LVM ROOT encryption
Posted: 2009/01/09 07:30:26
Hello All,
I have following problem:
Notebook Dell Latitude D630:
Disk partitioned:
fdisk -l
Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 3866 3882 136552+ 83 Linux------------> /boot partition
/dev/sda2 * 16 3865 30925125 7 HPFS/NTFS---> windows
/dev/sda3 3883 13609 78132127+ 83 Linux ----------> partition for encrypted data
/dev/sda4 18600 19457 6891885 8e Linux LVM----> current CentOS installation
I am running kernel: 2.6.18-92.1.22.el5PAE
I tried to create an encrypted partition with cryptsetup LUKS to encrypt the whole root partition, and I followed this manual exactly:
http://lists.centos.org/pipermail/centos-docs/2008-September/001791.html
So everything was OK; I was able to do all of this:
cryptsetup -v -y -s 256 luksFormat /dev/sda3
cryptsetup luksOpen /dev/sda3 crypt
key slot 0 unlocked.
Command successful.
cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: 2c da d4 15 2b 0d d5 ed 6c 8a a6 e2 b9 fe 26 c8 da a5 90 b9
MK salt: bb 20 50 e4 73 df b6 31 8c a0 a8 69 9a e5 a6 a6
8d d4 fc 22 8b 46 7c 5a de 02 18 18 92 11 de 83
MK iterations: 10
UUID: 5a7a7b07-4a28-4c03-a913-c1313183c52a
Key Slot 0: ENABLED
Iterations: 212118
Salt: 91 20 0d 52 30 68 c6 1f a5 c0 6a 97 25 f6 85 31
c8 a1 98 33 57 2b b5 48 2b e7 c6 43 20 ba 14 3f
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 211126
Salt: 98 e6 4b d6 4f 7b 77 c9 ab 17 9f 3a 16 73 dc 07
d0 5c ad e2 1a 92 e0 77 32 0c 9c be fe 4b c4 93
Key material offset: 136
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
cryptsetup status crypt
/dev/mapper/crypt is active:
cipher: aes-cbc-essiv:sha256
keysize: 128 bits
device: /dev/sda3
offset: 1032 sectors
size: 156263223 sectors
mode: read/write
dmsetup status
vg00-lvol01: 0 9175040 linear
crypt: 0 156263223 crypt
vg00-lvol04: 0 1179648 linear
vg00-lvol03: 0 983040 linear
vg00-lvol02: 0 1179648 linear
ls -l /dev/mapper
total 0
crw------- 1 root root 10, 63 Jan 9 2009 control
brw-rw---- 1 root disk 253, 4 Jan 9 08:12 crypt
brw-rw---- 1 root disk 253, 0 Jan 9 08:08 vg00-lvol01---------> /
brw-rw---- 1 root disk 253, 2 Jan 9 08:08 vg00-lvol02---------->/home
brw-rw---- 1 root disk 253, 1 Jan 9 08:08 vg00-lvol03----------->/tmp
brw-rw---- 1 root disk 253, 3 Jan 9 2009 vg00-lvol04------------>/swap
cryptsetup luksClose crypt
I am also able to load modules without any problem:
modprobe dm-mod aes sha256 cbc
ok
I was able to create an initrd with the "patched" mkinitrd for encrypted FS:
/sbin/mkinitrd -v /boot/initrd-2.6.18-92.1.22.el5PAE.crypt.img 2.6.18-92.1.22.el5PAE
Then, in single-user mode:
cryptsetup luksOpen /dev/sda3 crypt
dd if=/dev/sda4 of=/dev/mapper/crypt
cryptsetup luksClose crypt
Everything OK!
But when I tried to boot from the new initrd image:
The system correctly asks for the passphrase and...
ERROR:
========================================
device-mapper: table: 253:0: crypt unknown target type ---------> I found something about a multipath issue.
Failed to setup dm-crypt key mapping.
Check kernel for support for aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda3 contains at least 133 sectors.
Failed to read from key storage.
========================================
Maybe there is also a problem with mkinitrd? You can find mine in the attachment.
I tried to set it all up before on VirtualBox (just the kernel without PAE, but the same one) and it worked!
Please help me out with this or bring any idea how to fix this. Maybe it is possibly a bug also. I do not know.
But what I know for sure is that I will have to kill myself if this does not work by Monday morning.
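As an added check (not part of the original post or of the CentOS document it follows), this script parses a `cryptsetup luksDump` listing like the one above, derives the dm-crypt cipher spec string that the boot error names and the modules the initrd must carry for it (the crypt target is provided by dm-crypt, not by dm-mod), and flags header values that differ from what was requested: the dump in the post reports MK bits 128 although luksFormat was run with -s 256, and two key slots are enabled. The sample input is constructed from the post's dump with the digest and salt fields omitted.

```python
import re
# Constructed sample modelled on the luksDump in the post (digest/salt omitted).
SAMPLE_DUMP = """\
LUKS header information for /dev/sda3
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
MK bits:        128
Key Slot 0: ENABLED
        Iterations:     212118
Key Slot 1: ENABLED
Key Slot 2: DISABLED
"""

def parse_luks_dump(text):
    """Return (header fields, {slot: enabled}) from LUKS1 luksDump text."""
    hdr, slots = {}, {}
    for line in text.splitlines():
        m = re.match(r"Key Slot (\d+):\s+(ENABLED|DISABLED)", line)
        if m:
            slots[int(m.group(1))] = m.group(2) == "ENABLED"
        elif not line[:1].isspace():  # indented lines describe a slot
            m = re.match(r"([A-Za-z ]+):\s*(.*)", line)
            if m:
                hdr[m.group(1).strip()] = m.group(2).strip()
    return hdr, slots

def cipher_spec(hdr):
    """dm-crypt spec string (e.g. aes-cbc-essiv:sha256) named in the boot error."""
    return f"{hdr['Cipher name']}-{hdr['Cipher mode']}"

def required_modules(hdr):
    """Modules the initrd needs: the crypt target (dm-crypt, not just dm-mod),
    the cipher, the chaining mode and the ESSIV hash."""
    mods = {"dm-crypt", hdr["Cipher name"]}
    chain, _, iv = hdr["Cipher mode"].partition("-")
    mods.add(chain)
    if iv.startswith("essiv:"):
        mods.add(iv.split(":", 1)[1])
    return mods

def check_header(hdr, slots, requested_key_bits):
    """Flag header values that differ from what the administrator asked for."""
    findings = []
    mk_bits = int(hdr["MK bits"])
    if mk_bits != requested_key_bits:
        findings.append(f"master key is {mk_bits} bits, not the requested {requested_key_bits}")
    enabled = sorted(s for s, on in slots.items() if on)
    if len(enabled) > 1:
        findings.append(f"key slots {enabled} are all enabled; any of their passphrases unlocks the volume")
    return findings
```

On a real system, feed it the output of `cryptsetup luksDump /dev/sda3` and compare `required_modules` against what the initrd actually contains before rebooting.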