Crypto during FAI install
Doug Spencer
doug at securitybulletins.com
Sun Feb 8 18:30:30 CET 2009
On Sun, 8 Feb 2009 13:52:19 +0100
Michael Tautschnig <mt at debian.org> wrote:
> Hi!
>
> [...]
> > So far, I got the mirrored LVM working after hacking the FAI GRUB install script so GRUB would boot correctly with md devices. The setup-storage command doesn't seem to allow encryption to be specified on an md device, particularly since Parser.pm requires a mountpoint be specified, which isn't relevant on a RAID1 disk_config setting.
> >
>
> Ok, that has been fixed in 3.2.17+experimental4 (see
> http://faiwiki.debian.net/index.php/Main_Page#getting_FAI for more information
> about the experimental builds).
>
> [...]
> Thanks,
> Michael
Michael -
I just tried 3.2.17+experimental4 and I see Parser.pm has some updated
code if I search for :encrypt. Unfortunately, it still shows:
ERROR (line 17): Invalid file: Was expecting /\Z/ but found "raid1
-:encrypt sda2,sdb2 - -" instead
I will run in debug mode and send you a private follow up message with
that.
Also, my suggestion regarding XML, or some type of dependency ability,
is due to the increased flexibility it would allow. For instance, if you
wanted to set up DRBD replication, CLVM, GFS, or any of the other
storage possibilities you could define it with a dependency tree. It
allows you to stack your storage in any way you want, such as encrypted
storage backing a DRBD device with LVM or CLVM running on it.
I currently have a workaround for the encryption issue as follows:
# cat ./scripts/LAST/70-encryptmd2
#! /bin/bash
# FAI hook script (scripts/LAST/70-encryptmd2): runs at the end of the install,
# with $target pointing at the root of the installed system.
error=0 ; trap "error=$((error|1))" ERR   # FAI idiom: any failing command sets error
# LUKS-format the md2 array and open it; the passphrase is fed on stdin
yes 'PassPhrase' | cryptsetup -q luksFormat /dev/md2 -c aes-cbc-essiv:sha256 -s 256
yes 'PassPhrase' | cryptsetup luksOpen /dev/md2 md2_crypt
# put an LVM volume group on the opened mapping
pvcreate /dev/mapper/md2_crypt
vgcreate XenVM /dev/mapper/md2_crypt
# let the installed system unlock md2 at boot
printf "md2_crypt /dev/md2 none luks\n" >> "$target/etc/crypttab"
exit $error
Which works for the XenVM VG. I haven't implemented it for the root
partition yet, which is also my goal. I'm thinking another way to implement
the root encryption is to create a 1 device root LVM VG, then create an md
device that I encrypt, add the encrypted device to the LVM PV, then
move all the LV resources to that encrypted device and add the original
device back as a mirror to the encrypted md device. It would work, but is
a bit time consuming when this process can be done with the right initial
processing.
Thanks,
Doug
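The two procedures in Doug's mail, his 70-encryptmd2 workaround and the planned root-VG migration over pvmove, written out as one script. This is an added example, not the script from the mail and not part of FAI or setup-storage. It assumes a LUKS keyfile in $KEYFILE instead of piping `yes 'PassPhrase'` to cryptsetup, that $target is the install chroot (empty on a live system), that the md device for the migration already exists as a degraded one-disk RAID1, and that the device, mapping and VG names are passed as arguments; the keyfile path and script name are placeholders. DRY_RUN=1 prints the command plan instead of touching any device.

```shell
#!/bin/sh
# Added example for this thread; not Doug's 70-encryptmd2 and not FAI code.
# It wraps the two things the mail describes:
#   encrypt_md   - LUKS-format an md device, put an LVM VG on it and record
#                  the crypttab entry (the 70-encryptmd2 workaround)
#   migrate_root - the root-VG plan: add an encrypted md device as a second
#                  PV, pvmove every LV onto it, drop the plain PV and hand
#                  that partition to mdadm as the mirror half
# Assumptions: keyfile in $KEYFILE rather than a passphrase on stdin, $target
# as the install chroot (empty on a live system), names passed as arguments.

DRY_RUN="${DRY_RUN:-0}"
KEYFILE="${KEYFILE:-/etc/keys/md.key}"   # assumed keyfile location
target="${target:-}"                      # FAI sets this; empty = live root

# run CMD...: execute the command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# crypttab_entry NAME DEVICE: line that makes the initramfs unlock DEVICE
# as /dev/mapper/NAME at boot (prompted passphrase, no keyfile on disk)
crypttab_entry() {
    printf '%s %s none luks\n' "$1" "$2"
}

# append_crypttab NAME DEVICE: add the entry to $target/etc/crypttab
append_crypttab() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '>> %s/etc/crypttab: ' "$target"
        crypttab_entry "$1" "$2"
    else
        crypttab_entry "$1" "$2" >> "$target/etc/crypttab"
    fi
}

# luks_setup DEVICE NAME: format DEVICE as LUKS and map it as /dev/mapper/NAME
luks_setup() {
    if [ "$DRY_RUN" != 1 ] && [ ! -r "$KEYFILE" ]; then
        printf 'keyfile %s is not readable\n' "$KEYFILE" >&2
        return 1
    fi
    run cryptsetup -q luksFormat --key-file "$KEYFILE" \
        -c aes-cbc-essiv:sha256 -s 256 "$1"
    run cryptsetup luksOpen --key-file "$KEYFILE" "$1" "$2"
}

# encrypt_md MD_DEVICE NAME VG: the workaround from the mail, e.g.
#   encrypt_md /dev/md2 md2_crypt XenVM
encrypt_md() {
    luks_setup "$1" "$2" || return 1
    run pvcreate "/dev/mapper/$2"
    run vgcreate "$3" "/dev/mapper/$2"
    append_crypttab "$2" "$1"
}

# migrate_root VG PLAIN_PV MD_DEVICE NAME: the root plan from the mail.  VG
# currently lives on the single partition PLAIN_PV; MD_DEVICE is a degraded
# one-disk RAID1 on the other disk.  After pvmove the old partition joins it.
migrate_root() {
    local vg="$1" plain_pv="$2" md="$3" name="$4"
    luks_setup "$md" "$name" || return 1
    run pvcreate "/dev/mapper/$name"
    run vgextend "$vg" "/dev/mapper/$name"
    # pvmove copies every extent of every LV; it can be re-run if interrupted
    run pvmove "$plain_pv" "/dev/mapper/$name"
    run vgreduce "$vg" "$plain_pv"
    run pvremove "$plain_pv"
    # the freed partition becomes the second half of the encrypted mirror
    run mdadm "$md" --add "$plain_pv"
    append_crypttab "$name" "$md"
    # root now sits behind LUKS on md: the initramfs must know about both
    # (runs inside the chroot when $target is set, directly otherwise)
    run ${target:+chroot "$target"} update-initramfs -u
}

# Usage: DRY_RUN=1 ./fai-luks-md.sh migrate rootvg /dev/sda3 /dev/md3 md3_crypt
case "${1:-}" in
    encrypt) shift; encrypt_md "$@" ;;
    migrate) shift; migrate_root "$@" ;;
esac
```

Review the DRY_RUN=1 plan before running it for real: the order matters, since pvmove must finish and vgreduce/pvremove must release the partition before mdadm is handed it, and the final update-initramfs is what lets the installed system find the root VG behind cryptsetup and mdadm at boot.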