I use Ubuntu Server 10.04. I more or less only want the server to be accessible over SSH after a reboot. I will then log in and mount the encrypted partition myself, after which I start the services which use it.
How would I go about setting something like that up?
(My first idea was to have everything except /boot in an encrypted LVM, but I never got logging in through SSH and mounting the LVM to work. Initramfs was a bit too complicated for me. Otherwise I think this would have been the best solution.)
Services get started via entries in the various /etc/rc.d/ folders (they are named from rc1.d through to rc6.d). You will need to identify the services you don't want to start, and then change the Sxxservicename links (xx is a number between 01 and 99) to Kxxservicename. Please be aware that these changes may get overwritten when the relevant packages are upgraded. If you want to keep the changes, I would recommend changing the start/stop level definitions in /etc/init.d/servicename (each service has a script in that folder that actually executes the start/stop, and it also contains the default settings for the runlevels where the service should start and stop).
Then simply change the line for the encrypted partition in /etc/fstab to include the "noauto" option, which will prevent it from getting mounted at boot time. You can still mount it manually using the mount command.
WARNING: You must make sure that your boot process can complete without any of the data on the encrypted partition. Otherwise you are digging a big hole for yourself (and you'll need a live CD to get out of it).
Your distribution uses upstart to manage services, so you need to take care of both upstart services and “old-style” (system V) services.
For all upstart services that require the encrypted filesystem, edit the corresponding file in
/etc/init.d
and change
start on foo
to
start on (foo and encrypted-filesystems)
and
stop on bar
to
stop on (bar or runlevel [0126])
For all system V services that require the encrypted filesystem, rename the symbolic link
/etc/rc2.d/S??foo
to
/etc/rc2.d/K50foo
After you've mounted the encrypted filesystems, run the commands
If you want to unmount the encrypted filesystems without rebooting, I think
telinit 2
will stop all the affected services with the scheme I've proposed.
I'd advise using update-rc.d (check the man page) to disable startups in runlevel two since it should always "do the right thing".
It would also be a good idea to put something in runlevel 2 to alert you, e.g. email, so it doesn't sit there unnoticed after an unexpected reboot.
Then ssh in, mount the crypt volume and init 3.
[Double check that it's still OK after package updates]
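The re-check after package updates that the answers above call for can be scripted. This is an added example, not part of any of the posts: it verifies that the fstab entry still carries noauto and that no S?? start link has reappeared in the runlevel directory. The mount point /srv/secure, the device name and the service names are assumptions, and upstart job files are not covered.

```shell
#!/bin/sh
# Added example: audit that the encrypted volume and its services stay manual.
# Usage: check_manual_start FSTAB RCDIR MOUNTPOINT SERVICE...
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_manual_start() {
    fstab=$1; rcdir=$2; mnt=$3; shift 3
    bad=0

    # fstab field 2 is the mount point, field 4 the comma-separated options.
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }' "$fstab")
    if [ -z "$opts" ]; then
        echo "PROBLEM: no fstab entry for $mnt"; bad=1
    else
        case ",$opts," in
            *,noauto,*) ;;
            *) echo "PROBLEM: $mnt lacks noauto (options: $opts)"; bad=1 ;;
        esac
    fi

    # An S??name link means the service is started on entering this runlevel.
    for svc in "$@"; do
        for link in "$rcdir"/S[0-9][0-9]"$svc"; do
            [ -e "$link" ] || [ -L "$link" ] || continue
            echo "PROBLEM: $link would start $svc at boot"; bad=1
        done
    done
    return $bad
}

# Constructed sample tree (not from the page): one fstab and one rc2.d.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/rc2.d"
    printf '%s\n' \
        '/dev/sda1 /boot ext3 defaults 0 2' \
        '/dev/mapper/secure /srv/secure ext4 defaults,noauto 0 0' > "$d/fstab"
    : > "$d/rc2.d/K50mysql"      # disabled, as the answers recommend
    : > "$d/rc2.d/S20apache2"    # start link back again, e.g. after an upgrade
    check_manual_start "$d/fstab" "$d/rc2.d" /srv/secure mysql apache2
    rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "audit reported problems (expected for the constructed sample)"
```

On a real host the call would be check_manual_start /etc/fstab /etc/rc2.d followed by the mount point and the service names, run from cron or a package-manager hook so that a non-zero exit raises an alert.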