Re: yaird, kernel 2.6.17 and dm-crypted disks
* Miroslav Maiksnar <ml@mixi.cz> [2006-07-13 00:12:36 +0200]:
> Problems with /etc/crypttab are:
> 1) I'm not using it at all, because it is located on an encrypted partition and
> by the time it becomes accessible, everything is already set up.
> 2) When I set up the information in crypttab according to my needs, I got the message
> "yaird error: encrypted device 'root' has keyfile specified
> in /etc/crypttab:6. This is not supported. (fatal)". And after some RTFM I
> found "If the source of the passphrase is something other than the console,
> abort. There are too many variables to support this reliably."
Correct. YAIRD doesn't want to mess up your system. This is a feature,
not a bug.
Consider this: If your system will boot from USB (sometimes that's a hidden
option - access your BIOS with a USB stick inserted to find out), why not put
the contents of /boot on the stick and install grub to the MBR of the
stick?
The configuration change could be accomplished via the chroot jail as
earlier mentioned. Your /etc/fstab on the final system would look
something like this:
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/mapper/vgdc-lvroot / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/vgdc-lvusr /usr reiserfs defaults 0 2
/dev/mapper/vgdc-lvvar /var reiserfs defaults 0 2
/dev/mapper/vgdc-lvhome /home reiserfs defaults 0 2
/dev/mapper/vgdc-lvtmp /tmp ext3 defaults 0 2
/dev/mapper/swap none swap sw 0 0
# /dev/sda1 /boot ext2 defaults 0 2
/etc/crypttab like this:
# <target name> <source device> <key file> <options>
davescrunch /dev/hda5 none cipher=blahblahblah
swap /dev/hda2 /etc/keys/swapkey cipher=blahblahblah
The stick normally is not mounted at boot, only when you want to do a
kernel change, by uncommenting the /dev/sda1 line and doing:
# mount /dev/sda1
The key is removed from the USB plug when the passphrase is asked for (this
indicates the kernel and ramdisk are loaded anyway). Pull the key, type the
passphrase, and the machine boots with all crypted devices unlocked. The entire
system is encrypted.
Been using this with yaird for quite some time now...
--
Cheers,
Dave
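A small pre-flight check for the yaird rule quoted above, added here as an example and not taken from the thread or from yaird itself: it parses a crypttab and fstab and flags the root device when its key comes from a file instead of the console. It assumes (constructed sample) that the crypt target is mounted directly as /dev/mapper/<target>, with no LVM layer in between.

```shell
#!/bin/sh
# Added example, not from the original post: yaird aborts when the device
# holding / takes its passphrase from a key file rather than the console,
# so this flags such crypttab entries before the ramdisk is built.
# Assumption (constructed): the crypt target is mounted directly as
# /dev/mapper/<target> in fstab, with no LVM layer in between.

# Constructed sample files modelled on the post; crypttab line 6 is the
# offending entry, matching the "crypttab:6" in the quoted error.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/home /home reiserfs defaults 0 2
/dev/mapper/swap none swap sw 0 0
EOF
cat > "$SAMPLE_DIR/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
# Key files under /etc/keys live on the encrypted root, so they cannot
# be read before that root is opened.
swap /dev/hda2 /etc/keys/swapkey cipher=blahblahblah
home /dev/hda6 /etc/keys/homekey cipher=blahblahblah
root /dev/hda5 /etc/keys/rootkey cipher=blahblahblah
EOF
# Same layout with root set to "none": passphrase asked on the console.
sed 's#^root /dev/hda5 /etc/keys/rootkey#root /dev/hda5 none#' \
    "$SAMPLE_DIR/crypttab" > "$SAMPLE_DIR/crypttab.ok"

# early_targets FSTAB: print the crypttab target names that back "/".
early_targets() {
    awk '!/^[[:space:]]*#/ && $2 == "/" && $1 ~ /^\/dev\/mapper\// {
            sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$1"
}

# check_crypttab CRYPTTAB FSTAB: print one line per root device whose
# key field (field 3) is not "none"; exit status 1 if any were found.
check_crypttab() {
    crypttab=$1; fstab=$2; status=0
    for target in $(early_targets "$fstab"); do
        hit=$(awk -v t="$target" -v f="${crypttab##*/}" -v q="'" \
            '!/^[[:space:]]*#/ && $1 == t && $3 != "" && $3 != "none" {
                print f ":" NR ": device " q $1 q " has key file " $3 }' "$crypttab")
        if [ -n "$hit" ]; then echo "$hit"; status=1; fi
    done
    return $status
}

check_crypttab "$SAMPLE_DIR/crypttab" "$SAMPLE_DIR/fstab" || echo "fix crypttab before running yaird"
```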