encrypted rootfs on Slackware 12.0
**WARNING:** The procedure outlined below will destroy all data
that is currently stored on the first IDE device /dev/hda.
This is not some kind of documentation for dm-crypt on Slackware Linux 12.0, but a real world example. You can read this in
addition to README_CRYPT.TXT (
http://ftp.gwdg.de/pub/linux/slackwa...ADME_CRYPT.TXT) on your Slackware 12.0 disks (You should also read
http://alien.slackbook.org/dokuwiki for latest hints and tips). First copy/rsync your data to a safe place ...
I booted my Thinkpad X30 with a USBinstaller (
http://www.slackware.com/~alien/tools/usbinstall/12.0/) that worked for me (I failed on booting with the official usbboot method -
http://ftp.gwdg.de/pub/linux/slackwa...README_USB.TXT). Than cleaned my harddisc over night with dd after logging in as root (just before setup).
Code:
# dd if=/dev/urandom of=/dev/hda
I like cfdisk for creating tables (reboot afterwards required).
It looks like that. hda1 is /boot, hda2 is swap, hda3 is rootfs (/) and hda4 is /home.
Code:
# fdisk -l /dev/hda
Platte /dev/hda: 40.0 GByte, 40060403712 Byte
255 Köpfe, 63 Sektoren/Spuren, 4870 Zylinder
Einheiten = Zylinder von 16065 × 512 = 8225280 Bytes
Gerät boot. Anfang Ende Blöcke Id System
/dev/hda1 * 1 4 32098+ 83 Linux
/dev/hda2 5 40 289170 82 Linux Swap
/dev/hda3 41 1620 12691350 83 Linux
/dev/hda4 1621 4870 26105625 83 Linux
We need to encrypt the last two
Code:
# cryptsetup -s 256 -y luksFormat /dev/hda3
Code:
# cryptsetup -s 256 -y luksFormat /dev/hda4
And now we open them in order to be able to install on them.
Code:
# cryptsetup luksOpen /dev/hda3 cryptroot
Code:
# cryptsetup luksOpen /dev/hda4 crypthome
Now you can start the setup program. As you can see I did not encrypt the swap (hda2), we take care of this later.
During setup make sure to install to /dev/mapper/cryptroot rather then to /dev/hda3 (also /dev/mapper/crypthome for /home), but select /dev/hda2 as swap.
Don't reboot after setup, but chroot into your new system and edit /etc/fstab and /etc/crypttab accordingly.
Code:
# mount -o bind /proc /mnt/proc
# mount -o bind /sys /mnt/sys
# cp -a /dev/mapper /mnt/dev/
# chroot /mnt
Code:
# cat /etc/fstab
/dev/mapper/cryptswap swap swap defaults 0 0
/dev/mapper/cryptroot / ext3 defaults 1 1
/dev/mapper/crypthome /home ext3 defaults 1 2
/dev/hda1 /boot ext3 defaults 1 2
#/dev/cdrom /mnt/cdrom auto noauto,owner,ro 0 0
/dev/fd0 /mnt/floppy auto noauto,owner 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
Code:
# cat /etc/crypttab
cryptswap /dev/hda2 none swap
crypthome /dev/hda4
As a last step before rebooting you need do get your initrd going in order do be able to mount your encrypted rootpartition during boot.
In the README_CRYPT.TXT they say run
Code:
# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda1 -L
We need to specify /dev/hda3 but we also do not need the -L flag because it enables LVM (we don't use it and it needs time during boot). Double check with
Code:
# ls -l /boot/vmlinuz
which kernel you use and than run
Code:
# mkinitrd -c -k 2.6.21.5-smp -m ext3 -f ext3 -r cryptroot -C /dev/hda3
accordingly. In order to use this initrd.gz you need to edit /etc/lilo.conf. The lilo.conf described in README_CRYPT.TXT did not work for me. My working lilo.conf looks like that:
Code:
# cat /etc/lilo.conf
boot = /dev/hda
compact # faster, but won't work on all systems.
#prompt
#timeout = 5
# VESA framebuffer console @ 1024x768x256
vga = 773
image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/hda1
label = Linux
read-only # Partitions should be mounted read-only for checking
Dont forget to run lilo in order to apply the changes. Have fun after reboot ...
Troubleshooting:
You get a kernel panic and it seems like you will not be able to boot into your system?
With your installation media you will be able to boot the installer and than log in as root. Than do:
Code:
# cryptsetup luksOpen /dev/hda3 cryptroot
# mount /dev/mapper/cryptroot /mnt
# mount -o bind /proc /mnt/proc
# mount -o bind /sys /mnt/sys
# cp -a /dev/mapper /mnt/dev/
# chroot /mnt
# mount /boot
Now you are in your installed system, are able to edit your lilo.conf, make another initrd and so on ...
