The 22C3 in Berlin is coming up and after helping a friend convert his notebook to dm-crypt/lvm, I'm ready to try it myself :)
It was not quite straightforward, so I'll describe the necessary steps here.
When I'm done, I'll have two physical partitions (hda1 and hda2). hda1 is /boot and must be unencrypted because it contains the kernel and initrd.
hda2 is an encrypted LVM physical volume which contains / and all other volumes.
Before we begin, some packages need to be installed:
yaird (to build the initrd)
cryptsetup-luks (supports a partition header which contains the encrypted key)
lvm2 (to manage volumes)
yaird and lvm2 are in Debian; cryptsetup-luks is available from http://luks.endorphin.org/ (a Debian repository is at http://einsteinmg.dyndns.org/debian/).
We also need a kernel compiled with aes, dm-crypt and lvm.
This will initialize hda2 as a LUKS volume and open it as pvcrypt:
# cryptsetup luksFormat /dev/hda2
WARNING!
========
This will overwrite data on /dev/hda2 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
# cryptsetup luksOpen /dev/hda2 pvcrypt
Enter LUKS passphrase:
key slot 0 unlocked.
Now the usual lvm setup:
# pvcreate /dev/mapper/pvcrypt
Physical volume "/dev/mapper/pvcrypt" successfully created
# vgcreate vgcrypt /dev/mapper/pvcrypt
Volume group "vgcrypt" successfully created
# lvcreate -n lvroot -L 8G vgcrypt
Logical volume "lvroot" created
# lvcreate -n lvswap -L 1G vgcrypt
Logical volume "lvswap" created
# lvcreate -n lvhome -L 10G vgcrypt
Logical volume "lvhome" created
If this does not work, you may have an older version of lvm which does not allow mapped devices as PVs by default. You need to change this in /etc/lvm/lvm.conf.
To copy my data to the new filesystems I use rsync -avx. -x tells rsync to stay within one filesystem, so if you have more than one you need to call rsync for each. If you have everything on one filesystem which is mounted at /mnt/source, you can use:
# rsync -avx /mnt/source/ /mnt/target/
udev uses a tmpfs mounted at /dev, so you may need to copy /dev/.static/dev by hand.
Now you need to make sure /mnt/target/sys and /mnt/target/proc exist. Before we can chroot to the new system we need to bind sys and proc:
# mount --bind /sys /mnt/target/sys
# mount --bind /proc /mnt/target/proc
Now we can enter the new system with chroot /mnt/target. The only thing left now is making the system bootable. I use grub because it allows me to change almost everything at runtime.
Grub needs to load the kernels from /dev/hda1 (which grub calls (hd0,0)).
# grub-install /dev/hda1
You may also need to run update-grub and check /boot/grub/menu.lst for incorrect paths.
Yaird needs a /etc/crypttab like this to find the encrypted volumes (the target name and device must match what we used with luksOpen above):
# <target name> <source device>
pvcrypt /dev/hda2
Update your /etc/fstab to match the new layout.
Now we can build an initrd with yaird:
# yaird -o /boot/initrd-2.6.12.3
The current yaird has a problem with the new names for the AES kernel option. If you have AES compiled into the kernel, yaird still looks for the old option name and will not find it. In /usr/lib/yaird/perl/KConfig.pm replace CONFIG_CRYPTO_AES with CONFIG_CRYPTO_AES_586 (or whatever else you have in your kernel config).
If you did not use an initrd before, run update-grub again.
Now reboot your system and it should ask you for the passphrase you entered while creating the encrypted volume. Don't forget to wipe your old data after verifying everything is correct.
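Before rebooting it pays to check that the three files the boot depends on agree with each other: a crypttab entry that names a different device than the one you formatted, an fstab that still points at the old partitions, or an initrd that grub cannot find all leave you at a prompt you cannot get past. The script below is an added example (not part of the original post) that does those checks with plain sh and awk against the new root; the target name, device and volume group are passed in as arguments, and the sample tree that make_sample builds is constructed for running it offline.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-reboot consistency check for
# the layout above, run from the host against the new root (e.g. /mnt/target).
#   1. /etc/crypttab maps the expected target name to the expected device,
#   2. every LVM device in /etc/fstab is in the expected volume group and
#      /boot stays on a plain (unencrypted) partition,
#   3. every initrd named in /boot/grub/menu.lst exists under /boot.
# usage: check_layout <root> <crypt_target> <crypt_device> <vg_name>
check_layout() {
    root=$1 target=$2 dev=$3 vg=$4 rc=0
    awk -v t="$target" -v d="$dev" '
        /^#/ { next }
        $1 == t && $2 == d { found = 1 }
        END { exit !found }' "$root/etc/crypttab" ||
        { echo "crypttab: expected a line '$target $dev'"; rc=1; }
    awk -v vg="$vg" '
        /^#/ || NF < 2 { next }
        $1 ~ "^/dev/mapper/" && $1 !~ ("^/dev/mapper/" vg "-") {
            print "fstab: " $1 " is not in volume group " vg; bad = 1 }
        $1 ~ "^/dev/[^/]+/[^/]+$" && $1 !~ "^/dev/mapper/" && $1 !~ ("^/dev/" vg "/") {
            print "fstab: " $1 " is not in volume group " vg; bad = 1 }
        $2 == "/boot" && $1 ~ "^/dev/[^/]+$" { boot = 1 }
        END { if (!boot) { print "fstab: /boot must be a plain partition"; bad = 1 }
              exit bad }' "$root/etc/fstab" || rc=1
    # menu.lst paths are relative to the /boot partition, i.e. (hd0,0)
    initrds=$(awk '$1 == "initrd" { print $2 }' "$root/boot/grub/menu.lst")
    [ -n "$initrds" ] || { echo "menu.lst: no initrd line"; rc=1; }
    for i in $initrds; do
        [ -f "$root/boot$i" ] || { echo "menu.lst: $root/boot$i is missing"; rc=1; }
    done
    return $rc
}
# Constructed sample tree (hypothetical, for offline runs); "bad" reproduces a
# crypttab entry naming a different device than the one that was luksFormat'ed.
make_sample() {
    mkdir -p "$1/etc" "$1/boot/grub"
    if [ "$2" = bad ]; then printf 'cryptpv /dev/hda4\n' > "$1/etc/crypttab"
    else printf 'pvcrypt /dev/hda2\n' > "$1/etc/crypttab"; fi
    cat > "$1/etc/fstab" <<'EOF'
/dev/mapper/vgcrypt-lvroot / ext3 defaults 0 1
/dev/hda1 /boot ext3 defaults 0 2
/dev/vgcrypt/lvhome /home ext3 defaults 0 2
/dev/mapper/vgcrypt-lvswap none swap sw 0 0
proc /proc proc defaults 0 0
EOF
    printf 'title Debian\nroot (hd0,0)\nkernel /vmlinuz-2.6.12.3 root=/dev/mapper/vgcrypt-lvroot ro\ninitrd /initrd-2.6.12.3\n' \
        > "$1/boot/grub/menu.lst"
    : > "$1/boot/initrd-2.6.12.3"
}
```

On a real system run it as check_layout /mnt/target pvcrypt /dev/hda2 vgcrypt from the host before the chroot; a non-zero exit lists what disagrees.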
Thanks!
Odżywki (not verified) — Mon, 2010-10-25 15:18
Thanks a lot, I was searching it on a Polish website but couldn't find it. Greetings from Poland!
where to start ?
max (not verified) — Sat, 2005-12-24 10:19
Hi,
I'm planning to do the same on a new (empty) harddisk. There should be 2 partitions, namely the boot partition and the dm-crypt partition which will be the base for lvm2 logical partitions (as described).
I'm trying to install debian with the netinstall cd-rom, unfortunately all the crypto tools are not on it. Thus I guess I need a temporary partition where I can do a minimal debian installation. Once installed I can do all the crypto partition setup, copy the minimal installation on the newly created crypted lvm partitions and chroot.
The problem is that the temporary partition has no use later on ;(
How did you do it? Maybe the mentioned initial install can be done on a temporary ramdisk? Another idea would be to do a minimal debian install on a tiny harddisk partition and use this tiny harddisk partition as /boot later on. What can you suggest?
It would be great to hear from you, see you at 22c3 and greets, max
Use debootstrap with Kanotix
Jan Lübbe — Sat, 2005-12-31 09:38
You can use a live-cd like [http://kanotix.com/|Kanotix] to install debian with debootstrap. Kanotix includes the needed tools (except cryptsetup-luks, which you can install when you boot with unionfs). Set up the partitions, crypt, lvm, mount, use debootstrap, chroot. Now you need to configure /etc/fstab, /etc/crypttab, /etc/network/interfaces and so on. Look at [http://www.inittab.de/manuals/debootstrap.html] for some hints (but use grub instead).