Ask Your Question
2

Add new internal drive to existing encrypted disk setup

asked 2015-06-12 07:10:11 -0600

rmblr gravatar image

Using Fedora 22, I've added an internal drive to my computer and I want to add it to my existing luks setup.

I don't want to create a new Luks setup, as I don't want to enter multiple passwords on boot. I'd like to add it as a new volume group (inside the Luks partition).

How can I go about doing this?

All the articles online I've found don't cover this particular task.

edit retag flag offensive close merge delete

Comments

See if you can modify either of these options for fedora (the arch link seems less likely) http://blog.fealdia.org/2013/09/07/lu... or https://wiki.archlinux.org/index.php/...

bodhi.zazen gravatar imagebodhi.zazen ( 2015-06-15 21:52:32 -0600 )edit

Interesting, thanks for the first link. It doesn't look like this is supported by Fedora out of the box, though I wonder if the anaconda intaller can do it. In which case maybe if I re-install I can set it up then.

rmblr gravatar imagermblr ( 2015-06-21 09:24:19 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted
2

answered 2015-06-12 21:05:07 -0600

bthomas gravatar image

updated 2015-06-15 20:18:48 -0600

Good question. I don't know. And I explored my system. Still not sure. I might be able to provide a little information though (though it will be a bit technical). My plan was to try to reverse engineer how Fedora encrypts disks so I can do things like adding new disks, or encrypting my keyfile with a memory-hard kdf.

Assuming a UEFI system, the first thing to start up after the bios is the singed shim at /EFI/BOOT/BOOTX64.EFI on the /boot/efi gpt vfat partiton. This checks signatures and transfers control to grub at /EFI/fedora/grubx64.efi. Grub follows the instructions of EFI/fedora/grub.cfg. Finally something we can look at:

linuxefi /vmlinuz-4.0.4-301.fc22.x86_64 root=/dev/mapper/luks-56887873-ef18-4a20-a68b-dd9ce4d57ee3 ro rd.luks.uuid=luks-56887873-ef18-4a20-a68b-dd9ce4d57ee3 rd.lvm.lv=garrison/01 rd.lvm.lv=garrison/00 rd.luks.uuid=luks-3549f600-2703-44bb-843d-e8071b03995b rhgb quiet LANG=en_CA.UTF-8
initrdefi /initramfs-4.0.4-301.fc22.x86_64.img

The root= parameter tells us that initramfs decrypts the root filesystem to /dev/mapper/luks-<UUID>. The other parameters look like it's specific to Fedora's initramfs, but they indicate the location of the encrypted devices (my root filesystem is in a lvm volume group called garrison and is partition 01, while my swap is 00. I have a third encrypted partition at 02 that is not listed here. This make some sense since root is required to boot up normally, and swap is required to resume from suspend to disk, while the third one can be mounted later. Note that all 3 share the same password and are decrypted at boot with the one password).

So next grub loads the kernel and initramfs (which is a temporary filesystem who's job is to mount the rootfs, including decrypting it and managing lvm/raid). This should be the important part telling us how encryption is set up in Fedora. The kernel usually runs /init in here to set up the system.

$ mkdir initramfs && cd initramfs
$ cat /boot/initramfs-4.0.4-303.fc22.x86_64.img | cpio -i -H newc -0
$ ls -R
.:
early_cpio  kernel

./kernel:
x86

./kernel/x86:
microcode

./kernel/x86/microcode:
GenuineIntel.bin
$ cat early_cpio
1

WAT. Ok, no /init, and not much that's productive in here. The microcode is just some firmware that is loaded directly into my CPU AFAIK. At this point I looked through the /boot directory for signs of things that decrypt volumes. Didn't find much. So it seems whatever's booting my computer is a hidden mystery. I thought that the kernel might be patched to do it, but apparently it's not according to this. Also, the config looks like it's not including an internal initramfs. This is very strange indeed.

After initramfs is ran, it's supposed to chroot into the main filesystem and run the init (which is sytemd). Systemd (udev) mounts filesystems based on /etc/fstab and /etc/crypttab. Both of those look fine, but not helpful on my system ... (more)

edit flag offensive delete link more

Comments

Thanks for the research, but as you noted it remains a mystery where Fedora is decrypting the non / partition and mounting the other partitions (in my case with /home).

rmblr gravatar imagermblr ( 2015-06-21 10:14:20 -0600 )edit

Indeed it's perplexing. You could start looking at the dracut project page / or looking through it's source rpm for more information.

bthomas gravatar imagebthomas ( 2015-06-22 18:52:47 -0600 )edit

Question Tools

1 follower

Stats

Asked: 2015-06-12 07:10:11 -0600

Seen: 585 times

Last updated: Jun 15 '15