On Thu, Oct 16, 2008 at 09:41:12PM -0400, Chris * wrote:
>
> I had submitted a document to this list a few weeks back that gave
...

nice write-up, minor typo/corrections in the text added below.

Cheers,

Tru

> Summary
...
>
> Step One: Prepare the disk
> The first step is to prepare the disk. The installer partitioning software
> doesn't have the flexibility to be able to do this, so you will need to
> switch to the shell and perform the setup manually.

to be verified: you need to make a GUI install, the text mode installation
method does not have the lvm creation feature.

> Once the installer has moved into the GUI, press Ctrl-Alt-F2 to get a command prompt.
...
>
> Use fdisk to create the partitions for install. You will need to create a
> /boot partition and an LVM partition at the end of the disk. The gap in
> between the two partitions will become your encrypted file-system. This
> document will refer to the boot partition as /dev/sda1 and the install
> partition at the end of the disk as /dev/sda3. The encrypted partition will
> become /dev/sda2.

imho, should be emphasized -> and some figures hinted for the minimal size
of sda3 (swap+/)

> The partition at the end of the disk should be smaller than the empty space
> between /boot and your LVM partition so that there is room for the meta-data
> associated with the encryption. The LVM partition really only needs to be
> large enough to install the system. You will be able to expand the system
> volumes if you like after you have a working, encrypted system.
> ...
>
> Step Two: Installing the OS
> The installation must be done using the graphical installer because the text installer doesn't allow a custom installation to use LVM.

should be placed above, since the installer has already started.

...
>
> Step Three: Create the encrypted partition
>
> Step Four: Configure mkinitrd for encrypted system
>
> Make a backup copy of /sbin/mkinitrd. Future updates of the mkinitrd package
> will overwrite it, but the changes will allow future kernel updates to
> properly build an initrd. Modify /sbin/mkinitrd per the patch below. The
> patch modifies the MODULES line so that initrd has the proper modules for
> encryption, adds cryptsetup to initrd, and configures initrd to open the
> encrypted file-system.
>

make patch file available and the command to apply it:

wget http://../mkinitrd.patch -O /tmp/mkinitrd.patch
cd / && patch -p1 < /tmp/mkinitrd.patch

> Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted sda2.
>
> # dd if=/dev/sda3 of=/dev/mapper/lvm

non dd version? vgextend + pvmove + vgreduce ?

> NOTE: To make the encrypted system the default system, make the above lines the first block listed in grub.conf or set the default value

> Once the encrypted system is confirmed to be working correctly, remove the
> unencrypted system. Randomize /dev/hda3 by using either shred or dd. Once
                                     ^ sda3

> Use the fdisk command to resize sda2 to fill the entire disk.
> ...
>
> # pvresize --setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm

why not just pvresize /dev/mapper/lvm ?
should it detect the size by itself?

> Extend the logical volumes of the system with lvextend. man lvextend for more information on the command.
>
> # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00
>

same question, here (autodetection) if you only want to extend a single
logical volume.

lvextend /dev/VolGroup00/LogVol00

--
Tru Huynh (mirrors, CentOS-3 i386/x86_64 Package Maintenance)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B
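
An added example, not part of the original message or of the write-up it reviews: a pre-flight check for the quoted "dd if=/dev/sda3 of=/dev/mapper/lvm" step, which confirms that the opened mapping is at least as large as the source partition (the reason the write-up asks for room for the encryption meta-data). The helper name check_copy_fits is hypothetical, and the device names in the comments are the ones used in the quoted text.

```shell
#!/bin/sh
# Pre-flight check before copying the unencrypted LVM partition into the
# opened encrypted mapping. check_copy_fits is a hypothetical helper name.

# Usage: check_copy_fits SRC_BYTES RAW_BYTES MAPPED_BYTES
#   SRC_BYTES    size of the unencrypted LVM partition (sda3 in the text)
#   RAW_BYTES    size of the raw partition that holds the encryption (sda2)
#   MAPPED_BYTES size of the opened mapping (/dev/mapper/lvm)
# Returns 0 if the copy fits, 1 if it would be truncated, 2 on bad input.
check_copy_fits() {
    src=$1 raw=$2 mapped=$3
    # Every argument must be a non-empty decimal byte count.
    for v in "$src" "$raw" "$mapped"; do
        case $v in
            ''|*[!0-9]*) echo "not a byte count: '$v'" >&2; return 2 ;;
        esac
    done
    # The mapping is the raw partition minus the encryption meta-data,
    # so it can never be larger than the partition backing it.
    if [ "$mapped" -gt "$raw" ]; then
        echo "mapping larger than its backing partition; wrong devices?" >&2
        return 2
    fi
    echo "encryption meta-data overhead: $((raw - mapped)) bytes"
    # A source larger than the mapping would lose the tail of the
    # physical volume during the copy.
    if [ "$src" -gt "$mapped" ]; then
        echo "REFUSE: source is $((src - mapped)) bytes larger than the mapping" >&2
        return 1
    fi
    echo "OK: $((mapped - src)) bytes spare after the copy"
}

# Real use (as root), with three devices as arguments, for example:
#   sh check.sh /dev/sda3 /dev/sda2 /dev/mapper/lvm
if [ "$#" -eq 3 ]; then
    check_copy_fits "$(blockdev --getsize64 "$1")" \
                    "$(blockdev --getsize64 "$2")" \
                    "$(blockdev --getsize64 "$3")"
fi
```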