summaryrefslogtreecommitdiff
path: root/en/boot-new/mount-encrypted.xml
blob: 332f60f5296d0340053a9220748955dc7451aece (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
<!-- retain these comments for translator revision tracking -->
<!-- $Id$ -->

 <sect1 id="mount-encrypted-volumes">
 <title>Mounting encrypted volumes</title>

<para>

If you created encrypted volumes during the installation and assigned
them mount points, you will be asked to enter the passphrase for each
of these volumes during the boot.

</para>

<para>

For partitions encrypted using dm-crypt you will be shown the following
prompt during the boot:

<informalexample><screen>
Starting early crypto disks... <replaceable>part</replaceable>_crypt(starting)
Enter LUKS passphrase:
</screen></informalexample>

In the first line of the prompt, <replaceable>part</replaceable> is the
name of the underlying partition, e.g. sda2 or md0.
You are now probably wondering
<emphasis>for which volume</emphasis> you are actually entering the
passphrase. Does it relate to your <filename>/home</filename>? Or to
<filename>/var</filename>? Of course, if you have just one encrypted
volume, this is easy and you can just enter the passphrase you used
when setting up this volume. If you set up more than one encrypted
volume during the installation, the notes you wrote down as the last
step in <xref linkend="partman-crypto"/> come in handy. If you did not
make a note of the mapping between
<filename><replaceable>part</replaceable>_crypt</filename> and the mount
points before, you can still find it
in <filename>/etc/crypttab</filename>
and <filename>/etc/fstab</filename> of your new system.

</para><para>

The prompt may look somewhat different when an encrypted root file system is
mounted. This depends on which initramfs generator was used to generate the
initrd used to boot the system. The example below is for an initrd generated
using <classname>initramfs-tools</classname>:

<informalexample><screen>
Begin: Mounting <emphasis>root file system</emphasis>... ...
Begin: Running /scripts/local-top ...
Enter LUKS passphrase:
</screen></informalexample>

</para><para>

No characters (even asterisks) will be shown while entering the passphrase.
If you enter the wrong passphrase, you have two more tries to correct it.
After the third try the boot process will skip this volume and continue to
mount the next filesystem. Please see <xref linkend="crypto-troubleshooting"/>
for further information.

</para><para>

After entering all passphrases the boot should continue as usual.

</para>

  <sect2 id="crypto-troubleshooting">
  <title>Troubleshooting</title>

<para>

If some of the encrypted volumes could not be mounted because a wrong
passphrase was entered, you will have to mount them manually after the
boot. There are several cases.

</para>

<itemizedlist>
<listitem><para>

The first case concerns the root partition. When it is not mounted
correctly, the boot process will halt and you will have to reboot the
computer to try again.

</para></listitem>
<listitem><para>

The easiest case is for encrypted volumes holding data like
<filename>/home</filename> or <filename>/srv</filename>. You can
simply mount them manually after the boot.

</para><para>

However for dm-crypt this is a bit tricky. First you need to register the
volumes with <application>device mapper</application> by running:

<informalexample><screen>
<prompt>#</prompt> <userinput>/etc/init.d/cryptdisks start</userinput>
</screen></informalexample>

This will scan all volumes mentioned
in <filename>/etc/crypttab</filename> and will create appropriate
devices under the <filename>/dev</filename> directory after entering
the correct passphrases. (Already registered volumes will be skipped,
so you can repeat this command several times without worrying.) After
successful registration you can simply mount the volumes the usual
way:

<informalexample><screen>
<prompt>#</prompt> <userinput>mount <replaceable>/mount_point</replaceable></userinput>
</screen></informalexample>

</para></listitem>
<listitem><para>

If any volume holding noncritical system files could not be mounted
(<filename>/usr</filename> or <filename>/var</filename>), the system
should still boot and you should be able to mount the volumes manually
like in the previous case. However, you will also need to (re)start
any services usually running in your default runlevel because it is
very likely that they were not started. The easiest way is to just
reboot the computer.

</para></listitem>
</itemizedlist>

  </sect2>
 </sect1>