The basic config works fine for creating RAID1, LVM, etc. The -:encrypt mount point option to the RAID1 is what has been problematic when I have tried it. I'll check experimental9 soon and report my findings.
In the meantime, I use the following post install script I wrote to convert the system from mirrored root to encrypted root:

#!/bin/bash
# Pull sdb2 out of the mirror and use it as a temporary PV for RootVG0
mdadm /dev/md1 --fail /dev/sdb2 || exit 1
sleep 5
mdadm /dev/md1 --remove /dev/sdb2 || exit 1
sleep 5
pvcreate /dev/sdb2 || exit 1
vgextend RootVG0 /dev/sdb2 || exit 1
pvmove /dev/md1 || exit 1
vgreduce RootVG0 /dev/md1 || exit 1
# Braces, not a subshell, so that exit really stops the script
pvremove /dev/md1 || { echo "Reboot and run $0 script 2 "; exit 1; }
# Encrypt the emptied md1 and register it in the target's crypttab
echo "PassPhrase Here" | cryptsetup -q luksFormat /dev/md1 -c aes-cbc-essiv:sha256 -s 256 || exit 1
echo "PassPhrase Here" | cryptsetup luksOpen /dev/md1 md1_crypt || exit 1
pvcreate /dev/mapper/md1_crypt || exit 1
printf "md1_crypt /dev/md1 none luks\n" >> "$target/etc/crypttab" || exit 1
# Move the volume group onto the LUKS mapping, then re-add sdb2 to the mirror
vgextend RootVG0 /dev/mapper/md1_crypt || exit 1
pvmove /dev/sdb2 || exit 1
vgreduce RootVG0 /dev/sdb2 || exit 1
pvremove /dev/sdb2 || exit 1
mdadm /dev/md1 --add /dev/sdb2 || exit 1
update-initramfs -u -k all || exit 1

That script works well. The pvremove command seems to have occasional issues with getting a device lock if the md device hasn't fully mirrored before I begin the process.

Running an optional sfill from the secure-delete package at the end of the process will write random data into the unused space, making spotting the encrypted data more difficult. The current Lenny Debian installer does wipe the disk as part of the encryption configuration.

Doug Spencer
http://SecurityBulletins.com/

On Thu, 12 Feb 2009 00:02:53 +0100 Michael Tautschnig <[email protected]> wrote:

> Hi Doug,
>
> > Experimental5 had the same issue as experimental4 when I tried it
> > yesterday.
> >
>
> I finally got around to trying your config and on my system the parser nicely
> accepted it. Could you please retry using experimental9 and report back? In
> case it still fails while parsing, please supply the error message and attach
> your config file (please don't paste it, there may be some strange whitespace
> issue).
>
> Thanks! --- Cut
>
> Best,
> Michael
>
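The message above ties the occasional pvremove lock failures to starting before the md device has fully mirrored. One way to gate the script on that condition, as an added example that is not part of the original message: the function names are hypothetical, the mdstat samples are constructed, and "fully mirrored" is assumed to mean an all-`U` member status with no resync or recovery line for the array.

```bash
#!/bin/bash
# Added example: wait until an md array is fully mirrored before the
# mdadm/LVM steps start. Function names are hypothetical.

# Return 0 only if array $1 appears in the mdstat text ($2, default
# /proc/mdstat), every member is up ([UU]) and no resync is running.
md_in_sync() {
    local md="$1" mdstat="${2:-/proc/mdstat}"
    awk -v md="$md" '
        $1 == md && $2 == ":" { in_md = 1; found = 1; next }
        in_md && (NF == 0 || /^[^ ]/) { in_md = 0 }   # array block ended
        in_md && /(resync|recovery|reshape|check) *=/ { busy = 1 }
        in_md && match($0, /\[[U_]+\]/) {
            seen = 1
            if (substr($0, RSTART, RLENGTH) ~ /_/) degraded = 1
        }
        END { exit !(found && seen && !busy && !degraded) }
    ' "$mdstat"
}

# Poll every $3 seconds, at most $2 times; return 1 on timeout.
wait_for_md_sync() {
    local md="$1" tries="${2:-720}" delay="${3:-5}" mdstat="${4:-/proc/mdstat}"
    until md_in_sync "$md" "$mdstat"; do
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] || return 1
        sleep "$delay"
    done
}

# Constructed /proc/mdstat samples (not captured from a real system).
sample_mdstat_clean() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sdb2[1] sda2[0]
      97536000 blocks [2/2] [UU]

unused devices: <none>
EOF
}

sample_mdstat_resync() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sdb2[1] sda2[0]
      97536000 blocks [2/2] [UU]
      [==>..................]  resync = 12.6% (12289536/97536000) finish=21.3min speed=66000K/sec

unused devices: <none>
EOF
}
```

Calling `wait_for_md_sync md1 || exit 1` ahead of the first `mdadm --fail` would hold the conversion until the mirror is clean.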
