Last Thursday several big events occurred:
Clearly this was a sign that I should do a fresh F8 install on a new drive, and also try out Sean's root encryption HOWTO. Read on for more information about encrypted root filesystem installs.
Sean wrote up a HOWTO a while back on making your install run totally from an encrypted drive. See the HOWTO here. I've been running with an encrypted /home for a while, but it's nice to just have everything encrypted so there is no information leakage from /home to the rest of the unencrypted disk.
The above HOWTO worked pretty nicely with F8, although I did things slightly differently. The new drive (200GB) was partitioned like so:
Next, do a regular install to the 5GB partition. Boot up on it, and modify the files as mentioned in the link above and create the crypted partition that will become the encrypted root. Then, reboot with 'init=/bin/sh' and copy the 5GB / over to the crypted partition. Make a new initrd and reboot to the crypted kernel entry. Everything came up nicely.
Finally, I set up the old 5GB partition I made for installing to be an encrypted swap partition. Simply add to /etc/crypttab: "cryptswap /dev/sda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256", and then add to your /etc/fstab: "/dev/mapper/cryptswap swap swap defaults 0 0", which will give you an encrypted swap that gets a new random key on each boot.
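To confirm that no swap entry still points at a plaintext partition after a setup like this, the following added example (not part of the original post or of Sean's HOWTO) cross-checks the contents of /etc/crypttab and /etc/fstab. The function names and the plaintext fstab line are constructed for illustration; the two PAGE_ strings are the lines quoted above.

```python
"""Check that every swap entry in fstab sits on a random-key dm-crypt mapping."""
RANDOM_KEYS = {"/dev/urandom", "/dev/random"}
# The two configuration lines quoted in the post.
PAGE_CRYPTTAB = "cryptswap /dev/sda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256\n"
PAGE_FSTAB = "/dev/mapper/cryptswap swap swap defaults 0 0\n"

def _fields(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_crypttab(text):
    """Map each mapping name to (key file, set of options)."""
    table = {}
    for f in _fields(text):
        if len(f) >= 2:
            key = f[2] if len(f) > 2 else "none"
            opts = set(f[3].split(",")) if len(f) > 3 else set()
            table[f[0]] = (key, opts)
    return table

def audit_swap(crypttab_text, fstab_text):
    """Return (device, problem) pairs for swap entries that could leak to disk."""
    mappings = parse_crypttab(crypttab_text)
    findings = []
    for f in _fields(fstab_text):
        if len(f) < 3 or f[2] != "swap":
            continue  # the third fstab field is the filesystem type
        dev = f[0]
        if not dev.startswith("/dev/mapper/"):
            findings.append((dev, "swap is not on a /dev/mapper device"))
            continue
        entry = mappings.get(dev[len("/dev/mapper/"):])
        if entry is None:
            findings.append((dev, "no matching crypttab entry"))
            continue
        key, opts = entry
        if key not in RANDOM_KEYS:
            findings.append((dev, "key is not random per boot"))
        if "swap" not in opts:
            findings.append((dev, "crypttab entry lacks the swap option"))
    return findings

if __name__ == "__main__":
    print(audit_swap(PAGE_CRYPTTAB, PAGE_FSTAB))
    # Constructed sample: swap left on the raw partition.
    print(audit_swap(PAGE_CRYPTTAB, "/dev/sda2 swap swap defaults 0 0\n"))
```

On a real system, pass in the text of /etc/crypttab and /etc/fstab; an empty list means every swap entry is backed by a mapping that is re-keyed on each boot.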
Everything seems to be running along fine with the encrypted / after this setup. I am sure hoping there will be some progress in the Fedora 9 cycle to make anaconda able to create encrypted / partitions. There is a feature page for this feature, but it doesn't seem to have gotten much progress of late: http://fedoraproject.org/wiki/Releases/FeatureEncryptedFilesystems. I would even think that we should make Encrypted / the default at least on laptop type systems. The solution above works, but most people aren't going to go through the pain of setting it up.
There is also another nice HOWTO attached to a bug about encrypted / support: (See bug 124789)
Congrats to everyone on Fedora 8's release, and let's hope we can make progress on encrypted root filesystems for Fedora 9!