Preparing for Root and Swap Encryption

Requirements

A separate boot disk is required on which the HyTrust software will be installed. Make sure your version of Linux has a separate boot partition. If it does not you will need to create one. The procedure to set up a separate boot partition is different for different Linux platforms. What follows are instructions for three flavors of Linux (Ubuntu, CentOS 6, and CentOS 7).

Ubuntu: Setting Up a Separate Boot Device

Assume that the current Linux is installed on device /dev/sda and the GRUB stage1 bootloader is also installed on /dev/sda. This is a typical Linux installation. Assuming you add a new device named /dev/sdb to hold the new boot partition, you should create a partition on it using fdisk or sfdisk, like this:

# sfdisk -f -uS -D /dev/sdb << EOF
2048,,83,*
EOF
# partprobe

Find out the space required by the /boot subtree:

# du -sh /boot

The new boot partition should have at least twice this space. As a rule of thumb, provide twice the space used by /boot, plus 100MB. Format the new partition with ext4 (ext3 is also fine), as follows:

# mkfs.ext4 /dev/sdb1

Copy the files from the /boot directory to the new boot partition:

# mkdir -p /tmp/sdb1
# mount /dev/sdb1 /tmp/sdb1
# cp -a /boot/* /tmp/sdb1

Get the UUID of the new boot partition:

# blkid /dev/sdb1
# umount /tmp/sdb1

Add an entry to /etc/fstab to mount the new boot partition:

UUID=<uuid> /boot ext4 rw 0 0

Mount the new /boot:

# mount /boot

Install GRUB so that its boot files go to the new boot partition while the stage1 bootloader is written to the current boot device, as follows:

# grub-install /dev/sda

Note that GRUB is being installed on /dev/sda but the boot directory comes from /dev/sdb1. Update your GRUB configuration to take this change into account:

# grub-mkconfig -o /boot/grub/grub.cfg

Your system is ready now, so reboot and confirm that all is well.
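The following helper script is an added example, not part of the HyTrust documentation; it checks the sizing rule, builds the fstab entry from blkid output, and verifies the copied /boot tree for the steps above (the same checks apply to the CentOS procedures that follow). The device names, UUIDs and sizes in its comments are constructed samples.

```shell
#!/bin/sh
# Added helper, not from the HyTrust documentation: checks the partition
# sizing rule, builds the fstab entry, and verifies the copied /boot tree
# from the steps above.  Sample values in comments are constructed.

# Required size in KiB of the new /boot partition: twice the space used
# by /boot plus 100 MiB, the rule of thumb given above.
required_boot_kib() {
    echo $(( $1 * 2 + 100 * 1024 ))
}

# Succeeds when a partition of $2 KiB is large enough for $1 KiB of /boot.
# Live usage, as root, once /dev/sdb1 exists:
#   boot_partition_ok "$(du -sk /boot | cut -f1)" \
#       "$(( $(blockdev --getsize64 /dev/sdb1) / 1024 ))"
boot_partition_ok() {
    [ "$2" -ge "$(required_boot_kib "$1")" ]
}

# Prints the /etc/fstab line for the new partition from one line of blkid
# output, e.g.  /dev/sdb1: UUID="1111aaaa-..." TYPE="ext4" PARTUUID="..."
# Only the filesystem UUID= field is accepted; PARTUUID= is ignored.
fstab_line_from_blkid() {
    uuid=$(printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p')
    [ -n "$uuid" ] || return 1
    printf 'UUID=%s /boot ext4 rw 0 0\n' "$uuid"
}

# Checksums of every regular file under a tree: relative paths, sorted.
# lost+found (created by mkfs on the new partition) is skipped.
tree_checksums() {
    (cd "$1" && find . -path ./lost+found -prune -o -type f -print | sort |
        while read -r f; do cksum "$f"; done)
}

# Succeeds when the copy ($2) matches the original /boot ($1) file for
# file; run it before unmounting, e.g.  verify_boot_copy /boot /tmp/sdb1
verify_boot_copy() {
    [ "$(tree_checksums "$1")" = "$(tree_checksums "$2")" ]
}
```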

CentOS 6: Setting Up a Separate Boot Device

Assume that the current Linux is installed on device /dev/sda and that the GRUB stage1 bootloader is also installed on /dev/sda. This is a typical Linux installation. Assuming you add a new device named /dev/sdb to hold the new boot partition, you should create a partition on it using fdisk or sfdisk, like this:

# sfdisk -f -uS -D /dev/sdb << EOF
2048,,83,*
EOF
# partprobe

Find out the space required by the /boot subtree:

# du -sh /boot

The new boot partition should have at least twice this space. As a rule of thumb, provide twice the space used by /boot, plus 100MB. Format the new partition with ext4 (ext3 is also fine), as follows:

# mkfs.ext4 /dev/sdb1

Copy the files from the /boot directory to the new boot partition:

# mkdir -p /tmp/sdb1/boot
# mount /dev/sdb1 /tmp/sdb1/boot
# cp -a /boot/* /tmp/sdb1/boot

Find out the UUID of the new boot partition:

# blkid /dev/sdb1
# umount /tmp/sdb1/boot

Add an entry to /etc/fstab to mount the new boot partition, as follows:

UUID=<uuid> /boot ext4 rw 0 0

Mount the new /boot partition:

# mount /boot

Install GRUB so that its boot files go to the new boot partition while the stage1 bootloader is written to the current boot device, as follows:

# grub-install --recheck /dev/sda

Note that GRUB is being installed on /dev/sda but the boot directory comes from /dev/sdb1. Update your GRUB configuration to take this change into account by manually editing /boot/grub/menu.lst: the root line must point to the GRUB device equivalent of /dev/sdb (usually hd1; see the mapping in /boot/grub/device.map), the kernel line must give the path of vmlinuz relative to the new partition, that is under / and not /boot, and the initrd line must likewise give the path of the initramfs image under / and not /boot.

For example:

default=0
timeout=5
splashimage=(hd1,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-358.el6.x86_64)
        root (hd1,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=UUID=98e62ddf-69ec-4a82-b143-b87291d4a9b8 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8
        initrd /initramfs-2.6.32-358.el6.x86_64.img

Please refer to the section Using a separate partition for /boot in http://wiki.centos.org/HowTos/GrubInstallation.
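Because the menu.lst edit above is manual, a check before rebooting is worthwhile. The function below is an added example, not part of the HyTrust documentation or the CentOS wiki; it assumes the GRUB name of the new boot disk is hd1 unless you pass another name taken from /boot/grub/device.map.

```shell
#!/bin/sh
# Added check, not part of the HyTrust documentation: validates the manual
# menu.lst edit described above before you reboot.  $1 is the menu.lst to
# check, $2 the GRUB name of the new boot disk (hd1 by default, as taken
# from /boot/grub/device.map).  Every offending line is printed and the
# function fails if any is found.
check_menu_lst() {
    awk -v dev="${2:-hd1}" '
        BEGIN { bad = 0 }
        # root must point at a partition of the new boot disk, e.g. (hd1,0)
        $1 == "root" && index($2, "(" dev ",") != 1 {
            print "root does not point at " dev ": " $0; bad = 1
        }
        # kernel and initrd paths are relative to the new partition, so
        # they must start at / and must not still carry the /boot/ prefix
        ($1 == "kernel" || $1 == "initrd") && $2 ~ /^\/boot\// {
            print $1 " path still under /boot: " $0; bad = 1
        }
        ($1 == "kernel" || $1 == "initrd") && $2 !~ /^\// {
            print $1 " path is not absolute: " $0; bad = 1
        }
        END { exit bad }
    ' "$1"
}
```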

Your system is ready now, so reboot and confirm that all is well.

CentOS 7: Setting Up a Separate Boot Device

Assume that the current Linux is installed on device /dev/sda and the GRUB stage1 bootloader is also installed on /dev/sda. This is a typical Linux installation. Assuming you add a new device named /dev/sdb to hold the new boot partition, you should create a partition on it using fdisk or sfdisk, like this:

# sfdisk -f -uS -D /dev/sdb << EOF
2048,,83,*
EOF
# partprobe

Find out the space required by the /boot subtree:

# du -sh /boot

The new boot partition should have at least twice this space. As a rule of thumb, provide twice the space used by /boot, plus 100MB. Format the new partition with ext4 (ext3 is also fine), as follows:

# mkfs.ext4 /dev/sdb1

Copy the files from the /boot directory to the new boot partition:

# mkdir -p /tmp/sdb1
# mount /dev/sdb1 /tmp/sdb1
# cp -a /boot/* /tmp/sdb1

Find the UUID of the new boot partition:

# blkid /dev/sdb1
# umount /tmp/sdb1

Add an entry to /etc/fstab to mount the new boot partition, as follows:

UUID=<uuid> /boot ext4 rw 0 0

Mount the /boot partition:

# mount /boot

Re-install GRUB on the current boot device (GRUB files go to /boot which you mounted in the previous step), as follows:

# grub2-install /dev/sda

Note that GRUB is being installed on /dev/sda but the boot directory comes from /dev/sdb1. Update your GRUB configuration to take this change into account:

# grub2-mkconfig -o /boot/grub2/grub.cfg

Your system is ready now, so reboot and confirm that all is well.