Swap and Encfs mounting on Startup in Ubuntu

I use Ubuntu 14.04 on my laptop and I have a somewhat unique setup, whereby I use DRBD and encfs to mirror and secure my data as I understand that when SSD drives fail they tend to do so catastrophically and without warning.   I thus have a rather complex boot process.

I spent the morning tidying up the boot process so it looks professional (* which is not to say that this is the professional or best way to do it – but it works)

I discovered there is a dearth of information on the kinds of things I want to do, but needed to become familiar with the following –

Plymouth – The fancy boot screen that Ubuntu throws up when it boots – that's run by plymouthd. It is possible to interact with plymouthd by using the plymouth command. Your mileage may vary, but I discovered that when plymouthd is running it has a pid file in /dev/.initramfs/plymouth.pid – so by checking for that file I can request the passphrase using plymouth or a command prompt as appropriate.

encfs – Using the -S switch makes encfs read the passphrase from stdin, so it can be piped in from plymouth.

rc.local – I run this entire script from rc.local – because it's easy enough to do, and happens automatically and before plymouth exits.

The script is as follows:

#! /bin/bash
# Bring up the network interface, start DRBD and mount the mirrored volume
ifconfig eth0 my.internal.ip
/etc/init.d/drbd start
/bin/mount /dev/drbd0 /media/drbd0

# Ask for the encfs passphrase: through plymouth if the boot splash is up
# (its pid file exists), otherwise on the console.  With -S encfs reads the
# passphrase from stdin; $? of the pipeline is encfs's exit status.
if [ -f "/dev/.initramfs/plymouth.pid" ]
then
        /bin/plymouth ask-for-password --prompt "Passphrase: " | /usr/bin/encfs /media/drbd0/ /data/ssd --public -S -o nonempty
else
        /usr/bin/encfs /media/drbd0/ /data/ssd --public -o nonempty
fi
status=$?

# Keep asking until encfs mounts successfully
while [ "$status" -ne 0 ]
do
        if [ -f "/dev/.initramfs/plymouth.pid" ]
        then
                /bin/plymouth ask-for-password --prompt "Passphrase was not accepted.  Please enter Passphrase: " | /usr/bin/encfs /media/drbd0/ /data/ssd --public -S -o nonempty
        else
                echo "Incorrect Password"
                /usr/bin/encfs /media/drbd0/ /data/ssd --public -o nonempty
        fi
        status=$?
done

# We have all sorts of problems if /tmp is not mounted before X
# but we want to ensure it's encrypted !!

#echo "Note: We destroy /tmp on restart as good Linux systems do, but "
#echo "there is a backup of the last boot at /data/ssd/tmp-old"

echo "Stopping services that need /tmp or a network and fixing these"
/etc/init.d/openvpn stop
/etc/init.d/ssh stop

# Rotate the previous /tmp into the encrypted space and relink /tmp onto it.
# Mode 1777 = world-writable with the sticky bit, so users can only remove
# their own files (plain 777 would let any user delete anyone's).
rm -rf /data/ssd/tmp-old
mv /data/ssd/tmp /data/ssd/tmp-old
mkdir -p /data/ssd/tmp
chmod 1777 /data/ssd/tmp
rm -rf /tmp
ln -s /data/ssd/tmp /tmp

dhclient eth0 &

echo "Restarting services that need /tmp or a network"
/etc/init.d/ssh start
/etc/init.d/openvpn start

# Start the display manager by hand (its boot job is disabled, see below)
/usr/sbin/lxdm

In addition I did the following:

Stopped display managers from starting under system control on boot. This is a bit weird because they exist in /etc/init (as Upstart jobs), rather than /etc/init.d where I would have expected. Anyway, I moved gdm.conf, lightdm.conf and lxdm.conf out of /etc/init (and into a new directory called /etc/notinit which I created).

I also took steps to encrypt the swap space on startup.  This does not appear to be well documented, but is quite easy.  Simply make the following modifications to

/etc/crypttab  (Create it if it does not exist)

swap /dev/mapper/ubuntu--vg-swap_1	/dev/urandom swap,cipher=aes-cbc-essiv:sha256

This line creates /dev/mapper/swap using the backing device /dev/mapper/ubuntu--vg-swap_1, with a fresh random key read from /dev/urandom at every boot, so whatever was swapped out is unrecoverable after a reboot.

and /etc/fstab

/dev/mapper/swap none            swap    sw              0       0

which mounts /dev/mapper/swap (remember to comment out the old swap entry). Because the key is regenerated on every boot, this swap cannot be used to resume from hibernation.

If you look through my rc.local script, you will see I jump through all kinds of hoops to move /tmp into encrypted space after startup. An easy alternative might be to do something similar for /tmp as I did for swap above – the downside being that it requires a fixed amount of disk space which is carved out of my SSD.

It's worth noting that all sorts of wonderfully weird and non-obvious failures occur if /tmp is not mounted and readable by all (including X window managers crashing and issues with sound). /tmp really needs to be usable BEFORE X is loaded.
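Added example, not part of the original post: a post-boot sanity check for the swap and /tmp arrangements described above. The functions take file paths so they can be run over the constructed /proc/swaps and crypttab samples embedded in the script as well as over the live files; the sample contents and the expectation that /tmp is mode 1777 are my assumptions.

```sh
#!/bin/sh
# Post-boot checks for the encrypted swap and /tmp setup (added example).
# Functions take file paths so they run against the constructed samples
# below as well as against the real /proc/swaps and /etc/crypttab.

# Constructed sample of /proc/swaps once /dev/mapper/swap is in use.
SAMPLE_SWAPS='Filename          Type        Size     Used  Priority
/dev/mapper/swap  partition   4194300  0     -1'

# Constructed crypttab entry, matching the one in the post.
SAMPLE_CRYPTTAB='swap /dev/mapper/ubuntu--vg-swap_1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256'

# Swap must be served by the dm-crypt device only; if the raw LV is still
# listed, the old fstab entry was not commented out and pages hit the disk
# in the clear.
check_swap_active() {  # $1 = /proc/swaps-style file
    grep -q '^/dev/mapper/swap[[:space:]]' "$1" || return 1
    ! grep -q 'ubuntu--vg-swap_1' "$1"
}

# Any entry keyed from /dev/urandom must carry the 'swap' option: the key
# never survives a reboot, so such a device is only safe as swap.
check_crypttab() {  # $1 = crypttab-style file
    awk '$1 !~ /^#/ && $3 == "/dev/urandom" && $4 !~ /(^|,)swap(,|$)/ { bad = 1 }
         END { exit bad }' "$1"
}

# /tmp must be world-writable with the sticky bit (drwxrwxrwt, i.e. 1777),
# otherwise any user can delete other users' temporary files.  -L follows
# the symlink the rc.local script leaves at /tmp.
check_tmp_mode() {  # $1 = directory to inspect
    [ "$(ls -ldL "$1" | cut -c1-10)" = "drwxrwxrwt" ]
}

# Run all checks against the live system; exits non-zero if any fails.
run_live_checks() {
    check_swap_active /proc/swaps && check_crypttab /etc/crypttab && check_tmp_mode /tmp
}
```

Call run_live_checks from a cron job or a late boot hook to catch a silently restored fstab or a /tmp that came up with the wrong mode.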