[opensuse] Loading an encrypted partition at boot time
Following the spate of lost government laptops and hard drives in the UK recently, I decided to encrypt the /home partition on my laptop. And, no, it doesn't contain any state secrets ;)

When I boot up, I now have to type in the passphrase to allow mounting of /home, as expected. What I would like to do is put a passphrase onto a USB memory stick, which would have to be present to allow the machine to boot properly.

I have created a textfile on the memory stick called (for the sake of argument) /media/disk/this_is_my_passphrase, which contains the one-line passphrase which I created with the following:

# cryptsetup luksAddKey /dev/sda3 /media/disk/this_is_my_passphrase

How do I get the system to mount the USB memory stick *before* it tries to mount /home, so that the alternative passphrase can be found?

Bob
--
Registered Linux User #463880 FSFE Member #1300
GPG-FP: A6C1 457C 6DBA B13E 5524 F703 D12A FB79 926B 994E
openSUSE 11.0, Kernel 2.6.25.11-0.1-default, KDE 4.1.2
Intel Celeron 2.53GB, 2GB DDR RAM, nVidia GeForce 7600GS
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Tuesday, 2008-10-14 at 09:54 +0100, Bob Williams wrote:
Following the spate of lost government laptops and hard drives in the UK recently, I decided to encrypt the /home partition on my laptop. And, no, it doesn't contain any state secrets ;)
When I boot up, I now have to type in the passphrase to allow mounting of /home, as expected. What I would like to do is put a passphrase onto a USB memory stick, which would have to be present to allow the machine to boot properly.
I have created a textfile on the memory stick called (for the sake of argument) /media/disk/this_is_my_passphrase, which contains the one line passphrase which I created with the following:
I'm not clear on how to do it, but the best thing seems to be to have a passphrase in "biological memory", and a... ¿long key? in external media.
# cryptsetup luksAddKey /dev/sda3 /media/disk/this_is_my_passphrase
How do I get the system to mount the USB memory stick *before* it tries to mount /home, so that the alternative passphrase can be found?
That part I know :-)

You cannot use "fstab", or the system will fail booting if the stick is not in, and go into fsck mode. But you can add an init script that mounts the stick if present. The stick filesystem should have a label to make this easier.

If you don't know how to make that script, ask again :-)

--
Cheers,
Carlos E. R.
On Tuesday 14 October 2008 11:18:33 Carlos E. R. wrote:
On Tuesday, 2008-10-14 at 09:54 +0100, Bob Williams wrote:
Following the spate of lost government laptops and hard drives in the UK recently, I decided to encrypt the /home partition on my laptop. And, no, it doesn't contain any state secrets ;)
When I boot up, I now have to type in the passphrase to allow mounting of /home, as expected. What I would like to do is put a passphrase onto a USB memory stick, which would have to be present to allow the machine to boot properly.
I have created a textfile on the memory stick called (for the sake of argument) /media/disk/this_is_my_passphrase, which contains the one line passphrase which I created with the following:
I'm not clear on how to do it, but the best thing seems to be to have a passphrase in "biological memory", and a... ¿long key? in external media.
# cryptsetup luksAddKey /dev/sda3 /media/disk/this_is_my_passphrase
How do I get the system to mount the USB memory stick *before* it tries to mount /home, so that the alternative passphrase can be found?
That part I know :-)
You can not use "fstab", or the system will fail booting if the stick is not in, and go into fsck mode. But you can add an init script that mounts the stick if present. The stick filesystem should have a label to make this easier.
If you don't know how to make that script, ask again :-)
Great! Yes, please. I'm ready for my script writing tutorial :)

The reason I want to do this is 1) I like learning new tricks, 2) I'd like to make it difficult for anyone who stole/found my laptop to get into it. OTOH I don't want it to be too cumbersome for me to use, hence this compromise between an open system and a long passphrase held in 'biological memory'.

Thanks,
Bob
On Tuesday, 2008-10-14 at 11:38 +0100, Bob Williams wrote:
How do I get the system to mount the USB memory stick *before* it tries to mount /home, so that the alternative passphrase can be found?
That part I know :-)
You cannot use "fstab", or the system will fail booting if the stick is not in, and go into fsck mode. But you can add an init script that mounts the stick if present. The stick filesystem should have a label to make this easier.
If you don't know how to make that script, ask again :-)
Great! Yes, please. I'm ready for my script writing tutorial :)
The reason I want to do this is 1) I like learning new tricks, 2) I'd like to make it difficult for anyone who stole/found my laptop to get into it. OTOH I don't want it to be too cumbersome for me to use, hence this compromise between an open system and a long passphrase held in 'biological memory'.
Ok!

First thing is to add a label to the stick filesystem; this is usually done while formatting, but there are tools for doing it later. ext2/3, reiser, xfs... I'm not sure vfat is supported, maybe it is. Just assume the label is "mylabel", and it will thus be visible in "/dev/disk/by-label/". You can connect your stick and see if it is there, most do have a label.

Add a line for your stick in fstab, like:

LABEL=mylabel /mnt/usb/myusbstick reiserfs noatime,nodiratime,user,noauto,acl,user_xattr 0 0

Create the mount point (change it to your liking, but I prefer leaving /media for automated mount only), and check that you can mount it by issuing the command:

mount /mnt/usb/myusbstick

The script is placed in /etc/init.d. I'm going to write it, based on another of mine, without checking it, I leave that to you :-) (have a look at the script 'skeleton', man init.d, and also the suse book, it is explained there).

#! /bin/sh
# /sbin/rchelloworld

MYLABEL="mylabel"
MYSTICK="/mnt/usb/myusbstick"

### BEGIN INIT INFO
# Provides:          HelloWorld
# Required-Start:    $syslog $remote_fs $local_fs $kbd
# Required-Stop:     $syslog $remote_fs $local_fs
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Description:       Mounts usb stick
### END INIT INFO

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_reset         clear local rc status (overall remains)
#      rc_exit
. /etc/rc.status
rc_reset

case "$1" in
    start)
        ISDISK=`ls /dev/disk/by-label | grep $MYLABEL`
        if ! test -n "$ISDISK" ; then
            echo "*** ERROR: missing disk"
            rc_failed
        else
            /etc/init.d/boot.crypto start Something
        fi
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        /etc/init.d/boot.crypto stop Something
        rc_status -v
        ;;
    try-restart)
        $0 stop && $0 start
        rc_status
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    force-reload)
        $0 stop && $0 start
        rc_status
        ;;
    reload)
        echo -n "not supported"
        rc_status -v
        # If it does not support reload:
        ;;
    status)
        $0 start
        #rc_status
        ;;
    probe)
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit

Name it, rcmyusb, for instance, and make a symlink to it in /sbin named myusb. Give it execute permission. You have to test it by running "myusb start". Check how it fails when stick is not present, I'm not sure it will produce the correct output.

You also have to check the correct data to give to "/etc/init.d/boot.crypto" so that it mounts your stick. I think there is another method if it is of the new... hold on, I goofed. Your stick is not encrypted, is it? Then the start section should be:

    start)
        ISDISK=`ls /dev/disk/by-label | grep $MYLABEL`
        if ! test -n "$ISDISK" ; then
            echo "*** ERROR: missing disk"
            rc_failed
        else
            mount $MYSTICK
        fi
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        umount $MYSTICK
        rc_status -v
        ;;

Another:

    status)
        ISDISK=`mount | grep $MYSTICK`
        if ! test -n "$ISDISK" ; then
            echo "*** ERROR: missing disk or not mounted"
            rc_failed
        fi
        rc_status -v
        ;;

When it works, activate it:

chkconfig myusb on

and you should be done :-)

Usual disclaimers apply. If you go up in smoke, don't blame me, just quit smoking cigars :-p

--
Cheers,
Carlos E. R.
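One detail of the script above that is easy to overlook: `ls /dev/disk/by-label | grep $MYLABEL` is an unanchored substring match, so a stick labelled "mylabel2" (or anything containing "mylabel") also passes the presence test, and the init script would then try to mount the wrong device. The following is an added example, not code from the thread or from openSUSE, showing the exact-match check beside the grep one; it relies only on the udev /dev/disk/by-label symlinks the message describes. BYLABEL_DIR and MOUNT_CMD are hypothetical hooks so the functions can be exercised against a constructed directory without touching /dev or calling mount(8).

```shell
#!/bin/sh
# Added example (not from the thread): presence check for a labelled stick,
# as a drop-in for the `ls /dev/disk/by-label | grep $MYLABEL` test in the
# init script above. BYLABEL_DIR is overridable so the functions can be
# exercised against a constructed directory instead of /dev.
BYLABEL_DIR="${BYLABEL_DIR:-/dev/disk/by-label}"

# The check as posted: an unanchored substring match, so a stick labelled
# "mylabel2" (or "notmylabel") also satisfies a test for "mylabel".
stick_present_grep() {
    ls "$BYLABEL_DIR" 2>/dev/null | grep "$1" >/dev/null
}

# Exact check: the udev symlink for this precise label must itself exist.
stick_present() {
    [ -e "$BYLABEL_DIR/$1" ]
}

# Mount the stick only when its label symlink is present. Returns 0 when the
# mount command succeeded, 1 when the stick is absent. MOUNT_CMD is a hook so
# a test can substitute a harmless command for mount(8).
MOUNT_CMD="${MOUNT_CMD:-mount}"
mount_stick_if_present() {
    label="$1"; mountpoint="$2"
    if stick_present "$label"; then
        "$MOUNT_CMD" "$mountpoint"
    else
        echo "*** ERROR: missing disk (label '$label')" >&2
        return 1
    fi
}
```

In the init script the `start)` branch would become `if stick_present "$MYLABEL"; then mount "$MYSTICK"; else rc_failed; fi`; the exit status of `stick_present` is what `rc_status` needs, with no intermediate ISDISK variable.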
On Tuesday 14 October 2008 13:15:00 Carlos E. R. wrote:
On Tuesday, 2008-10-14 at 11:38 +0100, Bob Williams wrote:
How do I get the system to mount the USB memory stick *before* it tries to mount /home, so that the alternative passphrase can be found?
That part I know :-)
You cannot use "fstab", or the system will fail booting if the stick is not in, and go into fsck mode. But you can add an init script that mounts the stick if present. The stick filesystem should have a label to make this easier.
If you don't know how to make that script, ask again :-)
Great! Yes, please. I'm ready for my script writing tutorial :)
The reason I want to do this is 1) I like learning new tricks, 2) I'd like to make it difficult for anyone who stole/found my laptop to get into it. OTOH I don't want it to be too cumbersome for me to use, hence this compromise between an open system and a long passphrase held in 'biological memory'.
Ok!
Many thanks, Carlos. I'll look at this in more detail in a couple of days, when I have more time, but an initial run of 'myusb start' threw up the following:

/sbin/myusb: line 24: ./etc/rc.status: No such file or directory   #but I've looked and it's there!
/sbin/myusb: line 25: rc_reset: command not found   #but I can see it on line 77 of rc.status!
/sbin/myusb: line 38: rc_status: command not found
/sbin/myusb: line 74: rc_exit: command not found
First thing is to add a label to the stick filesystem; this is usually done while formatting, but there are tools for doing it later. ext2/3, reiser, xfs... I'm not sure vfat is supported, maybe it is. Just assume the label is "mylabel", and it will thus be visible in "/dev/disk/by-label/". You can connect your stick and see if it is there, most do have a label.
Add a line for your stick in fstab, like:
LABEL=mylabel /mnt/usb/myusbstick reiserfs noatime,nodiratime,user,noauto,acl,user_xattr 0 0
Done this
Create the mount point (change it to your liking, but I prefer leaving /media for automated mount only), and check that you can mount it by issuing the command:
mount /mnt/usb/myusbstick
Done this
The script is placed in /etc/init.d. I'm going to write it, based on another of mine, without checking it, I leave that to you :-)
(have a look at the script 'skeleton', man init.d, and also the suse book, it is explained there).
Which suse book?
#! /bin/sh
# /sbin/rchelloworld

MYLABEL="mylabel"
MYSTICK="/mnt/usb/myusbstick"

### BEGIN INIT INFO
# Provides:          HelloWorld
# Required-Start:    $syslog $remote_fs $local_fs $kbd
# Required-Stop:     $syslog $remote_fs $local_fs
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Description:       Mounts usb stick
### END INIT INFO

# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     ditto but be verbose in local rc status
#      rc_status -v -r  ditto and clear the local rc status
#      rc_failed        set local and overall rc status to failed
#      rc_reset         clear local rc status (overall remains)
#      rc_exit
. /etc/rc.status
rc_reset

case "$1" in
    start)
        ISDISK=`ls /dev/disk/by-label | grep $MYLABEL`
        if ! test -n "$ISDISK" ; then
            echo "*** ERROR: missing disk"
            rc_failed
        else
            /etc/init.d/boot.crypto start Something
        fi
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        /etc/init.d/boot.crypto stop Something
        rc_status -v
        ;;
    try-restart)
        $0 stop && $0 start
        rc_status
        ;;
    restart)
        $0 stop
        $0 start
        rc_status
        ;;
    force-reload)
        $0 stop && $0 start
        rc_status
        ;;
    reload)
        echo -n "not supported"
        rc_status -v
        # If it does not support reload:
        ;;
    status)
        $0 start
        #rc_status
        ;;
    probe)
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit
Name it, rcmyusb, for instance, and make a symlink to it in /sbin named myusb. Give it execute permission. You have to test it by running "myusb start". Check how it fails when stick is not present, I'm not sure it will produce the correct output.
You also have to check the correct data to give to "/etc/init.d/boot.crypto" so that it mounts your stick. I think there is another method if it is of the new... hold on, I goofed. Your stick is not encrypted, is it? Then the start section should be:
Not encrypted (it's the /home inside the laptop that's encrypted) so I used this:
    start)
        ISDISK=`ls /dev/disk/by-label | grep $MYLABEL`
        if ! test -n "$ISDISK" ; then
            echo "*** ERROR: missing disk"
            rc_failed
        else
            mount $MYSTICK
        fi
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        umount $MYSTICK
        rc_status -v
        ;;
Another:
    status)
        ISDISK=`mount | grep $MYSTICK`
        if ! test -n "$ISDISK" ; then
            echo "*** ERROR: missing disk or not mounted"
            rc_failed
        fi
        rc_status -v
        ;;
Do I need this section (above), or is it an alternative?
When it works, activate it:
There's the rub :(
chkconfig myusb on
and you should be done :-)
Usual disclaimers apply. If you go up in smoke, don't blame me, just quit smoking cigars :-p
Gave up twenty years ago :)
-- Cheers, Carlos E. R.
On Tuesday, 2008-10-14 at 22:56 +0100, Bob Williams wrote:
Ok!
Many thanks, Carlos. I'll look at this in more detail in a couple of days, when I have more time, but an initial run of 'myusb start' threw up the following:
/sbin/myusb: line 24: ./etc/rc.status: No such file or directory
There should be a space after the first dot ("._script"). I.e., ". /etc/rc.status". You ate it! :-p
/sbin/myusb: line 25: rc_reset: command not found
#but I can see it on line 77 of rc.status!
Yes, but with the missing space it did not load.
(have a look at the script 'skeleton', man init.d, and also the suse book, it is explained there).
Which suse book?
The admin book, it has a different name now. It is in "opensuse-manual_en-11.0-10.2...rpm". Chapter 8 in version 11.0. Years ago it was a real paper book which I read when going to bed :-)
You also have to check the correct data to give to "/etc/init.d/boot.crypto" so that it mounts your stick. I think there is another method if it is of the new... hold on, I goofed. Your stick is not encrypted, is it? Then the start section should be:
No encrypted (it's the /home inside the laptop that's encrypted) so I used this:
Right!
start) ISDISK=`ls /dev/disk/by-label | grep $MYLABEL` if ! test -n "$ISDISK" ; then
...
Another:
status) ISDISK=`mount | grep $MYSTICK` if ! test -n "$ISDISK" ; then echo "*** ERROR: missing disk or not mounted" rc_failed fi rc_status -v ;;
Do I need this section (above), or is it an alternative?
Replace the original "status" section with the later one. When you issue the command "rcmyusb status" it should tell you if it is mounted or not. The original section does nothing.
When it works, activate it:
There's the rub :(
No problem, re-add that missing space. Funny what a trifle can do, eh? :)
chkconfig myusb on
and you should be done :-)
Usual disclaimers apply. If you go up in smoke, don't blame me, just quit smoking cigars :-p
Gave up twenty years ago :)
Good! X'-)

--
Cheers,
Carlos E. R.
On Wednesday 15 October 2008 03:04:02 Carlos E. R. wrote:
On Tuesday, 2008-10-14 at 22:56 +0100, Bob Williams wrote:
Ok!
Many thanks, Carlos. I'll look at this in more detail in a couple of days, when I have more time, but an initial run of 'myusb start' threw up the following:
/sbin/myusb: line 24: ./etc/rc.status: No such file or directory
There should be a space after the first dot ("._script"). I.e., ". /etc/rc.status". You ate it! :-p
No, I did not! It fell on the floor while I was typing your script in! Didn't cut and paste as different machines, not networked, etc.

Anyway, your script is now working well, thank you, Carlos, but it won't read in the passphrase for unencrypting the hard-drive that boots immediately after the usb stick. I think I need to study the cryptsetup docs.

Bob
On Wednesday, 2008-10-15 at 21:17 +0100, Bob Williams wrote:
On Wednesday 15 October 2008 03:04:02 Carlos E. R. wrote:
There should be a space after the first dot ("._script"). I.e., ". /etc/rc.status". You ate it! :-p
No, I did not! It fell on the floor while I was typing your script in! Didn't cut and paste as different machines, not networked, etc.
wow, too bad... I hate when I have to do that.
Anyway, your script is now working well, thank you, Carlos, but it won't read in the passphrase for unencrypting the hard-drive that boots immediately after the usb stick. I think I need to study the cryptsetup docs.
I'm glad that it works. About reading the passphrase, I don't know, my setup is different. The script simply mounts the stick, you will have to tell the crypto parts to use it somehow; I can't help you there, sorry.

--
Cheers,
Carlos E. R.
"Carlos E. R." wrote on 10/15/2008 02:33:16 PM:
Anyway, your script is now working well, thank you, Carlos, but it won't read in the passphrase for unencrypting the hard-drive that boots immediately after the usb stick. I think I need to study the cryptsetup docs.
I'm glad that it works.
About reading the passphrase, I don't know, my setup is different. The script simply mounts the stick, you will have to tell the crypto parts to use it somehow; I can't help you there, sorry.
I'm coming into the thread a bit late, but it seems to me that you can solve this problem by encrypting the volume with a key. Save that key to the USB drive and point to it during the mounting process. You can then choose to protect the key with a "biologically stored" passphrase, or have no passphrase on the key itself.

This is essentially what the Security vendors do with USB Smart Cards, etc. It seems to me the only difference is that you're storing the key on a filesystem instead of a "smart card". This shouldn't be too hard to get going since you already have the USB Filesystem side of things working.

I hope I didn't just misunderstand what you're trying to accomplish.

~Dale
On Thursday, 2008-10-16 at 14:35 -0700, Dale Schuster wrote:
I'm coming into the thread a bit late, but it seems to me that you can solve this problem by encrypting the volume with a key. Save that key to the USB drive and point to it during the mounting process. You can then choose to protect the key with a "biologically stored" passphrase, or have no passphrase on the key itself.
Yes, that's what I think too, but I'm fuzzy on the procedure so I can't help him further. I don't know if yast can create such a filesystem :-?

--
Cheers,
Carlos E. R.
On Thursday 16 October 2008 22:35:36 Dale Schuster wrote:
"Carlos E. R."
wrote on 10/15/2008 02:33:16 PM:
Anyway, your script is now working well, thank you, Carlos, but it won't read in the passphrase for unencrypting the hard-drive that boots immediately after the usb stick. I think I need to study the cryptsetup docs.
I'm glad that it works.
About reading the passphrase, I don't know, my setup is different. The script simply mounts the stick, you will have to tell the crypto parts to use it somehow; I can't help you there, sorry.
I'm coming into the thread a bit late, but it seems to me that you can solve this problem by encrypting the volume with a key. Save that key to the USB drive and point to it during the mounting process. You can then choose to protect the key with a "biologically stored" passphrase, or have no passphrase on the key itself.
Yes, that's right. I've created the key on the USB drive. LUKS allows encrypted partitions to have more than one passphrase. So, in my case, my encrypted /home partition requires me to type in a passphrase before it can be mounted. I have added a second passphrase which resides in a file on the USB drive. The problem I have is getting the USB drive mounted before /home, so that the encryption software can find a valid passphrase there, rather than requiring me to type one in. I have posed my question on the (low traffic) dm-crypt mailing list where I am getting some help, but have not completely solved my problem.
This is essentially what the Security vendors do with USB Smart Cards, etc. It seems to me the only difference is that you're storing the key on a filesystem instead of a "smart card". This shouldn't be too hard to get going since you already have the USB Filesystem side of things working.
I hope I didn't just misunderstand what you're trying to accomplish.
You didn't :)
~Dale
Bob
On Friday, 2008-10-17 at 18:20 +0100, Bob Williams wrote:
The problem I have is getting the USB drive mounted before /home, so that the encryption software can find a valid passphrase there, rather than requiring me to type one in.
But that was already solved, wasn't it?

Unless... you mean you need the usb stick mounted before the system tries to mount /home? If that's your problem, I think it is easy to solve. You just have to run the script earlier in the boot sequence. It is controlled by this line:

# Required-Start: $syslog $remote_fs $local_fs $kbd

I think that removing the local_fs and remote_fs will do it. Maybe also syslog, because it will need writing somewhere. Kbd needs to stay, you need the keyboard to type the password.

After editing that line, you also need to run "chkconfig scriptname on" again.

--
Cheers,
Carlos E. R.
On Saturday 18 October 2008 03:28:02 Carlos E. R. wrote:
On Friday, 2008-10-17 at 18:20 +0100, Bob Williams wrote:
The problem I have is getting the USB drive mounted before /home, so that the encryption software can find a valid passphrase there, rather than requiring me to type one in.
But that was already solved, wasn't it?
No, but read on
Unless... you mean you need the usb stick mounted before the system tries to mount /home? If that's your problem, I think it is easy to solve. You just have to run the script earlier in the boot sequence. It is controlled by this line:
Yes, that's what I wanted to do, and I solved it (with help from my son) by running either

# udevinfo -a -p /sys/block/sdx

or

# udevinfo --query=all --name=sdx

sdx is the current drive allocation of the usbstick, e.g. sda, sdb, sdc etc. From the output of this command, you can get some unique strings to identify the device, which you then write into the following line (the bits beginning with ENV, use one or more)

ENV{ID_SERIAL_SHORT}=="00012345ABCDE", ENV{ID_MODEL}=="YP-MT6", SYMLINK+="put_your_name_here"

which you put into the following, newly created file

/etc/udev/rules.d/61-CUSTOM-storage.rules

Next, edit /etc/init.d/boot.crypto, adding the following lines (I put them between blocks of ###, for easy identification)

echo "Custom Early USB Mount"
modprobe usb_storage
sleep 5
mount -n -t vfat -o rw,umask=111 /dev/"put_your_name_here" /media/"put_your_name_here"

(you may have to edit the 'mount' line if your stick is not vfat)

Then, edit /etc/crypttab to contain the following line

home /dev/sdxn /media/folder/key luks

(this is the path to the file on your USB stick which is acting as the keyphrase - it can be anything, text, jpg etc)

and finally, if you haven't created the keyfile yet, do the following at a bash prompt

cryptsetup luksAddKey /dev/sdxn /media/folder/key

In fact I also had to change /etc/fstab so that the line starting cr_sdxn which pointed to my encrypted partition actually started with /dev/mapper/home

Anyone wanting to try this will have to fiddle around with the above to suit your system, but it works for me, so I didn't get round to doing
# Required-Start: $syslog $remote_fs $local_fs $kbd
I think that removing the local_fs and remote_fs will do it. Maybe also syslog, because it will need writing somewhere. Kbd needs to stay, you need the keyboard to type the password.
After editing that line, you also need to run "chkconfig scriptname on" again.
-- Cheers, Carlos E. R.
Bob
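Two things in the recipe above are easy to get wrong silently: the key file on the stick has to be unreadable to anyone but root (a world-readable key file on a vfat stick is effectively the passphrase in clear), and the `home /dev/sdxn ... luks` crypttab line names the device by a kernel-assigned sdX name, which can change between boots when a stick is plugged in. The following is an added example, not code from the thread or from openSUSE: a helper that creates a random key file with owner-only permissions, and a small lint for a crypttab in the four-field layout shown above (name, device, key, options). It assumes GNU stat(1) for file modes; the file paths and crypttab lines used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: key-file hygiene and a crypttab lint for
# a LUKS key kept on removable media. Assumes the four-field crypttab layout
# shown in the thread (name device key options) and GNU stat(1) for modes.

# Write SIZE random bytes from /dev/urandom to PATH, owner-read-only (0400).
# A binary key avoids the trailing-newline ambiguity of a passphrase saved
# from an editor: luksAddKey uses the file bytes exactly as stored.
make_keyfile() {
    path="$1"; size="${2:-64}"
    ( umask 077 && head -c "$size" /dev/urandom > "$path" ) || return 1
    chmod 0400 "$path"
}

# Return 0 if DEVICE is a persistent name. UUID=/LABEL= forms, the udev
# /dev/disk/by-* trees, device-mapper names and custom udev SYMLINK names are
# stable; kernel-assigned sdX/hdX/nvme names can change between boots.
is_stable_device() {
    case "$1" in
        UUID=*|LABEL=*|/dev/disk/by-*|/dev/mapper/*) return 0 ;;
        /dev/sd[a-z]*|/dev/hd[a-z]*|/dev/nvme*) return 1 ;;
        /dev/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Lint FILE in crypttab syntax: one line per finding on stdout, exit status is
# the number of findings. Keys given as "none", empty, or a device node
# (e.g. /dev/urandom for swap) are not checked as files.
lint_crypttab() {
    file="$1"; findings=0
    while read -r name device key options; do
        case "$name" in ''|\#*) continue ;; esac
        if ! is_stable_device "$device"; then
            echo "$name: device '$device' is not a persistent name"
            findings=$((findings + 1))
        fi
        case "$key" in
            ''|none|/dev/*) ;;
            /*)
                if [ ! -f "$key" ]; then
                    echo "$name: key file '$key' not found"
                    findings=$((findings + 1))
                else
                    mode=$(stat -c %a "$key")
                    case "$mode" in
                        *00) ;;   # no group/other bits set: fine
                        *) echo "$name: key file '$key' is readable by others (mode $mode)"
                           findings=$((findings + 1)) ;;
                    esac
                fi ;;
            *)
                echo "$name: key '$key' is not an absolute path"
                findings=$((findings + 1)) ;;
        esac
    done < "$file"
    return "$findings"
}
```

Run as `lint_crypttab /etc/crypttab` on the real file once the stick is mounted; a non-zero exit means at least one line needs attention. Note that it only inspects the file on disk and does not touch the LUKS header or the device.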
participants (3): Bob Williams, Carlos E. R., Dale Schuster