Hi,
I would like to have a non-root partition and swap mounted on boot.
At the moment I do this via rc.local:
modprobe dm-crypt
modprobe aes-x86-64
# swap: throw-away random key from /dev/urandom, so it is re-created on every boot
cryptsetup -c aes-cbc-essiv:sha256 -h sha256 -s 256 -d /dev/urandom create swap /dev/md3
mkswap /dev/mapper/swap
swapon /dev/mapper/swap
# data: LUKS volume, prompts for the passphrase; mount point comes from /etc/fstab
cryptsetup luksOpen /dev/md4 data
mount /dev/mapper/data
Do I have to manually unmount/crypt remove those in rc.local.shutdown?
Is there a better option than rc.local?
I still want to be able to start the system, and then remotely login via ssh, which is why I don't use crypttab.
Thanks in advance
Julian
Checked this wiki article?
Thanks, but yes - I have.
http://wiki.archlinux.org/index.php/Sys … _partition
I think that this does not apply to me, as this init hook would get executed before any daemons, right?
Which means, I could not boot remotely anymore.
I still want to be able to start the system, and then remotely login via ssh, which is why I don't use crypttab.
Julian
What has crypttab to do with remote login?
Zygfryd Homonto
As far as I know (please correct me if I'm wrong), crypttab is used only by /lib/initcpio/hooks/encrypt and /etc/rc.shutdown.
As hooks are executed *before* the ssh daemon is started (right?), one would be prompted for the passphrase, and as at that point I could only enter the password via the local keyboard, this prevents any further booting.
Last edited by dammannj (2009-01-28 09:59:53)
Yes, it is in /etc/rc.sysinit, which is before the daemons.
But in such a case, put only the passphrase instead of a prompt in /etc/crypttab,
or in your /etc/rc.local.
But especially swap, which is without a password, can be in /etc/crypttab.
Zygfryd Homonto
Yes, I could add swap to crypttab.
But putting the passphrase for my encrypted volume in the crypttab on the unencrypted root would kind of nullify encrypting at all, right?
That's why I want to use rc.local for that.
As I understand things, I would have to put
umount /data
cryptsetup remove data
in /etc/rc.local.shutdown
Is that about right?
Actually, if you use /etc/rc.local and it asks for a password, then it stops everything after it until you enter it.
So, if you want to use an encrypted volume, i.e. /data, just don't do anything at all: let the system start without it, then ssh there and start it manually by means of a script or whatever, using the password which you are going to enter from the keyboard.
On the next reboot you will have to ssh there again. Something for something: privacy or convenience.
Zygfryd Homonto
Hmm...
I want convenience when I'm in front of the computer, and I want to start it via script when I am remote hehe
As rc.local gets executed last, it doesn't really matter to me if it doesn't finish, right?
But I'll try using something like a timeout, e.g. wait for confirmation; after the timeout expires, continue booting without setting up the encrypted partitions.
If you're worried about the encryption and mounting routines not exiting, put them in a script and then execute it in the background from rc.local with '&'.
I like this thread... interesting subject.
Yes, it is in /etc/rc.sysinit, which is before the daemons.
But in such a case, put only the passphrase instead of a prompt in /etc/crypttab,
or in your /etc/rc.local.
But especially swap, which is without a password, can be in /etc/crypttab.
I've looked around a bit in /etc/rc.sysinit.
If I understand correctly, the initcpio takes care of the encrypted *root* fs, while non-root encrypted volumes are taken care of through /etc/rc.sysinit?
Of course.
rc.sysinit is in /etc, so it is available only after / is mounted (decrypted, in the case of a root-encrypted file system).
Actually I have my /home encrypted, but I really don't see any reason to encrypt /: there is no private data there.
So IMHO /home encryption would be enough for me.
In my case /home is 150GB and I don't see any influence on computer performance while using cryptsetup for such a partition.
OK, one only: a full backup of /home takes time, especially as the backup HDD is fully encrypted as well :-)
Zygfryd Homonto
In my opinion there are 2 reasons to encrypt the root filesystem.
1. Protecting passwords used by e.g. daemons like ppp or vpn, or if you automate cryptsetup of other filesystems via crypttab (as described above, passphrase in crypttab).
2. Integrity: you can be quite sure that no one (without your / encryption key) has compromised your system. (Yea, cold boot, etc. etc., but the average attacker with physical access will not be able to tamper with any data on /.)
I have now found a solution that is satisfying to me.
Reminder: I want to be prompted for the passphrase on system boot if I boot it locally, i.e. I have physical access to the machine via keyboard, and I don't want this to happen when I boot it remotely, i.e. my only access to the machine after boot is via ssh.
Yea, this violates KISS.
First, my setup:
I mount the encrypted partition as /data, and I have several daemons which depend on it being mounted.
The daemons that use this partition are nfs, (icecast), mpd.
I use a little "pseudo" daemon for that (pseudo, as there is no executable; I'm not good at inventing names, I called it "data") which starts those daemons (instead of putting them in rc.conf they go in here).
#!/bin/bash
. /etc/rc.conf
. /etc/rc.d/functions

case "$1" in
  start)
    stat_busy "Starting data daemon"
    # Watchdog: killer.sh kills this script (PID $$) after 5 seconds
    # unless Enter is pressed first. If the timer fires between the
    # read returning and the kill below, the script still dies.
    /root/bin/killer.sh 5 $$ &
    echo -n "Enter to stop timeout"
    read
    # Enter was pressed in time: cancel the watchdog.
    if [ -f "/tmp/killer$$.pid" ]; then
      kill `cat /tmp/killer$$.pid`
      rm /tmp/killer$$.pid
    fi
    cryptsetup luksOpen /dev/md4 data
    mount /dev/mapper/data
    # Daemons that depend on /data (listed here instead of in rc.conf)
    /etc/rc.d/portmap start
    /etc/rc.d/nfslock start
    /etc/rc.d/nfsd start
    /etc/rc.d/icecast start
    /etc/rc.d/mpd start
    add_daemon data
    stat_done
    ;;
  stop)
    stat_busy "Stopping data daemon"
    # Reverse order: stop the users of /data, then unmount, then close the mapping
    /etc/rc.d/mpd stop
    /etc/rc.d/icecast stop
    /etc/rc.d/nfsd stop
    /etc/rc.d/nfslock stop
    /etc/rc.d/portmap stop
    umount /data
    cryptsetup remove data
    rm_daemon data
    stat_done
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
esac
exit 0
I use a little script killer.sh for the timeout:
#!/bin/bash
# Usage: killer.sh <seconds> <pid>
# Records its own PID (so the caller can cancel it), waits, then kills <pid>.
echo $$ > /tmp/killer$2.pid
sleep $1
kill $2
rm -f /tmp/killer$2.pid
I don't write shell scripts often, and in fact am neither good at it nor have tried to really "learn" it.
Is there a simpler/better way to realize this timeout?
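As an added example (not code from the thread), the same start logic with the timeout done by bash's built-in read -t instead of the killer.sh background kill; the device, mapping name and daemon list are the ones from the post above, and DRY_RUN is an assumed switch that prints the privileged commands instead of running them so the control flow can be exercised without a block device.

```bash
#!/bin/bash
# Added example, not code from the thread: a timed console prompt built on
# bash's `read -t` instead of killer.sh (background sleep, pid file, kill $$).
# `read -t` returns non-zero on timeout or EOF, so no signal is needed and the
# timer can never kill a script that already continued past the prompt.
# DRY_RUN=1 (assumed switch) prints privileged commands instead of running them.

TIMEOUT=5   # seconds to wait for a local operator before boot continues

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*" >&2; else "$@"; fi
}

# Wait up to $1 seconds for Enter on stdin (the console during boot).
# Returns 0 when someone pressed Enter, 1 on timeout or when stdin is not
# interactive (EOF), i.e. nobody is at the keyboard.
wait_for_operator() {
    local timeout="$1"
    printf 'Press Enter within %ss to unlock /data, or wait to skip: ' "$timeout" >&2
    if read -r -t "$timeout" _; then
        echo >&2
        return 0
    fi
    echo ' (no input, continuing without /data)' >&2
    return 1
}

# Device and mapping name are the ones from the thread.
unlock_data() {
    run cryptsetup luksOpen /dev/md4 data && run mount /dev/mapper/data
}

# Start path: unlock and start the dependent daemons only when an operator
# is present; otherwise boot continues and /data is set up later over ssh.
# Prints "unlocked" or "skipped" so callers can see which path ran.
start_data() {
    local d
    if wait_for_operator "$TIMEOUT" && unlock_data; then
        for d in portmap nfslock nfsd icecast mpd; do run "/etc/rc.d/$d" start; done
        echo unlocked
    else
        echo skipped
    fi
}

case "${1:-}" in
    start) start_data ;;
    *)     : ;;   # no argument: only define the functions (e.g. when sourced)
esac
```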
Hi,
if you want to be asked for the password when mounting encrypted volumes during boot, but without having the system bootup blocked in case you're not sitting in front of the machine at the moment, you can use the timeout feature of cryptsetup: simply add the -t option in the crypttab,
e.g. a
data /dev/sda3 ASK -t 60
line in your /etc/crypttab makes the password question get cancelled after a minute and your system continues to boot (without the encrypted partition mounted).
hth,
mykhal