09 Feb 2010, 21:05

Moving Root-FS to Crypto-Raid


Have you ever tried to move your Debian root filesystem to a RAID? Ok, no problem so far. What about LVM-on-RAID? Still no trouble? Then what about Root-on-LVM-on-Crypto-on-RAID? Sounds funny. Debian has several helpscripts which are able to create a suitable initrd file for this kind of setup. This is good and bad at the same time. The good thing is that they can detect a correct setup and create an appropriate initrd. The bad about this is that it won’t work if you just moving your system to this kind of setup. Imagine you’re still on an ordinary partition without all this fancy crypto, raid and LVM stuff. If you just execute update-initramfs -k <kernel> -u/-c the initramfs tools and the supplied hook scripts won’t know about your intentions. So you’ll have to create a full equipped chroot, set everything up like it would be on a realy Root-on-LVM-on-Crypto-on-RAID-System and run update-initramfs there. Of course you could build the initrd by hand, but I’m not going this Gentoo way.

So, what do you have to do? First you’ll have to create your RAID, luks Volume and LVM on top of each other. See the Gentoo tutorial above for these steps. This should be pretty straight forward. The interesting part starts as soon as you try to boot from your new root. If you did follow the tutorial you should have a working Grub but it won’t be able to boot your system since it can’t unlock your root fs.

So, after you’re back into your good ol’ system setup the chroot. This includes assembling the RAID, unlocking your luks Volume and mounting the LV. So these are the steps, assuming sane defaults for folders, partitions and device names:

mdadm –assemble /dev/md2 /dev/sdc2 /dev/sdd2
cryptsetup luksOpen /dev/md2 cryptoroot
vgchange -ay vg
mount -t ext3 /dev/mapper/vg-root /mnt
mount -t ext2 /dev/sdc1 /mnt/boot
mount -t proc proc /mnt/proc
mount –bind /dev /mnt/dev
LANG=C chroot /mnt /bin/bash
So, now you’re inside your proper chroot. You could just run update-initramfs, but that’ll probably fail. You need to setup mdadm first and create your crypttab.

Your /etc/mdadm/mdadm.conf should at least contain the partitions to scan and your array.

The command mdadm –detail –scan >>  /etc/mdadm/mdadm.conf should do it. But verify the file yourself!

Next you have to tell the mdadm-initramfs-script to start this array on boot. This is set in the file /etc/default/mdadm. Insert the full name of your array (e.g. /dev/md2) into the INITRDSTART variable in this file.

Now define a proper crypttab and you should be ready to create a working initrd. Make your crypttab look something like this:

cryptoroot   /dev/md2  none  luks,tries=3
Just generate a new initramfs, update grub (if necessary) and reboot.
update-initramfs -k all -u
In case you encounter any error let me know, I’ll try to help.