From: Daniel Troeder
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Genkernel: non-standard crypto setup
Date: Fri, 02 Jan 2009 21:42:37 +0100
Message-Id: <1230928957.12748.31.camel@maya.local>
In-Reply-To: <200901022003.40873.dirk.heinrichs@online.de>
References: <200901021928.56817.dirk.heinrichs@online.de> <200901022003.40873.dirk.heinrichs@online.de>
On Friday, 02.01.2009, 20:03 +0100, Dirk Heinrichs wrote:
> On Friday, 2 January 2009 19:36:28, Jens Müller wrote:
> > Raid part 1 \
> > Raid part 2 >- Raid5 -> /dev/md127 = PV1
> > Raid part 3 /
> >
> > ...(possibly others)...
> > PV1 --LVM--> VG1 ---> LV1: \dev\mapper\vg1-crypt
> >
> > LV1: \dev\mapper\vg1-crypt --cryptsetup--> \dev\mapper\crypt_pv
> >
> > \dev\mapper\crypt_pv = PV2 --LVM--> VG1 ---> (all the partitions)
    ^^^^^^^^^^^^^^^^^ backslashes - hihi ;-)
> > Basically, I have one encrypted "physical" volume, but I want to be
> > flexible ...
>
> If you have one encrypted PV from which you build a VG, then every LV inside
> it will automatically be encrypted. So where's the flexibility?

I think it's a good idea. I have (nearly) my whole disk (except /boot and 1xNTFS) as a partition which is encrypted. Unencrypted it is a PV for a VG in which all my Linux partitions live. Nicely transparent setup for me, except for the fact that now I cannot install anything unencrypted anymore (for guests, for example) or use a different key for different LVs. I don't know if the added LVM layer costs notable CPU time, but it'd be easy for you to test :)

> For the latter I have some scripts ready to create an initramfs which can be
> combined with the kernel (It's for EVMS, but it should be easy to adapt to
> LVM.

I'm pretty sure genkernel can do it. I have observed that _before_ it asks me for my crypt password it does an lvm-scan, and also _after_. The latter is the only one I need, but for Jens the first one will make your LV for decryption accessible, and the latter will then reveal your LV for your root.

BTW: I have compiled the modules I need for booting (incl. crypto stuff) into the kernel, so I can use this initrd with every new kernel. As it now contains no modules, there is no need not to use genkernel anymore.

The genkernel docs tell you to use on the kernel command line:

root=/dev/vg0/gentoo-root (unencrypted dev - for /proc/cmdline)
real_root=/dev/vg0/gentoo-root (unencrypted dev - for initrd-script)
crypt_root=/dev/sda2 (encrypted dev - for initrd-script)
dolvm (do LVM scans - for initrd-script)
keymap=de (if not US-kbd - for initrd-script)

There is also "real_swap" and "real_resume" and other nice stuff :)

Bye,
Daniel
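The kernel command-line parameters listed in the post, as an added sanity check that is not part of the original message or of genkernel: a POSIX sh function that parses such a command line and flags the combinations that leave the initrd script unable to find the root (the parameter names real_root, crypt_root and dolvm come from the post; the pattern used to recognise an LV path is an assumption).

```sh
# Added example, not code from the mailing-list post: consistency check for the
# genkernel command line described above (real_root=, crypt_root=, dolvm).
# Assumption: LVs appear as /dev/<vg>/<lv> or /dev/mapper/<vg>-<lv>; a LUKS
# mapping such as /dev/mapper/crypt_pv is not an LV.

# get_param CMDLINE NAME: print the value of NAME=value (empty if absent).
get_param() {
    for tok in $1; do
        case "$tok" in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 0
}

# has_flag CMDLINE NAME: succeed if the bare word NAME is present.
has_flag() {
    for tok in $1; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# check_genkernel_cmdline CMDLINE: print one finding per line; the return
# value is the number of findings (0 means the command line is consistent).
check_genkernel_cmdline() {
    problems=0
    real_root=$(get_param "$1" real_root)
    crypt_root=$(get_param "$1" crypt_root)
    if [ -z "$real_root" ]; then
        echo "real_root= is missing: the initrd script does not know the root device"
        problems=$((problems + 1))
    fi
    # A root on an LV is only visible after the LVM scan that dolvm enables.
    case "$real_root" in
        /dev/vg*/*|/dev/mapper/*-*)
            if ! has_flag "$1" dolvm; then
                echo "real_root=$real_root looks like an LV but dolvm is not set"
                problems=$((problems + 1))
            fi ;;
    esac
    # crypt_root is the device cryptsetup opens; real_root is what it unlocks
    # into (or an LV inside it), so the two can never be the same device.
    if [ -n "$crypt_root" ] && [ "$crypt_root" = "$real_root" ]; then
        echo "crypt_root and real_root name the same device ($crypt_root)"
        problems=$((problems + 1))
    fi
    return $problems
}
```

On a running system call it as `check_genkernel_cmdline "$(cat /proc/cmdline)"`; a non-zero exit status is the number of findings printed.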