Mounting encrypted volumes

If you created encrypted volumes during the installation and assigned them mount points, you will be asked to enter the passphrase for each of these volumes during the boot. The actual procedure differs slightly between dm-crypt and loop-AES.

loop-AES

For partitions encrypted via loop-AES you will be shown the following prompt during the boot:

mount: going to use loop device /dev/loopX
Password:

In the first line of the prompt, X is the number of the loop device. You are now probably wondering for which volume you are actually entering the passphrase. Does it relate to your /home? Or to /var? Of course, if you have just one encrypted volume, this is easy and you can just enter the passphrase you used when setting up this volume. If you set up more than one encrypted volume during the installation, the notes you wrote down as the last step in the section called “Configuring Encrypted Volumes” come in handy. If you did not make a note of the mapping between loopX and the mount points before, you can still find it in /etc/fstab of your new system.
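As an added example (not part of the original guide), the lookup in /etc/fstab described above can be scripted. It assumes the loop-AES convention of a loop=/dev/loopX mount option in the fourth fstab field; the function names and the sample fstab contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: map loop devices to mount points from an fstab file.
# Assumption: encrypted entries carry a loop=/dev/loopX mount option.

# loop_map [FSTAB]: print "<loop device> <mount point> <backing device>"
# for every entry whose options contain loop=...
loop_map() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }   # skip comments and incomplete lines
        {
            n = split($4, opts, ",")   # options are comma-separated
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^loop=/) {
                    sub(/^loop=/, "", opts[i])
                    print opts[i], $2, $1
                }
        }
    ' "${1:-/etc/fstab}"
}

# mount_point_for LOOPDEV [FSTAB]: print the mount point behind one loop
# device, i.e. the volume whose passphrase the boot prompt is asking for.
mount_point_for() {
    loop_map "${2:-/etc/fstab}" | awk -v dev="$1" '$1 == dev { print $2 }'
}

# Constructed sample fstab (device names and options are illustrative).
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda1  /      ext3  defaults,errors=remount-ro  0 1
/dev/hda5  /home  ext3  defaults,loop=/dev/loop0,encryption=AES256  0 2
/dev/hda6  /var   ext3  loop=/dev/loop1,encryption=AES256,defaults  0 2
/dev/hda7  none   swap  sw  0 0
EOF
}

# Demonstration on the constructed sample; on a real system call
# loop_map with no argument to read /etc/fstab.
tmp=$(mktemp)
sample_fstab > "$tmp"
loop_map "$tmp"
rm -f "$tmp"
```

Running loop_map before rebooting into the new system gives the mapping to write down, so that each Password: prompt can be matched to its volume.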

No characters (even asterisks) will be shown while entering the passphrase. Be careful, you have only one try. If you enter a wrong passphrase, an error message will appear and the boot process will skip that volume and continue to mount the next filesystem. Please see the section called “Troubleshooting” for further information.

After entering all passphrases the boot should continue as usual.

Troubleshooting

If some of the encrypted volumes could not be mounted because a wrong passphrase was entered, you will have to mount them manually after the boot. There are several cases.

  • The first case concerns the root partition. When it is not mounted correctly, the boot process will halt and you will have to reboot the computer to try again.

  • The easiest case is for encrypted volumes holding data like /home or /srv. You can simply mount them manually after the boot. For loop-AES this is a one-step operation:

    # mount /mount_point
    Password:
    

    where /mount_point should be replaced by the particular directory (e.g. /home). The only difference from an ordinary mount is that you will be asked to enter the passphrase for this volume.

    For dm-crypt this is a bit trickier. First you need to register the volumes with device mapper by running:

    # /etc/init.d/cryptdisks start
    

    This will scan all volumes mentioned in /etc/crypttab and will create appropriate devices under the /dev directory after entering the correct passphrases. (Already registered volumes will be skipped, so you can repeat this command several times without worrying.) After successful registration you can simply mount the volumes the usual way:

    # mount /mount_point
    

  • If the volumes holding noncritical system files could not be mounted (/usr or /var), the system should still boot and you should be able to mount the volumes manually like in the previous case. However, you will also need to (re)start any services usually running in your default runlevel because it is very likely that they were not started. The easiest way to achieve this is by switching to the first runlevel and back by entering

    # init 1
    

    at the shell prompt and pressing Control-D when asked for the root password.