From: Matthew Monaco
Date: Wed, 26 Sep 2012 03:24:11 -0600
Message-ID: <5062C9BB.5010900@0x01b.net>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypt all partitions with dm-crypt

On 09/26/2012 02:23 AM, Stayvoid wrote:
>> You need to add "encrypt" to
>> the HOOKS setting in /etc/mkinitcpio.conf and run (as root)
>>
>> # mkinitcpio -p linux-libre
>>
>> This will add cryptsetup and the necessary modules to your initramfs.
>
> It worked.
>
>> You also MUST add root=/dev/mapper/ROOT cryptdevice=/dev/sdX#:ROOT to your
>> kernel command line (/boot/grub/menu.lst for grub-legacy,
>> /boot/grub/grub.cfg for grub2). Where ROOT is whatever label you want
>> and /dev/sdX# is your encrypted block device. Furthermore, you need to
>> set crypto= to your specific settings, but I don't remember the format
>> off the top of my head.
>
> I'd like to try mounting from a recovery shell.
> But there is no /media. Is it possible to add it?
>

You can mount to wherever you like.
Once you've mapped the block device to /dev/mapper/NAME, you have a
block device like any other.

> BTW, how to safely enable swap?
> Should I chroot into the system and decrypt / swapon there?
>

The easiest thing is probably a swap file. However, you can also have a
separate swap partition which gets encrypted with a random key each boot.
You define it in /etc/crypttab.

swap /dev/sdX# /dev/urandom swap

This maps /dev/sdX# to /dev/mapper/swap with a random password. The "swap"
in the fourth column tells /etc/rc.sysinit to run mkswap on the device
after it's mapped.

>> Are you *sure* you don't want to use LUKS?
>
> Yes.
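
Since the swap entry described in the message gets a fresh random key and mkswap on every boot, whatever partition its device field resolves to is overwritten each time. The shell check below is an added example, not part of the original message: it flags random-key swap lines in a crypttab-style file that name the partition by a kernel-assigned device name. The function name check_crypttab, the sample entries and the list of kernel-name prefixes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# Fields, as in the message: name, device, key source, options.

# check_crypttab FILE
# Prints one finding per flagged entry; returns 1 if any entry was flagged.
check_crypttab() {
    rc=0
    while read -r name device key options rest || [ -n "$name" ]; do
        # Skip blank lines and comments.
        case "$name" in ''|'#'*) continue ;; esac
        # Only entries keyed from a random source are re-keyed every boot.
        case "$key" in /dev/urandom|/dev/random) ;; *) continue ;; esac
        # Only entries carrying the "swap" option get mkswap run on them.
        case ",$options," in *,swap,*) ;; *) continue ;; esac
        # Kernel-assigned names (assumed prefix list) may point at another
        # partition after a disk is added, removed or probed in a new order.
        case "$device" in
            /dev/sd*|/dev/hd*|/dev/vd*|/dev/nvme*|/dev/mmcblk*)
                echo "$name: $device is a kernel-assigned name that can change between boots"
                rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# Constructed sample input; the by-id path is a made-up placeholder.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  device                              key           options
swap    /dev/sda3                           /dev/urandom  swap
swap2   /dev/disk/by-id/ata-EXAMPLE-part3   /dev/urandom  swap
home    /dev/sdb1                           none
EOF
check_crypttab "$sample" || echo "review the entries listed above"
rm -f "$sample"
```

Only the first sample entry is reported; the by-id entry and the passphrase-keyed "home" entry pass.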