encrypted root fs
Russell Coker
russell at coker.com.au
Mon Aug 16 03:46:55 UTC 2004
On Mon, 16 Aug 2004 01:23, Steve G <linux_4ever at yahoo.com> wrote:
> First comment, this sounds cool. I suspect you want feedback so here it
> goes:
> >It is hard-coded for the device names that I use (/dev/V0/fc2enc for
> >the encrypted LVM volume)
>
> This sounds very tied to fc2. I would recommend a name that's not tied to a
> distribution release number.
Naturally. That just happens to be the name I used on my own system; it isn't
expected to work for anyone else. The Volume Group name "V0" is also
specific to my system. Anyone who wants to do the same will have to change
the device name as appropriate for their system.
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124789
>
> You may want to work with this effort.
One thing that has just occurred to me is that using a /etc/crypttab file in
the same format as Debian will make things a lot easier. Here is a sample
crypttab:
# <target device> <source device> <key file> <options>
swap /dev/V0/swap /dev/random swap
root /dev/V0/fc2 /etc/root-key defaults
For example the above file would specify that the device /dev/mapper/swap
would be /dev/V0/swap encrypted with a key from /dev/random. In Debian the
"swap" parameter at the end of the line indicates that after the encrypted
device is set up the command "mkswap" should be run on it.
Now mkinitrd could check /etc/fstab, see that the root device
is /dev/mapper/root, look for the appropriate entry in /etc/crypttab then
know it needs to put /etc/root-key in the initrd and do the mapping
from /dev/V0/fc2 .
I've just added the above text to the bugzilla entry for 124789.
> >Currently the statically linked version of cryptsetup is 780K in size.
>
> I bet it's not stripped either.
No, that's 780K stripped!
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
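
Added example, not part of the original message and not mkinitrd's own code: shell functions that perform the lookup the message proposes, resolving the root device from fstab to its crypttab entry and reporting which source device and key file the initrd would need. The function names and the fstab contents are assumptions made for illustration; the crypttab is the sample from the message.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not taken from mkinitrd.

# root_device FSTAB: print the device mounted on "/".
root_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# crypt_entry CRYPTTAB TARGET: print "source keyfile options" for TARGET.
crypt_entry() {
    awk -v t="$2" '$1 !~ /^#/ && $1 == t { print $2, $3, $4; exit }' "$1"
}

# initrd_plan FSTAB CRYPTTAB: print "<source device> <key file>" for an
# encrypted root. Returns 1 if root is not under /dev/mapper, 2 if it has
# no crypttab entry, 3 if the key is a random device (usable for swap, but
# a root filesystem keyed that way could not be reopened after a reboot).
initrd_plan() {
    dev=$(root_device "$1")
    case "$dev" in
        /dev/mapper/*) target=${dev#/dev/mapper/} ;;
        *) return 1 ;;
    esac
    entry=$(crypt_entry "$2" "$target")
    [ -n "$entry" ] || return 2
    set -- $entry            # $1 = source device, $2 = key file
    case "$2" in
        /dev/random|/dev/urandom) return 3 ;;
    esac
    echo "$1 $2"
}

# make_samples DIR: write constructed sample files into DIR.
make_samples() {
    dir=$1
    printf '%s\n' '# <target device> <source device> <key file> <options>' \
        'swap /dev/V0/swap /dev/random swap' \
        'root /dev/V0/fc2 /etc/root-key defaults' > "$dir/crypttab"
    # Constructed fstab (assumed layout, not from the message).
    printf '%s\n' '/dev/mapper/root / ext3 defaults 1 1' \
        '/dev/mapper/swap swap swap defaults 0 0' > "$dir/fstab"
}

demo=$(mktemp -d)
make_samples "$demo"
initrd_plan "$demo/fstab" "$demo/crypttab"
rm -rf "$demo"
```

The key file named in the result is the one that would be copied into the initrd, so anyone who can read the initrd image can read the key.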