Gentoo Forums
mount command options in fstab
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1171
Posted: Tue Sep 22, 2020 7:03 am    Post subject: mount command options in fstab

Help! (Edited many times...but I am done now.)
I have two lvm's that I want mounted at all times. They are located on an encrypted partition with the key stored locally on another local filesystem partition /home. Unfortunately dmcrypt does not seem to work when it is in the boot runlevel, but it does in the default runlevel. Maybe this is because it needs the /home partition to be mounted, I don't know. Would like to understand (maybe in the logs somewhere) why dmcrypt is failing to unencrypt the partition in boot but able to in default service runlevel. Also I am happy to leave it in the default service runlevel working there, but would then need to have a workaround in order to mount the two encrypted logical volumes in /etc/fstab after the default runlevel is loaded. Would this be the job for a batch script or new service to add to the default runlevel? I've never created a service for myself so if that is a fairly straightforward and simple workaround then I can try that.

Obviously modifying the depend() section of localmount won't work as far as I can tell, at least until dmcrypt is able to unencrypt and lvm can recognize the two unencrypted volume groups.

When I boot into the default runlevel I am basically left with needing to execute a mount -a.

That is really all I need my service to do. Or a solution to why dmcrypt and lvm don't work at the boot runlevel.
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1171
Posted: Tue Sep 22, 2020 7:40 am

Even though I am done editing the initial post, here is some helpful rc.log about the situation...based on this what it looks like to me is that I need localmount to execute twice, once before dmcrypt for the key, and once after for the encrypted (unencrypted) partitions. Does that seem right?

Code:


 * Loading kernel modules ...
insmod /lib/modules/5.4.60-gentoo/net/wireless/wl.ko
 [ ok ]
 * Mounting misc binary format filesystem ...
 [ ok ]
 * Loading custom binary format handlers ...
 [ ok ]
 * Setting up dm-crypt mappings ...
 * /dev/sdb2 will not be decrypted ...
 * Reason: keyfile /home/jonathanr/Admin/Temp/tower_disk_secret_key does not exist.
 [ ok ]
 * /run/lvm: creating directory
 * Starting lvmetad ...
 [ ok ]
 * Starting the Logical Volume Manager ...
  Reading volume groups from cache.
 [ ok ]
 * Checking local filesystems  ...
gentoo: clean, 558824/1286144 files, 3780923/5120000 blocks
SOFTWARE: clean, 16799/3858432 files, 25772973/61733984 blocks
BACKUP_DOCS_TO_U: clean, 661446/3809280 files, 8878164/15236859 blocks
ShellLang: clean, 24/125184 files, 123700/500178 blocks
 [ ok ]
 * Remounting root filesystem read/write ...
 [ ok ]
 * Remounting filesystems ...
 [ ok ]
 * Updating /etc/mtab ...
 * Creating mtab symbolic link
 [ ok ]
 * Activating swap devices ...
 [ ok ]
 * Mounting local filesystems ...
mount: /mnt/Backups: can't find UUID=b29c46fd-e54f-4bee-b911-6d68a1658e77.
mount: /mnt/Backups/BareMetal: can't find UUID=3c660aff-13c5-446f-8675-30eb19d62e88.
 * Some local filesystem failed to mount
 [ !! ]
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1171
Posted: Tue Sep 22, 2020 8:12 am

I have temporarily resolved the problem by moving the key file. It is now in the / folder. Not a very secretive place to store such a key, which I will need to ask some more advice about now.
(I don't see the point of having an encrypted drive when the key is kept on an unencrypted partition on the same machine.)
I could use help with some of my security related questions:
1) I wanted to play around with an encrypted partition that I am currently using to store backups. Now I understand that as long as any encrypted partition is in an unencrypted state and in use so to speak that the encryption does next to nothing to protect that from intrusion or any other kind of similar threat. For that purpose I could see myself going the direction of leaving the encrypted partition closed except for when performing the backups, but even this would mean for the 30 minutes or so of time that backups are being done each night between 4-5 am that I would end up with a potential threat during that time, right? My system is also not encrypted, nor do I feel it needs to be since it is always turned on and that pretty much means it is always going to be mounted and active. I don't envision any scenario of someone with physical access to my machine that bothers me too much to consider that.
2) I realize also that the encrypted volumes for backups may be a bit overkill, but as long as my goal is to use the encrypted volumes for backups maybe the opening of the encrypted partition is better left to a more appropriately timed backup script that will open it, backup things, and then close it.
3) I'm also curious about the possibility of storing the key for opening the luks partition on a remote server as a way of actually preventing access to the backup locations. This way I could use the encrypted partition not only for backups but also for storage of anything that seems like it would be best kept on the encrypted drive. If I wanted to do this, I was toying with two ideas a) the method of USB device that I could physically attach and remove with the key, and b) storing the key on a network host that has ssh privileges and copying/removing the key each time I perform the backup. Do these two ways present trade-offs and can anyone speak of their own experience?
Note that my initial problem has only been temporarily solved but that I am now looking for a more secure way of handling the key to the encrypted partition and their stored logical volumes. Thanks
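
The open, back up, close cycle raised in point 2, written out as a script. This is an added example, not part of the original post: the mapping name, volume group, key path and source directory are assumptions, and it handles a single logical volume mounted at /mnt/Backups through its fstab entry. With DRY_RUN=1 (the default here) it only prints the commands it would run.

```sh
#!/bin/sh
# Added example: keep the LUKS backup volume open only while the backup runs.
# /dev/sdb2 and /mnt/Backups come from the thread; every other value is assumed.
DEV=${DEV:-/dev/sdb2}
NAME=${NAME:-backups}                                # dm-crypt mapping name
VG=${VG:-vg_backups}                                 # volume group inside it
KEY=${KEY:-/mnt/usbkey/tower_disk_secret_key}        # key on removable media
MNT=${MNT:-/mnt/Backups}                             # needs a noauto fstab entry
SRC=${SRC:-/home/}
DRY_RUN=${DRY_RUN:-1}                                # 1 = print commands only

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Tear down in reverse order; each step is attempted even if an earlier one fails.
close_volume() {
    run umount "$MNT"
    run vgchange -an "$VG"
    run cryptsetup close "$NAME"
}

backup() {
    if [ "$DRY_RUN" != 1 ] && [ ! -r "$KEY" ]; then
        echo "key file $KEY not readable, nothing opened" >&2
        return 1
    fi
    trap 'close_volume; exit 1' INT TERM             # also close on interruption
    rc=0
    run cryptsetup open --type luks --key-file "$KEY" "$DEV" "$NAME" &&
        run vgchange -ay "$VG" &&
        run mount "$MNT" &&
        run rsync -a --delete "$SRC" "$MNT/" || rc=$?
    close_volume                                     # runs on success and failure
    trap - INT TERM
    return "$rc"
}

backup
```

The volume is still readable by anything running on the host while the backup is in progress; the script only shortens that window and keeps the key off the local disks.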
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 46368
Location: 56N 3W
Posted: Tue Sep 22, 2020 8:33 am

LIsLinuxIsSogood,

The localmount script says

Code:
        need fsck
        use lvm modules mtab
        after lvm modules

so it runs after lvm.
Code:

 * Setting up dm-crypt mappings ...
 * /dev/sdb2 will not be decrypted ...
 * Reason: keyfile /home/jonathanr/Admin/Temp/tower_disk_secret_key does not exist.

but your setup needs a key which is not available because /home is not yet mounted because localmount has not run, which depends on a key on /home ...

The key should be on a removable USB stick that is only fitted for booting.
You need at least three copies of the key, so that you still have a backup, even when one USB stick fails.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
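
The ordering problem described in this answer can be checked for before rebooting. The following is an added example, not code from the thread or from OpenRC: it reads `key=` lines in the /etc/conf.d/dmcrypt format (absolute paths, no removable-device setting, both assumed) and reports any key file that lives on a filesystem other than /, which localmount mounts only after dmcrypt has run. The sample files are constructed from the paths in the thread, with the root and /home devices assumed.

```sh
#!/bin/sh
# Added example: flag dm-crypt key files that sit on a filesystem which is only
# mounted by localmount, i.e. after dmcrypt has already run in the boot runlevel.

# Print the fstab mount point that holds a path (longest matching prefix).
# $1 = fstab file, $2 = absolute path of the key file
key_mountpoint() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        $2 ~ /^\// {
            mp = $2
            pre = (mp == "/") ? "/" : mp "/"     # compare whole path components
            if (index(key, pre) == 1 && length(mp) > length(best)) best = mp
        }
        END { print (best == "" ? "/" : best) }
    ' "$1"
}

# Report every key= entry whose file is not on the root filesystem.
# $1 = dmcrypt config (conf.d format, absolute key paths assumed), $2 = fstab
check_keys() {
    sed -n 's/^[[:space:]]*key=//p' "$1" | tr -d "'\"" | cut -d: -f1 |
    while read -r key; do
        mp=$(key_mountpoint "$2" "$key")
        [ "$mp" = "/" ] || echo "$key: on $mp, not mounted when dmcrypt starts"
    done
}

# Constructed sample files modelled on the thread (root and /home devices assumed).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/fstab" <<'EOF'
/dev/sda2  /              ext4  noatime  0 1
/dev/sda3  /home          ext4  noatime  0 2
UUID=b29c46fd-e54f-4bee-b911-6d68a1658e77  /mnt/Backups  ext4  noatime  0 2
EOF
cat > "$tmp/dmcrypt" <<'EOF'
target=backups
source='/dev/sdb2'
key='/home/jonathanr/Admin/Temp/tower_disk_secret_key'
EOF
check_keys "$tmp/dmcrypt" "$tmp/fstab"
```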
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1171
Posted: Wed Sep 23, 2020 3:57 am

Thanks, but I am worried about placing the key somewhere that dmcrypt won’t recognize yet. Does the filesystem on the usb drive become an accessible mount point before the dmcrypt services are performed?
pietinger
Guru
Joined: 17 Oct 2006
Posts: 353
Location: Bavaria
Posted: Wed Sep 23, 2020 9:56 am

LIsLinuxIsSogood wrote:
Does the filesystem on the usb drive become an accessible mount point before the dmcrypt services are performed?

Yes.

I am doing this with my notebook. See the 2nd post of this thread: https://forums.gentoo.org/viewtopic-t-1112988.html (it's German, but you need only the commands of my installation).
LIsLinuxIsSogood
Veteran
Joined: 13 Feb 2016
Posts: 1171
Posted: Thu Sep 24, 2020 5:43 am

thanks it helped
All times are GMT