From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: 
Received: from karen.lavabit.com (karen.lavabit.com [72.249.41.33]) by mail.saout.de (Postfix) with ESMTP for ; Sun, 22 May 2011 17:45:38 +0200 (CEST)
Received: from b.earth.lavabit.com (b.earth.lavabit.com [192.168.111.11]) by karen.lavabit.com (Postfix) with ESMTP id 7F7CE11BDA8 for ; Sun, 22 May 2011 10:45:37 -0500 (CDT)
Received: from 10.0.0.2 (109.169.23.181) by lavabit.com with ESMTP id LUK5VS8I77FZ for ; Sun, 22 May 2011 10:45:37 -0500
From: dhvvcb@lavabit.com
Content-Type: text/plain; charset="UTF-8"
Date: Sun, 22 May 2011 21:53:02 +0600
Message-Id: <1306079582.2173.6.camel@localhost>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [dm-crypt] Boot from fully encrypted disk which looks like unused
List-Id: 
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
To: dm-crypt@saout.de

Using LUKS is the standard way to boot from an encrypted disk. However, the LUKS header is not encrypted, and it may cause a security issue when it is necessary to hide the fact of encryption.

The usual section of grub.conf when the root file system is placed on an unencrypted disk has the form:

    title Fedora 12
    root (hd0,0)
    kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/sda1 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
    initrd /boot/initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img

Boot works. After this I rsync this file system as a whole to a filesystem on an encrypted virtual disk /dev/mapper/hdd2 corresponding to another physical disk, for example /dev/sdb. Then I created an additional section in grub.conf so as to make it possible to boot from /dev/sdb. It looks the same as above, but with some distinctions. The location of the bootloader and kernel image is unchanged (1st sector and /boot directory); only the root filesystem is transferred onto the new encrypted device.

    title Fedora 12 NEW
    root (hd0,0)
    kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/mapper/hdd2 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
    initrd /boot/initramfs-NEW.img

Two modifications of the initial section have been done:

1. root=/dev/sda1 ---> root=/dev/mapper/hdd2
2. initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img ---> initramfs-NEW.img

The second modification is needed to prepare /dev/mapper/hdd2 before mounting it as the root filesystem. So changing the initramfs is necessary. I did it in the following way.

1. At the beginning of /mount/mount-root.sh, before the 'mount' command, I put the line:

    cryptsetup -d /etc/key -c aes-cbc-essiv:sha256 -s 256 create hdd2 /dev/sdb

2. The key file is added to /etc.

After this I reboot and select the second item in the grub menu. During the boot the following messages appear:

    WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
    (... the same string repeats a number of times ...)
    No root device found
    Boot has failed, sleeping forever

Please give me a suggestion what I should do to solve the problem.
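An added example, not part of the message above and not dm-crypt or dracut project code: a POSIX shell check of an unpacked initramfs for the pieces the `cryptsetup create` hook in the message relies on (the cryptsetup binary, the dm-crypt module for the booted kernel, the /etc/key file, and the hook line in /mount/mount-root.sh), plus the same invocation spelled in current cryptsetup syntax. The module location under lib/modules/$KVER/kernel/drivers/md/ and the sbin or usr/sbin placement of the binary are assumptions; the message does not say what initramfs-NEW.img contains, so this is a check to run against it, not a diagnosis of the failure.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions are marked.

# Unpack a gzip'd cpio initramfs image into DIR; the image itself is untouched.
unpack_initramfs() {
    img=$1; dir=$2
    mkdir -p "$dir"
    (cd "$dir" && zcat "$img" | cpio -idm)
}

# Return 0 if ROOT (an unpacked initramfs) holds everything the plain-mode
# hook needs, 1 otherwise, naming each missing item on stderr.
check_initramfs_crypt() {
    root=$1; kver=$2; missing=0

    # cryptsetup binary (assumption: dracut puts it in sbin/ or usr/sbin/)
    if [ ! -x "$root/sbin/cryptsetup" ] && [ ! -x "$root/usr/sbin/cryptsetup" ]; then
        echo "missing: cryptsetup binary" >&2; missing=1
    fi

    # dm-crypt kernel module for the kernel named on the grub 'kernel' line
    # (assumption: standard in-tree path, possibly compressed)
    found=0
    for m in dm-crypt.ko dm-crypt.ko.gz dm-crypt.ko.xz; do
        if [ -f "$root/lib/modules/$kver/kernel/drivers/md/$m" ]; then
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "missing: dm-crypt module for $kver" >&2; missing=1
    fi

    # key file the hook reads with -d /etc/key (must be non-empty)
    if [ ! -s "$root/etc/key" ]; then
        echo "missing: /etc/key" >&2; missing=1
    fi

    # the hook line itself, in the file the post edits
    if ! grep -qs 'cryptsetup' "$root/mount/mount-root.sh"; then
        echo "missing: cryptsetup call in /mount/mount-root.sh" >&2; missing=1
    fi

    return "$missing"
}

# The post's command line in current cryptsetup syntax: 'create' and '-d'
# are legacy spellings of 'open --type plain' and '--key-file'; -c/-s are
# --cipher/--key-size. Note the device comes before the mapping name.
plain_open_cmd() {
    name=$1; dev=$2; key=$3
    printf 'cryptsetup open --type plain --key-file %s --cipher aes-cbc-essiv:sha256 --key-size 256 %s %s\n' \
        "$key" "$dev" "$name"
}

# Stand-alone demo on a constructed fake initramfs tree (no real image needed).
demo() {
    kver=2.6.31.12-174.2.3.fc12.i686.PAE
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sbin" "$tmp/lib/modules/$kver/kernel/drivers/md" "$tmp/etc" "$tmp/mount"
    printf '#!/bin/sh\n' > "$tmp/sbin/cryptsetup"; chmod +x "$tmp/sbin/cryptsetup"
    : > "$tmp/lib/modules/$kver/kernel/drivers/md/dm-crypt.ko"
    printf 'constructed-key-material' > "$tmp/etc/key"
    printf 'cryptsetup -d /etc/key -c aes-cbc-essiv:sha256 -s 256 create hdd2 /dev/sdb\nmount ...\n' \
        > "$tmp/mount/mount-root.sh"
    check_initramfs_crypt "$tmp" "$kver" && echo "complete tree: ok"
    rm "$tmp/etc/key"
    check_initramfs_crypt "$tmp" "$kver" || echo "tree without key: check failed as expected"
    plain_open_cmd hdd2 /dev/sdb /etc/key
    rm -rf "$tmp"
}

[ "${1-}" = "--demo" ] && demo
```

Run it as `sh check.sh --demo` for the constructed tree, or call `unpack_initramfs /boot/initramfs-NEW.img /tmp/ir` and then `check_initramfs_crypt /tmp/ir 2.6.31.12-174.2.3.fc12.i686.PAE` against the real image, using the version string from the grub `kernel` line. One design point worth stating plainly: a key file placed in /etc of an initramfs that lives in /boot on the unencrypted first disk is readable by anyone holding that disk, so the plain-mode mapping hides the existence of the header but not the key that opens it.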