JP Vossen on 9 Jan 2011 12:19:12 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Filesys encryption (was Re: Linux n00b question)

On 01/09/2011 11:29 AM, wrote:
Date: Sun, 9 Jan 2011 07:22:28 -0500
From: Art Alexion<>

I got burnt with /home encryption, and am reluctant to use it again.
Of course, it was my fault, but it was an easy mistake to make.

Ubuntu makes setting this up and using it pretty easy and transparent
to the user, and that was the problem. That is, it was so transparent
that I forgot it was encrypted when I did a fresh install of the OS
and did nothing to preserve the keys in the process.

No backups?

For reasons above and that Rich and LeRoy already noted, I tend to use whole-disk encryption instead of automagicically encrypting partitions. My idea of "whole-disk" includes swap but not /boot/ for obvious reasons.

	* No worries about where data is encrypted; it *all* is
	* No worries about swap
	* No worries about keys, except to remember the password
	* NO BOOT without someone at the console
		(likely show stopper for servers)
	* Performance?  (It works fine for me, even on a Mini9)
	* A bit harder to recover from problems

That last one needs a bit more explanation. For example I've had to re-install grub on a whole-disk encrypted drive. Depending on the distro and/or LiveCD you use, you may need to install some packages then load some modules. It's not hard, but you have an "oh crap" moment until you remember the extra steps.

To re-install grub on a CentOS-5 system using encrypted LVM:
(Note device names will vary.)

	1)  Boot a CentOS-5 LiveCD
	2)  yum install lvm2		# Not on LiveCD!
	3)  PATH="/sbin:$PATH"		# missing /sbin = annoying!
	4)  mdadm --auto-detect
	5)  cat /proc/mdstat		# sanity check & find part.
	6)  cryptsetup luksOpen /dev/md1 root
	7)  vgscan
	8)  vgchange -ay
	9)  mount /dev/mapper/vg_devimg/lv_root /mnt
	10) mount /dev/md0 /mnt/boot
	11) grub-install --root-directory=/mnt /dev/sda
	12) reboot

JP Vossen, CISSP            |:::======|
My Account, My Opinions     |=========|
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --