LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices



Reply
 
Search this Thread
Old 10-18-2011, 09:43 PM   #1
BashTin
Member
 
Registered: May 2003
Location: West Midlands, United Kingdom.
Distribution: Slackware 13.37
Posts: 252

Rep: Reputation: 32
LVM ontop of encrypted file system - 2 drives


Hi all, I know this is not strictly Slackware specific but as a Slacky I always get the answers from you guys so why change a winning formula :-)

So my 'master plan' is to have encrypted file system (cryptsetup) on two drives. Drive A is for the operating system and drive B is for backup of home dirs via a cron script. These encrypted drives will have LVM ontop for management.

So my question. How can I boot up on drive A (via lilo) and be prompted for one pw (for the encryption via cryptsetup) to unlock BOTH drive A and B before LVM initiates (which is across both drives)? I have an unencrypted partition for boot on drive A. Of course unlocking drive A is easy enough, just don't know how to do the two at the same time.

And if you want to know why not use mirroring via RAID. Well as I read somewhere the disadvantage of that is that whatever you do on one drive is immediately duplicated on the other drive. Accidentally delete a file, one is corrupted...... you loose it. So in that regard mirroring is not the most 'fool proof' backup strategy.

Any advise as always much appreciated, BashTin.
 
Old 10-19-2011, 02:59 AM   #2
cendryon
Member
 
Registered: Aug 2005
Location: France
Distribution: Slackware64 current
Posts: 78

Rep: Reputation: 27
Hi

I think initrd can only unlock the root partition, drive A.
According to README_CRYPT.TXT, drive B would have to be unlocked later in the boot process using /etc/crypttab, as detailed in chapter "Encrypting your '/home' partition".

I only use passwords, but you can try using key files and putting both on the same plugged in USB key: drive A and drive B would find their respective key file and be unlocked when the time comes in the boot process.

Cheers
 
Old 10-19-2011, 03:09 AM   #3
Alexx
LQ Newbie
 
Registered: Jul 2011
Posts: 3

Rep: Reputation: Disabled
Yes, I found it not very obvious how to set up multiple drives under the same password. I followed this link with multiple partitions on the same drive which comes to the same thing and it worked fine, one pw for all.

http://www.summet.com/blog/2011/03/2...-ubuntu-10-04/
 
Old 10-19-2011, 03:59 AM   #4
BashTin
Member
 
Registered: May 2003
Location: West Midlands, United Kingdom.
Distribution: Slackware 13.37
Posts: 252

Original Poster
Rep: Reputation: 32
Alexx, yeah I was aware of that but surely just adding the second drive as a lv will leave that drive unencrypted?
Password unlocks drive A only then mount your LVMs (of which drive B is a part but unencrypted?)

If I understand it right LVM would pass data through crypt for drive A but write 'straight' to-drive for B.

Cendryon... yes that looks like the way to go. Only issue there would be having to enter the pw twice. Need to look into it a little more.

BashTin
 
Old 10-19-2011, 04:53 AM   #5
BlackRider
Member
 
Registered: Aug 2011
Distribution: Slackware
Posts: 261

Rep: Reputation: 82
I think you should be able to place a binary key in A and edit /etc/crypttab, so when A is opened, B can be opened too with that binary key. This way, you will have to type one password only.

I don't know if this is natively supported, but you could script the process by yourself if you really need it.

Last edited by BlackRider; 10-19-2011 at 04:55 AM.
 
Old 10-19-2011, 06:03 AM   #6
Alexx
LQ Newbie
 
Registered: Jul 2011
Posts: 3

Rep: Reputation: Disabled
BashTin
I think you're right, thinking about it a bit more using the link I gave implies all the encypted stuff in one partition. And using two separate encrypted partations even with the same password would be a real pain.

Suggestion:
Only encrypt drive A ( all except /boot ) using the link I gave. Leave drive B unencrypted but use aespipe during backup to encrypt all the backup files individually so there are still hidden, the password would only be needed on drive A. This also has the advantage that if you subsequently copy the backups to removeable media they are still hidden. This is how I do backups to CD's once a month.

ps
I like the cron idea for backing up mre often.
 
Old 10-19-2011, 06:19 AM   #7
GazL
Senior Member
 
Registered: May 2008
Posts: 3,503

Rep: Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027
The initrd does support unlocking multiple devices. I had exactly the same requirement as you and wrote some code to add the feature, which found it's way into Slackware's official initrd script via Eric.


To unlock multiple devices from the initrd specify them on the -C option e.g. "-C /dev/sda2:/dev/sdb2". The downside of this approach is that it will prompt you for the password for each drive (doing anything else would have complicated the initrd code more than I wanted to and I also wanted to support the possibility of the passwords differing).

If you want to use both drives in the same volume group then you will have to use the above as both PVs will need to be available when the VG is activated.

If you are going to put the two drives in two different volumegroups then you can avoid the need to specify a second password by unlocking the first in the initrd as normal, and then use the crypttab and a key-file to unlock the second automatically. However, there's a catch. Crypttab processing in /etc/rc.d/rc.S runs after the LVM 'scan' code. The disk holding the secound volumegroup will still be locked when lvm scans for PVs. and it won't be available automatically. you'll need to add a second run of "vgscan --mknodes" and "vgchange -ay" to your system startup (perhaps via /etc/rc.d/rc.local). You'll probably also find that you won't be able to have fstab automount any of the filesystems on the second disk for the same reason. These issues were the motivation I had for rewriting the initrd code in the first place.

My advice would be to use the -C option to unlock both disks in the initrd and just live with the inconvenience of having to enter the password twice. Hopefully you don't boot all that often.

Hope that helps.

Last edited by GazL; 10-19-2011 at 06:20 AM.
 
Old 10-19-2011, 06:22 AM   #8
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,395

Rep: Reputation: Disabled
Please read the man page for mkinitrd... it is all explained there.

Code:
       -C device list
              A colon (:) delimited list of luks encrypted block devices to be
              unlocked  by the initrd using cryptsetup.  All devices that must
              be unlocked in order to access the root filesystem must be spec?
              ified. e.g.

                -C /dev/sda2:/dev/sda3

              Each unlocked device will be assigned an automatically generated
              luks device name of the form luks<device> where '<device>'  will
              be the basename of the encrypted device.  e.g.

                /dev/mapper/lukssda2
              As  a convenience to users, where -r specifies one of the device
              names listed on the -C option it will be automatically  adjusted
              to use the correct luks device name. i.e.

                "-C /dev/sda2 -r /dev/sda2" and
                "-C /dev/sda2 -r /dev/mapper/lukssda2"

              are equivalent.
              (Use with '-r' option).
I think this is what you are looking for.

Eric
 
Old 10-19-2011, 06:27 AM   #9
BashTin
Member
 
Registered: May 2003
Location: West Midlands, United Kingdom.
Distribution: Slackware 13.37
Posts: 252

Original Poster
Rep: Reputation: 32
Thanks for the replies. Thanks again Alien Bob, helped me out yet again. Also Gazl, that is of course exactly what is required.

Have been thinking about keeping the encryption on the second drive but ditching LVM as I don't really need it on that drive and it might simplify things too. (ie should the first drive fail/corrupt then it will make things easier to get at the backed up data on the second drive if it is not part of a LVM)

BashTin

Last edited by BashTin; 10-19-2011 at 10:06 AM.
 
Old 10-19-2011, 01:54 PM   #10
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,395

Rep: Reputation: Disabled
I had not even noticed that GazL had given the answer right before I did... we were probably typing our responses at the same time.

Eric
 
Old 10-19-2011, 02:29 PM   #11
GazL
Senior Member
 
Registered: May 2008
Posts: 3,503

Rep: Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027Reputation: 1027
No worries, Eric. That sort of thing happens a lot with this form of communication.
 
Old 10-19-2011, 03:21 PM   #12
fdeak
LQ Newbie
 
Registered: Jan 2007
Distribution: Slackware-14.0, Slackware-current
Posts: 21

Rep: Reputation: 2
Red Hat (or more exactly Scientific Linux) does that.

Even when I installed scientific linux to its own encrypted LVM it asked me if I want to add this password to my existing cryptsetup drive to fasten the boot.

I never checked how it handles under the init process, but it asks the password only once.

fdeak
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Recover Raid+LVM on non system drives after system failure spindley Linux - General 4 01-19-2011 05:18 PM
lvm ontop of raid10 or combine two raid1 via lvm? okar Linux - Server 3 09-11-2009 03:37 PM
File system corrupted, how to move LVM drives to another machine to recover files? Arodef Linux - Hardware 1 08-07-2009 07:19 PM
LXer: Set Up A Fully Encrypted Raid1 LVM System LXer Syndicated Linux News 0 12-08-2008 07:30 AM
Read-only file system error during bootup after installing Mandrake ontop of Suse fuoms Mandriva 1 11-27-2005 06:43 AM


All times are GMT -5. The time now is 09:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration