
Re: whole disk encryption -- not prompting for passphrase



I appreciate all the pointers I've been given.  I've looked pretty carefully
at my initramfs, and I've mostly been able to fix it.  I still have a few
questions though.

I did have to create an /etc/crypttab before updating the initramfs.  I'm
not quite sure how to recreate the configuration the Debian installer
did.  The Debian installer created a physical partition hda1 for /boot.
It also created hda2, which would be encrypted.  On hda2, it created a
volume group 'debian' and 3 logical volumes, 'home', 'root', and 'swap_1'.

So at this point, what should my crypttab look like?  Since hda2 is the only
encrypted partition, it should be the only line in /etc/crypttab right? I set
up crypttab as follows:

# <target name>   <source device>   <key file>   <options>
hda2_crypt   /dev/hda2   none   luks


So I update my initramfs.  To check I extracted the image to /tmp and
inspected conf/conf.d/cryptroot.  It looked like this:

target=hda2_crypt,source=/dev/hda2,key=none,lvm=debian-root

Does this look right?  How did it know about the lvm volume debian-root?
Is the target name important, other than being the name of the device
created in /dev/mapper? Specifically, is it important that it is the same
as it was when the Debian installer set up the devices?

Anyway, I reboot, and the messages look like this:

   Begin: Mounting root file system... ...
   Begin: Running /scripts/local-top ...
   device-mapper: uevent: version 1.0.3
   device-mapper: ioctl: 4.13.0-ioctl (2007-10-02) initialised: dm-devel@redhat.com
      Volume group "debian" not found
      Volume group "debian" not found
   Setting up cryptographic volume hda2_crypt (based on /dev/hda2)
   Enter LUKS passphrase:

This is good, at least it's prompting me for a passphrase. I enter my
passphrase, and it appears to work, but not quite perfectly. After I enter
my passphrase it boots but I get this on the console:

   Starting early crypto disks...done.
   Setting up LVM Volume Groups Reading all physical volumes. This may take a while...
      Found volume group "debian" using metadata type lvm2
      Device '/dev/dm-0' has been left open.
      Device '/dev/dm-0' has been left open.
      3 logical volumes in volume group "debian" now active
   .
   Starting remaining crypto disks...done.

When I shut down I get this:

   Unmounting local filesystems...done.
   Stopping remaining crypto disks...done.
   Shutting down LVM Volume Groups Can't deactivate volume group "debian" with 2 open logical volume(s)
      failed!
   Stopping early crypto disks...done.

So my question is, why aren't those volumes correctly deactivated on
shutdown? How does /dev/dm-0 figure into this when I'm mounting
/dev/mapper/debian-root as /? Can I safely ignore this message, or is
closing these devices important? When I try to mount /dev/dm-0 it tells me
"mount: unknown filesystem type 'lvm2pv'". /dev/dm-1, 2, and 3 are
debian-root, debian-swap_1, and debian-home respectively.

Any hints, tips, suggestions on FMs to R are appreciated. I learned a lot already in this process. My next challenge is to resize my swap to match all the RAM I have now so I can s2disk safely.
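
Added example (not part of the original message): a small Python check that the cryptroot line found in an extracted initramfs agrees with /etc/crypttab, using the two snippets quoted in the message as input. The function names are made up for this example; split_dm_name relies on the device-mapper convention that LVM volumes are named <vg>-<lv>, with a hyphen inside either name doubled.

```python
# Added example: inputs are the crypttab and cryptroot snippets quoted above.
CRYPTTAB = """\
# <target name>   <source device>   <key file>   <options>
hda2_crypt   /dev/hda2   none   luks
"""
CRYPTROOT = "target=hda2_crypt,source=/dev/hda2,key=none,lvm=debian-root\n"

def parse_crypttab(text):
    """Map each target name to its source device and key file."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            raise ValueError(f"malformed crypttab line: {line!r}")
        # Assumption: a missing key-file field is treated as "none".
        key = fields[2] if len(fields) > 2 else "none"
        entries[fields[0]] = {"source": fields[1], "key": key}
    return entries

def parse_cryptroot(text):
    """Parse comma-separated key=value lines; values may contain '='."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            pairs = (kv.partition("=") for kv in line.strip().split(","))
            entries.append({k: v for k, _, v in pairs})
    return entries

def split_dm_name(name):
    """Split 'vg-lv' into (vg, lv); '--' is an escaped hyphen."""
    vg, _, lv = name.replace("--", "\0").partition("-")
    return vg.replace("\0", "-"), lv.replace("\0", "-")

def check(crypttab_text, cryptroot_text):
    """Return a list of mismatches; an empty list means the files agree."""
    tab, problems = parse_crypttab(crypttab_text), []
    for entry in parse_cryptroot(cryptroot_text):
        target = entry.get("target")
        want = tab.get(target)
        if want is None:
            problems.append(f"{target}: in initramfs but not in crypttab")
            continue
        for field in ("source", "key"):
            if entry.get(field) != want[field]:
                problems.append(f"{target}: {field} is {entry.get(field)!r} "
                                f"in initramfs, {want[field]!r} in crypttab")
    return problems

if __name__ == "__main__":
    print(check(CRYPTTAB, CRYPTROOT) or "crypttab and cryptroot agree")
    print(split_dm_name(parse_cryptroot(CRYPTROOT)[0]["lvm"]))
```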

