On 04.09.2012 22:05, "Roland Häder" wrote:
> Okay, I have set up so far this:
>
> /dev/sda1 - /boot (unencrypted)
> /dev/sda2 - swap (not yet set up, will be encrypted)
> /dev/sda3 - / (encrypted)
>
> /dev/sda3 is the underlying drive, where I used gpg:
>
> # gpg --decrypt key.gpg | cryptsetup --verbose luksFormat /dev/sda3
> # gpg --decrypt key.gpg | cryptsetup --verbose luksOpen /dev/sda3 encVol
> # dd if=/dev/zero of=/dev/mapper/encVol bs=100M (to avoid filesystem corruption)
> # mkfs.ext4 -L root /dev/mapper/encVol
>
> Now I continued as usual with the Gentoo handbook (mount all, copy
> things on it, etc.)
>
> After I compiled the kernel, emerged cryptsetup on the new system,
> I edited /boot/grub/grub.conf:
> -----------------------------------------------
> default 0
> timeout 30
> splashimage=(hd0,0)/boot/grub/splash.xpm.gz
>
> title Gentoo Linux
> root (hd0,0)
> kernel /boot/kernel-genkernel-x86-3.3.8-gentoo root=/dev/ram0 crypt_root=/dev/sda3
> initrd /boot/initramfs-genkernel-x86-3.3.8-gentoo
> -----------------------------------------------
> (I read not to use real_root, but crypt_root instead?)
>
> Then I emerged grub as usual (also: # cat /proc/mounts > etc/mtab )
> and did:
> # grub-install --no-floppy /dev/sda
>
> Still as usual. Now it is downloading plymouth (to have some cool
> things) + dracut (easiest way as I read in wiki).
>
> I also had to expand /etc/make.conf (not /etc/portage/make.conf ???
> Is this a mistake in handbook?):
>
> -----------------------------------------------
> DRACUT_MODULES="crypt_gpg plymouth"
> -----------------------------------------------
>
> Now I really hope, that after I installed dracut on it, that I can
> boot it and the initrd will be updated. It needs at least some
> kernel modules (e.g. dm_crypt, ext4, sha512_generic, aes_generic)
> plus gpg and cryptsetup tools to actually decrypt the hard drive.
>
> Regards, Roland
>

I think you need to add crypt as a dracut module since crypt_gpg is
afaik just an extension to crypt. The output from equery seems to
support my assumption:

...
dracut_modules_crypt : Decrypt devices encrypted with cryptsetup/LUKS
dracut_modules_crypt-gpg : Support for GPG-encrypted keys for crypt module
...

WKR
Hinnerk
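The point made in the reply can be checked mechanically before rebuilding the initramfs. The script below is an added example, not code from either poster or from dracut: it reads DRACUT_MODULES from a make.conf and reports names that are not among those visible in the thread, as well as crypt-gpg listed without crypt. The function names and the KNOWN_MODULES list are assumptions (crypt and crypt-gpg come from the equery excerpt, plymouth from the original mail).

```shell
#!/bin/sh
# Added example (not from the thread): lint DRACUT_MODULES in a make.conf.
# Assumption: the accepted names are the ones visible in the thread
# (crypt, crypt-gpg from the equery output; plymouth from the original mail).
KNOWN_MODULES="crypt crypt-gpg plymouth"

# has_word WORD LIST...: succeed if WORD is one of the remaining arguments.
has_word() {
    w=$1; shift
    for x in "$@"; do
        [ "$x" = "$w" ] && return 0
    done
    return 1
}

# extract_modules FILE: print the value of the last DRACUT_MODULES="..." line.
extract_modules() {
    sed -n 's/^[[:space:]]*DRACUT_MODULES="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# lint_modules "LIST": print findings (space separated); fail if there are any.
lint_modules() {
    findings=""
    for m in $1; do
        has_word "$m" $KNOWN_MODULES || findings="${findings}unknown:$m "
    done
    # Assumption from the reply: crypt-gpg only extends crypt, so it needs it.
    if has_word crypt-gpg $1 && ! has_word crypt $1; then
        findings="${findings}missing:crypt "
    fi
    printf '%s\n' "${findings% }"
    [ -z "$findings" ]
}

# Usage: sh lint-dracut.sh /etc/make.conf
if [ "$#" -gt 0 ]; then
    lint_modules "$(extract_modules "$1")"
fi
```

A non-zero exit status means the module list needs attention before the initramfs is regenerated; on a real system, replace KNOWN_MODULES with the flags equery reports for the installed dracut version.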