Encrypt 2nd drive without 2nd boot time passphrase: How?
Sorry, if this has been asked and answered elsewhere, already, but my research using the LQ search and a web search engine has not delivered the clear response I need.
How do I encrypt the second (non-system) disk, when I don't like being asked for two passphrases at boot time?

Background: I have a computer with two different hard disks, HD1 and HD2. HD1 is the LUKS encrypted system drive, with /, /boot, /home and swap set up as logical volumes. HD2 is currently empty (i.e. JFS formatted, with nothing on it). I would like to encrypt this drive, too, and put it under LVM control.

Thanks! gargamel |
Consult man cryptsetup and man crypttab. /etc/crypttab should do what I think you are after, if distro-supported.

Code:
mkdir /etc/cryptkeys    # directory to hold the keyfile(s)

Code:
# /etc/crypttab: <mapped name> <block device> <keyfile>
luksHD2 /dev/HD2 /etc/cryptkeys/HD2.key
|
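The keyfile-plus-crypttab approach from the post above, as an added shell example (not code from the thread, from Slackware or from cryptsetup's own docs): it creates the keyfile with owner-only permissions, checks those permissions before the file is trusted, enrols the keyfile as an extra LUKS key slot and prints the three-field crypttab line. The names /etc/cryptkeys, HD2.key, luksHD2 and /dev/hdb1 are the ones used in the discussion and are assumptions here, not output of a real system; the cryptsetup step needs root and an existing LUKS device.

```bash
#!/bin/bash
# Added example, not from the original thread.  Creates a LUKS keyfile with
# safe permissions and emits the matching /etc/crypttab entry.  Paths and
# names (/etc/cryptkeys, HD2.key, luksHD2, /dev/hdb1) are assumptions.
set -u

# make_keyfile DIR NAME: write 4096 random bytes to DIR/NAME, readable by
# the owner only.  The keyfile is exactly as secret as the filesystem that
# holds it, so it belongs on the LUKS-encrypted root, never on /boot.
make_keyfile() {
    local dir=$1 name=$2
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    ( umask 077; head -c 4096 /dev/urandom > "$dir/$name" ) || return 1
    chmod 0400 "$dir/$name"
}

# keyfile_ok PATH: return 0 only if PATH is a regular file, mode 0400 and
# 4096 bytes long.  Run this before pointing a crypttab entry at it; a
# world-readable keyfile defeats the encryption of everything it unlocks.
keyfile_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %a "$1")" = "400" ] || return 1
    [ "$(stat -c %s "$1")" -eq 4096 ]
}

# crypttab_line NAME DEVICE KEYFILE: the three-field format read by
# Slackware's rc.S: mapped name, block device, keyfile.
crypttab_line() {
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# add_key DEVICE KEYFILE: enrol the keyfile in a free LUKS key slot.
# cryptsetup prompts for an existing passphrase first; keep that passphrase
# slot so the disk stays usable if the keyfile is ever lost.
add_key() {
    cryptsetup luksAddKey "$1" "$2"
}

# Example run (as root, with /dev/hdb1 already luksFormat'ed):
#   make_keyfile /etc/cryptkeys HD2.key
#   keyfile_ok /etc/cryptkeys/HD2.key && add_key /dev/hdb1 /etc/cryptkeys/HD2.key
#   crypttab_line luksHD2 /dev/hdb1 /etc/cryptkeys/HD2.key >> /etc/crypttab
```

Because the keyfile sits on the encrypted root, the second disk is only as protected as the passphrase typed for the root device at boot, which is precisely the single-passphrase behaviour asked for; anyone who can read / unencrypted can also unlock the data disk, so the keyfile adds no protection on its own.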
Thanks!
One question (I don't seem to have a man page for crypttab on my system): what real or mapped device name does HD2 translate to? (My 2nd HD is /dev/hdb, the first one is /dev/hda.) Thanks again gargamel |
I used HD2 since that is how you identified it.

Using hdb as the device, it could look something like this in crypttab:

Code:
# /etc/crypttab: <mapped name> <block device> <keyfile>
luks_arbitrary_name /dev/hdb1 /etc/cryptkeys/HD2.key
|
Thanks again. I am on Slackware 12.2 here, installed all on /dev/hda using LVM and LUKS.

/dev/hda is the "system disc": /boot, /, /home and swap are all on this disc. With the exception of /boot, /dev/hda is LUKS encrypted. /dev/hdb is going to be a "data disc". A method to encrypt it, so that it is automatically decrypted after entering the passphrase for /dev/hda2 (root), without having to use crypttab, would be great! Do you have an idea? gargamel |
I have a 2 disk lvm setup on slackware exactly as you describe.
The disks are split into 2 volume groups: sysvg and datavg. The PV for sysvg is unlocked manually by entering the password. The PV for datavg is unlocked by using a keyfile and crypttab, exactly as rayfordj has described above.

The manual page for crypttab is indeed missing in Slackware 12.2, but if you google for it you'll find it without too much trouble, and despite the missing man page, crypttab is supported during Slackware startup, so you can still use it as described.

However, if you're planning to encrypt at the LVM PV rather than the LV level, then you'll need to patch rc.S, as the startup scripts in Slackware aren't set up to cope with more than one encrypted LVM PV. If you don't want to use the patch, then you'll have to encrypt the LVs rather than the PVs, which will avoid the problem.

Here's the patch I wrote to resolve the issue (submitted to Pat a week or two before 12.2 came out):

Code:
# rc.S Patch to support multiple encrypted lvm Physical Volumes.
|
Thanks! I'll try this, then.
But I have two more questions for better understanding.

With LVM it should in principle be possible to combine multiple hard discs into one logical volume, which can then be managed as one big partition. Now, with LUKS and dm-crypt I can encrypt this logical volume. What would happen if one of the discs crashes? Would I have a chance to access the data on the other discs? My current understanding is that the failure of one of the discs is likely to cause the loss of the data on all discs or partitions of the logical volume. Is this correct? Probably this would even be the case if the volume was not encrypted.

My 2nd question is: if I encrypt a physical volume that is not on the system disk (here I mean hard disc) using the crypttab method, and want to move the data disk to another computer, can I unlock it there by just copying over the crypttab and key files? My current understanding is that this should be possible, as LUKS can, to my knowledge, be used for portable drives, such as external USB harddiscs.

BTW: What's the correct spelling (English is not my native language)? Hard disc, hard disk, harddisc, harddisk? ;)

Thanks again! gargamel |
Quote:
Only, whenever I learn something about all this (LVM, LUKS etc.), new questions arise. ;)

If I read the README_CRYPT.TXT correctly, it describes LVM PV level encryption. If I would prefer not to use the patch (e.g. because I don't like to touch the init scripts, as this might cause conflicts in case of 'official' patches that might appear) and wanted to encrypt at LV level: how would I go about this? Assumption:

Code:
# pvcreate /dev/mapper/dataluks

Code:
dataluks /dev/datavg/data /etc/cryptkeys/lvdata.key

But where do I associate the physical device with the mapped device, i.e. /dev/sdb1 with /dev/mapper/dataluks? Thanks a lot again! gargamel |
Q1. If you have two physical disks, each formatted as an LVM PV, and you add them both to the same volume group, then if one fails, with manual intervention you should be able to recover any logical volumes which remain on the unaffected disk; however, any LVs that were on the bad disk and any LVs that spread across both disks will be destroyed in the process. This is true whether the LVs are encrypted or not.

LVM recovery can be a little involved, which is why many people don't recommend its use, especially for those who don't fully understand its concepts and how to manage it properly.

Q2. To use a LUKS encrypted device on another machine, all you need is a way to unlock it. Its crypttab entry and keyfile should be enough. Personally, what I always do is give the LUKS device both a key and a manual passphrase (make it a good strong one). That way if you lose the key, you can still unlock it with the passphrase. A LUKS device can have up to 10 keys/passphrases, if memory serves me correctly.

As for the correct spelling, I believe it's 'Hard Disk'. The correct British English spelling of 'disk' is 'disc', but much of computing technology has an American origin, therefore 'disk' has become the one everyone uses, even for those of us who know how to spell colour correctly. ;) The correct spelling 'disc' still remains in places, such as optical media like "Compact Disc", probably because it was invented by a European company (with a little help from a Japanese one), so no Americanization that time.

Now, onto your second post. I'm afraid you've got it a bit messed up. If you're going to encrypt an LV, what you're actually doing is encrypting a filesystem, which just happens to be on an LV and not a real partition. The LV itself is unencrypted (it's what's on it that's encrypted). You set it up just as you would a normal (non-LVM) LUKS encrypted filesystem, except that instead of the partition name, you use the LV name. You don't pvcreate or even lvcreate on the LUKS device in this case; you use a normal unencrypted LVM setup.

Think of it as layers on layers, like this (LV encryption):

hda2 (Partition) <--> hda2 (PV) <--> datavg (VG) <--> /dev/datavg/data (LV) <--> */dev/mapper/luksdata (LUKSdev)* <--> */data (filesystem)*

Now contrast that to PV encryption:

hda2 (Partition) <--> */dev/mapper/pvhda2 (LUKSdev)* <--> */dev/mapper/pvhda2 (PV)* <--> *datavg (VG)* <--> */dev/datavg/data (LV)* <--> */data (filesystem)*

The starred objects (shown in red in the original post) are the ones that can be considered encrypted in each case. I've tried to explain the concepts rather than just tell you how to do it, as you really need to understand this stuff well if you're going to use it safely. |
gargamel,
GazL is absolutely accurate with his information as I understand the technologies being explained. GazL, well said. Honestly, I'm not certain I would have been able to articulate it as well as you did. I'm still working on being able to clearly articulate and express opinions and ideas, so I thoroughly enjoy reading posts such as yours. Thanks! On another note, we'll just have to agree to disagree on the spelling of color ;) |
Thanks again for your patience, your advice is much appreciated!
In fact I am trying to get a better understanding of these things and their interdependencies, and of the way the device mapper works and can be used. Your explanation really brought me more than one step forward here! However, I still don't have it working. My system boots properly, but /data is not opened and/or mounted. I have one primary partition on /dev/hdb. I did:

Code:
# pvcreate /dev/hdb1

Code:
# mount /dev/vgdata/data /data

Thanks a lot! gargamel |
There may still be some confusion on where the pieces fit or how they layer.

Based on the information you've provided, I think this might be what you are after:

Code:
pvcreate /dev/hdb1

The crypttab might look something like this:

Code:
# /etc/crypttab: <mapped name> <block device> <keyfile>
luksdatalv /dev/datavg/data /etc/cryptkeys/lvdata.key

Once you have that working you can add the necessary information to fstab so that it is automatically mounted (for luksdatalv) and swap activated (for luksswaplv) at boot. |
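The two stacks GazL lays out (LUKS on top of an LV versus LUKS under the PV) and the LV-level recipe rayfordj gives just above, as one added shell example that is not code from the thread or from Slackware. Each stack is a function whose steps go through a `run` wrapper: with DRY_RUN=1 (the default) it only prints the command plan, so the ordering and the device each tool is pointed at can be inspected before anything is written; with DRY_RUN=0, run as root, it executes them. The names /dev/hdb1, datavg, data, luksdatalv, pvhdb1, /etc/cryptkeys/lvdata.key and /data are the ones used in the discussion and are assumed here, as is an existing keyfile; the filesystem type and the lvcreate sizing are my choices, not the thread's.

```bash
#!/bin/bash
# Added example, not from the original thread.  Plans (DRY_RUN=1) or runs
# (DRY_RUN=0, as root) the LV-level and PV-level encryption stacks.  All
# device, VG, LV and keyfile names are assumptions taken from the discussion.
set -u
: "${DRY_RUN:=1}"          # default to planning; both stacks are destructive

run() {                    # print the command in dry-run mode, else execute it
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# lv_level PV VG LV NAME KEYFILE MOUNTPOINT
# LUKS sits on top of the logical volume.  The PV, VG and LV stay plain, so
# the stock Slackware 12.2 rc.S (which unlocks one encrypted PV for the
# system) needs no patch; crypttab opens the LV with the keyfile after root
# is up.  luksFormat wipes the target and asks for confirmation.
lv_level() {
    local pv=$1 vg=$2 lv=$3 name=$4 key=$5 mnt=$6
    run pvcreate "$pv"
    run vgcreate "$vg" "$pv"
    run lvcreate -l 100%FREE -n "$lv" "$vg"
    run cryptsetup luksFormat "/dev/$vg/$lv"           # prompts for a passphrase
    run cryptsetup luksAddKey "/dev/$vg/$lv" "$key"    # keyfile slot for boot-time unlock
    run cryptsetup luksOpen --key-file "$key" "/dev/$vg/$lv" "$name"
    run mkfs.jfs -q "/dev/mapper/$name"                # filesystem goes on the LUKS device
    run sh -c "echo '$name /dev/$vg/$lv $key' >> /etc/crypttab"
    run sh -c "echo '/dev/mapper/$name $mnt jfs defaults 1 2' >> /etc/fstab"
}

# pv_level DEV NAME VG LV MOUNTPOINT
# LUKS sits under LVM: the PV, VG and every LV on it live inside the
# container.  A second encrypted PV on Slackware 12.2 needs GazL's rc.S
# patch, because the stock script unlocks only one.
pv_level() {
    local dev=$1 name=$2 vg=$3 lv=$4 mnt=$5
    run cryptsetup luksFormat "$dev"                   # prompts for a passphrase
    run cryptsetup luksOpen "$dev" "$name"
    run pvcreate "/dev/mapper/$name"                   # PV is the decrypted mapping
    run vgcreate "$vg" "/dev/mapper/$name"
    run lvcreate -l 100%FREE -n "$lv" "$vg"
    run mkfs.jfs -q "/dev/$vg/$lv"
    run sh -c "echo '/dev/$vg/$lv $mnt jfs defaults 1 2' >> /etc/fstab"
}

# Dry-run plans for the thread's names; compare where luksFormat lands.
plan_lv() { ( DRY_RUN=1; lv_level /dev/hdb1 datavg data luksdatalv /etc/cryptkeys/lvdata.key /data ); }
plan_pv() { ( DRY_RUN=1; pv_level /dev/hdb1 pvhdb1 datavg data /data ); }

# Usage (planning only):
#   plan_lv
#   plan_pv
# To execute the LV stack for real, as root, once the keyfile exists:
#   DRY_RUN=0 lv_level /dev/hdb1 datavg data luksdatalv /etc/cryptkeys/lvdata.key /data
```

Reading the two plans side by side shows the point of the layering post: in the LV stack pvcreate runs on the raw partition and luksFormat on /dev/datavg/data, so the crypttab entry names the LV; in the PV stack luksFormat runs on /dev/hdb1 first and pvcreate on the /dev/mapper device, which is why LVM cannot even see the volume group until the container is unlocked, and why the stock startup script's single-PV assumption bites there.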
Thanks for the kind words Rayford. Anyone who takes pride in the way they write and makes a stand against the creeping evils of l33t5p34k or txt-speak can spell colour with three Ls and a V as far as I'm concerned! ;)
Gaz. PS. Wanna go 10 rounds on hood/bonnet, trunk/boot and petrol/gasoline? ;) edit: @gargamel. I see Rayford has already done a good job of putting you right with what you're doing. Just want to add that as this is your second vg, you don't need to have the swap stuff on it as you should already have a swap partition on your hda disk/sysvg. |
You guys are so great!!! So many thanks, it works now!
While you, GazL, described the way precisely, I was stubborn, and although I read your explanation more than once, somehow I simply didn't get it before I saw (and copied, to be honest) the solution elaborated by you, Rayford. You demonstrated the difference between a sucker (me) and a real slacker (you): you are both very knowledgeable, and very patient with stubborn guys who can, but refuse to, read. ;) I apologise for just not accepting the obvious. What is more: I like your sense of humor.

@GazL: As it happens I am collecting stuff like what you mentioned and occasionally post it on my personal web site. I enjoy idiomatic phrases that would get a totally different meaning if anyone tried to translate them word by word, and I find it quite entertaining to improve my English, including learning the differences between the various variants. My favourite single-language dictionary is Chambers, BTW. ;) Most of the stuff I collect is in my mother tongue (German), but maybe I'll post a little bit of English on my personal web site (http://www.iverbi.de). It's not a good web site by any measure, just a link list. But if you have some input, e.g. about entertaining differences between genuine (i.e. British) English and American English, I'd be interested to hear from you (not stuff for LQ.org, but for personal mail, obviously). gargamel |