Welcome to the Linux Foundation Forum!

Encrypted /root, /home, and swap mount at boot as does LV shared but no write access?

The following is how I have encrypted the /root, /home, and swap partitions on a disk already containing Windows 8.1 and only require a single passphrase entry on boot:

Create 500 MiB ext4 sda5 partition that will later be assigned as /boot

sudo dd if=/dev/urandom of=/dev/sda6

12 hours elapse.

dd: writing to ‘/dev/sda6’: No space left on device
660092929+0 records in
660092928+0 records out
337967579136 bytes (338 GB) copied, 39571.4 s, 8.5 MB/s
modprobe dm-crypt
modprobe aes-x86_64
modprobe sha256


When I do this over I will run cryptsetup benchmark first to see which aes and sha works best for my system.

sudo cryptsetup luksFormat /dev/sda6

WARNING!
========
This will overwrite data on /dev/sda6 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase:
Verify passphrase:
sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:

sudo pvcreate /dev/mapper/enc-pv
Physical volume "/dev/mapper/enc-pv" successfully created
sudo vgcreate vg /dev/mapper/enc-pv
Volume group "vg" successfully created
sudo lvcreate -L 8.5G -n swap vg
Logical volume "swap" created
sudo lvcreate -L 20G -n ubuntu-root vg
Logical volume "ubuntu-root" created
sudo lvcreate -L 50G -n ubuntu-home vg
Logical volume "ubuntu-home" created
sudo lvcreate -L 140G -n shared vg
Logical volume "shared" created

sudo lvdisplay
--- Logical volume ---
LV Path /dev/vg/swap
LV Name swap
VG Name vg
LV UUID EMSdc1-yTSS-FF9W-5vcv-jEwF-OeF7-5oOoEI
LV Write Access read/write
LV Creation host, time ubuntu, 2014-04-23 12:57:17 +0000
LV Status available
# open 0
LV Size 8.50 GiB
Current LE 2176
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:1

--- Logical volume ---
LV Path /dev/vg/ubuntu-root
LV Name ubuntu-root
VG Name vg
LV UUID TCPIIE-fGv0-3tz8-XP3R-1c9Z-E18R-XTbcOd
LV Write Access read/write
LV Creation host, time ubuntu, 2014-04-23 12:58:41 +0000
LV Status available
# open 0
LV Size 20.00 GiB
Current LE 5120
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:2

--- Logical volume ---
LV Path /dev/vg/shared
LV Name shared
VG Name vg
LV UUID dPHDeT-52zj-7bAx-xjzP-p4yC-kXoo-aw7Eac
LV Write Access read/write
LV Creation host, time ubuntu, 2014-04-23 12:59:50 +0000
LV Status available
# open 0
LV Size 140.00 GiB
Current LE 35840
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:4

--- Logical volume ---
LV Path /dev/vg/ubuntu-home
LV Name ubuntu-home
VG Name vg
LV UUID pWFs3D-MXrh-bMez-68r0-4yPc-zMTo-MGhNF1
LV Write Access read/write
LV Creation host, time ubuntu, 2014-04-23 13:06:11 +0000
LV Status available
# open 0
LV Size 50.00 GiB
Current LE 12800
Segments 1
Allocation inherit
Read ahead sectors auto
- currently set to 256
Block device 252:3

sudo vgdisplay | grep -i free
Free PE / Size 24641 / 96.25 GiB
sudo mkfs.ext4 /dev/mapper/vg-shared

mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
9175040 inodes, 36700160 blocks
1835008 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
1120 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done


There was similar output for:

sudo mkfs.ext4 /dev/mapper/vg-ubuntu-root
sudo mkfs.ext4 /dev/mapper/vg-ubuntu-home


I may have needed to add an extra hyphen, like vg-ubuntu--root

Next I opened the Ubuntu 14.04 installer and selected 'something else'. I assigned /boot to the 500 MiB partition on sda5 and then /root, /home, and swap to the logical /dev/mapper/vg volumes.

After Ubuntu installs, before rebooting from the live USB I entered the following:

sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:
sudo mount /dev/vg/ubuntu-root /mnt
sudo chroot /mnt mount /proc
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt mount /boot
sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
sudo chroot /mnt update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt


On reboot Ubuntu boots asking for only one entry of the passphrase instead of three, one for each encrypted volume.

==================================================================

The only problem remaining now is that although the /dev/mapper/vg-shared volume appears like any other partition in /media/dusf/, and although I can open it without having to enter the passphrase again, I cannot create files on it.

I have tried replacing the command 'sudo mount /dev/vg/ubuntu-root /mnt' with 'sudo mount /dev/vg/shared /mnt' but then when I go onto the next command 'sudo chroot /mnt mount /proc' it gives me the error 'chroot: failed to run command ‘mount’: No such file or directory'.

Can anyone tell me how I should edit the following commands so that /dev/vg/shared not only mounts at boot, but I can also write to it?

sudo cryptsetup luksOpen /dev/sda6 enc-pv
Enter passphrase for /dev/sda6:
sudo mount /dev/vg/ubuntu-root /mnt
sudo chroot /mnt mount /proc
sudo mount --bind /dev /mnt/dev
sudo chroot /mnt mount /boot
sudo echo "enc-pv UUID=`sudo blkid -s UUID -o value /dev/sda6` none luks" | sudo tee -a /mnt/etc/crypttab
enc-pv UUID=ad8b8a32-95ea-4add-abe6-326d151e30fa none luks
sudo chroot /mnt update-initramfs -u
update-initramfs: Generating /boot/initrd.img-3.13.0-24-generic
sudo umount /mnt/proc /mnt/dev /mnt/boot /mnt
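As an added example (not part of the post above), the helper functions below build the /etc/crypttab and /etc/fstab entries for this layout so that the shared LV is mounted at a fixed path at boot rather than being auto-mounted under /media. It assumes the LUKS container is /dev/sda6, the volume group is "vg", and the paths /dev/vg/<lv> are used (which sidesteps the doubled-hyphen mapper names like vg-ubuntu--root); the UUID in the comments and tests is a constructed sample, not the poster's.

```shell
# Added example, not the original poster's commands. Run the append_unique
# calls as root against the chroot paths (/mnt/etc/crypttab, /mnt/etc/fstab).

# Print one crypttab line, refusing a malformed UUID so that a typo cannot
# silently produce an initramfs that never finds the LUKS container.
crypttab_line() {
    name=$1; uuid=$2
    printf '%s' "$uuid" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
    printf '%s UUID=%s none luks\n' "$name" "$uuid"
}

# Print one fstab line for an LV inside the assumed VG "vg". ext4 volumes get
# fsck pass 2; swap gets mount point "none", option "sw" and no fsck pass.
fstab_line() {
    lv=$1; mountpoint=$2; fstype=$3
    if [ "$fstype" = swap ]; then
        printf '/dev/vg/%s none swap sw 0 0\n' "$lv"
    else
        printf '/dev/vg/%s %s %s defaults 0 2\n' "$lv" "$mountpoint" "$fstype"
    fi
}

# Append a line only if an identical one is not already present, so re-running
# the chroot procedure with "tee -a" cannot stack duplicate crypttab/fstab
# entries (a duplicate crypttab name makes the initramfs prompt twice).
append_unique() {
    file=$1; line=$2
    [ -f "$file" ] && grep -Fxq -- "$line" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}
```

A freshly created ext4 filesystem has its root directory owned by root with mode 0755, so after the first mount the directory at the shared mount point still needs its ownership (or a group with write permission) changed before an unprivileged desktop user can create files there.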
