Installing DragonFly 6.2.2 with LUKS/LVM

Udo Z cantaro at gmail.com
Fri Aug 12 06:01:32 PDT 2022


Hi Volodymyr and everyone,

> 1. I don't think hibernation is supported right now.

Thanks for the info.

> 2. You can easily use your swap partition as encrypted with:
>
> /dev/something none swap sw,crypt 0 0
>
> This will create oneshot mapped encrypted device.

Unfortunately a one-shot encrypted swap is not helpful in case a crash dump
needs to be gathered.

I played around with the installer image some more, and found the following:

* Starting things as a service, e.g. `service udevd start`, does not work
but simply running `udevd` does.

* After this I was able to create a PV and VG but got errors when creating
LVs; turns out I needed to load some modules first:

kldload dm_target_striped
kldload dm_target_linear

* However, even then creating LVs failed because the device nodes were not
being created. After adding parameter `--driverloaded n` to the lvcreate
commands, they succeeded but the LVs were still not created.

* Running `disklabel64` or `disklabel32` on the DM device did not core dump
anymore but produced an error:

# disklabel64 /dev/mapper/dfly0
disklabel64: Inappropriate ioctl for device

So I gave up on subdividing a crypt container, and set up the following
instead:

* GPT partitioning with an ESP and a DragonFly disklabel64 partition
* Boot partition (a) unencrypted, swap (b) encrypted, and root (d)
encrypted separately
* /etc/crypttab to unlock swap with a key saved on the root partition

This works, and finally I have a system where most important info is
encrypted, even if the exposed loader with all its modules still provides a
lot of potential attack surface. For thwarting an opportunistic data thief
it will do.

Best regards,
Udo