Crypto during FAI install

Doug Spencer doug at securitybulletins.com
Thu Feb 12 00:40:53 CET 2009


The basic config works fine for creating RAID1, LVM, etc. The -:encrypt 
mount point option to the RAID1 is what has been problematic when I have
tried it. I'll check experimental9 soon and report my findings. 

In the meantime, I use the following post-install script I wrote to convert
the system from mirrored root to encrypted root:

#!/bin/bash
# Convert a mirrored (RAID1) root into an encrypted root: drop one half of
# the mirror out of md1, move the LVM extents onto it, reformat md1 as a
# LUKS container, move the extents back on top of the opened container,
# then re-add the other half so md1 resyncs the encrypted data.

# 1. Split the mirror: fail and remove sdb2 from md1.
mdadm /dev/md1 --fail /dev/sdb2 || exit 1
sleep 5
mdadm /dev/md1 --remove /dev/sdb2 || exit 1
sleep 5

# 2. Turn the freed partition into a PV and migrate all extents off md1.
pvcreate /dev/sdb2 || exit 1
vgextend RootVG0 /dev/sdb2 || exit 1
pvmove /dev/md1 || exit 1
vgreduce RootVG0 /dev/md1 || exit 1
# Braces, not a subshell: "exit 1" inside ( ... ) would only leave the subshell
# and the script would carry on to luksFormat.
pvremove /dev/md1 || { echo "Reboot and run $0 script 2 "; exit 1; }

# 3. Format md1 as LUKS and open it. "PassPhrase Here" is a placeholder;
#    cryptsetup reads the passphrase from stdin up to the newline.
echo "PassPhrase Here" | cryptsetup -q luksFormat /dev/md1 -c aes-cbc-essiv:sha256 -s 256 || exit 1
echo "PassPhrase Here" | cryptsetup luksOpen /dev/md1 md1_crypt || exit 1

# 4. Put LVM on top of the opened container, register it in the target's
#    crypttab ($target is the install target's mountpoint under FAI) and
#    migrate the extents back.
pvcreate /dev/mapper/md1_crypt || exit 1
printf "md1_crypt /dev/md1  none luks\n" >> $target/etc/crypttab || exit 1
vgextend RootVG0 /dev/mapper/md1_crypt || exit 1
pvmove /dev/sdb2 || exit 1
vgreduce RootVG0 /dev/sdb2 || exit 1
pvremove /dev/sdb2 || exit 1

# 5. Re-add the partition so md1 resyncs the LUKS container, and rebuild the
#    initramfs so the root can be unlocked at boot.
mdadm /dev/md1 --add /dev/sdb2 || exit 1
update-initramfs -u -k all || exit 1

That script works well. The pvremove command seems to have occasional 
issues with getting a device lock if the md device hasn't fully mirrored 
before I begin the process. 

Running an optional sfill from the secure-delete package at the end of 
the process will write random data into the unused space, making spotting
the encrypted data more difficult. The current Lenny Debian installer does wipe 
the disk as part of the encryption configuration. 

Doug Spencer
http://SecurityBulletins.com/ 




On Thu, 12 Feb 2009 00:02:53 +0100
Michael Tautschnig <mt at debian.org> wrote:

> Hi Doug,
> 
> > Experimental5 had the same issue as experimental4 when I tried it
> > yesterday. 
> > 
> 
> I finally got around to try your config and on my system the parser nicely
> accepted it. Could you please retry using experimental9 and report back? In case
> it still fails while parsing, please supply the error message and attach your
> config file (please don't paste it, there may be some strange whitespace issue).
> Thanks!

--- Cut

> Best,
> Michael
> 
> 
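
The post above notes that pvremove can fail to get a device lock when the md device has not finished mirroring. The helper below is an added example, not part of Doug's script or of FAI: a POSIX sh function that parses /proc/mdstat and reports whether a named array is clean (all members up, no resync/recovery/reshape in progress), plus a poller built on it that a migration script can call before the first mdadm --fail. The /proc/mdstat samples are constructed, not captured from a real machine, and the array name md1 is taken from the script above.

```shell
#!/bin/sh
# Added example (not from the original post): wait until an md array is
# clean and fully mirrored before starting the root migration.
# Assumptions: the /proc/mdstat layout shown in the constructed samples
# below, and the array name md1 from the migration script.

# md_synced NAME < /proc/mdstat
#   exit 0 -> clean: every member is up ("[UU]") and no
#             resync/recovery/reshape line is present
#   exit 1 -> degraded ("[U_]") or still syncing
#   exit 2 -> no array of that name in the input
md_synced() {
    awk -v md="$1" '
        $1 == md && $2 == ":"  { inarr = 1; found = 1; next }
        inarr && /^[a-z]/      { inarr = 0 }   # next array header or "unused devices:"
        inarr && /\[[U_]+\]/   { if ($0 ~ /_/) degraded = 1 }   # "_" = missing member
        inarr && /(resync|recovery|reshape) *=/ { busy = 1 }     # progress line, or DELAYED/PENDING
        END {
            if (!found) exit 2
            if (degraded || busy) exit 1
            exit 0
        }
    '
}

# wait_md_synced NAME [INTERVAL]: poll /proc/mdstat until md_synced says clean.
# Returns 2 at once if the array does not exist, so a caller can bail out
# with "|| exit 1" in the same style as the migration script.
wait_md_synced() {
    while :; do
        rc=0
        md_synced "$1" < /proc/mdstat || rc=$?
        [ "$rc" -eq 2 ] && return 2
        [ "$rc" -eq 0 ] && return 0
        sleep "${2:-10}"
    done
}

# Constructed samples (not real machine output): md1 mid-recovery right
# after "mdadm --add", and the same machine once the resync has finished.
MDSTAT_SYNCING='Personalities : [raid1]
md1 : active raid1 sdb2[2] sda2[0]
      488383936 blocks [2/1] [U_]
      [>....................]  recovery =  3.2% (15680000/488383936) finish=98.5min speed=80000K/sec

md0 : active raid1 sdb1[1] sda1[0]
      987904 blocks [2/2] [UU]

unused devices: <none>'

MDSTAT_CLEAN='Personalities : [raid1]
md1 : active raid1 sdb2[1] sda2[0]
      488383936 blocks [2/2] [UU]

md0 : active raid1 sdb1[1] sda1[0]
      987904 blocks [2/2] [UU]

unused devices: <none>'

# report LABEL TEXT: run md_synced on a sample and print the verdict for md1.
report() {
    rc=0
    printf '%s\n' "$2" | md_synced md1 || rc=$?
    case $rc in
        0) echo "$1: md1 is clean, safe to run pvremove" ;;
        1) echo "$1: md1 is degraded or still syncing, wait" ;;
        *) echo "$1: no md1 in this mdstat" ;;
    esac
}

report syncing "$MDSTAT_SYNCING"
report clean   "$MDSTAT_CLEAN"
```

In the migration script a single `wait_md_synced md1 || exit 1` before the first `mdadm --fail`, and again before `mdadm --add`, replaces the fixed `sleep 5` calls with a check on the array's actual state; the awk parser only needs the lines mdstat already prints, so it works on the Lenny-era kernels the post is about as well as on current ones.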

