[arch-general] server with an encrypted non-root disk

Roman Kyrylych roman.kyrylych at gmail.com
Thu Aug 27 17:21:05 UTC 2009


On Thu, Aug 27, 2009 at 19:36, Dieter Plaetinck<dieter at plaetinck.be> wrote:
> Hi, I have a little server at home which has an encrypted disk mounted at /home/media/1tbdisk

I will be assuming you read the wiki:
http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt
so I just put what my config looks like below.

> I added it to crypttab and the decrypted dm device to fstab, but I have the following problems:
>
> 1) the keymap upon luksOpen is qwerty, even though I have my keymap set in rc.conf and added 'keymap' to hooks in rc.conf
> I ran `mkinitcpio -p kernel26` in the shell that the init(script) gave me when it tried to mount /dev/mapper/decrypted (after I mounted -o remount,ro /).  Do I really have to run mkinitcpio again from the real system and reboot? (I can do it, but would like to know what might have gone wrong here)

You did put keymap before encrypt in HOOKS, right?
You have to run mkinitcpio only after you have added the encrypt and
keymap hooks.

>
> 2) even when I'm sure I'm typing the correct pass (in qwerty) it doesn't unlock. I added dm_crypt to modules in rc.conf but
> no change. It asks the pass 3 times and then fstab tries to mount the nonexisting device and I get the shell
>
> If I comment out the entries in crypttab and fstab and unlock+mount myself after boot, it works fine.

This seems to be related to the keymap problem.

> 3) even if for some reason one fails to unlock the volume, it would be
> nice that the boot process can continue. maybe there could also be a
> timeout: not unlocked within 60s, continue boot process.  Is this possible to do or would it make things too complicated?

Hmm... Looks like a valid feature request.

> 4) suppose one can fix the stuff in the shell that you get from the fstab hook, is it possible to
> just resume boot instead of rebooting?

I have not tried this.
I have encrypted root with other partitions being decrypted using passwords
that are stored in crypttab, so I am not able to encounter #3 and #4
with my configuration.

> 5) any other thoughts about this kind of setup?  I know it's possible if you have IPMI to do serial over LAN and type your password from anywhere around the globe during bootup.  But I don't have IPMI, so if no-one can unlock the volume in x seconds, it can continue booting.

Never used IPMI.

-- 
Roman Kyrylych (Роман Кирилич)
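The ordering point made in the reply (the `keymap` hook has to come before `encrypt` in the HOOKS line, and the initramfs has to be regenerated afterwards) as an added POSIX shell check. This is not code from the thread or from Arch; the `hooks_from_conf` and `hook_order_ok` function names and the two sample HOOKS lines are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that the 'keymap' hook precedes 'encrypt' in a
# mkinitcpio.conf HOOKS line, so the console keymap is loaded before the
# LUKS passphrase prompt appears. Sample HOOKS values are constructed.

# Pull the HOOKS value out of mkinitcpio.conf-style text read on stdin.
# Matches the quoted form HOOKS="base udev ..." used in 2009-era configs.
hooks_from_conf() {
    sed -n 's/^HOOKS="\(.*\)"$/\1/p'
}

# Exit status: 0 = keymap is before encrypt, 1 = both present but in the
# wrong order, 2 = at least one of the two hooks is missing entirely.
hook_order_ok() {
    i=0; kpos=0; epos=0
    for h in $1; do
        i=$((i + 1))
        case $h in
            keymap)  kpos=$i ;;
            encrypt) epos=$i ;;
        esac
    done
    if [ "$kpos" -eq 0 ] || [ "$epos" -eq 0 ]; then
        return 2
    fi
    [ "$kpos" -lt "$epos" ]
}

# Convenience wrapper: check a whole (constructed) mkinitcpio.conf text.
check_conf() {
    hook_order_ok "$(printf '%s\n' "$1" | hooks_from_conf)"
}

# Constructed samples: the first reproduces the symptom from the thread
# (passphrase prompt in qwerty), the second is the corrected ordering.
WRONG_CONF='MODULES="dm_crypt"
HOOKS="base udev autodetect pata scsi sata encrypt keymap filesystems"'
RIGHT_CONF='MODULES="dm_crypt"
HOOKS="base udev autodetect pata scsi sata keymap encrypt filesystems"'

# Stand-alone run: report on both samples. After fixing the real file,
# the initramfs still has to be rebuilt (mkinitcpio -p kernel26 on the
# kernel of this thread) and the machine rebooted for it to take effect.
main() {
    for c in "$WRONG_CONF" "$RIGHT_CONF"; do
        if check_conf "$c"; then
            echo "ok: keymap precedes encrypt"
        else
            echo "problem: keymap missing or listed after encrypt (status $?)"
        fi
    done
}

[ "${HOOKCHECK_NO_MAIN:-}" = 1 ] || main
```

Run it against a real file with `check_conf "$(cat /etc/mkinitcpio.conf)"`; a non-zero status means the keymap will not be active at the passphrase prompt, which matches the first two problems in the quoted mail.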

