summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--en/boot-new/mount-encrypted.xml180
1 files changed, 180 insertions, 0 deletions
diff --git a/en/boot-new/mount-encrypted.xml b/en/boot-new/mount-encrypted.xml
index e69de29bb..631088ce2 100644
--- a/en/boot-new/mount-encrypted.xml
+++ b/en/boot-new/mount-encrypted.xml
@@ -0,0 +1,180 @@
+<!-- retain these comments for translator revision tracking -->
+<!-- $Id$ -->
+
+ <sect1 id="mount-encrypted-volumes">
+ <title>Mounting encrypted volumes</title>
+
+<para>
+
+If you created encrypted volumes during the installation and assigned
+them mount points, you will be asked to enter the passphrase for each
+of these volumes during the boot. The actual procedure differs
+slightly between dm-crypt and loop-AES.
+
+</para>
+
+ <sect2 id="mount-dm-crypt">
+ <title>dm-crypt</title>
+
+<para>
+
+For partitions encrypted using dm-crypt you will be shown the following
+prompt during the boot:
+
+<informalexample><screen>
+Starting early crypto disks... crypt<replaceable>X</replaceable>(starting)
+Enter LUKS passphrase:
+</screen></informalexample>
+
+In the first line of the prompt, <replaceable>X</replaceable> is the
+number of the loop device. You are now probably wondering
+<emphasis>for which volume</emphasis> you are actually entering the
+passphrase. Does it relate to your <filename>/home</filename>? Or to
+<filename>/var</filename>? Of course, if you have just one encrypted
+volume, this is easy and you can just enter the passphrase you used
+when setting up this volume. If you set up more than one encrypted
+volume during the installation, the notes you wrote down as the last
+step in <xref linkend="partman-crypto"/> come in handy. If you did not
+make a note of the mapping between
+<filename>crypt<replaceable>X</replaceable></filename> and the mount
+points before, you can still find it
+in <filename>/etc/crypttab</filename>
+and <filename>/etc/fstab</filename> of your new system.
+
+</para><para>
+
+The prompt may look somewhat different when an encrypted root file system is
+mounted. This depends on which initramfs generator was used to generate the
+initrd used to boot the system. The example below is for an initrd generated
+using <classname>initramfs-tools</classname>:
+
+<informalexample><screen>
+Begin: Mounting <emphasis>root file system</emphasis>... ...
+Begin: Running /scripts/local-top ...
+Enter LUKS passphrase:
+</screen></informalexample>
+
+</para><para>
+
+No characters (even asterisks) will be shown while entering the passphrase.
+If you enter the wrong passphrase, you have two more tries to correct it.
+After the third try the boot process will skip this volume and continue to
+mount the next filesystem. Please see <xref linkend="crypto-troubleshooting"/>
+for further information.
+
+</para><para>
+
+After entering all passphrases the boot should continue as usual.
+
+</para>
+ </sect2>
+
+ <sect2 id="mount-loop-aes">
+ <title>loop-AES</title>
+
+<para>
+
+For partitions encrypted using loop-AES you will be shown the following
+prompt during the boot:
+
+<informalexample><screen>
+Checking loop-encrypted file systems.
+Setting up /dev/loop<replaceable>X</replaceable> (/<replaceable>mountpoint</replaceable>)
+Password:
+</screen></informalexample>
+
+</para><para>
+
+No characters (even asterisks) will be shown while entering the passphrase.
+If you enter the wrong passphrase, you have two more tries to correct it.
+After the third try the boot process will skip this volume and continue to
+mount the next filesystem. Please see <xref linkend="crypto-troubleshooting"/>
+for further information.
+
+</para><para>
+
+After entering all passphrases the boot should continue as usual.
+
+</para>
+ </sect2>
+
+ <sect2 id="crypto-troubleshooting">
+ <title>Troubleshooting</title>
+
+<para>
+
+If some of the encrypted volumes could not be mounted because a wrong
+passphrase was entered, you will have to mount them manually after the
+boot. There are several cases.
+
+</para>
+
+<itemizedlist>
+<listitem><para>
+
+The first case concerns the root partition. When it is not mounted
+correctly, the boot process will halt and you will have to reboot the
+computer to try again.
+
+</para></listitem>
+<listitem><para>
+
+The easiest case is for encrypted volumes holding data like
+<filename>/home</filename> or <filename>/srv</filename>. You can
+simply mount them manually after the boot. For loop-AES this is
+one-step operation:
+
+<informalexample><screen>
+<prompt>#</prompt> <userinput>mount <replaceable>/mount_point</replaceable></userinput>
+<prompt>Password:</prompt>
+</screen></informalexample>
+
+where <replaceable>/mount_point</replaceable> should be replaced by
+the particular directory (e.g. <filename>/home</filename>). The only
+difference from an ordinary mount is that you will be asked to enter
+the passphrase for this volume.
+
+</para><para>
+
+For dm-crypt this is a bit trickier. First you need to register the
+volumes with <application>device mapper</application> by running:
+
+<informalexample><screen>
+<prompt>#</prompt> <userinput>/etc/init.d/cryptdisks start</userinput>
+</screen></informalexample>
+
+This will scan all volumes mentioned
+in <filename>/etc/crypttab</filename> and will create appropriate
+devices under the <filename>/dev</filename> directory after entering
+the correct passphrases. (Already registered volumes will be skipped,
+so you can repeat this command several times without worrying.) After
+successful registration you can simply mount the volumes the usual
+way:
+
+<informalexample><screen>
+<prompt>#</prompt> <userinput>mount <replaceable>/mount_point</replaceable></userinput>
+</screen></informalexample>
+
+</para></listitem>
+<listitem><para>
+
+If any volume holding noncritical system files could not be mounted
+(<filename>/usr</filename> or <filename>/var</filename>), the system
+should still boot and you should be able to mount the volumes manually
+like in the previous case. However, you will also need to (re)start
+any services usually running in your default runlevel because it is
+very likely that they were not started. The easiest way to achieve
+this is by switching to the first runlevel and back by entering
+
+<informalexample><screen>
+<prompt>#</prompt> <userinput>init 1</userinput>
+</screen></informalexample>
+
+at the shell prompt and pressing <keycombo> <keycap>Control</keycap>
+<keycap>D</keycap> </keycombo> when asked for the root password.
+
+</para></listitem>
+</itemizedlist>
+
+ </sect2>
+ </sect1>