Debian Etch Raid Cryptsetup Lvm Setup

• Site links
  • Front Page
  • Recent Changes
  • Site Map
  • Site Search
• Tools
  • Backlinks
  • Localmap
  • Likesearch
• Actions
  • View
  • Print

Admin Stuff

I have no idea, how to do this using the etch installer. It might be possible but I didn't even try :-)

I installed debian manually from grml

• boot into grml
• setup RAID
• setup cryptsetup. Here comes the problem: I installed it using the default settings and a 64 byte keyfile. more on this later.
• setup physical volume on the crypted device and create volume group
• create logical volumes, mount and install debian using grml-debootstrap

Thats the installation. Now the difficult part is getting the thing to boot. My setup boots from a USB-Stick. This stick holds the kernel, initrd and the keyfile. There are two issues:

• The default paramters used by the boot script differ from those of cryptsetup
• There is no default support for using a keyfile to decrypt the root fs

We begin by installing SYSLINUX on the usb stick (with the syslinux command).

Next we configure /etc/crypttab. If we did not happen to use the default crypttab settings (aes with essiv and 256bit kezsize via sha256 hashing) we need to pass the cipher= and size= perameters explicitly. If cryptsetup was used with it's default parameters, this is cipher=aes-cbc-plain size=128 (but more on size below).

Since we use a keyfile, we need to write a simple key script. This script needs to write the key material to standard output. So something like

 modprobe usb_storage
 sleep 5
 mkdir /usb
 mount -o ro,umask=077 -t vfat /dev/usbstick /usb
 cat /usb/keyfile
 umount /usb

just make sure not to create any output on stdout besides the keyfile. Here comes another hurdle: cryptsetup will add an additional hash step when reading the keyfile from stdin, so we need to add hash=plain to the options in crypttab. This script assumes, that udev has been configured to create an additional symlink /dev/usbstick for the first partition of a usb storage device. The nice thing is, that udev is running on the initrd and that the local configuration files from /etc/udev/rules.d are copied into the intramfs so if udev is configured correctly on the host system, it will also work on the initramfs.

Lastly we need to add usb_storage plus the vfat codepages (nls_cp437, nls_iso8859_1) to /etc/initramfs-tools/modules.

Stop ... and theres another thing: We need to tell the cryptsetup boot module explicitly to start lvm. So we need to add yet another option to crypttab: lvm=VGsystem-LVroot (or however your root device is named in /dev/mapper)

running update-initramfs -u will create a new initrd.img which we copy to the stick together with the vmlinuz file. We create syslinux.cfg on the stick and are ready to reboot ... Voila !

© g0dil.de &emdash; Site powered by (a heavily patched Version of) MonkeyWiki