Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


Old 02-16-2011, 11:55 PM
dabicho
 
Default encrypted partition configuration on kickstart

Hello.
I am having trouble understanding how encrypted partitions are
supposed to work and how to get my desired effect on Fedora 14.

I am writing a kickstart for an automated installation.
I wrote the following for the partitions:


part / --encrypted --passphrase=pass1 --size=10000
part /boot --size=200
part /var/lib/pgsql --encrypted --passphrase=pass2 --grow --size=1
part /var --encrypted --passphrase=pass3 --size=10000
part /tmp --encrypted --passphrase=pass4 --size=3000
part swap --encrypted --recommended

I thought that upon boot I would be asked for each passphrase in
turn, however I am asked only for one passphrase, without any
indication as to which one, and that being the passphrase for the first
partition defined ( / ), and that would enable mounting of all the
partitions.

What am I missing here?
What should I do if I needed the system to ask for each passphrase in
turn? Or at a later time (database partition)?

Also, I have seen no options to specify a cipher or other encryption
parameters anywhere.
Is it possible to prepare encrypted partitions on the %pre script?

Thank you.
Any pointer is appreciated.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 02-17-2011, 12:44 PM
Bruno Wolff III
 
Default encrypted partition configuration on kickstart

On Wed, Feb 16, 2011 at 18:55:28 -0600,
dabicho <tsukebumi@gmail.com> wrote:
> I thought that upon boot I would be asked for each passphrase in
> turn, however I am asked only for one passphrase, without any
> indication as to which one, and that being the passphrase for the first
> partition defined ( / ), and that would enable mounting of all the
> partitions.

I don't know all of the ks stuff for configuring how the partitions are
set up, but as far as passphrases go on F14 (F15 things work differently
and could really use some more work), each time none of the previously
entered passphrases work, you will get asked for a new one. Each
passphrase you have entered already gets tried in turn (until one works)
for each encrypted device.
 
Old 02-17-2011, 05:01 PM
dabicho
 
Default encrypted partition configuration on kickstart

On Thu, Feb 17, 2011 at 10:24 AM, Bruno Wolff III <bruno@wolff.to> wrote:
> On Thu, Feb 17, 2011 at 10:11:37 -0600,
> dabicho <tsukebumi@gmail.com> wrote:
>>
>> That's ok. And I thought it would work that way, but what I am seeing is this:
>>
>> If I encrypt root ( / ) (as well as other partitions, each with a
>> different passphrase), I get asked for one passphrase without any input
>> as to for which partition it is, and all filesystems get mounted
>> without any need for me to write any other passphrase, which makes me
>> wonder what was the deal about specifying a different passphrase on
>> the kickstart if in the end I only use one.
>
> That sounds like there is a bug where perhaps the same passphrase is being
> used for each device. You could probably verify that by running a live image
> and then manually running cryptsetup for each device to verify what the
> passphrase is. If it looks messed up, then file a bug.
>
> Note that you just replied to me. You might want to move the discussion
> back on list if you have further questions.
>
(Thanks for the heads-up.)

Well, I manually changed the passphrase of one partition and all right,
after a reboot I was asked for a password twice, so it looks like it
is indeed using the same passphrase for all partitions.

Is that the intended behaviour for the kickstart? Is there anything I can do?

I guess I can use something like
(echo somepassphrase; echo newpassphrase) | cryptsetup luksAddKey someDevice -
cryptsetup luksKillSlot someDevice 0

on the %post script
And it leaves me with figuring a way to determine the correct 'someDevice'
as fstab uses /dev/mapper entry, and crypttab uses UUID to determine
the correct device, which after some searching, I could make some
relation between them and get the UUID from crypttab and use it with

blkid -l -t UUID=something -o device

Is there a simpler better way to do it?
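The lookup described in the post above (fstab mapper name, then the crypttab entry, then blkid), written out as an added example that is not part of the original thread. The function names are hypothetical, and it assumes fstab mounts `/dev/mapper/NAME` and crypttab lines have the form `NAME SOURCE KEY`; the sample UUIDs are constructed.

```sh
#!/bin/sh
# Added example: find the block device behind an encrypted mount point.
# Assumes fstab mounts /dev/mapper/NAME and crypttab lines read "NAME SOURCE KEY".

# Print the mapper name mounted on $1 according to fstab file $2.
mapper_name_for_mount() {
    awk -v mp="$1" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        $2 == mp && $1 ~ /^\/dev\/mapper\// {
            sub(/^\/dev\/mapper\//, "", $1); print $1; exit
        }' "$2"
}

# Print the source field (UUID=... or a device path) of mapping $1 in crypttab $2.
crypttab_source() {
    awk -v n="$1" 'NF == 0 || $1 ~ /^#/ { next } $1 == n { print $2; exit }' "$2"
}

# Resolve mount point $1 to a device path; fails if it is not a mapped device.
luks_device_for_mount() {
    fstab=${2:-/etc/fstab}; crypttab=${3:-/etc/crypttab}
    name=$(mapper_name_for_mount "$1" "$fstab")
    [ -n "$name" ] || return 1
    src=$(crypttab_source "$name" "$crypttab")
    case "$src" in
        UUID=*) blkid -l -t "$src" -o device ;;   # the lookup used in the post
        /dev/*) printf '%s\n' "$src" ;;
        *)      return 1 ;;
    esac
}

# Demo on constructed sample files (UUIDs are made up); needs no real devices.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed fstab' \
        '/dev/mapper/luks-3333cccc-0000-4000-8000-000000000003 /var/lib/pgsql ext4 defaults 1 2' \
        > "$d/fstab"
    printf '%s\n' '# constructed crypttab' \
        'luks-3333cccc-0000-4000-8000-000000000003 UUID=3333cccc-0000-4000-8000-000000000003 none' \
        > "$d/crypttab"
    crypttab_source "$(mapper_name_for_mount /var/lib/pgsql "$d/fstab")" "$d/crypttab"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

In a %post script, the output of `luks_device_for_mount /var/lib/pgsql` would take the place of `someDevice` in the cryptsetup commands quoted in the post.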
 
Old 02-17-2011, 05:24 PM
dexter
 
Default encrypted partition configuration on kickstart

On 17 February 2011 18:01, dabicho <tsukebumi gmail.com> wrote:
> Well, I manually changed the passphrase of one partition and all right,
> after a reboot I was asked for a password twice, so it looks like it
> is indeed using the same passphrase for all partitions.
>
> Is that the intended behaviour for the kickstart? Is there anything I can do?

Sounds like a bug (or unsupported) against pykickstart, there's no
mention of this behaviour on this page:

https://fedoraproject.org/w/index.php?title=Anaconda/Kickstart#part_or_partition

...dex
 
Old 02-20-2011, 03:30 PM
David Lehman
 
Default encrypted partition configuration on kickstart

On Wed, 2011-02-16 at 18:55 -0600, dabicho wrote:
> Hello.
> I am having trouble understanding how encrypted partitions are
> supposed to work and how to get my desired effect on Fedora 14.
>
> I am writing a kickstart for an automated installation.
> I wrote the following for the partitions:
>
>
> part / --encrypted --passphrase=pass1 --size=10000
> part /boot --size=200
> part /var/lib/pgsql --encrypted --passphrase=pass2 --grow --size=1
> part /var --encrypted --passphrase=pass3 --size=10000
> part /tmp --encrypted --passphrase=pass4 --size=3000
> part swap --encrypted --recommended
>
> I thought that upon boot I would be asked for each passphrase in
> turn, however I am asked only for one passphrase, without any
> indication as to which one, and that being the passphrase for the first
> partition defined ( / ), and that would enable mounting of all the
> partitions.
>
> What am I missing here?

It seems like you're not missing anything.

Each of the partitions should use the passphrase you have specified for
that partition. File a bug at bugzilla.redhat.com against Fedora 14 if
this isn't working correctly. Be sure to include a description like the
one above as well as your kickstart file when you enter the bug report.


> What should I do if I needed the system to ask for each passphrase in
> turn? or at a later time (database partition)?

This is the intended/expected behavior.

>
> Also, I have seen no options to specify a cipher or other encryption
> parameters anywhere.

This is not supported by anaconda/kickstart. To get a cipher other than
the default (aes-xts-plain64 with a 512-byte key) you will have to set
up the encrypted devices yourself.

> Is it possible to prepare encrypted partitions on the %pre script?

Of course. Once you have created your devices using parted, pvcreate,
lvcreate, and/or mdadm you can encrypt them using cryptsetup. In F14 you
must make sure to deactivate/close all of your newly created devices
before exiting from the %pre script.

>
> Thank you.
> Any pointer is appreciated.

http://docs.fedoraproject.org/en-US/Fedora/14/html/Installation_Guide/apcs02.html

This is Appendix C from the Fedora 14 Installation Guide, entitled "Disk
Encryption". There are several pages that explain concepts,
best-practices, and actual example commands for setting up encrypted
block devices.

David

 
Old 02-21-2011, 04:12 AM
dabicho
 
Default encrypted partition configuration on kickstart

On Sun, Feb 20, 2011 at 4:30 PM, David Lehman <dlehman@redhat.com> wrote:
> On Wed, 2011-02-16 at 18:55 -0600, dabicho wrote:
>
> Of course. Once you have created your devices using parted, pvcreate,
> lvcreate, and/or mdadm you can encrypt them using cryptsetup. In F14 you
> must make sure to deactivate/close all of your newly created devices
> before exiting from the %pre script.
>
>>
>> Thank you.
>> Any pointer is appreciated.
>
> http://docs.fedoraproject.org/en-US/Fedora/14/html/Installation_Guide/apcs02.html
>
> This is Appendix C from the Fedora 14 Installation Guide, entitled "Disk
> Encryption". There are several pages that explain concepts,
> best-practices, and actual example commands for setting up encrypted
> block devices.
>
> David
>
>

Thank you very much.
My doubts were more about the way Anaconda creates /etc/crypttab and
/etc/fstab, but I guess if it will be the %pre script that prepares the
partitions, then I can also tell anaconda the right mapper device
names, and I will need to write the /etc/crypttab file in the %post
script too.
Am I right?
All times are GMT.