Encrypted root questions

Tim Darby t+dfbsd at timdarby.net
Mon Dec 13 07:52:33 PST 2010


Thanks!  Yes, I'm using master because I need it for the SATA ports on my motherboard.  I'd be willing to put up some documentation for this stuff, but I don't want to snatch the google code-in opportunity away from some deserving person. ;-)

Tim
On Mon, Dec 13, 2010 at 12:00 AM, Alex Hornung <ahornung at gmail.com> wrote:

I'm assuming you are using the 'master' branch, otherwise the dm_target_crypt_load="YES" is not necessary. For whatever it's worth, I've added a task to google code-in a few weeks ago to document all this dm stuff, both cryptsetup and lvm, basically. Hopefully there will be a taker.
For encrypted swap you definitely should be running the 'master' branch, as the release dm_target_crypt, while it supports it, would have problems under memory pressure. In any case: to set it up, you'd use the /etc/crypttab file; just add a line a la:
swap    /dev/da0s1b    none    none

or, possibly, setting a keyfile, if that's what you'd like to use, as the third parameter. Man page should help you out on that. Then just add the following line to fstab:

/dev/mapper/swap    none    swap    sw    1    0

and you'll be all set up.

Regards,
Alex Hornung

On 13/12/2010 06:24, Tim Darby wrote:

I'm trying to set up an encrypted root filesystem with disk A containing /boot and swap and disk B containing the encrypted root.  Having never done this before, I figured I'd use /share/examples/rconfig/encrypted_root.sh as a guide.  However, I ran into a couple of snags, so maybe someone can tell me what I'm doing wrong.
First, this command appears to have a typo:

cryptsetup -y luksFormat /dev/${disk}s1 <== shouldn't this be "s1d"?

Second, in these lines for loader.conf:

dm_load="YES"
initrd.img_load="YES"
initrd.img_type="md_image"
vfs.root.mountfrom="ufs:md0s0"
vfs.root.realroot="crypt:hammer:/dev/${disk}s1d:root"

This failed for me during boot right after it prompted me for the passphrase. Eventually, I realized that it was not able to find dm_target_crypt.ko at the point where it was trying to open the encrypted filesystem, and I was only able to get the machine to successfully boot all the way by adding the line:

dm_target_crypt_load="YES"

I'm also interested in encrypted swap. Is there anything tricky about setting that up?

Thanks,

Tim
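The thread ends up touching three files that have to agree with each other: the crypttab line Alex describes (name, device, keyfile, options), the matching /dev/mapper/<name> entry in fstab, and the loader.conf lines Tim needed before the initrd could open the encrypted volume at the passphrase prompt. The POSIX sh script below is an added example, not something from Tim's or Alex's mails and not a DragonFly tool; it cross-checks copies of those three files. The sample files it writes are constructed: da0s1b for swap is the device from the thread, while the "home" mapping, da1s1e and da1s1d are made up to show what a mismatch report looks like.

```shell
#!/bin/sh
# Added example, not part of the list thread and not a DragonFly tool:
# cross-check the three files the thread says must agree for encrypted
# root and swap: /etc/crypttab, /etc/fstab and /boot/loader.conf.
# Paths are passed in so the checks can run against copies.

# check_crypttab_fstab CRYPTTAB FSTAB
# Every mapping <name> in crypttab should be consumed by a /dev/mapper/<name>
# line in fstab (as Alex's "swap" example does). Returns 1 if any is missing.
check_crypttab_fstab() {
    crypttab=$1; fstab=$2; missing=0
    # crypttab columns, as in the thread: name  device  keyfile  options
    while read -r name device keyfile options; do
        case $name in ''|\#*) continue ;; esac
        if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "crypttab mapping '$name' ($device) has no /dev/mapper/$name line in fstab"
            missing=1
        fi
    done < "$crypttab"
    return $missing
}

# check_loader_conf LOADER_CONF
# The modules the initrd needs at the passphrase prompt must be loaded by the
# loader; Tim's boot failed until dm_target_crypt_load="YES" was added.
# Also requires vfs.root.realroot to use the crypt: scheme. Returns 1 on any problem.
check_loader_conf() {
    conf=$1; rc=0
    for var in dm_load dm_target_crypt_load initrd.img_load; do
        if ! grep -q "^$var=\"YES\"" "$conf"; then
            echo "loader.conf: missing $var=\"YES\""
            rc=1
        fi
    done
    if ! grep -q '^vfs.root.realroot="crypt:' "$conf"; then
        echo "loader.conf: vfs.root.realroot does not use the crypt: scheme"
        rc=1
    fi
    return $rc
}

# write_samples DIR
# Constructed sample files for the demo. da0s1b for swap is the device from the
# thread; the "home" mapping and da1s1e/da1s1d are made up for illustration.
write_samples() {
    dir=$1
    mkdir -p "$dir"
    printf 'swap\t/dev/da0s1b\tnone\tnone\nhome\t/dev/da1s1e\tnone\tnone\n' > "$dir/crypttab"
    # fstab only knows the swap mapping, so "home" will be reported
    printf '/dev/mapper/swap\tnone\tswap\tsw\t1\t0\n' > "$dir/fstab"
    # loader.conf as first posted (no dm_target_crypt_load), then the corrected one
    printf 'dm_load="YES"\ninitrd.img_load="YES"\ninitrd.img_type="md_image"\n' > "$dir/loader.conf.bad"
    printf 'vfs.root.mountfrom="ufs:md0s0"\nvfs.root.realroot="crypt:hammer:/dev/da1s1d:root"\n' >> "$dir/loader.conf.bad"
    { cat "$dir/loader.conf.bad"; printf 'dm_target_crypt_load="YES"\n'; } > "$dir/loader.conf.good"
}

main() {
    d=${TMPDIR:-/tmp}/crypt-check.$$
    write_samples "$d"
    if check_crypttab_fstab "$d/crypttab" "$d/fstab"; then echo "crypttab/fstab: OK"; fi
    if check_loader_conf "$d/loader.conf.bad"; then echo "loader.conf.bad: OK"; fi
    if check_loader_conf "$d/loader.conf.good"; then echo "loader.conf.good: OK"; fi
    rm -r "$d"
}

main "$@"
```

Against a real system you would call the two check functions with /etc/crypttab, /etc/fstab and /boot/loader.conf directly; the loader.conf check is the one that catches the failure mode Tim hit, since nothing in the boot path complains about a missing dm_target_crypt_load until the initrd has already asked for the passphrase.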
