Re: loop-AES: Boot from CD-ROM + encrypted root partition
Doug Campbell wrote:
> I am using GRUB, do I just do something like the following?
>
> boot=/dev/loop7
> disk=/dev/loop7
> bios=0x00
> sectors=36
> heads=2
> cylinders=80
> geometric
> compact
> read-only
> prompt
> timeout=30
> vga=normal
> backup=/dev/null
> install=text
> map=/mnt/map
> title Linux using loop-AES
> root (hd0,0)
> kernel /vmlinuz ro root=/dev/ram0 init=/linuxrc rootfstype=minix
> initrd /initrd.gz
No. That is a mixture of lilo config and grub config, and will work with
neither lilo nor grub.
> Question 2: In Step 12 it says:
>
> 12) Build new /boot/initrd.gz
>
> ./build-initrd.sh /boot/initrd.conf
>
> but I noticed that not all of the configuration options that I initially
> changed in build-initrd.sh are in the initrd.conf file in Step 10a. Do I
> add these to that file or will it use what I have set in the build-initrd.sh
> file as defaults and only change the options that I have specifically set in
> initrd.conf?
Values set in build-initrd.sh are defaults. The additional configuration file
/boot/initrd.conf can override any defaults it wants.
Here I suggest that you put all your local changes in /boot/initrd.conf and
use the unmodified build-initrd.sh from the loop-AES tarball.
> Question 3: In Step 20 it says:
>
> 20) Clean up and reboot your computer. The 'dd' command attempts to
> overwrite gpg encrypted root partition key file and 'mkswap' command
> restores "temporary file system on swap" /dev/hda3 back to swap usage.
>
> dd if=/dev/zero of=/mnt/rootkey.gpg bs=64k count=1 conv=notrunc
> umount /mnt
> sync
> mkswap /dev/hda3
> sync
> reboot
>
> Am I rebooting the computer with my rescue disk again?
>
> If so, after doing so, do I need to first mount /dev/hda3 again? The dd
> command above seems to be trying to overwrite a file on a filesystem that
> isn't mounted. But maybe I am missing something here?
>
> If not, what am I rebooting the computer with? The boot CD that I just
> made?
You don't need to do any of the above. If your root partition is already
encrypted and you want to create a CD-ROM that boots to your existing
encrypted root partition, then only these steps are needed:
- step 7
- copy rootkey.gpg to /boot/iso/rootkey.gpg
- steps 10a to 13e
(Above step numbers refer to loop-AES-v2.1b README Example 6, and may be
different on newer or older loop-AES versions)
> Question 4: Do I need the /dev/hda1 or /boot partition after I finish? If
> so, I didn't seem to encrypt it yet so can I encrypt it in the same way that
> I did for /dev/hda2, the root partition?
A separate /boot partition is not needed for CD-ROM boot, but some tools still
want to find files in the /boot directory.
The following "umount /boot" might not succeed because there may already be
processes with open files on the /boot partition. To find out which processes
you need to kill before /boot can be unmounted, use this command:
lsof | grep /boot
You can copy those files to root partition, like this:
umount /boot
mkdir /boot-old
mount -t ext2 /dev/hda1 /boot-old
cp -dpR /boot-old/* /boot
umount /boot-old
rmdir /boot-old
And then remove the /dev/hda1 mount line from the /etc/fstab file.
After that, /dev/hda1 is a free, unused partition.
--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
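As an added example (not code from the thread or from the loop-AES project), the /boot migration Jari describes, written as a shell script with the checks he mentions: it refuses to unmount while lsof still shows open files under /boot, copies with cp -dpR, and drops the fstab line by matching the device field so comments survive. It assumes /dev/hda1 as the ext2 /boot partition and the mount points used in the thread.

```shell
#!/bin/sh
# Fold a separate /boot partition into the root filesystem.
# Assumes /dev/hda1 is the ext2 /boot partition, as in the thread.
set -eu

BOOT_DEV=/dev/hda1     # old /boot partition (from the thread)
BOOT_DIR=/boot         # its mount point
OLD_DIR=/boot-old      # temporary mount point used while copying

# Refuse to go on while any process still holds a file under /boot open;
# "umount /boot" would otherwise fail with "device is busy".
check_boot_not_busy() {
    if lsof 2>/dev/null | grep -Eq "$BOOT_DIR(/|\$)"; then
        echo "processes still have files open under $BOOT_DIR:" >&2
        lsof 2>/dev/null | grep -E "$BOOT_DIR(/|\$)" >&2
        return 1
    fi
    return 0
}

# Drop the mount line for $BOOT_DEV from an fstab-style file (argument 1),
# keeping a backup copy and leaving every other line untouched.
remove_fstab_entry() {
    fstab=$1
    cp -p "$fstab" "$fstab.bak"
    # match on the device field only, so a comment mentioning it survives
    awk -v dev="$BOOT_DEV" '$1 != dev' "$fstab.bak" > "$fstab"
}

# Unmount /boot, copy its contents into the root filesystem and forget
# the separate partition. Needs root; only runs when asked with --run.
migrate_boot() {
    check_boot_not_busy
    umount "$BOOT_DIR"
    mkdir -p "$OLD_DIR"
    mount -t ext2 "$BOOT_DEV" "$OLD_DIR"
    cp -dpR "$OLD_DIR"/. "$BOOT_DIR"/   # -d keeps symlinks, -p keeps perms
    umount "$OLD_DIR"
    rmdir "$OLD_DIR"
    remove_fstab_entry /etc/fstab
    echo "$BOOT_DEV is now unused; $BOOT_DIR lives on the root filesystem"
}

if [ "${1:-}" = "--run" ]; then
    migrate_boot
fi
```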