{"id":408,"date":"2014-02-26T17:28:33","date_gmt":"2014-02-26T05:28:33","guid":{"rendered":"http:\/\/mdickinson.dyndns.org\/php\/wordpress\/?p=408"},"modified":"2014-02-26T17:28:45","modified_gmt":"2014-02-26T05:28:45","slug":"a-wasted-evening-disk-encryption-is-a-pain","status":"publish","type":"post","link":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/?p=408","title":{"rendered":"A wasted evening, disk encryption is a pain"},"content":{"rendered":"<p>Been quite a few burglaries this way, every single machine I have apart from the webserver (which must start without human intervention) and my main desktop have encrypted disks; so I thought it was time to encrypt the home folder on my main desktop.<\/p>\n<p>So I backed up the home folders to the encrypted external drive for that machine, created a \/home2\/mark directory and edited \/etc\/passwd to make that my home directory (so I could unmount the LV used by home), and rebooted.<\/p>\n<p>Unmounted \/home, LUKS encrypted it, luksOpened it, made an ext4 filesystem in the volume, put the LUKS UUID in \/etc\/crypttab and the embedded ext4 UUID in \/etc\/fstab to replace the original ext4 LV entry; rebooted.<\/p>\n<p>OOPS. The external disk encryption keys were in \/home, so the external drive failed to mount. And the encryption keys I use are not enterable from the keyboard. 
But at least I knew what they were, created a key file in \/home2 and manually mounted the drive using that.<br \/>\nAnd here lies problem two: obviously I cannot keep the encryption keys in \/home anymore, as that is going to be encrypted. No biggie, the external disk keys can go in \/boot.<\/p>\n<p>BUT I wasn&#8217;t actually able to mount the new encrypted \/home filesystem; and password prompting was irregular (sometimes a GUI window at boot, sometimes I had to hit ESC and enter it from the command line boot window).<\/p>\n<p>I think the problem is the crypttab entries try to mount their encrypted volumes <b>before<\/b> the logical volumes are mounted, which makes sense as PVs and associated LVs are normally on encrypted raw partitions and I am trying to do it the other way around.<br \/>\nNo problem, I will have to mount it from an S99 rc script, which will probably require using the command line boot display rather than letting it start with the GUI splash screens&#8230;<\/p>\n<p>&#8230;but that&#8217;s next weekend, I needed it back to do some TV recording so reformatted \/home as a normal ext4 LV and restored back into it. Flicked SELinux into permissive as the context labels were not restored by tar; will relabel on the next boot to fix that. 
<\/p>\n<p>But after 4-5 hrs of mucking about with this it&#8217;s back to where I started from for now.<\/p>\n<p>The problem there may be keychaining, as the \/home filesystem must use a different key to the external drive (so I can enter it from the keyboard at boot), or more probably the crypttab entries try to<br \/>\nautomating providing that key on the same disk makes encryption pointless (OK to automount external disks as if someone steals them they can&#8217;t use them without taking the desktop as well).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Been quite a few burglaries this way, every single machine I have apart from the webserver (which must start without human intervention) and my main desktop have encrypted disks; so I thought it was time to encrypt the home folder &hellip; <a href=\"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/?p=408\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-408","post","type-post","status-publish","format-standard","hentry","category-my-nux-thoughts-and-notes"],"_links":{"self":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/408","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=408"}],"version-history":[{"count":1,"href":"https:\/\/mdickinson.dyndns.org\
/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/408\/revisions"}],"predecessor-version":[{"id":409,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/408\/revisions\/409"}],"wp:attachment":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}