cryptsetup-luks on fedora: step 11, 12 & 13

Step 11: Create and modify luksopen script

Copy the wonderful script called luksopen (created by embro and modified by johnny) from http://www.saout.de/tikiwiki/tiki-index.php?page=luksopen, and paste it into a new file called /sbin/luksopen.

Modify the script as follows:

a. Change devArray variable from:
devArray=(/dev/hda7 /dev/hda10 /dev/hda11 /dev/hda13)
to:
devArray=(/dev/vg0/home)
(Remember, this is the physical device used for /home. Yours is probably different.)

b. Delete the entire mapArray variable line

c. Change mntArray variable from:
mntArray=(/tmp /mnt/bergen /mnt/trondheim /mnt/oslo)
to:
mntArray=(/home)

d. Replace the line that reads:
map=${mapArray[$i]}
with:
# assign last directory name of device name to $map variable
map_elements=`echo ${devArray[$i]} | sed -e 's/^\///' -e 's/\// /g'`
for e in $map_elements ; do map=$e ; done

e. Add ' answer' (no quotes) to the following line:
read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): "
so that it looks like this:
read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): " answer

f. Delete (or comment out) the three lines at the bottom of the script that immediately precede the final 'done' command. So, if you choose to comment out those lines, they would look like this:
#if $j -le 0 || ! mount "/dev/mapper/$map" "$mnt" ; then
# echo "Failed to mount \"/dev/mapper/$map\" on \"$mnt\"" >&2
#fi
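The script as it stands after edits a through f, reconstructed here as an added example (it is not the original luksopen from saout.de): the mapper name is derived from the last path component as in step d, the answer read in step e is actually checked, and a few checks are done before the passphrase prompt. devArray and mntArray carry the page's values; cryptsetup and mount are the real commands and run only when luksopen_all is called.

```bash
#!/bin/bash
# Reconstruction of the luksopen flow after edits 11a-f (added example,
# not the original script). Lists are the page's values.
devArray=(/dev/vg0/home)
mntArray=(/home)

# Mapper name = last path component of the device, equivalent to the
# sed/for loop in step 11d (/dev/vg0/home -> home).
map_name_for() {
    local dev="${1%/}"              # tolerate a trailing slash
    [ -n "$dev" ] || return 1
    printf '%s\n' "${dev##*/}"
}

# Only a leading y/Y counts as consent; Enter alone means the default (N).
answer_is_yes() {
    case "$1" in [yY]*) return 0 ;; *) return 1 ;; esac
}

# Checks worth doing before asking for a passphrase: the device exists,
# is a LUKS container, and the mapper name is not already in use.
can_open() {
    local dev="$1" map="$2"
    [ -b "$dev" ] || { echo "$dev: not a block device" >&2; return 1; }
    [ ! -e "/dev/mapper/$map" ] || { echo "/dev/mapper/$map: already mapped" >&2; return 1; }
    cryptsetup isLuks "$dev" || { echo "$dev: not a LUKS container" >&2; return 1; }
}

# Prompt, unlock, mount; on mount failure close the mapping again so a
# half-opened volume is not left behind.
open_and_mount() {
    local dev="$1" mnt="$2" map answer
    map=$(map_name_for "$dev") || return 1
    can_open "$dev" "$map" || return 1
    read -p "Next device in list is \"$dev\". Do you want to open and mount it? (y/N): " answer
    answer_is_yes "$answer" || return 0     # skipping is not an error
    cryptsetup luksOpen "$dev" "$map" || return 1
    mount "/dev/mapper/$map" "$mnt" || { cryptsetup luksClose "$map"; return 1; }
}

# Walk both lists in step; this is the entry point rc.sysinit would call.
luksopen_all() {
    local i rc=0
    for i in "${!devArray[@]}"; do
        open_and_mount "${devArray[$i]}" "${mntArray[$i]}" || rc=1
    done
    return $rc
}
```

Saved as /sbin/luksopen with a final line calling luksopen_all, it behaves as the modified script in Step 11 is meant to.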

Step 12: Edit /etc/rc.d/rc.sysinit

During a boot, we now need to open (unlock) our encrypted partition (/dev/vg0/home) and map it to our logical volume (/dev/mapper/home) before the logical volume can be mounted on /home. Because we would like to have /home mounted during the boot (so we can log on as an unprivileged user), we need to be prompted for the LUKS passphrase (established in Step 5) before any attempts are made to mount /dev/mapper/home to /home (as configured in /etc/fstab).

Now, one could assume that simply adding /sbin/luksopen to /etc/rc.d/rc.local would result in the necessary prompting for the LUKS passphrase; however, when booting to runlevel 5 I have experienced problems getting prompted. Therefore, modifying /etc/rc.d/rc.sysinit as follows will solve the prompting problem.

Modify /etc/rc.d/rc.sysinit to include the following code . . .

# Run /sbin/luksopen to use cryptsetup to map /dev/vg0/home to /dev/mapper/home.
# (The test must be bracketed; a bare "if -x ..." is a syntax error.)
if [ -x /sbin/luksopen ] ; then
    /sbin/luksopen
fi

. . . immediately before the code where /usr/bin/rhgb is called. In Fedora Core 5 you can place the above code immediately before the comment line that reads:

# Start the graphical boot, if necessary; /usr may not be mounted yet, so we
# may have to do this again after mounting

Step 13: REBOOT

What You Can Expect

The boot process will be essentially the same as before, but this time you will be prompted with the following text shortly after the boot begins:

Next device in list is /dev/vg0/home. Do you want to open and mount it? (y/N):

You need to type y <ENTER>, and you will then be prompted to enter your passphrase. If you enter your passphrase correctly, the device (/dev/vg0/home) that you encrypted and mapped in Steps 5 and 6 above will be mapped to /dev/mapper/home and mounted to /home. The boot process will complete, and you can log on as your unprivileged user (jmaher).

(Written by John Maher, 24 May 2006)