From: dhvvcb@lavabit.com
To: dm-crypt@saout.de
Subject: [dm-crypt] Boot from fully encrypted disk which looks like unused
Date: Sun, 22 May 2011 21:53:02 +0600
Message-ID: <1306079582.2173.6.camel@localhost>

Using LUKS is the standard way to boot from an encrypted disk. However,
the LUKS header is not encrypted, and it may cause a security issue when
it is necessary to hide the fact of encryption.

The usual section of grub.conf when the root file system is placed on an
unencrypted disk has the form:

title Fedora 12
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/sda1 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
initrd /boot/initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img

Boot works.

After this I rsynced this file system as a whole to a filesystem on an
encrypted virtual disk /dev/mapper/hdd2 corresponding to another
physical disk, for example /dev/sdb. Then I created an additional
section in grub.conf so as to make it possible to boot from /dev/sdb. It
looks the same as above, but with some distinctions. The location of the
bootloader and kernel image is unchanged (1st sector and /boot
directory); only the root filesystem is transferred onto a new encrypted
device.

title Fedora 12 NEW
root (hd0,0)
kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/mapper/hdd2 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
initrd /boot/initramfs-NEW.img

Two modifications of the initial section have been made:

1. root=/dev/sda1 ---> root=/dev/mapper/hdd2
2. initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img ---> initramfs-NEW.img

The second modification is needed to prepare /dev/mapper/hdd2 before
mounting it as a root filesystem, so changing the initramfs is necessary.
I did it in the following way.

1. At the beginning of /mount/mount-root.sh, before the 'mount' command,
I put the string:

cryptsetup -d /etc/key -c aes-cbc-essiv:sha256 -s 256 create hdd2 /dev/sdb

2. The key file is added to /etc.

After this I reboot and select the second item in the grub menu. During
the boot the following messages appear:

WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
(... the same string repeats a number of times ...)
No root device found
Boot has failed, sleeping forever

Please give me a suggestion as to what I should do to solve the problem.
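
Added example, not part of the original message or thread: the message's point that the LUKS header is not encrypted, shown as a Python parser for the LUKS1 header layout run on two constructed 512-byte sectors. The function names and the sample UUID, digest and salt values are assumptions made for illustration.

```python
import hashlib
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 header fields up to the UUID, big-endian: magic, version, cipher name,
# cipher mode, hash spec, payload offset (sectors), key bytes, master-key
# digest, digest salt, digest iterations, UUID. Key slots follow at byte 208.
LUKS1_HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")

def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def read_cleartext_metadata(buf):
    """Return what the start of a device discloses without any key, or None
    when no LUKS magic is present (as with plain dm-crypt ciphertext)."""
    if len(buf) < LUKS1_HDR.size or not buf.startswith(LUKS_MAGIC):
        return None
    f = LUKS1_HDR.unpack_from(buf)
    if f[1] != 1:                       # LUKS2 shares the magic, not the layout
        return {"format": "LUKS", "version": f[1]}
    return {"format": "LUKS", "version": 1,
            "cipher": _text(f[2]) + "-" + _text(f[3]),
            "hash": _text(f[4]), "payload_offset_sectors": f[5],
            "key_bits": f[6] * 8, "uuid": _text(f[10])}

def constructed_luks1_sector():
    """Constructed sample: a LUKS1 header with made-up digest, salt and UUID."""
    hdr = LUKS1_HDR.pack(LUKS_MAGIC, 1, b"aes", b"cbc-essiv:sha256", b"sha1",
                         4096, 32, b"\x11" * 20, b"\x22" * 32, 1000,
                         b"00000000-0000-4000-8000-000000000000")
    return hdr.ljust(512, b"\0")

def constructed_plain_sector():
    """Constructed sample: 512 pseudo-random bytes standing in for ciphertext."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    for name, sector in (("luks1", constructed_luks1_sector()),
                         ("plain", constructed_plain_sector())):
        print(name, read_cleartext_metadata(sector))
```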