system startup + cryptsetup

Gabor Walter gabor.walter at gmail.com
Tue Mar 28 06:59:22 UTC 2006


> Gabor Walter wrote:
> > Hi,
> >
> > I want to encrypt my entire /home directory which is on a separate
> > partition. I used cryptsetup which is available in FC5. I successfully
> > created the encrypted partition and I also found a script at
> > http://www.saout.de/tikiwiki/tiki-index.php?page=luksopen which I would like
> > to incorporate into my startup. The question is, where exactly?
> > Should I (can I) modify rc.sysinit?
> > Or should I just put it into rc.local?
> > This is what I tried, but then I keep getting a message that /home needs a
> > file system check and is corrupt (this sounds logical, because at this point
> > the partition is neither opened nor mounted).
> > So it looks to me like a real catch-22.
> > TIA for any suggestions.
> >
> > Gabor Walter
> > Hungary
>
> I'm not on FC5 yet, so take the following with a grain of salt, in case
> FC5 includes the HAL modifications that have been discussed elsewhere.
> From the error message you are getting, which is presumably the result
> of FC5 attempting to auto mount the partition and not recognizing it as
> being encrypted, I presume not.
>
> If not, then you need to modify /etc/fstab so that the mounting
> information for /home is properly mapped to the new device and does not
> auto mount the /home partition before it is opened with the passphrase.
>
> Remove or comment out any existing line in /etc/fstab referring to
> /home. Then add something like the following line:
>
>    /dev/mapper/hdc5    /home         ext3    noauto   0 0
>
> This maps /home to the proper encrypted device, in my case hdc5. It sets
> 'noauto' so that the partition is not auto mounted at boot. You may or
> may not need to add either 'user' or 'users' to the options (noauto)
> field, depending upon the user restrictions you want on mounting the
> partition. Also, change the file system type as may be appropriate, if
> you are not using ext3. See 'man mount' for more info.
>
> As with Reinhard, I also added the luksopen script to rc.local and the
> system prompts me for the passphrase on boot.
>
> HTH,
>
> Marc Schwartz

Thanks to everyone for offering help, my system is now running fine.
A couple of notes in case somebody might find them useful:
1. grub.conf needs editing; that is, I had to remove the rhgb option.
2. SELinux seemed to be complaining, so I disabled that.
3. The luksopen script from the URL in my original posting might have a bug
in it (I am not much of a shell script guru) because when it reaches the
point where it attempts to open and mount the encrypted partitions, it will
just skip them even if I press 'y'. So I commented that out and explicitly
inserted the appropriate commands.

Gabor Walter
Hungary
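
An added example, not part of the thread or of the luksopen script: a pre-reboot check that the active /home line in an fstab file has the shape Marc's reply describes (a /dev/mapper device, 'noauto' among the options, and the fsck pass of 0 from his sample line). The function name check_home_fstab and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# check_home_fstab FILE [MOUNTPOINT]   (hypothetical helper, not from the thread)
# Prints one finding per problem; returns non-zero if anything was found.
check_home_fstab() {
    fstab=$1
    mnt=${2:-/home}
    awk -v mnt="$mnt" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $2 == mnt {
            seen++
            # Device must be the opened mapping, not the raw partition or a label.
            if ($1 !~ /^\/dev\/mapper\//) {
                printf "line %d: %s is not a /dev/mapper device\n", NR, $1; bad++
            }
            # noauto must be one of the comma-separated options (user/users may follow).
            n = split($4, opts, ",")
            noauto = 0
            for (i = 1; i <= n; i++) if (opts[i] == "noauto") noauto = 1
            if (!noauto) {
                printf "line %d: options \"%s\" lack noauto\n", NR, $4; bad++
            }
            # Sixth field as in the sample line: 0, so no boot-time check is requested.
            if ($6 != "" && $6 != "0") {
                printf "line %d: fsck pass is %s, expected 0\n", NR, $6; bad++
            }
        }
        END {
            if (seen == 0) { printf "no active entry for %s\n", mnt; bad++ }
            if (seen > 1)  { printf "%d active entries for %s\n", seen, mnt; bad++ }
            exit (bad > 0)
        }
    ' "$fstab"
}

# Constructed sample: the old entry was left active beside the new one.
sample=$(mktemp)
printf '%s\n' \
    'LABEL=/home        /home   ext3    defaults  1 2' \
    '/dev/mapper/hdc5   /home   ext3    noauto    0 0' > "$sample"
check_home_fstab "$sample" || echo "fix the entries above before rebooting"
rm -f "$sample"
```

Run it against the real file with `check_home_fstab /etc/fstab` after editing and before the next boot.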