JP Vossen on 9 Jan 2011 12:19:12 -0800



[PLUG] Filesys encryption (was Re: Linux n00b question)


On 01/09/2011 11:29 AM, plug-request@lists.phillylinux.org wrote:
> Date: Sun, 9 Jan 2011 07:22:28 -0500
> From: Art Alexion <art.alexion@gmail.com>
>
> I got burnt with /home encryption, and am reluctant to use it again.
> Of course, it was my fault, but it was an easy mistake to make.
>
> Ubuntu makes setting this up and using it pretty easy and transparent
> to the user, and that was the problem. That is, it was so transparent
> that I forgot it was encrypted when I did a fresh install of the OS
> and did nothing to preserve the keys in the process.

No backups?
<ducks>

For the reasons above, and the ones Rich and LeRoy already noted, I tend to use whole-disk encryption instead of automagically encrypting partitions. My idea of "whole-disk" includes swap but not /boot/, for obvious reasons.

Pros:
	* No worries about where data is encrypted; it *all* is
	* No worries about swap
	* No worries about keys, except to remember the password
Cons:
	* NO BOOT without someone at the console
		(likely show stopper for servers)
	* Performance?  (It works fine for me, even on a Mini9)
	* A bit harder to recover from problems

That last one needs a bit more explanation. For example, I've had to re-install grub on a whole-disk encrypted drive. Depending on the distro and/or LiveCD you use, you may need to install some packages and then load some modules. It's not hard, but you have an "oh crap" moment until you remember the extra steps.

To re-install grub on a CentOS-5 system using encrypted LVM:
(Note device names will vary.)

	1)  Boot a CentOS-5 LiveCD
	2)  yum install lvm2		# Not on LiveCD!
	3)  PATH="/sbin:$PATH"		# missing /sbin = annoying!
	4)  mdadm --auto-detect
	5)  cat /proc/mdstat		# sanity check & find part.
	6)  cryptsetup luksOpen /dev/md1 root
	7)  vgscan
	8)  vgchange -ay
	9)  mount /dev/mapper/vg_devimg/lv_root /mnt
	10) mount /dev/md0 /mnt/boot
	11) grub-install --root-directory=/mnt /dev/sda
	12) reboot
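The same steps as a script with a dry-run mode and a sanity check between steps. This is an added example, not code from JP's post: the post's device names (/dev/md0 for /boot, /dev/md1 for the LUKS container, /dev/sda, and the vg_devimg/lv_root volume) are kept as defaults and are assumptions for any other machine; the /proc/mdstat sample is constructed, not a real capture. `mdstat_arrays` does the "cat /proc/mdstat" sanity check of step 5 so the script can confirm the array is up before `luksOpen`, and `need` confirms the expected device node exists after each step before the next one runs. One caveat on the path in step 9: an activated LVM volume normally appears as /dev/<vg>/<lv> (or /dev/mapper/<vg>-<lv>), so the default below uses /dev/vg_devimg/lv_root. The script stops before the reboot.

```shell
#!/bin/sh
# Added example, not part of JP's post. Wraps the grub re-install steps
# in checks and a dry-run mode. Device names are taken from the post and
# are assumptions elsewhere. Run as root from the LiveCD with DRY_RUN=0.

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the plan; 0 = really run it

# Print the names of active md arrays from /proc/mdstat-style text on stdin.
# Lines of interest look like "md1 : active raid1 sdb2[1] sda2[0]".
mdstat_arrays() {
    awk '$1 ~ /^md[0-9]+$/ && $2 == ":" && $3 == "active" { print $1 }'
}

# Run a command, or just print it in dry-run mode. Fails loudly so the
# caller stops instead of mounting or writing to the wrong device.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@" || { printf 'step failed: %s\n' "$*" >&2; return 1; }
    fi
}

# need "message" <test arguments>: abort with the message unless the
# test(1) condition holds. Skipped in dry-run mode, where nothing exists yet.
need() {
    msg="$1"; shift
    [ "$DRY_RUN" = 1 ] && return 0
    test "$@" || { printf '%s\n' "$msg" >&2; return 1; }
}

recover_grub() {
    boot_md="${1:-/dev/md0}"            # array holding /boot
    root_md="${2:-/dev/md1}"            # array holding the LUKS container
    disk="${3:-/dev/sda}"               # disk whose MBR gets grub
    lv="${4:-/dev/vg_devimg/lv_root}"   # activated LV as /dev/<vg>/<lv>

    PATH="/sbin:/usr/sbin:$PATH"        # LiveCD shells often lack /sbin
    export PATH

    run mdadm --auto-detect || return 1
    # Confirm the container's array actually came up before touching it.
    if [ "$DRY_RUN" != 1 ]; then
        mdstat_arrays </proc/mdstat | grep -qx "$(basename "$root_md")" \
            || { printf '%s is not an active array\n' "$root_md" >&2; return 1; }
    fi
    run cryptsetup isLuks "$root_md" || return 1
    run cryptsetup luksOpen "$root_md" root || return 1
    need "/dev/mapper/root missing after luksOpen" -e /dev/mapper/root || return 1
    run vgscan || return 1
    run vgchange -ay || return 1
    need "logical volume $lv not found after vgchange" -e "$lv" || return 1
    run mount "$lv" /mnt || return 1
    run mount "$boot_md" /mnt/boot || return 1
    need "/mnt/boot/grub missing; wrong boot partition?" -d /mnt/boot/grub || return 1
    run grub-install --root-directory=/mnt "$disk" || return 1
    printf 'grub re-installed; unmount /mnt/boot and /mnt, then reboot\n' >&2
}

# Constructed sample of /proc/mdstat (not a real capture) for the parser.
SAMPLE_MDSTAT='Personalities : [raid1]
md1 : active raid1 sdb2[1] sda2[0]
      976640 blocks [2/2] [UU]
md0 : active raid1 sdb1[1] sda1[0]
      104320 blocks [2/2] [UU]
unused devices: <none>'

printf '%s\n' "$SAMPLE_MDSTAT" | mdstat_arrays   # lists md1 and md0
recover_grub                                     # dry-run: prints the plan
```

With DRY_RUN left at 1 the script only prints the eight commands it would run, which is a cheap way to review the device names before doing it for real on a box whose layout differs from the post's.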


Later,
JP
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug