I am self-studying for my RHCE (since I cannot afford 2.500 euros for the full course) and I came across some issues regarding iSCSI with cryptsetup.
Since I don't have an instructor to help me with the relevant issues, I was hoping to get some help from here.
I am at the point where I am learning that you can encrypt an iSCSI partition for better security, and my question is:
1) Does the target (server) encrypt the block device, and then the initiator (client), while attaching the iSCSI drive locally, encrypts it?
Or: the client mounts the iSCSI drive, then creates a partition, "LUKS IT", unlocks it and mounts it.
I tried the second approach, meaning I shared an iSCSI drive from my server and then from my client PC (RHEL 6) I created a partition, encrypted --> unlock --> created fs --> mount it.
It all went well but I am stuck automating the above procedure. My question is:
2) When automounting an iSCSI partition, you just add an entry to the fstab with the UUID of the iSCSI block device, with the important option of _netdev,
which indicates that the relevant device is a network device, hence the system will first bring up the network and then try to mount.
However, for encrypted LUKS devices there is no option like _netdev in the /etc/crypttab file. How is this issue addressed?
So far what I have tried is the below:
I added my iSCSI block device for automatic unlocking during boot in /etc/crypttab:
[root@rhel6 ~]# cat /etc/crypttab
Then I added an entry to the fstab that would automount the unlocked partition:
[root@rhel6 ~]# cat /etc/fstab
# Created by anaconda on Sun Feb 23 12:36:10 2014
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
/dev/mapper/vg_rhel6-lv_root / ext4 defaults 1 1
UUID=33fc8ec5-b0bb-45cd-8610-7bfa2c36cb83 /boot ext4 defaults 1 2
/dev/mapper/vg_rhel6-lv_swap swap swap defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
sysfs /sys sysfs defaults 0 0
proc /proc proc defaults 0 0
/dev/mapper/iscsi_secret /storage ext4 _netdev 0 0
Upon reboot, the system prompts me to enter the password for the encrypted device but it doesn't accept the password! When I cancel the procedure and the system boots, I log in, open a console and manually unlock the partition without any issues. For some reason, at the boot prompt for unlocking the device my password is not accepted.
Could this be an issue that the network might not be up yet and the system is trying to unlock a device that is not there yet?
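
Added example, not part of the original post: a small shell function that cross-references the two files the post edits, listing each /dev/mapper mount in fstab that is backed by a crypttab mapping, together with its backing device and whether the mount carries _netdev. The crypttab line and the backing device /dev/sdb1 are constructed sample values (the post does not show its crypttab contents); the fstab lines are taken from the post.

```shell
#!/bin/bash
# Added example (not from the post): cross-reference crypttab and fstab.
# For each fstab entry that mounts /dev/mapper/<name>, where <name> is a
# mapping defined in crypttab, print the mount point, the backing device
# named in crypttab, and whether the mount options include _netdev.

audit_luks_mounts() {
    # $1 = path to crypttab, $2 = path to fstab
    awk '
        /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
        FILENAME == ARGV[1] { backing[$1] = $2; next } # crypttab: name -> device
        $1 ~ /^\/dev\/mapper\// {
            name = substr($1, 13)                      # strip the 12-char /dev/mapper/ prefix
            if (!(name in backing)) next               # not a crypttab mapping (LVM volume etc.)
            netdev = (index("," $4 ",", ",_netdev,") > 0) ? "yes" : "no"
            printf "%s mount=%s backing=%s netdev=%s\n", name, $2, backing[name], netdev
        }
    ' "$1" "$2"
}

# Constructed sample input so the example runs offline.
demo_dir=$(mktemp -d)

# Constructed crypttab line: mapping name from the post, backing device assumed.
printf '%s\n' \
    '# <name> <device> <keyfile>' \
    'iscsi_secret /dev/sdb1 none' > "$demo_dir/crypttab"

# fstab lines as they appear in the post.
printf '%s\n' \
    '/dev/mapper/vg_rhel6-lv_root / ext4 defaults 1 1' \
    '/dev/mapper/vg_rhel6-lv_swap swap swap defaults 0 0' \
    '/dev/mapper/iscsi_secret /storage ext4 _netdev 0 0' > "$demo_dir/fstab"

audit_luks_mounts "$demo_dir/crypttab" "$demo_dir/fstab"
rm -rf "$demo_dir"
```

On a real system the function is called as `audit_luks_mounts /etc/crypttab /etc/fstab`; it only reads the two files.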