Linux.com

dusf

  • Linux.com Member
  • Posts: 1
  • Member Since: 26 Apr
  • Last Logged In: 26 Apr

Latest Posts

Posted by
Topic
Post Preview
Posted
  • dusf
    Encrypted /root, /home, and swap mount at boot as does LV shared but no write access?
    Link to this post 26 Apr

    The following is how I have encrypted the /root, /home, and swap partitions on a disk already containing Windows 8.1 and only require a single passphrase entry on boot:

    Create a 500 MiB ext4 partition on sda5 that will later be assigned as /boot.

    [CODE]sudo dd if=/dev/urandom of=/dev/sda6[/CODE]

    12 hours elapse.

    [CODE]dd: writing to ‘/dev/sda6’: No space left on device
    660092929+0 records in
    660092928+0 records out
    337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s[/CODE]

    [CODE]modprobe dm-crypt
    modprobe aes-x86_64
    modprobe sha256[/CODE]

    When I do this over I will run cryptsetup benchmark first to see which AES and SHA work best for my system.

    [CODE]sudo cryptsetup luksFormat /dev/sda6

    WARNING!
    ========
    This will overwrite data on /dev/sda6 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter passphrase:
    Verify passphrase:
    sudo cryptsetup luksOpen /dev/sda6 enc-pv
    Enter passphrase for /dev/sda6:

    sudo pvcreate /dev/mapper/enc-pv
    Physical volume "/dev/mapper/enc-pv" successfully created
    sudo vgcreate vg /dev/mapper/enc-pv
    Volume group "vg" successfully created
    sudo lvcreate -L 8.5G -n swap vg
    Logical volume "swap" created
    sudo lvcreate -L 20G -n ubuntu-root vg
    Logical volume "ubuntu-root" created
    sudo lvcreate -L 50G -n ubuntu-home vg
    Logical volume "ubuntu-home" created
    sudo lvcreate -L 140G -n shared vg
    Logical volume "shared" created

    sudo lvdisplay
    --- Logical volume ---
    LV Path /dev/vg/swap
    LV Name swap
    VG Name vg
    LV UUID EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
    LV Write Access read/write
    LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
    LV Status available
    # open 0
    LV Size 8.50 GiB
    Current LE 2176
    Segments 1
    Allocation inherit
    Read ahead sectors auto
    - currently set to 256
    Block device 252:1

    --- Logical volume ---
    LV Path /dev/vg/ubuntu-root
    LV Name ubuntu-root
    VG Name vg
    LV UUID TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
    LV Write Access read/write
    LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
    LV Status available
    # open 0
    LV Size 20.00 GiB
    Current LE 5120
    Segments 1
    Allocation inherit
    Read ahead sectors auto
    - currently set to 256
    Block device 252:2

    --- Logical volume ---
    LV Path /dev/vg/shared
    LV Name shared
    VG Name vg
    LV UUID dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
    LV Write Access read/write
    LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
    LV Status available
    # open 0
    LV Size 140.00 GiB
    Current LE 35840
    Segments 1
    Allocation inherit
    Read ahead sectors auto
    - currently set to 256
    Block device 252:4

    --- Logical volume ---
    LV Path /dev/vg/ubuntu-home
    LV Name ubuntu-home
    VG Name vg
    LV UUID pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
    LV Write Access read/write
    LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
    LV Status available
    # open 0
    LV Size 50.00 GiB
    Current LE 12800
    Segments 1
    Allocation inherit
    Read ahead sectors auto
    - currently set to 256
    Block device 252:3

    sudo vgdisplay | grep -i free
    Free PE / Size 24641 / 96.25 GiB[/CODE]

    [CODE]sudo mkfs.ext4 /dev/mapper/vg-shared

    mke2fs 1.42.9 (4-Feb-2014)
    Filesystem label=
    OS type: Linux
    Block size=4096 (log=2)
    Fragment size=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    9175040 inodes, 36700160 blocks
    1835008 blocks (5.00%) reserved for the super user
    First data block=0
    Maximum filesystem blocks=4294967296
    1120 block groups
    32768 blocks per group, 32768 fragments per group
    8192 inodes per group
    Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624, 11239424, 20480000, 23887872

    Allocating group tables: done
    Writing inode tables: done
    Creating journal (32768 blocks): done
    Writing superblocks and filesystem accounting information: done
    [/CODE]

    There was similar output for:

    [CODE]sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
    sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home[/CODE]

    I may have needed to add an extra hyphen, like vg-ubuntu--root.

    Next I opened the Ubuntu 14.04 installer and selected 'something else'. I assigned /boot to the 500 MiB partition on sda5 and then /root, /home, and swap to the logical /dev/mapper/vg volumes.

    After Ubuntu installs, before rebooting from the live USB I entered the following:

    [CODE]sudo cryptsetup luksOpen /dev/sda6 enc-pv
    Enter passphrase for /dev/sda6:
    sudo mount /dev/vg/ubuntu-root /mnt
    sudo chroot /mnt mount /proc
    sudo mount --bind /dev /mnt/dev
    sudo chroot /mnt mount /boot
    sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
    enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
    sudo chroot /mnt update-initramfs -u
    update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
    sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt[/CODE]

    On reboot Ubuntu boots asking for only one entry of the passphrase instead of three, one for each encrypted volume.

    ==================================================================

    The only problem remaining now is that although the /dev/mapper/vg-shared volume appears like any other partition in /media/dusf/, and although I can open it without having to enter the passphrase again, I cannot create files on it.

    I have tried replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo mount /dev/vg/shared /mnt', but then when I go on to the next command 'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed to run command ‘mount’: No such file or directory'.

    Can anyone tell me how I should edit the following commands so that /dev/vg/shared not only mounts at boot, but I can also write to it?

    [CODE]sudo cryptsetup luksOpen /dev/sda6 enc-pv
    Enter passphrase for /dev/sda6:
    sudo mount /dev/vg/ubuntu-root /mnt
    sudo chroot /mnt mount /proc
    sudo mount --bind /dev /mnt/dev
    sudo chroot /mnt mount /boot
    sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
    enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
    sudo chroot /mnt update-initramfs -u
    update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
    sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt[/CODE]
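Two points in the post are worth making concrete, as an added example that is not part of dusf's post and not Ubuntu's or cryptsetup's own tooling. First, the "mounts but I cannot create files" symptom is what a freshly created ext4 filesystem looks like to an ordinary user: mkfs.ext4 leaves the filesystem's root directory owned by root with mode 0755, so LUKS unlocking and the mount both succeed, yet only root may create entries there until the directory is handed to the user once with chown (the ownership change is stored on the volume and survives reboots). Second, the 'chroot: failed to run command ‘mount’' error is expected when /mnt holds the shared data volume: chroot runs the mount binary from inside the new root, and a data-only volume has no /bin/mount, so the chroot and update-initramfs steps apply only to the installed ubuntu-root. The POSIX sh helpers below build the crypttab and fstab entries for this layout, reproduce the hyphen doubling LVM uses for /dev/mapper names (the vg-ubuntu--root case), and judge writability from the mount root's owner and mode bits. The function names, the /shared mount point and the temporary directory used in the demo are assumptions; the UUID is the one shown in the post.

```shell
#!/bin/sh
# Added example (not from the forum post): helpers for the LUKS-on-LVM
# layout described above. Function names and the /shared mount point are
# assumptions; the sample UUID is the one printed in the post.

# LVM escapes '-' in VG and LV names as '--' when it builds the
# /dev/mapper/<vg>-<lv> device name, so "vg" + "ubuntu-root" becomes
# /dev/mapper/vg-ubuntu--root while the /dev/vg/ubuntu-root alias stays plain.
mapper_name() {
    vg=$(printf '%s' "$1" | sed 's/-/--/g')
    lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# crypttab entry: <mapper name> UUID=<LUKS container UUID> none luks.
# The UUID must be the container's (blkid on /dev/sda6 in the post), not
# the UUID of a filesystem inside it, so the format is checked first.
crypttab_line() {
    name=$1; uuid=$2
    if ! printf '%s' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "crypttab_line: '$uuid' is not a UUID" >&2
        return 1
    fi
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# fstab entry for a data volume: mounted at boot, fsck pass 2 (root is 1).
# A fixed mount point is what lets ownership on the volume persist; an
# automounted /media/<user>/... path is created fresh on every boot.
fstab_line() {
    printf '%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Judge writability from the directory's owner and permission bits as shown
# by ls -ld (e.g. "drwxr-xr-x 3 root root ..."). A freshly mkfs'd ext4 root
# directory is root:root mode 0755, which is exactly what "mounts, but
# cannot create files" looks like to an ordinary user. Group membership is
# ignored here; the check is on owner and "others" bits only.
dir_write_check() {
    dir=$1; user=$2
    set -- $(ls -ld "$dir")
    perms=$1; owner=$3
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$perms" | cut -c3)    # owner write bit
    else
        bit=$(printf '%s' "$perms" | cut -c9)    # others' write bit
    fi
    if [ "$bit" = "w" ]; then
        echo writable
    else
        echo not-writable
    fi
}

# The one-time fix for a volume that fails dir_write_check: give the
# filesystem root to the user; the change is stored on the volume itself.
fix_hint() {
    printf 'sudo chown %s:%s %s\n' "$2" "$2" "$1"
}

# Stand-alone run over the post's volume names.
mapper_name vg ubuntu-root
mapper_name vg shared
crypttab_line enc-pv ad8b8a32-95ea-4add-abe6-326d151e30fa
fstab_line "$(mapper_name vg shared)" /shared
demo=$(mktemp -d)                      # constructed stand-in for a mount root
chmod 555 "$demo"
dir_write_check "$demo" "$(ls -ld "$demo" | awk '{print $3}')"
fix_hint /shared dusf
rmdir "$demo"
```

Run the script as-is to see the entries it would produce; on the real system the fstab line goes into /etc/fstab alongside the installer's entries, the crypttab line is the one the post already appends, and fix_hint prints the single chown that makes the shared volume writable for the named user once it is mounted.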
