LVM ROOT encryption

breakcoder
Posts: 3
Joined: 2009/01/06 13:53:14

LVM ROOT encryption

Post by breakcoder » 2009/01/09 07:30:26

Hello All,

I have the following problem:

Notebook Dell Latitude D630:

Disk partitioned:
fdisk -l

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *         3866        3882      136552+  83  Linux        ------------> /boot partition
/dev/sda2   *           16        3865    30925125    7  HPFS/NTFS    ---> windows
/dev/sda3             3883       13609    78132127+  83  Linux        ----------> partition for encrypted data
/dev/sda4            18600       19457     6891885   8e  Linux LVM    ----> current CentOs installation

I am running kernel: 2.6.18-92.1.22.el5PAE

I tried to create an encrypted partition with cryptsetup LUKS to encrypt the whole root partition, and I followed this manual exactly:

http://lists.centos.org/pipermail/centos-docs/2008-September/001791.html

So everything was ok, I was able to do all of this:

cryptsetup -v -y -s 256 luksFormat /dev/sda3
cryptsetup luksOpen /dev/sda3 crypt
key slot 0 unlocked.
Command successful.

cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3

Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: 2c da d4 15 2b 0d d5 ed 6c 8a a6 e2 b9 fe 26 c8 da a5 90 b9
MK salt: bb 20 50 e4 73 df b6 31 8c a0 a8 69 9a e5 a6 a6
8d d4 fc 22 8b 46 7c 5a de 02 18 18 92 11 de 83
MK iterations: 10
UUID: 5a7a7b07-4a28-4c03-a913-c1313183c52a

Key Slot 0: ENABLED
Iterations: 212118
Salt: 91 20 0d 52 30 68 c6 1f a5 c0 6a 97 25 f6 85 31
c8 a1 98 33 57 2b b5 48 2b e7 c6 43 20 ba 14 3f
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 211126
Salt: 98 e6 4b d6 4f 7b 77 c9 ab 17 9f 3a 16 73 dc 07
d0 5c ad e2 1a 92 e0 77 32 0c 9c be fe 4b c4 93
Key material offset: 136
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED

cryptsetup status crypt
/dev/mapper/crypt is active:
cipher: aes-cbc-essiv:sha256
keysize: 128 bits
device: /dev/sda3
offset: 1032 sectors
size: 156263223 sectors
mode: read/write

dmsetup status
vg00-lvol01: 0 9175040 linear
crypt: 0 156263223 crypt
vg00-lvol04: 0 1179648 linear
vg00-lvol03: 0 983040 linear
vg00-lvol02: 0 1179648 linear

ls -l /dev/mapper
total 0
crw------- 1 root root 10, 63 Jan 9 2009 control
brw-rw---- 1 root disk 253, 4 Jan 9 08:12 crypt
brw-rw---- 1 root disk 253, 0 Jan 9 08:08 vg00-lvol01---------> /
brw-rw---- 1 root disk 253, 2 Jan 9 08:08 vg00-lvol02---------->/home
brw-rw---- 1 root disk 253, 1 Jan 9 08:08 vg00-lvol03----------->/tmp
brw-rw---- 1 root disk 253, 3 Jan 9 2009 vg00-lvol04------------>/swap

cryptsetup luksClose crypt

I am also able to load modules without any problem:

modprobe dm-mod aes sha256 cbc
ok

I was able to create an initrd with the "patched" mkinitrd for encrypted FS:

/sbin/mkinitrd -v /boot/initrd-2.6.18-92.1.22.el5PAE.crypt.img 2.6.18-92.1.22.el5PAE

Then in single user mode:
cryptsetup luksOpen /dev/sda3 crypt

dd if=/dev/sda4 of=/dev/mapper/crypt

cryptsetup luksClose crypt

everything ok!

But when I tried to boot from the new initrd image:
The system correctly asks for the passphrase and.....


ERROR:
========================================
device-mapper: table: 253:0: crypt unknown target type ---------> I found something about a multipath issue.
Failed to setup dm-crypt key mapping.
Check kernel for support for aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda3 contains at least 133 sectors.
Failed to read from key storage.
========================================

Maybe it is also a problem with mkinitrd? You can find mine in the attachment.

I tried to set it all up before on VirtualBox (just a kernel without PAE, but otherwise the same one) and it worked!

Please help me out with this, or bring any idea of how to fix it. Maybe it is possibly a bug too. I do not know.
But what I know for sure is that I will have to commit suicide if this does not work by Monday morning.
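As an added example (my own code, not from the post, the linked manual or cryptsetup itself), here is a small Python parser for the on-disk LUKS1 header that reproduces the fields luksDump printed above and checks them against what you intended to create. The sample header is constructed inline from the values in the dump (cipher, key size, digest, salts, iteration counts, UUID, the two enabled key slots) so the script runs offline; `read_luks1_header()` does the same against a real block device. The audit compares the master key size with the size requested on the luksFormat command line and counts enabled key slots, since every enabled slot is an independent passphrase that unlocks the volume; it also computes where each slot's anti-forensic key material ends, which for slot 0 of this header is the 133 sectors quoted in the boot error.

```python
import struct

# LUKS1 on-disk header, all integers big-endian (LUKS1 format specification).
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR_FMT = ">6sH32s32s32sII20s32sI40s"   # magic, version, cipher, mode, hash,
                                         # payload offset, key bytes, MK digest,
                                         # MK salt, MK iterations, uuid (208 bytes)
SLOT_FMT = ">II32sII"                    # active, iterations, salt, key material
                                         # offset, AF stripes (48 bytes x 8 slots)
LUKS_KEY_ENABLED = 0x00AC71F3
LUKS_KEY_DISABLED = 0x0000DEAD
SECTOR = 512
HEADER_LEN = struct.calcsize(PHDR_FMT) + 8 * struct.calcsize(SLOT_FMT)  # 592

def _cstr(field):
    """NUL-padded ASCII field -> str."""
    return field.split(b"\0", 1)[0].decode("ascii")

def parse_luks1_header(raw):
    """Parse the first 592 bytes of a LUKS1 device into a dict."""
    if len(raw) < HEADER_LEN or raw[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    (_, version, cipher, mode, hash_spec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uid) = struct.unpack_from(PHDR_FMT, raw, 0)
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    slots, off = [], struct.calcsize(PHDR_FMT)
    for _ in range(8):
        active, iters, salt, kmo, stripes = struct.unpack_from(SLOT_FMT, raw, off)
        slots.append({"enabled": active == LUKS_KEY_ENABLED, "iterations": iters,
                      "salt": salt, "key_material_offset": kmo, "stripes": stripes})
        off += struct.calcsize(SLOT_FMT)
    return {"cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hash_spec),
            "payload_offset": payload_off, "key_bits": key_bytes * 8,
            "mk_digest": mk_digest, "mk_salt": mk_salt, "mk_iterations": mk_iter,
            "uuid": _cstr(uid), "slots": slots}

def key_material_end_sector(hdr, slot):
    """First sector after a slot's AF-split key material (stripes * key bytes)."""
    s = hdr["slots"][slot]
    key_bytes = hdr["key_bits"] // 8
    return s["key_material_offset"] + (s["stripes"] * key_bytes + SECTOR - 1) // SECTOR

def audit_luks1(hdr, requested_key_bits, expected_enabled_slots):
    """Return a list of findings; an empty list means the header matches intent."""
    findings = []
    if hdr["key_bits"] != requested_key_bits:
        findings.append("master key is %d bits, not the %d bits requested"
                        % (hdr["key_bits"], requested_key_bits))
    enabled = [i for i, s in enumerate(hdr["slots"]) if s["enabled"]]
    if len(enabled) != expected_enabled_slots:
        findings.append("%d key slots enabled (%s), expected %d"
                        % (len(enabled), enabled, expected_enabled_slots))
    for i in enabled:  # key material must lie in the header area, before the payload
        if key_material_end_sector(hdr, i) > hdr["payload_offset"]:
            findings.append("slot %d key material overlaps the payload" % i)
    return findings

def read_luks1_header(device):
    """Read and parse the header of a real device, e.g. '/dev/sda3'."""
    with open(device, "rb") as f:
        return parse_luks1_header(f.read(HEADER_LEN))

def build_luks1_header(cipher, mode, hash_spec, payload_offset, key_bits,
                       mk_digest, mk_salt, mk_iter, uuid_str, slots):
    """Serialise a header; used here only to construct the sample below."""
    out = struct.pack(PHDR_FMT, LUKS_MAGIC, 1, cipher.encode(), mode.encode(),
                      hash_spec.encode(), payload_offset, key_bits // 8,
                      mk_digest, mk_salt, mk_iter, uuid_str.encode())
    for i in range(8):
        if i < len(slots):
            iters, salt, kmo, stripes = slots[i]
            out += struct.pack(SLOT_FMT, LUKS_KEY_ENABLED, iters, salt, kmo, stripes)
        else:
            out += struct.pack(SLOT_FMT, LUKS_KEY_DISABLED, 0, b"", 0, 0)
    return out

# Constructed sample: the values luksDump printed for /dev/sda3 in the post.
SAMPLE_HEADER = build_luks1_header(
    "aes", "cbc-essiv:sha256", "sha1", 1032, 128,
    bytes.fromhex("2c da d4 15 2b 0d d5 ed 6c 8a a6 e2 b9 fe 26 c8 da a5 90 b9"),
    bytes.fromhex("bb 20 50 e4 73 df b6 31 8c a0 a8 69 9a e5 a6 a6 "
                  "8d d4 fc 22 8b 46 7c 5a de 02 18 18 92 11 de 83"),
    10, "5a7a7b07-4a28-4c03-a913-c1313183c52a",
    [(212118, bytes.fromhex("91 20 0d 52 30 68 c6 1f a5 c0 6a 97 25 f6 85 31 "
                            "c8 a1 98 33 57 2b b5 48 2b e7 c6 43 20 ba 14 3f"), 8, 4000),
     (211126, bytes.fromhex("98 e6 4b d6 4f 7b 77 c9 ab 17 9f 3a 16 73 dc 07 "
                            "d0 5c ad e2 1a 92 e0 77 32 0c 9c be fe 4b c4 93"), 136, 4000)])

if __name__ == "__main__":
    hdr = parse_luks1_header(SAMPLE_HEADER)
    print(hdr["cipher"], hdr["mode"], hdr["key_bits"], "bits", hdr["uuid"])
    for finding in audit_luks1(hdr, requested_key_bits=256, expected_enabled_slots=1):
        print("FINDING:", finding)
```

Run against the sample with `requested_key_bits=256, expected_enabled_slots=1` it reports two findings (a 128-bit master key and two enabled slots); `audit_luks1(read_luks1_header("/dev/sda3"), 256, 1)` as root performs the same check on the real device.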


Re: LVM ROOT encryption - really nasty

Post by breakcoder » 2009/01/09 13:30:11

Hi all,

(first, for Google)
(centos root encrypt cryptsetup luks dm-crypt) - hopefully it will crawl this solution fast.

It is really great that I can respond to my own question, and there is not a single hit for a solution to this question from others! :-)

So, what needed to be done to be able to encrypt the root partition on CentOS 5.2 and get it working:

I found solution here:

http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html

So, man, thank you! You are really a guru of CentOS stuff.

But I used just part of it :-)
===========================================================

1. Start exactly here and RTFM first!

http://lists.centos.org/pipermail/centos-docs/2008-September/001791.html

When you get to the step:
"Step Four: Configure mkinitrd for encrypted system"========STOP HERE========

just throw away what this manual says and continue with these steps:
(It has been tested and works on a fresh CentOS 5.2 installation with updates.)


1. mkinitrd -v /boot/initrd-2.6.18-53.el5.crypt.img --with=aes --with=sha256 --with=dm-crypt 2.6.18-53.el5
(DO NOT FORGET TO REPLACE THE KERNEL VERSION WITH WHAT YOU FIND WITH THE COMMAND "uname -r")

So in our particular case the command looks like this:
(BTW, YOU DO NOT NEED TO PATCH MKINITRD! USE THE ONE INCLUDED IN THE SYSTEM.)

mkinitrd -v /boot/initrd-2.6.18-92.1.22.el5PAE.crypt.img --with=aes --with=sha256 --with=dm-crypt 2.6.18-92.1.22.el5PAE

If there is any problem, you can verify whether you are able to load all the necessary modules simply by trying:

# modprobe dm-crypt aes sha256 ---> any problem here can be serious for the whole process.
..... but when I tried, I did not find any with CentOS 5.2.


2.

Now we need to modify the initrd so that it will decrypt the partition at boot time
REPLACE KERNEL NUMBER WITH RESULT OF COMMAND "uname -r"

# cd /boot
# mkdir /boot/initrd-2.6.18-53.el5.crypt.dir
# cd /boot/initrd-2.6.18-53.el5.crypt.dir
# gunzip < /boot/initrd-2.6.18-53.el5.crypt.img | cpio -i --make-directories
(here it will ask you to overwrite lvm; press y for yes, you can overwrite it, it is ok.)

I TESTED IT, AND WITHOUT THIS STEP IT DID NOT WORK! YOU WILL BE ABLE TO BOOT THE MACHINE WITH THE CREATED INITRD, BUT WITHOUT ENCRYPTION :-(

...continue:

5.
Compress the new initrd

find ./ | cpio -H newc -o | gzip -9 > /boot/initrd-2.6.18-53.el5.crypt.img

Now you can continue with the CentOS manual from the step about editing the /etc/grub.conf file:

There you go, and the f**king encryption is working.
Please honor me, because I spent the last 10 days of my life on this :-). (And in the end it was such a simple solution.)

Finally, do not forget to take the last step from the manual, and have a beer if you are not driving!!!

Thanks all for responding :-)
Nice weekend, at least for me.....
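As an added example (my own code, not from either post or from the blog they link), here is a Python audit of a finished initrd image: it unpacks the gzip'd newc cpio archive that `find ./ | cpio -H newc -o | gzip -9` produces and reports which of the kernel modules the procedure relies on are missing, and whether the init script references cryptsetup at all. The first post's boot error, `crypt unknown target type`, is what device-mapper reports when no dm-crypt target is registered in the kernel, i.e. dm-crypt.ko was never loaded; this check catches that before a reboot. The two sample images are constructed inline (placeholder bytes in place of real .ko files and a short nash-style init), the "broken" one modelled on the first post's symptom (crypto modules present, no dm-crypt.ko). The module file names are an assumption for the 2.6.18 kernel on this page; pass your own list for another kernel. `audit_initrd_file()` runs the same check against a real /boot/initrd-*.img.

```python
import gzip
import io

NEWC_MAGIC = b"070701"
NEWC_HDR_LEN = 110                       # magic + 13 eight-digit hex fields
# Assumed module file names for the 2.6.18 el5 kernel discussed on the page.
REQUIRED_MODULES = ("dm-mod.ko", "dm-crypt.ko", "aes.ko", "cbc.ko", "sha256.ko")

def _pad4(n):
    """newc aligns each header+name and each file body to a 4-byte boundary."""
    return (4 - n % 4) % 4

def write_newc(files):
    """Serialise {path: bytes} as a newc cpio archive (regular files only)."""
    out = io.BytesIO()
    entries = list(files.items()) + [("TRAILER!!!", b"")]
    for ino, (name, data) in enumerate(entries, 1):
        name_b = name.encode() + b"\0"
        mode = 0o100644 if name != "TRAILER!!!" else 0
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize (incl. NUL), check
        fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
        out.write(NEWC_MAGIC + "".join("%08X" % f for f in fields).encode("ascii"))
        out.write(name_b + b"\0" * _pad4(NEWC_HDR_LEN + len(name_b)))
        out.write(data + b"\0" * _pad4(len(data)))
    return out.getvalue()

def read_newc(blob):
    """Parse a newc cpio archive into {path: bytes}, stopping at TRAILER!!!."""
    members, pos = {}, 0
    while True:
        if blob[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        hdr = blob[pos + 6:pos + NEWC_HDR_LEN].decode("ascii")
        fields = [int(hdr[i:i + 8], 16) for i in range(0, 104, 8)]
        filesize, namesize = fields[6], fields[11]
        name_start = pos + NEWC_HDR_LEN
        name = blob[name_start:name_start + namesize - 1].decode()
        data_start = name_start + namesize + _pad4(NEWC_HDR_LEN + namesize)
        if name == "TRAILER!!!":
            return members
        members[name] = blob[data_start:data_start + filesize]
        pos = data_start + filesize + _pad4(filesize)

def audit_initrd(image, required=REQUIRED_MODULES):
    """Return (missing module names, init mentions cryptsetup) for a gzip'd initrd."""
    members = read_newc(gzip.decompress(image))
    basenames = {path.rsplit("/", 1)[-1] for path in members}
    missing = [m for m in required if m not in basenames]
    calls_cryptsetup = b"cryptsetup" in members.get("init", b"")
    return missing, calls_cryptsetup

def audit_initrd_file(path, required=REQUIRED_MODULES):
    """Same check on a real image, e.g. /boot/initrd-2.6.18-92.1.22.el5PAE.crypt.img."""
    with open(path, "rb") as f:
        return audit_initrd(f.read(), required)

# Constructed samples: placeholder module bodies and a minimal nash-style init.
MODDIR = "lib/modules/2.6.18-92.1.22.el5PAE/"
SAMPLE_INIT = (b"#!/bin/nash\n"
               b"insmod /lib/modules/2.6.18-92.1.22.el5PAE/dm-crypt.ko\n"
               b"cryptsetup luksOpen /dev/sda3 crypt\n"
               b"lvm vgchange -ay --ignorelockingfailure vg00\n")

def build_sample_initrd(modules, init=SAMPLE_INIT):
    files = {"init": init}
    for m in modules:
        files[MODDIR + m] = b"\x7fELF placeholder for " + m.encode()
    return gzip.compress(write_newc(files))

# Modelled on the first post's symptom: crypto modules present, dm-crypt absent.
BROKEN_INITRD = build_sample_initrd(["dm-mod.ko", "aes.ko", "sha256.ko", "cbc.ko"])
# What a rebuild with --with=dm-crypt should contain.
FIXED_INITRD = build_sample_initrd(["dm-mod.ko", "aes.ko", "sha256.ko", "cbc.ko", "dm-crypt.ko"])

if __name__ == "__main__":
    for label, img in (("broken", BROKEN_INITRD), ("fixed", FIXED_INITRD)):
        print(label, audit_initrd(img))
```

On the broken sample the audit returns `(['dm-crypt.ko'], True)`: the init would prompt for a passphrase (it references cryptsetup) and then fail exactly as in the first post, because the module that provides the `crypt` target is not on board. A pure-Python reader is used instead of shelling out to `cpio -t` so the check can run from any host that has a copy of the image.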
