[arch-general] server with an encrypted non-root disk
Hi,

I have a little server at home which has an encrypted disk mounted at /home/media/1tbdisk.
I added it to crypttab and the decrypted dm device to fstab, but I have the following problems:

1) The keymap upon luksOpen is qwerty, even though I have my keymap set in rc.conf and added 'keymap' to hooks in rc.conf. I ran `mkinitcpio -p kernel26` in the shell that the init(script) gave me when it tried to mount /dev/mapper/decrypted (after I mounted -o remount,ro /). Do I really have to run mkinitcpio again from the real system and reboot? (I can do it, but would like to know what might have gone wrong here.)

2) Even when I'm sure I'm typing the correct pass (in qwerty) it doesn't unlock. I added dm_crypt to modules in rc.conf but no change. It asks the pass 3 times and then fstab tries to mount the nonexisting device and I get the shell.
If I comment out the entries in crypttab and fstab and unlock+mount myself after boot, it works fine.

3) Even if for some reason one fails to unlock the volume, it would be nice that the boot process can continue. Maybe there could also be a timeout: not unlocked within 60s, continue boot process. Is this possible to do or would it make things too complicated?

4) Suppose one can fix the stuff in the shell that you get from the fstab hook, is it possible to just resume boot instead of rebooting?

5) Any other thoughts about this kind of setup? I know it's possible if you have IPMI to do serial over LAN and type your password from anywhere around the globe during bootup. But I don't have IPMI, so if no-one can unlock the volume in x seconds, it can continue booting.

Dieter
On Thu, Aug 27, 2009 at 19:36, Dieter Plaetinck <dieter@plaetinck.be> wrote:
> Hi, I have a little server at home which has an encrypted disk mounted at /home/media/1tbdisk

I will be assuming you read the wiki:
http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt
so I just put what my config looks like below.

> I added it to crypttab and the decrypted dm device to fstab, but I have the following problems:
> 1) The keymap upon luksOpen is qwerty, even though I have my keymap set in rc.conf and added 'keymap' to hooks in rc.conf. I ran `mkinitcpio -p kernel26` in the shell that the init(script) gave me when it tried to mount /dev/mapper/decrypted (after I mounted -o remount,ro /). Do I really have to run mkinitcpio again from the real system and reboot? (I can do it, but would like to know what might have gone wrong here.)

You did put keymap before encrypt in HOOKS, right?
You have to run mkinitcpio only after you have added the encrypt and keymap hooks.

> 2) Even when I'm sure I'm typing the correct pass (in qwerty) it doesn't unlock. I added dm_crypt to modules in rc.conf but no change. It asks the pass 3 times and then fstab tries to mount the nonexisting device and I get the shell.
> If I comment out the entries in crypttab and fstab and unlock+mount myself after boot, it works fine.

This seems to be related to the keymap problem.

> 3) Even if for some reason one fails to unlock the volume, it would be nice that the boot process can continue. Maybe there could also be a timeout: not unlocked within 60s, continue boot process. Is this possible to do or would it make things too complicated?

Hmm... Looks like a valid feature request.

> 4) Suppose one can fix the stuff in the shell that you get from the fstab hook, is it possible to just resume boot instead of rebooting?

I have not tried this. I have encrypted root with other partitions being decrypted using passwords that are stored in crypttab, so I am not able to encounter #3 and #4 with my configuration.

> 5) Any other thoughts about this kind of setup? I know it's possible if you have IPMI to do serial over LAN and type your password from anywhere around the globe during bootup. But I don't have IPMI, so if no-one can unlock the volume in x seconds, it can continue booting.

Never used IPMI.

-- 
Roman Kyrylych (Роман Кирилич)
On Thu, Aug 27, 2009 at 20:21, Roman Kyrylych <roman.kyrylych@gmail.com> wrote:
> On Thu, Aug 27, 2009 at 19:36, Dieter Plaetinck <dieter@plaetinck.be> wrote:
>> Hi, I have a little server at home which has an encrypted disk mounted at /home/media/1tbdisk
>
> I will be assuming you read the wiki: http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt so I just put what my config looks like below.

Oh, forgot to actually write my config.

in /etc/mkinitcpio.conf:
HOOKS=(... encrypt ...)
(I don't use keymap hook)
You don't actually need encrypt unless your root partition is encrypted too.

in /etc/crypttab:
home /dev/sda8 <some password>
I guess your crypttab has ASK instead of password
(I can safely put the password here because the root is encrypted, and am very lazy to unlock every partition during the boot :-P)

in /etc/fstab:
/dev/mapper/home /home ext4 defaults,relatime 0 2

Everything works like a charm

-- 
Roman Kyrylych (Роман Кирилич)
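The two things this thread turns on, the keymap hook having to come before encrypt in HOOKS (problem 1) and fstab naming a /dev/mapper device that nothing in crypttab sets up (problem 2), can both be checked from the running system before rebooting. The script below is an added example, not code from this thread, from either poster or from Arch: it reads the HOOKS line of an mkinitcpio.conf (it accepts both the HOOKS="..." string form and the HOOKS=(...) array form Roman shows), reports whether keymap precedes encrypt, and lists every /dev/mapper/<name> mounted in an fstab whose <name> has no crypttab line. The function names, the constructed sample files and the three-column "name device password" crypttab layout with ASK are assumptions for the example; point it at /etc/mkinitcpio.conf, /etc/crypttab and /etc/fstab to run it for real.

```shell
#!/bin/sh
# Added example (not from the thread or from Arch): pre-reboot sanity checks
# for the three files discussed above. Paths are arguments so the checks can
# run against constructed copies; function names are my own.

# Print the 1-based position of hook $2 in the HOOKS line of file $1, or 0 if
# the hook is absent. Accepts HOOKS="a b c" as well as HOOKS=(a b c).
hook_index() {
    awk -v want="$2" '
        /^[[:space:]]*HOOKS=/ {
            sub(/^[^=]*=/, "")          # drop the HOOKS= prefix
            gsub(/[()"'\'']/, "")        # drop quotes/parentheses; awk re-splits $0
            for (i = 1; i <= NF; i++)
                if ($i == want) { found = i; exit }
        }
        END { print found + 0 }' "$1"
}

# Return 0 when keymap precedes encrypt (or encrypt is absent). A missing
# keymap hook with encrypt present also fails: the passphrase prompt in the
# initramfs then uses the default (qwerty) map, which is problem 1 above.
hooks_order_ok() {   # $1 = mkinitcpio.conf
    k=$(hook_index "$1" keymap)
    e=$(hook_index "$1" encrypt)
    [ "$e" -eq 0 ] && return 0
    [ "$k" -gt 0 ] && [ "$k" -lt "$e" ]
}

# Print every /dev/mapper/<name> that fstab mounts but crypttab never defines.
# Such a name is exactly what makes fstab try to mount a nonexisting device
# when the unlock step was skipped or failed (problem 2 above).
unmatched_mappers() {   # $1 = crypttab, $2 = fstab
    awk '
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) defined[$1] = 1; next }
        $1 ~ /^\/dev\/mapper\// {
            name = $1; sub(/^\/dev\/mapper\//, "", name)
            if (!(name in defined)) print name
        }' "$1" "$2"
}

# Write constructed sample files (nobody's real config) into directory $1.
write_samples() {
    printf 'HOOKS="base udev autodetect encrypt keymap filesystems"\n' > "$1/bad.conf"
    printf 'HOOKS=(base udev autodetect keymap encrypt filesystems)\n' > "$1/good.conf"
    printf '# name  device     password\nhome    /dev/sda8  ASK\n' > "$1/crypttab"
    printf '/dev/mapper/home      /home               ext4 defaults,relatime 0 2\n' > "$1/fstab"
    printf '/dev/mapper/decrypted /home/media/1tbdisk ext4 defaults          0 2\n' >> "$1/fstab"
}

# Run both checks against the samples and report the way you would for the
# real /etc files before running mkinitcpio and rebooting.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for conf in good bad; do
        if hooks_order_ok "$dir/$conf.conf"; then
            echo "$conf.conf: keymap precedes encrypt; safe to run mkinitcpio"
        else
            echo "$conf.conf: keymap missing or after encrypt; fix HOOKS, then rerun mkinitcpio"
        fi
    done
    missing=$(unmatched_mappers "$dir/crypttab" "$dir/fstab")
    [ -z "$missing" ] || echo "fstab mounts mapper names with no crypttab entry: $missing"
    rm -rf "$dir"
}

demo
```

The sample fstab deliberately mounts /dev/mapper/decrypted (the name from the first post) without a crypttab line for it, so the run reports it as unmatched; the "bad" HOOKS line has encrypt before keymap and is reported as needing a fix before mkinitcpio is rerun.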