Can I use my boot disk in rescue mode with an encrypted drive?

Hi All,

I am thinking that the coming release of CentOS 6.0 would be a mighty 
fine time to upgrade my office computer. Got my eye on an i7-930 and a 
Supermicro X8SAX.

Anyway, when I install CentOS 6 fresh on my new hard drives (RAID), I am 
thinking it would be a good time to take advantage of the whole hard 
drive encryption feature. That said, some questions:

1) this is a deal killer: does it allow me to boot off the install disk 
in rescue mode and unlock/see/read/write my encrypted hard drives? I
must have this feature as I am constantly screwing things up. (Not an 
admission I screw things up. Maybe once or twice. Maybe.)

2) what is the performance hit?

3) do you guys think my idea of a whole disk encryption is "practical"?

4) okay, not an encryption question, but do we finally get to use ext4?

Many thanks,
-T
Todd
11/14/2010 5:28:55 AM
comp.os.linux.misc

On Sun, 14 Nov 2010 00:28:55 -0500, Todd <Todd@invalid.com> wrote:

> 1) this is a deal killer: does it allow me to boot off the install disk
> in rescue mode and unlock/see/read/write my encrypted hard drives? I
> must have this feature as I am constantly screwing things up. (Not an
> admission I screw things up. Maybe once or twice. Maybe.)

They would not be accessible, until the needed kernel modules have been
loaded, and the appropriate programs executed.  It can be done, but no
live cd/dvd I've seen, will do it by default.

> 2) what is the performance hit?

I use a luks encrypted file system for my data, and only notice a
performance hit when copying a large file (such as a 4+GB file) to/from
the encrypted filesystem.  During normal usage, I see no difference.

The filesystem containing /boot must not be encrypted, or the boot
manager will not be able to read it.

> 3) do you guys think my idea of a whole disk encryption is "practical"?

No, as /boot must be readable by the boot manager.

> 4) okay, not an encryption question, but do we finally get to use ext4?

I've been using ext4 for all of my file systems, for about 6 months,
including those on luks encrypted containers.  The fsck speed of ext4
is much faster than ext3.  I've lost data stored on reiserfs and xfs
file systems (open files getting file length zero after a crash), but
have not lost any on ext4.

See http://www.ody.ca/~dwhodgins/Luks-Howto.html for an explanation of
how to set up a luks encrypted filesystem.

I'm currently using the Mandriva 2010.1 version of linux.  The bulk of
the system is not encrypted.  Even /home/dave, is not encrypted.  I have
an encrypted filesystem, that is mounted at login, that contains my email,
usenet, photos, documents, videos, etc, and have replaced the appropriate
directories in /home/dave with symlinks to those directories, in the
encrypted filesystem.

Regards, Dave Hodgins

-- 
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
David
11/14/2010 8:09:13 AM
On 11/14/2010 12:09 AM, David W. Hodgins wrote:
> On Sun, 14 Nov 2010 00:28:55 -0500, Todd <Todd@invalid.com> wrote:
>
>> 1) this is a deal killer: does it allow me to boot off the install disk
>> in rescue mode and unlock/see/read/write my encrypted hard drives? I
>> must have this feature as I am constantly screwing things up. (Not an
>> admission I screw things up. Maybe once or twice. Maybe.)
>
> They would not be accessible, until the needed kernel modules have been
> loaded, and the appropriate programs executed. It can be done, but no
> live cd/dvd I've seen, will do it by default.
>
>> 2) what is the performance hit?
>
> I use a luks encrypted file system for my data, and only notice a
> performance hit when copying a large file (such as a 4+GB file) to/from
> the encrypted filesystem. During normal usage, I see no difference.
>
> The filesystem containing /boot must not be encrypted, or the boot
> manager will not be able to read it.
>
>> 3) do you guys think my idea of a whole disk encryption is "practical"?
>
> No, as /boot must be readable by the boot manager.
>
>> 4) okay, not an encryption question, but do we finally get to use ext4?
>
> I've been using ext4 for all of my file systems, for about 6 months,
> including those on luks encrypted containers. The fsck speed of ext4
> is much faster than ext3. I've lost data stored on reiserfs and xfs
> file systems (open files getting file length zero after a crash), but
> have not lost any on ext4.
>
> See http://www.ody.ca/~dwhodgins/Luks-Howto.html for an explanation of
> how to set up a luks encrypted filesystem.
>
> I'm currently using the Mandriva 2010.1 version of linux. The bulk of
> the system is not encrypted. Even /home/dave, is not encrypted. I have
> an encrypted filesystem, that is mounted at login, that contains my email,
> usenet, photos, documents, videos, etc, and have replaced the appropriate
> directories in /home/dave with symlinks to those directories, in the
> encrypted filesystem.
>
> Regards, Dave Hodgins
>

Thank you!
Todd
11/14/2010 10:01:33 PM
On Sun, 14 Nov 2010 03:09:13 -0500, David W. Hodgins wrote:
<snip>
> 
>> 3) do you guys think my idea of a whole disk encryption is "practical"?
> 
> No, as /boot must be readable by the boot manager.
> 
Another alternative is to have "boot" (at least the kernel and initrd) on 
a bootable media (cd, usb-stick, etc.).
>
<snip>
>
I can't speak for CentOS, but there are a lot of possibilities in the DIY 
(do it yourself) school. I have hacked together a means of booting 
Slackware from usb, cd, etc. My simple startup environment gives the 
ability to perform various functions including the following:

	* setup,
	* generic startup including networking for any hardware,
	* "live" system using a device mapper target
	* encrypted startup using a device mapper target

Please note that startup environment is distribution dependent and mine 
has been setup for Slackware. From what I've learned almost anything is 
possible- that is, if the user is willing to invest some time in learning 
what to do. The final point seems to be the weak link in the chain. YMMV.

-- 
Douglas Mayne
Douglas
11/14/2010 11:19:35 PM
On 11/14/2010 03:19 PM, Douglas Mayne wrote:
> On Sun, 14 Nov 2010 03:09:13 -0500, David W. Hodgins wrote:
> <snip>
>>
>>> 3) do you guys think my idea of a whole disk encryption is "practical"?
>>
>> No, as /boot must be readable by the boot manager.
>>
> Another alternative is to have "boot" (at least the kernel and initrd) on
> a bootable media (cd, usb-stick, etc.).
>>
> <snip>
>>
> I can't speak for CentOS, but there are a lot of possibilities in the DIY
> (do it yourself) school. I have hacked together a means of booting
> Slackware from usb, cd, etc. My simple startup environment gives the
> ability to perform various functions including the following:
>
> 	* setup,
> 	* generic startup including networking for any hardware,
> 	* "live" system using a device mapper target
> 	* encrypted startup using a device mapper target
>
> Please note that startup environment is distribution dependent and mine
> has been setup for Slackware. From what I've learned almost anything is
> possible- that is, if the user is willing to invest some time in learning
> what to do. The final point seems to be the weak link in the chain. YMMV.
>

Over at Red Hat, I found this: http://www.redhat.com/rhel/server/details/

        Storage devices can be designated for encryption at
        installation time, protecting user and system data.

So, I was wondering if the installation disk, in rescue mode (note
this is not a live CD or a rescue CD, this is the "installation disk"),
had a way of looking at the hard drive.

-T
Todd
11/15/2010 3:39:14 AM
On Sun, 14 Nov 2010 19:39:14 -0800, Todd wrote:

> On 11/14/2010 03:19 PM, Douglas Mayne wrote:
>> On Sun, 14 Nov 2010 03:09:13 -0500, David W. Hodgins wrote: <snip>
>>>
>>>> 3) do you guys think my idea of a whole disk encryption is
>>>> "practical"?
>>>
>>> No, as /boot must be readable by the boot manager.
>>>
>> Another alternative is to have "boot" (at least the kernel and initrd)
>> on a bootable media (cd, usb-stick, etc.).
>>>
>> <snip>
>>>
>> I can't speak for CentOS, but there are a lot of possibilities in the
>> DIY (do it yourself) school. I have hacked together a means of booting
>> Slackware from usb, cd, etc. My simple startup environment gives the
>> ability to perform various functions including the following:
>>
>> 	* setup,
>> 	* generic startup including networking for any hardware,
>> 	* "live" system using a device mapper target
>> 	* encrypted startup using a device mapper target
>>
>> Please note that startup environment is distribution dependent and mine
>> has been setup for Slackware. From what I've learned almost anything is
>> possible- that is, if the user is willing to invest some time in
>> learning what to do. The final point seems to be the weak link in the
>> chain. YMMV.
>>
>>
> Over at Red Hat, I found this:
> http://www.redhat.com/rhel/server/details/
> 
>         Storage devices can be designated for encryption at installation
>         time, protecting user and system data.
>
Most probably the method of encryption they have chosen is LUKS. LUKS is 
implemented as a layer on top of device mapper encryption targets. AIUI, 
you can unlock LUKS if you have the proper toolset (cryptsetup, device 
mapper, etc.) As a WAG, I wager that the proper toolset is provided as 
part of the setup and rescue environments. Verify for yourself. BTW, I 
have decided not to use LUKS and stick with simple device mapper objects 
and manage my own encryption keys. For me, LUKS was just "one too many" 
abstraction layers. YMMV.

> So, I was wondering if the installation disk, in rescue mode (note this
> is not a live CD or a rescue CD, this is the "installation disk"), had a
> way of looking at the hard drive.
>
I don't know because I don't use CentOS, RedHat, etc. 
> 
> -T

Note: comments inline.

-- 
Douglas Mayne
Douglas
11/15/2010 1:45:21 PM
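Douglas's contrast above between LUKS and a bare device-mapper target with self-managed keys comes down to what the LUKS layer adds: a header carrying per-slot salts and iteration counts, a master-key check digest, and up to eight key slots that each wrap the same master key under a different passphrase. The following is an added example, not code from the thread or from cryptsetup, that models the difference in Python. Plain mode is modelled as one unsalted SHA-256 of the passphrase (an assumption for portability; cryptsetup's plain-mode default hash is ripemd160), and the slot wrapping uses PBKDF2-SHA256 plus an XOR wrap as a simplified stand-in for LUKS1's real anti-forensic split and AES-wrapped key material. Passphrases and iteration counts are constructed for the demo.

```python
"""Plain dm-crypt key vs a LUKS-style key-slot header (added example).

The real LUKS1 slot format (AF-split, AES-wrapped key material) is replaced
here by PBKDF2-SHA256 plus an XOR wrap; the point is the structure, not
byte compatibility with cryptsetup.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

KEY_BYTES = 32
DIGEST_ITERS = 1000   # iterations for the master-key check digest (demo value)
SLOT_ITERS = 20000    # iterations per key slot (real LUKS benchmarks this)


def plain_dmcrypt_key(passphrase: bytes) -> bytes:
    """Plain mode has no header: the volume key is a fixed, unsalted hash of
    the passphrase (assumption: SHA-256; cryptsetup defaults to ripemd160).
    The same passphrase yields the same key on every device, and changing
    the passphrase means re-encrypting every block."""
    return hashlib.sha256(passphrase).digest()[:KEY_BYTES]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LuksLikeHeader:
    """One random master key protected by up to 8 passphrase slots."""

    def __init__(self, num_slots: int = 8):
        self._master_key = os.urandom(KEY_BYTES)   # random volume key
        self.mk_salt = os.urandom(32)
        # Stored check value so a wrong passphrase is detected (LUKS1 mk-digest)
        self.mk_digest = hashlib.pbkdf2_hmac("sha256", self._master_key,
                                             self.mk_salt, DIGEST_ITERS, 20)
        # slot -> (salt, iterations, wrapped master key), or None when disabled
        self.slots: List[Optional[Tuple[bytes, int, bytes]]] = [None] * num_slots

    @staticmethod
    def _slot_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, KEY_BYTES)

    def add_passphrase(self, passphrase: bytes, slot: int,
                       iterations: int = SLOT_ITERS) -> None:
        """Enable a slot by wrapping the existing master key under a new
        passphrase. Data on disk is untouched; only the header changes."""
        salt = os.urandom(32)
        wrapped = _xor(self._master_key, self._slot_key(passphrase, salt, iterations))
        self.slots[slot] = (salt, iterations, wrapped)

    def revoke_slot(self, slot: int) -> None:
        """Disable a slot (what luksKillSlot does); other passphrases keep working."""
        self.slots[slot] = None

    def unlock(self, passphrase: bytes) -> Optional[Tuple[int, bytes]]:
        """Try every active slot; return (slot, master key) or None on no match."""
        for i, entry in enumerate(self.slots):
            if entry is None:
                continue
            salt, iterations, wrapped = entry
            candidate = _xor(wrapped, self._slot_key(passphrase, salt, iterations))
            check = hashlib.pbkdf2_hmac("sha256", candidate, self.mk_salt, DIGEST_ITERS, 20)
            if hmac.compare_digest(check, self.mk_digest):
                return i, candidate
        return None


def demo() -> dict:
    """Exercise both models with constructed passphrases; returns the findings."""
    admin, user = b"correct horse", b"battery staple"   # constructed passphrases
    hdr = LuksLikeHeader()
    hdr.add_passphrase(admin, slot=0)
    hdr.add_passphrase(user, slot=1)
    r_admin, r_user = hdr.unlock(admin), hdr.unlock(user)
    hdr.revoke_slot(1)
    other = LuksLikeHeader()            # a second volume with the same passphrase
    other.add_passphrase(admin, slot=0)
    return {
        "two_passphrases_same_key": r_admin is not None and r_user is not None
                                   and r_admin[1] == r_user[1],
        "slots_used": (r_admin[0], r_user[0]),
        "wrong_passphrase_rejected": hdr.unlock(b"guess") is None,
        "revoked_user_rejected": hdr.unlock(user) is None,
        "admin_still_works": hdr.unlock(admin) is not None,
        # LUKS: per-volume salt, so the stored slot material differs per volume
        "luks_slot_salted_per_volume": hdr.slots[0][2] != other.slots[0][2],
        # plain mode: no salt, identical key on every device using this passphrase
        "plain_key_same_everywhere": plain_dmcrypt_key(admin) == plain_dmcrypt_key(admin),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model shows why, with LUKS, a passphrase can be added, changed or killed without touching the encrypted payload, and why a brute-force attacker has to redo a salted, iterated derivation per volume; managing plain dm-crypt keys yourself, as Douglas does, means carrying those properties (salting, stretching, key rotation) in your own tooling or going without them.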
On Sun, 14 Nov 2010 22:39:14 -0500, Todd <Todd@invalid.com> wrote:

> Over at Red Hat, I found this: http://www.redhat.com/rhel/server/details/
>         Storage devices can be designated for encryption at
>         installation time, protecting user and system data.
> So, I was wondering if the installation disk, in rescue mode (note
> this is not a live CD or a rescue CD, this is the "installation disk"),
> had a way of looking at the hard drive.

I doubt it.  While the installer's partitioning software may be able
to create encrypted filesystems, and create the appropriate entries
in /etc/crypttab and /etc/fstab (like Mandriva's diskdrake can do),
I doubt the rescue cd will find those files, and use them.  What
would happen if you boot from the rescue cd, on a system with more
than one linux installation on it?

I expect you would have to manually load the kernel modules, and then
run "cryptsetup luksOpen <rest>".

All rescue cds I've looked at use the output of blkid to generate
/etc/fstab entries, to use for mounting partitions, not the contents
of files on those filesystems.

Regards, Dave Hodgins

-- 
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
David
11/16/2010 8:19:53 AM
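Dave's point in his two replies, that a rescue environment works from what blkid can see on the disks rather than from the installed system's /etc/crypttab, applies to LUKS volumes as well: blkid recognises a LUKS partition from its on-disk header, and cryptsetup luksDump reports the same fields before any luksOpen. The following is an added example, not code from the thread, from cryptsetup or from blkid: a small Python parser for the LUKS1 header layout (magic, version, cipher name and mode, hash, key size, UUID, and which of the eight key slots are active), run over constructed in-memory images standing in for the first bytes of partitions. The device names, UUID and header values are made up for the demo.

```python
"""Identify LUKS1 containers and summarise their headers (added example).

Layout follows the LUKS1 on-disk format: a 592-byte phdr with a 6-byte magic,
big-endian integers, NUL-padded ASCII strings and eight 48-byte key-slot
records. The sample "devices" are constructed in memory, not read from disk.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS_KEY_ENABLED = 0x00AC71F3    # key-slot state: active
LUKS_KEY_DISABLED = 0x0000DEAD   # key-slot state: disabled
PHDR_SIZE = 592
SLOTS_OFFSET = 208
SLOT_SIZE = 48
NUM_SLOTS = 8


@dataclass
class LuksHeader:
    version: int
    cipher_name: str
    cipher_mode: str
    hash_spec: str
    payload_offset: int       # start of encrypted data, in 512-byte sectors
    key_bytes: int            # master key length
    uuid: str
    active_slots: List[int]   # key slots that hold a usable passphrase


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_luks_header(buf: bytes) -> Optional[LuksHeader]:
    """Return the parsed header, or None if buf is not a LUKS volume.

    Raises ValueError for a LUKS1 header whose key-slot state is neither of
    the two defined constants (a sign of corruption or tampering).
    """
    if len(buf) < PHDR_SIZE or buf[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", buf[6:8])
    if version != 1:
        # LUKS2 shares the magic but keeps its metadata in a JSON area;
        # report the version and stop rather than misread the binary fields.
        return LuksHeader(version, "", "", "", 0, 0, "", [])
    cipher_name = _cstr(buf[8:40])
    cipher_mode = _cstr(buf[40:72])
    hash_spec = _cstr(buf[72:104])
    payload_offset, key_bytes = struct.unpack(">II", buf[104:112])
    uuid = _cstr(buf[168:208])
    active: List[int] = []
    for i in range(NUM_SLOTS):
        off = SLOTS_OFFSET + i * SLOT_SIZE
        (state,) = struct.unpack(">I", buf[off:off + 4])
        if state == LUKS_KEY_ENABLED:
            active.append(i)
        elif state != LUKS_KEY_DISABLED:
            raise ValueError(f"key slot {i}: unknown state 0x{state:08x}")
    return LuksHeader(version, cipher_name, cipher_mode, hash_spec,
                      payload_offset, key_bytes, uuid, active)


def find_luks_containers(devices: Dict[str, bytes]) -> Dict[str, LuksHeader]:
    """Scan {device name: leading bytes of device} and keep the LUKS ones.

    On a real rescue system the bytes would come from
    open(dev, "rb").read(PHDR_SIZE) for each partition blkid lists.
    """
    return {dev: hdr for dev, head in devices.items()
            if (hdr := parse_luks_header(head)) is not None}


def build_sample_header(active_slots=(0, 3)) -> bytes:
    """Constructed LUKS1 header for the demo; values are not from a real disk."""
    hdr = bytearray(PHDR_SIZE)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11] = b"aes"
    hdr[40:56] = b"cbc-essiv:sha256"
    hdr[72:76] = b"sha1"
    struct.pack_into(">II", hdr, 104, 2056, 32)   # payload offset, key bytes
    hdr[112:132] = b"\x11" * 20                     # master-key digest (dummy)
    hdr[132:164] = b"\x22" * 32                     # master-key digest salt (dummy)
    struct.pack_into(">I", hdr, 164, 10000)         # digest iterations
    uuid = b"4f0e1d3a-1111-4222-8333-444455556666"   # made-up UUID
    hdr[168:168 + len(uuid)] = uuid
    for i in range(NUM_SLOTS):
        off = SLOTS_OFFSET + i * SLOT_SIZE
        enabled = i in active_slots
        struct.pack_into(">II", hdr, off,
                         LUKS_KEY_ENABLED if enabled else LUKS_KEY_DISABLED,
                         150000 if enabled else 0)  # state, PBKDF2 iterations
        hdr[off + 8:off + 40] = bytes([i + 1]) * 32 # slot salt (dummy)
        struct.pack_into(">II", hdr, off + 40, 8 + i * 256, 4000)  # material offset, stripes
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed stand-ins for the first 1 KiB of three partitions.
    sample = {
        "/dev/sda1": b"\x00" * 1024,                             # not LUKS
        "/dev/sda2": build_sample_header(),                      # LUKS1, slots 0 and 3
        "/dev/sdb1": LUKS_MAGIC + b"\x00\x02" + b"\x00" * 1016,  # LUKS2 magic only
    }
    for dev, h in find_luks_containers(sample).items():
        if h.version == 1:
            print(f"{dev}: LUKS1 {h.cipher_name}-{h.cipher_mode} {h.key_bytes * 8}-bit, "
                  f"hash {h.hash_spec}, UUID {h.uuid}, active slots {h.active_slots}")
        else:
            print(f"{dev}: LUKS version {h.version} (not parsed here)")
```

On a real rescue boot the same identification is one command, cryptsetup luksDump on the partition, and the unlock sequence Dave sketches is modprobe dm_crypt, cryptsetup luksOpen on the device, then mounting the resulting /dev/mapper node (with vgchange -ay in between if LVM sits inside the container); the parser above is only for understanding what those tools read from the disk, and it deliberately stops at the header without touching key material.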