cryptsetup-luks on fedora

Take a Fedora Core 5 system and encrypt (using dm-crypt and LUKS) the partition that gets mounted on /home.

Note that /home needs to be on its own partition, not on the / partition. Also, in words similar to those from night-shade, I have tested this with LVM2 devices containing nothing important. It worked for me but you are advised to have current working backups if the data matters to you. Because we are dealing with the /home partition, these instructions will also explain how to ensure that the /home partition is mounted during a boot.

Step 0: Log on as root

Because you will need to unmount /home, log on as root at a console rather than using su from an unprivileged account: a shell started under that account has its working directory (and usually open files) under /home, and umount will refuse with "device is busy".

Step 1: Backup /home

Presumably you would like to return to the same Home environment that you started with before you encrypted your /home partition, so you need to back up the contents of /home. (Be aware that these instructions will not necessarily restore your Home environment EXACTLY as it was before you encrypted /home. Please read all of these instructions before proceeding, so that you are sure that this solution will work for you.) In this HOWTO, we will assume there is only one unprivileged user (jmaher) on the system, so only /home/jmaher needs to be backed up. One way to back up this directory is to use the following commands:

# mkdir /root/jmaher
# /bin/cp -a /home/jmaher/. /root/jmaher

The -a option is for archiving files and directories: it recurses and preserves permissions, ownership, timestamps and symbolic links. The trailing /. makes cp copy the whole contents of /home/jmaher, hidden files included. Do not write this as /home/jmaher/.* instead: that glob matches only the hidden entries, and it also expands to . and .., so cp is told to copy the parent directory /home as well. Compare the two directories with diff -r before going any further, because the partition is about to be overwritten.

Step 2: Remove the user whose Home directory we just backed up

We will be recreating the unprivileged user (jmaher) after we have encrypted and re-mounted our /home directory, so we should clean things up first and remove that account. Before you do, note the account's numeric UID and GID (id jmaher shows them): the backup keeps the numeric owner of every file, and Step 9 is simplest if the account is recreated with the same numbers.
# userdel jmaher
 
Step 3: Get the correct cryptsetup version
 
You need the version of cryptsetup with LUKS support. You can determine whether the correct version of cryptsetup is installed using the command:

# cryptsetup --help

You should see "cryptsetup-luks" near the top of the output, and the list of actions should include luksFormat, luksOpen and luksDump. A plain cryptsetup without those actions can only set up plain dm-crypt mappings and will not work with the steps below.
If you do not have cryptsetup, you can install it using yum (assuming yum has been properly configured):
 
# yum -y install cryptsetup-luks
 
The -y option will assume that the answer is yes to any question that would be presented during the execution of yum.


Step 4a: (Optional) Check the hard disk for errors and fill it with random data.

(Much of the following was shamelessly lifted from William Owen Smith's HOWTO: EncryptedDeviceUsingLUKS.)

It's probably a good idea to check for errors on the partition where /home will be mounted. Not only is this good practice, but modern hard disks contain a few 'spare' sectors, and if they detect errors in reading, they can silently replace the bad sector with a backup sector (this is invisible to the OS). So writing and reading the entire disk before you start should allow this to happen.

We will now use the information in /etc/fstab to determine the partition that is currently mounted on /home. (This partition may be represented as a logical volume, as it is in the example below.) You should see a line in /etc/fstab that is similar to the following:

/dev/vg0/home /home ext3 defaults 1 2

The above line indicates that /dev/vg0/home, which is actually a logical volume, is currently mounted on /home. We will use it as our physical device. We need to unmount this device in order to proceed with the next steps:

# umount /home

It's good to fill the device with random data before formatting it. This does not make the passphrase any harder to guess; what it does is overwrite whatever plaintext was on the partition before, and make unused space indistinguishable from encrypted data, so that someone who images the disk cannot tell how much of the volume is actually in use. The badblocks method below uses a simple pseudo-random generator whose output a determined analyst could recognise as filler; if that matters to you, use the /dev/urandom method shown in Step 4b.

The following command will perform a disk check and fill the disk with random data at the same time. Read the man page for more details on this command:

# /sbin/badblocks -c 10240 -s -w -t random -v /dev/vg0/home
(wait several hours...)
Checking for bad blocks in read-write mode
From block 0 to 295360984
done
Reading and comparing: done
Pass completed, 0 bad blocks found.
#

The -c option tests 10,240 blocks at a time. The -s option shows the progress of the scan by writing out the block numbers as they are checked. The -w option scans for bad blocks by writing patterns (by default 0xaa, 0x55, 0xff, 0x00) to every block of the device, reading every block back and comparing the contents. The -t random option replaces those fixed patterns with a pseudo-random one, so a single pass both tests the device and leaves it filled with random-looking data. The -v option indicates verbose mode. The physical device (logical volume) is /dev/vg0/home.

This will take some time. On William Owen Smith's USB-attached 300 GB disk it took around 8 hours. Phase 1 writes random data to the disk, phase 2 reads it back and verifies it.

Step 4b: (Optional) Fill the disk with random data

If you didn't do Step 4a (or you left out the -t random option), do Step 4b. This will take a long time, because generating good quality random data is very CPU intensive. However, the kernel's random number generator is 'more random' (and more secure) than the primitive generator built into badblocks: its output cannot be told apart from the encrypted data that will later surround it.

One minor advantage of the badblocks method in Step 4a is that it has a progress indicator, while dd only shows its progress when a USR1 signal is sent to it (kill -USR1 `pidof dd`).

# dd if=/dev/urandom of=/dev/vg0/home bs=1M
(wait several hours...)

The bs=1M option makes dd write in 1 MiB chunks instead of its 512-byte default, which is considerably faster. dd ends with a "No space left on device" message when it reaches the end of the volume; that is the expected ending, not an error.


Step 5: Initialize a LUKS partition and set the initial key

This step writes a LUKS header to the device. cryptsetup generates a random master key that will encrypt the data and stores a copy of it in a key slot, protected by the passphrase you enter; the header also records the cipher and key size in use. The mapping to a usable block device is created in Step 6.

In this HOWTO, our physical partition will actually be a logical volume. By default, when installing Fedora Core 5, a volume group and logical volumes within the volume group are created. The volume group is called VolGroup00, and the logical volumes are called LogVol00, LogVol01, etc., one for each of the partitions. However, in this HOWTO, our volume group will be called vg0, and the logical volume that will eventually get mounted on /home will be called home. So, the full path of the physical partition that will be mounted on /home (when we are done) is /dev/vg0/home. (Your device path will likely be different, but you need to identify the device that is currently mounted on /home.)

With that said, let's use the following command to initialize a LUKS partition and set the initial key using a passphrase (note, this will wipe out all data on the /home partition):

# cryptsetup --verbose --verify-passphrase luksFormat /dev/vg0/home

WARNING!
========
This will overwrite data on /dev/vg0/home irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: (enter your passphrase, and keep it somewhere safe: without it the data is unrecoverable)
Verify passphrase: (repeat passphrase)

Without further options, cryptsetup formats the device with its compiled-in default cipher and key size; pass -c and -s if you want something else, and run cryptsetup luksDump /dev/vg0/home afterwards to see exactly what the header records. A second passphrase can be added later with cryptsetup luksAddKey, which is cheap insurance against forgetting the first one.

Step 6: Create a mapping between physical and logical partitions

# cryptsetup luksOpen /dev/vg0/home home
Enter LUKS passphrase:
#

If all is well, you now have a block device node /dev/mapper/home; everything read from or written to it is decrypted and encrypted transparently with the master key unlocked by your passphrase. This is what you will mount on /home. Verify that it was created:

# ls -l /dev/mapper/

total 0
crw------- 1 root root 10, 63 May 24 06:52 control
brw-rw---- 1 root disk 253, 4 May 24 10:54 home
brw-rw---- 1 root disk 253, 1 May 24 06:52 vg0-home
brw-rw---- 1 root disk 253, 0 May 24 10:53 vg0-root
brw-rw---- 1 root disk 253, 2 May 24 06:52 vg0-swap

Notice the other logical volumes (vg0-home, vg0-root, and vg0-swap) that were created when Fedora Core 5 was installed. (I renamed these volumes during the installation; they were originally VolGroup00-LogVol00, VolGroup00-LogVol01, etc.) Using logical volumes (like /dev/vg0/home) as physical devices can be confusing. It may help to remember that when we refer to physical devices we use the names in the volume group directory (example: /dev/vg0), and when we refer to logical devices we use the names in /dev/mapper (i.e., they have been mapped and are ready to use). (Yes, it's confusing that the LVM volumes under /dev/vg0 also appear in /dev/mapper; that is because LVM is built on the same device-mapper layer as dm-crypt. Try to ignore them.)


Step 7: Create a filesystem on the new logical partition

For this HOWTO, we make an ext3 file system on /dev/mapper/home using the following command. The -m 1 option reserves 1% of the blocks for root instead of the default 5%, which is plenty for a partition that holds only user data; -j (create a journal) is already implied by mkfs.ext3:

# /sbin/mkfs.ext3 -j -m 1 /dev/mapper/home

(wait several minutes...)
mke2fs 1.35 (28-Feb-2004)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
36634624 inodes, 73258400 blocks
732584 blocks (1.00%) reserved for the super user
First data block=0
2236 block groups
32768 blocks per group, 32768 fragments per group
16384 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616

Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 39 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
#

(Note, the above output was borrowed from William Owen Smith's HOWTO: "EncryptedDeviceUsingLUKS".)

Step 8: Mount the filesystem

Mount your new logical device /dev/mapper/home to /home.

# mount /dev/mapper/home /home

View the file system's disk usage to verify that it worked:

# df -h /dev/mapper/home
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/home 4.0G 80M 3.8G 3% /home


Step 9: Restore the user's Home directory

Re-create the unprivileged user:

# useradd -m jmaher
# passwd jmaher
Changing password for user jmaher.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
#

The -m option creates the user's home directory, using the files and directories in /etc/skel as a template. Check that the account received the same UID and GID you noted in Step 2; if it did not, delete it and recreate it with useradd -u <uid> -m jmaher, or fix up the ownership of the restored files afterwards.

Now we need to copy MOST of the user's backed-up files back to the user's Home directory. I say MOST because I have found that copying all of the files back to the user's Home directory will break the use of the Home directory for that user. I have not investigated this, so someone else may want to comment as to the reason for this. Basically, I found it safe to copy all non-hidden files and directories back to /home/jmaher using the following command:

# /bin/cp -r --preserve /root/jmaher/* /home/jmaher

The -r option allows recursion into subdirectories, and the --preserve option preserves the mode, ownership and timestamps of the files and directories. Because the numeric owner is preserved, files restored this way belong to the new account only if it has the same UID as the old one; otherwise follow up with chown -R jmaher:jmaher /home/jmaher.

I would recommend selectively copying hidden files and directories for those applications you find most important. For example, I really wanted my Thunderbird, Firefox, and ssh settings to be restored, so I used the following commands:

# /bin/cp -r --preserve /root/jmaher/.thunderbird /home/jmaher
# /bin/cp -r --preserve /root/jmaher/.mozilla /home/jmaher
# /bin/cp -r --preserve /root/jmaher/.ssh /home/jmaher

If you had previously modified .bashrc, .bash_profile, or .bash_logout, then you may want to copy those files as well. Name each hidden entry explicitly, as above; a .* glob also expands to . and .. and would pull the parent directory into the copy.

Don't reboot yet, but you should now be able to test your work by logging on as the unprivileged user (jmaher) with the following command:

# su - jmaher

After confirming that you can log on as the unprivileged user without errors indicating that the user's environment in /home is missing, log off to return to root.

# logout
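As an added example for Steps 1 and 9 (this is not code from the original HOWTO), here are the backup and the restore as two shell functions that avoid the .* glob problem, verify the copy before the partition is wiped, and reset ownership once the account has been recreated. The source and destination paths and the user name are parameters; the backup location /root/jmaher and the account jmaher are the HOWTO's own, and GNU cp and chown, as shipped with Fedora, are assumed.

```shell
#!/bin/sh
# Back up and restore one user's home directory across the re-format.
# Added example for this HOWTO (not the original author's commands).
# Assumes GNU cp/chown; paths and the user name are parameters so the
# functions can be tried on a scratch directory before being pointed
# at /home/jmaher.

# backup_home SRC DST
# Copy everything in SRC, dotfiles included, into DST and verify the copy.
# "SRC/." names the directory itself, so cp -a copies its whole content and
# keeps modes, owners, timestamps and symlinks.  A "SRC/.*" glob is wrong:
# it matches only the hidden entries and also expands to "." and "..".
backup_home() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    cp -a "$src/." "$dst/" || return 1
    # Refuse to report success unless the copy is complete; this is the
    # last chance to notice a problem before Step 5 overwrites the partition.
    diff -r "$src" "$dst" >/dev/null
}

# restore_home SRC DST USER [ENTRY...]
# Copy the backup into the freshly created home directory.  With no ENTRY
# arguments everything is restored; otherwise only the named entries are
# (for example .ssh .mozilla .thunderbird), which is how the HOWTO restores
# dotfiles selectively.  Ownership is then reset to USER, because a
# recreated account may have received a different numeric UID than the
# one cp -a preserved in the backup.
restore_home() {
    src=$1; dst=$2; user=$3; shift 3
    if [ $# -eq 0 ]; then
        cp -a "$src/." "$dst/" || return 1
    else
        for entry; do
            cp -a "$src/$entry" "$dst/" || return 1
        done
    fi
    chown -R "$user:" "$dst"     # "user:" means USER and USER's login group
}

# Intended use, as root, around the re-format (kept as comments so that the
# file can be sourced without touching /home):
#   backup_home  /home/jmaher /root/jmaher                       # Step 1
#   restore_home /root/jmaher /home/jmaher jmaher                # Step 9, all
#   restore_home /root/jmaher /home/jmaher jmaher .ssh .mozilla  # Step 9, some
```

Run backup_home before Step 2 and restore_home after the useradd in Step 9; a non-zero exit status from backup_home means the backup is incomplete and the re-format must not proceed.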

Step 10: Modify /etc/fstab

Some aspects of the boot sequence need to be changed, because the physical volume (/dev/vg0/home) that used to be mounted on /home is now encrypted and is no longer a recognizable file system as far as /bin/mount is concerned. Once cryptsetup has opened the device (cryptsetup luksOpen /dev/vg0/home home), /bin/mount sees an ext3 file system on /dev/mapper/home, and that device can be mounted.

So here are the steps to do that.

Change the line in /etc/fstab that mounted the Home directory so that:
(a) the first field refers to /dev/mapper/home rather than /dev/vg0/home
(b) the fifth field no longer marks this device for the dump command
(c) the sixth field (0) tells fsck not to check this device at boot time. With a non-zero pass number, a boot in which the device was not unlocked (you answered N at the prompt, or the passphrase was rejected) would fail into the repair shell because /dev/mapper/home does not exist. The cost is that the file system is never checked automatically, so run fsck on /dev/mapper/home by hand, with /home unmounted, from time to time.

In short, change the line that looks similar to this:

/dev/vg0/home /home ext3 defaults 1 2

and change it to this:

/dev/mapper/home /home ext3 defaults 0 0


Step 11: Create and modify luksopen script

Copy the wonderful script called luksopen (created by embro and modified by johnny) from http://www.saout.de/tikiwiki/tiki-index.php?page=luksopen, and paste it into a new file called /sbin/luksopen.

Modify the script as follows:

a. Change devArray variable from:
devArray=(/dev/hda7 /dev/hda10 /dev/hda11 /dev/hda13)
to:
devArray=(/dev/vg0/home)
(Remember, this is the physical device used for /home. Yours is probably different.)

b. Delete the entire mapArray variable line

c. Change mntArray variable from:
mntArray=(/tmp /mnt/bergen /mnt/trondheim /mnt/oslo)
to:
mntArray=(/home)

d. Replace the line that reads:
map=${mapArray[$i]}
with:
# assign last directory name of device name to $map variable
map_elements=`echo ${devArray[$i]} | sed -e 's/^\///' -e 's/\// /g'`
for e in $map_elements ; do map=$e ; done

e. Add ' answer' (no quotes) to the following line:
read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): "
so that it looks like this:
read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): " answer

f. Delete (or comment out) the three lines at the bottom of the script that immediately precede the final 'done' command; mounting is left to the /etc/fstab entry from Step 10. If you choose to comment out those lines, they would look like this:
#if $j -le 0 || ! mount "/dev/mapper/$map" "$mnt" ; then
# echo "Failed to mount \"/dev/mapper/$map\" on \"$mnt\"" >&2
#fi

Step 12: Edit /etc/rc.d/rc.sysinit

During a boot, we now need to open (unlock) our encrypted partition (/dev/vg0/home) and map it to /dev/mapper/home before that device can be mounted on /home. Because we would like to have /home mounted during the boot (so we can log on as an unprivileged user), we need to be prompted for the LUKS passphrase (established in Step 5) before any attempt is made to mount /dev/mapper/home on /home (as configured in /etc/fstab).

Now, one could assume that simply adding /sbin/luksopen to /etc/rc.d/rc.local would result in the necessary prompting for the LUKS passphrase; however, when booting to runlevel 5 I have experienced problems getting prompted. Therefore, modifying /etc/rc.d/rc.sysinit as follows will solve the prompting problem.

Modify /etc/rc.d/rc.sysinit to include the following code . . .

# Run /sbin/luksopen to use cryptsetup to map /dev/vg0/home to /dev/mapper/home.
# (The [ ] around -x are required: rc.sysinit is a shell script, and a
# syntax error at this point would abort the boot.)
if [ -x /sbin/luksopen ]; then
    /sbin/luksopen
fi

. . . immediately before the code where /usr/bin/rhgb is called. In Fedora Core 5 you can place the above code immediately before the comment line that reads:

# Start the graphical boot, if necessary; /usr may not be mounted yet, so we
# may have to do this again after mounting
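As an added example for Steps 10 to 12 (written for this edit; it is neither the saout.de luksopen script that Step 11 modifies nor the author's version of it), the following is a self-contained /sbin/luksopen that does the same job: it derives the mapping name from the device path, warns if /etc/fstab still names the raw device instead of /dev/mapper/home, asks before unlocking, and gives three passphrase attempts. The device list (/dev/vg0/home on /home) is the HOWTO's layout and is an assumption to edit for your system. As in the trimmed script of Step 11, mounting is deliberately left to the /etc/fstab entry from Step 10 and the mount -a that rc.sysinit runs later.

```shell
#!/bin/sh
# /sbin/luksopen: unlock LUKS devices early in the boot so that the later
# "mount -a" in rc.sysinit can mount /dev/mapper/<name> from /etc/fstab.
# Added example for this HOWTO; not the saout.de script that Step 11 edits.
# Assumed layout: one device, /dev/vg0/home, mounted on /home.
# Each entry in PAIRS is "rawdevice:mountpoint".
PAIRS="/dev/vg0/home:/home"
FSTAB=${FSTAB:-/etc/fstab}
MAX_TRIES=3

# Mapping name = last component of the device path (/dev/vg0/home -> home),
# the same name that "cryptsetup luksOpen /dev/vg0/home home" used in Step 6.
map_name_for_dev() {
    printf '%s\n' "${1##*/}"
}

# Print the device field of the entry in fstab file $1 whose mount point is
# $2.  Comment lines are skipped; nothing is printed if there is no entry.
fstab_device_for_mountpoint() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 2 && $2 == mp { print $1; exit }' "$1"
}

# Unlock one device, giving the user MAX_TRIES passphrase attempts.
# cryptsetup prompts on the console itself and exits non-zero on a wrong
# passphrase, so the loop simply retries on failure.
open_one() {
    dev=$1
    map=$(map_name_for_dev "$dev")
    if [ -b "/dev/mapper/$map" ]; then
        echo "luksopen: $dev is already mapped to /dev/mapper/$map"
        return 0
    fi
    if ! cryptsetup isLuks "$dev"; then
        echo "luksopen: $dev has no LUKS header, skipping" >&2
        return 1
    fi
    n=1
    while [ "$n" -le "$MAX_TRIES" ]; do
        cryptsetup luksOpen "$dev" "$map" && return 0
        echo "luksopen: could not unlock $dev (attempt $n of $MAX_TRIES)" >&2
        n=$((n + 1))
    done
    return 1
}

main() {
    rc=0
    for pair in $PAIRS; do
        dev=${pair%%:*}
        mnt=${pair#*:}
        map=$(map_name_for_dev "$dev")
        # Catch the Step 10 mistake early: fstab must name the mapped device,
        # not the raw LUKS device, or the mount of $mnt will fail later.
        if [ "$(fstab_device_for_mountpoint "$FSTAB" "$mnt")" != "/dev/mapper/$map" ]; then
            echo "luksopen: warning: $FSTAB does not mount /dev/mapper/$map on $mnt" >&2
        fi
        printf 'Next device in list is "%s". Do you want to open and mount it? (y/N): ' "$dev"
        read -r answer
        case $answer in
            y|Y|yes|YES) open_one "$dev" || rc=1 ;;
            *)           echo "luksopen: skipping $dev; $mnt will not be mounted" ;;
        esac
    done
    return $rc
}

# Only run the interactive part when installed and invoked as luksopen, so
# the helper functions can be sourced and checked without touching a device.
case ${0##*/} in
    luksopen) main ;;
esac
```

Install it as /sbin/luksopen, make it executable (chmod 755 /sbin/luksopen), and call it from rc.sysinit as in Step 12. A user who answers N, or fails all three attempts, simply boots without /home; nothing else in the boot sequence depends on the mapping.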

Step 13: REBOOT

What You Can Expect

The boot process will be essentially the same as before, but this time you will be prompted with the following text shortly after the boot begins:

Next device in list is /dev/vg0/home. Do you want to open and mount it? (y/N):

You need to type y <ENTER>, and you will then be prompted to enter your passphrase. If you enter your passphrase correctly, the device (/dev/vg0/home) that you encrypted and mapped in Steps 5 and 6 above will be mapped to /dev/mapper/home and mounted on /home. The boot process will complete, and you can log on as your unprivileged user (jmaher).

(Written by John Maher, 24 May 2006)
