* Boot off of a Live CD, I used Fedora Core 9 Preview
* Find out which disk is which; for me /dev/sda was the external usb, and /dev/sdb was the internal
sfdisk -d /dev/sdb | sfdisk /dev/sda* Change the partition type to 83 for /dev/sdb2
pvcreate --verbose /dev/sda2
vgextend --verbose VolGroup00 /dev/sda2
pvmove --verbose /dev/sdb2 /dev/sda2 # This takes ages
vgreduce --verbose VolGroup00 /dev/sdb2
pvremove --verbose /dev/sdb2
fdisk /dev/sdb
* Here is when you get to choose the password that will protect your partition:
cryptsetup --verify-passphrase --key-size 256 luksFormat /dev/sdb2
cryptsetup luksOpen /dev/sdb2 cryptroot
pvcreate --verbose /dev/mapper/cryptroot
vgextend --verbose VolGroup00 /dev/mapper/cryptroot
pvmove --verbose /dev/sda2 /dev/mapper/cryptroot # This takes ages
vgreduce --verbose VolGroup00 /dev/sda2
pvremove --verbose /dev/sda2
mkdir /mnt/tmp
mount /dev/VolGroup00/LogVol00 /mnt/tmp
cp -ax /dev/* /mnt/tmp/dev # I said no to overwriting any files
chroot /mnt/tmp/
(chroot) # mount -t proc proc /proc
(chroot) # mount -t sysfs sysfs /sys
(chroot) # mount /boot
(chroot) # swapon -a
(chroot) # vgcfgbackup
For the initrd, the blog mentions /etc/sysconfig/mkinitrd as a file. CentOS had a directory, I tried doing their suggestion as a file in there, moving the directory out, and making the file as they suggested. Both failed. So I ran the following command:
(chroot) # mkinitrd -v /boot/initrd-2.6.18-53.el5.crypt.img --with=aes --with=sha256 --with=dm-crypt 2.6.18-53.el5
Now we need to modify the initrd so that it will decrypt the partition at boot time
(chroot) # cd /boot
(chroot) # mkdir /boot/initrd-2.6.18-53.el5.crypt.dir
(chroot) # cd /boot/initrd-2.6.18-53.el5.crypt.dir
(chroot) # gunzip < ../initrd-2.6.18-53.el5.crypt.img | cpio -ivd
Now, we need to modify init by adding the following lines after the line which reads “mkblkdevs” and before “echo Scanning and configuring dmraid supported devices.”:
echo Decrypting root device
cryptsetup luksOpen /dev/sda2 cryptroot
echo Scanning logical volumes
lvm vgscan --ignorelockingfailure
echo Activating logical volumes
lvm vgchange -ay --ignorelockingfailure vg00
Copy cryptsetup and lvm to be put into the initrd, the blog doesn't mention it, but I'm sure it needs it.
cp /sbin/cryptsetup bin/
cp /sbin/lvm bin/
Compress the new initrd
find ./ | cpio -H newc -o | gzip -9 > /boot/initrd-2.6.18-53.el5.crypt.img
Modify the grub.conf. Copy the grub entry for the current kernel, and change as follows
title Centos Encrypted Server (2.6.18-53.1.4.el5)
initrd /initrd-2.6.18-53.el5.crypt.img
Unmount the fs's in the chroot, and exit
cd /
umount /boot
umount /proc
umount /sys
exit
NOTE: Don't upgrade the kernel without upgrading the initrd and grub.conf.
Reboot and test :)
After you have crypto setup, you can find out information about it (such as the crypto algorithm used) via this command:
# cryptsetup luksDump /dev/sda2
LUKS header information for /dev/sda2
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 2056
MK bits: 256
MK digest: af 2e e6 39 3e 79 60 bb 4a 2b 33 05 1c 86 3a 83 bc a0 ef c1
MK salt: 79 b2 13 53 6f 52 72 a1 b5 3d dc d3 72 cd d6 f4
e3 25 3c 6e 08 00 f3 1d 44 1e 90 47 bc 43 e7 07
MK iterations: 10
UUID: 721abe52-5122-447b-8ed0-5ca3b2b32366
Key Slot 0: ENABLED
Iterations: 247223
Salt: 86 c7 53 6a 13 a9 77 81 89 ec 90 b3 e5 6a ea 8d
da 0c 6f ad ec 3e 3c 47 2d 6e 5f 59 28 4e 7c 63
Key material offset: 8
AF stripes: 4000
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
 
 
5 comments:
Hi, can you please elaborate the reasons for two drives (USB/internal), as well as where/how/when to install CentOS5? I see the referenced site seems to tell how to do this with three partitions, so it seems the idea here is to use one of the partitions on the USB drive (sda)?
Thanks to you and your helper, though!
Hi, can you elaborate more regarding need for sda/sdb? Would be nice if there was a way to install directly to LUKS partition (as FC9) but I trust CentOS5 more for stability. Thanks for your work!
I know this is old, but could you see if you can look for a key file on a uuid partition first, and then ask for a password?
Thanks for this. Please keep posting linux related how-to's!
Hey 1st anonymous, guess you figured this one out already since your post was 2008. But you can plug in the USB, install the OS and use the USB as /boot and then install the rest of the OS on your internal drives (should be /dev/sdb, could be reversed and internal is /dev/sda and USB is /dev/sdb). With CentOS if you choose to encrypt your install, then /boot is not encrypted but everything else is. So your USB drive will be the unencrypted part of your OS install
Post a Comment