfs manually could? Does dracut help with a genkernel generated initramfs?
I don't use either genkernel or dracut so I can't comment on them.
JeverTM wrote:
    Or I have to change the source code of the package itself to understand 'crypt_root=/dev/sda2,/dev/sdc1' - but what package would I have to change?
I doubt this is the intended use of 'crypt_root', if its function is the same as its name then it refers to the rootfs, but again I'm not familiar with genkernel. If you want something like the above then better-initramfs supports "enc_root=/dev/sda2:/dev/sdb2:/dev/sdc2" but this will not use the same password, it calls luksOpen for each item in the variable. You could probably adapt the init within the initramfs to ask for the pass and use this as input to the luksOpen command, but you would then need to use the same passphrase for each luks volume.
HTH & best ... khay
wraeth Developer
Joined: 08 May 2007 Posts: 72 Location: Australia
Posted: Sat May 24, 2014 3:55 am
DMCrypt has the ability to use a keyfile for unlocking crypted containers.
You could create a random-generated keyfile and add it to a keyslot for the container and store the file somewhere secure (eg /root/keyfile). This should allow only the single password required for the root partition, and when dm-crypt loads it will use the keyfile to unlock the shared media partition transparently.
Code:
    # Generate 4 MiB of random key material, readable by root only
    dd if=/dev/urandom of=/root/keyfile bs=1M count=4
    chmod 400 /root/keyfile
    # Enrol the keyfile in a free LUKS keyslot (prompts for an existing passphrase)
    cryptsetup luksAddKey /dev/sdc1 /root/keyfile
    # Check the keyfile: open the container with it instead of a passphrase
    cryptsetup -d /root/keyfile open /dev/sdc1 media
Provided that works, you would configure DMCrypt and add it to your boot or default runlevel (the file is well commented). This way, you have your media partition transparently mounted; you don't have a cleartext passphrase and the key is stored securely. This is the only method I am aware of without requiring entering a passphrase for each device.
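Putting khayyam's /etc/conf.d/dmcrypt pointer and wraeth's keyfile recipe together, here is an added example that is not from either poster: a small script that sanity-checks the keyfile's permissions and size before dmcrypt is allowed to use it, and prints the matching dmcrypt stanza and fstab line. It assumes GNU coreutils (`stat -c`), the Gentoo dmcrypt configuration keys `target=`/`source=`/`key=`, and ext4 as the filesystem on the media partition (the thread never names one); the device, mapper name and keyfile path are the ones used in the thread.

```bash
#!/bin/bash
# Added example, not code from the thread. Assumes GNU stat, Gentoo-style
# /etc/conf.d/dmcrypt (target=/source=/key=) and an ext4 media filesystem.

# check_keyfile FILE: 0 when FILE is a regular file readable only by its
# owner (mode 400 or 600) and holds at least 32 bytes of key material.
# A keyfile that group/world can read is a cleartext key for /dev/sdc1.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        400|600) ;;
        *) echo "mode $mode too permissive on $f (want 400)" >&2; return 1 ;;
    esac
    size=$(stat -c '%s' "$f")
    [ "$size" -ge 32 ] || { echo "keyfile too short: $size bytes" >&2; return 1; }
    return 0
}

# dmcrypt_stanza TARGET SOURCE KEYFILE: the /etc/conf.d/dmcrypt block that
# maps SOURCE to /dev/mapper/TARGET using KEYFILE instead of a prompt.
dmcrypt_stanza() {
    printf 'target=%s\nsource=%s\nkey=%s\n' "$1" "$2" "$3"
}

# fstab_line TARGET MOUNTPOINT FSTYPE: the /etc/fstab entry that mounts the
# opened container. FSTYPE is an assumption; the thread does not name one.
fstab_line() {
    printf '/dev/mapper/%s\t%s\t%s\tdefaults\t0 2\n' "$1" "$2" "$3"
}

# Stand-alone demonstration on a constructed keyfile in a temporary
# directory, so it runs without root or a real LUKS device.
demo() {
    dir=$(mktemp -d)
    keyfile="$dir/keyfile"
    dd if=/dev/urandom of="$keyfile" bs=1M count=4 2>/dev/null
    chmod 400 "$keyfile"
    check_keyfile "$keyfile" && echo "keyfile OK: $keyfile"
    echo "--- /etc/conf.d/dmcrypt ---"
    dmcrypt_stanza MEDIA /dev/sdc1 /root/keyfile
    echo "--- /etc/fstab ---"
    fstab_line MEDIA /home/Media ext4
    rm -rf "$dir"
}

demo
```

Two properties make this arrangement hold up: /root must itself live on the LUKS-encrypted root (sda2), so the keyfile is only ever readable after the first passphrase has been entered, and the keyfile goes into an additional keyslot, so the original passphrase still opens sdc1 if the drive is moved to another machine or the keyfile is lost.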
JeverTM n00b
Joined: 21 May 2014 Posts: 3
Posted: Sat May 24, 2014 7:39 pm
@wraeth
This sounds like a very good idea.
I thought about a script getting the key via secret-tool and opening/mounting the device at login. But I had problems with user rights, root doesn't get the PW and user cannot run cryptsetup.
I'll go with the keyfile for now.
Thank you folks.