On Sun, May 16, 2010 at 12:45 PM, thib
<thib@stammed.net> wrote:
...
but consider encrypting the logical volume instead of the physical volumes. It makes much more sense to me.
It seems to me that
Does anyone know the right way to get the drives decrypted first?
I (very) quickly overviewed the initscripts, it looks like the same code in /lib/cryptsetup/cryptdisks.functions is called twice by cryptdisks-early (before lvm2), and then by cryptdisks (after lvm2). Supposedly, the -early script can't decrypt some devices, I just don't know why. By the looks of it all, I wouldn't be surprised if there were some dependency problems for unusual setups; is the problematic device a raid volume or something?
I started looking in this direction myself last night. I am, for the life of me, unable to figure why or how drives are designated as early versus non-early. With the exception of adding "noearly" to the options in /etc/cryptab. However, I am unable to find a single partition on a single encrypted machine that uses this option. So theoretically, all of the drives should be designated as early. I also haven't done this in a couple of years, so maybe the encryption system has matured in the meantime.
If you mount your filesystems in your initramfs (which should really be done only for the root fs), you might be able to put some hooks in /etc/initramfs-tools. I'm not really comfortable with it, so you should read the initramfs-tools(8) manual page or wait for more help.
I'm really not comfortable with modifying something like that, not because I can't, but rather because I don't want to tweak something and have it break on the next upgrade. So I will take the latter suggestion. I want to build a test box to see if I can further troubleshoot the problem or if it still even exists.
Thanks for the suggestions, thib...
--b