[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Automating boot of Ubuntu on encrypted LVM?

  • To: xen-users@xxxxxxxxxxxxx
  • From: Alexandre Kouznetsov <alk@xxxxxxxxxx>
  • Date: Mon, 08 Apr 2013 12:42:05 -0500
  • Delivery-date: Mon, 08 Apr 2013 17:42:56 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>


El 07/04/13 23:07, Fajar A. Nugraha escribió:
For example, if you just want to have dom0 boot normally while domU
boot requires some kind of password, then Mike's suggestion should
work. You encrypt everything that domU uses (domU's config file and
disk), but leave everything that only dom0 use unencrypted. One easy
way to do this is by having a separate VG:
- dom0 -> VG_1 -> PV on unencrypted disk/partition
- domU -> VG_2 -> PV on encrypted disk/partition (e.g. luks)

During boot, dom0 boot just fine, but then you log in to unencrypt the
luks partition and manually run the commands to start all domUs.

I wish to confirm, it is a very working setup. I use something very similar myself. An alternative would be to provide DomU with a initrd with embedded key, which is more complex to set up and maintain.

In both cases, it's assumed that DomU trusts Dom0, so it's perfectly legal to leave the encryption to Dom0 and reduce complexity in DomU.

In case Dom0 is administrated by someone else, it's another story.

In my case, Dom0 is also encrypted, but is uses a separate Physical Volume and Volume Group, so it's a completely independent mechanics. Dom0 asks passphrase from console or can read it form USB drive, if somebody authorized, who is near, inserts it before booting (and remove it once booted). Little bit tricky, if I where to setup something like this again, I would give a chance to a initrd with embedded minimalistic ssh server, so the key might be provided remotely.


Alexandre Kouznetsov

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.