[arch-general] How to encrypt /home, so it gets mounted during boot
Hi, I've encrypted my /home partition (which lies on a RAID), basically just for the fun of it ;). I'm now encountering a problem, which isn't as easy to solve as it seems to me :(. I've got the following setup:
/dev/sda1 -> /boot
/dev/sda2 -> encryption -> lvm -> /
/dev/sdb1 -> encryption -> lvm -> /home
Now I want to get /home mounted during the bootup. However, I have the following order of hooks, which works fine for my root partition: "[...] encrypt lvm2 resume filesystems". Now, while the root lv gets mounted, the initscripts then try to mount anything within /etc/fstab, but here lies the problem, because the lvm2 hook hasn't unlocked /dev/sdb1, because it is encrypted and gets decrypted only afterwards (/etc/crypttab). So what is the procedure here? Is there any easy workaround? How do you solve these issues? Best regards, Karol Babioch
On Fri, Jan 28, 2011 at 7:32 PM, Karol Babioch <karol@babioch.de> wrote:
Now, while the root lv gets mounted, the initscripts then try to mount anything within /etc/fstab, but here lies the problem, because the lvm2 hook hasn't unlocked /dev/sdb1, because it is encrypted and gets decrypted only afterwards (/etc/crypttab).
I'm not using the same setup as you, but looking at rc.sysinit, it should support a setup like the following (where any link in the chain can be skipped of course): raid -> lvm -> encrypt -> lvm -> fs So in principle your setup should work (notice that inside the crypttab stuff there is a call to activate_vgs). I don't know how to solve your particular problem though, just thought I'd let you know that it "should work" (TM). Cheers, Tom
Hi, on 28.01.2011 20:19, Tom Gundersen wrote:
notice that inside the crypttab stuff there is a call to activate_vgs
What do you mean by that? Is it something I have to take care of, or should it work automatically? I think that my setup isn't that unrealistic, so I would like to have it supported ;). Maybe someone else will come up with a working idea ;). Thanks anyway! Best regards, Karol Babioch
On Fri, Jan 28, 2011 at 8:30 PM, Karol Babioch <karol@babioch.de> wrote:
On 28.01.2011 20:19, Tom Gundersen wrote:
notice that inside the crypttab stuff there is a call to activate_vgs
What do you mean by that? Is it something I have to take care of, or should it work automatically?
The way I read the code (without trying it) it should work automatically. -t
Have you taken a look at the archwiki? It helped me out.. https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-cryp...
Hi, on 28.01.2011 21:16, RekahSoft wrote:
Have you taken a look at the archwiki? It helped me out..
I've taken a look at that and set up a few boxes with full system encryption already, however I can't find any useful information for the setup of this box, because /home is on another drive, which is also encrypted. For me, it seems that this is something which must be fixed within the sysinit scripts; basically lvm2 has to be executed twice: after decrypting the root partition and after decrypting devices according to /etc/crypttab. Best regards, Karol Babioch
On 28.01.2011 21:35, Karol Babioch wrote:
For me, it seems that this is something which must be fixed within the sysinit scripts; basically lvm2 has to be executed twice: after decrypting the root partition and after decrypting devices according to /etc/crypttab.
Yes, it does. If you want to cover all cases (encryption on top of lvm, lvm on top of encryption, or even lvm on top of encryption on top of lvm), you need to run it twice.
Hi, on 28.01.2011 21:46, Thomas Bächler wrote:
you need to run it twice
That doesn't work :(. It still says "fsck.ext4: No such file or directory while trying to open /dev/raid/home". When entering the maintenance console, /dev/raid/home does exist and can easily be mounted either directly or by using fstab. Is there an easy way to solve this, or do I need to fiddle around with the lvm2 hook? Best regards, Karol Babioch
Hi again, it seems to work now, but I had to put "/dev/mapper/raid-home" in the fstab instead of "/dev/raid/home". I guess it's time to ask for the difference between those two, because I never really got it. My guess would be that the first one comes from the device mapper, while the second one is being spawned by lvm. Interestingly enough, my /etc/fstab contains some entries like this:
/dev/lvm/var /var ext4 defaults,noatime,discard
/dev/lvm/root / ext4 defaults,noatime,discard
While /dev/lvm/root really gets mounted, it's /dev/mapper/lvm-var which gets mounted for /var, which seems quite odd to me? Can anyone elaborate on this? Best regards, Karol Babioch
On Fri, Jan 28, 2011 at 3:57 PM, Karol Babioch <karol@babioch.de> wrote:
While /dev/lvm/root really gets mounted, it's /dev/mapper/lvm-var which gets mounted for /var, which seems quite odd to me?
Can anyone elaborate on this?
I don't know the exact reason, or where it's happening, but ultimately everything is just symlinks anyway:
lvm -> /dev/dmX
md -> /dev/mdX
....
udev is creating links to the above locations for you. AFAIK though, /dev/mapper is the standard/most regular, so I would stick to that. C Anthony
On 28.01.2011 22:57, Karol Babioch wrote:
it seems to work now, but I had to put "/dev/mapper/raid-home" in the fstab instead of "/dev/raid/home". I guess it's time to ask for the difference between those two, because I never really got it.
Since I work with network block devices combined with LUKS encryption, I can say that in /dev/mapper you can access the decrypted device files, while /dev/raid has something to do with your RAID configuration.
On 28.01.2011 22:57, Karol Babioch wrote:
it seems to work now, but I had to put "/dev/mapper/raid-home" in the fstab instead of "/dev/raid/home". I guess it's time to ask for the difference between those two, because I never really got it.
Both should work the same, but there is a recent LVM bug that causes symlinks not to be created in time: https://mailman.archlinux.org/pipermail/arch-general/2011-January/018346.htm... https://mailman.archlinux.org/pipermail/arch-general/2011-January/018357.htm...
On 28.01.2011 22:37, Karol Babioch wrote:
Hi,
On 28.01.2011 21:46, Thomas Bächler wrote:
you need to run it twice
That doesn't work :(. It still says "fsck.ext4: No such file or directory while trying to open /dev/raid/home".
This is a (new?) lvm bug. If you edit rc.sysinit and add a 'sleep 1' directly before the fsck part, it will work. I'll have to talk to the LVM guys about this, but didn't get to it yet.
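A more robust alternative to a fixed 'sleep 1' before fsck is to poll until the fstab device path actually resolves to an existing device, and to compare the LVM symlink with its /dev/mapper counterpart the way the thread discusses. This is an added example, not code from the thread or from Arch's rc.sysinit; the function names wait_for_dev and same_device are hypothetical, and the third argument to wait_for_dev (the test operator, default -b for block devices) exists only so the helper can be exercised on ordinary files.

```shell
#!/bin/sh
# Hypothetical helpers (added example, not from the thread or rc.sysinit).
# Arch rc.sysinit at the time ran fsck against /etc/fstab entries; if the
# udev symlink /dev/raid/home (-> /dev/dm-N) had not appeared yet, fsck
# failed with "No such file or directory". Polling with a timeout avoids
# both the race and an arbitrary sleep.

# wait_for_dev PATH [TIMEOUT_SECONDS] [TEST_OP]
# Returns 0 once PATH resolves (through any symlinks) to something that
# satisfies TEST_OP (default -b: a block device); returns 1 on timeout.
wait_for_dev() {
    dev="$1"
    timeout="${2:-10}"
    op="${3:--b}"      # use -e in tests where no block device is available
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        # readlink -f follows the udev symlink to the real /dev/dm-N node;
        # a dangling link prints a target that does not exist yet.
        target=$(readlink -f "$dev" 2>/dev/null) || target=""
        if [ -n "$target" ] && [ "$op" "$target" ]; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# same_device A B
# Returns 0 if both paths resolve to the same node, e.g. /dev/raid/home and
# /dev/mapper/raid-home both pointing at the same /dev/dm-N; 1 otherwise.
same_device() {
    a=$(readlink -f "$1" 2>/dev/null) || return 1
    b=$(readlink -f "$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

On a real boot you would call wait_for_dev on each fstab device before fsck, and fall back to the /dev/mapper name if same_device confirms it is the same node.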