From Fedora Project Wiki

Revision as of 13:21, 11 August 2008 by Mganisin (talk | contribs) (New page: == Description == Support the use of encrypted filesystems for anything other than /boot using cryptsetup and LUKS. This includes install time creation/configuration, as well as integrated...)

Description

Support the use of encrypted filesystems for anything other than /boot using cryptsetup and LUKS. This includes install-time creation/configuration, as well as integrated support in mkinitrd and initscripts (others?). Currently we are only pursuing support for encrypted devices using cryptsetup/LUKS.

When using encrypted file systems/block devices, SELinux functionality should continue to work as expected, and encryption should not lead to undesired SELinux errors; in particular, an installation using any of the SELinux operating modes "enforcing", "permissive" and "disabled" should complete successfully.

References:

  1. Anaconda/Features/EncryptedBlockDevices
  2. Releases/FeatureEncryptedFilesystems

Steps To Reproduce

  • Boot anaconda
  • Proceed to the partitioning dialog
  • Select the checkbox item "Encrypt system"
  • Select the "disabled" SELinux setting
  • Enter and confirm the passphrase for the encrypted filesystem in the pop-up dialog
  • Choose the default partitioning layout and continue to the Disk Druid partition screen
  • Continue with the installation

"Remove linux partitions on selected drives and create default layout"

Expected Results

  • Confirm the "Encrypt system" item is checked
  • Verify installation completes successfully
  • Upon reboot, the user is asked for the LUKS passphrase at the console
  • Verify an entry for the LUKS device is present in /etc/crypttab
  • Verify SELinux is disabled in the post-install system
  • The post-install system boots completely and is usable, and does not have SELinux errors that would significantly hamper system operation


/etc/crypttab may look something like:

luks-sda2    /dev/sda2    none
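
The post-install checks from Expected Results can be scripted. The following is an added example, not part of the original test case: the function names are hypothetical, /dev/sda2 is taken from the sample crypttab above, and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example: post-install checks for the expected results above.
# File paths are parameters so the parsers can be run on sample files.

# Print "name device" for every non-comment /etc/crypttab entry.
crypttab_entries() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1, $2 }' "$1"
}

# Succeed if crypttab $1 names device $2, directly or as UUID=$3.
crypttab_has_device() {
    crypttab_entries "$1" | awk -v dev="$2" -v uuid="$3" '
        $2 == dev || (uuid != "" && $2 == "UUID=" uuid) { found = 1 }
        END { exit !found }'
}

# Print the SELINUX= mode set in an /etc/selinux/config style file.
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Parser check on constructed sample files; prints "name device mode".
sample_check() {
    d=$(mktemp -d) || return 1
    printf '# constructed sample\nluks-sda2    /dev/sda2    none\n' > "$d/crypttab"
    printf '# SELINUX= can be enforcing, permissive, disabled\nSELINUX=disabled\nSELINUXTYPE=targeted\n' > "$d/config"
    echo "$(crypttab_entries "$d/crypttab") $(selinux_config_mode "$d/config")"
    rm -rf "$d"
}

# Checks against the installed system; run as root, e.g. verify_system /dev/sda2
verify_system() {
    dev=$1; rc=0
    uuid=$(cryptsetup luksUUID "$dev" 2>/dev/null)
    cryptsetup isLuks "$dev" || { echo "FAIL: $dev has no LUKS header"; rc=1; }
    crypttab_has_device /etc/crypttab "$dev" "$uuid" ||
        { echo "FAIL: no /etc/crypttab entry for $dev"; rc=1; }
    [ "$(selinux_config_mode /etc/selinux/config)" = disabled ] ||
        { echo "FAIL: SELINUX= is not disabled in /etc/selinux/config"; rc=1; }
    [ "$(getenforce)" = Disabled ] || { echo "FAIL: SELinux is not disabled"; rc=1; }
    return $rc
}
```

Source the file on the installed system and run verify_system with the encrypted partition as its argument; the UUID match covers a crypttab that refers to the device as UUID=... instead of by path.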