Using luks is the standard way of boot from an encrypted disk. However luks header is not encrypted and it may cause a security shortcoming when it is necessary to hide the fact of encryption.
Standard section of grub.conf when root file system is placed on an unencrypted disk has the form:
title Fedora 12
kernel /boot/vmlinuz-188.8.131.52-174.2.3.fc12.i686.PAE ro root=/dev/sda1 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
After this I rsync this file system as a whole to a filesystem on an encrypted virtual disk /dev/mapper/hdd2 corresponding to another physical disk, for example /dev/sdb. Then I created an additional section in grub.conf so as to make it possible to boot from /dev/sdb. It looks the same as above, but with some distinctions. Location of bootloader and kernel image is unchanged (1st sector and /boot directory), only root filesystem is transferred onto an encrypted new device.
title Fedora 12 NEW
kernel /boot/vmlinuz-184.108.40.206-174.2.3.fc12.i686.PAE ro root=/dev/mapper/hdd2 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
Two modifications of the initial section have been done:
1. root=/dev/sda1 ---> root=/dev/mapper/hdd2
2. initramfs-220.127.116.11-174.2.3.fc12.i686.PAE.img ---> initramfs-NEW.img
The second modification is needed to prepare /dev/mapper/hdd2 before mounting it as a root filesystem. So changing initramfs is necessary. I did it in the following way.
1. At the beginning of /mount/mount-root.sh, before 'mount' command, I put the string:
cryptsetup -d /etc/key -c aes-cbc-essiv:sha256 -s 256 create hdd2 /dev/sdb
2. key file is added to /etc
After this I reboot and select the second item in grub menu. During the boot the messages appear:
WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/.
(... the same string repeats a number of times ...)
No root device found
Boot has failed, sleeping forever
Please, give me a suggestion what should I do to cope with this issue.