Comments on Creating A Fully Encrypted Para-Virtualised Xen Guest System Using Debian Lenny
Creating A Fully Encrypted Para-Virtualised Xen Guest System Using Debian Lenny

This document explains how to set up a fully encrypted para-virtualized XEN instance. In this howto, the host system is running Debian Etch, while the guest system to be installed will be using Debian Lenny. If you are concerned about your privacy, you might want to consider using hard disk encryption to protect your valuable private data from spying eyes. Usually, the easiest way would be to use your distribution's installer to set up a fully encrypted system; I think most recent Linux distributions support this. However, when you are using XEN to provide virtualization, there are situations where you might not want to encrypt your whole computer with all guest instances, but instead only encrypt one OS instance. This howto will deal with exactly this situation. It assumes that the XEN host system is already up and running.
Comments
I think that there are some errors in this article. For instance, where does /dev/vg0/crypto.example.com_disk come from?
Please be more specific about what you think is not correct. /dev/vg0/crypto.example.com_disk is created by the call to xen-create-image in the beginning.
Hi,
thanks for this great manual!
I have had some troubles with the section:
crypto:~# mount /dev/vg-crypt/root /mnt/target/
---8<--
crypto:~# cp -apx / /target/
Your cp command should read "cp -apx / /mnt/target", but cp then tries to copy /mnt/target to itself and exits. I have used the following to solve this problem and to avoid the need for cleanups:
crypto:~# find . -path ./mnt -prune -o -path ./target -prune -o -path ./sys -prune -o -path ./proc -prune -o -print | cpio -pumd /mnt/target && mkdir /mnt/target/mnt/ && mkdir /mnt/target/proc && mkdir /mnt/target/sys
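The pruned copy from the comment above, as an added example that is neither the article's nor the commenter's code: a POSIX shell function that takes the prune list as arguments, builds the same find -path/-prune expression, pipes it through cpio -pumd when cpio is available (falling back to a plain mkdir/cp loop, which does not preserve symlinks or device nodes), and then recreates the pruned directories as empty mount points in the target. The function and parameter names are assumptions; for the real copy it is run as root from the live root with the target already mounted.

```shell
#!/bin/sh
# copy_root_tree SRC DST PRUNE_DIR...
#   SRC       root of the tree to copy (e.g. /)
#   DST       mounted target (e.g. /mnt/target), created if missing
#   PRUNE_DIR directories relative to SRC to skip (e.g. mnt target proc sys);
#             assumed to contain no whitespace
copy_root_tree() {
    src=$1; dst=$2; shift 2
    prunes=$*
    mkdir -p "$dst" || return 1
    dst=$(cd "$dst" && pwd) || return 1   # absolute path: we cd into SRC below

    # Rebuild the positional parameters as the find expression
    #   -path ./mnt -prune -o -path ./proc -prune -o ...
    # so that the trailing -print only fires for unpruned entries.
    set --
    for d in $prunes; do
        set -- "$@" -path "./$d" -prune -o
    done

    ( cd "$src" && find . "$@" -print | copy_stream "$dst" ) || return 1

    # The pruned directories themselves are never printed, so recreate them
    # as empty mount points in the target (the mkdir calls in the comment).
    for d in $prunes; do
        mkdir -p "$dst/$d" || return 1
    done
}

# Reads relative paths on stdin and copies them below $1, creating directories.
copy_stream() {
    if command -v cpio >/dev/null 2>&1; then
        cpio -pumd "$1" 2>/dev/null   # pass-through mode, as in the comment
    else
        # Portable fallback (assumption: files and directories only).
        while IFS= read -r p; do
            if [ -d "$p" ]; then mkdir -p "$1/$p"; else cp -p "$p" "$1/$p"; fi
        done
    fi
}

# Real use on the guest, as in the comment (run as root from the live root):
#   copy_root_tree / /mnt/target mnt target proc sys
```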
Looking at the initrd scripts, Debian 6 does not try to mount a crypt device if there are no crypt command line arguments, even if the correct parameters are in the conf.d/cryptroot file. In order to get this to work, I emptied that file, and then added this line to the xen-tools config:
extra = 'cryptopts=target=crypt,source=/dev/xvda3,key=none,lvm=vg--crypt-root,rootdev'
where I'm using xvda3 but the tutorial is using sda1; change as appropriate.
This problem presented itself as not prompting for the password, then dropping to a shell. I was able to manually activate the LUKS partition and boot after that, so I knew it was just a problem with the boot scripts somehow. After adding the kernel command line arguments, it worked just fine. Thanks for the excellent tutorial!