LinuxQuestions.org, Linux - Security forum
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am trying to set up my laptop to have encrypted root and swap partitions. What I would like to do is have the boot process pause and prompt for the passphrase to unlock the swap and root partitions before attempting to mount. Although this sounds complicated, the majority of it isn't. Using cryptsetup with LUKS it is easy to encrypt a partition and establish a passphrase that unlocks the partition and thus creates a virtual device in /dev/mapper. Then I use mkinitrd to create a basic initrd with all the kernel modules required for this setup to work in the boot process. The problem lies in hacking the initrd. Fedora has moved to using nash as its boot "almost shell", which has some very useful built-in commands, such as switchroot. But it will not stop for a prompt and blows right past cryptsetup when it asks for a passphrase. I've attempted to work around it by adding busybox and its built-in shell msh (or ash, if you compile it yourself with that option) and writing a small script to call cryptsetup, but even then the initrd does not stop for user input. I've reversed it and written an init that is a msh script that, towards its end, calls a nash script to run switchroot, but, because it is not init and thus does not have a pid of 1, it fails to mount root and launch init, although everything else works, including the prompt. I am trying to avoid using pivot_root or klibc's run_init as I'd like to stay as close to a standard Fedora boot process as possible. I have seen reference to other people who have managed to get this to work for them, but I have not received a reply to my emails. Can anyone make a suggestion?
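As an added example (not code from this thread or from Fedora's mkinitrd), here is a sketch of the kind of initrd init script the post describes: a busybox shell script that prompts for a LUKS passphrase, opens the root and swap containers with cryptsetup, and then hands off to a nash script for switchroot. Two details matter for the two failures described above, and both are assumptions of mine rather than anything the thread confirms: the script reads and writes /dev/console explicitly, since the shell's stdin in an initrd is often not attached to the console and a plain `read` then returns immediately; and the final step is `exec`, so nash replaces the shell and keeps PID 1 for switchroot. The device names /dev/sda2 and /dev/sda3, the path /switchroot.nash, and nash accepting a script path as its argument are all hypothetical; cryptsetup's `--key-file=-` (read the key from stdin) is a real option.

```shell
#!/bin/sh
# Hypothetical initrd /init (added example, not from the thread): prompt on the
# console for a LUKS passphrase, open root and swap, then exec nash for switchroot.
# Assumed: cryptsetup, busybox sh and nash live in the initrd, and
# /switchroot.nash is a nash script that mounts root and runs switchroot.

CRYPTSETUP=${CRYPTSETUP:-/sbin/cryptsetup}      # overridable so the functions can be tested
CONSOLE=${CONSOLE:-/dev/console}                # the initrd shell's stdin is usually not this
NASH=${NASH:-/bin/nash}
SWITCHROOT_SCRIPT=${SWITCHROOT_SCRIPT:-/switchroot.nash}
MAX_TRIES=3

# unlock_luks DEVICE NAME: prompt up to MAX_TRIES times, feed the passphrase to
# cryptsetup on stdin, and create /dev/mapper/NAME. Returns 0 on success, 1 if
# every attempt failed.
unlock_luks() {
    dev=$1; name=$2; try=1
    while [ "$try" -le "$MAX_TRIES" ]; do
        # Talk to the console directly: with stdin not attached to it, a bare
        # `read` would not block and the boot would "blow right past" the prompt.
        printf 'Passphrase for %s (%s, attempt %d/%d): ' "$name" "$dev" "$try" "$MAX_TRIES" >> "$CONSOLE"
        stty -echo < "$CONSOLE" 2>/dev/null || true   # no stty, or not a tty: carry on
        read -r pass < "$CONSOLE"
        stty echo < "$CONSOLE" 2>/dev/null || true
        printf '\n' >> "$CONSOLE"
        # --key-file=- reads the key from stdin; no trailing newline, so the key
        # matches what was typed interactively at luksFormat time.
        if printf '%s' "$pass" | "$CRYPTSETUP" luksOpen --key-file=- "$dev" "$name"; then
            pass=                      # drop the passphrase from the environment
            return 0
        fi
        printf 'Unlock failed.\n' >> "$CONSOLE"
        try=$((try + 1))
    done
    pass=
    return 1
}

# init_main: what PID 1 does. The last step is exec, so nash inherits PID 1,
# which switchroot needs; running nash as a child process would not.
init_main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    unlock_luks /dev/sda2 root || {
        printf 'Cannot unlock root; dropping to a shell.\n' >> "$CONSOLE"
        exec /bin/sh
    }
    unlock_luks /dev/sda3 swap || printf 'Continuing without swap.\n' >> "$CONSOLE"
    exec "$NASH" "$SWITCHROOT_SCRIPT"
}

# Only act as init when this really is PID 1; sourcing the file elsewhere does nothing.
if [ "$$" = 1 ]; then
    init_main
fi
```

The passphrase never goes on a command line (it would be visible in /proc/PID/cmdline while cryptsetup runs) and is cleared from the shell variable afterwards; the attempt limit keeps a mistyped passphrase from looping forever on an unattended boot.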
Thanks for the reply, although this isn't exactly what I am looking for. This link is to a page about encrypting partitions using gpg and loop devices on Suse. It also doesn't speak to encrypting the root partition using LUKS, Fedora, or nash, and how to get it to allow scripts to pause for user input.