laptop security - encryption - does not work cleanly on F7

Mail List lists at sapience.com
Sun Jul 8 18:30:32 UTC 2007


  
Attempting to improve laptop security using luks encrypted home partition.

Summary:

  root is a non-starter -
  /home can be made to work via custom rc.local but not cleanly using 
/etc/crypttab.

Details:

  Been struggling with this - sure could use some help. After much reading 
and fiddling I gave up trying to get fedora working with luks dm-crypted root 
as it seems there are limitations with mkinitrd or something. Instead I have 
swap (which does work aside from a resume error on boot) and encrypted /home 
which is a problem and is not working quite right.

  I cannot get machine to boot correctly and mount /home using the 
standard /etc/crypttab /etc/fstab files.

  If anyone can help I'd be very grateful - I know this should work - a friend 
with ubuntu has root encrypted and it runs no prob - so I just need help with 
the fedora magic.

 Here's what is going on.

  I created luks encrypted /home - put info in /etc/crypttab. Set fstab to now 
mount /dev/mapper/XX onto /home. Hand mounts all work fine. So far so good.

 Now try booting.

 First problem was if fstab has fsck on - then on booting the /etc/crypttab 
triggers a pass-phrase request - which appears to work (small yay) - next 
fsck fails with bad superblock error. I suspect the fsck is done on /dev/sdaX 
instead of /dev/mapper/xx. Obviously this cannot work.

 Q) what needs changing to fix this?

I edited fstab to skip any fsck - now boot proceeds further - then it says 
re-mounting read write - now it prompts for pass phrase a second time (bug?). 
That seems to fail anyway in that /dev/mapper/xx is not created and thus the 
mount fails. Boot proceeds ok - but ends with no /dev/mapper/xx and /home 
cannot be mounted.

 Presumably

       a) I did something wrong (most likely?)

       b) fedora tools are just not ready for encryption (seems so in part)
           Possible things to look at: rc.sysinit, mkinitrd

       c) other.

 Given the importance of laptop security these days I do so hope this can be 
made to work smoothly and so would very much appreciate some help.

   Since I cannot get even a non-root to boot smoothly - I have a ways to go 
before attempting encrypted root - seems debian based distros may be ahead of 
us in this regard.

   For those interested - my work around - is to remove the /etc/crypttab 
file - change fstab to noauto for /home and create a custom script which does 
the crypto by hand - then run it out of rc.local. This gets me going but I 
know there is a "proper" way to do this. I just don't know what it is!

  If anyone is interested in all the details I can share.

thanks.

g/
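
Added example, not part of the original post: a shell check that cross-references /etc/crypttab against /etc/fstab and reports any fstab entry that would point fsck or mount at the raw LUKS partition instead of its /dev/mapper name, which is the configuration-side version of the bad-superblock failure described above. The function name `check_crypt_fstab`, the mapping name `home_crypt` and the device `/dev/sda5` are constructed for illustration, and the check assumes crypttab names the backing device by path.

```shell
#!/bin/sh
# Added example (not from the original post). Cross-checks crypttab against
# fstab. Assumes crypttab names the backing device by path (e.g. /dev/sda5).

# check_crypt_fstab CRYPTTAB FSTAB
# Prints one finding per line; returns 0 when consistent, 1 otherwise.
check_crypt_fstab() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        FILENAME == ARGV[1] { dev[$1] = $2; next }   # crypttab: name -> device
        { mnt[$1] = $2; pass[$1] = ($6 == "" ? 0 : $6) }   # fstab entries
        END {
            for (name in dev) {
                raw = dev[name]
                mapped = "/dev/mapper/" name
                # The ciphertext partition has no valid filesystem superblock,
                # so fsck or mount on it fails; only the mapping is usable.
                if (raw in mnt) {
                    printf "RAW %s mounted on %s (fsck pass %s): use %s\n",
                           raw, mnt[raw], pass[raw], mapped
                    bad = 1
                }
                if (!(mapped in mnt)) {
                    printf "MISSING no fstab entry for %s\n", mapped
                    bad = 1
                }
            }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample files: /home on LUKS, one fstab still naming the raw
# partition and one naming the decrypted mapping.
demo_dir=$(mktemp -d)
printf '%s\n' '# name device keyfile' 'home_crypt /dev/sda5 none' \
    > "$demo_dir/crypttab"
printf '%s\n' '/dev/sda5 /home ext3 defaults 1 2' > "$demo_dir/fstab.bad"
printf '%s\n' '/dev/mapper/home_crypt /home ext3 defaults 1 2' \
    > "$demo_dir/fstab.good"

check_crypt_fstab "$demo_dir/crypttab" "$demo_dir/fstab.bad" \
    || echo "fstab.bad: inconsistent with crypttab"
check_crypt_fstab "$demo_dir/crypttab" "$demo_dir/fstab.good" \
    && echo "fstab.good: consistent with crypttab"
```

A clean result only rules out a mismatch between the two files; it says nothing about which device the boot scripts themselves pass to fsck.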


   

  



