
I have created a logical volume and used LUKS to encrypt it. But while rebooting the server, I get an error message (below), so I have to enter the root password and disable the /etc/fstab entry. So the mount of the LUKS partition is not persistent across reboots. I have this setup on RHEL6 and am wondering what I could be missing. I want the LV to be mounted on reboot. Later I would want to use the UUID instead of the device name.

Error message on reboot: "Give root password for maintenance (or type Control-D to continue):"

Here are the steps from the beginning:

[root@rhel6 ~]# pvcreate /dev/sdb 
  Physical volume "/dev/sdb" successfully created
[root@rhel6 ~]# vgcreate vg01 /dev/sdb 
  Volume group "vg01" successfully created
[root@rhel6 ~]# lvcreate --size 500M -n lvol1 vg01
  Logical volume "lvol1" created
[root@rhel6 ~]# lvdisplay 
  --- Logical volume ---
  LV Name                /dev/vg01/lvol1
  VG Name                vg01
  LV UUID                nX9DDe-ctqG-XCgO-2wcx-ddy4-i91Y-rZ5u91
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                500.00 MiB
  Current LE             125
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0

[root@rhel6 ~]# cryptsetup luksFormat /dev/vg01/lvol1 

WARNING!
========
This will overwrite data on /dev/vg01/lvol1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 

[root@rhel6 ~]# mkdir /house

[root@rhel6 ~]# cryptsetup luksOpen /dev/vg01/lvol1 house
Enter passphrase for /dev/vg01/lvol1: 

[root@rhel6 ~]# mkfs.ext4 /dev/mapper/house 
mke2fs 1.41.12 (17-May-2010)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
Stride=0 blocks, Stripe width=0 blocks
127512 inodes, 509952 blocks
25497 blocks (5.00%) reserved for the super user
First data block=1
Maximum filesystem blocks=67633152
63 block groups
8192 blocks per group, 8192 fragments per group
2024 inodes per group
Superblock backups stored on blocks: 
    8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Writing inode tables: done                            
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 21 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

[root@rhel6 ~]# mount -t ext4 /dev/mapper/house /house

PS: HERE I have successfully mounted:
[root@rhel6 ~]# ls /house/
lost+found

[root@rhel6 ~]# vim /etc/fstab  -> as follows
/dev/mapper/house /house ext4 defaults 1 2

[root@rhel6 ~]# vim /etc/crypttab -> entry as follows
house /dev/vg01/lvol1 password

[root@rhel6 ~]# mount -o remount /house
[root@rhel6 ~]# ls /house/
lost+found
[root@rhel6 ~]# umount /house/
[root@rhel6 ~]# mount -a  -> SUCCESSFUL AGAIN
[root@rhel6 ~]# ls /house/
lost+found

Please let me know if I am missing anything here.

Thanks in advance.

linxsaga
  • Is your root filesystem already encrypted? You didn't actually put your password in the crypttab, did you? – Zoredache May 30 '12 at 18:41
  • My boot partition or any other partitions are NOT encrypted. Yes - I have put the password in the /etc/crypttab file as the third string. Is there something I am missing? – linxsaga May 30 '12 at 18:59
  • Well, what is the point of encrypting anything if you leave the key unencrypted on the filesystem? Seems like a completely pointless thing to do. What are you protecting against? – Zoredache May 30 '12 at 19:32
  • Either way, even if you used a random string in a file, it would need to be kept unencrypted. – linxsaga May 30 '12 at 19:40
  • Are there better alternatives? I know we could use a random string in a file, which could be used as a password, but the file would still be protected by permissions only. But the issue here is why I can't reboot? – linxsaga May 30 '12 at 19:43
  • You are missing the point. If an attacker has the key, then the encryption is pointless. If you don't plan on storing your key on some kind of removable media (USB key) or entering it when the system boots, then you might as well leave it unencrypted. Anyway, to your main problem. Every time I see LUKS and LVM used together the LVM is on top of LUKS, not the other way around. – Zoredache May 31 '12 at 01:42

1 Answer

Here is the solution I found, and I am just sharing it for the benefit of others.

Just typing the password in /etc/crypttab does not work for me. Instead I created a random key which was used to encrypt the password with the following commands. However, the key is still stored insecurely under /root/pass.key.

dd if=/dev/random of=/root/pass.key bs=32 count=1 iflag=fullblock   # fullblock: without it a short read from /dev/random leaves a key shorter than 32 bytes

cryptsetup luksAddKey /dev/vg01/lvol1 /root/pass.key

Then I used vim to edit /etc/crypttab and added the path of the key file.

Journeyman Geek
linxsaga
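As an added example (not from the question, the answer, or RHEL's own tooling): a small POSIX shell checker for the two files involved here. It classifies the key field of each /etc/crypttab entry (on RHEL 6 that third field is a key file path, or "none" to prompt at boot, never the passphrase itself, which is why the question's entry fails and the answer's key file works), cross-checks the /dev/mapper names used in /etc/fstab, and verifies that a key file is readable by its owner only. The sample files, their paths and the checker's function names are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the post. On RHEL 6 the third field of /etc/crypttab
# is a key file path (or "none" to prompt), never the passphrase itself.
# crypttab_key_kind "<crypttab line>": classify the key field (field 3).
crypttab_key_kind() {
    set -- $1                        # split the line into its fields
    case "${3:-none}" in
        none|-) echo prompt ;;       # passphrase is asked for at boot
        /*)     echo keyfile ;;      # absolute path to a key file
        *)      echo literal ;;      # the mistake from the question
    esac
}

# keyfile_ok PATH: key file exists, is owned by us, and is mode 0400 or 0600.
keyfile_ok() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# check_config CRYPTTAB FSTAB: print one line per problem found.
check_config() {
    ct=$1 fs=$2
    # every /dev/mapper/NAME mounted from fstab needs a crypttab entry NAME
    awk '$1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' "$fs" |
    while read -r name; do
        grep -q "^$name[[:space:]]" "$ct" ||
            echo "fstab: /dev/mapper/$name has no crypttab entry"
    done
    # every crypttab entry must prompt or point at a locked-down key file
    while read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line
        case "$(crypttab_key_kind "$line")" in
            literal) echo "crypttab: $1 has a literal passphrase in the key field" ;;
            keyfile) keyfile_ok "$3" ||
                     echo "crypttab: $1 key file $3 is missing or too permissive" ;;
        esac
    done < "$ct"
}

# Constructed sample files (assumed paths; not the server from the question).
D=$(mktemp -d); umask 077
head -c 32 /dev/urandom > "$D/pass.key"                  # 32-byte key, mode 0600
printf 'house /dev/vg01/lvol1 password\n' > "$D/crypttab.bad"
printf 'house /dev/vg01/lvol1 %s\n' "$D/pass.key" > "$D/crypttab.good"
printf '/dev/mapper/house /house ext4 defaults 1 2\n' > "$D/fstab"
check_config "$D/crypttab.bad" "$D/fstab"    # flags the literal passphrase
check_config "$D/crypttab.good" "$D/fstab"   # prints nothing
```

Run it as root against the real /etc/crypttab and /etc/fstab to get the same report before rebooting; an empty report means every mapped device in fstab has a crypttab entry that can be unlocked unattended or will prompt.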