10-08-2010, 08:01 AM   #1
thespacemonkey
initramfs-tools scripts and initrd image for encrypted system


I'm trying to get my system encrypted with truecrypt but I'm facing some problems (please don't tell me to use luks or loop-aes, my objective is to use truecrypt).

The most blatant issue is the fact that the script that I put in /etc/initramfs-tools/scripts/local-top/local-top-truecrypt is not being executed at all. In fact, it's not even present in the generated initrd image. It's weird since my hooks script is being executed.
If I look at my initrd image the scripts folders only have init-bottom, local-premount and init-top (even though busybox says it executes scripts in /scripts/local-top)

Is /scripts/local-top/ deprecated or is it a bug in the initramfs tools?
Where exactly should I put the script responsible for modprobing the loop and fuse modules and then mounting the encrypted system by calling truecrypt?

At the moment I have to manually try to mount the system when busybox fails when it tries to mount the root system (just after executing /scripts/local-top which doesn't exist).
I have to modprobe loop and fuse, create a mount point, and then try to mount there. But then I get an error about invalid mount options:
Code:
[ timestamp ] device-mapper: uvent: version 1.0.3
[ timestamp ] device-mapper: ioctl: 4.15.0-ioctl (2009-04-01) initialised: dm-devel@redhat.com
Error: Usage: mount [-r] [-w] [-o options] [-t type] [-f] [-i] [-n] device directory

I'm assuming this is because busybox mount is different than the "gnu/linux normal mount"

Another thing, if I wanted to customize my init script (the one inside initrd image) what would be the best way (in terms of maintenance)?
I'm starting to suspect I'll have to "stop... it's hammer time" the init script.

Another problem that I noticed is that busybox is not supporting UUIDs. It only has /dev/disk/by-path

I'm using debian squeeze, kernel 2.6.32.

Thanks for any help.
 
10-15-2010, 03:05 AM   #2
The MoD
Hi,

I've done something similar, though it was based on luks ...

The description you'll find here

http://www.linuxquestions.org/questi...890/page4.html

First thing you should do: build your initrm, go to the busybox prompt and try to load the modules loop and fuse manually and then run truecrypt. If that works, you can build it into the script.

The MoD
 
10-15-2010, 03:55 PM   #3
thespacemonkey
Hi,
thanks for the reply.

Fortunately (and after a lot of headbanging) I was able to get things working some days ago. I have to say I've learned a lot.


However, there is one thing I'm not sure is the correct way.
I specify the encrypted_device (/dev/sda1) and the decrypted_mount_point (/dev/mapper/truecrypt1) as boot parameters.
When init is executing it executes truecrypt which decrypts the device and maps it to /dev/mapper/truecrypt1. While init continues to execute it automatically mounts the decrypted mapped device.
The problem is that it never runs fsck automatically. I can fsck manually, but the fact that it doesn't do it automatically points that probably something is not as it should be.
Another thing I've noticed is that df -h says:
Code:
Filesystem  Mounted On
rootfs       /
While on a plain system I see the Filesystem as /dev/sda1. And on a system with loop-aes I can see /dev/mapper/sda5_crypt. I was expecting to see as Filesystem /dev/mapper/truecrypt1

As such, I'm not sure if my approach is 100% correct.
Apart from that, everything works fine.


EDIT:
mmm... maybe my fstab is missing something? I only have the /proc line there.
I've also read about a crypttab file. Do I need it?

EDIT2:
adding one line in fstab solved the fsck problem

Last edited by thespacemonkey; 10-15-2010 at 07:53 PM.
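
The approach described in post #3 (encrypted_device and decrypted_mount_point passed as boot parameters, truecrypt run from a local-top script), written out as an added example that is not the poster's actual script. The install path, the function names and the /dev-path check are assumptions, and the TrueCrypt options assume a Linux command-line build that supports --filesystem=none.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed install path:
# /etc/initramfs-tools/scripts/local-top/truecrypt (must be executable).
PREREQ=""
# initramfs-tools calls each boot script with "prereqs" to work out ordering.
case "${1:-}" in
    prereqs) echo "$PREREQ"; exit 0 ;;
esac

# Constructed sample of a kernel command line using the thread's parameters.
SAMPLE_CMDLINE='ro quiet encrypted_device=/dev/sda1 decrypted_mount_point=/dev/mapper/truecrypt1'

# cmdline_get KEY "CMDLINE": print the value of KEY=value, or return 1.
cmdline_get() (
    set -f                      # no globbing while splitting the line
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
)

# Accept only plain /dev/ paths: no options, metacharacters or "..".
valid_dev() {
    case "$1" in
        /dev/*[!A-Za-z0-9/_.-]*|*..*) return 1 ;;
        /dev/?*) return 0 ;;
        *) return 1 ;;
    esac
}

unlock_root() {
    cmdline=$(cat /proc/cmdline)
    src=$(cmdline_get encrypted_device "$cmdline") || return 1
    dst=$(cmdline_get decrypted_mount_point "$cmdline") || return 1
    valid_dev "$src" && valid_dev "$dst" || return 1
    modprobe loop && modprobe fuse || return 1
    # --filesystem=none: map to /dev/mapper/truecryptN without mounting.
    truecrypt --text --keyfiles="" --protect-hidden=no \
        --filesystem=none --slot=1 "$src" || return 1
    [ -b "$dst" ]               # the mapped device must now exist
}

# Run only inside the initramfs, where /scripts/functions is present.
if [ -r /scripts/functions ]; then
    . /scripts/functions
    unlock_root || panic "truecrypt: could not unlock root device"
fi
```

The truecrypt binary and the loop and fuse modules still have to be put into the image by a hook script, for example with copy_exec and manual_add_modules from /usr/share/initramfs-tools/hook-functions.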
 
  

