loop-AES: Boot from CD-ROM + encrypted root partition
I successfully got the loop-AES to work encrypting my root partition. I
now want to see if I can switch to booting from the CD-ROM so that my
entire drive can be encrypted.
As I looked over the directions in the loop-AES.Readme file, there were a few
things towards the end of the instructions that confused me. I have four
questions below.
Question 1: Step 11 says to do the following:
11) Contents of /etc/lilo.conf configuration file are below. Two copies of
    '/dev/loop7' on first two lines refer to temporary file backed loop
    mount that is mounted on /mnt later in step 13a.

        boot=/dev/loop7
        disk=/dev/loop7
            bios=0x00
            sectors=36
            heads=2
            cylinders=80
        geometric
        compact
        read-only
        prompt
        timeout=30
        vga=normal
        backup=/dev/null
        install=text
        map=/mnt/map
        image=/mnt/vmlinuz
            label=Linux
            append="init=/linuxrc rootfstype=minix"
            initrd=/mnt/initrd.gz
            root=/dev/ram0

I am using GRUB, do I just do something like the following?

        boot=/dev/loop7
        disk=/dev/loop7
        bios=0x00
        sectors=36
        heads=2
        cylinders=80
        geometric
        compact
        read-only
        prompt
        timeout=30
        vga=normal
        backup=/dev/null
        install=text
        map=/mnt/map
        title Linux using loop-AES
        root (hd0,0)
        kernel /vmlinuz ro root=/dev/ram0 init=/linuxrc rootfstype=minix
        initrd /initrd.gz

Question 2: In Step 12 it says:
12) Build new /boot/initrd.gz

        ./build-initrd.sh /boot/initrd.conf

but I noticed that not all of the configuration options that I initially
changed in build-initrd.sh are in the initrd.conf file in Step 10a. Do I
add these to that file or will it use what I have set in the build-initrd.sh
file as defaults and only change the options that I have specifically set in
initrd.conf?
Question 3: In Step 20 it says:
20) Clean up and reboot your computer. The 'dd' command attempts to
    overwrite gpg encrypted root partition key file and 'mkswap' command
    restores "temporary file system on swap" /dev/hda3 back to swap usage.

        dd if=/dev/zero of=/mnt/rootkey.gpg bs=64k count=1 conv=notrunc
        umount /mnt
        sync
        mkswap /dev/hda3
        sync
        reboot

Am I rebooting the computer with my rescue disk again?
If so, after doing so, do I need to first mount /dev/hda3 again? The dd
command above seems to be trying to overwrite a file on a filesystem that
isn't mounted. But maybe I am missing something here?
If not, what am I rebooting the computer with? The boot CD that I just
made?
Question 4: Do I need the /dev/hda1 or /boot partition after I finish? If
so, I didn't seem to encrypt it yet so can I encrypt it in the same way that
I did for /dev/hda2, the root partition?
I hope that these questions are clear and I am sorry that my understanding
is lacking. Thanks for taking the time to help me out.
Doug
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/