From: Arno Wagner <arno@wagner.name>
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access?
Date: Sun, 27 Apr 2014 22:32:16 +0200
Message-ID: <20140427203216.GA29997@tansi.org>
In-Reply-To: <CAJ0AGf_S7iA-0_9qwcxS8KLKVYv_48Ptz+Hs-Fjm=-eUCKt+uw@mail.gmail.com>
Sounds like a problem you should complain to Ubuntu about.
This mailing list here is only for the raw "cryptsetup"
command...
Arno
On Sun, Apr 27, 2014 at 19:00:00 CEST, Dáire Fagan wrote:
> Hi
>
> Although the /dev/mapper/vg-shared volume mounts at boot automatically
> like /root and /home, and although I can open it without having to
> enter the passphrase again, I cannot create files on it.
>
> From the commands below, that I used to set up /root, /home, and swap
> mounting at boot with a single passphrase entry, I have tried
> replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo
> mount /dev/vg/shared /mnt', but then when I go on to the next command
> 'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed
> to run command ‘mount’: No such file or directory'.
>
> Can anyone tell me how I should edit the following commands so that
> /dev/vg/shared not only mounts at boot, but I can also write to it?
> Is my encryption method below best practice, apart from needing to run
> cryptsetup first? Is there any way to have the partition appear as
> /media/daire/shared instead of a long /media/daire/long-hex-string?
>
> sudo cryptsetup luksOpen /dev/sda6 enc-pv
> Enter passphrase for /dev/sda6:
> sudo mount /dev/vg/ubuntu-root /mnt
> sudo chroot /mnt mount /proc
> sudo mount --bind /dev /mnt/dev
> sudo chroot /mnt mount /boot
> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
> sudo chroot /mnt update-initramfs -u
> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
>
> Would it be messy to just use something like sudo chown -R $daire:$daire
> /mnt/shared ?
>
> ==================================================================================
>
> If you need more information the following is how I have encrypted the
> /root, /home, and swap partitions on a disk already containing Windows
> 8.1 and only require a single passphrase entry on boot:
>
> (I have read the Ubuntu alternate install CD used to offer this option
> before Canonical cancelled it)
>
> I created a 500 MiB ext4 sda5 partition that will later be assigned as
> /boot (UEFI Win 8.1 partitions on sda1, sda2, sda3, and sda4)
>
> sudo dd if=/dev/urandom of=/dev/sda6
>
> 12 hours elapse.
>
> dd: writing to ‘/dev/sda6’: No space left on device
> 660092929+0 records in
> 660092928+0 records out
> 337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s
>
> modprobe dm-crypt
> modprobe aes-x86_64
> modprobe sha256
>
> When I do this over I will run cryptsetup benchmark first to see which
> iteration and algorithm works best for my system.
>
> sudo cryptsetup luksFormat /dev/sda6
>
> WARNING!
> ========
> This will overwrite data on /dev/sda6 irrevocably.
>
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> sudo cryptsetup luksOpen /dev/sda6 enc-pv
> Enter passphrase for /dev/sda6:
>
> sudo pvcreate /dev/mapper/enc-pv
> Physical volume "/dev/mapper/enc-pv" successfully created
> sudo vgcreate vg /dev/mapper/enc-pv
> Volume group "vg" successfully created
> sudo lvcreate -L 8.5G -n swap vg
> Logical volume "swap" created
> sudo lvcreate -L 20G -n ubuntu-root vg
> Logical volume "ubuntu-root" created
> sudo lvcreate -L 50G -n ubuntu-home vg
> Logical volume "ubuntu-home" created
> sudo lvcreate -L 140G -n shared vg
> Logical volume "shared" created
>
> sudo lvdisplay
>   --- Logical volume ---
>   LV Path                /dev/vg/swap
>   LV Name                swap
>   VG Name                vg
>   LV UUID                EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
>   LV Write Access        read/write
>   LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
>   LV Status              available
>   # open                 0
>   LV Size                8.50 GiB
>   Current LE             2176
>   Segments               1
>   Allocation             inherit
>   Read ahead sectors     auto
>   - currently set to     256
>   Block device           252:1
>
>   --- Logical volume ---
>   LV Path                /dev/vg/ubuntu-root
>   LV Name                ubuntu-root
>   VG Name                vg
>   LV UUID                TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
>   LV Write Access        read/write
>   LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
>   LV Status              available
>   # open                 0
>   LV Size                20.00 GiB
>   Current LE             5120
>   Segments               1
>   Allocation             inherit
>   Read ahead sectors     auto
>   - currently set to     256
>   Block device           252:2
>
>   --- Logical volume ---
>   LV Path                /dev/vg/shared
>   LV Name                shared
>   VG Name                vg
>   LV UUID                dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
>   LV Write Access        read/write
>   LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
>   LV Status              available
>   # open                 0
>   LV Size                140.00 GiB
>   Current LE             35840
>   Segments               1
>   Allocation             inherit
>   Read ahead sectors     auto
>   - currently set to     256
>   Block device           252:4
>
>   --- Logical volume ---
>   LV Path                /dev/vg/ubuntu-home
>   LV Name                ubuntu-home
>   VG Name                vg
>   LV UUID                pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
>   LV Write Access        read/write
>   LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
>   LV Status              available
>   # open                 0
>   LV Size                50.00 GiB
>   Current LE             12800
>   Segments               1
>   Allocation             inherit
>   Read ahead sectors     auto
>   - currently set to     256
>   Block device           252:3
>
> sudo vgdisplay | grep -i free
> Free PE / Size 24641 / 96.25 GiB
>
> sudo mkfs.ext4 /dev/mapper/vg-shared
>
> mke2fs 1.42.9 (4-Feb-2014)
> Filesystem label=
> OS type: Linux
> Block size=4096 (log=2)
> Fragment size=4096 (log=2)
> Stride=0 blocks, Stripe width=0 blocks
> 9175040 inodes, 36700160 blocks
> 1835008 blocks (5.00%) reserved for the super user
> First data block=0
> Maximum filesystem blocks=4294967296
> 1120 block groups
> 32768 blocks per group, 32768 fragments per group
> 8192 inodes per group
> Superblock backups stored on blocks:
> 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
> 4096000, 7962624, 11239424, 20480000, 23887872
>
> Allocating group tables: done
> Writing inode tables: done
> Creating journal (32768 blocks): done
> Writing superblocks and filesystem accounting information: done
>
> There was similar output for:
>
> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home
>
> I may have needed to add an extra hyphen, like vg-ubuntu--root
>
> Next I opened the Ubuntu 14.04 installer and selected 'something
> else'. I assigned /boot to the 500 MiB partition on sda5 and then
> /root, /home, and swap to the logical /dev/mapper/vg volumes.
>
> After Ubuntu installs, before rebooting from the live USB, I entered
> the following:
>
> sudo cryptsetup luksOpen /dev/sda6 enc-pv
> Enter passphrase for /dev/sda6:
> sudo mount /dev/vg/ubuntu-root /mnt
> sudo chroot /mnt mount /proc
> sudo mount --bind /dev /mnt/dev
> sudo chroot /mnt mount /boot
> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
> sudo chroot /mnt update-initramfs -u
> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
>
> On reboot Ubuntu boots asking for only one entry of the passphrase
> instead of three, one for each encrypted volume.
>
> ==================================================================
>
> Thanks
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. - Plato
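Added example, not code from the thread, from cryptsetup or from Ubuntu. The quoted procedure has two moving parts a practitioner would want to check: the crypttab line that lets the initramfs unlock /dev/sda6 once so the whole LVM stack (root, home, swap, shared) comes up with a single passphrase, and the data LV that mounts but is not writable by the user. The helpers below generate the crypttab and fstab lines for that layout, check a crypttab entry against what `blkid -s UUID -o value` reports (the UUID in the poster's first paste was line-wrapped, which the format check catches), and show the root-only step that puts the LV at a fixed path such as /media/daire/shared and hands its top directory to the user. The fstab options "defaults 0 2", the owner name "daire" and the function names are assumptions of this example; the UUID is the one the poster printed.

```shell
#!/bin/sh
# Added example, not code from the thread or from cryptsetup/Ubuntu.
# Layout from the thread: LUKS on /dev/sda6 opened as "enc-pv", LVM VG "vg"
# on top, data LV "shared" that should mount at a fixed path writable by a
# normal user. Assumptions (not on the page): fstab options "defaults 0 2",
# the owner "daire" passed to apply_shared_mount, and all function names.

# crypttab_entry NAME UUID
# Emits the crypttab line the poster appended, with the UUID on one line.
crypttab_entry() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# fstab_entry DEVICE MOUNTPOINT FSTYPE
# Emits an fstab line so the LV is mounted at a fixed path at boot instead
# of being auto-mounted under /media/<user>/<uuid>.
fstab_entry() {
    printf '%s %s %s defaults 0 2\n' "$1" "$2" "$3"
}

# is_uuid STRING
# Succeeds only for a well-formed lowercase UUID; a UUID that was wrapped
# across two lines when pasted into crypttab fails this check.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab_uuid_ok CRYPTTAB_LINE BLKID_UUID
# Succeeds when the UUID= field of the crypttab line equals the value that
# `blkid -s UUID -o value /dev/sda6` printed (passed in as $2).
crypttab_uuid_ok() {
    rest=${1#* UUID=}        # drop "NAME UUID="
    line_uuid=${rest%% *}    # keep the field up to the next space
    [ "$line_uuid" = "$2" ]
}

# apply_shared_mount LV_DEVICE MOUNTPOINT OWNER
# The part that touches the system: run as root on the installed Ubuntu, not
# from the tests. A freshly made ext4 filesystem has its root directory owned
# by root with mode 0755, so a normal user cannot create files in it until the
# mounted directory is chowned.
apply_shared_mount() {
    dev=$1; mnt=$2; owner=$3
    line=$(fstab_entry "$dev" "$mnt" ext4)
    mkdir -p "$mnt"
    grep -qF -- "$dev $mnt" /etc/fstab || printf '%s\n' "$line" >> /etc/fstab
    mount "$mnt"                     # mounts via the fstab entry just added
    chown "$owner:$owner" "$mnt"     # chown applies to the filesystem's root inode
}

# Demonstration with the UUID the poster pasted; nothing is written to disk.
POSTER_UUID='ad8b8a32-95ea-4add-abe6-326d151e30fa'
crypttab_entry enc-pv "$POSTER_UUID"
fstab_entry /dev/mapper/vg-shared /media/daire/shared ext4
```

Two caveats worth keeping in mind when applying this: the chown must be done while the LV is mounted, because it changes the ownership of the filesystem's root directory, not of the empty mount point underneath; and after editing /etc/crypttab the initramfs has to be regenerated (the poster's `update-initramfs -u`), since that is where the "enc-pv" mapping is read at boot.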
Thread overview (5+ messages):
2014-04-27 17:00 [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access? Dáire Fagan
2014-04-27 20:32 ` Arno Wagner [this message]
2014-04-27 21:20 ` Dáire Fagan
2014-04-28 4:15 ` Milan Broz
2014-04-27 16:55 Dáire Fagan