From: dhvvcb@lavabit.com
To: dm-crypt@saout.de
Subject: [dm-crypt] Boot from fully encrypted disk which looks like unused
Date: Sun, 22 May 2011 21:53:02 +0600
Message-ID: <1306079582.2173.6.camel@localhost>
Using luks is the standard way of booting from an encrypted disk. However,
the luks header is not encrypted, and it may cause a security issue when it
is necessary to hide the fact of encryption.
The usual section of grub.conf when the root file system is placed on an
unencrypted disk has the form:
title Fedora 12
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/sda1
LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us
rhgb quiet
initrd /boot/initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img
Boot works.
After this I rsync this file system as a whole to a filesystem on an
encrypted virtual disk /dev/mapper/hdd2 corresponding to another
physical disk, for example /dev/sdb. Then I created an additional
section in grub.conf so as to make it possible to boot from /dev/sdb. It
looks the same as above, but with some distinctions. The location of the
bootloader and kernel image is unchanged (1st sector and /boot
directory); only the root filesystem is transferred onto the new encrypted
device.
title Fedora 12 NEW
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro
root=/dev/mapper/hdd2 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16
KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
initrd /boot/initramfs-NEW.img
Two modifications of the initial section have been done:
1. root=/dev/sda1 ---> root=/dev/mapper/hdd2
2. initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img ---> initramfs-NEW.img
The second modification is needed to prepare /dev/mapper/hdd2 before
mounting it as the root filesystem, so changing the initramfs is necessary. I
did it in the following way.
1. At the beginning of /mount/mount-root.sh, before the 'mount' command, I
put the line:
cryptsetup -d /etc/key -c aes-cbc-essiv:sha256 -s 256 create
hdd2 /dev/sdb
2. The key file is added to /etc.
After this I reboot and select the second item in the grub menu. During the
boot the following messages appear:
WARNING: Deprecated config file /etc/modprobe.conf, all config files
belong into /etc/modprobe.d/.
(... the same line repeats a number of times ...)
No root device found
Boot has failed, sleeping forever
Please give me a suggestion as to what I should do to solve the problem.
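An added example, not part of this mail or of the dm-crypt project, that audits the two artefacts the recipe above depends on: it parses GRUB-legacy stanzas (rejoining the wrapped kernel line) to find which initramfs each root= device boots with, and it reads a newc-format cpio archive, the container an initramfs image uses, to report what that image gives away when it lives on the unencrypted /boot partition. The key path /etc/key and the hdd2/sdb names come from the mail; the grub.conf text and the initramfs archive are constructed in memory here, and the check treats dm-crypt as a loadable module (a kernel with it built in needs no dm-crypt.ko).

```python
import re

# Constructed copy of the two grub.conf sections from the mail, with the
# kernel lines wrapped the way they appeared in the message.
GRUB_CONF = """\
title Fedora 12
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/sda1
rhgb quiet
initrd /boot/initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img
title Fedora 12 NEW
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro
root=/dev/mapper/hdd2 rhgb quiet
initrd /boot/initramfs-NEW.img
"""

KEYWORDS = ("title", "root", "kernel", "initrd")

def parse_grub_stanzas(text):
    """Split GRUB-legacy grub.conf text into stanzas; wrapped lines are rejoined."""
    lines = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.split()[0] in KEYWORDS or not lines:
            lines.append(line)
        else:                      # continuation of the previous (wrapped) line
            lines[-1] += " " + line
    stanzas = []
    for line in lines:
        key, _, value = line.partition(" ")
        if key == "title":
            stanzas.append({"title": value, "cmdline": ""})
        elif key == "kernel" and stanzas:
            stanzas[-1]["kernel"], _, stanzas[-1]["cmdline"] = value.partition(" ")
        elif stanzas:
            stanzas[-1][key] = value
    return stanzas

def root_device(stanza):
    """The root= argument of the stanza's kernel command line, or None."""
    m = re.search(r"(?:^|\s)root=(\S+)", stanza["cmdline"])
    return m.group(1) if m else None

CPIO_MAGIC = b"070701"          # "newc" cpio format, as used by initramfs images

def _pad4(n):
    return (4 - n % 4) % 4

def build_newc_cpio(files):
    """Pack {path: bytes} into an uncompressed newc cpio archive (an initramfs)."""
    out = bytearray()
    for ino, (path, data) in enumerate(list(files.items()) + [("TRAILER!!!", b"")], 1):
        name = path.encode() + b"\0"
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name), 0]
        header = CPIO_MAGIC + b"".join(b"%08X" % f for f in fields)   # 110 bytes
        out += header + name + b"\0" * _pad4(len(header) + len(name))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)

def read_newc_cpio(blob):
    """Yield (path, data) for each member up to the TRAILER!!! record."""
    pos = 0
    while pos + 110 <= len(blob):
        if blob[pos:pos + 6] != CPIO_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % pos)
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = blob[pos + 110:pos + 110 + namesize - 1].decode()
        data_start = pos + 110 + namesize + _pad4(110 + namesize)
        if name == "TRAILER!!!":
            return
        yield name, blob[data_start:data_start + filesize]
        pos = data_start + filesize + _pad4(filesize)

def audit_initramfs(blob, key_paths=("etc/key",)):
    """Report what the image reveals on an unencrypted /boot, and which pieces a
    'cryptsetup create' run from the early-boot scripts needs to find inside it."""
    members = {path for path, _ in read_newc_cpio(blob)}
    exposed = ["/" + p for p in key_paths if p in members]
    has_tool = any(p.endswith("/cryptsetup") for p in members)
    has_module = any(p.endswith("/dm-crypt.ko") for p in members)   # assumes modular dm-crypt
    return {
        "plaintext_keys": exposed,
        "reveals_encryption": bool(exposed or has_tool or has_module),
        "missing_for_plain_dmcrypt": [n for n, ok in (("cryptsetup", has_tool),
                                                      ("dm-crypt.ko", has_module)) if not ok],
    }

# Constructed initramfs mirroring the mail's recipe: key file in /etc, cryptsetup
# called from mount-root.sh, and no dm-crypt module packed into the image.
NEW_INITRAMFS = build_newc_cpio({
    "etc/key": b"\x13\x37" * 16,
    "sbin/cryptsetup": b"\x7fELF (placeholder binary)",
    "mount/mount-root.sh": b"cryptsetup -d /etc/key -c aes-cbc-essiv:sha256 -s 256 create hdd2 /dev/sdb\n",
})

if __name__ == "__main__":
    for stanza in parse_grub_stanzas(GRUB_CONF):
        print(stanza["title"], "->", root_device(stanza), stanza.get("initrd"))
    print(audit_initramfs(NEW_INITRAMFS))
```

Running the audit against a real image means decompressing it first (initramfs images are usually gzip-compressed cpio) and passing the resulting bytes to audit_initramfs; the point of the plaintext_keys finding is that a key file packed into the image is readable by anyone who can read /boot, which is exactly the partition the recipe leaves unencrypted.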