On Sun, May 16, 2010 at 12:45 PM, thib <t...@stammed.net> wrote: > ... > but consider encrypting the logical volume instead of the physical > volumes. It makes much more sense to me. >
It seems to me that > Does anyone know the right way to get the drives decrypted first? >> > > The fun might take place in your init scripts or in your initramfs, > depending on your configuration. Unfortunately, things are currently moving > in this domain, and I'm not sure about Debian's position here -- thus I > cannot recommend you a hack over any other. Maybe someone can. > > I (very) quickly overviewed the initscripts, it looks like the same code in > /lib/cryptsetup/cryptdisks.functions is called twice by cryptdisks-early > (before lvm2), and then by cryptdisks (after lvm2). Supposedly, the -early > script can't decrypt some devices, I just don't know why. By the looks of > it all, I wouldn't be surprised if there were some dependency problems for > unusual setups; is the problematic device a raid volume or something? > I started looking in this direction myself last night. I am, for the life of me, unable to figure why or how drives are designated as early versus non-early. With the exception of adding "noearly" to the options in /etc/cryptab. However, I am unable to find a single partition on a single encrypted machine that uses this option. So theoretically, all of the drives should be designated as early. I also haven't done this in a couple of years, so maybe the encryption system has matured in the meantime. > If you mount your filesystems in your initramfs (which should really be > done only for the root fs), you might be able to put some hooks in > /etc/initramfs-tools. I'm not really comfortable with it, so you should > read the initramfs-tools(8) manual page or wait for more help. > I'm really not comfortable with modifying something like that, not because I can't, but rather because I don't want to tweak something and have it break on the next upgrade. So I will take the latter suggestion. I want to build a test box to see if I can further troubleshoot the problem or if it still even exists. Thanks for the suggestions, thib... --b
