The set of patches are available here

NOTE:  The root_filesystem_encryption.sh script guides you through
this process in a logical order.  This is now for planning and for
reference.

I. Think About It!

    We have some initial limitations.   If you are installating
    to a prestine machine and do not want to have a system already
    up and running and then you will have to live with LVM under the 
    current anaconda installation program.   

    For this HOWTO, you will need to use the following utilities
        A. the prep script
        B. fdisk
        C. lvm
        D. the modified mkinitrd script provided

II) Decide how you want to handle protection:

    A. The Passphrase
        Like any password, you will need to remember it to unlock
        your data.  However, if you choose this method for multiple
        partitions you will have to enter the password repeatedly.

    B. The Embedded Key
    
        Under this system, the keyfile will be embedded in the 
        initrd image itself.  While not the most secure, you can
        destroy the usb media itself to protect the data.
    
        This is best used when you will be booting from a USB key
        or other removable media and/or leaving the media in place.
    
    C. The Disappearing Key

        Now, this is ugly, but useful.   In essence, your key 
        is stored on another volume or different media than 
        your boot partition and may not be included in the regular
        system.  This method allows you to only have the media
        present at the time the system boots and may be removed
        without disturbing or interrupting the system. This allows
        more automatic kernel updates.   
        
III) Now, decide how you want to boot.

    A) Fixed Media
        Booting from Fixed Media requires that the /boot partition 
        be unencrypted; however, this does show what OS was on the machine.

    B) Removable Media
        Normally requires leaving the /boot media in the machine because 
        you want updates to kernels and initrd images to be consistent 
        (or risk sanity.)

IV) Prep your Media

    This step needs to be done at the welcome screen for Anaconda.  Press
    CTRL+F2 to get the shell prompt.   At this point you should
    mount your removable media with root_filesystem_encryption.sh and 
    root_filesystem_encryption.txt on /tmp/removable.

    mkdir /tmp/removable
    mount /dev/<device> /tmp/removable

    If you haven't prepped your removable media you can do so now or 
    from the linux rescue cd and then get these files from the network
    
    http://www.cygnetech.com/linux/howtos/root_filesystem_encryption.txt
    http://www.cygnetech.com/linux/howtos/root_filesystem_encryption.sh
    http://www.cygnetech.com/linux/howtos/root_filesystem_encryption.tar.gz

    untar root_filesystem_encryption.tar.gz in /tmp/removable

VI) Manual Installation Information
    F) Fixed Media
        You will need a partition (preferably 64-256M at the
        beginning of your disk for /boot.   Everything else
        can be encrypted outside of this partition.
        
        fdisk /dev/<fixed device>
        
        create a partition for /boot
        | n -> p -> 1 -> 1 -> +64M 
        | t -> 1 -> 83
        | w
        
        mkfs.ext3 -L/boot -m0 /dev/<fixed device>1
        
        mount /dev/<fixed device>1 /tmp/boot

        
    R) Removable Media
        You will need a partition (preferably 64-256M at the
        beginning of your disk for /boot.   Everything else
        can be encrypted outside of this partition.
        
        fdisk /dev/<usb device>
        
        create a partition for /boot
        | n -> p -> 1 -> 1 -> +64M 
        | t -> 1 -> 83
        | w
        
        You do not want journaling on your USB/flash device. And, 
        you really don't need any reserved space.  I recommend
        at least 64M of space for the /boot partition on the 
        removeable media  or more if you want to support more than
        one system with the same USB drive.

        mkfs.ext2 -Lflashboot -m0 /dev/<usb device>1
        
        mkdir /tmp/removable
        mount /dev/<usb device>1 /tmp/removable
        
3) Preparing The Root Partition
            fdisk /dev/<fixed device>

        create a LVM partition for the remainder of the disk
        | n -> p -> 2 -> {accept defaults} -> {accept defaults}
        | t -> 2 -> 8e
    
        write the parition table
        | w
        
        The 8e (Linux LVM) entry is a ruse to trick anaconda into 
        letting us through.   After we do the encryption routine, 
        /dev/<partition> is just random bits, but anaconda does not
        know this. It trusts the LVM active volume groups. Proceed!
        
        Create an encrypted volume:
            With a key 
            
            cryptsetup luksFormat /dev/<device> \
            -d /tmp/removable/the.key
            cryptsetup luksOpen /dev/<device> <device> \
            -d /tmp/removable/the.key
            
            With a passphrase
            cryptsetup luksFormat /dev/<device>
            cryptsetup luksOpen /dev/<device> <device>
                
             
        Create the LVM groups and divide the disk however you
        want.
        
        # lvm pvcreate /dev/mapper/<device>
        # lvm vgcreate VG00 /dev/mapper/<device>
        # lvm lvdisplay
        
        This shows  how much space is available
        
        # lvm lvcreate -L<twice ram>MB -n swap
        # lvm lvcreate -L<remaining size>MB -n slash
        
        If lvm complains that the size is too large, then just
        reduce the size gradually until you get it right.  For
        example, if you think 1.6GB should be left.  Try 1.59GB,
        then 1.58GB, etc., until it succeeds. Leave at least 16MB
        free if you can.   Anaconda may carp about space and you 
        may have to backup to the welcome screen, blow the LV's 
        away and aim a little smaller.
        
        You are free to be more creative than the all-in-one 
        presented here.


        The installation script will tell you to start the installation.
        Read below for specifics.

    In Anaconda

        When you get to partitioning your drive select custom layout,
        and check "Review Partitions and Layout."  Move to the next
        step.
    
        Select the LV partitions you have just made format them with
        the filesystem of your choice and select the mount points.
    
        If you want to boot from fixed disks make sure you select
        the partition on your harddisk and use /boot for the mount
        point.  
    
        If you want to boot from removable media (USB), find the 
        removeable device partition to use and edit it.  Label it
        /boot and select "preserve data."  Next, select the option
        in the Grub menu to configure advanced boot loader options.  

        On the next screen, change the device ordering and move the 
        removable device up to the top.  
    
        Now the grub loader should be install on the MBR of the 
        USB device.

        Continue through the normal installation process until 
        you get to the Reboot step.  DO NOT REBOOT.

        Go back to the emergency shell using CTRL+F2.
    
    
Last Steps

    These are manual suggestions, consult the root_filesystem_encryption.sh
    for a more sane ordering.

    mount none -t proc /mnt/sysimage/proc
    mount none -t sysfs /mnt/sysimage/sys
    mkdir /tmp/sysimage/tmp/removable    
    mount /dev/<removable device> /mnt/sysimage/tmp/removable

    cp -a /etc/lvm /mnt/sysimage/lvm

    chroot /mnt/sysimage

    vi /mnt/sysimage/etc/sysconfig/mkinitrd

    add options for 
    CRYPTOMODS="DEFAULT"
    CRYPTODEVICES="/dev/<device>@/dev/<removeable-device>,<partition type>"

    /tmp/removable/tmp/mkinitrd --crypt-device=/dev/<device>@/dev/<removeable-device>,<partition type>:/path/to/key/file

    Example

    Password protected 
    CRYPTODEVICES="/dev/sda2"

    Disappearing Key
    CRYPTODEVICES="/dev/sda2@/dev/sdb1,ext2:/the.key"

    Notice /the.key is a relative path for the removeable device holding 
    the key.  The system will mount the removeable partition ro and read
    the key and then unmount it before continuing.  Also, the device can
    be referenced by LABEL=<lable> or UUID=<uuid> for that filesystem.

    Embedded Key
    CRYPTODEVICES="/dev/sda2:/tmp/the.key"

NOTES 

Creating A Key File

    If you have decided to use the key method, you will need to 
    create a key.   It's a general practice to use random data
    for the key rather than some arbitrary text.
    
    By default LUKS uses aes cbc sha256 encryption.  If we use
    this default, we will need a 256 bit key.


    We'll use dd and urandom to create the key file.  However,
    we need to know how many bytes to extract.

    256 bits   1 byte 
    -------- X ------ = 32 bytes 
               8 bits
               
    We need 32 bytes of random data for a permanent key
    
    mkdir -p /tmp/flash
    mount /dev/<device> /tmp/flash
    dd if=/dev/urandom of=/tmp/flash/the.key count=1 bs=32

F. Fixed Media

    You can have your /boot partition at the beginning of your 
    fixed disk.  However, you will not want to use the standard
    key file method for encryption.  You will want to use 
    either the [Passphrase], or the slightly more eclectic
    [Disappearing Key] method for the remaining paritions 
    and/or disks for decryption.

R. Removable Media

    You will need to have your removable media present and
    attached during the installation.

    1) Create a key file and store it on removable media
    2) Encrypt the partition with a password and boot from alternate media
    3) Encrypt the partition and boot from same media
    
    You will need a /boot partition on your boot drive or some place
    This will be unencrypted so I highly encourage use of either
    storing the key on the on removable disk so you can take it with you
    , doing the [Disappearing Key Method], or the password.

# vim: ts=4:sw=4:et
	

Questions or Comments can go to Thomas Swan thomas.swan@gmail.com