encrypted partition configuration on kickstart
David Lehman
dlehman at redhat.com
Sun Feb 20 16:30:23 UTC 2011
On Wed, 2011-02-16 at 18:55 -0600, dabicho wrote:
> Hello.
> I am having trouble understanding how encrypted partitions are
> supposed to work and how to get my desired effect on Fedora 14
>
> I am writing a kickstart for an automated installation.
> I wrote the following for the partitions:
>
>
> part / --encrypted --passphrase=pass1 --size=10000
> part /boot --size=200
> part /var/lib/pgsql --encrypted --passphrase=pass2 --grow --size=1
> part /var --encrypted --passphrase=pass3 --size=10000
> part /tmp --encrypted --passphrase=pass4 --size=3000
> part swap --encrypted --recommended
>
> I thought that upon boot I would be asked for each passphrase in
> turn, however I am asked only for one passphrase, without any
> indication as to which one, and that being the passphrase for the first
> partition defined ( / ), and that would enable mounting of all the
> partitions.
>
> What am I missing here?
It seems like you're not missing anything.
Each of the partitions should use the passphrase you have specified for
that partition. File a bug at bugzilla.redhat.com against Fedora 14 if
this isn't working correctly. Be sure to include a description like the
one above as well as your kickstart file when you enter the bug report.
> What should I do if I needed the system to ask for each passphrase in
> turn? or at a later time (database partition)?
This is the intended/expected behavior.
>
> Also, I have seen no options to specify a cipher or other encryption
> parameters anywhere.
This is not supported by anaconda/kickstart. To get a cipher other than
the default (aes-xts-plain64 with a 512-byte key) you will have to set
up the encrypted devices yourself.
> Is it possible to prepare encrypted partitions on the %pre script?
Of course. Once you have created your devices using parted, pvcreate,
lvcreate, and/or mdadm you can encrypt them using cryptsetup. In F14 you
must make sure to deactivate/close all of your newly created devices
before exiting from the %pre script.
>
> Thank you.
> any pointer is appreciated.
http://docs.fedoraproject.org/en-US/Fedora/14/html/Installation_Guide/apcs02.html
This is Appendix C from the Fedora 14 Installation Guide, entitled "Disk
Encryption". There are several pages that explain concepts,
best-practices, and actual example commands for setting up encrypted
block devices.
David
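
The %pre approach described in the reply above, as an added example that is not part of the original message or of the Fedora guide: format a pre-created partition with a non-default cipher, then close the mapping before %pre exits. The device, mapping name, cipher, key size and key-file path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Body of a kickstart %pre section (place between "%pre" and "%end").
# All values below are constructed for illustration, not taken from the thread.
DEV=/dev/sda3                  # partition already created earlier in %pre
NAME=luks-pgsql                # device-mapper name used while it is open
CIPHER=aes-cbc-essiv:sha256    # any cipher spec other than the default
KEYBITS=256
KEYFILE=/tmp/pgsql.key         # passphrase file fetched or written earlier
DRY_RUN=1                      # 1 prints the commands; set to 0 to execute

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Format, open, create a filesystem, and always close the mapping again.
encrypt_device() {
    run cryptsetup --batch-mode --cipher "$CIPHER" --key-size "$KEYBITS" \
        luksFormat "$DEV" "$KEYFILE" || return 1
    run cryptsetup --key-file "$KEYFILE" luksOpen "$DEV" "$NAME" || return 1
    run mkfs.ext4 "/dev/mapper/$NAME"
    rc=$?
    # F14 requirement from the reply: nothing may stay open when %pre exits.
    run cryptsetup luksClose "$NAME" || return 1
    return "$rc"
}

# Succeeds only when the mapping is no longer active.
mapping_closed() {
    [ ! -e "/dev/mapper/$NAME" ]
}

if ! encrypt_device || ! mapping_closed; then
    echo "%pre: setup failed or $NAME is still open" >&2
fi
```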