Problem booting encrypted /

Support for security such as Firewalls and securing linux
bodisha
Posts: 41
Joined: 2015/06/06 23:55:29

Problem booting encrypted /

Post by bodisha » 2015/06/07 04:34:55

Please note, this question is NOT about /usr/sbin/init or the /lib/systemd/systemd file... It's about a scripted text file named "init" that's part of initrd.

Hello and thanks in advance for any assistance anyone can offer

I'm trying to familiarize myself with various cryptsetup encryption techniques. I've managed to get things to work no problem when I encrypt at install, and I've graduated to encrypting unencrypted file systems manually. I've successfully encrypted /tmp, /swap, /home, and random encrypted file systems. Unfortunately / isn't cooperating. I haven't found an overabundance of documentation on how to manually encrypt / on CentOS 7, so I've attempted to follow the directions in an old post on how to encrypt / on CentOS 5.

viewtopic.php?t=30503

I have created the encrypted / file system, moved the contents between the original and it with dd. I am able to open it with luksOpen, mount the opened LUKS file system, and view the contents of it. Unfortunately, the instructions after that don't seem to align with CentOS 7. At one point in the post's instructions, it says to edit the "init script" within the initrd.img file and include the 'cryptsetup luksOpen' command in it for the / file system. Since CentOS 7 seems to use initramfs.img in the grub2 menu entry, I unpack the initramfs.img file with skipcpio and I don't find this script. I've attempted various google searches and have found many references to this script within initrd (although no references specifically to CentOS 7), but no specifics beyond its existence.

Does the "init script" exist within CentOS 7? Is there a different method to accomplish this in CentOS 7? Does anyone know of updated instructions for CentOS 7?
Does anyone have any opinion on the directions within the link? Once again, thanks for any help!
Last edited by bodisha on 2015/06/10 01:57:16, edited 3 times in total.

aks
Posts: 2844
Joined: 2014/09/20 11:22:14

Re: Problem booting encrypted /

Post by aks » 2015/06/08 18:26:46

Normally you have to be able to "tell" the thing that boots the system (init in CentOS before 7 and systemd in CentOS 7) about the shared secret so that the booter (init/systemd) can read (and write, depending on how you've set up the filesystems) the contents of the / filesystem.
As a starting point have a look at the dracut program which is used to modify the initial boot image.
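As an added example (not code from aks's post or from the thread), the script below stages what a CentOS 7 system needs in place of the hand-edited nash `init` script the CentOS 5 instructions describe: an `/etc/crypttab` entry, the `/etc/fstab` entry for the opened mapping, the `rd.luks.uuid=` kernel argument that dracut's `crypt` module reads at boot, and the `dracut`/`grubby` commands to apply them, plus a check with `lsinitrd` that the rebuilt initramfs actually carries cryptsetup. It assumes an xfs root (the CentOS 7 default, overridable), the systemd mount option `x-systemd.device-timeout=0`, and a constructed placeholder UUID; everything is written to a scratch directory, never to `/etc` or `/boot`:

```sh
#!/bin/sh
# Added example, not code from the thread: on CentOS 7 the initramfs is built
# by dracut and the root LUKS volume is opened by dracut's "crypt" module,
# driven by rd.luks.uuid= on the kernel command line and /etc/crypttab,
# so there is no nash "init" script to edit. This script stages those pieces
# in a scratch directory for review; it never writes to /etc or /boot.
set -eu

# Accept only a well-formed LUKS UUID (8-4-4-4-12 lowercase hex) so a typo
# cannot end up in crypttab and leave the system unbootable.
valid_uuid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Emit, one per line: the /etc/crypttab entry, the /etc/fstab entry for the
# opened mapping, and the kernel argument dracut's crypt module looks for.
# $2 is the root filesystem type (assumed xfs, the CentOS 7 default).
luks_root_lines() {
    uuid=$1
    fstype=${2:-xfs}
    valid_uuid "$uuid" || { echo "luks_root_lines: bad UUID '$uuid'" >&2; return 1; }
    printf 'luks-%s UUID=%s none luks\n' "$uuid" "$uuid"
    printf '/dev/mapper/luks-%s / %s defaults,x-systemd.device-timeout=0 1 1\n' "$uuid" "$fstype"
    printf 'rd.luks.uuid=luks-%s\n' "$uuid"
}

# Write the staged files plus the commands to apply them on the real host.
# Prints the kernel argument so a caller can reuse it.
stage_luks_root() {
    uuid=$1
    dir=$2
    mkdir -p "$dir"
    luks_root_lines "$uuid" > "$dir/lines"
    sed -n 1p "$dir/lines" > "$dir/crypttab"
    sed -n 2p "$dir/lines" > "$dir/fstab.root"
    karg=$(sed -n 3p "$dir/lines")
    cat > "$dir/apply.sh" <<EOF
# Review first; these modify the boot configuration of the running system.
cat $dir/crypttab >> /etc/crypttab
# replace the old / line in /etc/fstab with the contents of $dir/fstab.root
grubby --update-kernel=ALL --args="$karg"
printf 'add_dracutmodules+=" crypt "\n' > /etc/dracut.conf.d/crypt.conf
dracut -f /boot/initramfs-\$(uname -r).img \$(uname -r)
EOF
    printf '%s\n' "$karg"
}

# Check that an initramfs actually carries cryptsetup; returns 0 if present,
# 1 if absent, 2 if lsinitrd (shipped with the dracut package) is missing.
initramfs_has_crypt() {
    command -v lsinitrd >/dev/null 2>&1 || return 2
    lsinitrd "$1" | grep -q cryptsetup
}

# Constructed placeholder UUID; on a real host use: cryptsetup luksUUID /dev/sdXN
DEMO_UUID=0123abcd-1234-5678-9abc-def012345678
STAGE=$(mktemp -d)
stage_luks_root "$DEMO_UUID" "$STAGE"
echo "staged under $STAGE:"
cat "$STAGE/apply.sh"
initramfs_has_crypt "/boot/initramfs-$(uname -r).img" || echo "crypt module not verified (rc=$?)"
```

Run `initramfs_has_crypt` again after `dracut -f`; if it still returns 1, the `crypt` module was not pulled in and the boot will stop at a rescue shell asking for a root device rather than a passphrase.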

bodisha
Posts: 41
Joined: 2015/06/06 23:55:29

Re: Problem booting encrypted /

Post by bodisha » 2015/06/08 19:41:24

Thanks for the reply, but I don't think I was clear enough on what my question was about.

In the second post of the thread I've been following in an attempt to encrypt the / file system (viewtopic.php?t=30503), step 3 states that a text file named "init" should exist in the initrd.img file, and needs to be edited to include a "cryptsetup luksOpen" command.

While the author of the post doesn't clearly specify it, I feel he's stating the "init" script is different from the /usr/sbin/init file that's linked to the /lib/systemd/systemd file. If you look at the post it clearly says to "vi init". As /lib/systemd/systemd is a compiled shared object, I don't think he's saying to vi /usr/sbin/init.

I'm not familiar enough with the contents of either initrd or initramfs to know if an "init" script should exist in it on CentOS 7. I've done multiple google searches to try and learn about it though. Like I said in my initial post, I've found multiple references to it. Where I've read about it, it's been made to sound like it's important to initrd to mount everything. Unfortunately, none of the references I've seen specified CentOS 7 or explain the format this file should be in.

This link specifies an example of what I mean (https://openvz.org/Modifying_initrd_image) about the existence of an init script and states "When kernel boots, it checks for initrd image, and if it exists starts init script that resides on this image. init script is usually written in nash".

If my understanding of the init file the post suggests to vi is incorrect, please feel free to set me straight. At this time though I guess my question is a multiple part question:

1) Does this "init" script have any relationship to initramfs on CentOS 7?
2) If it does, how can it be included in the initramfs? (I'll follow your suggestion and read more about dracut)
3) If anyone had the time, or inclination, could they review the thread I linked to with the instructions on how to encrypt /, and share their opinions on it.
4) As the directions I've been trying to follow are for CentOS 5, if anyone knows of an updated set of instructions on how to encrypt the / file system, could they post it please?

Once again, thank you for anyone's suggestions or advice.

aks
Posts: 2844
Joined: 2014/09/20 11:22:14

Re: Problem booting encrypted /

Post by aks » 2015/06/09 19:18:55

Short answer: init was replaced with systemd in CentOS 7 (init was in all versions of CentOS until version 7). The init program is "associated" with System V style startup, while systemd is "associated" with socket (and others) startup.
