From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access?
Date: Sun, 27 Apr 2014 22:32:16 +0200
Message-ID: <20140427203216.GA29997@tansi.org>
In-Reply-To: <CAJ0AGf_S7iA-0_9qwcxS8KLKVYv_48Ptz+Hs-Fjm=-eUCKt+uw@mail.gmail.com>
Sounds like a problem you should complain to Ubuntu about.
This mailing list here is only for the raw "cryptsetup"
command...
Arno
On Sun, Apr 27, 2014 at 19:00:00 CEST, Dáire Fagan wrote:
> Hi
>
> Although the /dev/mapper/vg-shared volume mounts at boot automatically
> like /root and /home, and although I can open it without having to
> enter the passphrase again, I cannot create files on it.
>
> From the commands below, that I used to set up /root, /home, and swap
> mounting at boot with a single passphrase entry, I have tried
> replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo
> mount /dev/vg/shared /mnt' but then when i go onto the next command
> 'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed
> to run command ‘mount’: No such file or directory'.
>
> Can anyone tell me how I should edit the following commands so that
> /dev/vg/shared not only mounts at boot, but I can also write to it?
> Is my encryption method below best practice, apart from needing to run
> cryptsetup first? Is there any way to have the partition appear as
> /media/daire/shared instead of a long /media/daire/long-hex-string?
>
> sudo cryptsetup luksOpen /dev/sda6 enc-pv
> Enter passphrase for /dev/sda6:
> sudo mount /dev/vg/ubuntu-root /mnt
> sudo chroot /mnt mount /proc
> sudo mount --bind /dev /mnt/dev
> sudo chroot /mnt mount /boot
> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
> sudo chroot /mnt update-initramfs -u
> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
>
> Would it be messy to just use something like sudo chown -R $daire:$daire
> /mnt/shared ?
>
> ==================================================================================
>
> If you need more information the following is how I have encrypted the
> /root, /home, and swap partitions on a disk already containing Windows
> 8.1 and only require a single passphrase entry on boot:
>
> (I have read the Ubuntu alternate install CD used to offer this option
> before Canonical cancelled it)
>
> I create 500 MiB ext4 sda5 partition that will later be assigned as
> /boot (UEFI Win 8.1 partitions on sda1, sda2, sda3, and sda4)
>
> sudo dd if=/dev/urandom of=/dev/sda6
>
> 12 hours elapse.
>
> dd: writing to ‘/dev/sda6’: No space left on device
> 660092929+0 records in
> 660092928+0 records out
> 337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s
>
> modprobe dm-crypt
> modprobe aes-x86_64
> modprobe sha256
>
> When I do this over I will run cryptsetup benchmark first to see which
> iteration and algorithm works best for my system.
>
> sudo cryptsetup luksFormat /dev/sda6
>
> WARNING!
> ========
> This will overwrite data on /dev/sda6 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> sudo cryptsetup luksOpen /dev/sda6 enc-pv
> Enter passphrase for /dev/sda6:
>
> sudo pvcreate /dev/mapper/enc-pv
> Physical volume "/dev/mapper/enc-pv" successfully created
> sudo vgcreate vg /dev/mapper/enc-pv
> Volume group "vg" successfully created
> sudo lvcreate -L 8.5G -n swap vg
> Logical volume "swap" created
> sudo lvcreate -L 20G -n ubuntu-root vg
> Logical volume "ubuntu-root" created
> sudo lvcreate -L 50G -n ubuntu-home vg
> Logical volume "ubuntu-home" created
> sudo lvcreate -L 140G -n shared vg
> Logical volume "shared" created
>
> sudo lvdisplay
> --- Logical volume ---
> LV Path /dev/vg/swap
> LV Name swap
> VG Name vg
> LV UUID EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
> LV Write Access read/write
> LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
> LV Status available
> # open 0
> LV Size 8.50 GiB
> Current LE 2176
> Segments 1
> Allocation inherit
> Read ahead sectors auto
> - currently set to 256
> Block device 252:1
>
> --- Logical volume ---
> LV Path /dev/vg/ubuntu-root
> LV Name ubuntu-root
> VG Name vg
> LV UUID TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
> LV Write Access read/write
> LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
> LV Status available
> # open 0
> LV Size 20.00 GiB
> Current LE 5120
> Segments 1
> Allocation inherit
> Read ahead sectors auto
> - currently set to 256
> Block device 252:2
>
> --- Logical volume ---
> LV Path /dev/vg/shared
> LV Name shared
> VG Name vg
> LV UUID dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
> LV Write Access read/write
> LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
> LV Status available
> # open 0
> LV Size 140.00 GiB
> Current LE 35840
> Segments 1
> Allocation inherit
> Read ahead sectors auto
> - currently set to 256
> Block device 252:4
>
> --- Logical volume ---
> LV Path /dev/vg/ubuntu-home
> LV Name ubuntu-home
> VG Name vg
> LV UUID pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
> LV Write Access read/write
> LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
> LV Status available
> # open 0
> LV Size 50.00 GiB
> Current LE 12800
> Segments 1
> Allocation inherit
> Read ahead sectors auto
> - currently set to 256
> Block device 252:3
>
> sudo vgdisplay | grep -i free
> Free PE / Size 24641 / 96.25 GiB
>
> sudo mkfs.ext4 /dev/mapper/vg-shared
>
> mke2fs 1.42.9 (4-Feb-2014)
> Filesystem label=
> OS type: Linux
> Block size=4096 (log=2)
> Fragment size=4096 (log=2)
> Stride=0 blocks, Stripe width=0 blocks
> 9175040 inodes, 36700160 blocks
> 1835008 blocks (5.00%) reserved for the super user
> First data block=0
> Maximum filesystem blocks=4294967296
> 1120 block groups
> 32768 blocks per group, 32768 fragments per group
> 8192 inodes per group
> Superblock backups stored on blocks:
> 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
> 4096000, 7962624, 11239424, 20480000, 23887872
>
> Allocating group tables: done
> Writing inode tables: done
> Creating journal (32768 blocks): done
> Writing superblocks and filesystem accounting information: done
>
> There was similar output for:
>
> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home
>
> I may have needed to add an extra hyphen, like vg-ubuntu--root
>
> Next I opened the Ubuntu 14.04 installer and selected 'something
> else'. I assigned /boot to the 500 MiB partition on sda5 and then
> /root, /home, and swap to the logical /dev/mapper/vg volumes.
>
> After Ubuntu installs, before rebooting from the live USB, I entered
> the following:
>
> sudo cryptsetup luksOpen /dev/sda6 enc-pv
> Enter passphrase for /dev/sda6:
> sudo mount /dev/vg/ubuntu-root /mnt
> sudo chroot /mnt mount /proc
> sudo mount --bind /dev /mnt/dev
> sudo chroot /mnt mount /boot
> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
> sudo chroot /mnt update-initramfs -u
> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
>
> On reboot Ubuntu boots asking for only one entry of the passphrase
> instead of three, one for each encrypted volume.
>
> ==================================================================
>
> Thanks
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
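The quoted setup appends a crypttab line with `tee -a` on every run (so a rerun stacks duplicate entries), never checks that `blkid` actually returned a UUID, and leaves the new ext4 filesystem on `vg-shared` owned by root, which is why a normal user cannot create files on it even though it unlocks and mounts fine. The script below is an added example and is not code from this thread, from cryptsetup or from Ubuntu: it writes the crypttab and fstab entries idempotently, refuses a malformed UUID, mounts the data LV at a fixed path and hands its top-level directory to the user. The device names (/dev/sda6, enc-pv, /dev/mapper/vg-shared), the mount point /media/daire/shared and the user name "daire" are assumptions that mirror the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from cryptsetup: idempotent helpers
# for wiring one LUKS container that holds an LVM volume group into
# /etc/crypttab and /etc/fstab, plus the step that makes a freshly formatted
# data LV writable for a normal user. The device names (/dev/sda6, enc-pv,
# /dev/mapper/vg-shared), the mount point /media/daire/shared and the user
# "daire" are assumptions that mirror the thread, not something the tool
# prescribes.
set -eu

# Accept only a canonical lowercase 8-4-4-4-12 hex UUID, so that an empty
# blkid result can never turn into a broken "enc-pv UUID= none luks" line.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab_entry NAME UUID: "none" as the key file means the initramfs asks
# for the passphrase; one prompt unlocks the whole VG because every LV sits
# inside the same LUKS container.
crypttab_entry() {
    valid_uuid "$2" || return 1
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_entry DEVICE MOUNTPOINT FSTYPE OPTIONS: pass number 2 so fsck checks
# the filesystem after the root filesystem.
fstab_entry() {
    printf '%s %s %s %s 0 2\n' "$1" "$2" "$3" "$4"
}

# add_once FILE LINE: append LINE unless a line with the same first field
# (mapping name in crypttab, device in fstab) is already present, so the
# script can be rerun without stacking duplicate entries.
add_once() {
    file=$1
    line=$2
    key=${line%% *}
    if [ -f "$file" ] && awk -v k="$key" '$1 == k { found = 1 } END { exit !found }' "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Only the "apply" mode touches the system and needs root; the helpers above
# are pure so they can be exercised without it.
if [ "${1:-}" = apply ]; then
    luks_dev=/dev/sda6
    user=daire
    mnt=/media/$user/shared

    uuid=$(blkid -s UUID -o value "$luks_dev")
    entry=$(crypttab_entry enc-pv "$uuid") || {
        echo "no usable LUKS UUID on $luks_dev" >&2
        exit 1
    }
    add_once /etc/crypttab "$entry"

    # /dev/mapper/vg-shared is a stable name once the VG is active, so a
    # fixed fstab entry gives a fixed mount point instead of the
    # /media/daire/<uuid> path udisks picks for an unlabelled filesystem.
    add_once /etc/fstab "$(fstab_entry /dev/mapper/vg-shared "$mnt" ext4 defaults)"
    mkdir -p "$mnt"
    mount "$mnt"

    # mkfs.ext4 leaves the filesystem root owned by root:root with mode 0755;
    # that, not the encryption, is why a normal user cannot create files.
    # Hand the top level to the user once; files below follow normal rules.
    chown "$user:$user" "$mnt"

    update-initramfs -u
fi
```

Run it as `sudo sh wire-luks-lvm.sh apply` from the installed system (or from the chroot the thread uses, with /proc, /dev and /boot mounted so that `update-initramfs` can do its job). Without the `apply` argument it only defines the helpers, which is what makes the entry generation easy to check on a non-root box before touching /etc.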
Thread overview:
2014-04-27 17:00 [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access? Dáire Fagan
2014-04-27 20:32 ` Arno Wagner [this message]
2014-04-27 21:20 ` Dáire Fagan
2014-04-28 4:15 ` Milan Broz
2014-04-27 16:55 Dáire Fagan