laptop security - encryption - does not work cleanly on F7
Mail List
lists at sapience.com
Sun Jul 8 18:30:32 UTC 2007
Attempting to improve laptop security using luks encrypted home partition.
Summary:
root is a non-starter -
/home can be made to work via custom rc.local but not
cleanly using /etc/crypttab.
Details:
Been struggling with this - sure could use some help. After much reading
and fiddling I gave up trying to get fedora working with luks dm-crypted root
as it seems there are limitations with mkinitrd or something. Instead I have
swap (which does work aside from a resume error on boot) and encrypted /home
which is a problem and is not working quite right.
I cannot get machine to boot correctly and mount /home using the
standard /etc/crypttab /etc/fstab files.
If anyone can help I'd be very grateful - I know this should work - a friend
with ubuntu has root encrypted and it runs no prob - so I just need help with
the fedora magic.
Here's what is going on.
I created luks encrypted /home - put info in /etc/crypttab. Set fstab to now
mount /dev/mapper/XX onto /home. Hand mounts all work fine. So far so good.
Now try booting.
First problem was if fstab has fsck on - then on booting the /etc/crypttab
triggers a pass-phrase request - which appears to work (small yay) - next
fsck fails with bad superblock error. I suspect the fsck is done on /dev/sdaX
instead of /dev/mapper/xx. Obviously this cannot work.
Q) what needs changing to fix this?
I edited fstab to skip any fsck - now boot proceeds further - then it says
re-mounting read write - now it prompts for pass phrase a second time (bug?).
That seems to fail anyway in that /dev/mapper/xx is not created and thus the
mount fails. Boot proceeds ok - but ends with no /dev/mapper/xx and /home
cannot be mounted.
Presumably
a) I did something wrong (most likely?)
b) fedora tools are just not ready for encryption (seems so in part)
Possible things to look at: rc.sysinit, mkinitrd
c) other.
Given the importance of laptop security these days I do so hope this can be
made to work smoothly and so would very much appreciate some help.
Since I cannot get even a non-root to boot smoothly - I have a ways to go
before attempting encrypted root - seems debian based distros may be ahead of
us in this regard.
For those interested - my work around - is to remove the /etc/crypttab
file - change fstab to noauto for /home and create a custom script which does
the crypto by hand - then run it out of rc.local. This gets me going but I
know there is a "proper" way to do this. I just don't know what it is!
If anyone is interested in all the details I can share.
thanks.
g/
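
Added example, not part of the original post: a pre-reboot check that every /etc/fstab entry for a crypttab volume names /dev/mapper/<name> rather than the underlying encrypted partition, which is the mismatch that makes fsck report a bad superblock. The function name, the sample files, and the names home_crypt and /dev/sda5 are hypothetical.

```shell
#!/bin/sh
# check_crypt_mounts CRYPTTAB FSTAB
# Cross-checks the two files. For each fstab entry that touches a crypttab
# volume it prints:
#   OK  ... the entry uses /dev/mapper/<name>
#   RAW ... the entry uses the encrypted source device itself, so fsck and
#           mount would see LUKS data instead of a filesystem superblock
# Returns 1 if any RAW entry exists, otherwise 0.
# Limitation: only literal device paths are compared (no UUID=/LABEL= lookup).
check_crypt_mounts() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        pass == 1 {                      # crypttab: <name> <source device> ...
            src[$2] = $1
            map["/dev/mapper/" $1] = $2
            next
        }
        ($1 in src) {                    # fstab entry names the raw device
            printf "RAW %s uses %s, the encrypted source of %s\n", $2, $1, src[$1]
            bad = 1
        }
        ($1 in map) {                    # fstab entry names the mapper device
            printf "OK %s uses %s (fsck pass %s)\n", $2, $1, ($6 == "" ? 0 : $6)
        }
        END { exit (bad ? 1 : 0) }
    ' pass=1 "$1" pass=2 "$2"
}

# Constructed sample files; home_crypt and /dev/sda5 are hypothetical names.
demo=$(mktemp -d)
printf 'home_crypt /dev/sda5 none\n' > "$demo/crypttab"
printf '/dev/sda5 /home ext3 defaults 1 2\n' > "$demo/fstab.raw"
printf '/dev/mapper/home_crypt /home ext3 defaults 1 2\n' > "$demo/fstab.mapped"

check_crypt_mounts "$demo/crypttab" "$demo/fstab.raw" || echo "fstab.raw needs fixing"
check_crypt_mounts "$demo/crypttab" "$demo/fstab.mapped" && echo "fstab.mapped is consistent"
rm -rf "$demo"
```

Run it against the real files as check_crypt_mounts /etc/crypttab /etc/fstab; the reported fsck pass number shows whether boot-time fsck is enabled for the mapped volume.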