how to start microvm with LUKS encrypted file system (rootfs.ext4) using firecracker #4327

Unanswered
jahnavilatha589 asked this question in Q&A
I have created an encrypted filesystem (rootfs.ext4) using LUKS. I am trying to start a microVM by using the LUKS-encrypted file system with Firecracker.

Is it possible to start a microVM with an encrypted file system? Can anyone make a suggestion on this?

Replies: 3 comments 1 reply

Hi @jahnavilatha589,

Thanks for the interest in Firecracker :)

We haven't tried booting a microVM with an encrypted rootfs, so I am not sure if it would work.

Firecracker microVMs do not use a boot-loader to boot. I am not sure whether dm-crypt prompts you for a password to unlock the partition at boot-time. Maybe if you used an initrd: https://github.com/firecracker-microvm/firecracker/blob/main/docs/initrd.md to boot from, which you have set up for LUKS and then pivot to your encrypted file-system, with switch_root it could work.

You should definitely be able to use an un-encrypted root filesystem with additional encrypted drives which you unencrypt at boot time.

0 replies

Hello,
I am trying to run a microVM with a LUKS encrypted file system (using dm-crypt) and am encountering the same issue as you, @jahnavilatha589. Did you manage to find a solution?

@bchalios do you have any recommendations on how to start microVMs with an encrypted file system?

Thanks

0 replies

I am in the same boat. Any resolution on this?

1 reply
@Manciukic
Hey,

I think the solution proposed by bchalios is the way to go but I'm not aware of anybody actually implementing it:

  1. build a small initrd with an init process that
    a. mounts the LUKS filesystem using cryptsetup luksOpen
    b. pivots the root to the new file system (example in firecracker-containerd)
    c. delegates the boot to the init executable in the decrypted image
  2. package the initrd as a cpio archive
  3. start firecracker with the initrd (docs)

Note that the initrd is copied to the VM memory, consuming it. You can technically do the same with a separate (unencrypted) boot disk that prepares the system and then delegates to the other init process.

If you manage to get the setup working, don't forget to provide the details here for the community!

Update: the kernel documentation has a nice guide on what the initrd is and how to make one: https://docs.kernel.org/admin-guide/initrd.html . It's only missing the LUKS mounting part, but there's a complete example on how to pivot_root to a new filesystem.
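
The init process from step 1 of the reply above, written as the initrd's /init script; this is an added example, not part of the original thread and not Firecracker project code. It assumes a busybox userland and a cryptsetup binary in the initrd, dm-crypt built into the guest kernel, and a /newroot directory. The cryptroot= and cryptkey= boot arguments, the 64-byte key size and the mapping name rootfs are hypothetical choices of this example.

```shell
#!/bin/sh
# /init inside the initrd (added example, not Firecracker project code).
# Assumed: busybox userland, cryptsetup binary, dm-crypt in the guest kernel,
# an empty /newroot directory. cryptroot= and cryptkey= are hypothetical boot
# arguments defined by this script, not kernel or Firecracker parameters.

# Print VALUE for KEY=VALUE in a kernel command line; status 1 if absent.
# Runs in a subshell so that `set -f` (no globbing) does not leak out.
cmdline_get() (
    set -f
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
)

# Exiting PID 1 panics the kernel, so a failed unlock never boots further.
die() { echo "initrd: $*" >&2; exit 1; }

unlock_and_switch() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mount -t devtmpfs devtmpfs /dev

    cmdline=$(cat /proc/cmdline)
    dev=$(cmdline_get cryptroot "$cmdline") || die "no cryptroot= argument"
    key=$(cmdline_get cryptkey "$cmdline") || key=""

    if [ -n "$key" ]; then
        # Key bytes come from a separate drive the host attaches at launch,
        # so the key is neither in the initrd nor in /proc/cmdline.
        cryptsetup luksOpen --key-file "$key" --keyfile-size 64 \
            "$dev" rootfs || die "cannot unlock $dev"
    else
        # No key drive: cryptsetup asks for the passphrase on the console.
        cryptsetup luksOpen "$dev" rootfs || die "cannot unlock $dev"
    fi

    mount -t ext4 /dev/mapper/rootfs /newroot || die "cannot mount root"
    # The decrypted image's init is expected to mount these itself.
    for m in /proc /sys /dev; do umount "$m"; done
    exec switch_root /newroot /sbin/init
}

# Only act when started by the kernel as /init, never when sourced or tested.
if [ "$$" -eq 1 ] && [ "$0" = "/init" ]; then unlock_and_switch; fi
```

With constructed boot arguments such as `cryptroot=/dev/vda cryptkey=/dev/vdb`, the encrypted image is the first drive and the key material the second; leaving out cryptkey= falls back to a passphrase prompt on the serial console.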
