Page 2 of 4 FirstFirst 1234 LastLast
Results 11 to 20 of 37

Thread: How2 install 12.3 encrypted LVM with TWO physical HD's

  1. #11
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,495
    Blog Entries
    3

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Quote Originally Posted by robin_listas View Post
    For example, to manually mount an encrypted data partition, that is not
    mounted at boot, I currently do: ...
    Thanks for the clear explanation.

    Let me reword it. In addition to being used in the bootup procedure, "boot.crypto" could also be called as a script to mount a volume not normally mounted at boot (maybe with "noauto" in its "/etc/crypttab entry).

    So "systemd" has taken over the bootup procedure, and boot.crypto is no longer needed for that. But you still want something to mount a volume at a later time.

    Clearly, what is needed, is some sort of script probably to go in "/usr/sbin". The use of "boot.crypto" for this was probably always a bad idea. However, some people have been doing it that way, and need an alternative.

    Personally, I have always just used "cryptsetup" manually for that, so I never thought of scripting it. But that shouldn't be particularly hard.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  2. #12
    Join Date
    Sep 2012
    Posts
    5,026

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Quote Originally Posted by robin_listas View Post

    > So I once more try to ask - what does *not* work?


    Again: how do I manually mount an encrypted partition at a moment of my
    choosing, not at boot? Ie, the command I posted, what is the systemd
    equivalent? Including the fsck, of course.
    Code:
    linux-vmd4:~ # cat /etc/fstab
    /dev/disk/by-id/md-uuid-6e84eb82:f000a5bb:6903dc87:58c42366 /                    ext4       acl,user_xattr        1 1
    /dev/sdb1 /boot            ext2       defaults  0 0
    /dev/sda1 /boot/efi            vfat       umask=0002,utf8=true  0 0
    proc                 /proc                proc       defaults              0 0
    sysfs                /sys                 sysfs      noauto                0 0
    debugfs              /sys/kernel/debug    debugfs    noauto                0 0
    devpts               /dev/pts             devpts     mode=0620,gid=5       0 0
    /dev/mapper/cr_sde1          /v1                  ext4       noauto,acl,user_xattr        1 2
    
    
    linux-vmd4:~ # cat /etc/crypttab
    cr_sde1         /dev/sde1            none       noauto
    
    linux-vmd4:~ # systemctl status systemd-cryptsetup@cr_sde1.service
    systemd-cryptsetup@cr_sde1.service - Cryptography Setup for cr_sde1
              Loaded: loaded (/etc/crypttab)
              Active: inactive (dead)
                Docs: man:systemd-cryptsetup@.service(8)
                      man:crypttab(5)
              CGroup: name=systemd:/system/systemd-cryptsetup@.service/cr_sde1
    
    
    linux-vmd4:~ # systemctl status v1.mount
    v1.mount - /v1
              Loaded: loaded (/etc/fstab)
              Active: inactive (dead)
               Where: /v1
                What: /dev/mapper/cr_sde1
              CGroup: name=systemd:/system/v1.mount
    
    
    linux-vmd4:~ # systemctl start v1.mount
    Please enter passphrase for disk VMware_Virtual_S (cr_sde1) on /v1! *****
    linux-vmd4:~ # systemctl status v1.mount
    v1.mount - /v1
              Loaded: loaded (/etc/fstab)
              Active: active (mounted) since Thu, 2013-04-04 16:32:11 MSK; 3s ago
               Where: /v1
                What: /dev/mapper/cr_sde1
             Process: 1726 ExecMount=/bin/mount /dev/mapper/cr_sde1 /v1 -t ext4 -o noauto,acl,user_xattr (code=exited, status=0/SUCCESS)
              CGroup: name=systemd:/system/v1.mount
    
    Apr 04 16:32:11 linux-vmd4.site systemd[1]: Mounted /v1.
    linux-vmd4:~ # systemctl status systemd-cryptsetup@cr_sde1.service
    systemd-cryptsetup@cr_sde1.service - Cryptography Setup for cr_sde1
              Loaded: loaded (/etc/crypttab)
              Active: active (exited) since Thu, 2013-04-04 16:32:10 MSK; 6s ago
                Docs: man:systemd-cryptsetup@.service(8)
                      man:crypttab(5)
             Process: 1675 ExecStart=/usr/lib/systemd/systemd-cryptsetup attach cr_sde1 /dev/sde1 none noauto (code=exited, status=0/SUCCESS)
              CGroup: name=systemd:/system/systemd-cryptsetup@.service/cr_sde1
    
    Apr 04 16:32:05 linux-vmd4.site systemd-cryptsetup[1675]: Set cipher aes, mod...
    Apr 04 16:32:10 linux-vmd4.site systemd[1]: Started Cryptography Setup for c....

    Unfortunately integration with LVM is incomplete, so in this case you will currently need to manually start all encrypted containers, do "pvscan; vgchange -a y" and then mount.

    > The
    > fact that systemd does not cache and reuse passphrase for multiple
    > containers is known, but it hardly qualifies as "broken".

    I would call that as a broken feature, yes. :-)
    Something needs to cache them. As 99% of users (on this forum) use GUI, GUI password agent looks like the most natural place to do it.

    In 12.2 password agent was broken. Needs to retest in 12.3.

  3. #13
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    On 2013-04-04 14:36, nrickert wrote:
    >
    > robin_listas;2544401 Wrote:
    >> For example, to manually mount an encrypted data partition, that is not
    >> mounted at boot, I currently do: ...

    > Thanks for the clear explanation.
    >
    > Let me reword it. In addition to being used in the bootup procedure,
    > "boot.crypto" could also be called as a script to mount a volume not
    > normally mounted at boot (maybe with "noauto" in its "/etc/crypttab
    > entry).


    Yes, exactly that.


    > So "systemd" has taken over the bootup procedure, and boot.crypto is no
    > longer needed for that. But you still want something to mount a volume
    > at a later time.


    Yes.

    > Clearly, what is needed, is some sort of script probably to go in
    > "/usr/sbin". The use of "boot.crypto" for this was probably always a
    > bad idea. However, some people have been doing it that way, and need an
    > alternative.


    Yes.

    I believe that "boot.crypto" was expanded to accommodate all those usage
    patterns.

    I have entered several bugzillas on this (systemv times) and AFAIK all
    were resolved satisfactorily. For example, I requested this trivial
    addition, and they did it:

    Code:
    
    > Telcontar:~ # which rccrypto
    > /sbin/rccrypto
    > Telcontar:~ # l /sbin/rccrypto
    > lrwxrwxrwx 1 root root 23 Aug 19  2012 /sbin/rccrypto -> /etc/init.d/boot.crypto*
    > Telcontar:~ #
    They never told us, in those bugzillas, not to use the script...

    > Personally, I have always just used "cryptsetup" manually for that, so
    > I never thought of scripting it. But that shouldn't be particularly
    > hard.


    I have thought of extracting the script from 11.4 and put it directly in
    12.3, if it works. Yes, I know how to use "cryptsetup" manually, that's
    how I create my partitions. But the script is very convenient. It does
    things like automatically running fsck on the filesytem when needed, for
    instance!

    I even have encrypted DVDs, XFS formatted, that I mount via that...

    True, the desktop automount feature also does that, to some extent
    (LUKS). Last time I tried, if you failed on entering the password, you
    had to remove the media to try again. With the script, you simply run it
    again. And it runs in plain text mode, of course, if needed.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

  4. #14
    Join Date
    Sep 2012
    Posts
    5,026

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Quote Originally Posted by robin_listas View Post
    I have thought of extracting the script from 11.4 and put it directly in
    12.3, if it works.
    It could be converted into standalone utility in crypto utils package. Do you volunteer to maintain this script?

  5. #15

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    arvidjaar wrote:
    > Unfortunately integration with LVM is incomplete, so in this case you
    > will currently need to manually start all encrypted containers, do
    > "pvscan; vgchange -a y" and then mount.
    >
    >>> The
    >>> fact that systemd does not cache and reuse passphrase for multiple
    >>> containers is known, but it hardly qualifies as "broken".

    >> I would call that as a broken feature, yes. :-)

    >
    > Something needs to cache them. As 99% of users (on this forum) use GUI,
    > GUI password agent looks like the most natural place to do it.


    I'm confused and worried. Immediately above you were recommending using
    the command line to enable LVM, but then you want to switch to some GUI
    tool for passwords? What if it's a headless server?

    At least 99% of people on a web-based forum will be using a GUI (it
    implies 1% are using lnyx to view the forum but NNTP users may not be
    using a GUI. And those who choose not to use the forum but use instead
    the mailing lists are all openSUSE users too.

  6. #16
    Join Date
    Sep 2012
    Posts
    5,026

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Quote Originally Posted by djh-novell View Post
    Immediately above you were recommending using
    the command line to enable LVM,
    I did not recommend anything. I simply pointed out lack of proper integration of LVM into systemd, that's all.

    but then you want to switch to some GUI
    tool for passwords?
    Where did you find word "switch"? Where have you got "want" from?

    I answered the question what is systemd equivalent to "rccrypto start crypto_device". I am not even sure whether "rccrypto start" will itself configure LVM, so it is quite possible that systemd is on par here ... checking 12.2 ... no, it does not.

    As for multiple password requests ... please explain, when you get them when manually starting rccrypto? This is honest question - I do not know.

    And multiple passphrases requests during boot are handled by Plymouth.

    To summarize
    1. During boot with plymouth (default setup when you install openSUSE) plymouth handles multiple password requests. And it can also be used in text, non framebuffer, mode.
    2. There is full systemd replacement for "rccrypto start single-crypto-container" when LVM is not used.
    3. When LVM is used neither will work for full stack (from device to filesystem), but you still have systemd tool to setup each encrypted device one by one. Just like you would do it with rccrypto.

  7. #17

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    arvidjaar wrote:
    > djh-novell;2544459 Wrote:
    >> Immediately above you were recommending using
    >> the command line to enable LVM,

    >
    > I did not recommend anything. I simply pointed out lack of proper
    > integration of LVM into systemd, that's all.
    >
    >> but then you want to switch to some GUI
    >> tool for passwords?

    >
    > Where did you find word "-switch-"? Where have you got "-want-" from?


    People can look at the thread and make their own mind up in context.

  8. #18

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Sooo, back after x trials...

    As said before, I already tried to create two encrypted partitions and add them to a freshly created volume group. This worked, but password was asked several times. I don't want that.

    So I tried a new approach (with, I hope, one missing last step...):

    I installed OS 12.3 "normal", without encryption:

    /dev/sda1 ext2 /boot
    /dev/sda2 swap
    /dev/sda3 reiser /home (shall later be encrypted /)
    /dev/sda4 reiser / (shall later be enrypted /home)
    /dev/sdb1 reiser /home/fotos (will later be encrypted)

    Then I encrypted the swap partition:
    - created a file /etc/crypt-swap.key with 2048 bytes of random content
    - swapoff /dev/sda2
    - cryptsetup -v --key-size 256 luksFormat /dev/sda2 /etc/crypt-swap.key
    - created a file /etc/crypttab and entered:
    cr_sda2 /dev/disk/by-id/...-part2 /etc/crypt-swap.key swap
    - changed fstab, commented out existing swap entry and added
    /dev/mapper/cr_sda2 swap swap defaults 0 0

    rebooted, checked with "free" - and I worked, hurray!

    So I wanted to go on with /dev/sda3 but could not unmount it, although at logon I selected "console" where I logged in as root. Still it said /dev/sda3 (current /home) is in use. So started the Live-DVD and encrypted what was /home:
    - mounted /dev/sda4 (current /) to /mnt/altsys
    - prepared /dev/sda3 with random bytes
    - cryptsetup -v --key-size 256 luksFormat /dev/sda3 /mnt/altsys/etc/crypt-swap.key
    - added a second key, that I will use to type manually
    - checked with cryptsetup luksDump /dev/sda3, all ok
    - opened the partition: cryptsetup luksOpen /dev/sda3 root
    - installed file-system: /sbin/mkfs.reiserfs -j /dev/mapper/root /dev/mapper/root
    - mounted the encrypted partition: mount /dev/mapper/root /mnt/root
    and copied current / to new encrypted part: rsync -ax -v /mnt/altsys/ /mnt/root/
    - changed entry in /mnt/root/etc/fstab:
    commented out current /home line, added
    /dev/mapper/root / reiserfs acl,user_xattr 1 1
    changed current / line to / home and changed the flag at the end from 1 to 2:
    und den jetzigen / Eintrag ändern nach /home und am Schluss 1 2 (statt bisher 1 1):
    /dev/disk/by-id/...-part4 /home reiserfs acl,user_xattr 1 2

    So this is where I am stuck now.
    - How can I tell grub2 that it should use my /dev/mapper/root?
    - Do I have to enter something else to crypttab? What?
    - Do I have to run mkinitrd as I had to before? And then adjust something in the bootloader? What? Where?

    At the moment it boots only to console and uses the old / on /dev/sda4, which seems quite logical to mee: from where should it know what I have changed... How to I tell it?

    Please help! Thanks.

    Daniel

  9. #19
    Join Date
    Sep 2012
    Posts
    5,026

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    Quote Originally Posted by arvidjaar View Post
    Yes, this [adding more devices to LVM volume group] looks one of those YaST limitations (unrelated to systemd).
    Oh, stupid me! You go in YaST2 and say "Resize" for your Volume Group. The only feeble excuse for me is that I had only text mode YaST when I wrote it.

  10. #20
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: How2 install 12.3 encrypted LVM with TWO physical HD's

    On 2013-04-04 16:46, arvidjaar wrote:

    > As for multiple password requests ... please explain, when you get them
    > when manually starting rccrypto? This is honest question - I do not
    > know.


    On manual calls it is not cached. There is a trick, of course:

    Code:
    #  echo passphrase
    passphrase
    # rccrypto status cr_other
    .....
    # rccrypto status cr_otherbis
    .....
    #
    Notice the space before the echo.

    You copy-paste the password with the mouse - triple clicks selects the
    line -, then paste it on each script call.


    This is, of course, for manual mounting.

    For automated mounting during boot there was another method I read about
    for entering the passphrase just once if you had several partitions, but
    I have never used it, personally. YaST did not set it up, it used the
    encrypted LVM method instead. I read about the method in the security
    mail list once.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.1 x86_64 "Asparagus" at Telcontar)

Page 2 of 4 FirstFirst 1234 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •