Welcome to TiddlyWiki created by Jeremy Ruston, Copyright © 2007 UnaMesa Association
The default partitioning provided by [[Anaconda]] won't work for us, so we'll partition the drive manually before the installer gets under way. We need to set up (in this order on the drive):
# A partition for {{folder{/boot}}}
# Some space to use later for the encrypted partition
# A partition that the installer can use
The space for the encrypted partition will need to be bigger than the partition that is used for the initial install, and needs to be before the partition used for the initial install. This will allow us to encrypt the space, copy the installation onto it, and grow it to use up all of the space formerly used by the initial installation.
!Steps
# Boot the installation disc
# At the first step of the graphical installer, press ~Ctrl-Alt-F2 to bring up a root prompt
# Run {{command{fdisk /dev/sda}}}
# Create an {{literal{sda1}}} of about 100M
# Create an {{literal{sda2}}} of a bit more than 1/2 of the remainder of the disk
# Create an {{literal{sda3}}} of the remainder of the disk
# Change the partition ID of {{literal{sda3}}} to {{literal{8E}}} (Linux LVM)
# Confirm with the {{literal{p}}} command that {{literal{sda3}}} is larger than {{literal{sda2}}} (see example below)
# Delete {{literal{sda2}}}
# Write the partition table
# Reboot
!Sample partition table
Before deleting {{literal{sda2}}}, your partition table will look something like this:
{{{
Device Boot Start End Blocks Id System
/dev/sda1 1 13 104391 83 Linux
/dev/sda2 14 622 4891792+ 83 Linux
/dev/sda3 623 1109 3911827+ 8e Linux LVM
}}}
Note that {{literal{sda2}}} is larger than {{literal{sda3}}}.
You must install using the graphical installer, because the text installer won't allow you create a custom installation with [[LVM]].
!Steps
# Boot the installation disc
# Install as usual up to the partitioning dialog
# Select {{listitem{Create custom layout}}}, then click {{cmdbutton{Next}}}
# Edit {{literal{/dev/sda1}}} and format as {{literal{ext3}}} with mount point {{literal{/boot}}}
# Edit {{literal{/dev/sda3}}} and format as {{literal{physical volume (LVM)}}}
# Click {{cmdbutton{LVM}}} to create a volume group, then {{cmdbutton{Add}}} the following logical volume to it:
#* Mount point: {{literal{/}}}
#* File system type: {{literal{ext3}}}
# Click {{cmdbutton{Next}}}
# At {{dialog{Partitioning Warnings}}}: click {{cmdbutton{Yes}}}
# At {{dialog{Format Warnings}}}: click {{cmdbutton{Format}}}
# Proceed through the rest of the installation as normal (use whatever settings you like)
!Notes
* You can add a swap partition later after moving the [[LVM]] volume group to the encrypted partition and growing it.
* You can also grow the root filesystem later
* If you named your volume group something other than the default {{literal{~VolGroup00}}}, use that anywhere you see {{literal{~VolGroup00}}} in the rest of these instructions.
* It may be possible to create the volume group manually by switching to the console with ~Ctrl-Alt-F2 and using {{command{lvm}}}, but this can be tedious and is not recommended if you are unfamiliar with [[LVM]].
We need to turn the empty space between {{literal{sda1}}} and {{literal{sda3}}} into a partition ({{literal{sda2}}}), then encrypt it. First we'll create the partition.
!Steps
# Boot into the installed system (complete the 'first boot' dialogs)
# Use {{command{fdisk /dev/sda}}} to create {{literal{sda2}}} to fill the space between {{literal{sda1}}} and {{literal{sda3}}}
# Check that {{literal{sda2}}}'s partition ID is {{literal{83}}} (Linux)
# Write the partition table
# Reboot
Now we'll format the spare partition {{literal{sda2}}} with [[LUKS]], in preparation for moving the volume group onto it.
<<tiddler PasswordWarning>>
!Steps
# Think up and write down a long and secure passphrase (eg: a gibberish sentence - See PassphraseSelection)
# Format the new partition:
#* {{command{cryptsetup -{{{}}}-verbose -{{{}}}-cipher 'aes-cbc-essiv{{{}}}:sha256' -{{{}}}-key-size 256 -{{{}}}-verify-passphrase luksFormat /dev/sda2}}}
# Optional: AddADecryptionKeyFile
If you AddADecryptionKeyFile, you can boot with either a passphrase or a thumb drive. If you do not, you must use your passphrase during boot.
We need to patch {{command{mkinitrd}}} so that the [[initrd]] that it creates can ask for a passphrase and decrypt the encrypted volume, and so that the encryption-related modules are added.
!Steps
!!Fedora 7
# Apply {{file{[[mkinitrd-6.0.9-5.patch]]}}} to {{file{/sbin/mkinitrd}}}:
#* {{command{patch /sbin/mkinitrd mkinitrd-6.0.9-5.patch}}}
!!Fedora 8
# Apply {{file{[[mkinitrd-6.0.19-4.patch]]}}} to {{file{/sbin/mkinitrd}}}:
#* {{command{patch /sbin/mkinitrd mkinitrd-6.0.19-4.patch}}}
!!~CentOS 5.0
# Apply {{file{[[mkinitrd-5.1.19.6-1.patch]]}}} to {{file{/sbin/mkinitrd}}}:
#* {{command{patch /sbin/mkinitrd mkinitrd-5.1.19.6-1.patch}}}
!!~CentOS 5.1
# Apply {{file{[[mkinitrd-5.1.19.6-19.patch]]}}} to {{file{/sbin/mkinitrd}}}:
#* {{command{patch /sbin/mkinitrd mkinitrd-5.1.19.6-19.patch}}}
In adding support for an encrypted partition, our patch also allowed for the parameters of the encrypted partition to be kept in a separate file, so that you can change the configuration without editing {{command{mkinitrd}}}, and so that upgrades to {{command{mkinitrd}}} will not destroy the configuration.
The configuration file is different for Fedora and ~CentOS:
* For Fedora 8
** {{file{/etc/sysconfig/mkinitrd}}}
* For ~CentOS 5.0 & ~CentOS 5.1
** {{file{/etc/sysconfig/mkinitrd/crypt}}}
The main difference is that Fedora has only one configuration file, whereas ~CentOS has a folder (of the same name) that contains many configuration files. In either case if the file is missing, create it.
!Steps
# Add these lines to {{file{/etc/sysconfig/mkinitrd}}} (Fedora) or {{file{/etc/sysconfig/mkinitrd/crypt}}} (~CentOS):
#* {{literal{~CRYPT_PARTITION=/dev/sda2}}}
#* {{literal{~CRYPT_DMNAME=cryptpv}}}
#* {{literal{~CRYPT_KEYDRIVE=/dev/sdb1}}}
#* {{literal{~CRYPT_KEYPATH=laptop.key}}}
# Under ~CentOS, you must make the configuration file executable:
#* {{command{chmod +x /etc/sysconfig/mkinitrd/crypt}}}
!Notes
For more information about these parameters, see CryptParameters.
We'll rebuild the initrd using the same mechanism that the kernel package installation script uses. Also, we'll back up the initrd before we rebuild it, just in case something goes wrong.
If you set up a thumb drive key, you will actually need to test twice: once for the passphrase, and once for the thumb drive key. This is covered in the instructions below.
!Steps
# Rebuild the initrd:
## Back up the current initrd:
##* {{command{cp /boot/initrd-`uname -r`.img /boot/initrd-`uname -r`.bak}}}
## Rebuild the current initrd:
##* {{command{new-kernel-pkg -{{{}}}-mkinitrd -{{{}}}-update `uname -r`}}}
## Remove your thumb drive (if you set up a thumb drive key)
# Testing the passphrase
## Reboot
## During boot, enter your LUKS passphrase (if you see a 'mount' error and a 'Command failed' error, this is normal when you do not have your thumb drive plugged in during boot)
## Once booted, check that there is an encrypted LVM physical volume:
##* {{command{ls -l /dev/mapper/cryptpv}}}
# Testing the thumb drive key (only if you chose to AddADecryptionKeyFile):
## Reboot
## Insert your thumb drive before booting starts
## If you are asked for a passphrase, then something went wrong - see Troubleshooting below
## Once booted, check that there is an encrypted LVM physical volume:
##* {{command{ls -l /dev/mapper/cryptpv}}}
At this point, decryption during boot can still fail without causing any problems. This is why you need to test for success by checking for the presence of {{file{/dev/mapper/cryptpv}}}. Once the next step is completed, booting will fail if decription during boot fails.
!Notes
* {{command{uname -r}}} tells us what the current kernel version is. Using {{literal{`uname -r`}}} as part of a command embeds the kernel version into the command for us, saving copy/pasting or retyping it.
!Troubleshooting
!!Can't boot at all
* Try editing the Grub boot entry. You can edit the boot entry on the fly by pressing a key to bring up the boot menu, then pressing 'e' to edit the boot entry. Change the initrd to the one that you backed up (ie: change {{literal{.img}}} to {{literal{.bak}}}).
!!Can boot, but not with thumb drive key
* If you used a device for {{literal{~CRYPT_KEYDRIVE}}}, try using the thumb drive's label.
* If you used a label for {{literal{~CRYPT_KEYDRIVE}}}, try using a device. If you boot clean then insert the thumb drive, wait for it to be mounted, then type {{command{mount}}}, you should be able to work out what device the thumb drive is seen as. The initrd will //usually// find it at the same place.
* Try setting {{literal{~CRYPT_KEYDRIVEFSMOD}}} (see CryptParameters).
!!Boots OK, but didn't ask for a passphrase
* If you're using ~CentOS, make sure that {{file{/etc/sysconfig/mkinitrd/crypt}}} is executable, then RebuildInitrd.
We could just copy the partition containing the LVM group onto the encrypted partition we created, but LVM can become confused. Besides, LVM is already capable of performing this task for us. Basic steps:
!Steps
# Prepare our encrypted partition for LVM:
#* {{command{pvcreate /dev/mapper/cryptpv}}}
# Extend the volume group onto the encrypted partition:
#* {{command{vgextend ~VolGroup00 /dev/mapper/cryptpv}}}
# Move all data from the unencrypted physical volume in the group to the encrypted physical volume in the group:
#* {{command{pvmove /dev/sda3 /dev/mapper/cryptpv}}} (this will take a while, but {{command{pvmove}}} will show progress as it goes)
# Remove the original partition from the volume group:
#* {{command{vgreduce ~VolGroup00 /dev/sda3}}}
# Tell LVM that we're not planning on using {{litera{sda3}}} and more:
#* {{command{pvremove /dev/sda3}}}
# Reboot and test
!Notes
* If you are feeling paranoid, you can erase the contents of the original partition, but since this is a fresh install, there won't be anything of value on it. Besides, we will be deleting the partition and extending the encrypted partition into the space it occupied.
* If you really do want to erase the original partition:
** {{command{shred -zn3 /dev/sda3}}}
While we are removing the original LVM partition, we will grow the partition containing the encrypted volume into its space. (Later we will tell the encryption system and LVM that they can use this new space in the underlying partition.)
The main things to remember are:
* We must keep the same starting block when growing our encrypted partition
* We must not make the encrpyted partition smaller
!Security note
You may want to erase the contents of the old (unencrypted) partition before you remove it. This can be done with:
* {{command{shred -zn5 /dev/sda3}}}
Do not shred the wrong volume.
!Steps
# Using {{command{fdisk}}} (eg: {{command{fdisk /dev/sda}}}:
## Delete {{literal{sda3}}}
## Make a note of {{literal{sda2}}}'s starting cylinder and block ('p' command)
## Delete {{literal{sda2}}}
## Create {{literal{sda2}}} with the same starting cylinder as before, but as big as you can
## Check that the the starting cylinder and block are the same ('p' command) before writing the partition table
## Write the partition table and exit ('w' command)
# Reboot
Now that the partition on which the encrypted volume group sits is larger than it was when we moved onto it, we can tell the encryption system and LVM that they can use that space.
!Steps
# Tell the encryption system that it can use the rest of the space in its partition:
#* {{command{cryptsetup resize cryptpv}}} (see note below)
# Tell LVM that it can use the now-larger encrypted volume:
#* {{command{pvresize /dev/mapper/cryptpv}}}
!Notes
* According to the documentation of {{command{cryptsetup}}}, using {{cryptsetup resize}}} requires a size parameter, but if you don't supply a size parameter, it will grow the encrypted volume to the size of the underlying physical volume.
* Now you can see how much spare space there is in the volume group with {{command{vgs}}}.
Now you can make your filesystems bigger, add a swap (if you didn't include one when you installed), and so on.
!Examples
Here are some examples to get you started.
!!Add a swap partition
# Create new 1G volume called {{literal{swap}}} in volume group:
#* {{command{lvcreate -L 1G -n swap ~VolGroup00}}}
# Format the new volume as swap:
#* {{command{mkswap /dev/~VolGroup00/swap}}}
# Add the swap space to {{file{/etc/fstab}}} by adding a line like this:
#* {{literal{/dev/~VolGroup00/swap swap swap defaults 0 0}}}
# Activate the swap space:
#* {{command{swapon -a}}}
!!Add 2G to your root filesystem
# Add 2G to the volume on which the root filesystem sits
#* {{command{lvextend -L +2G ~VolGroup00/{{variable{root}}}}}} (change {{variable{root}}} to whatever volume your root sits on; check with {{command{df}}} or {{command{mount}}})
# Grow the filesystem into the additional space:
#* {{command{resize2fs /dev/~VolGroup00/{{variable{root}}}}}}
!Xen
If you have set up Xen, be sure that you RebuildInitrd for both the base kernel and the Xen kernel. Test them both, too.
!Recovery strategy
Before doing anything else, you should CreateABootCD.
Also: ''you do have backups of important data, right?''
There are two packages you need to be careful of when updating your computer:
* kernel
* mkinitrd
If either of them are updated, you need to follow the instructions below, then update your boot CD.
!The Linux kernel
The kernel will usually be OK, since we've patched and re-used the same mechanism that the kernel packages use to update the initrd file to create an initrd that supports encryption. This means that when a new kernel is installed, it will use our patched {{command{mkinitrd}}} to create an initrd for itself.
Nevertheless, it's still a good idea to test that the new kernel works correctly.
!!Testing
Just reboot the computer and check that you can decrypt with both your passphrase and your thumb drive (if you set up a thumb drive with a decryption key).
If the new kernel does not work, then you can always reboot back into the previous one. However, when fixing things, do ''not'' use {{literal{`uname -r`}}} to select the package to update (particularly when [[RebuildingInitrd|RebuildInitrd]] after changing or patching anything), or you will mess up your //current// kernel (ie: possibly the only one still working).
!The mkinitrd package
An update to the mkinitrd package will cause our changes to {{command{mkinitrd}}} to be reverted. The kernel package that is currently installed should not stop working, but if something triggers the kernel to be rebuilt, then it will be rebuilt without encryption support, and you will not be able to boot your computer.
!!Re-patching
You should be able to simply re-[[apply the patch| 5 - Patch mkinitrd to build initrd with decryption]], but doing so may fail. Even if the application of the patch succeeeds, it may still generate a {{command{mkinitrd}}} that fails. See also the list of [[Patches]].
If the patch fails, you will have to analyse the patch and apply it manually by cutting and pasting bits into {{file{/sbin/mkinitrd}}}. Instructions for doing so are beyond the scope of this guide.
!!Testing
The steps for testing the re-patched {{command{mkinitrd}}} are the same as the original steps for [[rebuilding and testing the initrd| 7 - Rebuild and test initrd]].
What if you forget your passphrase? [[LUKS]] allows you to have more than one passphrase (and thus give one to a friend or colleague, or store in a safe), or you could add a key file.
A key file is just 32 bytes of data that can be used to decrypt a LUKS partition instead of using a passphrase. You should use 32 bytes of random data; the steps below show you how to create such a file.
''WARNING'': The key file can be used to decrypt the LUKS partition without using a passphrase. Think of it as liquid currency (as opposed to your bank card): simply having possession of the file is sufficient to be able to use it. That is, if someone else has possession of it, they can use it. They do not have to decode it.
If you use a USB thumb drive to decrypt your laptop, NEVER leave them together. It is safe to remove the USB thumb drive once the laptop has started up.
!Steps
# If you are using ~CentOS 5.//x//, you will need to TurnOffSecurityEnhancedLinux.
# Create a mount point for your thumb drive with:
#* {{command{mkdir /mnt/thumb}}}
# Insert your thumb drive
# Mount your thumb drive with:
#* {{command{mount /dev/sdb1 /mnt/thumb}}}
# Create a key file {{file{laptop.key}}} by copying 32 bytes from {{file{/dev/random}}} with:
#* {{command{dd if=/dev/random of=/mnt/thumb/laptop.key bs=32 count=1}}}
# Add {{file{laptop.key}}} to the keys for the encryption partition with:
#* {{command{cryptsetup luksAddKey /dev/sda2 /mnt/thumb/laptop.key}}} (note that under ~CentOS, you may be asked for your passphrase twice)
# Unmount your thumb drive with:
#* {{command{umount /mnt/thumb}}}
# If you are using ~CentOS 5.0, you will need to TurnOnSecurityEnhancedLinux.
!Notes
* You should create the file directly on the USB thumb drive you intend to use as your decryption device.
* You can call the file whatever you like, not just {{literal{laptop.key}}}. However, the //name// of the file will be embedded in the computer's initrd without being encrypted. This allows a determined intruder to find out what file to look for on all of your removable media.
* {{file{/dev/random}}} is the Linux kernel's source of 'truly' random data. This is about as random as Linux can be without hardware assistance, but will generate something random enough for our purposes. Linux uses as many sources of semi-deterministic and non-deterministic sources as it can find.
* See also KeyFileNotes.
Anaconda is the Linux installation tool used by Red Hat based Linux distributions. It performs the task of preparing a new system's disk(s), and installing Linux onto the system.
If you have an i586 or i686 processor, you can get better encryption/decryption performance by using the {{literal{aes-i586}}} module instead of the standard {{literal{aes}}} module.
{{command{uname -r}}} should tell you if you have an i586 or i686 compatible processor. If you do, make this change to {{file{/sbin/mkinitrd}}} after you have applied the relevant patch:
# Find the line that looks like one of these:
#* {{literal{ for n in aes sha256 dm_crypt cbc; do}}}
#* {{literal{ for n in aes sha256 dm_crypt; do}}}
# Change the string {{literal{aes}}} to {{literal{aes-i586}}}
Don't forget to RebuildInitrd for each kernel you have, then test that it works. You might like to rebuild and test one kernel version first, so that you can boot back into the other and revert the change & rebuild again if it fails.
/***
| Name|CloseOnCancelPlugin|
| Description|Closes the tiddler if you click new tiddler then cancel. Default behaviour is to leave it open|
| Version|3.0 ($Rev: 1845 $)|
| Date|$Date: 2007-03-16 15:19:22 +1000 (Fri, 16 Mar 2007) $|
| Source|http://mptw.tiddlyspot.com/#CloseOnCancelPlugin|
| Author|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
***/
//{{{
merge(config.commands.cancelTiddler,{
handler_orig_closeUnsaved: config.commands.cancelTiddler.handler,
handler: function(event,src,title) {
this.handler_orig_closeUnsaved(event,src,title);
if (!store.tiddlerExists(title) && !store.isShadowTiddler(title))
story.closeTiddler(title,true);
return false;
}
});
//}}}
/***
|Name|CollapseTiddlersPlugin|
|Source|http://gensoft.revhost.net/Collapse.html|
|Version|2007.04.09-msq|
|Author|Bradley Meck (modified by ELS; subsequently modified by Msquared)|
|License|unknown|
|~CoreVersion|2.1|
|Type|plugin|
|Requires||
|Overrides||
|Description|show/hide content of a tiddler while leaving tiddler title visible|
|MSQ 9/4/2007: add ability to supply label to expandAll and collapseAll macros. |
|ELS 6/5/2007: add "return false" at the end of each command handler to prevent IE 'page transition' problem. |
|ELS 3/30/2007: add a shadow definition for CollapsedTemplate. Tweak ViewTemplate shadow so "fold/unfold" and "focus" toolbar items automatically appear when using default templates. Remove error check for "CollapsedTemplate" existence, since shadow version will now always work as a fallback. |
|ELS 2/24/2006: added fallback to "CollapsedTemplate" if "WebCollapsedTemplate" is not found |
|ELS 2/6/2006: added check for 'readOnly' flag to use alternative "WebCollapsedTemplate" |
***/
//{{{
config.shadowTiddlers.CollapsedTemplate=
"<!--{{{-->\
<div class='toolbar' macro='toolbar expandTiddler collapseOthers closeTiddler closeOthers +editTiddler permalink references jump'></div>\
<div class='title' macro='view title'></div>\
<!--}}}-->";
// automatically tweak shadow ViewTemplate to add "collapseTiddler collapseOthers" commands at 'front' of toolbar (before 'closeTiddler')
config.shadowTiddlers.ViewTemplate=config.shadowTiddlers.ViewTemplate.replace(/closeTiddler/,"collapseTiddler collapseOthers closeTiddler");
config.commands.collapseTiddler = {
text: "fold",
tooltip: "Collapse this tiddler",
handler: function(event,src,title)
{
var e = story.findContainingTiddler(src);
if(e.getAttribute("template") != config.tiddlerTemplates[DEFAULT_EDIT_TEMPLATE]){
var t = (readOnly&&store.tiddlerExists("WebCollapsedTemplate"))?"WebCollapsedTemplate":"CollapsedTemplate";
if(e.getAttribute("template") != t ){
e.setAttribute("oldTemplate",e.getAttribute("template"));
story.displayTiddler(null,title,t);
}
}
return false;
}
}
config.commands.expandTiddler = {
text: "unfold",
tooltip: "Expand this tiddler",
handler: function(event,src,title)
{
var e = story.findContainingTiddler(src);
story.displayTiddler(null,title,e.getAttribute("oldTemplate"));
return false;
}
}
config.macros.collapseAll = {
handler: function(place,macroName,params,wikifier,paramString,tiddler){
var label = params.shift(); if (!label) { label = 'Collapse All'; }
createTiddlyButton(place,label,"",function(){
story.forEachTiddler(function(title,tiddler){
if(tiddler.getAttribute("template") != config.tiddlerTemplates[DEFAULT_EDIT_TEMPLATE])
var t = (readOnly&&store.tiddlerExists("WebCollapsedTemplate"))?"WebCollapsedTemplate":"CollapsedTemplate";
story.displayTiddler(null,title,t);
})})
}
}
config.macros.expandAll = {
handler: function(place,macroName,params,wikifier,paramString,tiddler){
var label = params.shift(); if (!label) { label = 'Expand All'; }
createTiddlyButton(place,label,"",function(){
story.forEachTiddler(function(title,tiddler){
var t = (readOnly&&store.tiddlerExists("WebCollapsedTemplate"))?"WebCollapsedTemplate":"CollapsedTemplate";
if(tiddler.getAttribute("template") == t) story.displayTiddler(null,title,tiddler.getAttribute("oldTemplate"));
})})
}
}
config.commands.collapseOthers = {
text: "focus",
tooltip: "Expand this tiddler and collapse all others",
handler: function(event,src,title)
{
var e = story.findContainingTiddler(src);
story.forEachTiddler(function(title,tiddler){
if(tiddler.getAttribute("template") != config.tiddlerTemplates[DEFAULT_EDIT_TEMPLATE]){
var t = (readOnly&&store.tiddlerExists("WebCollapsedTemplate"))?"WebCollapsedTemplate":"CollapsedTemplate";
if (e==tiddler) t=e.getAttribute("oldTemplate");
//////////
// ELS 2006.02.22 - removed this line. if t==null, then the *current* view template, not the default "ViewTemplate", will be used.
// if (!t||!t.length) t=!readOnly?"ViewTemplate":"WebViewTemplate";
//////////
story.displayTiddler(null,title,t);
}
})
return false;
}
}
//}}}
<!--{{{-->
<div class='toolbar'>
<span macro="showWhenTagged systemConfig">
<span macro="toggleTag systemConfigDisable . '[[disable|systemConfigDisable]]'"></span>
</span>
<span macro="showWhenTagged palette">
<span macro="setPalette"></span>
</span>
<span style="padding:1em;"></span>
<span macro='toolbar +expandTiddler collapseOthers closeTiddler closeOthers editTiddler > fields syncing permalink references jump'></span>
<span macro='newHere label:"new here"'></span>
</div>
<div class='titleContainer'>
<span class='title' macro='view title'></span>
<span macro="miniTag"></span>
</div>
<!--}}}-->
//{{{
config.options.chkHttpReadOnly = false; // means web visitors can experiment with your site by clicking edit
config.options.chkInsertTabs = true; // tab inserts a tab when editing a tiddler
config.views.wikified.defaultText = ""; // don't need message when a tiddler doesn't exist
config.views.editor.defaultText = ""; // don't need message when creating a new tiddler
//}}}
Remember to do this after you RebuildInitrd.
!Fedora
# Install {{command{mkbootdisk}}} (you'll only have to do this the first time):
#* {{command{yum -y install mkbootdisk}}}
# Create a boot image:
#* {{command{mkbootdisk -{{{}}}-iso -{{{}}}-device bootcd-`uname -r`.iso `uname -r`}}}
# Burn the boot image to a CD:
#* {{command{cdrecord bootcd-`uname -r`.iso}}}
Once you've installed it, you can create a boot CD any time
!~CentOS
# Create a boot image:
#* {{command{mkbootdisk -{{{}}}-iso -{{{}}}-device bootcd-`uname -r`.iso `uname -r`}}}
# Burn the boot image to a CD:
#* {{command{cdrecord bootcd-`uname -r`.iso}}}
!Notes
* {{literal{`uname -r`}}} can be replaced with a kernel version number ({{command{rpm -q kernel}}} or {{command{rpm -q kernel-xen}}} to find them).
The encryption parameters that our patched {{command{[[mkinitrd]]}}} uses to build the [[initrd]] are kept in {{file{/etc/sysconfig/mkinitrd}}} (Fedora) or {{file{/etc/sysconfig/mkinitrd/crypt}}} (~CentOS).
''NOTE'': If you change any of these parameters, you must RebuildInitrd.
!Parameters
; {{literal{~CRYPT_PARTITION}}}
: The encrypted partition. eg: {{literal{~CRYPT_BACK=/dev/sda2}}}
; {{literal{~CRYPT_DMNAME}}}
: The device mapper name that is created when opening the encrypted partition. eg: {{literal{~CRYPT_DMNAME=cryptpv}}}
; {{literal{~CRYPT_KEYDRIVE}}}
: The USB partition that holds the decryption key file. eg: {{literal{~CRYPT_KEYDRIVE=/dev/sdb1}}} or {{literal{~CRYPT_KEYDRIVE=LABEL=~MyThumbDrive}}}
: If {{literal{~CRYPT_KEYDRIVE}}} is omitted or is empty, no key file is used - you must enter the passphrase when booting.
; {{literal{~CRYPT_KEYDRIVEFSMOD}}}
: Which filesystem module to use to mount the specified {{literal{~CRYPT_KEYDRIVE}}}. eg: {{literal{~CRYPT_KEYDRIVEFSMOD=vfat}}}.
:* If {{literal{~CRYPT_KEYDRIVEFSMOD}}} is omitted or is empty, the resulting initrd will first attempt to use {{literal{vfat}}}, then {{literal{ext3}}}.
:* Normally you should omit this parameter. It's typically only needed for troubleshooting, or if you have a thumb drive with an unusual filesystem.
; {{literal{~CRYPT_KEYPATH}}}
: The path (relative to the root of the thumb drive) of the key file. Do not include a leading slash. eg: {{literal{~CRYPT_KEYPATH=keys/laptop/xoanon.key}}}
!Notes
* Usually you will omit {{literal{~CRYPT_KEYDRIVEFSMOD}}}.
* {{literal{~CRYPT_KEYDRIVE}}} can be either a device specifier or a label. Each has advantages and disadvantages. Using a device specifier means that finding your thumb drive is not dependent on having the right label on the thumb drive. On the other hand, using a label means that you don't have to guess what device the kernel will assign to your thumb drive. Using a label will be easier to set up, using a device may provide better long-term maintainability.
[[Introduction]] MainInstructions
/***
| Name:|DocumentationStyleSheet|
| Description:|Gives you spans that are suited to writing documentation for procedures relating to computers.|
| Version:|1.2|
| Date:|05-Dec-2007|
| Source:|Not yet published|
| Author:|[[Msquared]]|
| License:|BSD open source license (tiddler source), GNU (icons)|
| ~CoreVersion:|2.1, 2.2.x|
!Installation
# Copy the contents of this tiddler into a tiddler called DocumentationStyleSheet in your own TiddlyWiki;
# Copy the icon files to a folder with your TiddlyWiki (default is {{folder{icons/documentation}}};
# Change the values in the configuration table below to correspond to the location of the icon files;
# Add the line {{literal{[{{{}}}[~DocumentationStyleSheet]{{{}}}]}}} to the StyleSheet tiddler.
!Usage
Apply the styles below using custom CSS classes.
!Example
The text
<<<
{{{
Issue the command {{command{ls -l}}} to see the files in the current directory
}}}
<<<
in a tiddler will result in
>Issue the command {{command{ls -l}}} to see the files in the current directory
being displayed.
!Supported styles
!!Computer-related things
|!Style|!Example|
| {{{file}}}|Delete {{file{unimportant.doc}}}|
| {{{folder}}}|Open the {{folder{C:\Documents and Settings\}}} folder|
| {{{command}}}|Run the command {{command{ls -l}}}|
| {{{user}}}|Log in as {{user{Administrator}}}|
| {{{usergroup}}}|Add yourself to the {{usergroup{Local Administrators}}} group|
| {{{password}}}|The password is {{password{p4ssw0rd}}}|
| {{{server}}}|{{server{staffprint1}}} is a print server|
| {{{workstation}}}|Log in to {{workstation{libpc123}}} as yourself|
| {{{printer}}}|Set {{printer{\\staffprint1\fooprn01}}} as the default printer|
!!Text to enter
|!Style|!Example|
| {{{literal}}}|{{literal{this is some literal text}}} (enter it as you see it)|
| {{{variable}}}|{{variable{placeholder text}}} (you need to supply something}|
!!User interface items to interact with
|!Style|!Example|
| {{{dialog}}}|Open the {{dialog{File Properties}}} dialog|
| {{{tab}}}|Select the {{tab{Security}}} tab|
| {{{cmdbutton}}}|Click {{cmdbutton{OK}}}|
| {{{radiobutton}}}|Select {{radiobutton{Custom installation}}}|
| {{{checkbox}}}|{{checkbox{Advanced}}} should be off|
| {{{checkedbox}}}|Select {{checkedbox{Enable override}}}|
| {{{menu}}}|Open the {{menu{File}}} menu|
| {{{menuitem}}}|Select {{menuitem{Properties}}} from the context menu|
| {{{winstartbutton}}}|Click on {{winstartbutton{Start}}}|
!!Messages you may see
|!Style|!example|
| {{{question}}}|When you quit you will be asked {{question{Are you sure?}}}|
| {{{infomsg}}}|{{infomsg{File saved}}} should be displayed|
| {{{warningmsg}}}|You can safely ignore the warning {{warningmsg{Temporary file removed}}}|
| {{{errormsg}}}|If you see {{errormsg{Application closed unexpectedly}}} reboot the computer|
!Configuration
|IconPath:|icons/documentation/|
!History
|1.2|Msquared|05-Dec-2007|Set increasing indentation on H1..H4 to make structure more visible|
|1.1|Msquared|05-Sep-2007|Minor changes to installation and usage instructions|
|1.0|Msquared|17-Oct-2006|First version, based on a regular CSS stylesheet|
***/
/*{{{*/
h1 {
padding-left: 0em;
}
h2 {
padding-left: 0.8em;
}
h3 {
padding-left: 1.8em;
}
h4 {
padding-left: 2.8em;
}
dl {
margin-left: 2em;
}
span.externalwebsite {
background-image: url([[DocumentationStyleSheet::IconPath]]externalwebsite.png);
background-position: right;
background-repeat: no-repeat;
padding-right: 17px;
}
span.winstartbutton {
background: #4a4;
color: white;
font-size: 85%;
padding: 0 0.3em;
margin: 0 0.2em;
border: solid 1px #ada;
border-right-color: #252;
border-bottom-color: #484;
background-image: url([[DocumentationStyleSheet::IconPath]]winstarticon.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 18px;
}
/* this is for an item in the start menu */
span.startmenuitem {
}
/* this is for a program group in the All Programs menu(s) */
span.programgroup {
}
/* this is for an actual program or other item in the All Programs menu(s) */
span.programitem {
}
span.cmdbutton {
background: #ddd;
font-size: 85%;
padding: 0 0.3em;
margin: 0 0.2em;
border: solid 1px #aaa;
border-bottom-color: #000;
border-right-color: #000;
}
span.radiobutton {
background: #eee;
font-size: 85%;
padding: 0 0.3em;
margin: 0 0.2em;
border: solid 1px #e8e8e8;
background-image: url([[DocumentationStyleSheet::IconPath]]radiobutton.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.checkbox {
background: #eee;
font-size: 85%;
padding: 0 0.3em;
margin: 0 0.2em;
border: solid 1px #e8e8e8;
background-image: url([[DocumentationStyleSheet::IconPath]]checkbox.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
/* this is for an item in a listbox */
span.listboxitem {
}
/* this is for an item in a combobox (dropdown box) */
span.comboboxitem {
}
span.dialog {
background: #eee;
font-size: 85%;
padding: 0 0.3em;
margin: 0 0.2em;
border: solid 1px #eee;
background-image: url([[DocumentationStyleSheet::IconPath]]dialog.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 18px;
}
span.checkedbox {
background: #eee;
font-size: 85%;
padding: 0 0.3em;
margin: 0 0.2em;
border: solid 1px #e8e8e8;
background-image: url([[DocumentationStyleSheet::IconPath]]checkedbox.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.menu {
background: #eee;
font-size: 85%;
padding: 0 1em 0 1em;
margin: 0 0.2em;
border: solid 1px #999;
}
span.menuitem {
background: #eee;
font-size: 85%;
padding: 0 2em 0 1em;
margin: 0 0.2em;
border: solid 1px #e8e8e8;
border-left-color: #999;
border-right-color: #999;
}
span.tab {
background: #eee;
font-size: 85%;
padding: 0 0.6em;
margin: 0 0.2em;
border: solid 1px #bbb;
border-bottom-color: #eee;
}
span.infomsg,
span.warningmsg,
span.errormsg,
span.question {
font-size: 90%;
background: #eee;
border: solid 1px #ccc;
padding: 0px 2px;
}
span.infomsg {
background-image: url([[DocumentationStyleSheet::IconPath]]info.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.warningmsg {
background-image: url([[DocumentationStyleSheet::IconPath]]warning.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.errormsg {
background-image: url([[DocumentationStyleSheet::IconPath]]error.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.question {
background-image: url([[DocumentationStyleSheet::IconPath]]question.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.literal,
span.variable,
span.command,
span.folder,
span.file,
span.user,
span.usergroup,
span.password,
span.server,
span.workstation,
span.printer {
font-family: monospace;
font-weight: normal;
font-size: 115%;
background: #eeeeee;
border: solid 1px #ccc;
padding: 0px 2px;
}
span.variable { /* variable is the same as literal, but italic */
font-style: italic;
}
/* Display variable text inside other things (eg: command) without most chrome */
span span.variable {
font-size: 100%;
background: transparent;
border: none;
}
span.command {
background-image: url([[DocumentationStyleSheet::IconPath]]command.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.user {
background-image: url([[DocumentationStyleSheet::IconPath]]user.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.usergroup {
background-image: url([[DocumentationStyleSheet::IconPath]]usergroup.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.password {
background-image: url([[DocumentationStyleSheet::IconPath]]password.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.file {
background-image: url([[DocumentationStyleSheet::IconPath]]file.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.folder {
background-image: url([[DocumentationStyleSheet::IconPath]]folder.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.server {
background-image: url([[DocumentationStyleSheet::IconPath]]server.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.workstation {
background-image: url([[DocumentationStyleSheet::IconPath]]workstation.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
span.printer {
background-image: url([[DocumentationStyleSheet::IconPath]]printer.png);
background-position: left;
background-repeat: no-repeat;
padding-left: 17px;
}
/*}}}*/
This is a TiddlyWiki that is set up by [[Msquared]] for documenting processes (primarily computer-based processes).
!!Features
* Almost entirely self-contained within a single HTML file (icons are in separate PNG image files)
* Editable entirely within a web browser (compatible with most modern browsers)
* Can be stored and updated on a USB drive for maximum portability (can be used with FirefoxPortable)
* A comprehensive set of styles for representing literal strings, variable strings, user interface components, computing-related real-world objects, and more
!!How it was built
# Downloaded an empty TiddlyWiki
# Installed DocumentationStyleSheet
# Installed MonkeyPirateTiddlyWiki (but disabled LessBackupsPlugin)
# Installed selected plugins from TiddlyTools:
#* CollapseTiddlersPlugin - allows you to 'fold' tiddlers
#* RearrangeTiddlersPlugin - allows you to rearrange tiddlers by dragging their titles
#* SetUserNamePlugin - allows you to request a user name if one is not set when editing tiddlers
# Tweaked some TiddlyTools plugins:
#* CollapseTiddlersPlugin - added label string as optional parameter to 'collapse all' and 'expand all' macros to allow customisation of these buttons
#* SetUserNamePlugin - added prompt string as optional parameter to username request macro to allow customisation of the username popup
# Modified some tiddlers (mostly layout tweaks to better integrate above plugins):
#* SiteTitle & SiteSubtitle
#** Changed to reflect intended usage of this TiddlyWiki (ie: process documentation)
#* EditTemplate
#** Added setUserName macro from SetUserNamePlugin
#* SideBarOptions
#** Added 'fold all', removed 'new journal'
#* MptwViewTemplate
#** Added 'fold' and 'focus', removed 'new journal'
#* CollapsedTemplate
#** Based the toolbar on the toolbar from MptwViewTemplate but removed 'delete', changed 'fold' to 'unfold', and made 'unfold' the default double-click action
!Windows/Linux dual-boot
You can still encrypt your Linux installation on a dual-boot system, but not your Windows partition (at least, not with LUKS). You could encrypt your data inside Windows with something such as TrueCrypt, but the rest of the Windows filesystem and the Windows swap will not be encrypted, thus potentially exposing encrypted data by storing it (even temporarily) on disk in unencrypted form (see "Why encrypt the root filesystem?" in the [[References]]).
If you really must have Windows, run it as a virtual machine under your fully-encrypted Linux installation (see below).
!Linux/Linux dual-boot
I think this is possible, but there are a some issues, depending on the approach you take.
The main approaches I would consider to making this work:
* Xen or other virtualisation technology
* Leave enough unallocated space on the drive to create a new LVM partition for the new installation
* Create a small unencrypted 'installation partition' (4G or so) specifically for new installations
!!Virtualisation
This is probably the best approach, if you can use it, since only the host operating system will need to support encryption. Note that this means if you can run Windows as a virtulized guest under Linux, your Windows can effectively be encrypted, too.
!!Multiple volume groups
The main problems with this approach:
* {{folder{/boot}}} will be shared between both installations
The first issue (irrespective of which approach you take) is that a fresh installation will want to format your /boot, which you will want it to keep, so that it can be shared between the installations. will contain all your custom initrds and your grub configuration.
* You will need to plan ahead for your hard drive usage (and thus partitioning) more than you would with a single installation.
Otherwise, this will be fairly easy to set up.
!!Small unencrypted 'installation partition'
Deploy your new installation to a new LVM volume group on the unencrypted partition, then merge its volume group with your main volume group, and move it across to the encrypted part of the volume group.
While more flexible in terms of disk space management, this is a more difficult. In addition to the issue with sharing {{folder{/boot}}} between your installations, the new installation's initrd will expect its volumes to be in the new volume group, but will not even find that volume group. This might be one way to perform the installation and merge:
# Install to the unencrypted partition
# Patch the new installation's {{command{mkinitrd}}} and rebuild the initrd
# Merge the volume group on the unencrypted partition with the volume group on the encrypted partition
# Move the volumes onto the encrypted partition
# Remove the unencrypted partition from the volume group
# Update {{file{/etc/fstab}}} to reflect the fact that the filesystems are now in a different volume group
# Rebuild the initrd again to update the volume group that is opened to access the root filesystem
Possible problems with this approach:
* When you are merging one volume group into another, the logical volumes in the group that is disappearing must be inactive. This means that you can't do the merge while running the new install
* If you merge the new installation's volume group into the existing (encrypted) volume group while not running the new installation, updating the initrd will be more difficult.
If you do try this, here's how you might update the initrd after the merge:
# Boot into the original (encrypted) installation (not the new one)
# Back up the new installation's initrd:
## {{command{cp /boot/initrd-{{variable{kernelversion}}}.img /boot/initrd-{{variable{kernelversion}}}.bak}}}
# Extract the new installation's initrd:
## {{command{mkdir{tmpinit}}}
## {{command{cd tmpinit}}}
## {{command{zcat /boot/initrd-{{variable{kernelversion}}}.img | cpio -i}}} (this should be the new installation's initrd)
# Edit {{file{init}}}:
## Look for a line such as {{literal{lvm vgchange -ay -{{{}}}-ignorelockingfailure {{variable{volumegroup}}}}}}
## Change {{variable{volumegroup}}} from the new installation's original volume group to the encrypted installation's volume group
## Save the file
# Repack the initrd:
## {{command{find | cpio -c -o | gzip >/boot/initrd-{{variable{kernelversion}}}.img}}}
Even if this works, you will have complications sharing {{folder{/boot}}} between multiple installations of the same version of the same distribution. For example, you might be able to dual-boot ~CentOS and Fedora, or even Fedora 7 and Fedora 8, but you might have issues dual-booting two installations of Fedora 8.
You could eliminate the need to change volume groups with {{file{/etc/fstab}}} by using volume labels instead, but it's just about the same amount of work (perhaps more), and you still have to modify the initrd anyway.
[[MptwEditTemplate]]
<span macro='setUserName "Please enter your username (eg: BobJones)"'></span>
/***
| Name:|ExtentTagButtonPlugin|
| Description:|Adds a New tiddler button in the tag drop down|
| Version:|3.2 ($Rev: 2406 $)|
| Date:|$Date: 2007-08-08 22:50:23 +1000 (Wed, 08 Aug 2007) $|
| Source:|http://mptw.tiddlyspot.com/#ExtendTagButtonPlugin|
| Author:|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
***/
//{{{
window.onClickTag_mptw_orig = window.onClickTag;
window.onClickTag = function(e) {
window.onClickTag_mptw_orig.apply(this,arguments);
var tag = this.getAttribute("tag");
var title = this.getAttribute("tiddler");
// Saq, you're a genius :)
var popup = Popup.stack[Popup.stack.length-1].popup;
createTiddlyElement(createTiddlyElement(popup,"li",null,"listBreak"),"div");
wikify("<<newTiddler label:'New tiddler' tag:'"+tag+"'>>",createTiddlyElement(popup,"li"));
return false;
}
//}}}
Firefox set up to be run without installation. Ideal for running from a USB thumb drive.
!Home page
http://portableapps.com/apps/internet/firefox_portable
To get started with this blank DocumentationTiddlyWiki, you'll need to modify the following tiddlers:
* SiteTitle & SiteSubtitle: The title and subtitle of the site, as shown above (after saving, they will also appear in the browser title bar)
* MainMenu: The menu (usually on the left)
* DefaultTiddlers: Contains the names of the tiddlers that you want to appear when the TiddlyWiki is opened
You'll also need to enter your username for signing your edits: <<option txtUserName>>
See also MonkeyPirateTiddlyWiki.
/***
| Name|HideWhenPlugin|
| Description|Allows conditional inclusion/exclusion in templates|
| Version|3.0 ($Rev: 1845 $)|
| Date|$Date: 2007-03-16 15:19:22 +1000 (Fri, 16 Mar 2007) $|
| Source|http://mptw.tiddlyspot.com/#HideWhenPlugin|
| Author|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
For use in ViewTemplate and EditTemplate. Example usage:
{{{<div macro="showWhenTagged Task">[[TaskToolbar]]</div>}}}
{{{<div macro="showWhen tiddler.modifier == 'BartSimpson'"><img src="bart.gif"/></div>}}}
***/
//{{{
window.removeElementWhen = function(test,place) {
if (test) {
removeChildren(place);
place.parentNode.removeChild(place);
}
};
merge(config.macros,{
hideWhen: { handler: function(place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( eval(paramString), place);
}},
showWhen: { handler: function(place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( !eval(paramString), place);
}},
hideWhenTagged: { handler: function (place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( tiddler.tags.containsAll(params), place);
}},
showWhenTagged: { handler: function (place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( !tiddler.tags.containsAll(params), place);
}},
hideWhenTaggedAny: { handler: function (place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( tiddler.tags.containsAny(params), place);
}},
showWhenTaggedAny: { handler: function (place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( !tiddler.tags.containsAny(params), place);
}},
hideWhenTaggedAll: { handler: function (place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( tiddler.tags.containsAll(params), place);
}},
showWhenTaggedAll: { handler: function (place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( !tiddler.tags.containsAll(params), place);
}},
hideWhenExists: { handler: function(place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( store.tiddlerExists(params[0]) || store.isShadowTiddler(params[0]), place);
}},
showWhenExists: { handler: function(place,macroName,params,wikifier,paramString,tiddler) {
removeElementWhen( !(store.tiddlerExists(params[0]) || store.isShadowTiddler(params[0])), place);
}}
});
//}}}
!Goal
The goal of this guide is to show you how to install Fedora 8 on a machine such that the root filesystem is encrypted.
!Target audience
This guide is targeted at intermediate and advanced Linux users and administrators.
!Outline
We will:
* Patch {{command{[[mkinitrd]]}}} to modify the [[initrd]] to handle an encrypted drive;
* Use [[LUKS]] to perform the encryption and provide key/passphrase management;
* Use [[LVM]] to provide easier drive management, and to allow us to encrypt the entire disk.
!Background
Although Fedora's and ~CentOS's [[Anaconda]] doesn't have the ability to create an encrypted root filesystem, we can modify an installed system so that the root filesystem is encrypted. In fact, almost the entire hard drive will be encrypted.
We'll format the spare partition {{literal{sda2}}} with [[LUKS]]. LUKS allows an encrypted partition to be decrypted on-the-fly for usage as a regular block device. Because it's decrypted and encrypted on-the-fly, nothing unencrypted is stored on the disk. (move to intro??)
By installing fresh, this walk-through is much simpler, thus improving your chances for success. Once you've done it once, you can try it on an existing system; you'll know what's normal and what's not, and have a better chance of successful troubleshooting. Remember: ''always back up your data''.
!Requirements
!!Required knowledge
* Some familiarity with installing Linux, preferably Fedora and/or ~CentOS
* Some familiarity with using a shell
* Understanding of disk partitioning (eg: use of {{command{fdisk}}} to change edit partition the table)
* Knowledge of how to edit plain text files
!!Required hardware
* A PC with at least a 10GB HD
!!Required media
* A Fedora 7, Fedora 8, ~CentOS 5.0, or ~CentOS 5.1 install DVD
* A SystemRescueCD (optional, but very handy to have for recovering after a failed kernel upgrade, mkinitrd patch, etc)
<<tiddler PasswordWarning>>
!Data warning!
Many of the things you are asked to do in this guide are destructive. If your setup differs at all from what is assumed in here (chances are that it will), then you will likely make a mistake and break/format/delete something. Try this on an unused machine first, then when you succeed, experiment on that machine.
While I've tried to make these instructions relatively simple, they are intended for an intermediate or advanced audience.
!Get going!
To get going, proceed to the MainInstructions.
Although I recommend generating a key file called something like {{file{laptop.key}}}, in theory you could use an ~MP3 file, a Word document or something else, to make it harder for someone to work out where your key file is. However, there are two problems with this:
# Someone can find out what file to look for by pulling apart your initrd (which is not encrypted)
# The start of virtually any file that has information in it tends to be a standard header for that type of file
The second point means that after someone has determined that you are using an mp3 file for your key file, they'll try using the first 32 bytes of all of the ~MP3s in their own collection.
However, there is a way you can put them off the scent. As long as you still use 32 truly random bytes at the start of the file, you can //name// the file whatever you like. This means that they will start looking for the wrong type of data to decrypt with. :-)
See LinuxUnifiedKeySetup.
See LogicalVolumeManagement.
/***
|''Name:''|LegacyStrikeThroughPlugin|
|''Description:''|Support for legacy (pre 2.1) strike through formatting|
|''Version:''|1.0.2|
|''Date:''|Jul 21, 2006|
|''Source:''|http://www.tiddlywiki.com/#LegacyStrikeThroughPlugin|
|''Author:''|MartinBudden (mjbudden (at) gmail (dot) com)|
|''License:''|[[BSD open source license]]|
|''CoreVersion:''|2.1.0|
***/
//{{{
// Ensure that the LegacyStrikeThrough Plugin is only installed once.
if(!version.extensions.LegacyStrikeThroughPlugin) {
version.extensions.LegacyStrikeThroughPlugin = {installed:true};
config.formatters.push(
{
name: "legacyStrikeByChar",
match: "==",
termRegExp: /(==)/mg,
element: "strike",
handler: config.formatterHelpers.createElementAndWikify
});
} //# end of "install only once"
//}}}
/***
| Name|LessBackupsPlugin|
| Description|Intelligently limit the number of backup files you create|
| Version|3.0 ($Rev: 2320 $)|
| Date|$Date: 2007-06-18 22:37:46 +1000 (Mon, 18 Jun 2007) $|
| Source|http://mptw.tiddlyspot.com/#LessBackupsPlugin|
| Author|Simon Baird|
| Email|simon.baird@gmail.com|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
!!!Description
You end up with just backup one per year, per month, per weekday, per hour, minute, and second. So total number won't exceed about 200 or so. Can be reduced by commenting out the seconds/minutes/hours line from modes array
!!!Notes
Works in IE and Firefox only. Algorithm by Daniel Baird. IE code by by Saq Imtiaz.
!!!Code
***/
//{{{
window.getSpecialBackupPath = function(backupPath) {
var MINS = 60 * 1000;
var HOURS = 60 * MINS;
var DAYS = 24 * HOURS;
// comment out the ones you don't want
var modes = [
["YYYY", 365*DAYS], // one per year for ever
["MMM", 31*DAYS], // one per month
["ddd", 7*DAYS], // one per weekday
//["d0DD", 1*DAYS], // one per day of month
["h0hh", 24*HOURS], // one per hour
["m0mm", 1*HOURS], // one per minute
["s0ss", 1*MINS], // one per second
["latest",0] // always keep last version. (leave this).
];
var now = new Date();
for (var i=0;i<modes.length;i++) {
// the filename we will try
var specialBackupPath = backupPath.replace(/(\.)([0-9]+\.[0-9]+)(\.html)$/,
'$1'+now.formatString(modes[i][0]).toLowerCase()+'$3')
// open the file
try {
if (config.browser.isIE) {
var fsobject = new ActiveXObject("Scripting.FileSystemObject")
var fileExists = fsobject.FileExists(specialBackupPath);
if (fileExists) {
var fileObject = fsobject.GetFile(specialBackupPath);
var modDate = new Date(fileObject.DateLastModified).valueOf();
}
}
else {
netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
var file = Components.classes["@mozilla.org/file/local;1"].createInstance(Components.interfaces.nsILocalFile);
file.initWithPath(specialBackupPath);
var fileExists = file.exists();
if (fileExists) {
var modDate = file.lastModifiedTime;
}
}
}
catch(e) {
// give up
return backupPath;
}
// expiry is used to tell if it's an 'old' one. Eg, if the month is June and there is a
// June file on disk that's more than an month old then it must be stale so overwrite
// note that "latest" should be always because the expiration period is zero (see above)
var expiry = new Date(modDate + modes[i][1]);
if (!fileExists || now > expiry)
return specialBackupPath;
}
}
// hijack the core function
window.getBackupPath_orig = window.getBackupPath;
window.getBackupPath = function(localPath) {
return getSpecialBackupPath(getBackupPath_orig(localPath));
}
//}}}
The text of this guide document is Copyright © 2007 by [[Msquared|http://www.msquared.com.au/]]. Some rights reserved.
<html><a rel="license" href="http://creativecommons.org/licenses/by-sa/2.5/au/">
<img alt="Creative Commons License" style="border-width:0" src="http://i.creativecommons.org/l/by-sa/2.5/au/88x31.png" />
</a>
<br />
<span xmlns:dc="http://purl.org/dc/elements/1.1/" href="http://purl.org/dc/dcmitype/Text" property="dc:title" rel="dc:type">Encrypted root on Fedora & Centos</span> by
<a xmlns:cc="http://creativecommons.org/ns#" href="http://www.msquared.com.au/" property="cc:attributionName" rel="cc:attributionURL">Msquared</a> is licensed under a
<a rel="license" href="http://creativecommons.org/licenses/by-sa/2.5/au/">Creative Commons Attribution-Share Alike 2.5 Australia</a>.</html>
-----
The presentation of this guide document is implemented using [[TiddlyWiki|http://www.tiddlywiki.com/]], with plugins from [[MonkeyPirateTiddlyWiki|http://mptw.tiddlyspot.com/]], [[TiddlyWikiCollapsePlugin|http://gensoft.revhost.net/Collapse.html]], [[TiddlyTools|http://www.tiddlytools.com/]], and [[DocumentationStylesheet|http://www.msquared.id.au]].
LUKS is now the de-facto standard on-disk encryption for Linux. It's popularity is due to a few useful features:
* Encryption and decryption is done 'on-the-fly', meaning that no unencrypted data is ever stored on disk
* You can use virtually any block device as encrypted storage (hard drive, USB drive, etc)
* Once you 'mount' the encrypted storage, the resulting decrypted volume looks just like a block device, so you can put any filesystem on it that you like
* You can use multiple decryption keys (even supports a mix of passwords and key files)
!Additional information
* http://luks.endorphin.org/
LVM alows you to have more flexibiilty when setting up disks than simple partitioning normally permits. LVM's flexibility may possibly be surpassed only by [[ZFS|http://en.wikipedia.org/wiki/ZFS]].
LVM can:
* Resize and move volumes almost at will
* Handle adding and removal of physical devices almost at will
* Move logical drives between physical drives almost at will
We are taking advantage of LVM's storage malleability to simply slide our LVM volume group from a normal partition to an encrypted partition.
!Additional information
* http://sources.redhat.com/lvm2/
You can click on a step below to open it in a new box, or you can click on 'excerpts'/'contents'/'sliders'/'title only' (to the right of 'Tagged as...') in order to change how the instructions are displayed.
[[Introduction]] <<tag MainInstructions>> <<tag AdvancedTopics>> <<tag AdditionalInformation>> <<tag Patches>> [[References]]
MonkeyPirateTiddlyWiki is a distribution of TiddlyWiki created by Simon Baird.
!Home page
http://mptw.tiddlyspot.com/
|''Type:''|file|
|''URL:''|http://mptw.tiddlyspot.com/empty.html|
|''Workspace:''||
This tiddler was automatically created to record the details of this server
/***
| Name|MptwLayoutPlugin|
| Description|A package containing templates and css for the MonkeyPirateTiddlyWiki layout|
| Version|3.0 ($Rev: 1845 $)|
| Source|http://mptw.tiddlyspot.com/#MptwLayoutPlugin|
| Author|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
!Notes
Presumes you have TagglyTaggingPlugin installed. To enable this you should have a PageTemplate containing {{{[[MptwPageTemplate]]}}} and similar for ViewTemplate and EditTemplate.
***/
//{{{
// used in MptwViewTemplate
config.mptwDateFormat = 'DD/MM/YY';
config.mptwJournalFormat = 'Journal DD/MM/YY';
//config.mptwDateFormat = 'MM/0DD/YY';
//config.mptwJournalFormat = 'Journal MM/0DD/YY';
config.shadowTiddlers.GettingStarted += "\n\nSee also MonkeyPirateTiddlyWiki.";
//}}}
//{{{
merge(config.shadowTiddlers,{
'MptwEditTemplate':[
"<!--{{{-->",
"<!--- http://mptw.tiddlyspot.com/#MptwEditTemplate ($Rev: 1829 $) --->",
"<div class=\"toolbar\" macro=\"toolbar +saveTiddler saveCloseTiddler closeOthers -cancelTiddler cancelCloseTiddler deleteTiddler\"></div>",
"<div class=\"title\" macro=\"view title\"></div>",
"<div class=\"editLabel\">Title</div><div class=\"editor\" macro=\"edit title\"></div>",
"<div class=\"editLabel\">Tags</div><div class=\"editor\" macro=\"edit tags\"></div>",
"<div class=\"editorFooter\"><span macro=\"message views.editor.tagPrompt\"></span><span macro=\"tagChooser\"></span></div>",
"<div macro=\"showWhenExists EditPanelTemplate\">[[EditPanelTemplate]]</div>",
"<div class=\"editor\" macro=\"edit text\"></div>",
"<!--}}}-->"
].join("\n"),
'MptwPageTemplate':[
"<!--{{{-->",
"<!-- http://mptw.tiddlyspot.com/#MptwPageTemplate ($Rev: 1829 $) -->",
"<div class='header' macro='gradient vert [[ColorPalette::PrimaryLight]] [[ColorPalette::PrimaryMid]]'>",
" <div class='headerShadow'>",
" <span class='siteTitle' refresh='content' tiddler='SiteTitle'></span> ",
" <span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>",
" </div>",
" <div class='headerForeground'>",
" <span class='siteTitle' refresh='content' tiddler='SiteTitle'></span> ",
" <span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>",
" </div>",
"</div>",
"<!-- horizontal MainMenu -->",
"<div id='topMenu' refresh='content' tiddler='MainMenu'></div>",
"<!-- original MainMenu menu -->",
"<!-- <div id='mainMenu' refresh='content' tiddler='MainMenu'></div> -->",
"<div id='sidebar'>",
" <div id='sidebarOptions' refresh='content' tiddler='SideBarOptions'></div>",
" <div id='sidebarTabs' refresh='content' force='true' tiddler='SideBarTabs'></div>",
"</div>",
"<div id='displayArea'>",
" <div id='messageArea'></div>",
" <div id='tiddlerDisplay'></div>",
"</div>",
"<!--}}}-->"
].join("\n"),
'MptwStyleSheet':[
"/*{{{*/",
"/* http://mptw.tiddlyspot.com/#MptwStyleSheet ($Rev: 2246 $) */",
"",
"/* a contrasting background so I can see where one tiddler ends and the other begins */",
"body {",
" background: [[ColorPalette::TertiaryLight]];",
"}",
"",
"/* sexy colours and font for the header */",
".headerForeground {",
" color: [[ColorPalette::PrimaryPale]];",
"}",
".headerShadow, .headerShadow a {",
" color: [[ColorPalette::PrimaryMid]];",
"}",
"",
"/* separate the top menu parts */",
".headerForeground, .headerShadow {",
" padding: 1em 1em 0;",
"}",
"",
".headerForeground, .headerShadow {",
" font-family: 'Trebuchet MS' sans-serif;",
" font-weight:bold;",
"}",
".headerForeground .siteSubtitle {",
" color: [[ColorPalette::PrimaryLight]];",
"}",
".headerShadow .siteSubtitle {",
" color: [[ColorPalette::PrimaryMid]];",
"}",
"",
"/* make shadow go and down right instead of up and left */",
".headerShadow {",
" left: 1px;",
" top: 1px;",
"}",
"",
"/* prefer monospace for editing */",
".editor textarea {",
" font-family: 'Consolas' monospace;",
"}",
"",
"/* sexy tiddler titles */",
".title {",
" font-size: 250%;",
" color: [[ColorPalette::PrimaryLight]];",
" font-family: 'Trebuchet MS' sans-serif;",
"}",
"",
"/* more subtle tiddler subtitle */",
".subtitle {",
" padding:0px;",
" margin:0px;",
" padding-left:0.5em;",
" font-size: 90%;",
" color: [[ColorPalette::TertiaryMid]];",
"}",
".subtitle .tiddlyLink {",
" color: [[ColorPalette::TertiaryMid]];",
"}",
"",
"/* a little bit of extra whitespace */",
".viewer {",
" padding-bottom:3px;",
"}",
"",
"/* don't want any background color for headings */",
"h1,h2,h3,h4,h5,h6 {",
" background: [[ColorPalette::Background]];",
" color: [[ColorPalette::Foreground]];",
"}",
"",
"/* give tiddlers 3d style border and explicit background */",
".tiddler {",
" background: [[ColorPalette::Background]];",
" border-right: 2px [[ColorPalette::TertiaryMid]] solid;",
" border-bottom: 2px [[ColorPalette::TertiaryMid]] solid;",
" margin-bottom: 1em;",
" padding-bottom: 1em;",
" padding-top: 0.75em;",
"}",
"",
"/* make options slider look nicer */",
"#sidebarOptions .sliderPanel {",
" border:solid 1px [[ColorPalette::PrimaryLight]];",
"}",
"",
"/* the borders look wrong with the body background */",
"#sidebar .button {",
" border-style: none;",
"}",
"",
"/* this means you can put line breaks in SidebarOptions for readability */",
"#sidebarOptions br {",
" display:none;",
"}",
"/* undo the above in OptionsPanel */",
"#sidebarOptions .sliderPanel br {",
" display:inline;",
"}",
"",
"/* horizontal main menu stuff */",
"#displayArea {",
" margin: 1em 15.7em 0em 1em; /* use the freed up space */",
"}",
"#topMenu br {",
" display: none;",
"}",
"#topMenu {",
" background: [[ColorPalette::PrimaryMid]];",
" color:[[ColorPalette::PrimaryPale]];",
"}",
"#topMenu {",
" padding:2px;",
"}",
"#topMenu .button, #topMenu .tiddlyLink, #topMenu a {",
" margin-left: 0.5em;",
" margin-right: 0.5em;",
" padding-left: 3px;",
" padding-right: 3px;",
" color: [[ColorPalette::PrimaryPale]];",
" font-size: 115%;",
"}",
"#topMenu .button:hover, #topMenu .tiddlyLink:hover {",
" background: [[ColorPalette::PrimaryDark]];",
"}",
"",
"/* make 2.2 act like 2.1 with the invisible buttons */",
".toolbar {",
" visibility:hidden;",
"}",
".selected .toolbar {",
" visibility:visible;",
"}",
"",
"/* experimental. this is a little borked in IE7 with the button ",
" * borders but worth it I think for the extra screen realestate */",
".toolbar { float:right; }",
"",
"/* for Tagger Plugin, thanks sb56637 */",
".popup li a {",
" display:inline;",
"}",
"",
"/* make it print a little cleaner */",
"@media print {",
" #topMenu {",
" display: none ! important;",
" }",
" /* not sure if we need all the importants */",
" .tiddler {",
" border-style: none ! important;",
" margin:0px ! important;",
" padding:0px ! important;",
" padding-bottom:2em ! important;",
" }",
" .tagglyTagging .button, .tagglyTagging .hidebutton {",
" display: none ! important;",
" }",
" .headerShadow {",
" visibility: hidden ! important;",
" }",
" .tagglyTagged .quickopentag, .tagged .quickopentag {",
" border-style: none ! important;",
" }",
" .quickopentag a.button, .miniTag {",
" display: none ! important;",
" }",
"}",
"/*}}}*/"
].join("\n"),
'MptwViewTemplate':[
"<!--{{{-->",
"<!--- http://mptw.tiddlyspot.com/#MptwViewTemplate ($Rev: 2247 $) --->",
"",
"<div class='toolbar'>",
" <span macro=\"showWhenTagged systemConfig\">",
" <span macro=\"toggleTag systemConfigDisable . '[[disable|systemConfigDisable]]'\"></span>",
" </span>",
" <span macro=\"showWhenTagged palette\">",
" <span macro=\"setPalette\"></span>",
" </span>",
" <span style=\"padding:1em;\"></span>",
" <span macro='toolbar closeTiddler closeOthers +editTiddler deleteTiddler > fields syncing permalink references jump'></span> <span macro='newHere label:\"new here\"'></span>",
" <span macro='newJournalHere {{config.mptwJournalFormat?config.mptwJournalFormat:\"MM/0DD/YY\"}}'></span>",
"</div>",
"",
"<div class=\"tagglyTagged\" macro=\"tags\"></div>",
"",
"<div class='titleContainer'>",
" <span class='title' macro='view title'></span>",
" <span macro=\"miniTag\"></span>",
"</div>",
"",
"<div class='subtitle'>",
" <span macro='view modifier link'></span>,",
" <span macro='view modified date {{config.mptwDateFormat?config.mptwDateFormat:\"MM/0DD/YY\"}}'></span>",
" (<span macro='message views.wikified.createdPrompt'></span>",
" <span macro='view created date {{config.mptwDateFormat?config.mptwDateFormat:\"MM/0DD/YY\"}}'></span>)",
"</div>",
"",
"<div macro=\"showWhenExists ViewPanelTemplate\">[[ViewPanelTemplate]]</div>",
"",
"<div macro=\"hideWhen tiddler.tags.containsAny(['css','html','pre','systemConfig']) && !tiddler.text.match('{{'+'{')\">",
" <div class='viewer' macro='view text wikified'></div>",
"</div>",
"<div macro=\"showWhen tiddler.tags.containsAny(['css','html','pre','systemConfig']) && !tiddler.text.match('{{'+'{')\">",
" <div class='viewer'><pre macro='view text'></pre></div>",
"</div>",
"",
"<div macro=\"showWhenExists ViewDashboardTemplate\">[[ViewDashboardTemplate]]</div>",
"",
"<div class=\"tagglyTagging\" macro=\"tagglyTagging\"></div>",
"",
"<!--}}}-->"
].join("\n")
});
//}}}
For upgrading directly from tiddlyspot. See [[ImportTiddlers]].
URL: /proxy/mptw.tiddlyspot.com/upgrade.html
For upgrading. See [[ImportTiddlers]].
URL: http://mptw.tiddlyspot.com/upgrade.html
<!--{{{-->
<div class='toolbar'>
<span macro="showWhenTagged systemConfig">
<span macro="toggleTag systemConfigDisable . '[[disable|systemConfigDisable]]'"></span>
</span>
<span macro="showWhenTagged palette">
<span macro="setPalette"></span>
</span>
<span style="padding:1em;"></span>
<span macro='toolbar collapseTiddler collapseOthers closeTiddler closeOthers +editTiddler deleteTiddler > fields syncing permalink references jump'></span>
<span macro='newHere label:"new here"'></span>
</div>
<div class="tagglyTagged" macro="tags"></div>
<div class='titleContainer'>
<span class='title' macro='view title'></span>
<span macro="miniTag"></span>
</div>
<div class='subtitle'>
<span macro='view modifier link'></span>,
<span macro='view modified date {{config.mptwDateFormat?config.mptwDateFormat:"MM/0DD/YY"}}'></span>
(<span macro='message views.wikified.createdPrompt'></span>
<span macro='view created date {{config.mptwDateFormat?config.mptwDateFormat:"MM/0DD/YY"}}'></span>)
</div>
<div macro="showWhenExists ViewPanelTemplate">[[ViewPanelTemplate]]</div>
<div macro="hideWhen tiddler.tags.containsAny(['css','html','pre','systemConfig']) && !tiddler.text.match('{{'+'{')">
<div class='viewer' macro='view text wikified'></div>
</div>
<div macro="showWhen tiddler.tags.containsAny(['css','html','pre','systemConfig']) && !tiddler.text.match('{{'+'{')">
<div class='viewer'><pre macro='view text'></pre></div>
</div>
<div macro="showWhenExists ViewDashboardTemplate">[[ViewDashboardTemplate]]</div>
<div class="tagglyTagging" macro="tagglyTagging"></div>
<!--}}}-->
For business enquiries: http://www.msquared.com.au/
For personal enquiries: http://www.msquared.id.au/
/***
| Name:|NewHerePlugin|
| Description:|Creates the new here and new journal macros|
| Version:|3.0 ($Rev: 1845 $)|
| Date:|$Date: 2007-03-16 15:19:22 +1000 (Fri, 16 Mar 2007) $|
| Source:|http://mptw.tiddlyspot.com/#NewHerePlugin|
| Author:|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
***/
//{{{
merge(config.macros, {
newHere: {
handler: function(place,macroName,params,wikifier,paramString,tiddler) {
wikify("<<newTiddler "+paramString+" tag:[["+tiddler.title+"]]>>",place,null,tiddler);
}
},
newJournalHere: {
handler: function(place,macroName,params,wikifier,paramString,tiddler) {
wikify("<<newJournal "+paramString+" tag:[["+tiddler.title+"]]>>",place,null,tiddler);
}
}
});
//}}}
/***
| Name:|NewMeansNewPlugin|
| Description:|If 'New Tiddler' already exists then create 'New Tiddler (1)' and so on|
| Version:|1.0 ($Rev: 2263 $)|
| Date:|$Date: 2007-06-13 04:22:32 +1000 (Wed, 13 Jun 2007) $|
| Source:|http://mptw.tiddlyspot.com/empty.html#NewMeansNewPlugin|
| Author:|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
***/
//{{{
String.prototype.getNextFreeName = function() {
var numberRegExp = / \(([0-9]+)\)$/;
var match = numberRegExp.exec(this);
if (match) {
var num = parseInt(match[1]) + 1;
return this.replace(numberRegExp," ("+num+")");
}
else {
return this + " (1)";
}
}
config.macros.newTiddler.getName = function(newName) {
while (store.getTiddler(newName))
newName = newName.getNextFreeName();
return newName;
}
config.macros.newTiddler.onClickNewTiddler = function()
{
var title = this.getAttribute("newTitle");
if(this.getAttribute("isJournal") == "true") {
var now = new Date();
title = now.formatString(title.trim());
}
title = config.macros.newTiddler.getName(title); // <--- only changed bit
var params = this.getAttribute("params");
var tags = params ? params.split("|") : [];
var focus = this.getAttribute("newFocus");
var template = this.getAttribute("newTemplate");
var customFields = this.getAttribute("customFields");
story.displayTiddler(null,title,template,false,null,null);
var tiddlerElem = document.getElementById(story.idPrefix + title);
if(customFields)
story.addCustomFields(tiddlerElem,customFields);
var text = this.getAttribute("newText");
if(typeof text == "string")
story.getTiddlerField(title,"text").value = text.format([title]);
for(var t=0;t<tags.length;t++)
story.setTiddlerTag(title,tags[t],+1);
story.focusTiddler(title,focus);
return false;
};
//}}}
[[LUKS]] (and many other recent high-security encryption and access control products and systems) commonly refer to a 'passphrase', instead of a password. This is to help remind you that you need to choose something long and difficult to guest (either by knowing anything about you, or by scanning through a dictionary of some sort).
The longer and more random your passphrase is, the harder it will be to guess or find in a dictionary or password list. Making your passphrase a nonsensical sentence may help you remember it, too.
Some general tips:
* Human language words have a low amount of 'randomness', because certain letters and letter combinations are common in any given human language; you can offset this by:
** Using more words
** Including punctuation
** Inventing spellings for common words, or even inventing words
* A human language sentence will also have a low amount of 'randomness', because sentence structure is generally well-formed; you can offset this by:
** Using words in wrong places
** Adding punctuation in wrong or unusual places
''NOTE'': be careful of keyboard layout issues, especially with respect to 'foreign' characters, unusual punctuation, etc.
!Password warning!
''You can not recover a lost password.'' Do note, though, that [[LUKS]] will allow you to have more than one passphrase, more than one key file, or a mixture of passphrases and key files, allowing you to give a different password to a trusted friend or colleague.
LUKS' flexibility also allows a corporate environment to benefit, by allowing the use of a central key for system administrators, while allowing each user to have their own key.
Fedora has a new feature that allows you to perform an upgrade without having to download and burn any installation discs, and will download the required files in the background while you continue to use your existing system. When the packages have been downloaded, you reboot the computer, and Anaconda will start the upgrade.
There is a problem in that this will not (normally) upgrade an encrypted system (even though Anaconda can create an encrypted system when it performas a fresh install). However, it is possible to UpgradeAnEncryptedSystemToFedora9.
!Additional information
* http://fedoraproject.org/wiki/Features/PreUpgrade
/***
| Name|QuickOpenTagPlugin|
| Description|Changes tag links to make it easier to open tags as tiddlers|
| Version|3.0.1 ($Rev: 2342 $)|
| Date|$Date: 2007-07-05 10:57:49 +1000 (Thu, 05 Jul 2007) $|
| Source|http://mptw.tiddlyspot.com/#QuickOpenTagPlugin|
| Author|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
***/
//{{{
config.quickOpenTag = {
dropdownChar: (document.all ? "\u25bc" : "\u25be"), // the little one doesn't work in IE?
createTagButton: function(place,tag,excludeTiddler) {
// little hack so we can to <<tag PrettyTagName|RealTagName>>
var splitTag = tag.split("|");
var pretty = tag;
if (splitTag.length == 2) {
tag = splitTag[1];
pretty = splitTag[0];
}
var sp = createTiddlyElement(place,"span",null,"quickopentag");
createTiddlyText(createTiddlyLink(sp,tag,false),pretty);
var theTag = createTiddlyButton(sp,config.quickOpenTag.dropdownChar,
config.views.wikified.tag.tooltip.format([tag]),onClickTag);
theTag.setAttribute("tag",tag);
if (excludeTiddler)
theTag.setAttribute("tiddler",excludeTiddler);
return(theTag);
},
miniTagHandler: function(place,macroName,params,wikifier,paramString,tiddler) {
var tagged = store.getTaggedTiddlers(tiddler.title);
if (tagged.length > 0) {
var theTag = createTiddlyButton(place,config.quickOpenTag.dropdownChar,
config.views.wikified.tag.tooltip.format([tiddler.title]),onClickTag);
theTag.setAttribute("tag",tiddler.title);
theTag.className = "miniTag";
}
},
allTagsHandler: function(place,macroName,params) {
var tags = store.getTags(params[0]);
var filter = params[1]; // new feature
var ul = createTiddlyElement(place,"ul");
if(tags.length == 0)
createTiddlyElement(ul,"li",null,"listTitle",this.noTags);
for(var t=0; t<tags.length; t++) {
var title = tags[t][0];
if (!filter || (title.match(new RegExp('^'+filter)))) {
var info = getTiddlyLinkInfo(title);
var theListItem =createTiddlyElement(ul,"li");
var theLink = createTiddlyLink(theListItem,tags[t][0],true);
var theCount = " (" + tags[t][1] + ")";
theLink.appendChild(document.createTextNode(theCount));
var theDropDownBtn = createTiddlyButton(theListItem," " +
config.quickOpenTag.dropdownChar,this.tooltip.format([tags[t][0]]),onClickTag);
theDropDownBtn.setAttribute("tag",tags[t][0]);
}
}
},
// todo fix these up a bit
styles: [
"/*{{{*/",
"/* created by QuickOpenTagPlugin */",
".tagglyTagged .quickopentag, .tagged .quickopentag ",
" { margin-right:1.2em; border:1px solid #eee; padding:2px; padding-right:0px; padding-left:1px; }",
".quickopentag .tiddlyLink { padding:2px; padding-left:3px; }",
".quickopentag a.button { padding:1px; padding-left:2px; padding-right:2px;}",
"/* extra specificity to make it work right */",
"#displayArea .viewer .quickopentag a.button, ",
"#displayArea .viewer .quickopentag a.tiddyLink, ",
"#mainMenu .quickopentag a.tiddyLink, ",
"#mainMenu .quickopentag a.tiddyLink ",
" { border:0px solid black; }",
"#displayArea .viewer .quickopentag a.button, ",
"#mainMenu .quickopentag a.button ",
" { margin-left:0px; padding-left:2px; }",
"#displayArea .viewer .quickopentag a.tiddlyLink, ",
"#mainMenu .quickopentag a.tiddlyLink ",
" { margin-right:0px; padding-right:0px; padding-left:0px; margin-left:0px; }",
"a.miniTag {font-size:150%;} ",
"#mainMenu .quickopentag a.button ",
" /* looks better in right justified main menus */",
" { margin-left:0px; padding-left:2px; margin-right:0px; padding-right:0px; }",
"#topMenu .quickopentag { padding:0px; margin:0px; border:0px; }",
"#topMenu .quickopentag .tiddlyLink { padding-right:1px; margin-right:0px; }",
"#topMenu .quickopentag .button { padding-left:1px; margin-left:0px; border:0px; }",
"/*}}}*/",
""].join("\n"),
init: function() {
// we fully replace these builtins. can't hijack them easily
window.createTagButton = this.createTagButton;
config.macros.allTags.handler = this.allTagsHandler;
config.macros.miniTag = { handler: this.miniTagHandler };
config.shadowTiddlers["QuickOpenTagStyles"] = this.styles;
store.addNotification("QuickOpenTagStyles",refreshStyles);
}
}
config.quickOpenTag.init();
//}}}
Redundant Array of Independent Drives. Also known as Redundant Array of Inexpensive Drives. Either form may use 'Disks' in place of 'Drives'.
Under Linux, you can use hardware RAID or software RAID. Software raid has the advantage that it is not bound to any specific hardware, and thus can even survive controller failure where replacement controllers are not identical (or even of the same manufacturer). Hardware RAID, however, will usually perform faster.
!Additional information
http://en.wikipedia.org/wiki/RAID
/***
|Name|RearrangeTiddlersPlugin|
|Source|http://www.TiddlyTools.com/#RearrangeTiddlersPlugin|
|Version|0.0.0|
|Author|Joe Raii|
|License|http://www.TiddlyTools.com/#LegalStatements <<br>>and [[Creative Commons Attribution-ShareAlike 2.5 License|http://creativecommons.org/licenses/by-sa/2.5/]]|
|~CoreVersion|2.1|
|Type|plugin|
|Requires||
|Overrides|Story.prototype.refreshTiddler|
|Description|drag tiddlers by title to re-order story column display|
adapted from: http://www.cs.utexas.edu/~joeraii/dragn/#Draggable
changes by ELS:
* hijack refreshTiddler() instead of overridding createTiddler()
* find title element by className instead of elementID
* set cursor style via code instead of stylesheet
* set tooltip help text
* set tiddler "position:relative" when starting drag event, restore saved value when drag ends
* update 2006.08.07: use getElementsByTagName("*") to find title element, even when it is 'buried' deep in tiddler DOM elements (due to custom template usage)
* update 2007.03.01: use apply() to invoke hijacked core function
***/
//{{{
Story.prototype.rearrangeTiddlersHijack_refreshTiddler = Story.prototype.refreshTiddler;
Story.prototype.refreshTiddler = function(title,template,unused1,unused2,unused3,unused4,unused5)
{
this.rearrangeTiddlersHijack_refreshTiddler.apply(this,arguments);
var theTiddler = document.getElementById(this.idPrefix + title); if (!theTiddler) return;
var theHandle;
var children=theTiddler.getElementsByTagName("*");
for (var i=0; i<children.length; i++) if (hasClass(children[i],"title")) { theHandle=children[i]; break; }
if (!theHandle) return theTiddler;
Drag.init(theHandle, theTiddler, 0, 0, null, null);
theHandle.style.cursor="move";
theHandle.title="drag title to re-arrange tiddlers"
theTiddler.onDrag = function(x,y,myElem) {
if (this.style.position!="relative")
{ this.savedstyle=this.style.position; this.style.position="relative"; }
y = myElem.offsetTop;
var next = myElem.nextSibling;
var prev = myElem.previousSibling;
if (next && y + myElem.offsetHeight > next.offsetTop + next.offsetHeight/2) {
myElem.parentNode.removeChild(myElem);
next.parentNode.insertBefore(myElem, next.nextSibling);//elems[pos+1]);
myElem.style["top"] = -next.offsetHeight/2+"px";
}
if (prev && y < prev.offsetTop + prev.offsetHeight/2) {
myElem.parentNode.removeChild(myElem);
prev.parentNode.insertBefore(myElem, prev);
myElem.style["top"] = prev.offsetHeight/2+"px";
}
};
theTiddler.onDragEnd = function(x,y,myElem) {
myElem.style["top"] = "0px";
if (this.savedstyle!=undefined)
this.style.position=this.savedstyle;
}
return theTiddler;
}
/**************************************************
* dom-drag.js
* 09.25.2001
* www.youngpup.net
**************************************************
* 10.28.2001 - fixed minor bug where events
* sometimes fired off the handle, not the root.
**************************************************/
var Drag = {
obj:null,
init:
function(o, oRoot, minX, maxX, minY, maxY) {
o.onmousedown = Drag.start;
o.root = oRoot && oRoot != null ? oRoot : o ;
if (isNaN(parseInt(o.root.style.left))) o.root.style.left="0px";
if (isNaN(parseInt(o.root.style.top))) o.root.style.top="0px";
o.minX = typeof minX != 'undefined' ? minX : null;
o.minY = typeof minY != 'undefined' ? minY : null;
o.maxX = typeof maxX != 'undefined' ? maxX : null;
o.maxY = typeof maxY != 'undefined' ? maxY : null;
o.root.onDragStart = new Function();
o.root.onDragEnd = new Function();
o.root.onDrag = new Function();
},
start:
function(e) {
var o = Drag.obj = this;
e = Drag.fixE(e);
var y = parseInt(o.root.style.top);
var x = parseInt(o.root.style.left);
o.root.onDragStart(x, y, Drag.obj.root);
o.lastMouseX = e.clientX;
o.lastMouseY = e.clientY;
if (o.minX != null) o.minMouseX = e.clientX - x + o.minX;
if (o.maxX != null) o.maxMouseX = o.minMouseX + o.maxX - o.minX;
if (o.minY != null) o.minMouseY = e.clientY - y + o.minY;
if (o.maxY != null) o.maxMouseY = o.minMouseY + o.maxY - o.minY;
document.onmousemove = Drag.drag;
document.onmouseup = Drag.end;
Drag.obj.root.style["z-index"] = "10";
return false;
},
drag:
function(e) {
e = Drag.fixE(e);
var o = Drag.obj;
var ey = e.clientY;
var ex = e.clientX;
var y = parseInt(o.root.style.top);
var x = parseInt(o.root.style.left);
var nx, ny;
if (o.minX != null) ex = Math.max(ex, o.minMouseX);
if (o.maxX != null) ex = Math.min(ex, o.maxMouseX);
if (o.minY != null) ey = Math.max(ey, o.minMouseY);
if (o.maxY != null) ey = Math.min(ey, o.maxMouseY);
nx = x + (ex - o.lastMouseX);
ny = y + (ey - o.lastMouseY);
Drag.obj.root.style["left"] = nx + "px";
Drag.obj.root.style["top"] = ny + "px";
Drag.obj.lastMouseX = ex;
Drag.obj.lastMouseY = ey;
Drag.obj.root.onDrag(nx, ny, Drag.obj.root);
return false;
},
end:
function() {
document.onmousemove = null;
document.onmouseup = null;
Drag.obj.root.style["z-index"] = "0";
Drag.obj.root.onDragEnd(parseInt(Drag.obj.root.style["left"]), parseInt(Drag.obj.root.style["top"]), Drag.obj.root);
Drag.obj = null;
},
fixE:
function(e) {
if (typeof e == 'undefined') e = window.event;
if (typeof e.layerX == 'undefined') e.layerX = e.offsetX;
if (typeof e.layerY == 'undefined') e.layerY = e.offsetY;
return e;
}
};
//}}}
You must do this for all installed kernels if you change any of the CryptParameters.
* Rebuild initrd for the current kernel:
** {{command{new-kernel-pkg -{{{}}}-mkinitrd -{{{}}}-update `uname -r`}}}
* Rebuild initrd for any kernel you specify:
** {{command{new-kernel-pkg -{{{}}}-mkinitrd -{{{}}}-update {{variable{kernelversion}}}}}}
After you rebuild the initrd, you should CreateABootCD.
Various places I found useful information for constructing this guide:
* [[LUKS homepage|http://luks.endorphin.org/]]
* [[dm-crypt wiki|http://www.saout.de/tikiwiki/tiki-index.php]]
* [[Encrypt devices using dm-cryopt and LUKS|http://www.g-loaded.eu/2005/11/10/encrypt-devices-using-dm-crypt-and-luks/]]
* [[Encrypted root with LVM on Fedora 7|http://www.tummy.com/Community/Articles/cryptoroot-f7/]]
* [[Encrypted root with LVM on Fedora 8|http://www.tummy.com/Community/Articles/cryptoroot-f8/]]
* [[Encrypting your root partition on Fedora Core 5|http://linux.ioerror.us/2006/09/encrypting-your-root-partition-on-fedora-core-5/]]
* [[Why encrypt the root filesystem?|http://en.opensuse.org/Encrypted_Root_File_System_with_SUSE_HOWTO#Why_encrypt_the_root_file_system.3F]]
/***
| Name:|RenameTagsPlugin|
| Description:|Allows you to easily rename or delete tags across multiple tiddlers|
| Version:|3.0 ($Rev: 1845 $)|
| Date:|$Date: 2007-03-16 15:19:22 +1000 (Fri, 16 Mar 2007) $|
| Source:|http://mptw.tiddlyspot.com/#RenameTagsPlugin|
| Author:|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
Rename a tag and you will be prompted to rename it in all its tagged tiddlers.
***/
//{{{
config.renameTags = {
prompts: {
rename: "Rename the tag '%0' to '%1' in %2 tidder%3?",
remove: "Remove the tag '%0' from %1 tidder%2?"
},
removeTag: function(tag,tiddlers) {
store.suspendNotifications();
for (var i=0;i<tiddlers.length;i++) {
store.setTiddlerTag(tiddlers[i].title,false,tag);
}
store.resumeNotifications();
store.notifyAll();
},
renameTag: function(oldTag,newTag,tiddlers) {
store.suspendNotifications();
for (var i=0;i<tiddlers.length;i++) {
store.setTiddlerTag(tiddlers[i].title,false,oldTag); // remove old
store.setTiddlerTag(tiddlers[i].title,true,newTag); // add new
}
store.resumeNotifications();
store.notifyAll();
},
storeMethods: {
saveTiddler_orig_renameTags: TiddlyWiki.prototype.saveTiddler,
saveTiddler: function(title,newTitle,newBody,modifier,modified,tags,fields) {
if (title != newTitle) {
var tagged = this.getTaggedTiddlers(title);
if (tagged.length > 0) {
// then we are renaming a tag
if (confirm(config.renameTags.prompts.rename.format([title,newTitle,tagged.length,tagged.length>1?"s":""])))
config.renameTags.renameTag(title,newTitle,tagged);
if (!this.tiddlerExists(title) && newBody == "")
// dont create unwanted tiddler
return null;
}
}
return this.saveTiddler_orig_renameTags(title,newTitle,newBody,modifier,modified,tags,fields);
},
removeTiddler_orig_renameTags: TiddlyWiki.prototype.removeTiddler,
removeTiddler: function(title) {
var tagged = this.getTaggedTiddlers(title);
if (tagged.length > 0)
if (confirm(config.renameTags.prompts.remove.format([title,tagged.length,tagged.length>1?"s":""])))
config.renameTags.removeTag(title,tagged);
return this.removeTiddler_orig_renameTags(title);
}
},
init: function() {
merge(TiddlyWiki.prototype,this.storeMethods);
}
}
config.renameTags.init();
//}}}
/***
| Name|SaveCloseTiddlerPlugin|
| Description|Provides two extra toolbar commands, saveCloseTiddler and cancelCloseTiddler|
| Version|3.0 ($Rev: 2134 $)|
| Date|$Date: 2007-04-30 16:11:12 +1000 (Mon, 30 Apr 2007) $|
| Source|http://mptw.tiddlyspot.com/#SaveCloseTiddlerPlugin|
| Author|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
To use these you must add them to the tool bar in your EditTemplate
***/
//{{{
merge(config.commands,{
saveCloseTiddler: {
text: 'done/close',
tooltip: 'Save changes to this tiddler and close it',
handler: function(e,src,title) {
config.commands.saveTiddler.handler(e,src,title);
config.commands.closeTiddler.handler(e,src,title);
return false;
}
},
cancelCloseTiddler: {
text: 'cancel/close',
tooltip: 'Undo changes to this tiddler and close it',
handler: function(e,src,title) {
config.commands.cancelTiddler.handler(e,src,title);
config.commands.closeTiddler.handler(e,src,title);
return false;
}
}
});
//}}}
/***
|Name|SetUserNamePlugin|
|Source|http://www.TiddlyTools.com/#SetUserNamePlugin|
|Version|1.0.0-msq|
|Author|Eric Shulman - ELS Design Studios (changes by Msquared)|
|License|http://www.TiddlyTools.com/#LegalStatements <<br>>and [[Creative Commons Attribution-ShareAlike 2.5 License|http://creativecommons.org/licenses/by-sa/2.5/]]|
|~CoreVersion|2.1|
|Type|plugin|
|Requires||
|Overrides||
|Description|If default username is used ("YourName"), display prompt box to get new username|
!!!!!Installation
<<<
import (or copy/paste) the following tiddlers into your document:
''SetUserNamePlugin'' (tagged with <<tag systemConfig>>)
If you are using the default (shadow) EditTemplate definition, it will be updated to invoke this macro, so that whenever a user attempts to edit/create a tiddler AND the username is "YourName", they will be automatically prompted to enter a new username. If you are using a customized EditTemplate, you will need to edit it yourself and add the following line:
{{{
<span macro='setUserName'></span>
}}}
<<<
!!!!!Revision History
<<<
''2006.12.01 [1.0.0]'' initial release - converted from SetUserName inline script
''2007.09.05 [1.0.0-msq]'' Added prompt string as optional parameter to macro
<<<
!!!!!Credits
<<<
This feature was developed by EricShulman from [[ELS Design Studios|http:/www.elsdesign.com]]
<<<
!!!!!Code
***/
//{{{
version.extensions.setUserName= {major: 1, minor: 0, revision: 0, date: new Date(2006,12,1)};
config.macros.setUserName = {
handler: function(place,macroName,params) {
// only prompt when needed
if (readOnly || config.options.txtUserName!="YourName") return;
// get new username
var strprompt = params.shift(); if ( !strprompt ) { strprompt = "Please set your username"; }
var who=prompt(strprompt,config.options.txtUserName);
if (!who||!who.trim().length) return; // cancelled by user
// set new username
config.options.txtUserName=who;
saveOptionCookie("txtUserName");
// sync any option input fields that are showing username
var nodes = document.getElementsByTagName("input");
for(var t=0; t<nodes.length; t++)
if(nodes[t].getAttribute("option")=="txtUserName") nodes[t].value=who;
}
}
// add trigger to default shadow EditTemplate (custom templates: add this by hand)
config.shadowTiddlers.EditTemplate+="<span macro='setUserName'></span>";
//}}}
<<search>><<collapseAll "fold all">><<closeAll>><<permaview>><<newTiddler>><<saveChanges>><<slider chkSliderOptionsPanel OptionsPanel "options »" "Change TiddlyWiki advanced options">>
<<tabs txtMainTab "Timeline" "Timeline" TabTimeline "All" "All tiddlers" TabAll "Tags" "All tags" TabTags "More" "More lists" TabMore>>
[img[License this guide|http://i.creativecommons.org/l/by-sa/2.5/au/88x31.png][LicenseAndCopyright]]
A guide to encrypting the root filesystem under Fedora 7 & 8 and ~CentOS 5
Encrypted root on Fedora & ~CentOS
[[MptwStyleSheet]]
[[DocumentationStyleSheet]]
A small bootable Linux Live CD with a good collection of recovery tools, including disk partitioners, [[LVM]] commandline tools, and utilities such as a [[LUKS]]-enabled version of {{command{cryptsetup}}}.
You can use SystemRescueCD for troubleshooting and/or recovery. Once set up successfully, you should not need SystemRescueCD unless something goes wrong.
!Links
* [[Main site|http://www.sysresccd.org/]]
* [[Download page|http://www.sysresccd.org/Download]]
<<tabs txtMoreTab "Tags" "All Tags" TabAllTags "Miss" "Missing tiddlers" TabMoreMissing "Orph" "Orphaned tiddlers" TabMoreOrphans "Shad" "Shadowed tiddlers" TabMoreShadowed>>
<<allTags excludeLists [a-z]>>
/***
| Name|TagglyTaggingPlugin|
| Description|tagglyTagging macro is a replacement for the builtin tagging macro in your ViewTemplate|
| Version|3.1 ($Rev: 2341 $)|
| Date|$Date: 2007-07-05 10:02:27 +1000 (Thu, 05 Jul 2007) $|
| Source|http://mptw.tiddlyspot.com/#TagglyTaggingPlugin|
| Author|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
!Notes
See http://mptw.tiddlyspot.com/#TagglyTagging
***/
//{{{
config.taggly = {
// for translations
lingo: {
labels: {
asc: "\u2191", // down arrow
desc: "\u2193", // up arrow
title: "title",
modified: "modified",
created: "created",
show: "+",
hide: "-",
normal: "normal",
group: "group",
commas: "commas",
sitemap: "sitemap",
numCols: "cols\u00b1", // plus minus sign
label: "Tagged as '%0':",
excerpts: "excerpts",
contents: "contents",
sliders: "sliders",
noexcerpts: "title only"
},
tooltips: {
title: "Click to sort by title",
modified: "Click to sort by modified date",
created: "Click to sort by created date",
show: "Click to show tagging list",
hide: "Click to hide tagging list",
normal: "Click to show a normal ungrouped list",
group: "Click to show list grouped by tag",
sitemap: "Click to show a sitemap style list",
commas: "Click to show a comma separated list",
numCols: "Click to change number of columns",
excerpts: "Click to show excerpts",
contents: "Click to show entire tiddler contents",
sliders: "Click to show tiddler contents in sliders",
noexcerpts: "Click to show entire title only"
}
},
config: {
showTaggingCounts: true,
listOpts: {
// the first one will be the default
sortBy: ["title","modified","created"],
sortOrder: ["asc","desc"],
hideState: ["show","hide"],
listMode: ["normal","group","sitemap","commas"],
numCols: ["1","2","3","4","5","6"],
excerpts: ["noexcerpts","excerpts","contents","sliders"]
},
valuePrefix: "taggly.",
excludeTags: ["excludeLists","excludeTagging"],
excerptSize: 50,
excerptMarker: "/%"+"%/"
},
getTagglyOpt: function(title,opt) {
var val = store.getValue(title,this.config.valuePrefix+opt);
return val ? val : this.config.listOpts[opt][0];
},
setTagglyOpt: function(title,opt,value) {
if (!store.tiddlerExists(title))
// create it silently
store.saveTiddler(title,title,config.views.editor.defaultText.format([title]),config.options.txtUserName,new Date(),null);
// if value is default then remove it to save space
return store.setValue(title,
this.config.valuePrefix+opt,
value == this.config.listOpts[opt][0] ? null : value);
},
getNextValue: function(title,opt) {
var current = this.getTagglyOpt(title,opt);
var pos = this.config.listOpts[opt].indexOf(current);
// a little usability enhancement. actually it doesn't work right for grouped or sitemap
var limit = (opt == "numCols" ? store.getTaggedTiddlers(title).length : this.config.listOpts[opt].length);
var newPos = (pos + 1) % limit;
return this.config.listOpts[opt][newPos];
},
toggleTagglyOpt: function(title,opt) {
var newVal = this.getNextValue(title,opt);
this.setTagglyOpt(title,opt,newVal);
},
createListControl: function(place,title,type) {
var lingo = config.taggly.lingo;
var label;
var tooltip;
var onclick;
if ((type == "title" || type == "modified" || type == "created")) {
// "special" controls. a little tricky. derived from sortOrder and sortBy
label = lingo.labels[type];
tooltip = lingo.tooltips[type];
if (this.getTagglyOpt(title,"sortBy") == type) {
label += lingo.labels[this.getTagglyOpt(title,"sortOrder")];
onclick = function() {
config.taggly.toggleTagglyOpt(title,"sortOrder");
return false;
}
}
else {
onclick = function() {
config.taggly.setTagglyOpt(title,"sortBy",type);
config.taggly.setTagglyOpt(title,"sortOrder",config.taggly.config.listOpts.sortOrder[0]);
return false;
}
}
}
else {
// "regular" controls, nice and simple
label = lingo.labels[type == "numCols" ? type : this.getNextValue(title,type)];
tooltip = lingo.tooltips[type == "numCols" ? type : this.getNextValue(title,type)];
onclick = function() {
config.taggly.toggleTagglyOpt(title,type);
return false;
}
}
// hide button because commas don't have columns
if (!(this.getTagglyOpt(title,"listMode") == "commas" && type == "numCols"))
createTiddlyButton(place,label,tooltip,onclick,type == "hideState" ? "hidebutton" : "button");
},
makeColumns: function(orig,numCols) {
var listSize = orig.length;
var colSize = listSize/numCols;
var remainder = listSize % numCols;
var upperColsize = colSize;
var lowerColsize = colSize;
if (colSize != Math.floor(colSize)) {
// it's not an exact fit so..
upperColsize = Math.floor(colSize) + 1;
lowerColsize = Math.floor(colSize);
}
var output = [];
var c = 0;
for (var j=0;j<numCols;j++) {
var singleCol = [];
var thisSize = j < remainder ? upperColsize : lowerColsize;
for (var i=0;i<thisSize;i++)
singleCol.push(orig[c++]);
output.push(singleCol);
}
return output;
},
drawTable: function(place,columns,theClass) {
var newTable = createTiddlyElement(place,"table",null,theClass);
var newTbody = createTiddlyElement(newTable,"tbody");
var newTr = createTiddlyElement(newTbody,"tr");
for (var j=0;j<columns.length;j++) {
var colOutput = "";
for (var i=0;i<columns[j].length;i++)
colOutput += columns[j][i];
var newTd = createTiddlyElement(newTr,"td",null,"tagglyTagging"); // todo should not need this class
wikify(colOutput,newTd);
}
return newTable;
},
createTagglyList: function(place,title) {
switch(this.getTagglyOpt(title,"listMode")) {
case "group": return this.createTagglyListGrouped(place,title); break;
case "normal": return this.createTagglyListNormal(place,title,false); break;
case "commas": return this.createTagglyListNormal(place,title,true); break;
case "sitemap":return this.createTagglyListSiteMap(place,title); break;
}
},
getTaggingCount: function(title) {
// thanks to Doug Edmunds
if (this.config.showTaggingCounts) {
var tagCount = store.getTaggedTiddlers(title).length;
if (tagCount > 0)
return " ("+tagCount+")";
}
return "";
},
getExcerpt: function(inTiddlerTitle,title,indent) {
if (!indent)
indent = 1;
if (this.getTagglyOpt(inTiddlerTitle,"excerpts") == "excerpts") {
var t = store.getTiddler(title);
if (t) {
var text = t.text.replace(/\n/," ");
var marker = text.indexOf(this.config.excerptMarker);
if (marker != -1) {
return " {{excerpt{<nowiki>" + text.substr(0,marker) + "</nowiki>}}}";
}
else if (text.length < this.config.excerptSize) {
return " {{excerpt{<nowiki>" + t.text + "</nowiki>}}}";
}
else {
return " {{excerpt{<nowiki>" + t.text.substr(0,this.config.excerptSize) + "..." + "</nowiki>}}}";
}
}
}
else if (this.getTagglyOpt(inTiddlerTitle,"excerpts") == "contents") {
var t = store.getTiddler(title);
if (t) {
return "\n{{contents indent"+indent+"{\n" + t.text + "\n}}}";
}
}
else if (this.getTagglyOpt(inTiddlerTitle,"excerpts") == "sliders") {
var t = store.getTiddler(title);
if (t) {
return "<slider open>\n{{contents{\n" + t.text + "\n}}}\n</slider>";
}
}
return "";
},
notHidden: function(t,inTiddler) {
if (typeof t == "string")
t = store.getTiddler(t);
return (!t || !t.tags.containsAny(this.config.excludeTags) ||
(inTiddler && this.config.excludeTags.contains(inTiddler)));
},
// this is for normal and commas mode
createTagglyListNormal: function(place,title,useCommas) {
var list = store.getTaggedTiddlers(title,this.getTagglyOpt(title,"sortBy"));
if (this.getTagglyOpt(title,"sortOrder") == "desc")
list = list.reverse();
var output = [];
var first = true;
for (var i=0;i<list.length;i++) {
if (this.notHidden(list[i],title)) {
var countString = this.getTaggingCount(list[i].title);
var excerpt = this.getExcerpt(title,list[i].title);
if (useCommas)
output.push((first ? "" : ", ") + "[[" + list[i].title + "]]" + countString + excerpt);
else
output.push("*[[" + list[i].title + "]]" + countString + excerpt + "\n");
first = false;
}
}
return this.drawTable(place,
this.makeColumns(output,useCommas ? 1 : parseInt(this.getTagglyOpt(title,"numCols"))),
useCommas ? "commas" : "normal");
},
// this is for the "grouped" mode
createTagglyListGrouped: function(place,title) {
var sortBy = this.getTagglyOpt(title,"sortBy");
var sortOrder = this.getTagglyOpt(title,"sortOrder");
var list = store.getTaggedTiddlers(title,sortBy);
if (sortOrder == "desc")
list = list.reverse();
var leftOvers = []
for (var i=0;i<list.length;i++)
leftOvers.push(list[i].title);
var allTagsHolder = {};
for (var i=0;i<list.length;i++) {
for (var j=0;j<list[i].tags.length;j++) {
if (list[i].tags[j] != title) { // not this tiddler
if (this.notHidden(list[i].tags[j],title)) {
if (!allTagsHolder[list[i].tags[j]])
allTagsHolder[list[i].tags[j]] = "";
if (this.notHidden(list[i],title)) {
allTagsHolder[list[i].tags[j]] += "**[["+list[i].title+"]]"
+ this.getTaggingCount(list[i].title) + this.getExcerpt(title,list[i].title) + "\n";
leftOvers.setItem(list[i].title,-1); // remove from leftovers. at the end it will contain the leftovers
}
}
}
}
}
var allTags = [];
for (var t in allTagsHolder)
allTags.push(t);
var sortHelper = function(a,b) {
if (a == b) return 0;
if (a < b) return -1;
return 1;
};
allTags.sort(function(a,b) {
var tidA = store.getTiddler(a);
var tidB = store.getTiddler(b);
if (sortBy == "title") return sortHelper(a,b);
else if (!tidA && !tidB) return 0;
else if (!tidA) return -1;
else if (!tidB) return +1;
else return sortHelper(tidA[sortBy],tidB[sortBy]);
});
var leftOverOutput = "";
for (var i=0;i<leftOvers.length;i++)
if (this.notHidden(leftOvers[i],title))
leftOverOutput += "*[["+leftOvers[i]+"]]" + this.getTaggingCount(leftOvers[i]) + this.getExcerpt(title,leftOvers[i]) + "\n";
var output = [];
if (sortOrder == "desc")
allTags.reverse();
else if (leftOverOutput != "")
// leftovers first...
output.push(leftOverOutput);
for (var i=0;i<allTags.length;i++)
if (allTagsHolder[allTags[i]] != "")
output.push("*[["+allTags[i]+"]]" + this.getTaggingCount(allTags[i]) + this.getExcerpt(title,allTags[i]) + "\n" + allTagsHolder[allTags[i]]);
if (sortOrder == "desc" && leftOverOutput != "")
// leftovers last...
output.push(leftOverOutput);
return this.drawTable(place,
this.makeColumns(output,parseInt(this.getTagglyOpt(title,"numCols"))),
"grouped");
},
// used to build site map
treeTraverse: function(title,depth,sortBy,sortOrder) {
var list = store.getTaggedTiddlers(title,sortBy);
if (sortOrder == "desc")
list.reverse();
var indent = "";
for (var j=0;j<depth;j++)
indent += "*"
var childOutput = "";
for (var i=0;i<list.length;i++)
if (list[i].title != title)
if (this.notHidden(list[i].title,this.config.inTiddler))
childOutput += this.treeTraverse(list[i].title,depth+1,sortBy,sortOrder);
if (depth == 0)
return childOutput;
else
return indent + "[["+title+"]]" + this.getTaggingCount(title) + this.getExcerpt(this.config.inTiddler,title,depth) + "\n" + childOutput;
},
// this if for the site map mode
createTagglyListSiteMap: function(place,title) {
this.config.inTiddler = title; // nasty. should pass it in to traverse probably
var output = this.treeTraverse(title,0,this.getTagglyOpt(title,"sortBy"),this.getTagglyOpt(title,"sortOrder"));
return this.drawTable(place,
this.makeColumns(output.split(/(?=^\*\[)/m),parseInt(this.getTagglyOpt(title,"numCols"))), // regexp magic
"sitemap"
);
},
macros: {
tagglyTagging: {
handler: function (place,macroName,params,wikifier,paramString,tiddler) {
var refreshContainer = createTiddlyElement(place,"div");
// do some refresh magic to make it keep the list fresh - thanks Saq
refreshContainer.setAttribute("refresh","macro");
refreshContainer.setAttribute("macroName",macroName);
refreshContainer.setAttribute("title",tiddler.title);
this.refresh(refreshContainer);
},
refresh: function(place) {
var title = place.getAttribute("title");
removeChildren(place);
if (store.getTaggedTiddlers(title).length > 0) {
var lingo = config.taggly.lingo;
config.taggly.createListControl(place,title,"hideState");
if (config.taggly.getTagglyOpt(title,"hideState") == "show") {
createTiddlyElement(place,"span",null,"tagglyLabel",lingo.labels.label.format([title]));
config.taggly.createListControl(place,title,"title");
config.taggly.createListControl(place,title,"modified");
config.taggly.createListControl(place,title,"created");
config.taggly.createListControl(place,title,"listMode");
config.taggly.createListControl(place,title,"excerpts");
config.taggly.createListControl(place,title,"numCols");
config.taggly.createTagglyList(place,title);
}
}
}
}
},
// todo fix these up a bit
styles: [
"/*{{{*/",
"/* created by TagglyTaggingPlugin */",
".tagglyTagging { padding-top:0.5em; }",
".tagglyTagging li.listTitle { display:none; }",
".tagglyTagging ul {",
" margin-top:0px; padding-top:0.5em; padding-left:2em;",
" margin-bottom:0px; padding-bottom:0px;",
"}",
".tagglyTagging { vertical-align: top; margin:0px; padding:0px; }",
".tagglyTagging table { margin:0px; padding:0px; }",
".tagglyTagging .button { visibility:hidden; margin-left:3px; margin-right:3px; }",
".tagglyTagging .button, .tagglyTagging .hidebutton {",
" color:[[ColorPalette::TertiaryLight]]; font-size:90%;",
" border:0px; padding-left:0.3em;padding-right:0.3em;",
"}",
".tagglyTagging .button:hover, .hidebutton:hover, ",
".tagglyTagging .button:active, .hidebutton:active {",
" border:0px; background:[[ColorPalette::TertiaryPale]]; color:[[ColorPalette::TertiaryDark]];",
"}",
".selected .tagglyTagging .button { visibility:visible; }",
".tagglyTagging .hidebutton { color:[[ColorPalette::Background]]; }",
".selected .tagglyTagging .hidebutton { color:[[ColorPalette::TertiaryLight]] }",
".tagglyLabel { color:[[ColorPalette::TertiaryMid]]; font-size:90%; }",
".tagglyTagging ul {padding-top:0px; padding-bottom:0.5em; margin-left:1em; }",
".tagglyTagging ul ul {list-style-type:disc; margin-left:-1em;}",
".tagglyTagging ul ul li {margin-left:0.5em; }",
".editLabel { font-size:90%; padding-top:0.5em; }",
".tagglyTagging .commas { padding-left:1.8em; }",
"/* not technically tagglytagging but will put them here anyway */",
".tagglyTagged li.listTitle { display:none; }",
".tagglyTagged li { display: inline; font-size:90%; }",
".tagglyTagged ul { margin:0px; padding:0px; }",
".excerpt { color:[[ColorPalette::TertiaryDark]]; }",
"div.tagglyTagging table,",
"div.tagglyTagging table tr,",
"td.tagglyTagging",
" {border-style:none!important; }",
".tagglyTagging .contents { border:1px solid [[ColorPalette::TertiaryPale]]; padding:0 1em 0 0.5em; }",
".tagglyTagging .indent1 { margin-left:3em; }",
".tagglyTagging .indent2 { margin-left:4em; }",
".tagglyTagging .indent3 { margin-left:5em; }",
".tagglyTagging .indent4 { margin-left:6em; }",
".tagglyTagging .indent5 { margin-left:7em; }",
".tagglyTagging .indent6 { margin-left:8em; }",
".tagglyTagging .indent7 { margin-left:9em; }",
".tagglyTagging .indent8 { margin-left:10em; }",
".tagglyTagging .indent9 { margin-left:11em; }",
".tagglyTagging .indent10 { margin-left:12em; }",
"/*}}}*/",
""].join("\n"),
init: function() {
merge(config.macros,this.macros);
config.shadowTiddlers["TagglyTaggingStyles"] = this.styles;
store.addNotification("TagglyTaggingStyles",refreshStyles);
}
};
config.taggly.init();
//}}}
/***
InlineSlidersPlugin
By Saq Imtiaz
http://tw.lewcid.org/sandbox/#InlineSlidersPlugin
// syntax adjusted to not clash with NestedSlidersPlugin
***/
//{{{
config.formatters.unshift( {
name: "inlinesliders",
// match: "\\+\\+\\+\\+|\\<slider",
match: "\\<slider",
// lookaheadRegExp: /(?:\+\+\+\+|<slider) (.*?)(?:>?)\n((?:.|\n)*?)\n(?:====|<\/slider>)/mg,
lookaheadRegExp: /(?:<slider) (.*?)(?:>)\n((?:.|\n)*?)\n(?:<\/slider>)/mg,
handler: function(w) {
this.lookaheadRegExp.lastIndex = w.matchStart;
var lookaheadMatch = this.lookaheadRegExp.exec(w.source)
if(lookaheadMatch && lookaheadMatch.index == w.matchStart ) {
var btn = createTiddlyButton(w.output,lookaheadMatch[1] + " "+"\u00BB",lookaheadMatch[1],this.onClickSlider,"button sliderButton");
var panel = createTiddlyElement(w.output,"div",null,"sliderPanel");
panel.style.display = "none";
wikify(lookaheadMatch[2],panel);
w.nextMatch = lookaheadMatch.index + lookaheadMatch[0].length;
}
},
onClickSlider : function(e) {
if(!e) var e = window.event;
var n = this.nextSibling;
n.style.display = (n.style.display=="none") ? "block" : "none";
return false;
}
});
//}}}
A large collection of tools and plugins for TiddlyWiki
!Home page
http://www.tiddlytools.com/
|''Type:''|file|
|''URL:''|http://www.tiddlytools.com/|
|''Workspace:''||
This tiddler was automatically created to record the details of this server
TiddlyWiki is a complete [[wiki|http://en.wikipedia.org/wiki/Wiki]] in a single HTML file. It contains the entire text of the wiki, and all the ~JavaScript, CSS and HTML goodness to be able to display it, and let you edit it or search it. Without needing a server.
!Home page
http://www.tiddlywiki.com/
/***
| Name|ToggleTagPlugin|
| Description|Makes a checkbox which toggles a tag in a tiddler|
| Version|3.0 ($Rev: 1845 $)|
| Date|$Date: 2007-03-16 15:19:22 +1000 (Fri, 16 Mar 2007) $|
| Source|http://tiddlyspot.com/mptw/#ToggleTagMacro|
| Author|Simon Baird <simon.baird@gmail.com>|
| License|http://mptw.tiddlyspot.com/#TheBSDLicense|
!Usage
{{{<<toggleTag }}}//{{{TagName TiddlerName LabelText}}}//{{{>>}}}
* TagName - the tag to be toggled, default value "checked"
* TiddlerName - the tiddler to toggle the tag in, default value the current tiddler
* LabelText - the text (gets wikified) to put next to the check box, default value is '{{{[[TagName]]}}}' or '{{{[[TagName]] [[TiddlerName]]}}}'
(If a parameter is '.' then the default will be used)
Examples:
|Code|Description|Example|h
|{{{<<toggleTag>>}}}|Toggles the default tag (checked) in this tiddler|<<toggleTag>>|
|{{{<<toggleTag TagName>>}}}|Toggles the TagName tag in this tiddler|<<toggleTag TagName>>|
|{{{<<toggleTag TagName TiddlerName>>}}}|Toggles the TagName tag in the TiddlerName tiddler|<<toggleTag TagName TiddlerName>>|
|{{{<<toggleTag TagName TiddlerName 'click me'>>}}}|Same but with custom label|<<toggleTag TagName TiddlerName 'click me'>>|
|{{{<<toggleTag . . 'click me'>>}}}|dot means use default value|<<toggleTag . . 'click me'>>|
Notes:
* If TiddlerName doesn't exist it will be silently created
* Set label to '-' to specify no label
* See also http://mgtd-alpha.tiddlyspot.com/#ToggleTag2
!Known issues
* Doesn't smoothly handle the case where you toggle a tag in a tiddler that is current open for editing
***/
//{{{
merge(config.macros,{
toggleTag: {
doRefreshAll: true,
createIfRequired: true,
shortLabel: "[[%0]]",
longLabel: "[[%0]] [[%1]]",
handler: function(place,macroName,params,wikifier,paramString,tiddler) {
var tag = (params[0] && params[0] != '.') ? params[0] : "checked";
var title = (params[1] && params[1] != '.') ? params[1] : tiddler.title;
var defaultLabel = (title == tiddler.title ? this.shortLabel : this.longLabel);
var label = (params[2] && params[2] != '.') ? params[2] : defaultLabel;
label = (label == '-' ? '' : label);
var theTiddler = title == tiddler.title ? tiddler : store.getTiddler(title);
var cb = createTiddlyCheckbox(place, label.format([tag,title]), theTiddler && theTiddler.isTagged(tag), function(e) {
if (!store.tiddlerExists(title)) {
if (config.macros.toggleTag.createIfRequired) {
var content = store.getTiddlerText(title); // just in case it's a shadow
store.saveTiddler(title,title,content?content:"",config.options.txtUserName,new Date(),null);
}
else
return false;
}
store.setTiddlerTag(title,this.checked,tag);
return true;
});
}
}
});
//}}}
TrueCrypt is an open-source on-the-fly disk encryption package that supports both Windows and Linux, but can not be set up to encrypt the boot disk of either operating system.
!Additional information
* http://www.truecrypt.org/
# Edit {{file{/etc/selinux/config}}}
# Change the {{literal{SELINUX=enforcing}}} to {{literal{SELINUX=permissive}}}
# Save the file
# Reboot the computer
# Edit {{file{/etc/selinux/config}}}
# Change the {{literal{SELINUX=permissive}}} to {{literal{SELINUX=enforcing}}}
# Save the file
# Reboot the computer
Fedora 9 will install an encrypted system for you, but what about upgrading an encrypted Fedora 8 system?
Fortunately, this is actually fairly easy, although you will lose the ability to decrypt with a USB drive (until I come up with a patch).
!Problem
The reason you can't just run an upgrade is that Anaconda (the installer) decrypts encrypted drives //after// it decides whether or not there's an installed system that it can upgrade. This means that Anaconda doesn't even give you the option to do an upgrade; it just assumes you want to perform an install.
!Solution
Actually quite simple: just decrypt the drive before Anaconda gets under way. Anaconda will detect your existing installation, and offer to upgrade it for you.
Even better, you can still use Fedora 9's new PreUpgrade feature to help you upgrade without burning ~CDs or ~DVDs, and without waiting for the upgrade files to download (they'll be downloaded in the background).
!Steps
# Boot your existing Fedora 8 system;
# Look in {{file{/etc/sysconfig/mkinitrd}}} and find the value of {{literal{~CRYPT_PARTITION}}} (eg: {{literal{/dev/sda2}}});
# Run PreUpgrade and reboot, or boot a Fedora 9 install DVD;
# If Anaconda asks for IP configuration, supply it;
# At Anaconda's first graphic screen (ie: just after it starts X):
## Press {{key{~ALT-F2}}} to switch to a root console;
## Run {{command{cryptsetup luksOpen /dev/sda2 cryptpv}}} to decrypt your system partition;
## You should see something like {{literal{key slot 0 unlocked.}}}/{{literal{Command successful.}}}
# Switch back to graphical installer with {{key{~ALT-F6}}};
# Continue with the upgrade, but note:
#* Anaconda will ask you for the passphrase your partition: hit cancel, as it is already decrypted
I will post a patch for decrypting with a thumb drive soon...
!Notes
!!Password only - no USB drive (yet)
Anaconda (and the installed Fedora 9) do not yet know how to use a USB thumb drive to decrypt your system, so you must perform this process using a LUKS passphrase. If your LUKS partition does not have a passphrase (because you only have USB thumb drives configured for decryption), you must add a LUKS passphrase.
You can add a LUKS passphrase using a command such as:
* {{command{cryptsetup -{{{}}}-key-file {{variable{/mnt/thumb/keys/laptop.key}}} luksAddKey {{variable{/dev/sda2}}}}}}
Be sure to mount your thumb drive and use the correct path, and add the key to the correct partition. (See {{file{/etc/sysconfig/mkinitrd}}} for the location that Fedora 8 normally uses to find the decryption key.)
[[RAID]] is a means of improving performance and/or improving reliability by using two or more drives together.
Whether you do something differently when setting up may depend on whether you use software-based or hardware-based RAID:
* Hardware-based RAID will probably allow you to use this guide the same as if you were not using RAID at all, but if your RAID controller fails and you can't replace it with a compatible one, you may lose all of your data;
* Software-based RAID may afford you eaiser recovery in case of controller failure, but setting it up will be a little different from the instructions in this guide.
Things you need to be aware of if you are using RAID with encrypted root filesystem as described in this guide:
* Your first couple of steps (preparing the disk and installing the system) will be a bit more complicated
* It might be easier to create all three RAID drives up front (rather than two of them, then add the third later, as we do with the partitions)
* The final storage setup should be layered thusly:
*# (top layer) Your filesystems are all contained in logical volumes within your primary volume group
*# Your primary (and probably only) volume group sits on a single [[LVM]] physical volume
*# Your LVM physical volume sits on top of a [[LUKS]]-encrypted volume
*# The ~LUKS-encrypted volume sits on top of a RAID drive
*# (bottom layer) The RAID drive is built from two or more paritions (each on a different physical drive)
* The patches make the above assumption about layering of storage
!Hacking {{command{mkinitrd}}}
As if the above weren't enough to make using RAID harder: although {{command{mkinitrd}}} will normally detect the RAID array that your main volume group sits on, when you introduce another layer of indirection between the RAID array and the volume group, {{command{mkinitrd}}} can't find the RAID aray.
Even if it could find the RAID array underneath LUKS, it wouldn't find it until you added the LUKS volume to the LVM volume group, leaving a window for failure whereby your volume group is using the LUKS volume, but your initrd has not yet been updated. (Note that the MainInstructions help you ensure that the encrypted volume is handled correctly by the initrd before moving the volume group onto it.)
So, rather than an elaborate patch to automatically detect and add the RAID array under the LUKS volume, you could use a simpler patch that just adds the array based on the parameter you specified (ie: {{literal{~CRYPT_PARTITION}}}).
Just below the large chunk of code that tries to handle your root filesystem (it's a large 'if'/'fi' section that contains a couple of calls to handlelvordev(), and tries to guess swsuspdev), add something like this:
{{{
# handle cryptroot on raid
if [ -n "$CRYPT_PARTITION" ]; then
handlelvordev $CRYPT_PARTITION
fi
}}}
This is almost completely untested, so use at your own risk!
The main differences without [[LVM]] is that you must copy the contents of the unencrypted partition to the encrypted partition yourself using {{command{dd}}}, and that you only get to encrypt one partition. Having an unencrypted swap is not a good idea, but there are many howto's on the 'net about how to do it.
Instead of using LVM's physical volume and volume group management commands to move your volume group from {{file{/dev/sda3}}} to {{file{/dev/mapper/cryptpv}}}, you would do something like this:
* {{command{dd if=/dev/sda3 of=/dev/mapper/cryptpv}}}
You could still remove {{literal{sda3}}} and grow {{literal{sda2}}} into it's place, and grow the encrypted volume to fill it, then the filesystem to fill that.
You would also have to modify {{file{/etc/fstab}}}, unless the root filesystem is mounted by label rather than by device.
Just remember that LVM lets you encrypt all of your logical partitions more easily than you could without it.
The common name for the 'initial RAM disk'. The initial RAM disk is a very small filesystem that fits inside a single file. The filesystem has just enough configuration, tools, and libraries to help the kernel find, mount, and use the root filesystem.
An initial RAM disk is not always required, since the kernel can include all the modules required to find and mount the root filesystem. However, using an initial RAM disk gives you a bit more flexibility and power in setting up the root filesystem.
On a Red Hat based system, {{command{[[mkinitrd]]}}} is used to build the initrd. We will modify {{command{mkinitrd}}} to build an initial RAM disk that will try to decrypt a partition with either a file from a USB key, or a passphrase that you can type in.
!Additional information
* http://en.wikipedia.org/wiki/Initrd
On a Red Hat based system, {{command{mkinitrd}}} is the tool that builds [[initrd]] (the initial ram disk). We need to modify it so that it builds a modified initrd that supports encrypted disks.
See [[Patches]] for a list of patches.
This patch is suitable for {{command{mkinitrd}}} version 5.1.19.6-1 (shipped with ~CentOS 5.0).
{{{
--- mkinitrd.orig 2007-03-29 06:58:20.000000000 +0800
+++ mkinitrd 2007-12-07 02:01:44.000000000 +0800
@@ -1006,6 +1006,26 @@
findmodule $n
done
+# Include modules for decryption
+if [ -n "$CRYPT_PARTITION" ]; then
+ for n in aes sha256 dm_crypt cbc; do
+ findmodule $n
+ done
+fi
+
+# Include modules for typical USB drives for decryption key
+if [ -n "$CRYPT_PARTITION" -a -n "$CRYPT_KEYDRIVE" ]; then
+ CRYPTFSMODS="usb_storage"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ CRYPTFSMODS="$CRYPTFSMODS $CRYPT_KEYDRIVEFSMOD"
+ else
+ CRYPTFSMODS="$CRYPTFSMODS vfat"
+ fi
+ for n in $CRYPTFSMODS; do
+ findmodule $n
+ done
+fi
+
for n in $CONFMODS; do
findmodule $n
done
@@ -1082,6 +1102,7 @@
inst /sbin/nash "$MNTIMAGE/bin/nash"
inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"
ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
+inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup"
for MODULE in $MODULES; do
if [ -x /usr/bin/strip ]; then
@@ -1273,6 +1294,25 @@
done
fi
+if [ -n "$CRYPT_PARTITION" -a -n "$CRYPT_DMNAME" ]; then
+ emit "echo Decrypting root device"
+ if [ -n "$CRYPT_KEYDRIVE" -a -n "$CRYPT_KEYPATH" ]; then
+ emit "mkdir /mnt"
+ emit "mkdir /mnt/thumb"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ emit "mount -o ro -t $CRYPT_KEYDRIVEFSMOD $CRYPT_KEYDRIVE /mnt/thumb"
+ else
+ emit "mount -o ro -t vfat $CRYPT_KEYDRIVE /mnt/thumb"
+ emit "cond -ne 0 mount -o ro -t ext3 $CRYPT_KEYDRIVE /mnt/thumb"
+ fi
+ emit "cryptsetup --key-file /mnt/thumb/$CRYPT_KEYPATH luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ emit "cond -ne 0 cryptsetup luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ emit "umount /mnt/thumb"
+ else
+ emit "cryptsetup luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ fi
+fi
+
if [ -n "$vg_list" ]; then
emit "echo Scanning logical volumes"
emit "lvm vgscan --ignorelockingfailure"
}}}
This patch is suitable for {{command{mkinitrd}}} version 5.1.19.6-19 (shipped with ~CentOS 5.1, and the latest update available for ~CentOS 5.//x// as of 7-Dec-2007).
{{{
--- mkinitrd.orig 2007-11-11 09:57:35.000000000 +0800
+++ mkinitrd 2007-12-07 03:17:57.000000000 +0800
@@ -1060,10 +1060,32 @@
findmodule $n
done
+# Include modules for decryption
+if [ -n "$CRYPT_PARTITION" ]; then
+ for n in aes sha256 dm_crypt; do
+ findmodule $n
+ done
+fi
+
+# Include modules for typical USB drives for decryption key
+if [ -n "$CRYPT_PARTITION" -a -n "$CRYPT_KEYDRIVE" ]; then
+ CRYPTFSMODS="usb_storage"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ CRYPTFSMODS="$CRYPTFSMODS $CRYPT_KEYDRIVEFSMOD"
+ else
+ CRYPTFSMODS="$CRYPTFSMODS vfat"
+ fi
+ for n in $CRYPTFSMODS; do
+ findmodule $n
+ done
+fi
+
for n in $CONFMODS; do
findmodule $n
done
+findmodule -dm-crypt
+
vecho "Using modules: $MODULES"
MNTIMAGE=`mktemp -d ${TMPDIR}/initrd.XXXXXX`
@@ -1106,6 +1128,7 @@
inst /sbin/nash "$MNTIMAGE/bin/nash"
inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"
ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
+inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup"
for MODULE in $MODULES; do
if [ -x /usr/bin/strip ]; then
@@ -1351,6 +1374,25 @@
done
fi
+if [ -n "$CRYPT_PARTITION" -a -n "$CRYPT_DMNAME" ]; then
+ emit "echo Decrypting root device"
+ if [ -n "$CRYPT_KEYDRIVE" -a -n "$CRYPT_KEYPATH" ]; then
+ emit "mkdir /mnt"
+ emit "mkdir /mnt/thumb"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ emit "mount -o ro -t $CRYPT_KEYDRIVEFSMOD $CRYPT_KEYDRIVE /mnt/thumb"
+ else
+ emit "mount -o ro -t vfat $CRYPT_KEYDRIVE /mnt/thumb"
+ emit "cond -ne 0 mount -o ro -t ext3 $CRYPT_KEYDRIVE /mnt/thumb"
+ fi
+ emit "cryptsetup --key-file /mnt/thumb/$CRYPT_KEYPATH luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ emit "cond -ne 0 cryptsetup luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ emit "umount /mnt/thumb"
+ else
+ emit "cryptsetup luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ fi
+fi
+
if [ -n "$vg_list" ]; then
emit "echo Scanning logical volumes"
emit "lvm vgscan --ignorelockingfailure"
}}}
This patch is suitable for {{command{mkinitrd}}} version 6.0.19-4 (shipped with Fedora 8).
{{{
--- mkinitrd.orig 2007-10-31 03:05:44.000000000 +0900
+++ mkinitrd 2007-11-29 01:21:16.000000000 +0900
@@ -1243,6 +1243,26 @@
findmodule $n
done
+# Include modules for decryption
+if [ -n "$CRYPT_PARTITION" ]; then
+ for n in aes sha256 dm_crypt cbc; do
+ findmodule $n
+ done
+fi
+
+# Include modules for typical USB drives for decryption key
+if [ -n "$CRYPT_PARTITION" -a -n "$CRYPT_KEYDRIVE" ]; then
+ CRYPTFSMODS="usb_storage"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ CRYPTFSMODS="$CRYPTFSMODS $CRYPT_KEYDRIVEFSMOD"
+ else
+ CRYPTFSMODS="$CRYPTFSMODS vfat"
+ fi
+ for n in $CRYPTFSMODS; do
+ findmodule $n
+ done
+fi
+
for n in $CONFMODS; do
findmodule $n
done
@@ -1317,6 +1337,7 @@
inst /sbin/insmod "$MNTIMAGE" /bin/insmod
inst /sbin/rmmod "$MNTIMAGE" /bin/rmmod
+inst /sbin/cryptsetup "$MNTIMAGE" /bin/cryptsetup
if [ -e /etc/fstab.sys ]; then
inst /etc/fstab.sys "$MNTIMAGE"
@@ -1540,6 +1561,25 @@
done
fi
+if [ -n "$CRYPT_PARTITION" -a -n "$CRYPT_DMNAME" ]; then
+ emit "echo Decrypting root device"
+ if [ -n "$CRYPT_KEYDRIVE" -a -n "$CRYPT_KEYPATH" ]; then
+ emit "mkdir /mnt"
+ emit "mkdir /mnt/thumb"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ emit "mount -o ro -t $CRYPT_KEYDRIVEFSMOD $CRYPT_KEYDRIVE /mnt/thumb"
+ else
+ emit "mount -o ro -t vfat $CRYPT_KEYDRIVE /mnt/thumb"
+ emit "cond -ne 0 mount -o ro -t ext3 $CRYPT_KEYDRIVE /mnt/thumb"
+ fi
+ emit "cryptsetup --key-file /mnt/thumb/$CRYPT_KEYPATH luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ emit "cond -ne 0 cryptsetup luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ emit "umount /mnt/thumb"
+ else
+ emit "cryptsetup luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ fi
+fi
+
if [ -z "$nolvm" -a -n "$vg_list" ]; then
emit "echo Scanning logical volumes"
emit "lvm vgscan --ignorelockingfailure"
}}}
This patch is suitable for {{command{mkinitrd}}} version 6.0.52-2 (shipped with Fedora 9).
Note that this patch only adds USB key support, as Fedora 9 already has [[LUKS]]-based encrypted filesystem support build-in.
{{{
--- mkinitrd.orig 2008-05-28 21:40:59.000000000 +0800
+++ mkinitrd 2008-05-28 22:53:54.000000000 +0800
@@ -1351,6 +1351,19 @@
findmodule $n
done
+# Include modules for typical USB drive decryption key
+if [ -n "$CRYPT_KEYDRIVE" -a -n "$CRYPT_KEYPATH" ]; then
+ CRYPTFSMODS="usb-storage"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ CRYPTFSMODS="$CRYPTFSMODS $CRYPT_KEYDRIVEFSMOD"
+ else
+ CRYPTFSMODS="$CRYPTFSMODS vfat"
+ fi
+ for n in $CRYPTFSMODS; do
+ findmodule $n
+ done
+fi
+
for n in $CONFMODS; do
findmodule $n
done
@@ -1790,7 +1803,12 @@
emitcrypto()
{
emit "echo Setting up disk encryption: $1"
- emit "cryptsetup luksOpen $1 $2"
+ if [ -n "$CRYPT_KEYDRIVE" -a -n "$CRYPT_KEYPATH" ]; then
+ emit "cryptsetup --key-file /mnt/keydrive/$CRYPT_KEYPATH luksOpen $1 $2"
+ emit "cond -ne 0 cryptsetup luksOpen $1 $2"
+ else
+ emit "cryptsetup luksOpen $1 $2"
+ fi
}
if [ -n "$KEYMAP" ]; then
@@ -1798,6 +1816,17 @@
emit "$LOADKEYS $KEYMAP"
fi
+if [ -n "$CRYPT_KEYDRIVE" -a -n "$CRYPT_KEYPATH" ]; then
+ emit "mkdir /mnt"
+ emit "mkdir /mnt/keydrive"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ emit "mount -o ro -t $CRYPT_KEYDRIVEFSMOD $CRYPT_KEYDRIVE /mnt/keydrive"
+ else
+ emit "mount -o ro -t vfat $CRYPT_KEYDRIVE /mnt/keydrive"
+ emit "cond -ne 0 mount -o ro -t ext3 $CRYPT_KEYDRIVE /mnt/keydrive"
+ fi
+fi
+
for cryptdev in ${!cryptopart@} ; do
emitcrypto `eval echo '$'$cryptdev`
done
@@ -1823,6 +1852,11 @@
emitcrypto `eval echo '$'$cryptdev`
done
+if [ -n "$CRYPT_KEYDRIVE" -a -n "$CRYPT_KEYPATH" ]; then
+ emit "umount /mnt/keydrive"
+ emit "rmdir /mnt/keydrive"
+fi
+
if [ -z "$noresume" -a -n "$swsuspdev" ]; then
emit "resume $swsuspdev"
fi
}}}
This patch is suitable for {{command{mkinitrd}}} version 6.0.9-5 (shipped with Fedora 7).
This patch is also suitable for {{command{mkinitrd}}} version 6.0.9-7.1 (the latest update for Fedora7 as of 10-Dec-2007).
Note that this patch must be re-applied after you update {{command{mkinitrd}}} from version 6.0.9-5 to version 6.0.9-7.1
{{{
--- mkinitrd.orig 2007-06-12 06:20:01.000000000 +0800
+++ mkinitrd 2007-12-09 09:28:10.000000000 +0900
@@ -1168,6 +1168,26 @@
findmodule $n
done
+# Include modules for decryption
+if [ -n "$CRYPT_PARTITION" ]; then
+ for n in aes sha256 dm_crypt cbc; do
+ findmodule $n
+ done
+fi
+
+# Include modules for typical USB drives for decryption key
+if [ -n "$CRYPT_PARTITION" -a -n "$CRYPT_KEYDRIVE" ]; then
+ CRYPTFSMODS="usb_storage"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ CRYPTFSMODS="$CRYPTFSMODS $CRYPT_KEYDRIVEFSMOD"
+ else
+ CRYPTFSMODS="$CRYPTFSMODS vfat"
+ fi
+ for n in $CRYPTFSMODS; do
+ findmodule $n
+ done
+fi
+
for n in $CONFMODS; do
findmodule $n
done
@@ -1242,6 +1262,7 @@
inst /sbin/insmod "$MNTIMAGE" /bin/insmod
inst /sbin/rmmod "$MNTIMAGE" /bin/rmmod
+inst /sbin/cryptsetup "$MNTIMAGE" /bin/cryptsetup
if [ -e /etc/fstab.sys ]; then
inst /etc/fstab.sys "$MNTIMAGE"
@@ -1460,6 +1481,25 @@
done
fi
+if [ -n "$CRYPT_PARTITION" -a -n "$CRYPT_DMNAME" ]; then
+ emit "echo Decrypting root device"
+ if [ -n "$CRYPT_KEYDRIVE" -a -n "$CRYPT_KEYPATH" ]; then
+ emit "mkdir /mnt"
+ emit "mkdir /mnt/thumb"
+ if [ -n "$CRYPT_KEYDRIVEFSMOD" ]; then
+ emit "mount -o ro -t $CRYPT_KEYDRIVEFSMOD $CRYPT_KEYDRIVE /mnt/thumb"
+ else
+ emit "mount -o ro -t vfat $CRYPT_KEYDRIVE /mnt/thumb"
+ emit "cond -ne 0 mount -o ro -t ext3 $CRYPT_KEYDRIVE /mnt/thumb"
+ fi
+ emit "cryptsetup --key-file /mnt/thumb/$CRYPT_KEYPATH luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ emit "cond -ne 0 cryptsetup luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ emit "umount /mnt/thumb"
+ else
+ emit "cryptsetup luksOpen $CRYPT_PARTITION $CRYPT_DMNAME"
+ fi
+fi
+
if [ -n "$vg_list" ]; then
emit "echo Scanning logical volumes"
emit "lvm vgscan --ignorelockingfailure"
}}}