Your Linux Data Center Experts

Last Thursday several big events occurred:

  • Fedora 8 - Werewolf was released on the world. This was a pretty smooth and good release cycle I think. If you haven't tried a Fedora release in a while, this would be one to check out.
  • My laptop drive started having uncorrectable read errors, which made it less than happy running. It would hit one of those sectors, and then go into a infinite loop of resets and drive access.

Clearly this was a sign that I should do a fresh F8 install on a new drive, and also try out Sean's root encryption HOWTO. Read on for more information about encrypted root filesystem installs.

Sean wrote up a HOWTO a while back on making your install run totally from an encrypted drive. See the HOWTO here. I've been running with an encrypted /home for a while, but it's nice to just have everything encrypted so there is no information leakage from /home to the rest of the unencrypted disk.

The above HOWTO worked pretty nicely with F8, although I did things slightly differently. The new drive (200GB) was partitioned like so:

  • /boot (unencrypted because you need to read initrd from it) - 250MB
  • / (unencrypted at first because you need to do a F8 install to it) - 5GB.
  • the rest of the drive unallocated - 195GB.

Next, do a regular install to the 5GB partition. Boot up on it, and modify the files as mentioned in the link above and create the crypted partition that will become the encrypted root. Then, reboot with 'init=/bin/sh' and copy the 5GB / over to the crypted partition. Make a new initrd and reboot to the crypted kernel entry. Everything came up nicely.

Finally, I setup the old 5GB partition I made for installing to be a encrypted swap partition. Simply add to /etc/crypttab: “cryptswap /dev/sda2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256”, and then add to your /etc/fstab: “/dev/mapper/cryptswap swap swap defaults 0 0” Which will give you a encrypted swap that gets a new random key on each boot.

Everything seems to be running along fine with the encrypted / after this setup. I am sure hoping there will be some progress in the Fedora 9 cycle to make anaconda able to create encrypted / partitions. There is a feature page for this feature, but it doesn't seem to have gotten much progress of late: I would even think that we should make Encrypted / the default at least on laptop type systems. The solution above works, but most people aren't going to go through the pain of setting it up.

There is also another nice HOWTO attached to a bug about encrypted / support: (See bug 124789)

Congrats to everyone on Fedora 8's release, and lets hope we can make progress on encrypted root filesystems for Fedora 9!

comments powered by Disqus

Join our other satisfied clients. Contact us today.