The contents of this website are Copyright (c)2006 by Brian Manning <brian at antlinux dot com>. Please do not reuse any of the content on this website without permission from the author.

Todos

• add links to different wiki/main site/external pages for each step listed below (Example: LVM steps should link to the LVM Mini HOWTO).

Installation

1. If you're running under QEMU, create a new disk to hold the new partitions
   1. qemu-img create -f qcow disk2.qcow 4G
2. create zero/two/three partitions on the drive (parted page)
   1. parted /dev/hdX mkpart primary 0 [size of device in megabytes]
   2. zero partitions: need to boot off of some other device (network maybe?), as GRUB won't be able to read the encrypted partition to boot the kernel and initramfs image
   3. 2 partitions: one for /boot and one for the encrypted loopback partition; swap device will be part of the encrypted loopback partition and use the same set of keys
   4. 3 partitions: one for /boot, one for the swap device and one for the encrypted loopback partition; the swap device will use it's own random key
3. create a /etc/fstab file showing /boot and the loopback partitions
   1. Encrypted swap: /dev/hdb2 none swap sw,loop=/dev/loop0,encryption=AES128 0 0
   2. See the loop-aes README for instructions on setting up encrypted partitons with loop-aes
4. mount the loopback device, then run pvcreate on it. See the LVMMini page for the full set of LVM steps
   1. losetup -F /dev/loopX
   2. pvcreate /dev/loopX
5. Create LVM groups as needed
   1. vgcreate evg0 /dev/loopX (evg0 is the volume name for this example)
6. Once all of the LVM groups/devices have been created on the loopback partition, run vgscan and vgchange to bring them online
   1. vgchange -a y evg0
7. Create the logical volumes needed to be able to install Linux on the encrypted volumes
   1. lvcreate -L1000 -nrootvol evg0
   2. lvcreate -L1000 -nvarvol evg0
   3. lvcreate -l351 -nusrvol evg0
8. create filesystems on each partition as needed
   1. mkfs.xfs /dev/evg0/[root|usr|var]vol
9. mount the partitions by hand and test
   1. mount -t xfs /dev/evg0/rootvol /mnt/rootvol
   2. mount -t xfs /dev/evg0/varvol /mnt/rootvol/var
   3. mount -t xfs /dev/evg0/usrvol /mnt/rootvol/usr
   4. swapon -a (mounts encrypted swap if enabled)
10. bonus points; run debootstrap as in the DebootStrap page

Normal Operation

• System boots off of the hard drive or a thumb drive
  • Thumbdrive can contain a kernel, initramfs image, and GPG keys needed to unlock the main LVM partition
• Run the services needed to accept connections from local/remote hosts and mount the encrypted loopback device(s)
  • Web server - run a SSL-enabled webserver with a CGI script from the initramfs image that accepts the keys and authentication, and dumps them after the filesystem is mounted
    • Use the key signature as part of the URL; you call http://www.someserver.com/?key=0x1234abcd, the system then brings up a key passphrase screen and prompts you to enter the passphrase.
    • SSL certificate generation is contained in the build_apache2.txt file in CVS
  • USB Thumbdrive - have the system check for the insertion of a USB thumbdrive; maybe use the hotplug package, as it can run scripts upon insertion events
• Upon successful loopback device setup, the init script runs vgscan to scan the loopback device for LVM volumes
• Change the LVM volumes status with vgchange -a y
• Mount the volumes contaned in the encrypted loopback to /mnt
  • See also current /init script to make sure no steps are missing here (switch_root)
• init script exits using exec() ala current /init script; system should then start up using the init binary on the mounted disks
  • update /etc/fstab on mounted encrypted loopback filesystems so mounts get unmounted correctly prior to system restart?

Normal Operation Testing steps

 swapon -a
 losetup -F /dev/loop1
 <enter password>
 vgscan -v
 vgchange -a y evg0
 mkdir /mnt/rootvol
 mount /mnt/rootvol
 mount /mnt/rootvol/var
 mount /mnt/rootvol/usr
 /usr/sbin/debootstrap --arch i386 --unpack-tarball /tmp/basedebs.tar woody /mnt/rootvol