Encrypted root questions

Alex Hornung ahornung at gmail.com
Sun Dec 12 23:05:15 PST 2010


I'm assuming you are using the 'master' branch, otherwise the 
dm_target_crypt_load="YES" is not necessary. For whatever it's worth, 
I've added a task to google code-in a few weeks ago to document all this 
dm stuff, both cryptsetup and lvm, basically. Hopefully there will be a 
taker.

For encrypted swap you definitely should be running the 'master' branch, 
as the release dm_target_crypt, while it supports it, would have 
problems under memory pressure. In any case: to set it up, you'd use the 
/etc/crypttab file; just add a line a la:

swap    /dev/da0s1b    none    none

or, possibly, setting a keyfile, if that's what you'd like to use, as 
the third parameter. Man page should help you out on that. Then just add 
the following line to fstab:

/dev/mapper/swap    none    swap    sw    1    0

and you'll be all set up.

Regards,
Alex Hornung
On 13/12/2010 06:24, Tim Darby wrote:
I'm trying to set up an encrypted root filesystem with disk A 
containing /boot and swap and disk B containing the encrypted root. 
 Having never done this before, I figured I'd 
use /share/examples/rconfig/encrypted_root.sh as a guide.  However, I 
ran into a couple of snags, so maybe someone can tell me what I'm 
doing wrong.

First, this command appears to have a typo:

cryptsetup -y luksFormat /dev/${disk}s1 <== shouldn't this be "s1d"?

Second, in these lines for loader.conf:



dm_load="YES"
initrd.img_load="YES"
initrd.img_type="md_image"
vfs.root.mountfrom="ufs:md0s0"
vfs.root.realroot="crypt:hammer:/dev/${disk}s1d:root"



This failed for me during boot right after it prompted me for the 
passphrase. Eventually, I realized that it was not able to find 
dm_target_crypt.ko at the point where it was trying to open the 
encrypted filesytem and I was only able to get the machine to 
successfully boot all the way by adding the line:

dm_target_crypt_load="YES"

I'm also interested in encrypted swap. Is there anything tricky about 
setting that up?

Thanks,

Tim






More information about the Users mailing list