> I haven't messed with Deb or Ubuntu yet, [...]
Ubuntu will do what you want.
I use the full-disk encryption from the Ubuntu installer
(dm-crypt). I use it on 100% of my computers, incl. all my VM servers,
my netbook, and my MythTV box.
The Ubuntu installer situation is the opposite of CentOS. To get
support for full-disk encryption, you must use the "alternate" install
CD ISO image, which is a text-mode, ncurses-based install. It offers
you several default options for disk partitioning, incl. "manual". I
usually partition my disks manually, because I like to keep the
pre-installed Windows partition around. It's a little tricky, because
you need an unencrypted /boot/ part, and an encrypted LVM part to hold
both swap and root filesystems. That allows both swap and data to be
encrypted (and unlocked with just a single passphrase).
I have set up my systems with a custom initfs boot script that
allows me to unlock them with a USB thumbdrive. That allows me to start
my headless servers like using a car key. (I'll be publishing a blog
article about that soon.) If you are working with full-disk encryption
in Panama, you'll need to either be using virtual machines (e.g. VNC to
get to the bootloader screen), or else you'll need someone on-site to
type in the passphrase every time you reboot your hardware -- or you need
some kind of IP-based keyboard/mouse that you can use remotely... (How
do you usually do an O.S. install remotely?)
Both Ubuntu installers (text and GUI) come with an "Encrypt your
home directory?" option, which uses EncFS to mount your $HOME when you
login. But I find that to be insufficient security. Swap needs to be
encrypted, period.
I've read that the new Ubuntu GUI installer is much faster than the
old text-mode installer. I guess it does a lot more stuff in parallel.
I'm disappointed that the Ubuntu GUI installer doesn't offer full-disk
encryption yet. But I am thankful I can still do a text-mode install
that works!
> The deprecation of the text interface is Not Cool...
Amen! Pixels are for pansies. Now excuse me while I go coddle my
old 2400 baud modem... /Rosebud!/
> Advanced storage configuration has become too difficult to manage UI
> in the newt manner. [...] Bottom line, if you want advanced
> configuration, you have to use advanced input methods.
LOL@CentOS! :)
I've used the Ubuntu text-mode CD ("alternate") to set up fairly
complicated disk configs, incl. creating an unencrypted RAID1 /boot/ and
an encrypted RAID6 root, swap, /home/ on the same set of disks. I used
the advanced input methods of "up", "down", and "enter".
--Derek
On 02/08/2011 05:55 PM, Jesse Keating wrote:
> On 2/8/11 5:17 PM, Glenn Stone wrote:
>> Google sez I should be able to install an encrypted CentOS 5.5 system from
>> the get-go, but there wasn't the appropriate ticky-box in the text
>> installer. It's there in the GUI installer (boo, hiss, requiring a GUI when
>> I have to install remote in places like Panama), but you can't create a
>> custom disk layout, you HAVE to take the default and then edit it. And LVM
>> seems to be mandated... *sigh*
>>
>> I haven't messed with Deb or Ubuntu yet, though I understand you can encrypt
>> in those installers, too, but still. The deprecation of the text interface
>> is Not Cool... it will be interesting to see what the anaconda_ks.cfg turns
>> out to be. If I can do this *once* and come up with a working kickstart
>> that I don't have to worry about, that will be marginally palatable, but
>> still. When I have to configure stuff on the other end of what in some
>> cases can be a 56k frame relay, I don't wanna have to mouse around with it!
>>
>> (The fact that HP seems to have a similar bias in configuring the RAID
>> arrays is beyond the scope of this article.)
>>
>> Sign me,
>> Grumpy Old Man
>> (get off my lawn! :)
>
> Advanced storage configuration has become too difficult to manage UI
> in the newt manner. The code divergence vs the graphical installer
> has led to many bugs and errors over the years. The anaconda
> development team has decided to remove advanced storage and even
> package selection from the non-gui install paths. One can use vnc if
> remote, or kickstart for accomplishing more complicated setups.
>
> https://fedoraproject.org/wiki/Anaconda/Kickstart is a very good set
> of documentation on what modern day kickstart can do. Some of these
> options are not available in CentOS 5.5, that's based on many years
> old installer code.
>
> Bottom line, if you want advanced configuration, you have to use
> advanced input methods. Be it a graphical user interface or a
> kickstart file.
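
A check for the disk layout this thread describes (everything except /boot, swap included, sitting on dm-crypt), as an added example that is not part of any poster's message. It walks the JSON printed by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; the device names and both sample trees are constructed.

```python
import json

# Constructed sample: plain /boot, one LUKS partition holding LVM (swap + root).
SAMPLE_FDE = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext2", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
      {"name": "sda2_crypt", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
        {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"},
        {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"}
      ]}
    ]}
  ]}
]}
""")

# Constructed sample: no block-level encryption, swap on a plain partition.
SAMPLE_PLAIN = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/"},
    {"name": "sda5", "type": "part", "fstype": "swap", "mountpoint": "[SWAP]"}
  ]}
]}
""")

ALLOWED_PLAINTEXT = {"/boot"}  # the one mount the thread says must stay unencrypted


def unencrypted_mounts(tree, allowed=ALLOWED_PLAINTEXT):
    """Return (device, mountpoint) pairs that are not stacked on a dm-crypt device."""
    found = []

    def walk(node, under_crypt):
        # Anything below a node of TYPE "crypt" is reached through dm-crypt.
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")  # lsblk reports active swap as "[SWAP]"
        if mountpoint and not under_crypt and mountpoint not in allowed:
            found.append((node["name"], mountpoint))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree["blockdevices"]:
        walk(device, False)
    return found
```

On a live system, feed it `json.loads()` of the real `lsblk` output; an empty list means only /boot is stored in the clear.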