encrypted root fs

Russell Coker russell at coker.com.au
Mon Aug 16 03:46:55 UTC 2004


On Mon, 16 Aug 2004 01:23, Steve G <linux_4ever at yahoo.com> wrote:
> First comment, this sounds cool. I suspect you want feedback so here it goes:
> >It is hard-coded for the device names that I use (/dev/V0/fc2enc for
> >the encrypted LVM volume)
>
> This sounds very tied to fc2. I would recommend a name that's not tied to a
> distribution release number.

Naturally.  That just happens to be the name I used on my own system, it isn't 
expected to work for anyone else.  The Volume Group name "V0" is also 
specific to my system.  Anyone who wants to do the same will have to change 
the device name as appropriate for their system.

> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124789
>
> You may want to work with this effort.

One thing that has just occurred to me is that using a /etc/crypttab file in 
the same format as Debian will make things a lot easier.  Here is a sample 
crypttab:

# <target device> <source device> <key file> <options>
swap    /dev/V0/swap       /dev/random     swap
root    /dev/V0/fc2       /etc/root-key     defaults

For example, the above file would specify that the device /dev/mapper/swap 
would be /dev/V0/swap encrypted with a key from /dev/random.  In Debian the 
"swap" parameter at the end of the line indicates that after the encrypted 
device is set up the command "mkswap" should be run on it.

Now mkinitrd could check /etc/fstab, see that the root device 
is /dev/mapper/root, look for the appropriate entry in /etc/crypttab then 
know it needs to put /etc/root-key in the initrd and do the mapping 
from /dev/V0/fc2.

I've just added the above text to the bugzilla entry for 124789.

> >Currently the statically linked version of cryptsetup is 780K in size.
>
> I bet it's not stripped either.

No, that's 780K stripped!

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
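The fstab/crypttab lookup sketched in the mail, as an added example rather than code from the mail or from any distribution's mkinitrd: it parses Debian-style crypttab lines, finds the crypttab entry behind the /dev/mapper root device named in fstab, and reports the device to map and the key file an initrd would have to carry. The sample file contents and the function names are my own.

```python
# Added example (not from the mail or any distribution's mkinitrd): resolve which
# /etc/crypttab entry backs the root fs, so an initrd builder knows the device
# to map and the key file to embed. Sample file contents are constructed.

def parse_crypttab(text):
    """Parse Debian-style '<target> <source> <key file> <options>' lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments and blanks
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError(f"malformed crypttab line: {raw!r}")
        opts = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append({"target": fields[0], "source": fields[1],
                        "keyfile": fields[2], "options": opts})
    return entries

def root_device_from_fstab(text):
    """Return the device column of the fstab line whose mount point is '/'."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[1] == "/":
            return fields[0]
    return None

def initrd_requirements(fstab, crypttab):
    """What mkinitrd must carry to set up an encrypted root; None if root is plain."""
    root = root_device_from_fstab(fstab)
    if root is None or not root.startswith("/dev/mapper/"):
        return None
    name = root[len("/dev/mapper/"):]
    for e in parse_crypttab(crypttab):
        if e["target"] != name:
            continue
        # A volatile key (/dev/random, swap option) cannot back a persistent root.
        if e["keyfile"].startswith("/dev/") or "swap" in e["options"]:
            raise ValueError(f"root target {name!r} uses a volatile key")
        return {"target": name, "map_from": e["source"], "embed_key": e["keyfile"]}
    raise ValueError(f"no crypttab entry for root target {name!r}")

# Constructed sample files mirroring the example in the mail.
SAMPLE_CRYPTTAB = """# <target device> <source device> <key file> <options>
swap    /dev/V0/swap       /dev/random     swap
root    /dev/V0/fc2        /etc/root-key   defaults
"""
SAMPLE_FSTAB = """/dev/mapper/root  /     ext3  defaults  1 1
/dev/mapper/swap  swap  swap  defaults  0 0
"""
```

With the sample files, `initrd_requirements(SAMPLE_FSTAB, SAMPLE_CRYPTTAB)` reports that /dev/V0/fc2 must be mapped to "root" and /etc/root-key embedded; a root that is not under /dev/mapper yields None.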
