* [dm-crypt] Automatically mount LUKS LVM on boot?

From: Dáire Fagan @ 2016-01-16 22:33 UTC
To: dm-crypt

I have tried following different guides on this but none seem to do exactly what I am trying so I had to work with different parts from different guides.

Using the following I made it so Ubuntu would not boot, although I was able to remedy this by booting into Ubuntu recovery, dropping to a root shell, and putting fstab back as it was: HOWTO: Automatically unlock LUKS encrypted drives with a keyfile <http://ubuntuforums.org/showthread.php?t=837416>

When I started I had just set up LUKS with LVM. I was able to mount the main volume hdd1 by clicking on it from the launcher in Ubuntu and entering my password, but I need to set it up to mount on boot.

Even after the change I made in fstab - undoing what the guide recommended - now when I boot a volume is mounted of 973GB although I cannot write to it. Apart from that I am not sure if it is otherwise working as it should, or if say for instance it is left decrypted all of the time.

Can you please look through the commands from my bash history and tell me anything I need to undo, the correct commands to do this, and any extra commands I need to enter to achieve what I am after, physical volume sda1 decrypted on boot, and the logical volumes swap and hdd1 automatically mounted, one password input on boot preferred, so I do not have to enter one to login and another to decrypt. This is all on a completely separate drive to my / and /home partitions.

If relevant one of the commands used during LUKS and LVM setup was:

    pvcreate /dev/mapper enc-pv

I mention that now as it is referenced in another command.

The logical volumes:

    dusf@roadrunner:~$ sudo lvdisplay
      --- Logical volume ---
      LV Path                /dev/vg/swap
      LV Name                swap
      VG Name                vg
      LV UUID                HBEt92-E8MQ-aCAu-DBDz-7VeJ-KLom-JeJ9k8
      LV Write Access        read/write
      LV Creation host, time roadrunner, 2016-01-16 20:36:42 +0000
      LV Status              available
      # open                 0
      LV Size                10.00 GiB
      Current LE             2560
      Segments               1
      Allocation             inherit
      Read ahead sectors     auto
      - currently set to     256
      Block device           252:1

      --- Logical volume ---
      LV Path                /dev/vg/kali
      LV Name                kali
      VG Name                vg
      LV UUID                BeWqMO-DQAf-zcAp-RJAf-vmaY-OZbt-GLQIWx
      LV Write Access        read/write
      LV Creation host, time roadrunner, 2016-01-16 20:40:39 +0000
      LV Status              available
      # open                 0
      LV Size                15.00 GiB
      Current LE             3840
      Segments               1
      Allocation             inherit
      Read ahead sectors     auto
      - currently set to     256
      Block device           252:2

      --- Logical volume ---
      LV Path                /dev/vg/HDD1
      LV Name                HDD1
      VG Name                vg
      LV UUID                xFw2Yu-li8I-Ooav-Yjk2-P38q-CZeG-dmdhSl
      LV Write Access        read/write
      LV Creation host, time roadrunner, 2016-01-16 20:51:00 +0000
      LV Status              available
      # open                 1
      LV Size                906.51 GiB
      Current LE             232066
      Segments               1
      Allocation             inherit
      Read ahead sectors     auto
      - currently set to     256
      Block device           252:3

Commands I entered to try and automount:

    156 sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
    157 sudo chmod 0400 /root/keyfile
    160 sudo cryptsetup luksAddKey /dev/sda1 /root/keyfile
    161 sudo vi /etc/crypttab

I added the line: enc-pv /dev/sda1 /root/keyfile luks

    162 sudo vi /etc/fstab

I added the line: /dev/mapper/enc-pv /media/sda1 ext4 defaults 0 2

    163 sudo mount -a
    164 mkdir /media/sda1
    165 sudo mkdir /media/sda1
    166 sudo mount -a

* Re: [dm-crypt] Automatically mount LUKS LVM on boot?

From: Sven Eschenberg @ 2016-01-17 18:30 UTC
To: dm-crypt

Hi Dáire,

While this is not really dm-crypt/cryptsetup related, but rather a question of the used distro and desktop environment (etc.), I'll try to give you some hints on this:

As long as the volume is listed in crypttab and the key is provided, the crypto-mapping will be set up during boot. If you don't want that, you'd have to revert those changes. (Automatic setup of crypto mapping with a locally stored key is somewhat pointless, as you can imagine.)

It is not that easy, by just looking at the commands you ran, to judge what is going on right now. You'll certainly have to provide additional info, but I am sure the Ubuntu community would be a greater help, as it knows the intrinsics of the distro.

One thing I want to add though is this:
You will NOT be able to do a single password entry for both decryption and login. You could possibly disable passwords for login (if that makes sense to you). You could skip the password for decryption, if the 'passphrase/key' is stored on an external drive (USB thumb drive) and you physically secure it and instead use a sign on password. And if you really insist on a single sign on, you'd have to have some sort of password cache daemon that provides the password at a later stage, but then again this makes password based logins pointless.

So, first choose your modus operandi, then try setting it up.

Regards

-Sven

* Re: [dm-crypt] Automatically mount LUKS LVM on boot?

From: Arbiel (gmx) @ 2016-01-21 12:50 UTC
To: Sven Eschenberg, dm-crypt

Hi

Not sure what I've done can help you, but let me tell you.

I'm using LUKS on some logical volumes of a LVM. That is, I do not encrypt my whole LVM, but only parts of it.

For several reasons out of scope of your concern, I boot my PC only using a removable USB key. I let my hard disk MBR as provided by the manufacturer.

I encrypted both my root and my home, each with its own LUKS key. I agree I did it more for the sake of getting experience than for a real need of data protection.

Taking advantage of the need of a removable device to boot, I decided to store my LUKS keys on it. I included the two following lines in my /etc/crypttab:

    victor-root UUID=78576555-f0c2-4c80-af4f-d763cc7ae71d /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-root:1 luks,keyscript=/lib/cryptsetup/scripts/passdev
    victor-home UUID=37447a61-f946-4d38-a398-5a886c4e3f22 /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-home:1 luks,keyscript=/lib/cryptsetup/scripts/passdev

The two keys are 512-byte random binary files stored at the root of the partition, named ".victor-root" and ".victor-home".

As a USB key is rather fragile (loss, getting out of use), I stored my LUKS keys on several USB keys. I gave the same uuid to the partitions holding my LUKS files, so as the preceding lines would work for any one of my USB keys.

My /etc/fstab file holds the following lines:

    /dev/mapper/victor-root /     ext4 errors=remount-ro 0 1
    /dev/mapper/victor-home /home ext4 defaults          0 2

I suppressed the need of a password at login. After boot, I disconnect my USB key.

Arbiel

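The thread contrasts two ways a crypttab entry can obtain its key: a key file on the local disk (the `/root/keyfile` line) and a keyscript reading from removable media (the `passdev` lines). The following is an added example, not part of any post in this thread, that classifies crypttab entries by key source; the function names and the `data-prompt` sample entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify where each /etc/crypttab entry gets its key from.

# classify_key_source KEYFIELD OPTIONS
# prints: prompt | random | device | local-file | keyscript:<script name>
classify_key_source() {
    keyfield=$1
    options=$2
    case ",$options," in
        *,keyscript=*)
            # With a keyscript the third field is an argument to the script,
            # not a path on the local filesystem.
            ks=${options##*keyscript=}
            ks=${ks%%,*}
            printf 'keyscript:%s\n' "${ks##*/}"
            return ;;
    esac
    case "$keyfield" in
        ''|none|-)                echo prompt ;;
        /dev/urandom|/dev/random) echo random ;;
        /dev/*)                   echo device ;;
        *)                        echo local-file ;;
    esac
}

# audit_crypttab: reads crypttab text on stdin, prints name<TAB>kind<TAB>verdict
audit_crypttab() {
    while read -r name srcdev keyfield options rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and comments
        kind=$(classify_key_source "$keyfield" "$options")
        case "$kind" in
            local-file) verdict="WARN: key file on local disk, unlocks unattended" ;;
            *)          verdict="ok" ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$kind" "$verdict"
    done
}

# Sample input: two entries quoted in this thread, plus one constructed
# passphrase-prompt entry (the "data-prompt" line is not from the thread).
sample_crypttab() {
    cat <<'EOF'
# <name> <source device> <key file> <options>
enc-pv /dev/sda1 /root/keyfile luks
victor-root UUID=78576555-f0c2-4c80-af4f-d763cc7ae71d /dev/disk/by-uuid/4146dfad-26f0-4aec-99c3-8ab00c3e4297:/.victor-root:1 luks,keyscript=/lib/cryptsetup/scripts/passdev
data-prompt /dev/sdb1 none luks
EOF
}

sample_crypttab | audit_crypttab
```

A `local-file` result is only a concern when the filesystem holding the key file is itself unencrypted; the script cannot tell, so it flags the entry for review.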