LinuxQuestions.org

Slackware forum thread: encrypted rootfs on Slackware 12.0 (https://www.linuxquestions.org/questions/slackware-14/encrypted-rootfs-on-slackware-12-0-a-626610/)

/y0shi 03-08-2008 11:10 AM

encrypted rootfs on Slackware 12.0

**WARNING:** The procedure outlined below will destroy all data
that is currently stored on the first IDE device /dev/hda.


This is not some kind of documentation for dm-crypt on Slackware Linux 12.0, but a real world example. You can read this in addition to README_CRYPT.TXT (http://ftp.gwdg.de/pub/linux/slackwa...ADME_CRYPT.TXT) on your Slackware 12.0 disks (You should also read http://alien.slackbook.org/dokuwiki for latest hints and tips). First copy/rsync your data to a safe place ...

I booted my Thinkpad X30 with a USBinstaller (http://www.slackware.com/~alien/tools/usbinstall/12.0/) that worked for me (I failed on booting with the official usbboot method - http://ftp.gwdg.de/pub/linux/slackwa...README_USB.TXT). Then I cleaned my hard disk overnight with dd after logging in as root (just before setup).

Code:

# dd if=/dev/urandom of=/dev/hda
I like cfdisk for creating tables (reboot afterwards required).

Code:

# cfdisk
It looks like this. hda1 is /boot, hda2 is swap, hda3 is rootfs (/) and hda4 is /home.
Code:

# fdisk -l /dev/hda

Disk /dev/hda: 40.0 GB, 40060403712 bytes
255 heads, 63 sectors/track, 4870 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 4 32098+ 83 Linux
/dev/hda2 5 40 289170 82 Linux swap
/dev/hda3 41 1620 12691350 83 Linux
/dev/hda4 1621 4870 26105625 83 Linux

We need to encrypt the last two.

Code:

# cryptsetup -s 256 -y luksFormat /dev/hda3
Code:

# cryptsetup -s 256 -y luksFormat /dev/hda4
And now we open them in order to be able to install on them.

Code:

# cryptsetup luksOpen /dev/hda3 cryptroot
Code:

# cryptsetup luksOpen /dev/hda4 crypthome
Now you can start the setup program. As you can see I did not encrypt the swap (hda2), we take care of this later.

During setup make sure to install to /dev/mapper/cryptroot rather than to /dev/hda3 (also /dev/mapper/crypthome for /home), but select /dev/hda2 as swap.

Don't reboot after setup, but chroot into your new system and edit /etc/fstab and /etc/crypttab accordingly.
Code:

# mount -o bind /proc /mnt/proc
# mount -o bind /sys /mnt/sys
# cp -a /dev/mapper /mnt/dev/
# chroot /mnt

Code:

# cat /etc/fstab
/dev/mapper/cryptswap swap swap defaults 0 0
/dev/mapper/cryptroot / ext3 defaults 1 1
/dev/mapper/crypthome /home ext3 defaults 1 2
/dev/hda1 /boot ext3 defaults 1 2
#/dev/cdrom /mnt/cdrom auto noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0

Code:

# cat /etc/crypttab
cryptswap /dev/hda2 none swap
crypthome /dev/hda4

As a last step before rebooting you need to get your initrd going in order to be able to mount your encrypted root partition during boot.

In the README_CRYPT.TXT they say run

Code:

# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda1 -L
We need to specify /dev/hda3, and we also do not need the -L flag because it enables LVM (we don't use it, and it takes time during boot). Double check with

Code:

# ls -l /boot/vmlinuz
which kernel you use and then run

Code:

# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/hda3
accordingly. In order to use this initrd.gz you need to edit /etc/lilo.conf. The lilo.conf described in README_CRYPT.TXT did not work for me. My working lilo.conf looks like this:

Code:

# cat /etc/lilo.conf

boot = /dev/hda
compact # faster, but won't work on all systems.
#prompt
#timeout = 5
# VESA framebuffer console @ 1024x768x256
vga = 773
image = /boot/vmlinuz
  initrd = /boot/initrd.gz
  root = /dev/hda1
  label = Linux
  read-only # Partitions should be mounted read-only for checking

Don't forget to run lilo in order to apply the changes. Have fun after reboot ...

Code:

# lilo
Code:

# shutdown -r now
Troubleshooting:
You get a kernel panic and it seems like you will not be able to boot into your system?
With your installation media you will be able to boot the installer and then log in as root. Then do:

Code:

# cryptsetup luksOpen /dev/hda3 cryptroot
# mount /dev/mapper/cryptroot /mnt
# mount -o bind /proc /mnt/proc
# mount -o bind /sys /mnt/sys
# cp -a /dev/mapper /mnt/dev/
# chroot /mnt
# mount /boot

Now you are in your installed system, are able to edit your lilo.conf, make another initrd and so on ...
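
A pre-reboot sanity check for the layout above, added here as an illustration and not part of /y0shi's post or of Slackware itself. It assumes the split used in the post (the root mapper is opened by the initrd built with mkinitrd -r, every other mapper in fstab must be opened by a line in /etc/crypttab) and the stock Slackware 12.0 kernel file naming (vmlinuz-huge-smp-2.6.21.5-smp, vmlinuz-generic-2.6.21.5, ...) for deriving the -k argument. The fstab and crypttab contents are constructed copies of the ones in the post, written to a temporary directory rather than read from /etc; the "missing" variant shows the mistake that otherwise only surfaces as an unmountable /home after reboot.

```shell
#!/bin/sh
# Added example: consistency checks to run inside the chroot before "lilo"
# and "shutdown -r now". Not from the original post.

# Kernel version string for mkinitrd -k, derived from a Slackware 12.0 kernel
# file name, e.g. vmlinuz-huge-smp-2.6.21.5-smp -> 2.6.21.5-smp
# (assumption: the stock huge/generic[-smp]-<version> naming).
kver_from_kernel_name() {
    printf '%s\n' "$1" | sed -E 's/^vmlinuz-(huge|generic)(-smp)?-//'
}

# Every /dev/mapper/NAME mounted in fstab must be opened by someone: the root
# mapper by the initrd (mkinitrd -r NAME), all others by a crypttab line.
# Prints each mapper nobody opens and returns 1 if there is at least one.
check_mapper_coverage() {
    fstab=$1; crypttab=$2; rootmapper=$3
    rc=0
    for m in $(sed 's/#.*//' "$fstab" |
               awk '$1 ~ /^\/dev\/mapper\//{sub("/dev/mapper/","",$1); print $1}'); do
        [ "$m" = "$rootmapper" ] && continue
        if ! sed 's/#.*//' "$crypttab" | awk -v n="$m" '$1==n{f=1} END{exit !f}'; then
            echo "no crypttab entry opens /dev/mapper/$m" >&2
            rc=1
        fi
    done
    return $rc
}

# The raw device handed to mkinitrd -C is already opened by the initrd; a
# crypttab line for the same device would try to open it a second time.
check_root_not_in_crypttab() {
    crypttab=$1; rootdev=$2
    ! sed 's/#.*//' "$crypttab" | awk -v d="$rootdev" '$2==d{f=1} END{exit !f}'
}

# Constructed sample files mirroring the post's layout (not the real /etc).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/fstab" <<'EOF'
/dev/mapper/cryptswap swap swap defaults 0 0
/dev/mapper/cryptroot / ext3 defaults 1 1
/dev/mapper/crypthome /home ext3 defaults 1 2
/dev/hda1 /boot ext3 defaults 1 2
EOF
cat > "$DEMO_DIR/crypttab" <<'EOF'
cryptswap /dev/hda2 none swap
crypthome /dev/hda4
EOF
# Broken variant: the crypthome line was forgotten.
cat > "$DEMO_DIR/crypttab.missing" <<'EOF'
cryptswap /dev/hda2 none swap
EOF

# On the real system: KVER=$(kver_from_kernel_name "$(readlink /boot/vmlinuz)")
KVER=$(kver_from_kernel_name vmlinuz-huge-smp-2.6.21.5-smp)
echo "mkinitrd -c -k $KVER -m ext3 -f ext3 -r cryptroot -C /dev/hda3"

check_mapper_coverage "$DEMO_DIR/fstab" "$DEMO_DIR/crypttab" cryptroot \
    && echo "crypttab covers every mapper in fstab"
check_mapper_coverage "$DEMO_DIR/fstab" "$DEMO_DIR/crypttab.missing" cryptroot \
    || echo "fix crypttab before rebooting"
check_root_not_in_crypttab "$DEMO_DIR/crypttab" /dev/hda3 \
    && echo "/dev/hda3 is left to the initrd"
```

The two checks catch the two ways this setup fails after reboot: a mapper in fstab that nothing opens (boot stops at the mount), and the root device listed both for the initrd and in crypttab (a second luksOpen on a device already mapped).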

lemmy_kilmister 03-10-2008 11:33 AM

Thank you, /y0shi!

/y0shi 03-12-2008 10:18 AM

Quote:

Originally Posted by lemmy_kilmister (Post 3084020)
Thank you, /y0shi!

You're Welcome ;-)

