Encrypted root questions
Alex Hornung
ahornung at gmail.com
Sun Dec 12 23:05:15 PST 2010
I'm assuming you are using the 'master' branch, otherwise the
dm_target_crypt_load="YES" is not necessary. For whatever it's worth,
I've added a task to Google Code-in a few weeks ago to document all this
dm stuff, both cryptsetup and lvm, basically. Hopefully there will be a
taker.
For encrypted swap you definitely should be running the 'master' branch,
as the release dm_target_crypt, while it supports it, would have
problems under memory pressure. In any case: to set it up, you'd use the
/etc/crypttab file; just add a line a la:
swap /dev/da0s1b none none
or, possibly, setting a keyfile, if that's what you'd like to use, as
the third parameter. Man page should help you out on that. Then just add
the following line to fstab:
/dev/mapper/swap none swap sw 1 0
and you'll be all set up.
Regards,
Alex Hornung
On 13/12/2010 06:24, Tim Darby wrote:
I'm trying to set up an encrypted root filesystem with disk A
containing /boot and swap and disk B containing the encrypted root.
Having never done this before, I figured I'd
use /share/examples/rconfig/encrypted_root.sh as a guide. However, I
ran into a couple of snags, so maybe someone can tell me what I'm
doing wrong.
First, this command appears to have a typo:
cryptsetup -y luksFormat /dev/${disk}s1 <== shouldn't this be "s1d"?
Second, in these lines for loader.conf:
dm_load="YES"
initrd.img_load="YES"
initrd.img_type="md_image"
vfs.root.mountfrom="ufs:md0s0"
vfs.root.realroot="crypt:hammer:/dev/${disk}s1d:root"
This failed for me during boot right after it prompted me for the
passphrase. Eventually, I realized that it was not able to find
dm_target_crypt.ko at the point where it was trying to open the
encrypted filesystem and I was only able to get the machine to
successfully boot all the way by adding the line:
dm_target_crypt_load="YES"
I'm also interested in encrypted swap. Is there anything tricky about
setting that up?
Thanks,
Tim
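An added example, not part of the original thread or of DragonFly's own scripts: a shell check for the configuration discussed in the messages above. It flags a loader.conf whose vfs.root.realroot is a crypt: mapping without dm_target_crypt_load="YES" (needed on 'master' according to the reply) and an fstab swap line that does not resolve to a crypttab mapping. The function names, device names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread: lint the files discussed above.

# Print the last value assigned to KEY ($2) in a loader.conf-style FILE ($1).
conf_value() {
    awk -v k="$2" '{ i = index($0, "=")
        if (i && substr($0, 1, i - 1) == k) { v = substr($0, i + 1); gsub(/"/, "", v) } }
        END { print v }' "$1"
}

# Fail when the real root is a crypt mapping but dm_target_crypt is not preloaded
# (per the reply, this applies to the 'master' branch).
check_loader() {
    case "$(conf_value "$1" vfs.root.realroot)" in crypt:*) ;; *) return 0 ;; esac
    [ "$(conf_value "$1" dm_target_crypt_load)" = "YES" ] && return 0
    echo "loader.conf: crypt root but dm_target_crypt_load is not YES" >&2
    return 1
}

# Fail when an fstab ($2) swap line is not a /dev/mapper name defined in crypttab ($1).
check_swap() {
    awk '$1 ~ /^#/ { next }
        FILENAME == ARGV[1] { if (NF >= 2) map[$1] = 1; next }
        $3 != "swap" { next }
        { n = $1
          if (sub(/^\/dev\/mapper\//, "", n) == 0) { print "fstab: swap on " $1 " is not a dm mapping"; bad = 1 }
          else if (!(n in map)) { print "fstab: " $1 " has no crypttab entry"; bad = 1 } }
        END { exit bad + 0 }' "$1" "$2" >&2
}

# Constructed sample files; device names are placeholders.
d=$(mktemp -d)
cat > "$d/loader.conf" <<'EOF'
dm_load="YES"
vfs.root.mountfrom="ufs:md0s0"
vfs.root.realroot="crypt:hammer:/dev/da1s1d:root"
EOF
printf 'swap /dev/da0s1b none none\n' > "$d/crypttab"
printf '/dev/mapper/swap none swap sw 1 0\n' > "$d/fstab"
printf '/dev/da0s1b none swap sw 1 0\n' > "$d/fstab.plain"
check_loader "$d/loader.conf" || echo "fix: add dm_target_crypt_load=\"YES\""
check_swap "$d/crypttab" "$d/fstab" && echo "swap mapping consistent"
check_swap "$d/crypttab" "$d/fstab.plain" || echo "fix: point fstab at /dev/mapper/swap"
rm -rf "$d"
```

An fstab swap entry that names the raw partition is reported because it would bypass the crypttab mapping and leave swap unencrypted.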