Red Hat Bugzilla – Attachment 161912 Details for Bug 124789: [PATCH] Add encrypted root filesystem support to mkinitrd
HOWTO: Creating an encrypted Physical Volume using Fedora and patched mkinitrd

Filename: EncryptedPVForRootAndSwap-HOWTO
MIME Type: text/plain
Creator: Kevin R. Page
Created: 2007-08-20 18:14:00 UTC
Size: 4.09 KB
Flags: patch, obsolete
HOWTO: Creating an encrypted Physical Volume (PV) using a second hard drive and pvmove and Fedora LiveCD

I've successfully tried this with a second internal IDE hard drive; it should also work with a USB hard drive caddy or even a spare partition on the primary hard drive.

With a few more steps the same trick could be used to move an existing installation to an encrypted PV - first using pvmove to transfer the installed system to a temporary PV on a second drive, before removing the original PV from the Volume Group, encrypting that partition, then pvmove-ing the installation back (as below).

The machine in this example has two hard drives, /dev/sda and /dev/sdb
|
|- /dev/sda
|  |- /dev/sda1 /boot
|  |- /dev/sda2 -> /dev/mapper/cryptpv : encrypted partition which will eventually hold /dev/vg0
|
|- /dev/sdb
   |- /dev/sdb1 : temporary unencrypted partition used to install /dev/vg0

Fedora will be installed to the LVM Volume Group "vg0" which will contain two Logical Volumes: "lv_root" (i.e. /dev/vg0/lv_root) for the root directory, and "lv_swap" (i.e. /dev/vg0/lv_swap) for swap.


1) Install Fedora directly to the second hard drive whilst it's plugged into the target machine. However, create /boot on the primary hard drive of the target machine (e.g. /dev/sda1). Install everything else (root, swap, /home etc.) to a single PV on the second drive (e.g. /dev/sdb1). This should be no larger than the PV on the target machine's primary hard drive which will eventually be encrypted (i.e. the remaining space on the primary hard drive).

2) Bring this install up to date with a 'yum update' etc.

3) Build and/or install your patched copy of mkinitrd, nash, etc.

4) pvmove cannot be used on a live root volume [Ref 1]. However, the Fedora LiveCD contains the lvm and cryptsetup binaries. Boot to the LiveCD.

5) Make sure the Volume Group (VG) on the second disk is visible to the running LiveCD OS. e.g.
 # vgdisplay vg0

6) On the spare larger partition of the target machine's primary hard drive (e.g. /dev/sda2) create the encrypted partition which will hold the install. Don't forget the passphrase - you'll need this every time you boot the target machine. Then luksOpen the encrypted partition. e.g.
 # cryptsetup --verbose --verify-passphrase luksFormat --cipher aes-cbc-essiv:sha256 --key-size 256 /dev/sda2
 # cryptsetup --verbose luksOpen /dev/sda2 cryptpv

7) Initialise the crypt device as a physical volume, and add it to the volume group of the installation on the primary disk. e.g.
 # pvcreate --verbose /dev/mapper/cryptpv
 # vgextend --verbose vg0 /dev/mapper/cryptpv

8) pvmove the install on the second disk so it's completely held on the crypt disk (which is now part of that volume group). e.g.
 # pvmove --verbose /dev/sdb1 /dev/mapper/cryptpv

9) Make sure pvmove has finished! Then remove the PV on the second disk from the VG. e.g.
 # vgreduce --verbose vg0 /dev/sdb1
 # pvremove --verbose /dev/sdb1

10) chroot to the installed version, now moved to the encrypted PV. Don't forget to mount /boot. Backup the volume group metadata. e.g.
 # swapoff -a
 # mkdir /mnt/tmp
 # mount /dev/vg0/lv_root /mnt/tmp
 # cp -ax /dev/* /mnt/tmp/dev
 # chroot /mnt/tmp
 (chroot) # mount -t proc proc /proc
 (chroot) # mount -t sysfs sysfs /sys
 (chroot) # mount /boot
 (chroot) # swapon -a
 (chroot) # vgcfgbackup

11) Run mkinitrd (this should be the patched version!). You'll probably want to build for the latest kernel installed, not the running LiveCD kernel version (which 'uname -r' will report). Check it recognises the encrypted PV in the verbose output. e.g.
 (chroot) # mkinitrd -v /boot/initrd-2.6.22.1-41.fc7-crypt.img 2.6.22.1-41.fc7

12) Unmount and exit the chroot, e.g.
 (chroot) # swapoff -a
 (chroot) # umount /boot
 (chroot) # umount /proc
 (chroot) # umount /sys
 (chroot) # exit
 # umount /mnt/tmp

13) If you haven't overwritten the standard initrd image, remember to amend your grub.conf. Reboot!

14) You'll probably want to 'scrub' the temporary install partition (e.g. /dev/sdb1).

[Ref 1] http://sources.redhat.com/lvm2/wiki/FrequentlyAskedQuestions

Kevin R. Page, August 2007
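Three of the steps above depend on conditions that the commands themselves do not check: the temporary PV must fit into the partition that will be encrypted (step 1), vgreduce must not run before pvmove has moved every extent off /dev/sdb1 (step 9, where running early loses data), and mkinitrd must be given a kernel version that is installed in the chroot rather than the LiveCD kernel that uname -r reports (step 11). The pre-flight script below is an added example and is not part of the HOWTO or of the mkinitrd patch. It assumes a 2 MiB LUKS header, the pv_used column of pvs, and the constructed sample values it embeds; on a real machine the sizes would come from blockdev --getsize64 and pvs, and the modules root would be /lib/modules inside the chroot.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: offline pre-flight checks for three
# conditions the procedure silently depends on. Values are passed as arguments
# so the functions can be exercised on constructed input; on the real machine
# take them from `blockdev --getsize64 <partition>` and
# `pvs --noheadings --units b -o pv_name,pv_size,pv_used <pv>`.

# Bytes the LUKS header takes at the start of the encrypted partition.
# Assumption: 2 MiB; confirm on the real device with `cryptsetup luksDump`,
# whose "Payload offset" is given in 512-byte sectors.
LUKS_HEADER_BYTES=$((2 * 1024 * 1024))

# Step 1: the temporary PV (e.g. /dev/sdb1) must fit into the space the
# encrypted PV will offer, i.e. the target partition minus the LUKS header.
# Usage: fits_in_target <source_pv_bytes> <target_partition_bytes>
fits_in_target() {
    [ "$1" -le $(($2 - LUKS_HEADER_BYTES)) ]
}

# Step 9: vgreduce must only run once pvmove has moved every extent off the
# temporary PV, i.e. its pv_used column reads 0B.
# Usage: pv_is_empty "<pvs line>"  (fields: pv_name pv_size pv_used, in bytes)
pv_is_empty() {
    used=$(printf '%s\n' "$1" | awk '{ sub(/B$/, "", $3); print $3 }')
    [ "$used" = "0" ]
}

# Step 11: build the initrd for a kernel installed in the chroot, not for the
# LiveCD kernel that `uname -r` reports. A kernel counts as installed when its
# module directory exists under the modules root (/lib/modules on a real system).
# Usage: kernel_installed <version> <modules_root>
kernel_installed() {
    [ -d "$2/$1" ]
}

# All three checks together; returns 0 only when it is safe to proceed.
# Usage: preflight <src_bytes> <target_bytes> "<pvs line>" <kernel> <modules_root>
preflight() {
    fits_in_target "$1" "$2" && pv_is_empty "$3" && kernel_installed "$4" "$5"
}

# Constructed sample input (not measurements from any real machine):
# 40 GiB temporary PV on /dev/sdb1, 60 GiB target partition /dev/sda2,
# pvs output before and after pvmove, and a fake modules tree holding only
# the kernel the HOWTO builds for.
SAMPLE_SRC_BYTES=$((40 * 1024 * 1024 * 1024))
SAMPLE_TARGET_BYTES=$((60 * 1024 * 1024 * 1024))
SAMPLE_PVS_BUSY='  /dev/sdb1 42949672960B 17179869184B'
SAMPLE_PVS_DONE='  /dev/sdb1 42949672960B 0B'
SAMPLE_KERNEL='2.6.22.1-41.fc7'
SAMPLE_MODULES=$(mktemp -d)
mkdir -p "$SAMPLE_MODULES/$SAMPLE_KERNEL"

if preflight "$SAMPLE_SRC_BYTES" "$SAMPLE_TARGET_BYTES" "$SAMPLE_PVS_DONE" \
             "$SAMPLE_KERNEL" "$SAMPLE_MODULES"; then
    echo "pre-flight OK: safe to vgreduce and run mkinitrd for $SAMPLE_KERNEL"
else
    echo "pre-flight FAILED: do not vgreduce yet"
fi
```

The pvmove check is the one that matters most: vgreduce refuses a PV that still holds extents, but if pvmove was interrupted (a LiveCD reboot, for instance) the move must be restarted with pvmove and allowed to complete before step 9, and reading pv_used to 0B is the simplest way to confirm that from the LiveCD.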