Disk encryption in Ubuntu

From RVM Wiki
Latest revision as of 10:44, 18 December 2012

Installation from scratch

  • Everything is done from the menus with the alternate CD


Reinstallation without upgrade, keeping the encrypted volumes

  • Or from the desktop CD, to recover volumes in use, for example /home
sudo apt-get install lvm2 cryptsetup

vgchange -ay
cryptsetup luksOpen /dev/vg0/lv0 cryptroot
cryptsetup luksOpen /dev/vg0/lv1 crypthome
cryptsetup luksOpen /dev/vg0/lv2 cryptswap
  • Install, formatting cryptroot but not crypthome
  • Before rebooting, chroot into the root, bind-mounting the sysfs filesystems, and install what is needed
sudo mount /dev/mapper/cryptroot /mnt/root
sudo mount -o bind /dev /mnt/root/dev
...
sudo chroot /mnt/root
sudo apt-get install lvm2 cryptsetup
...

Converting a plain installation into an encrypted one

  • Make a tar of everything
  • Keep /boot unencrypted
  • Configure LVM
  • Configure cryptsetup on top of LVM
  • Create cryptroot with this name
  • Create crypthome with this name
  • Create cryptswap with this name
  • Edit /etc/fstab
  • Reinstall grub2
  • Create the crypttab so that, at boot, you are asked to open all the devices:
sudoedit /etc/crypttab
# <target name> <source device>                 <key file>      <options>
cryptroot                       /dev/mapper/vg0-lv0             none           luks
crypthome                       /dev/mapper/vg0-lv1             none           luks
cryptswap                       /dev/mapper/vg0-lv2             none           luks
  • Add the specification of how to mount cryptroot as a kernel parameter
sudoedit /etc/default/grub
GRUB_CMDLINE_LINUX="splash cryptopts=source=/dev/mapper/vg0-lv0,target=cryptroot"
  • In practice, the format is
cryptopts=source=DEVICE_CONTAINING_THE_ENCRYPTED_VOLUME,target=NAME_OF_THE_ENCRYPTED_VOLUME_AS_IN_CRYPTTAB
  • If instead you have a LUKS volume underneath an LVM volume that holds the root, append to cryptopts:
,lvm=NAME_OF_THE_LVM_VOLUME_USED_FOR_ROOT
FIXME: Linux Mint Forums • View topic - (SOLVED) LUKS/dm-crypt & LVM boot sequence incorrect! (http://forums.linuxmint.com/viewtopic.php?f=189&t=83763)
  • Update grub and the initrd:
sudo update-grub
sudo update-initramfs -u -k all
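
A consistency check for the two files edited above, as an added example that is not part of the original wiki page: it verifies that the target= and source= in cryptopts match an entry in crypttab. The function name check_cryptopts and the sample files are constructed for illustration, and it assumes cryptopts= is set in GRUB_CMDLINE_LINUX as on this page.

```sh
#!/bin/sh
# Added example: check that cryptopts= in the grub defaults agrees with crypttab.
# check_cryptopts CRYPTTAB GRUBFILE
#   returns 0 = consistent, 1 = mismatch, 2 = cryptopts missing or incomplete
check_cryptopts() {
    crypttab=$1; grubfile=$2; opts=; target=; src=
    # Value of the last uncommented GRUB_CMDLINE_LINUX="..." assignment.
    cmdline=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$grubfile" | tail -n 1)
    for word in $cmdline; do
        case $word in cryptopts=*) opts=${word#cryptopts=} ;; esac
    done
    if [ -z "$opts" ]; then echo "no cryptopts= in GRUB_CMDLINE_LINUX"; return 2; fi
    # Split the comma-separated key=value list (source=, target=, optionally lvm=).
    old_ifs=$IFS; IFS=,
    for kv in $opts; do
        case $kv in
            target=*) target=${kv#target=} ;;
            source=*) src=${kv#source=} ;;
        esac
    done
    IFS=$old_ifs
    if [ -z "$target" ] || [ -z "$src" ]; then
        echo "cryptopts lacks source= or target="; return 2
    fi
    # crypttab columns: <target name> <source device> <key file> <options>
    tab_src=$(awk -v t="$target" '$1 == t { print $2; exit }' "$crypttab")
    if [ -z "$tab_src" ]; then
        echo "target '$target' has no entry in $crypttab"; return 1
    fi
    if [ "$tab_src" != "$src" ]; then
        echo "source for '$target' differs: grub=$src crypttab=$tab_src"; return 1
    fi
    echo "ok: $target on $src"
}

# Constructed sample files mirroring this page's configuration (nothing is read from /etc).
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
# <target name> <source device>  <key file>  <options>
cryptroot  /dev/mapper/vg0-lv0  none  luks
crypthome  /dev/mapper/vg0-lv1  none  luks
EOF
echo 'GRUB_CMDLINE_LINUX="splash cryptopts=source=/dev/mapper/vg0-lv0,target=cryptroot"' > "$demo_dir/grub.ok"
echo 'GRUB_CMDLINE_LINUX="splash cryptopts=source=/dev/mapper/vg0-lv0,target=cryotroot"' > "$demo_dir/grub.typo"
check_cryptopts "$demo_dir/crypttab" "$demo_dir/grub.ok"
check_cryptopts "$demo_dir/crypttab" "$demo_dir/grub.typo" || echo "fix cryptopts before rebooting"
rm -rf "$demo_dir"
```

On a real system the call would be check_cryptopts /etc/crypttab /etc/default/grub, run before update-grub and the reboot.
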

I am currently using everything in my message... posting from a computer with everything except /boot encrypted.

The swap partition is set up with a random key. I am pretty sure the luks and swap options probably don't work together, but the swap by itself works fine.

As for initramfs-tools, to autoconfigure it also needs the partitions to be mounted. On the other hand, you can pass all the options on the kernel command line in grub.

root=/dev/mapper/zeuslvm-root
cryptopts="target=cryptroot,source=/dev/sda4,lvm=zeuslvm-root"

then this is used instead of whatever the mkinitramfs script found, so could be used the first time you boot before mkinitramfs can run correctly.

The lvm option tells the initramfs script to test the partition created by the cryptmap for lvm, and if so configure it... the root= option then uses the lvm partition found. If you didn't have lvm, you could just use something like (I haven't tested this, but it should work)

root=/dev/mapper/cryptroot
cryptopts="target=cryptroot,source=/dev/sda4"

As for the installer, what I did is created a 2G swap partition, and installed debian (basic) into the swap partition. I then created the crypt partition and set up lvm and everything, and then used debootstrap to install. After it was installed and booting, I turned the swap partition back into a swap partition.


  • If it does not mount at boot, open cryptroot with
vgchange -ay
cryptsetup luksOpen /dev/vg0/lv0 cryptroot
cryptsetup luksOpen /dev/vg0/lv1 crypthome
cryptsetup luksOpen /dev/vg0/lv2 cryptswap


References