Fedora Linux Support Community & Resources Center
#1
20th November 2009, 08:54 AM
geugen
Fedora 12 + Luks

Hello,

I have the following problem:

I divided my hard drive into several partitions:
sda1 - /boot
sda2 - /
sda3 (secondary)
- sda5 - /home
- sda6 - swap

I am using LUKS encryption on 2, 5 and 6. On boot the key for 2 is entered manually. Then, through /etc/crypttab and /etc/fstab, partitions 5 and 6 are decrypted with a key file that lies on sda2. That way I always needed to enter only one passphrase.
Now I installed Fedora 12. Even if I don't want to boot 5 and 6 (meaning I deactivated them in crypttab and fstab), the system still asks for a password during boot.

What I tried was to install the kernel from the Fedora 11 repository and boot with it, and ... it works perfectly again! So, what's the problem with the new kernel from Fedora 12?
By the way, if I boot with the Fedora 12 kernel, then after about two minutes of waiting and not entering the passphrases for 5 and 6, the boot process goes on as in the Fedora 11 case and everything is loaded as it should be.

Thanks in advance

Eugen

#2
21st November 2009, 03:49 PM
Sayen
Hi
Take a look at man dracut.
You probably need to pass one of its flags on the kernel boot line:
rd_NO_LUKS, or, if your / is encrypted, rather rd_LUKS_UUID=<luks uuid>.
/etc/crypttab is read later by the rc.sysinit script, not by init from the initrd-like image.

Regards
Jan
#3
21st November 2009, 09:02 PM
geugen
Hello Jan,

thanks for the hint. I've never heard of it before. However, after reading through the dracut web page, it seems as if you were absolutely right. Too bad the whole thing is so new; I have no clue where to start.
So far I tried to generate a new initramfs image using dracut:

Code:
dracut rd_LUKS_UUID=<root-UUID> initramfs-2.6.31.fc12.x86_64.img 2.6.31.5-127
according to: dracut <OPTIONS> <image> <kernel version>
However, after the file was created and I restarted my PC (grub.conf was of course edited before that), a lot of errors came up. Therefore I returned to the old initramfs image again. What am I doing wrong?

Thanks as always in advance
Eugen
#4
21st November 2009, 09:26 PM
Sayen
Hi
No need to create a new initrd. Just edit your /etc/grub.conf and adjust the kernel line in the correct section.
Sorry for being unclear.
Go to /usr/share/dracut; the scripts there can tell you how it all works.
The script cryptroot-ask.sh is launched when requested from 90crypt/70-luks.rules (which is part of the initrd udev rules, valid at boot time).
The script checks if rd_LUKS_UUID is set and then asks for a password only if the UUID of the device matches one in the parameter list.
If there is an rd_NO_LUKS parameter, then 70-luks.rules is deleted before it becomes effective (parse-crypt.sh is responsible for that).

Regards
Jan
#5
22nd November 2009, 01:39 PM
geugen
Hm, no luck! I have tried every possible combination and UUID in my grub.conf, but still, the system always wants the password for the other partitions. Maybe it's because of my x86_64 system, maybe because of something else.

Anyway, I really need a good working and secure system. However, at the moment Fedora 12 doesn't seem to offer it - at least not in my case. I am going to reinstall Fedora 11 and wait a while.

Thanks for the help. Really appreciated it!!!
#6
22nd November 2009, 02:18 PM
gotencool
Quote (originally posted by geugen):
Hm, no luck! I have tried every possible combination and UUID in my grub.conf, but still, the system always wants the password for the other partitions. Maybe it's because of my x86_64 system, maybe because of something else.

Anyway, I really need a good working and secure system. However, at the moment Fedora 12 doesn't seem to offer it - at least not in my case. I am going to reinstall Fedora 11 and wait a while.

Thanks for the help. Really appreciated it!!!
You must find the UUID of your LVM root partition:
Code:
[root@caleuche ~]# lvdisplay
  --- Logical volume ---
  LV Name                /dev/VolGroupGC/LogVolRoot
  VG Name                VolGroupGC
  LV UUID                c9uMIe-Lqpk-6UOY-fMcf-6LEv-z1ZG-4edP2s
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                14,62 GB
  Current LE             468
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0
Then, you must edit /boot/grub/grub.conf and add the dracut flag:
Code:
title Fedora (2.6.31.5-127.fc12.x86_64)
	root (hd0,2)
	kernel /vmlinuz-2.6.31.5-127.fc12.x86_64 ro root=/dev/mapper/VolGroupGC-LogVolRoot rd_LUKS_UUID=<your lvm root uuid>
Reboot and test.
Regards.
#7
22nd November 2009, 07:06 PM
geugen
OK, now I am a bit confused. Why do I need the LVM root partition? Shouldn't I be using the LUKS one?

My original grub.conf:
Code:
title Fedora (2.6.31.5-127.fc12.x86_64)
	root (hd0,0)
	kernel /vmlinuz-2.6.31.5-127.fc12.x86_64 ro root=/dev/mapper/luks-7ad085ad-c93d-4e07-a420-775d8f2c3368
	initrd /initramfs-2.6.31.5-127.fc12.x86_64.img
Code:
[root@lenovo-t61 ~]# lvdisplay 
  --- Logical volume ---
  LV Name                /dev/vg_lenovot61/lv_root
  VG Name                vg_lenovot61
  LV UUID                oTdjT1-ZeKX-uUAX-4OoH-MiPX-jQkP-Y4XzNL
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                15,00 GB
  Current LE             3840
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0
Code:
[root@lenovo-t61 ~]# blkid
/dev/sda1: UUID="d1ed46ad-9750-4368-9d04-082dea0ef096" TYPE="ext4" 
/dev/sda2: UUID="CYJaay-qeEe-RjV1-8USU-vFtm-tzE2-RpzbR9" TYPE="LVM2_member" 
/dev/mapper/vg_lenovot61-lv_root: UUID="7ad085ad-c93d-4e07-a420-775d8f2c3368" TYPE="crypto_LUKS"
...
Maybe our encryption strategies differ.
I created the encrypted LUKS partition during the Fedora installation. By the way, it was the first time I started using LVM. Before, I had my partitions divided as described in the first post, without LVM. After this didn't work, I reinstalled the whole thing and let Fedora divide my hard drive automatically. sda2 became the LVM group, which had the logical partitions root, home and swap. Here I activated the encryption, however, only for root; home and swap were encrypted later. Was this maybe a mistake?

I am planning on reinstalling the whole thing and doing the following:

Create structure:
Code:
sda1 - primary (for /boot)
sda2
  - sda3 (for root)
  - sda4 (rest for /home)
  - sda5 (for swap)
Next I encrypt sda3, sda4 and sda5. After that I install Fedora 12.

OR should I just use the options offered during the installation and encrypt everything at once?

Thanks again :-)
#8
22nd November 2009, 09:05 PM
Sayen
Hi
I do not have such a setup around. Just an encrypted partition with a key, so rd_NO_LUKS was the choice for me.

Maybe there is a bug in the rd_LUKS_UUID implementation.
I do not like these lines in the script cryptroot-ask.sh:
Code:
if [ -n "$LUKS" ]; then
    ask=0
    luuid=${2##luks-}
    for luks in $LUKS; do
        if [ "${luuid##$luks}" != "$2" ]; then
            ask=1
        fi
    done
fi
LUKS is set to the rd_LUKS_UUID list. luuid is the UUID of the device being checked, like:
UUID="7ad085ad-c93d-4e07-a420-775d8f2c3368" TYPE="crypto_LUKS"

Then ask should be set to 1 if and only if this luuid matches one on the list provided on boot.
So in my opinion ${luuid##$luks} should be compared to an empty string rather than to $2. To be precise, it will always be unequal to $2.
Maybe something like:
Code:
        if [ -z "${luuid##$luks}" ]; then
            ask=1
        fi
would work better?
You can always try to update the two scripts in /usr/share/dracut and then rebuild the initramfs, probably with something like dracut <imagename> <kernel version>.
After that the new scripts should be in the init image; still, keep a backup, as I did not test it.

Regards
Jan
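The comparison bug Jan points out, reproduced as an added example (not dracut's code and not from any poster): the quoted test and the proposed -z test as two POSIX sh functions, run against the root UUID from this thread and a constructed second UUID. The function names, the ask=1 default when no list is given, and the sample /home UUID are assumptions.

```shell
#!/bin/sh
# Added example (not dracut's code): the rd_LUKS_UUID test quoted from
# cryptroot-ask.sh in the post above, wrapped in two functions so the
# quoted variant and the proposed -z variant can be compared offline.
# Assumptions: $1 is the space-separated rd_LUKS_UUID list, $2 the device
# name udev passes in ("luks-<uuid>"); ask=1 means "prompt for a passphrase".

# Variant as quoted: compares the stripped UUID with $2, which still carries
# the "luks-" prefix, so the strings never match and ask becomes 1 for every
# LUKS device seen, whether or not it is on the list.
ask_quoted() {
    LUKS=$1
    ask=1                       # assumed default when no list is given
    if [ -n "$LUKS" ]; then
        ask=0
        luuid=${2##luks-}
        for luks in $LUKS; do
            if [ "${luuid##$luks}" != "$2" ]; then
                ask=1
            fi
        done
    fi
    printf '%s\n' "$ask"
}

# Proposed variant: ${luuid##$luks} is empty only when the list entry
# matched the whole UUID, so only listed devices get the prompt.
ask_proposed() {
    LUKS=$1
    ask=1
    if [ -n "$LUKS" ]; then
        ask=0
        luuid=${2##luks-}
        for luks in $LUKS; do
            if [ -z "${luuid##$luks}" ]; then
                ask=1
            fi
        done
    fi
    printf '%s\n' "$ask"
}

# Constructed sample: the root UUID from the thread plus an invented /home UUID.
ROOT_UUID=7ad085ad-c93d-4e07-a420-775d8f2c3368
HOME_DEV=luks-11111111-2222-3333-4444-555555555555
ask_quoted   "$ROOT_UUID" "luks-$ROOT_UUID"   # 1: root prompt, wanted
ask_quoted   "$ROOT_UUID" "$HOME_DEV"         # 1: /home prompt, unwanted
ask_proposed "$ROOT_UUID" "luks-$ROOT_UUID"   # 1
ask_proposed "$ROOT_UUID" "$HOME_DEV"         # 0
```

Because $luks is expanded unquoted inside ${luuid##$luks}, it acts as a shell pattern, so a wildcard entry such as 7ad085ad* on the kernel line also selects the device in the proposed variant.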