DM-Crypt Archive on lore.kernel.org
* [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access?
@ 2014-04-27 16:55 Dáire Fagan
  0 siblings, 0 replies; 5+ messages in thread
From: Dáire Fagan @ 2014-04-27 16:55 UTC (permalink / raw)
  To: dm-crypt

Hi

Although the /dev/mapper/vg-shared volume mounts at boot automatically
like /root and /home, and although I can open it without having to
enter the passphrase again, I cannot create files on it.

From the commands below, that I used to set up /root, /home, and swap
mounting at boot with a single passphrase entry, I have tried
replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo
mount /dev/vg/shared /mnt' but then when I go onto the next command
'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed
to run command ‘mount’: No such file or directory'.

Can anyone tell me how I should edit the following commands so that
/dev/vg/-shared not only mounts at boot, but I can also write to it?
Is my encryption method below best practice, apart from needing to run
cryptsetup first? Is there any way to have the partition appear as
/media/daire/shared instead of a long /media/daire/long-hex-string?

sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:
sudo mount /dev/vg/ubuntu-root /mnt
sudo chroot /mnt mount /proc
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt mount /boot
sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
sudo chroot /mnt update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt

Would it be messy to just use something like sudo chown -R $daire:$daire
/mnt/shared ?

==================================================================================

If you need more information the following is how I have encrypted the
/root, /home, and swap partitions on a disk already containing Windows
8.1 and only require a single passphrase entry on boot:

(I have read the Ubuntu alternate install CD used to offer this option
before Canonical cancelled it)

I create 500 MiB ext4 sda5 partition that will later be assigned as
/boot (UEFI Win 8.1 partitions on sda1, sda2, sda3, and sda4)

sudo dd if=/dev/urandom of=/dev/sda6

12 hours elapse.

dd: writing to ‘/dev/sda6’: No space left on device
660092929+0 records in
660092928+0 records out
337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s

modprobe dm-crypt
modprobe aes-x86_64
modprobe sha256

When I do this over I will run cryptsetup benchmark first to see which
iteration and algorithm works best for my system.

sudo cryptsetup luksFormat /dev/sda6

WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:

sudo pvcreate /dev/mapper/enc-pv
 Physical volume "/dev/mapper/enc-pv" successfully created
sudo vgcreate vg /dev/mapper/enc-pv
 Volume group "vg" successfully created
sudo lvcreate -L 8.5G -n swap vg
 Logical volume "swap" created
sudo lvcreate -L 20G -n ubuntu-root vg
 Logical volume "ubuntu-root" created
sudo lvcreate -L 50G -n ubuntu-home vg
 Logical volume "ubuntu-home" created
sudo lvcreate -L 140G -n shared vg
 Logical volume "shared" created

sudo lvdisplay
 --- Logical volume ---
 LV Path                /dev/vg/swap
 LV Name                swap
 VG Name                vg
 LV UUID                EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
 LV Status              available
 # open                 0
 LV Size                8.50 GiB
 Current LE             2176
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:1

 --- Logical volume ---
 LV Path                /dev/vg/ubuntu-root
 LV Name                ubuntu-root
 VG Name                vg
 LV UUID                TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
 LV Status              available
 # open                 0
 LV Size                20.00 GiB
 Current LE             5120
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:2

 --- Logical volume ---
 LV Path                /dev/vg/shared
 LV Name                shared
 VG Name                vg
 LV UUID                dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
 LV Status              available
 # open                 0
 LV Size                140.00 GiB
 Current LE             35840
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:4

 --- Logical volume ---
 LV Path                /dev/vg/ubuntu-home
 LV Name                ubuntu-home
 VG Name                vg
 LV UUID                pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
 LV Status              available
 # open                 0
 LV Size                50.00 GiB
 Current LE             12800
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:3

sudo vgdisplay | grep -i free
 Free  PE / Size       24641 / 96.25 GiB

sudo mkfs.ext4 /dev/mapper/vg-shared

mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
9175040 inodes, 36700160 blocks
1835008 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
1120 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
   32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
   4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

There was similar output for:

sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home

I may have needed to add an extra hyphen, like vg-ubuntu--root

Next I opened the Ubuntu 14.04 installer and selected 'something
else'. I assigned /boot to the 500 MiB partition on sda5 and then
/root, /home, and swap to the logical /dev/mapper/vg volumes.

After Ubuntu installs, before rebooting from the live USB, I entered
the following:

sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:
sudo mount /dev/vg/ubuntu-root /mnt
sudo chroot /mnt mount /proc
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt mount /boot
sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
sudo chroot /mnt update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt

On reboot Ubuntu boots asking for only one entry of the passphrase
instead of three, one for each encrypted volume.

==================================================================

Thanks

Dáire.
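
The crypttab step in the message above appends with `tee -a`, so running the procedure a second time leaves two `enc-pv` lines in /etc/crypttab. The following is an added example, not part of the original post: it builds the same four-field line and appends it only when no entry for that mapped name exists. The function names, return codes and the character set allowed for the mapped name are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): build and idempotently append
# a crypttab entry. Field layout follows the line shown in the post:
#   <mapped name> UUID=<LUKS UUID> <key file or "none"> <options>

# Print a crypttab line, or return 1 if the name or UUID is malformed.
crypttab_entry() {
    name=$1 uuid=$2
    # Mapped name: restricted to a conservative character set (assumption).
    case $name in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    # blkid prints a LUKS UUID as 8-4-4-4-12 hex digits.
    printf '%s\n' "$uuid" | grep -Eq \
        '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# Append the entry to FILE unless a line for NAME is already present.
# Returns 0 = added, 2 = identical entry already present,
#         3 = NAME present with different fields, 1 = bad input.
crypttab_add() {
    file=$1 name=$2 uuid=$3
    line=$(crypttab_entry "$name" "$uuid") || return 1
    existing=
    if [ -f "$file" ]; then
        # First line whose first field is NAME; comment lines never match.
        existing=$(awk -v n="$name" '$1 == n { print; exit }' "$file")
    fi
    if [ -z "$existing" ]; then
        printf '%s\n' "$line" >> "$file"
        return 0
    fi
    # Collapse runs of blanks so tab- and space-separated entries compare equal.
    norm=$(printf '%s\n' "$existing" | awk '{ $1 = $1; print }')
    [ "$norm" = "$line" ] && return 2
    return 3
}

# Demo on a scratch file, using the UUID printed in the post.
demo=$(mktemp)
for attempt in 1 2; do
    rc=0
    crypttab_add "$demo" enc-pv ad8b8a32-95ea-4add-abe6-326d151e30fa || rc=$?
    echo "attempt $attempt: rc=$rc"
done
cat "$demo"
rm -f "$demo"
```

Against the real file this would be run as root with /mnt/etc/crypttab as FILE, followed by the update-initramfs step from the post.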


* [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access?
@ 2014-04-27 17:00 Dáire Fagan
  2014-04-27 20:32 ` Arno Wagner
  0 siblings, 1 reply; 5+ messages in thread
From: Dáire Fagan @ 2014-04-27 17:00 UTC (permalink / raw)
  To: dm-crypt

Hi

Although the /dev/mapper/vg-shared volume mounts at boot automatically
like /root and /home, and although I can open it without having to
enter the passphrase again, I cannot create files on it.

From the commands below, that I used to set up /root, /home, and swap
mounting at boot with a single passphrase entry, I have tried
replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo
mount /dev/vg/shared /mnt' but then when I go onto the next command
'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed
to run command ‘mount’: No such file or directory'.

Can anyone tell me how I should edit the following commands so that
/dev/vg/-shared not only mounts at boot, but I can also write to it?
Is my encryption method below best practice, apart from needing to run
cryptsetup first? Is there any way to have the partition appear as
/media/daire/shared instead of a long /media/daire/long-hex-string?

sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:
sudo mount /dev/vg/ubuntu-root /mnt
sudo chroot /mnt mount /proc
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt mount /boot
sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
sudo chroot /mnt update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt

Would it be messy to just use something like sudo chown -R $daire:$daire
/mnt/shared ?

==================================================================================

If you need more information the following is how I have encrypted the
/root, /home, and swap partitions on a disk already containing Windows
8.1 and only require a single passphrase entry on boot:

(I have read the Ubuntu alternate install CD used to offer this option
before Canonical cancelled it)

I create 500 MiB ext4 sda5 partition that will later be assigned as
/boot (UEFI Win 8.1 partitions on sda1, sda2, sda3, and sda4)

sudo dd if=/dev/urandom of=/dev/sda6

12 hours elapse.

dd: writing to ‘/dev/sda6’: No space left on device
660092929+0 records in
660092928+0 records out
337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s

modprobe dm-crypt
modprobe aes-x86_64
modprobe sha256

When I do this over I will run cryptsetup benchmark first to see which
iteration and algorithm works best for my system.

sudo cryptsetup luksFormat /dev/sda6

WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:

sudo pvcreate /dev/mapper/enc-pv
 Physical volume "/dev/mapper/enc-pv" successfully created
sudo vgcreate vg /dev/mapper/enc-pv
 Volume group "vg" successfully created
sudo lvcreate -L 8.5G -n swap vg
 Logical volume "swap" created
sudo lvcreate -L 20G -n ubuntu-root vg
 Logical volume "ubuntu-root" created
sudo lvcreate -L 50G -n ubuntu-home vg
 Logical volume "ubuntu-home" created
sudo lvcreate -L 140G -n shared vg
 Logical volume "shared" created

sudo lvdisplay
 --- Logical volume ---
 LV Path                /dev/vg/swap
 LV Name                swap
 VG Name                vg
 LV UUID                EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
 LV Status              available
 # open                 0
 LV Size                8.50 GiB
 Current LE             2176
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:1

 --- Logical volume ---
 LV Path                /dev/vg/ubuntu-root
 LV Name                ubuntu-root
 VG Name                vg
 LV UUID                TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
 LV Status              available
 # open                 0
 LV Size                20.00 GiB
 Current LE             5120
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:2

 --- Logical volume ---
 LV Path                /dev/vg/shared
 LV Name                shared
 VG Name                vg
 LV UUID                dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
 LV Status              available
 # open                 0
 LV Size                140.00 GiB
 Current LE             35840
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:4

 --- Logical volume ---
 LV Path                /dev/vg/ubuntu-home
 LV Name                ubuntu-home
 VG Name                vg
 LV UUID                pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
 LV Write Access        read/write
 LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
 LV Status              available
 # open                 0
 LV Size                50.00 GiB
 Current LE             12800
 Segments               1
 Allocation             inherit
 Read ahead sectors     auto
 - currently set to     256
 Block device           252:3

sudo vgdisplay | grep -i free
 Free  PE / Size       24641 / 96.25 GiB

sudo mkfs.ext4 /dev/mapper/vg-shared

mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
9175040 inodes, 36700160 blocks
1835008 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
1120 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
   32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
   4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

There was similar output for:

sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home

I may have needed to add an extra hyphen, like vg-ubuntu--root

Next I opened the Ubuntu 14.04 installer and selected 'something
else'. I assigned /boot to the 500 MiB partition on sda5 and then
/root, /home, and swap to the logical /dev/mapper/vg volumes.

After Ubuntu installs, before rebooting from the live USB, I entered
the following:

sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:
sudo mount /dev/vg/ubuntu-root /mnt
sudo chroot /mnt mount /proc
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt mount /boot
sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
sudo chroot /mnt update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt

On reboot Ubuntu boots asking for only one entry of the passphrase
instead of three, one for each encrypted volume.

==================================================================

Thanks


* Re: [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access?
  2014-04-27 17:00 [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access? Dáire Fagan
@ 2014-04-27 20:32 ` Arno Wagner
  2014-04-27 21:20   ` Dáire Fagan
  0 siblings, 1 reply; 5+ messages in thread
From: Arno Wagner @ 2014-04-27 20:32 UTC (permalink / raw)
  To: dm-crypt

Sounds like a problem you should complain to Ubuntu about.
This mailing list here is only for the raw "cryptsetup" 
command...

Arno

On Sun, Apr 27, 2014 at 19:00:00 CEST, Dáire Fagan wrote:
> Hi
> 
> Although the /dev/mapper/vg-shared volume mounts at boot automatically
> like /root and /home, and although I can open it without having to
> enter the passphrase again, I cannot create files on it.
> 
> From the commands below, that I used to set up /root, /home, and swap
> mounting at boot with a single passphrase entry, I have tried
> replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo
> mount /dev/vg/shared /mnt' but then when I go onto the next command
> 'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed
> to run command ‘mount’: No such file or directory'.
> 
> Can anyone tell me how I should edit the following commands so that
> /dev/vg/-shared not only mounts at boot, but I can also write to it?
> Is my encryption method below best practice, apart from needing to run
> cryptsetup first? Is there any way to have the partition appear as
> /media/daire/shared instead of a long /media/daire/long-hex-string?
> 
> sudo cryptsetup luksOpen /dev/sda6 enc-pv
> Enter passphrase for /dev/sda6:
> sudo mount /dev/vg/ubuntu-root /mnt
> sudo chroot /mnt mount /proc
> sudo mount --bind /dev /mnt/dev
> sudo chroot /mnt mount /boot
> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
> sudo chroot /mnt update-initramfs -u
> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
> 
> Would it be messy to just use something like sudo chown -R $daire:$daire
> /mnt/shared ?
> 
> ==================================================================================
> 
> If you need more information the following is how I have encrypted the
> /root, /home, and swap partitions on a disk already containing Windows
> 8.1 and only require a single passphrase entry on boot:
> 
> (I have read the Ubuntu alternate install CD used to offer this option
> before Canonical cancelled it)
> 
> I create 500 MiB ext4 sda5 partition that will later be assigned as
> /boot (UEFI Win 8.1 partitions on sda1, sda2, sda3, and sda4)
> 
> sudo dd if=/dev/urandom of=/dev/sda6
> 
> 12 hours elapse.
> 
> dd: writing to ‘/dev/sda6’: No space left on device
> 660092929+0 records in
> 660092928+0 records out
> 337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s
> 
> modprobe dm-crypt
> modprobe aes-x86_64
> modprobe sha256
> 
> When I do this over I will run cryptsetup benchmark first to see which
> iteration and algorithm works best for my system.
> 
> sudo cryptsetup luksFormat /dev/sda6
> 
> WARNING!
> ========
> This will overwrite data on /dev/sda6 irrevocably.
> 
> Are you sure? (Type uppercase yes): YES
> Enter passphrase:
> Verify passphrase:
> sudo cryptsetup luksOpen /dev/sda6 enc-pv
> Enter passphrase for /dev/sda6:
> 
> sudo pvcreate /dev/mapper/enc-pv
>  Physical volume "/dev/mapper/enc-pv" successfully created
> sudo vgcreate vg /dev/mapper/enc-pv
>  Volume group "vg" successfully created
> sudo lvcreate -L 8.5G -n swap vg
>  Logical volume "swap" created
> sudo lvcreate -L 20G -n ubuntu-root vg
>  Logical volume "ubuntu-root" created
> sudo lvcreate -L 50G -n ubuntu-home vg
>  Logical volume "ubuntu-home" created
> sudo lvcreate -L 140G -n shared vg
>  Logical volume "shared" created
> 
> sudo lvdisplay
>  --- Logical volume ---
>  LV Path                /dev/vg/swap
>  LV Name                swap
>  VG Name                vg
>  LV UUID                EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
>  LV Write Access        read/write
>  LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
>  LV Status              available
>  # open                 0
>  LV Size                8.50 GiB
>  Current LE             2176
>  Segments               1
>  Allocation             inherit
>  Read ahead sectors     auto
>  - currently set to     256
>  Block device           252:1
> 
>  --- Logical volume ---
>  LV Path                /dev/vg/ubuntu-root
>  LV Name                ubuntu-root
>  VG Name                vg
>  LV UUID                TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
>  LV Write Access        read/write
>  LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
>  LV Status              available
>  # open                 0
>  LV Size                20.00 GiB
>  Current LE             5120
>  Segments               1
>  Allocation             inherit
>  Read ahead sectors     auto
>  - currently set to     256
>  Block device           252:2
> 
>  --- Logical volume ---
>  LV Path                /dev/vg/shared
>  LV Name                shared
>  VG Name                vg
>  LV UUID                dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
>  LV Write Access        read/write
>  LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
>  LV Status              available
>  # open                 0
>  LV Size                140.00 GiB
>  Current LE             35840
>  Segments               1
>  Allocation             inherit
>  Read ahead sectors     auto
>  - currently set to     256
>  Block device           252:4
> 
>  --- Logical volume ---
>  LV Path                /dev/vg/ubuntu-home
>  LV Name                ubuntu-home
>  VG Name                vg
>  LV UUID                pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
>  LV Write Access        read/write
>  LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
>  LV Status              available
>  # open                 0
>  LV Size                50.00 GiB
>  Current LE             12800
>  Segments               1
>  Allocation             inherit
>  Read ahead sectors     auto
>  - currently set to     256
>  Block device           252:3
> 
> sudo vgdisplay | grep -i free
>  Free  PE / Size       24641 / 96.25 GiB
> 
> sudo mkfs.ext4 /dev/mapper/vg-shared
> 
> mke2fs 1.42.9 (4-Feb-2014)
> Filesystem label=
> OS type: Linux
> Block size=4096 (log=2)
> Fragment size=4096 (log=2)
> Stride=0 blocks, Stripe width=0 blocks
> 9175040 inodes, 36700160 blocks
> 1835008 blocks (5.00%) reserved for the super user
> First data block=0
> Maximum filesystem blocks=4294967296
> 1120 block groups
> 32768 blocks per group, 32768 fragments per group
> 8192 inodes per group
> Superblock backups stored on blocks:
>    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
>    4096000, 7962624, 11239424, 20480000, 23887872
> 
> Allocating group tables: done
> Writing inode tables: done
> Creating journal (32768 blocks): done
> Writing superblocks and filesystem accounting information: done
> 
> There was similar output for:
> 
> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home
> 
> I may have needed to add an extra hyphen, like vg-ubuntu--root
> 
> Next I opened the Ubuntu 14.04 installer and selected 'something
> else'. I assigned /boot to the 500 MiB partition on sda5 and then
> /root, /home, and swap to the logical /dev/mapper/vg volumes.
> 
> After Ubuntu installs, before rebooting from the live USB, I entered
> the following:
> 
> sudo cryptsetup luksOpen /dev/sda6 enc-pv
> Enter passphrase for /dev/sda6:
> sudo mount /dev/vg/ubuntu-root /mnt
> sudo chroot /mnt mount /proc
> sudo mount --bind /dev /mnt/dev
> sudo chroot /mnt mount /boot
> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
> sudo chroot /mnt update-initramfs -u
> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
> 
> On reboot Ubuntu boots asking for only one entry of the passphrase
> instead of three, one for each encrypted volume.
> 
> ==================================================================
> 
> Thanks
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

-- 
Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -  Plato


* Re: [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access?
  2014-04-27 20:32 ` Arno Wagner
@ 2014-04-27 21:20   ` Dáire Fagan
  2014-04-28  4:15     ` Milan Broz
  0 siblings, 1 reply; 5+ messages in thread
From: Dáire Fagan @ 2014-04-27 21:20 UTC (permalink / raw)
  To: dm-crypt

Hi

I have asked for support on the Ubuntu forums, and many non-distro
Linux forums, I thought someone here might be able to help me as I am
trying to mount a logical volume with write access that is part of a
cryptsetup encrypted physical volume - I figured people on this mailing
list would have experience of this.

Is the encryption method I used best practice?

On 27 April 2014 21:32, Arno Wagner <arno@wagner.name> wrote:
> Sounds like a problem you should complain to Ubuntu about.
> This mailing list here is only for the raw "cryptsetup"
> command...
>
> Arno
>
> On Sun, Apr 27, 2014 at 19:00:00 CEST, Dáire Fagan wrote:
>> Hi
>>
>> Although the /dev/mapper/vg-shared volume mounts at boot automatically
>> like /root and /home, and although I can open it without having to
>> enter the passphrase again, I cannot create files on it.
>>
>> From the commands below, that I used to set up /root, /home, and swap
>> mounting at boot with a single passphrase entry, I have tried
>> replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo
>> mount /dev/vg/shared /mnt' but then when I go onto the next command
>> 'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed
>> to run command ‘mount’: No such file or directory'.
>>
>> Can anyone tell me how I should edit the following commands so that
>> /dev/vg/-shared not only mounts at boot, but I can also write to it?
>> Is my encryption method below best practice, apart from needing to run
>> cryptsetup first? Is there any way to have the partition appear as
>> /media/daire/shared instead of a long /media/daire/long-hex-string?
>>
>> sudo cryptsetup luksOpen /dev/sda6 enc-pv
>> Enter passphrase for /dev/sda6:
>> sudo mount /dev/vg/ubuntu-root /mnt
>> sudo chroot /mnt mount /proc
>> sudo mount --bind /dev /mnt/dev
>> sudo chroot /mnt mount /boot
>> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
>> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
>> sudo chroot /mnt update-initramfs -u
>> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
>> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
>>
>> Would it be messy to just use something like sudo chown -R $daire:$daire
>> /mnt/shared ?
>>
>> ==================================================================================
>>
>> If you need more information the following is how I have encrypted the
>> /root, /home, and swap partitions on a disk already containing Windows
>> 8.1 and only require a single passphrase entry on boot:
>>
>> (I have read the Ubuntu alternate install CD used to offer this option
>> before Canonical cancelled it)
>>
>> I create 500 MiB ext4 sda5 partition that will later be assigned as
>> /boot (UEFI Win 8.1 partitions on sda1, sda2, sda3, and sda4)
>>
>> sudo dd if=/dev/urandom of=/dev/sda6
>>
>> 12 hours elapse.
>>
>> dd: writing to ‘/dev/sda6’: No space left on device
>> 660092929+0 records in
>> 660092928+0 records out
>> 337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s
>>
>> modprobe dm-crypt
>> modprobe aes-x86_64
>> modprobe sha256
>>
>> When I do this over I will run cryptsetup benchmark first to see which
>> iteration and algorithm works best for my system.
>>
>> sudo cryptsetup luksFormat /dev/sda6
>>
>> WARNING!
>> ========
>> This will overwrite data on /dev/sda6 irrevocably.
>>
>> Are you sure? (Type uppercase yes): YES
>> Enter passphrase:
>> Verify passphrase:
>> sudo cryptsetup luksOpen /dev/sda6 enc-pv
>> Enter passphrase for /dev/sda6:
>>
>> sudo pvcreate /dev/mapper/enc-pv
>>  Physical volume "/dev/mapper/enc-pv" successfully created
>> sudo vgcreate vg /dev/mapper/enc-pv
>>  Volume group "vg" successfully created
>> sudo lvcreate -L 8.5G -n swap vg
>>  Logical volume "swap" created
>> sudo lvcreate -L 20G -n ubuntu-root vg
>>  Logical volume "ubuntu-root" created
>> sudo lvcreate -L 50G -n ubuntu-home vg
>>  Logical volume "ubuntu-home" created
>> sudo lvcreate -L 140G -n shared vg
>>  Logical volume "shared" created
>>
>> sudo lvdisplay
>>  --- Logical volume ---
>>  LV Path                /dev/vg/swap
>>  LV Name                swap
>>  VG Name                vg
>>  LV UUID                EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
>>  LV Write Access        read/write
>>  LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
>>  LV Status              available
>>  # open                 0
>>  LV Size                8.50 GiB
>>  Current LE             2176
>>  Segments               1
>>  Allocation             inherit
>>  Read ahead sectors     auto
>>  - currently set to     256
>>  Block device           252:1
>>
>>  --- Logical volume ---
>>  LV Path                /dev/vg/ubuntu-root
>>  LV Name                ubuntu-root
>>  VG Name                vg
>>  LV UUID                TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
>>  LV Write Access        read/write
>>  LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
>>  LV Status              available
>>  # open                 0
>>  LV Size                20.00 GiB
>>  Current LE             5120
>>  Segments               1
>>  Allocation             inherit
>>  Read ahead sectors     auto
>>  - currently set to     256
>>  Block device           252:2
>>
>>  --- Logical volume ---
>>  LV Path                /dev/vg/shared
>>  LV Name                shared
>>  VG Name                vg
>>  LV UUID                dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
>>  LV Write Access        read/write
>>  LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
>>  LV Status              available
>>  # open                 0
>>  LV Size                140.00 GiB
>>  Current LE             35840
>>  Segments               1
>>  Allocation             inherit
>>  Read ahead sectors     auto
>>  - currently set to     256
>>  Block device           252:4
>>
>>  --- Logical volume ---
>>  LV Path                /dev/vg/ubuntu-home
>>  LV Name                ubuntu-home
>>  VG Name                vg
>>  LV UUID                pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
>>  LV Write Access        read/write
>>  LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
>>  LV Status              available
>>  # open                 0
>>  LV Size                50.00 GiB
>>  Current LE             12800
>>  Segments               1
>>  Allocation             inherit
>>  Read ahead sectors     auto
>>  - currently set to     256
>>  Block device           252:3
>>
>> sudo vgdisplay | grep -i free
>>  Free  PE / Size       24641 / 96.25 GiB
>>
>> sudo mkfs.ext4 /dev/mapper/vg-shared
>>
>> mke2fs 1.42.9 (4-Feb-2014)
>> Filesystem label=
>> OS type: Linux
>> Block size=4096 (log=2)
>> Fragment size=4096 (log=2)
>> Stride=0 blocks, Stripe width=0 blocks
>> 9175040 inodes, 36700160 blocks
>> 1835008 blocks (5.00%) reserved for the super user
>> First data block=0
>> Maximum filesystem blocks=4294967296
>> 1120 block groups
>> 32768 blocks per group, 32768 fragments per group
>> 8192 inodes per group
>> Superblock backups stored on blocks:
>>    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
>>    4096000, 7962624, 11239424, 20480000, 23887872
>>
>> Allocating group tables: done
>> Writing inode tables: done
>> Creating journal (32768 blocks): done
>> Writing superblocks and filesystem accounting information: done
>>
>> There was similar output for:
>>
>> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
>> sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home
>>
>> I may have needed to add an extra hyphen, like vg-ubuntu--root
>>
>> Next I opened the Ubuntu 14.04 installer and selected 'something
>> else'. I assigned /boot to the 500 MiB partition on sda5 and then
>> /root, /home, and swap to the logical /dev/mapper/vg volumes.
>>
>> After Ubuntu installs, before rebooting from the live USB, I entered
>> the following:
>>
>> sudo cryptsetup luksOpen /dev/sda6 enc-pv
>> Enter passphrase for /dev/sda6:
>> sudo mount /dev/vg/ubuntu-root /mnt
>> sudo chroot /mnt mount /proc
>> sudo mount --bind /dev /mnt/dev
>> sudo chroot /mnt mount /boot
>> sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none
>> luks" | sudo tee -a /mnt/etc/crypttab
>> enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
>> sudo chroot /mnt update-initramfs -u
>> update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
>> sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
>>
>> On reboot Ubuntu boots asking for only one entry of the passphrase
>> instead of three, one for each encrypted volume.
>>
>> ==================================================================
>>
>> Thanks
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt@saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>
> --
> Arno Wagner,     Dr. sc. techn., Dipl. Inform.,    Email: arno@wagner.name
> GnuPG: ID: CB5D9718  FP: 12D6 C03B 1B30 33BB 13CF  B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -  Plato


* Re: [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access?
  2014-04-27 21:20   ` Dáire Fagan
@ 2014-04-28  4:15     ` Milan Broz
  0 siblings, 0 replies; 5+ messages in thread
From: Milan Broz @ 2014-04-28  4:15 UTC (permalink / raw)
  To: Dáire Fagan, dm-crypt

On 04/27/2014 11:20 PM, Dáire Fagan wrote:
> Hi
> 
> I have asked for support on the Ubuntu forums, and many non distro
> linux forums, I thought someone here might be able to help me as I am
> trying to mount a logical volume with write access that is part of a
> cryptsetup encrypted physical volume - I figured people on this mailing
> list would have experience of this.

According to the list of your devices, it is activated as read/write.
(Check it from the bottom up - use lsblk to display the volume stack
and then "dmsetup info", "cryptsetup status <dev>", lvs/lvdisplay, mount
should verify that all layers are activated properly.)

Anyway, it is distro specific how to properly update initramfs
to activate the volume on boot...
(On Debian this works quite nicely so I see no reason Ubuntu should differ here,
but really, this is not an Ubuntu support forum.)

Check /etc/fstab and /etc/crypttab (the crypt device must be there).
Also check access rights to the device nodes and the directory where you are mounting the fs.

BTW you can probably change the activated name in /etc/crypttab.

> Is the encryption method I used best practice?
...
>>> When I do this over I will run cryptsetup benchmark first to see which
>>> iteration and algorithm works best for my system.

Be sure you understand the consequences of switching parameters
(it is not only about speed).
It is better to stick with the defaults if you are not sure.

Milan

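The layer-by-layer check suggested in the reply above, as an added example
that is not part of the thread or of any poster's own commands. It reads
crypttab, fstab and the live mount table, then tests the mount point
directory, and reports the first places where write access is lost. The
function names and the /mnt/shared path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which layer makes a mount
# read-only. File paths are parameters so constructed samples can be used.

# opts_for FILE KEY COL: options field (column 4) of the last non-comment
# line whose column COL equals KEY. Works for crypttab (COL=1, name) and
# for fstab or /proc/mounts (COL=2, mount point).
opts_for() {
    awk -v k="$2" -v c="$3" \
        '$1 !~ /^#/ && $c == k { o = $4 } END { print o }' "$1"
}

# has_opt LIST OPT: succeed only if the comma-separated LIST contains OPT
# as a whole item, so "errors=remount-ro" does not count as "ro".
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# diagnose CRYPTTAB FSTAB MOUNTS NAME MOUNTPOINT
# Prints one finding per line, bottom layer first, or "ok" if none.
diagnose() {
    found=0
    c=$(opts_for "$1" "$4" 1)
    if has_opt "$c" readonly || has_opt "$c" read-only; then
        echo "crypttab: $4 is opened read-only"; found=1
    fi
    f=$(opts_for "$2" "$5" 2)
    [ -n "$f" ] || { echo "fstab: no entry for $5"; found=1; }
    if has_opt "$f" ro; then echo "fstab: $5 has option ro"; found=1; fi
    m=$(opts_for "$3" "$5" 2)
    [ -n "$m" ] || { echo "mounts: $5 is not mounted"; found=1; }
    if has_opt "$m" ro; then echo "mounts: $5 is mounted ro"; found=1; fi
    # A fresh ext4 root directory belongs to root, so a regular user
    # cannot create files there even when every layer is read/write.
    [ -w "$5" ] || { echo "dir: $5 not writable by $(id -un)"; found=1; }
    [ "$found" -eq 1 ] || echo ok
}

# Live use: sh check.sh enc-pv /mnt/shared   (both names are placeholders)
if [ "$#" -eq 2 ]; then
    diagnose /etc/crypttab /etc/fstab /proc/mounts "$1" "$2"
fi
```

Run it as the user who needs write access, since the last check depends on
who is asking.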

end of thread, other threads:[~2014-04-28  4:15 UTC | newest]

Thread overview: 5+ messages
2014-04-27 17:00 [dm-crypt] Encrypted LVs /root, /home, and swap mount at boot, as does 'shared' data LV but without write access? Dáire Fagan
2014-04-27 20:32 ` Arno Wagner
2014-04-27 21:20   ` Dáire Fagan
2014-04-28  4:15     ` Milan Broz
  -- strict thread matches above, loose matches on Subject: below --
2014-04-27 16:55 Dáire Fagan
