[dm-crypt] Encrypted root on Fedora 13

[dm-crypt] Encrypted root on Fedora 13

[Heinz Diehl]

Hi,

is there any possibility in cryptsetup-1.1.3 to maintain / restore the uuid of an encrypted root
partition on a Fedora 13 system? 

What I've planned to do is to switch the standard encryption the Fedora
installer has put on a laptops root partition from aes-xts-plain to
twofish-xts-plain, because twofish is about 25% faster on this machine.
So I'll boot from CD, take a copy of the root fs, reformat it with the new
specs, and restore from backup. 

However, the uuid of the partition gets changed by this process, and I'm
curious if writing the new uuid into fstab/crypttab/grub.conf is enough 
to boot the system properly. 

I tried to chroot into the Fedora root directory from the boot CD and 
rebuild the initramfs via dracut, but the root partition could not be
found any more. I guess the uuid of the encrypted root partition is
included in the initramfs, which means that I have to build an initramfs 
from the active system, which isn't possible.

So is there a possibility (maybe in cryptsetup) that allows to customize
the uuid? It's possible with xfs_admin to do that, but only the uuid of
the mapped partition, the uuid of the device itself doesn't get changed,
of course.

What am I missing?

Thanks,
Heinz.

Re: [dm-crypt] Encrypted root on Fedora 13

[Milan Broz]

On 10/25/2010 06:52 PM, Heinz Diehl wrote:
> is there any possibility in cryptsetup-1.1.3 to maintain / restore the uuid of an encrypted root
> partition on a Fedora 13 system? 

I think I added UUID into API (so you can specify UUID when formatting drive)
but I probably forgot to add it to CLI (cryptsetup binary) yet.

But there should be also way how to change it later.
(I saw that request for other things - like changing UUID of LUKS snapshot.)

If you want to track this, please add issue to cryptsetup page. I am just trying to
fix some long term requests for new release, this is one of candidates to fix.

But because UUID is encoded in header as string, you can probably
easily modify it using hexaeditor as workaround for now.

> I tried to chroot into the Fedora root directory from the boot CD and 
> rebuild the initramfs via dracut, but the root partition could not be
> found any more. I guess the uuid of the encrypted root partition is
> included in the initramfs, which means that I have to build an initramfs 
> from the active system, which isn't possible.

You can always extract initramfs, change it inside and compile it again.
(it is just cpio.gz archive)
(I have no encrypted fedora handy unfortunately to check whats needed.)

For now, I suggest to boot into dracut shell, activate system manually
(singleuser is ok) and recreate ramdisk.

see http://fedoraproject.org/wiki/Dracut/Debugging and
http://sourceforge.net/apps/trac/dracut/wiki/manpage

It should be 5 minutes job if you know how to do it:-)

Milan

Re: [dm-crypt] Encrypted root on Fedora 13

[Heinz Diehl]

On 25.10.2010, Milan Broz wrote: 

> For now, I suggest to boot into dracut shell, activate system manually
> (singleuser is ok) and recreate ramdisk.

Thanks a lot for your help, Milan! 
I guess I'll do it that way, this is quite ok for me :-)

Thanks,
Heinz.

Re: [dm-crypt] Encrypted root on Fedora 13

[Heinz Diehl]

On 25.10.2010, Milan Broz wrote: 

> For now, I suggest to boot into dracut shell, activate system manually
> (singleuser is ok) and recreate ramdisk.

> It should be 5 minutes job if you know how to do it:-)

Huh, did it, that was easy and effective, worked great. Thanks again ;-)