Linux kernel: mount the filesystem from an encrypted partition at boot, how to?

0

My SD card has two partitions: one is the boot partition and the other is the filesystem. Now I have used the Linux tool cryptsetup to encrypt the filesystem partition, and when I boot on my board, the kernel can't mount the (encrypted) filesystem. My aim is to protect the whole filesystem. Maybe three partitions can achieve this, but if I have only two partitions, can it be achieved? Do I need to modify the kernel source?

Lyric

Posted 2013-02-25T07:09:22.287

Reputation: 11

Answers

0

You have not advised which distro you are using, and this makes a difference. It is definitely possible to do "full disk" encryption with 2 partitions under Linux, and I know that it can be done with Ubuntu. (Not sure if the default install does it, I think it does, otherwise you can get an alternate disk which does.) I'd imagine there is a Spin for Fedora or CentOS as well.

The mechanism used to achieve this is as follows:

  1. Create (or let the system create for you) 2 partitions: a small "boot" partition, typically about 200 megs, and a large partition for encryption. (You need to work out if you want an additional partition for swap, or if you want to mount swap encrypted either using LVM or as a file. There are advantages to each, but for security you would take a performance hit and mount it on the encrypted partition.)

  2. Your OS will put the bare minimum it needs to boot on the boot partition (which will typically be /boot). While this is unencrypted, it only contains "stock files".

  3. The install then typically builds/recreates an initial ramdisk (initrd), which includes the files and commands needed to prompt for a password, decrypt the system and remount it as root.

davidgo

Posted 2013-02-25T07:09:22.287

Reputation: 49 152
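As an added illustration of step 3 above (not part of the original answer or of any distro's tooling), here is a minimal `/init` for a hand-built initramfs: it reads a `cryptdevice=` parameter from the kernel command line, waits for the SD card device, unlocks the LUKS partition with `cryptsetup`, mounts it and switches root into it. The parameter format, the fallback device `/dev/mmcblk0p2` and the mapper name `cryptroot` are assumptions for this example.

```shell
#!/bin/sh
# Added example: a minimal initramfs /init that unlocks a LUKS root.
# Assumes busybox-style sh, cryptsetup and switch_root are in the initramfs.

# Print the value of key=value from a kernel command line string, or fail.
cmdline_value() {
    key="$1"; cmdline="$2"
    for arg in $cmdline; do
        case "$arg" in
            "$key"=*) printf '%s\n' "${arg#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Split "dev:name" (e.g. /dev/mmcblk0p2:cryptroot) into its two parts.
crypt_device() { printf '%s\n' "${1%%:*}"; }
crypt_name()   { printf '%s\n' "${1#*:}"; }

# Wait up to $2 seconds for the block device to appear (mmc probes late).
wait_for_dev() {
    dev="$1"; tries="${2:-10}"
    while [ ! -b "$dev" ] && [ "$tries" -gt 0 ]; do
        sleep 1; tries=$((tries - 1))
    done
    [ -b "$dev" ]
}

unlock_and_switch() {
    cmdline="$(cat /proc/cmdline)"
    # Assumed parameter: cryptdevice=<partition>:<mapper name>; fallback is assumed too.
    spec="$(cmdline_value cryptdevice "$cmdline")" || spec="/dev/mmcblk0p2:cryptroot"
    dev="$(crypt_device "$spec")"; name="$(crypt_name "$spec")"
    wait_for_dev "$dev" 15 || { echo "init: $dev not found" >&2; return 1; }
    # cryptsetup prompts for the passphrase on the console; loop until it is right.
    until cryptsetup luksOpen "$dev" "$name"; do echo "init: wrong passphrase, try again" >&2; done
    mount -o ro "/dev/mapper/$name" /newroot || return 1
    exec switch_root /newroot /sbin/init
}

# Only run the boot sequence when we really are PID 1 inside the initramfs.
if [ "$$" = 1 ]; then
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev
    mkdir -p /newroot
    unlock_and_switch || exec sh   # drop to a rescue shell on failure
fi
```

Pack this as `/init` together with the `cryptsetup` binary, its shared libraries and the `dm-crypt` module (or build dm-crypt into the kernel) into a cpio.gz, and pass that image to U-Boot as the initrd.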

On the boot partition I put my boot.scr, MLO, u-boot.bin, u-boot.image, uImage and initrd file (including the cryptsetup command etc.), and on the second partition I put my encrypted filesystem (including rootfs, some libs, apps etc.), right? – Lyric – 2013-02-25T08:58:08.827

Don't know exactly what you put on /boot (my distro does not use boot.scr, MLO, u-boot.*; rather it uses Grub, the kernel and an initramfs (CentOS) or initrd (Ubuntu)), but yes, that's the right idea. – davidgo – 2013-02-25T18:49:18.140

Can you tell me the steps to make the initrd? The more detailed the better. I use kernel 3.4 on an embedded Linux device. – Lyric – 2013-02-26T03:02:37.403