Diffstat (limited to 'README_CRYPT.TXT')
-rw-r--r--  README_CRYPT.TXT  66
1 files changed, 42 insertions, 24 deletions
diff --git a/README_CRYPT.TXT b/README_CRYPT.TXT index d8a0dd87..d2b98029 100644 --- a/README_CRYPT.TXT +++ b/README_CRYPT.TXT @@ -14,6 +14,7 @@ Contents: * Hibernation (suspend-to-disk)
* Additional passphrases, keyfiles
* A note on custom kernels
+* USB keyboards and LUKS
* A mkinitrd helper script
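Review bot: the contents list still has "Hibernation (suspend-to-disk)" before "Additional passphrases, keyfiles", but in the body the keyfile section comes first and the "Hibernation (suspend-to-disk)" heading follows it (visible at the end of the keyfile hunk further down). Since this hunk edits the list anyway, reorder those two entries to match the body so the new "USB keyboards and LUKS" entry sits in a list that reflects the actual section order.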
@@ -306,10 +307,10 @@ needed to unlock the root filesystem, so that the kernel can start the init program. In the example command line below which creates the 'initrd.gz'
image I assume that the root filesystem is 'ext3', we used the mapped device
'cryptroot' for the root filesystem on the real partition '/dev/sdx1',
-and are running the Slackware 13.1 default SMP kernel '2.6.33.4-smp'
+and are running the Slackware 13.37 default SMP kernel '2.6.37.6-smp'
and we did not use Logical Volumes (more about that in the next section):
- # mkinitrd -c -k 2.6.33.4-smp -m ext3 -f ext3 -r cryptroot -C /dev/sdx1
+ # mkinitrd -c -k 2.6.37.6-smp -m ext3 -f ext3 -r cryptroot -C /dev/sdx1
* The resulting initrd image will be written to the file '/boot/initrd.gz'
by default. We still need to tell lilo about this initrd. Open the
@@ -317,7 +318,7 @@ configuration file '/etc/lilo.conf' in an editor such as vi or pico - it should already have been generated by the 'liloconfig' part of setup.
Look for the "Linux bootable partition config" and add a line for the initrd.
We also need to change the kernel file to a generic kernel, because lilo
-is unable to combine the 'huge' kernels in Slackware 13.1 with an initrd
+is unable to combine the 'huge' kernels in Slackware 13.37 with an initrd
image - it will complain about "The initial RAM disk is too big to fit
between the kernel and the 15M-16M memory hole" if you try with a 'huge'
kernel. We can live with that, since the 'huge' kernels are not meant
@@ -325,7 +326,7 @@ for day-to-day use anyway. They are meant to install Slackware on a wide range of computers and that is why they are 'huge'. The linux part of
'/etc/lilo.conf' should end up looking somewhat like this:
-image = /boot/vmlinuz-generic-smp-2.6.33.4-smp
+image = /boot/vmlinuz-generic-smp-2.6.37.6-smp
initrd = /boot/initrd.gz
root = /dev/mapper/cryptroot
label = linux
@@ -366,7 +367,7 @@ One, you will need to enter a passphrase for every partition you have encrypted (except for the swap which Slackware encrypts with a random passphrase
on every boot). Two, the method used for encrypting the swap partition
prohibits the use of the swap as a hibernation partition. And since the
-initrd of Slackware 13.1 supports hibernation, it would be a shame not to be
+initrd of Slackware 13.37 supports hibernation, it would be a shame not to be
able to use this feature on your laptop (which, because of it's portability,
is the primary target for full disk encryption anyway).
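Review bot: style point in the trailing context of this hunk: "because of it's portability" should read "its portability". The hunk is already rewriting the sentence two lines above, so fold the fix in rather than leaving the typo for another pass.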
@@ -416,7 +417,7 @@ operations will therefore be '/dev/mapper/slackluks'. * The LVM part is next. Create a Physical Volume (PV) on device
'/dev/mapper/slackluks', a Volume Group (VG) called 'cryptvg' - any name will
do - on the PV, and three Logical Volumes (LV's) in the VG, one for your
-root partition (5 GB in size), one for the /home partition (10 GB in size)
+root partition (7 GB in size), one for the /home partition (10 GB in size)
and a third which we will use for swap (1 GB in size). You will probably
use different sizes depending on your environment and wishes, but keep the
sum of the LV sizes less than the total size of the Physical Volume:
@@ -425,7 +426,7 @@ sum of the LV sizes less than the total size of the Physical Volume: # vgcreate cryptvg /dev/mapper/slackluks
- # lvcreate -L 5G -n root cryptvg
+ # lvcreate -L 7G -n root cryptvg
# lvcreate -L 10G -n home cryptvg
@@ -489,10 +490,10 @@ stage of booting the kernel. The initial ramdisk (initrd) contains a small filesystem with the tools needed to unlock the root filesystem, so that
the kernel can start the init program. In the example command line below
which creates the 'initrd.gz' image I assume that you formatted the root
-filesystem as 'ext3', and will be running the Slackware 13.1 default SMP
-kernel '2.6.33.4-smp' :
+filesystem as 'ext3', and will be running the Slackware 13.37 default SMP
+kernel '2.6.37.6-smp' :
- # mkinitrd -c -k 2.6.33.4-smp -m ext3 -f ext3 -r /dev/cryptvg/root -C /dev/sdx2 -L
+ # mkinitrd -c -k 2.6.37.6-smp -m ext3 -f ext3 -r /dev/cryptvg/root -C /dev/sdx2 -L
NOTE: if you use a non-US keyboard and need to enter a passphrase during boot,
this may be problematic if the keyboard mapping is US while Slackware
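Review bot: the NOTE on non-US keyboards that starts in the trailing context here covers the same ground as the new "USB keyboards and LUKS" section added later in this patch, which names the '-l' parameter to mkinitrd. Keep the keymap advice in one place: either name '-l' here and drop the sentence from the new section, or shorten this NOTE to a pointer at the new section, so the two copies cannot drift apart on the next version bump.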
@@ -508,7 +509,7 @@ configuration file '/etc/lilo.conf' in an editor such as vi or pico - it should already have been generated by the 'liloconfig' part of setup.
Look for the "Linux bootable partition config" and add a line for the initrd.
We also need to change the kernel file to a generic kernel, because lilo
-is unable to combine the 'huge' kernels in Slackware 13.1 with an initrd
+is unable to combine the 'huge' kernels in Slackware 13.37 with an initrd
image - it will complain about "The initial RAM disk is too big to fit
between the kernel and the 15M-16M memory hole" if you try a 'huge'
kernel. We can live with that, since the 'huge' kernels are not meant
@@ -516,7 +517,7 @@ for day-to-day use anyway. They are meant to install Slackware on a wide range of computers and that is why they are 'huge'. The linux part of
'/etc/lilo.conf' should end up looking somewhat like this:
-image = /boot/vmlinuz-generic-smp-2.6.33.4-smp
+image = /boot/vmlinuz-generic-smp-2.6.37.6-smp
initrd = /boot/initrd.gz
root = /dev/cryptvg/root
label = linux
@@ -547,22 +548,27 @@ do not mind using LVM. Additional passphrases, keyfiles
--------------------------------
-The cryptsetup program assigns 7 'key slots' to any partition or volume
+ The cryptsetup program assigns 7 'key slots' to any partition or volume
it encrypts. Each of those seven slots can contain a key to unlock the
partition's data. The key can be a passphrase, but the content of a
*keyfile* is another option. You can then pass the name of a file as a
parameter to cryptsetup in order to unlock an encrypted volume so that
you won't have to type a passphrase. This creates the possibility to
use a keyfile on a removable USB flash disk for unlocking your Slackware
-computer. Slackware has partial support for keyfiles: if the file can be
-found, it will be used and you won't have to type a passphrase. A file on a
-USB stick will *not* be found on boot because the stick's filesystem is not
-mounted. Future versions of Slackware may support USB sticks as unlocking
-mechanism. For now, if you encrypt your root filesystem, you will have to
-enter a passphrase to boot into it. After the root filesystem is unlocked
+computer. Slackware supports keyfiles: if the file can be found on the file
+system, it will be used and you won't have to type a passphrase.
+
+ A keyfile on a FAT formatted USB stick can be used as well. This scenario
+requires you to use the "-K" parameter to mkinitrd to specify the USB stick's
+FAT-label or UUID, as well as the full path to the keyfile. An example:
+
+ # mkinitrd -c -k 2.6.37.6-smp -m ext3 -f ext3 -r /dev/cryptvg/root -C /dev/sdx2 -L -K LABEL=TRAVELSTICK:/keys/alien.luks
+
+ The mkinitrd of Slackware 13.1 introduced this support for USB sticks as
+unlocking mechanism. Alternatively, after the root filesystem is unlocked
and mounted, it is completely safe to have a keyfile for _additional_
-encrypted filesystems stored in for instance the '/root' directory. That
-way, you have only one passphrase to type.
+encrypted filesystems stored in for instance the '/root' directory.
+That way, you still have only one passphrase to type.
Hibernation (suspend-to-disk)
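Review bot: the key-slot count on the first line of the paragraph is wrong, and the hunk touches that line anyway (it only adds a leading space), so fix it here: a LUKS1 header has 8 key slots, numbered 0 to 7, not 7, and "Each of those seven slots" on the next line needs the same correction. The new keyfile-on-USB paragraph also needs a caveat that a reader of "you won't have to type a passphrase" will not infer: a keyfile on an unencrypted FAT stick is a full-strength credential, so whoever holds the stick can unlock the volume; the stick should not travel in the same bag as the laptop, and a passphrase should stay in another key slot so the system remains recoverable if the stick is lost or the file is corrupted. Finally, "The mkinitrd of Slackware 13.1 introduced this support for USB sticks" contradicts the removed text, which under the same 13.1 label said a keyfile on a USB stick "will *not* be found on boot"; check which release first shipped the "-K" option and state it once.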
@@ -601,10 +607,21 @@ CONFIG_DM_CRYPT=y Do not compile these as module! They are required in your kernel.
+USB keyboards and LUKS
+----------------------
+
+ If you have set up an encrypted root partition, you will need to have
+access to your keyboard in order to type the passphrase. This may require
+you to add the 'uhci-hcd' and 'usbhid' modules to your initrd image if you
+have a USB keyboard. Also note that if you are using a non-US keyboard,
+you can use the '-l' parameter to the 'mkinitrd' command in order to add
+support for this keyboard to your initrd.
+
+
A mkinitrd helper script
------------------------
- The mkinitrd package in Slackware 13.1 ships with a script called
+ The mkinitrd package in Slackware 13.37 ships with a script called
'mkinitrd_command_generator.sh'. If you run this script, it will analyze
your Slackware configuration and make a smart suggestion about the 'mkinitrd'
command you have to type in order to create an initrd.gz with all the bells
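Review bot: 'uhci-hcd' is only the host-controller driver for UHCI (Intel/VIA style) controllers; systems with OHCI controllers need 'ohci-hcd', and a keyboard behind a USB 2.0 hub or on a high-speed-only port needs 'ehci-hcd', so the new section should name all three or tell the reader to check which *hci-hcd module 'lsmod' shows on the running system. It also says to "add" the modules without showing how: give the resulting '-m' list, e.g. "-m uhci-hcd:usbhid:ext3", in the same form as the other mkinitrd examples in this file. The '-l' sentence duplicates the NOTE on non-US keyboards in the LVM mkinitrd section above; keep that advice in one place and refer to it from the other. Style: the section ends with two blank lines where the rest of the file uses one before a heading.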
@@ -619,7 +636,7 @@ by yourself: It should emit a string like this (your system will probably give different
parameter values):
-mkinitrd -c -k 2.6.33.4-smp -m ext3 -f ext3 -r /dev/cryptvg/root -C /dev/sdx2 -L
+mkinitrd -c -k 2.6.37.6-smp -m ext3 -f ext3 -r /dev/cryptvg/root -C /dev/sdx2 -L
You can copy and paste this output to your command prompt, and add any other
parameters you need such as "-h" to indicate a hibernation partition or
@@ -634,6 +651,7 @@ Good luck with your fresh Slackware installion on encrypted partition(s)! ==============================================================================
Author:
- Eric Hameleers <alien@slackware.com> 23-jul-2009
+ Eric Hameleers <alien@slackware.com> 08-apr-2011
URLs:
http://www.slackware.com/~alien/dokuwiki/doku.php?id=slackware:setup
+
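Review bot: the final "+" line adds a trailing blank line at end of file, which is noise in the patch and in the rendered README; drop it. While touching the tail of the file, fix "installion" to "installation" in the closing "Good luck" line shown in this hunk's context.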