Good question. I don't know. And I explored my system. Still not sure. I might be able to provide a little information though (though it will be a bit technical). My plan was to try to reverse engineer how Fedora encrypts disks so I can do things like adding new disks, or encrypting my keyfile with a memory-hard kdf.
Assuming a UEFI system, the first thing to start up after the BIOS is the signed shim at /EFI/BOOT/BOOTX64.EFI on the /boot/efi GPT vfat partition. This checks signatures and transfers control to grub at /EFI/fedora/grubx64.efi. Grub follows the instructions of EFI/fedora/grub.cfg. Finally something we can look at:
linuxefi /vmlinuz-4.0.4-301.fc22.x86_64 root=/dev/mapper/luks-56887873-ef18-4a20-a68b-dd9ce4d57ee3 ro rd.luks.uuid=luks-56887873-ef18-4a20-a68b-dd9ce4d57ee3 rd.lvm.lv=garrison/01 rd.lvm.lv=garrison/00 rd.luks.uuid=luks-3549f600-2703-44bb-843d-e8071b03995b rhgb quiet LANG=en_CA.UTF-8
initrdefi /initramfs-4.0.4-301.fc22.x86_64.img
The root= parameter tells us that initramfs decrypts the root filesystem to /dev/mapper/luks-<UUID>. The other parameters look like they're specific to Fedora's initramfs, but they indicate the location of the encrypted devices (my root filesystem is in an LVM volume group called garrison and is partition 01, while my swap is 00. I have a third encrypted partition at 02 that is not listed here. This makes some sense since root is required to boot up normally, and swap is required to resume from suspend to disk, while the third one can be mounted later. Note that all 3 share the same password and are decrypted at boot with the one password).
So next grub loads the kernel and initramfs (which is a temporary filesystem whose job is to mount the rootfs, including decrypting it and managing LVM/RAID). This should be the important part telling us how encryption is set up in Fedora. The kernel usually runs /init in here to set up the system.
$ mkdir initramfs && cd initramfs
$ cat /boot/initramfs-4.0.4-303.fc22.x86_64.img | cpio -i -H newc -0
$ ls -R
.:
early_cpio kernel
./kernel:
x86
./kernel/x86:
microcode
./kernel/x86/microcode:
GenuineIntel.bin
$ cat early_cpio
1
WAT. Ok, no /init, and not much that's productive in here. The microcode is just some firmware that is loaded directly into my CPU AFAIK. At this point I looked through the /boot directory for signs of things that decrypt volumes. Didn't find much. So it seems whatever's booting my computer is a hidden mystery. I thought that the kernel might be patched to do it, but apparently it's not according to this. Also, the config looks like it's not including an internal initramfs. This is very strange indeed.
After initramfs is run, it's supposed to chroot into the main filesystem and run the init (which is systemd). Systemd (udev) mounts filesystems based on /etc/fstab and /etc/crypttab. Both of those look fine, but not helpful on my system ...
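An added example, not code from the thread: a small Python walk of the initramfs layout the post unpacks. A dracut-built Fedora image is two concatenated archives, an uncompressed early cpio holding the microcode followed by a compressed cpio holding /init, crypttab and cryptsetup, and `cpio -i` stops at the first TRAILER!!! record, which is why only early_cpio and the microcode show up above. The image here is constructed in build_sample() rather than read from disk, and only gzip compression is handled (dracut can also use xz or zstd).

```python
import gzip

CPIO_MAGIC = b"070701"  # "newc" header magic used by initramfs images
_pad4 = lambda n: (n + 3) & ~3  # newc pads header+name and data to 4 bytes

def newc_entry(name, data):
    # magic + 13 eight-digit hex fields; index 6 is filesize, 11 is namesize (incl. NUL)
    name_b = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    rec = CPIO_MAGIC + "".join(f"{v:08x}" for v in fields).encode() + name_b
    rec += b"\0" * (_pad4(len(rec)) - len(rec))
    return rec + data + b"\0" * (_pad4(len(data)) - len(data))

def newc_archive(files):
    return b"".join(newc_entry(n, d) for n, d in files) + newc_entry("TRAILER!!!", b"")

def list_cpio(buf, off=0):
    """Names in the newc archive at buf[off] (4-byte aligned) and the offset past its TRAILER!!!."""
    names = []
    while True:
        if buf[off:off + 6] != CPIO_MAGIC:
            raise ValueError(f"no cpio header at offset {off}")
        fields = [int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name = buf[off + 110:off + 110 + namesize - 1].decode()
        off = _pad4(_pad4(off + 110 + namesize) + filesize)
        if name == "TRAILER!!!":
            return names, off  # plain `cpio -i` stops here and never sees later archives
        names.append(name)

def list_initramfs(image):
    """Names from every concatenated archive: early cpio, then the gzip main cpio (xz/zstd not handled)."""
    segments, off = [], 0
    while off < len(image):
        while off < len(image) and image[off] == 0:  # zero padding after an archive
            off += 1
        if image[off:off + 2] == b"\x1f\x8b":  # gzip magic: the rest of the file is one stream
            image, off = gzip.decompress(image[off:]), 0
        if off < len(image):
            names, off = list_cpio(image, off)
            segments.append(names)
    return segments

def build_sample():
    # Constructed two-part image shaped like a Fedora initramfs; not a real file.
    early = newc_archive([("kernel/x86/microcode/GenuineIntel.bin", b"\xaa" * 9), ("early_cpio", b"1\n")])
    main = newc_archive([("init", b"#!/bin/sh\nexec /lib/systemd/systemd\n"),
                         ("etc/crypttab", b"luks-UUID UUID=UUID none\n"), ("usr/sbin/cryptsetup", b"\x7fELF")])
    return early + gzip.compress(main)
```

list_cpio(build_sample())[0] returns only the two early-archive names, mirroring the `ls -R` above, while list_initramfs(build_sample()) also returns the second archive with /init in it; on a real Fedora box the dracut tool lsinitrd does this same two-archive walk.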
See if you can modify either of these options for Fedora (the Arch link seems less likely) http://blog.fealdia.org/2013/09/07/lu... or https://wiki.archlinux.org/index.php/...
Interesting, thanks for the first link. It doesn't look like this is supported by Fedora out of the box, though I wonder if the Anaconda installer can do it. In which case maybe if I re-install I can set it up then.