Cannot decrypt swap partition with Mandos inside a LV (LVM)

Teddy Hogeborn teddy at recompile.se
Thu May 29 12:41:15 CEST 2014


Olivier Molinete <olivier at molinete.org> writes:

> I think that mandos-client and mandos(-server) are configured
> correctly... When the server with the mandos-client reboots, it
> automagically gets the passphrase from the mandos(-server) and the LV
> with the root partition is decrypted instantly.

Yes, this is the role of the Mandos client, to supply the password of
the root partition so the system can continue booting.

> But the problem comes when the swap encrypted partition has to be
> decrypted... It seems that mandos(-server) does not send the passphrase
> in that case (to decrypt the swap partition), and the server with
> mandos-client waits forever with the passphrase prompt till you enter
> the passphrase manually through the console.
>
> My question is: Am I doing something wrong? Am I missing something?
> Maybe it is a Mandos limitation which I don't know, but I haven't
> found any info related to that issue in the documentation or
> googlin'.

Once the system has started booting, Mandos is out of the picture, and
is no longer relevant.  In your situation, I would suggest that you save
the password for other crypto devices, like your swap partition, in a
keyfile (I would suggest putting it in something like /etc/keys/swap)
and edit /etc/crypttab to reference that keyfile (in the third field).

It seems like this problem is because of your unusual setup.  You have:
[HD] -> [Part.] -> [LVM PV] -> [LVM VG] -> [LVM LV] -> [LUKS] -> [FS]
but the usual setup is:
[HD] -> [Part.] -> [LUKS] -> [LVM PV] -> [LVM VG] -> [LVM LV] -> [FS]

In this usual setup, there is only one encrypted device, and the swap is
located on an LVM LV.  Since there is only one encrypted device, Mandos
can supply the decryption password at boot time with no further
passwords needed.

(To complete the picture:  In the normal case, software RAID is placed
between [Partition] and [LUKS], and hardware RAID looks like a [HD];
i.e. it is located between [HD] and [Partition].)

/Teddy Hogeborn

-- 
The Mandos Project
http://www.recompile.se/mandos
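The keyfile arrangement Teddy describes, as an added example that is not part of the thread or of the Mandos project: a random key is written to a root-only file such as /etc/keys/swap, enrolled into the swap volume's LUKS header, and referenced from the third field of /etc/crypttab so no prompt appears after the Mandos-unlocked root filesystem is up. The mapping name `swap_crypt` and the device `/dev/vg0/swap` are placeholders; the cryptsetup and crypttab layout assumed is the Debian one.

```shell
#!/bin/sh
# Added example (not the Mandos project's own code).
# Assumptions: Debian-style /etc/crypttab (name, device, keyfile, options);
# /dev/vg0/swap and swap_crypt are placeholders for the real LV and mapping.
set -eu

# make_keyfile PATH [BYTES]: create a random keyfile readable only by root.
# The file lives on the root filesystem, which Mandos has already unlocked,
# so the LUKS root is what protects this key at rest.
make_keyfile() {
    keyfile=$1
    bytes=${2:-4096}
    mkdir -p "$(dirname "$keyfile")"
    # umask 077 keeps the file private from the moment it is created
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs="$bytes" count=1 2>/dev/null )
    chmod 0400 "$keyfile"
    printf '%s\n' "$keyfile"
}

# crypttab_line NAME DEVICE KEYFILE: the /etc/crypttab entry that unlocks
# DEVICE with KEYFILE in the third field instead of asking at the console.
crypttab_line() {
    printf '%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "luks"
}

# crypttab_uses_keyfile LINE: succeeds when the third field names a keyfile
# (i.e. not "none" or "-", which would mean an interactive passphrase prompt).
crypttab_uses_keyfile() {
    key=$(printf '%s\n' "$1" | awk -F'\t' '{print $3}')
    [ -n "$key" ] && [ "$key" != "none" ] && [ "$key" != "-" ]
}

# setup_swap_keyfile NAME DEVICE KEYFILE: full procedure, must run as root.
# Enrolling the key prompts once for an existing LUKS passphrase; the
# crypttab line is appended only after enrolment succeeds, so a failed
# luksAddKey never leaves an entry pointing at a key the header rejects.
setup_swap_keyfile() {
    name=$1; device=$2; keyfile=$3
    make_keyfile "$keyfile" >/dev/null
    cryptsetup luksAddKey "$device" "$keyfile"
    crypttab_line "$name" "$device" "$keyfile" >> /etc/crypttab
    # after this, /etc/crypttab must be picked up by the initramfs
    update-initramfs -u
}

# Usage (as root):  setup_swap_keyfile swap_crypt /dev/vg0/swap /etc/keys/swap
```

The keyfile only needs to be unreadable to non-root users; there is no point encrypting it further, since anything that can read the mounted root filesystem has already passed the Mandos-supplied passphrase. If the swap device is also the resume device, the line must be in the initramfs copy of crypttab, which is why the last step regenerates it.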