Difference between revisions of "Dm-crypt/System configuration"

From ArchWiki
("configur*" is already in the title of the page)
(Boot loader: generalize, examples are in Dm-crypt/Encrypting an Entire System)
Line 18: Line 18:
  
 
== Boot loader ==
 
== Boot loader ==
In order to enable booting an encrypted root partition, the following kernel paramaters need to be set. See [[kernel parameters]] for instructions specific to your [[boot loader]].
+
In order to enable booting an encrypted root partition, a subset of the following kernel paramaters need to be set. See [[kernel parameters]] for instructions specific to your [[boot loader]].
 +
 
 +
=== cryptdevice ===
 +
This parameter will make the system prompt for the passphrase to unlock the root device on a cold boot.  
  
The main parameter is {{ic|cryptdevice}}, with the following syntax:
 
 
  cryptdevice=''device'':''dmname''
 
  cryptdevice=''device'':''dmname''
  
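Review bot: the typo "paramaters" in the lead sentence is carried unchanged into the rewritten line ("a subset of the following kernel paramaters need to be set"); since the line is being edited anyway, correct it to "parameters". The new opening sentence under "=== cryptdevice ===" ("This parameter will make the system prompt for the passphrase ...") describes the effect before saying what the parameter names; consider leading with the encrypted device and its mapper name and keeping the prompt behaviour as the second sentence.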
Line 26: Line 28:
 
* {{ic|''dmname''}} is the '''d'''evice-'''m'''apper name given to the device after decryption, which will be available as {{ic|/dev/mapper/''dmname''}}.
 
* {{ic|''dmname''}} is the '''d'''evice-'''m'''apper name given to the device after decryption, which will be available as {{ic|/dev/mapper/''dmname''}}.
  
So if the encrypted root device in the example is {{ic|/dev/sda2}} and the decrypted one should be mapped to {{ic|/dev/mapper/cryptroot}}, the kernel parameter would be:
+
=== root ===
  cryptdevice=/dev/sda2:cryptroot
+
root=''device''
 +
 
 +
* {{ic|''device''}} is the device file of the actual (decrypted) root file system. If the file system is formatted directly on the decrypted device file this will be {{ic|/dev/mapper/''dmname''}}.
 +
 
 +
=== resume ===
 +
  resume=''device''
 +
 
 +
* {{ic|''device''}} is the device file of the decrypted (swap) filesystem used for suspend2disk. See also [[Dm-crypt/Swap Encryption]].
  
This will make the system prompt for the passphrase to unlock the root device on a cold boot.  
+
=== cryptkey ===
 +
This parameter is required for reading a keyfile from a file system. See also [[Dm-crypt/Device Encryption#Using Cryptsetup with a Keyfile]].
  
Depending on the setup other parameters are required as well:
+
  cryptkey=''device'':''fstype'':''path''
  cryptdevice=''device'':''dmname'' root=''device'' resume=''device'' cryptkey=''device'':''fstype'':''path''
+
  
* {{ic|1=root=''device''}} is the device file of the actual (decrypted) root file system. If the file system is formatted directly on the decrypted device file this will be {{ic|/dev/mapper/''dmname''}}.
+
*{{ic|''device''}} is the raw block device where the key exists.
* {{ic|1=resume=''device''}} is the device file of the decrypted (swap) filesystem used for suspend2disk. See also [[Dm-crypt/Swap Encryption]].
+
*{{ic|''fstype''}} is the filesystem type of {{ic|''device''}} (or auto).
* {{ic|1=cryptkey=''<nowiki>device:fstype:path</nowiki>''}} is required for reading a keyfile from a file system. See also [[Dm-crypt/Device Encryption#Using Cryptsetup with a Keyfile]].
+
*{{ic|''path''}} is the absolute path of the keyfile within the device.
**{{ic|''device''}} is the raw block device where the key exists.
+
**{{ic|''fstype''}} is the filesystem type of {{ic|''device''}} (or auto).
+
**{{ic|''path''}} is the absolute path of the keyfile within the device.
+
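Review bot: dropping the worked example ("cryptdevice=/dev/sda2:cryptroot" and the sentence introducing it) leaves the section with no pointer to where examples now live; the edit summary says they are in Dm-crypt/Encrypting an Entire System, so add a one-line cross-reference to that page under "== Boot loader ==". Minor style point: the new bullets under "=== cryptkey ===" are written "*{{ic|''device''}}" without the space after "*" that the other bullets in the section use ("* {{ic|''dmname''}}"); make them consistent.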

Revision as of 07:06, 4 December 2013

This article is a stub.

Note: This article is currently under heavy restructuring; for its latest stable revision see Dm-crypt with LUKS.

This article or section needs expansion.

Reason: Aggregate here all the generic information on system configuration from the other sub-articles of Dm-crypt.


mkinitcpio

When encrypting a system it is necessary to regenerate the initial ramdisk after properly configuring mkinitcpio. Depending on the particular scenarios, a subset of the following hooks will have to be enabled:

  • encrypt: always needed when encrypting the root partition, or a partition that needs to be mounted before root; it must come before the filesystems hook. It is not needed in the other cases, since the system initialization scripts, driven by /etc/crypttab, take care of unlocking any other partitions.
  • shutdown: highly recommended, ensures controlled unmounting during system shutdown.
  • keymap: provides support for foreign keymaps for typing encryption passwords; it must come before the encrypt hook.
  • keyboard: needed to make USB keyboards work in early userspace.
    • usbinput: deprecated, but can be given a try in case keyboard does not work.

Other hooks needed should be clear from other manual steps followed during the installation of the system.
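As an added example (not from the ArchWiki page), the following POSIX shell script checks the HOOKS line of a mkinitcpio.conf against the ordering rules listed above: encrypt present and before filesystems, keymap before encrypt, keyboard present, shutdown recommended. The config text is a constructed sample embedded in the script.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): validate the HOOKS line of a
# mkinitcpio.conf against the ordering rules for an encrypted root.
# Prints "ok" or the first violated rule; exit status 0 or 1.

# Constructed sample config so the check runs without reading /etc.
SAMPLE_CONF='MODULES=()
BINARIES=()
FILES=()
HOOKS=(base udev autodetect modconf block keyboard keymap encrypt filesystems fsck shutdown)'

# Print the space-separated hook list from a config given on stdin.
hooks_from_conf() {
    sed -n 's/^HOOKS=(\(.*\))$/\1/p'
}

# 1-based position of hook $1 in list $2, or 0 if it is absent.
hook_pos() {
    i=0
    for h in $2; do
        i=$((i + 1))
        [ "$h" = "$1" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# Check one hook list (a single string of space-separated hook names).
check_hooks() {
    enc=$(hook_pos encrypt "$1"); fs=$(hook_pos filesystems "$1")
    km=$(hook_pos keymap "$1");   kb=$(hook_pos keyboard "$1")
    [ "$enc" -gt 0 ] || { echo "missing: encrypt (required for an encrypted root)"; return 1; }
    [ "$fs" -gt 0 ]  || { echo "missing: filesystems"; return 1; }
    [ "$enc" -lt "$fs" ] || { echo "order: encrypt must come before filesystems"; return 1; }
    if [ "$km" -gt 0 ] && [ "$km" -gt "$enc" ]; then
        echo "order: keymap must come before encrypt"; return 1
    fi
    [ "$kb" -gt 0 ] || { echo "missing: keyboard (USB keyboards need it in early userspace)"; return 1; }
    # shutdown is recommended rather than required, so only warn on stderr.
    [ "$(hook_pos shutdown "$1")" -gt 0 ] || echo "note: shutdown hook absent (recommended)" >&2
    echo ok
}

check_hooks "$(printf '%s\n' "$SAMPLE_CONF" | hooks_from_conf)"
```

To check a real system, replace the sample with `hooks_from_conf < /etc/mkinitcpio.conf`.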

Boot loader

In order to enable booting an encrypted root partition, a subset of the following kernel parameters need to be set. See kernel parameters for instructions specific to your boot loader.

cryptdevice

This parameter will make the system prompt for the passphrase to unlock the root device on a cold boot.

cryptdevice=device:dmname
  • device is the path to the raw encrypted device. Usage of Persistent block device naming is advisable.
  • dmname is the device-mapper name given to the device after decryption, which will be available as /dev/mapper/dmname.

root

root=device
  • device is the device file of the actual (decrypted) root file system. If the file system is formatted directly on the decrypted device file this will be /dev/mapper/dmname.

resume

resume=device
  • device is the device file of the decrypted (swap) filesystem used for suspend2disk. See also Dm-crypt/Swap Encryption.

cryptkey

This parameter is required for reading a keyfile from a file system. See also Dm-crypt/Device Encryption#Using Cryptsetup with a Keyfile.

cryptkey=device:fstype:path
  • device is the raw block device where the key exists.
  • fstype is the filesystem type of device (or auto).
  • path is the absolute path of the keyfile within the device.
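As an added example (not from the ArchWiki page), this POSIX shell script parses a kernel command line and checks the cryptdevice, root and cryptkey parameters described above for shape and consistency: cryptdevice must be device:dmname, root is expected to be /dev/mapper/dmname when the file system sits directly on the decrypted device, and cryptkey needs all three fields with an absolute path. The sample command line, its UUID and its device names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): parse a kernel command line and
# check the dm-crypt parameters described above for shape and consistency.
# Prints "ok" or the first problem found; exit status 0 or 1.

# Constructed sample command line; the UUID, device paths and names are placeholders.
SAMPLE_CMDLINE='cryptdevice=/dev/disk/by-uuid/UUID-PLACEHOLDER:cryptroot root=/dev/mapper/cryptroot cryptkey=/dev/sdb1:vfat:/keys/root.key rw quiet'

# Print the value of parameter $1 in command line $2 (empty if absent).
param_val() {
    for kv in $2; do
        case $kv in "$1="*) echo "${kv#*=}"; return 0 ;; esac
    done
    echo ""
}

check_cmdline() {
    cd_val=$(param_val cryptdevice "$1")
    root_val=$(param_val root "$1")
    key_val=$(param_val cryptkey "$1")

    [ -n "$cd_val" ] || { echo "missing cryptdevice="; return 1; }
    case $cd_val in
        ?*:?*) dev=${cd_val%%:*}; dmname=${cd_val#*:}; dmname=${dmname%%:*} ;;
        *) echo "cryptdevice must be device:dmname"; return 1 ;;
    esac
    # Persistent naming is advised: /dev/sdX can change between boots.
    case $dev in
        /dev/disk/by-*) ;;
        *) echo "note: $dev is not a persistent block device name" >&2 ;;
    esac

    [ -n "$root_val" ] || { echo "missing root="; return 1; }
    # With the file system directly on the decrypted device, root is /dev/mapper/dmname.
    [ "$root_val" = "/dev/mapper/$dmname" ] ||
        echo "note: root=$root_val is not /dev/mapper/$dmname; check the root file system layout" >&2

    # cryptkey is optional, but when present it needs all three fields and an absolute path.
    if [ -n "$key_val" ]; then
        case $key_val in
            ?*:?*:/*) ;;
            ?*:?*:?*) echo "cryptkey path must be absolute"; return 1 ;;
            *) echo "cryptkey must be device:fstype:path"; return 1 ;;
        esac
    fi
    echo ok
}

check_cmdline "$SAMPLE_CMDLINE"
```

On a running system the same check can be applied to `$(cat /proc/cmdline)`.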