On Thu, Jun 28, 2018 at 1:21 AM, Allence <[email protected]> wrote:
> Description:
> I encrypt my root system, then I create /etc/crypttab and modify
> /etc/fstab, but I don't know how I should boot my encrypted system.
> These are my steps to encrypt my root system:
> 1, create two partitions, sda1 is used for boot, sda2 is the root system
> 2, encrypt sda2:
> 2.1, dd if=/dev/random of=/etc/root-key bs=1c count=32
> 2.2, cryptsetup -d /etc/root-key create root /dev/sda1
> 2.3, mkfs.ext4 /dev/mapper/root
> 2.4, mount /dev/mapper/root /mnt & cp -avx / /mnt
> 3, create /etc/crypttab ' root /dev/sda3 /etc/root-key cipher=aes'
> 4, modify /etc/fstab: replace '#UUID ... ' with '/dev/mapper/root / ext3 defaults 1 1'
> 5, make initrd 'mkinitramfs' & mv ***.img to initrd.img
> 6, setting grub.cfg: linux ... root=/dev/mapper/root initrd /boot/initrd.img
>
> reference:
> https://www.linuxjournal.com/article/7743
> http://www.linuxfromscratch.org/blfs/view/svn/postlfs/initramfs.html

We don't directly support encrypted file systems in LFS. I have never tried it so I cannot help directly, but below is my personal opinion. Others may disagree.

The root file system has no sensitive files that need to be protected by encryption. It really only needs to contain /bin, /sbin, /usr, /etc, /lib, and /root. Other directories can be on separate partitions. Sensitive data needs to be in /home or some other custom location.

Solution: Don't encrypt /. Just encrypt what needs to be encrypted. After booting, managing encrypted partitions becomes much easier when you don't have to involve an initrd and the initial boot process.

  -- Bruce
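
Added example, not part of either message: a shell check that compares the settings quoted in the question (crypttab entry, fstab entry, the device given to cryptsetup, the filesystem type) and reports the mismatches that stop an initramfs from unlocking /. The sample strings are constructed from the quoted values, and audit_root_crypt is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the settings that must
# agree before an initramfs can unlock an encrypted /.

# Constructed inputs that mirror the values quoted in the question.
SAMPLE_CRYPTTAB='root /dev/sda3 /etc/root-key cipher=aes'
SAMPLE_FSTAB='/dev/mapper/root / ext3 defaults 1 1'

# audit_root_crypt CRYPTTAB FSTAB SETUP_DEV MKFS_TYPE  (hypothetical helper)
#   CRYPTTAB/FSTAB: file contents; SETUP_DEV: device given to cryptsetup;
#   MKFS_TYPE: filesystem created on the mapping.
# Prints one finding per line, nothing when everything agrees.
audit_root_crypt() {
    crypttab=$1; fstab=$2; setup_dev=$3; mkfs_type=$4
    # Source device and type of the fstab entry mounted at /.
    set -- $(printf '%s\n' "$fstab" |
        awk '$1 !~ /^#/ && $2 == "/" { print $1, $3; exit }')
    root_src=$1; root_type=$2
    name=${root_src#/dev/mapper/}
    if [ -z "$root_src" ] || [ "$name" = "$root_src" ]; then
        echo "fstab: / is not on a /dev/mapper device"
        return 0
    fi
    # Backing device and key file of the crypttab entry with that name.
    set -- $(printf '%s\n' "$crypttab" |
        awk -v n="$name" '$1 == n { print $2, $3; exit }')
    ct_dev=$1; ct_key=$2
    if [ -z "$ct_dev" ]; then
        echo "crypttab: no entry named $name"
        return 0
    fi
    if [ "$ct_dev" != "$setup_dev" ]; then
        echo "device: crypttab has $ct_dev, cryptsetup was run on $setup_dev"
    fi
    if [ "$root_type" != "$mkfs_type" ]; then
        echo "fstype: fstab has $root_type, mkfs created $mkfs_type"
    fi
    # A key file that is not under a separately mounted filesystem lives
    # on /, which is the volume it is supposed to unlock.
    if [ "$ct_key" != none ] && ! printf '%s\n' "$fstab" | awk -v k="$ct_key" \
        '$1 !~ /^#/ && $2 != "/" && index(k, $2 "/") == 1 { f = 1 } END { exit !f }'
    then
        echo "keyfile: $ct_key is stored on the volume it unlocks"
    fi
    return 0
}

audit_root_crypt "$SAMPLE_CRYPTTAB" "$SAMPLE_FSTAB" /dev/sda1 ext4
```

A key file that has to be copied into the initramfs to get around the last finding ends up on the unencrypted boot partition, where anyone who can read the disk can read the key.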
