[CentOS-docs] Encrypting tmp swap and home

Fri Oct 17 07:35:00 UTC 2008
Tru Huynh <tru at centos.org>

On Thu, Oct 16, 2008 at 09:41:12PM -0400, Chris * wrote:
> I had submitted a document to this list a few weeks back that gave
nice write-up, minor typo/corrections in the text added below.


> Summary
> Step One: Prepare the disk
> The first step is to prepare the disk. The installer partitioning software
> doesn't have the flexibility to be able to do this, so you will need to
> switch to the shell and perform the setup manually.

to be verified: you need to make a GUI install, the text mode installation
method does not have the lvm creation feature.

> Once the installer has moved into the GUI, press Ctrl-Alt-F2 to get a command prompt.
> Use fdisk to create the partitions for install. You will need to create a
> /boot partition and an LVM partition at the end of the disk. The gap in
> between the two partitions will become your encrypted file-system. This
> document will refer to the boot partition as /dev/sda1 and the install
> partition at the end of the disk as /dev/sda3. The encrypted partition will
> become /dev/sda2.

imho, should be emphasized -> and some figures hinted for the minimal size of sda3 (swap+/)

> The partition at the end of the disk should be smaller than the empty space
> between /boot and your LVM partition so that there is room for the meta-data
> associated with the encryption. The LVM partition really only needs to be
> large enough to install the system. You will be able to expand the system
> volumes if you like after you have a working, encrypted system.
> Step Two: Installing the OS
> The installation must be done using the graphical installer because the text installer doesn't allow a custom installation to use LVM.
should be placed above, since the installer has already started.

> Step Three: Create the encrypted partition
> Step Four: Configure mkinitrd for encrypted system
> Make a backup copy of /sbin/mkinitrd. Future updates of the mkinitrd package
> will overwrite it, but the changes will allow future kernel updates to
> properly build an initrd. Modify /sbin/mkinitrd per the patch below. The
> patch modifies the MODULES line so that initrd has the proper modules for
> encryption, adds cryptsetup to initrd, and configures initrd to open the
> encrypted file-system.
make the patch file available and the command to apply it:
wget http://../mkinitrd.patch -O /tmp/mkinitrd.patch
cd / && patch -p1 < /tmp/mkinitrd.patch

> Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted sda2.
>  # dd if=/dev/sda3 of=/dev/mapper/lvm
non dd version?
vgextend + pvmove + vgreduce ?

> NOTE: To make the encrypted system the default system, make the above lines the first block listed in grub.conf
or set the default value 

> Once the encrypted system is confirmed to be working correctly, remove the
> unencrypted system. Randomize /dev/hda3 by using either shred or dd. Once
                                     ^ sda3
> Use the fdisk command to resize sda2 to fill the entire disk.
>  # pvresize --setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm
why not just pvresize /dev/mapper/lvm ?
should it detect the size by itself?
> Extend the logical volumes of the system with lvextend. man lvextend for more information on the command.
>  # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00
same question, here (autodetection) if you only want to extend a single logical volume.
lvextend /dev/VolGroup00/LogVol00

Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
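The two alternatives raised in the reply (a pvmove migration instead of dd, and letting pvresize/lvextend work out sizes themselves) written out as a script. This is an added example, not part of the thread or of the original document: it reuses the device names from the document (/dev/sda3 for the unencrypted install, /dev/mapper/lvm for the opened encrypted device) and the CentOS default VolGroup00/LogVol00 names; the "cryptsetup resize lvm" step and the ext3 resize2fs call are assumptions about how the mapping and file system were set up. It runs in dry-run mode by default and only prints the commands it would execute.

```shell
#!/bin/sh
# Added example: move the LVM physical volume from the unencrypted partition
# onto the dm-crypt device with pvmove (no dd), then grow PV and LV without
# hand-computed sizes. DRY_RUN=1 (the default) prints commands instead of
# running them, so the sequence can be reviewed before it touches any disk.

DRY_RUN="${DRY_RUN:-1}"
OLD_PV="${OLD_PV:-/dev/sda3}"          # unencrypted install, as in the document
NEW_PV="${NEW_PV:-/dev/mapper/lvm}"    # opened encrypted device, as in the document
VG="${VG:-VolGroup00}"                 # CentOS default volume group name
LV="${LV:-/dev/VolGroup00/LogVol00}"   # CentOS default root logical volume
CRYPT_NAME="${CRYPT_NAME:-lvm}"        # dm-crypt mapping name behind $NEW_PV (assumed)

# Print the command in dry-run mode, otherwise execute it and stop on failure.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@" || { echo "failed: $*" >&2; return 1; }
    fi
}

# Step A: migrate extents instead of copying the PV with dd.
# dd would duplicate the PV UUID onto the new device; pvmove keeps one PV
# identity per device and can move extents of active logical volumes.
migrate_pv_cmds() {
    run pvcreate "$NEW_PV"
    run vgextend "$VG" "$NEW_PV"
    run pvmove "$OLD_PV" "$NEW_PV"
    run vgreduce "$VG" "$OLD_PV"
    run pvremove "$OLD_PV"
}

# Step B: after fdisk has grown sda2 (and the kernel re-read the table),
# enlarge the crypt mapping, let pvresize detect the new device size itself,
# and hand every free extent to the root LV before growing the file system.
grow_cmds() {
    run cryptsetup resize "$CRYPT_NAME"     # assumed: mapping named "lvm"
    run pvresize "$NEW_PV"                  # no --setphysicalvolumesize needed
    run lvextend -l +100%FREE "$LV"         # no size to compute by hand
    run resize2fs "$LV"                     # assumed: ext3 root, online resize
}

case "${1:-}" in
    migrate) migrate_pv_cmds ;;
    grow)    grow_cmds ;;
esac
```

Usage: `sh encrypt-migrate.sh migrate` prints the migration sequence; `DRY_RUN=0 sh encrypt-migrate.sh migrate` executes it. pvremove on the old partition is what replaces the document's shred/dd randomisation step only in the LVM sense; the partition contents still need to be overwritten afterwards as the document says, because pvmove does not wipe the source extents.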