Gentoo Forums
[solved] resize / grow luks encrypted systemdisk
Elleni
Veteran
Joined: 23 May 2006
Posts: 1270

Posted: Thu Jun 08, 2017 9:49 pm    Post subject: [solved] resize / grow luks encrypted systemdisk

My vps was upgraded today, and I got some more diskspace available.

It contains three partitions,

sda3 is on the beginning of the disk, and contains an ext4 luks encrypted system partition including boot. There is no lvm.
sda2 is a small 500 MB unencrypted partition which I was able to move to the end of the disk containing systemrescue iso which is bootable from grub
sda1 is a swap partition also moved to the end of the disk - right before sda2.

So now I have some gigs free space right after sda3 and I want to resize / grow sda3 without reinstalling or losing data. Initramfs is containing a key to decrypt sda3 initially in order to let grub start. Grub asks me then for a password, and boots after successfully having authenticated.

As I am afraid of doing it wrongly I thought, I should ask here, what the correct steps are to grow sda3 and incorporate the free space in this system partition.

Is there a way to do it so I do not have to change the key in initramfs nor my password I use to set before grub boots the system?

I do not exactly remember how I had set up luks, I only remember that in genkernel conf I set up:

INITRAMFS_OVERLAY="/key"

in order to get the key included whenever I create a new initramfs after a kernel upgrade.

And I do have a corresponding key file in
/key/mnt/key/

Thanks in advance for helping me not to screw my server when trying to grow my encrypted system partition :)

Edit: I found the blog, which I was following to setup my encrypted partition:
copy/pasted it in case the blog would disappear :)

http://blog.guya.de/linux-gentoo-encrypted-boot-partition
Quote:
Linux (gentoo) encrypted boot partition

27. September 2015 · by cb1 · Categories: Linux · 0 Comments

The common way of linux encrypting your harddrive is using LVM, DM and Luks. You’ll find most of the implementations used by popular distributions leaving the boot partition unencrypted as the kernel modules needed for opening the luks partition must first be loaded somehow. However, there is a way to encrypt the whole disk including the boot partition and kernel: Make use of grub's cryptodisk feature.

Here is a rough sample how to setup full disk encryption with gentoo, LVM and Luks.

We use only one Luks-encrypted partition containing /boot and /root.

Before installing grub we take the following steps.

Get the UUID of the encrypted partition
# blkid /dev/sda1
/dev/sda1: UUID="057f8bad-c4d2-419c-95a0-f57aaa785a25" TYPE="crypto_LUKS" PARTUUID="0001c2d5-01"

Edit /etc/default/grub as follows
[...]
# Append parameters to the linux kernel command line
GRUB_CMDLINE_LINUX="root=/dev/ram0 crypt_root=UUID=057f8bad-c4d2-419c-95a0-f57aaa785a25 real_root=/dev/mapper/vg-root rootfstype=ext4 root_key=key dolvm"
[...]
GRUB_ENABLE_CRYPTODISK=y

In this case our volume group is named „vg“ and the partition is „root“. Also we need „root_key“ set for the next steps.

Now we can install grub the usual way into the MBR.
# grub2-install /dev/sda
# grub2-mkconfig -o /boot/grub/grub.cfg

At this point grub will prompt for a passphrase for the encrypted partition just before loading the normal boot menu. By selecting the boot entry it will proceed with loading the kernel. But grub will not pass the passphrase to the kernel, meaning that the kernel will ask again for the key to open the luks partition.
To avoid the need of entering the password twice, we will place a keyfile in another key slot of our partition. And the trick: We will place the keyfile in the initramfs and tell the boot scripts to look for it. Sounds silly? Yes! But as the entire partition including the /boot directory is encrypted, the initramfs will be encrypted, too.

Gentoo's boot script for luksOpen will look in /mnt/key/ for the keyfile. As we set the name „key“ in the kernel parameters, our keyfile in the initramfs will be /mnt/key/key.
The genkernel scripts know a parameter called „INITRAMFS_OVERLAY“ to put our own files in the initramfs. We create the folders /key/mnt/key/, put our keyfile in /key/mnt/key/key and tell genkernel to overlay the folder /key.

Edit /etc/genkernel.conf
INITRAMFS_OVERLAY="/key"

Genkernel will now copy the directory structure of /key/ in the initramfs and our keyfile will be placed in /mnt/key/key.
While booting the script will try to mount a key device but as we have not set one, it will simply use the key file in the initramfs. Dirty, but it works and seems to be update-safe.

This article is just a quick summary but will be extended soon. Comments are appreciated.


Last edited by Elleni on Fri Jun 09, 2017 5:01 pm; edited 1 time in total
Pravorskii Andrii
n00b
Joined: 06 Jun 2017
Posts: 6

Posted: Fri Jun 09, 2017 4:54 pm    Post subject:

Post output:
Code:

lsblk
fdisk -l
Elleni
Veteran
Joined: 23 May 2006
Posts: 1270

Posted: Fri Jun 09, 2017 5:00 pm    Post subject:

After doing some reading I decided to just try it, crossed fingers, and did:

- boot systemrescue iso
- fired fdisk and deleted crypted partition
- re-created partition starting at same block
- rebooted to systemrescue iso again
- decrypted partition with:
cryptsetup luksOpen /dev/sda3 crypt-root
- checked filesystem with
e2fsck -f /dev/mapper/crypt-root
- resized with
resize2fs /dev/mapper/crypt-root
- mounted partition and checked with df -h if it has been grown
- umounted partition
- closed with
cryptsetup luksClose crypt-root

And rebooted.

Everything went smoothly :)
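A pre-flight check for the delete-and-recreate step in the post above, added here as an example (it is not from the thread): it compares `sfdisk -d` dumps taken before and after repartitioning and reports a problem unless the partition kept its start sector, grew, and overlaps no neighbour. The dump contents and the function names `part_field` and `check_regrow` are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample `sfdisk -d` lines (not from the thread): layout before
# the change, a correct regrow, and a regrow whose start sector moved.
BEFORE='/dev/sda1 : start=    40962048, size=     1024000, type=82
/dev/sda2 : start=    41986048, size=     1024000, type=83
/dev/sda3 : start=        2048, size=    20969472, type=83'
AFTER_OK='/dev/sda1 : start=    40962048, size=     1024000, type=82
/dev/sda2 : start=    41986048, size=     1024000, type=83
/dev/sda3 : start=        2048, size=    40960000, type=83'
AFTER_MOVED='/dev/sda1 : start=    40962048, size=     1024000, type=82
/dev/sda2 : start=    41986048, size=     1024000, type=83
/dev/sda3 : start=        4096, size=    40957952, type=83'

part_field() {   # part_field DUMP DEVICE start|size -> numeric value
    printf '%s\n' "$1" | sed -n "s|^$2 *: .*$3= *\([0-9][0-9]*\).*|\1|p"
}

check_regrow() {   # check_regrow BEFORE AFTER DEVICE -> 0 if safe to resize2fs
    old_start=$(part_field "$1" "$3" start); new_start=$(part_field "$2" "$3" start)
    old_size=$(part_field "$1" "$3" size);   new_size=$(part_field "$2" "$3" size)
    if [ -z "$old_start" ] || [ -z "$new_start" ]; then
        echo "$3 missing from a dump"; return 2
    fi
    # The LUKS header and its key slots sit at the first sector of the
    # partition; a different start sector means luksOpen cannot find them.
    if [ "$new_start" -ne "$old_start" ]; then
        echo "start moved $old_start -> $new_start"; return 1
    fi
    if [ "$new_size" -le "$old_size" ]; then
        echo "size did not grow ($old_size -> $new_size)"; return 1
    fi
    new_end=$((new_start + new_size))
    for dev in $(printf '%s\n' "$2" | sed -n 's|^\(/dev/[^ ]*\) *:.*|\1|p'); do
        [ "$dev" = "$3" ] && continue
        o_start=$(part_field "$2" "$dev" start)
        o_end=$((o_start + $(part_field "$2" "$dev" size)))
        if [ "$o_start" -lt "$new_end" ] && [ "$o_end" -gt "$new_start" ]; then
            echo "overlaps $dev"; return 1
        fi
    done
    echo "ok: $3 grew by $((new_size - old_size)) sectors"
}

check_regrow "$BEFORE" "$AFTER_OK" /dev/sda3
check_regrow "$BEFORE" "$AFTER_MOVED" /dev/sda3 || true
```

Because the key slots live in the header at the unchanged start sector, both the passphrase and the initramfs keyfile keep working after a regrow that passes this check.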
jonathan183
Guru
Joined: 13 Dec 2011
Posts: 318

Posted: Fri Jun 09, 2017 11:23 pm    Post subject:

Increasing the size of a luks encrypted partition should be fairly straightforward, reducing the size is a bit more of an issue as I indicated here. I found that shrinking and expanding a filesystem gave slightly different results to just creating a luks partition of the same size (see my last post in the link). Based on my experience of doing this I'd suggest a backup of data, create new partition and copy things over (quicker, safe and less potential for things to only be revealed as a problem later) - I can see from your post why you did not want to do this ... glad things worked out for you 8)