Encrypted LVM partitions

Kurt Granroth plug-discuss at granroth.org
Sun Sep 17 19:37:43 MST 2006


Yep.  What I was hoping was that somebody had already done this and knew
exactly what commands to put in the initrd 'init' script.  Yeah, I'm
lazy :-)

Okay, sometimes you get a little spoiled that distros like SUSE do
nearly everything for you.  I hadn't ever had to deal with lvm at a
command-line level so I didn't know what needed to be done.  It turns
out that the SUSE mkinitrd script *does* handle lvm volumes... but only
if the root partition is lvm.

That's where I ran into problems.  Normally, the only time you need lvm
support in the initrd is if the root volume is involved.  That's because
the lvm subsystem is activated prior to mounting any other local mount.
In my case, I was moving outside of the mainstream.  I didn't have an
lvm root so the mkinitrd script didn't add those commands.  However, I
did need the lvm subsystem prior to boot since that's when the
cryptsetup code runs.

The fix was to customize the 'mkinitrd' to fit my purposes.  This
involved three steps:

1. Hard-coding 'lvm2' into the features list (to force it to include the
'lvm' binaries into the initrd)
2. Doing a manual mapping of the /dev/dm-X to my /dev/mapper/symbolic
names since the numbering of dm-X can change
3. Manually activating the lvm subsystem prior to decrypting the
partitions using this:

  /sbin/lvm vgscan
  /sbin/lvm vgchange -ay

After that, it all magically worked!

Kenneth wrote:
> I don't have any experience with encrypted filesystems, but if some devices
> are not set up, maybe that should be done in the initrd.
> I know if you run a distro that uses udev and wants to run it from the
> initrd, and you try to start up with a kernel without that initrd, you don't
> get any device files at all, so it doesn't get very far.
> 
> --- Kurt Granroth <plug-discuss at granroth.org> wrote:
> 
>> Does anybody here have any experience with encrypted lvm partitions
>> mounted at system startup?  I'm running SUSE 10.1 (inside of VMware) and
>> I want to have an entirely encrypted system where *every* partition is
>> encrypted.  I am most of the way there but can't seem to get to the next
>> step.
>>
>> Here's what I have:
>>
>> /dev/sdb2 -> cryptsetup-luks -> /dev/mapper/root
>> /dev/sda2 -> cryptsetup-luks -> /dev/mapper/swap
>> /dev/mapper/system-home -> cryptsetup-luks -> /dev/mapper/home
>> /dev/mapper/system-shared -> cryptsetup-luks -> /dev/mapper/shared
>>
>> I used the instructions on the OpenSUSE site to get the encrypted root
>> and swap partitions to work using a modified 'mkinitrd'.
>>
>> http://en.opensuse.org/Encrypted_Root_File_System_with_SUSE_HOWTO
>>
>> That part is working like a charm.  When I boot, I am presented with an
>> opportunity to enter my password.  On doing so, it decrypts my root and
>> swap partitions, mounts them, and continues.
>>
>> Once booted, I can map my LVM partitions to the cryptsetup ones
>> (system-home to home and system-shared to shared).  I can then mount the
>> decrypted mappings (home and shared) to the proper directories and
>> everything works great.
>>
>> The problem comes when I try to mount those LVM partitions during the
>> boot process.  When it comes time to mount them, I am presented with a
>> password prompt... but no password works.  I am nearly certain that it's
>> because the /dev/mapper/system-{home|shared} LVM devices don't yet exist
>> in the initrd process.
>>
>> But how?  I'm missing some crucial step, it seems, in figuring out how
>> to get this all to work.
>>
>> Any clues?
>>
>> Kurt
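As an added example (not code from this thread and not SUSE's mkinitrd), the shell fragment below sketches the three steps in initrd style: activate the volume groups, rebuild the /dev/mapper names from whatever dm-N numbers the kernel assigned this boot, and only then open the LUKS containers that sit on top of the logical volumes. It assumes a kernel that exposes /sys/block/dm-N/dm/name (newer than the SUSE 10.1 kernel in the post, which likely needed dmsetup for the same lookup); the paths to lvm and cryptsetup, the sysfs and /dev roots, and the system-home/system-shared layout are taken from the post or are overridable variables so the logic can be exercised without real devices.

```shell
#!/bin/sh
# Added example: initrd-style helper that activates LVM before opening
# LUKS volumes layered on logical volumes. Not the SUSE mkinitrd code.
# Assumption: the kernel exposes /sys/block/dm-N/dm/name for each dm device.

LVM=${LVM:-/sbin/lvm}                  # lvm binary (step 1 puts it in the initrd)
CRYPTSETUP=${CRYPTSETUP:-/sbin/cryptsetup}
SYSFS=${SYSFS:-/sys}                   # overridable so the logic is testable offline
DEVDIR=${DEVDIR:-/dev}

# Step 2: rebuild /dev/mapper/<name> -> ../dm-N from sysfs, since the dm-N
# numbering can differ from boot to boot. Names that could escape the
# mapper directory are skipped rather than trusted.
map_dm_names() {
    mkdir -p "$DEVDIR/mapper"
    for sysdev in "$SYSFS"/block/dm-*; do
        [ -r "$sysdev/dm/name" ] || continue
        dm=$(basename "$sysdev")
        name=$(cat "$sysdev/dm/name")
        case $name in ''|*/*|.|..) continue ;; esac
        ln -sfn "../$dm" "$DEVDIR/mapper/$name"
    done
}

# Step 3: activate volume groups so the logical volumes exist at all.
# This must run before any cryptsetup call that targets an LV.
activate_lvm() {
    "$LVM" vgscan >/dev/null 2>&1 || return 1
    "$LVM" vgchange -ay >/dev/null 2>&1 || return 1
    map_dm_names
}

# Device nodes can appear asynchronously; poll briefly instead of assuming.
wait_for_dev() {
    dev=$1; tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        [ -e "$dev" ] && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Open one LUKS container: source device -> /dev/mapper/<target>.
# Failing loudly here is what turns "no password works" into a clear error.
open_luks() {
    src=$1; target=$2
    wait_for_dev "$src" || { echo "open_luks: $src never appeared" >&2; return 1; }
    "$CRYPTSETUP" luksOpen "$src" "$target"
}

# The order the post arrived at: LVM first, then the LUKS layers on top.
# Source/target pairs mirror the layout described in the thread.
open_encrypted_volumes() {
    activate_lvm || return 1
    open_luks "$DEVDIR/mapper/system-home" home || return 1
    open_luks "$DEVDIR/mapper/system-shared" shared || return 1
}

# Only perform the real activation when explicitly asked (e.g. from init).
if [ "${1:-}" = run ]; then
    open_encrypted_volumes
fi
```

Inside an initrd you would call this with `run` after udev (or a static /dev) is in place and before the root and other encrypted mounts are attempted; the point of the wait and the explicit return codes is that a missing logical volume shows up as a diagnosable error rather than as a passphrase prompt that can never succeed.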
