Guest
Posted: Sat Apr 17, 2004 2:40 am
I am using the following versions:
linux-2.6.5-mm6
loop-AES-v2.0g
util-linux-2.12a
I am unable to compile as usual and have gone back to a 2.6.3 kernel. What precisely does one have to edit in order to get the above to work?

twiggy n00b
Joined: 25 Nov 2003 Posts: 65 Location: Sweden
Posted: Sat Apr 24, 2004 8:24 am
I'm wondering if i can change the encryption after i already have encrypted it with aes128? (without any loss)
And is aes the best way to go? And thanks for the docs
I was a bit afraid in the beginning but it went just fine.
_________________
Bite my shiny metal ass!

hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Sat Apr 24, 2004 9:27 am
hmm, i haven't tested it yet but theoretically it should be possible to pipe the already encrypted files through another loop device with another cipher enabled ...
maybe you can test this with a file or some removable storage devices first?
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

twiggy n00b
Joined: 25 Nov 2003 Posts: 65 Location: Sweden
Posted: Sat Apr 24, 2004 9:54 am
Thanks for the answer but i think i'll just stay with aes128 for now.
Anyway you wouldn't have anything else as cool as this to play around with on a saturday would ya?
_________________
Bite my shiny metal ass!

d4h0od Tux's lil' helper
Joined: 27 Jun 2002 Posts: 80 Location: Europe => Sweden => Blekinge => Karlskrona => h0odet
Posted: Mon Apr 26, 2004 4:55 pm Post subject: cant mount encrypted filesystem
i tried doing "3. Encrypt your current root partition using a gpg encrypted key" and everything worked great (i think, no errors or such) until i rebooted and then i got an error msg with something like
Code: | insmod /lib/modules-2.6.5-gentoo-r1/loop.ko no such file or device |
i guess i have done something wrong... maybe missed or did something wrong when i edited build-initrd.sh cuz it's not finding the module...
then i turned to step "7. If something has gone wrong", i booted up the knoppix cd and tried mounting the encrypted filesystem to go through the steps i did previously but i can't mount it ;(
first i just tried following the instructions exactly but after thinking a bit i thought about how those steps didn't say anything about decrypting my filesystem using the gpg-key i used to encrypt it
so i mounted the boot partition containing my gpg-key and added the option -K to the losetup command. (is that correct?)
Code: | losetup -e AES256 -K /mnt/tempboot/rootkey.gpg /dev/loop0 /dev/hda3 |
and then supplied the password i wrote earlier when i encrypted the partition with gpg (it seems to work cuz if i supply a wrong password it says "Error: gpg key file decryption failed")
but when i'm doing
Code: | mount /dev/loop0 /mnt/gentoo |
i get an error msg that it can't mount it ;(
Code: | FAT: bogus logical sector size 40229
VFS: Can´t find a valid FAT filesystem on dev 07:00.
mount: you must specify the filesystem type |
so then i of course try adding -t ext3 to the mount command (cuz that's the fs of the root partition)
but get another error msg then
Code: | VFS: Can´t find ext3 filesystem on dev loop(7,0).
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
or too many mounted file systems |
think i have messed something up really bad and think i'm gonna try starting over but wanted to hear first if someone else maybe knows what i did wrong and/or how i can fix it.
another question regarding "4. Encrypt a clean root partition while installing gentoo" cuz if i'm gonna start all over i will try to encrypt etc before i install gentoo but i still wanna use gpg but there isn't any info regarding gpg in step 4. (guessing cuz there isn't any place to store gpg-keys when encrypting the filesystem cuz the filesystem isn't there yet)
is it hard to add the extra layer of security with gpg afterwards or must i follow and make step 3 work if i want to use gpg+encryption?
_________________
// d4h0od

hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Mon Apr 26, 2004 11:25 pm
this looks to me as if you forgot kernel support for something. could be several things. but i think it should be possible to do that right from the beginning of an installation. tomorrow i'll have a look at it, cause it's 1:30am and i can hardly keep my eyes open
so g'nite everyone,
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Mon May 03, 2004 3:31 pm
hmm i am not sure on how to encrypt a clean partition with gpg but maybe you should have a look at point 7.5 on http://loop-aes.sourceforge.net/loop-AES.README and compare it with this cause they also described it with gpg and maybe there is something wrong (or outdated) with the method described here.
thanks in advance for feedback!
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

revoohc Tux's lil' helper
Joined: 12 Oct 2002 Posts: 128
Posted: Thu May 06, 2004 12:50 pm
I need some help.
I followed the instructions last night to encrypt my root partition with AES128. However, when I reboot my system with the new encrypted partition I get:
VFS: Mounted root (minix filesystem) readonly.
Mounded devfs on /dev
Freeing unused kernel memory: 152k freed
Mounting /dev/hda1 as /lib failed
System halted.
What did I do wrong? I'm running 2.6.5-gentoo-r1 and followed the steps for encrypting a pre-existing root partition using 2.6 with devfs.
thanks for any help,
Chris

Jayh n00b
Joined: 07 May 2004 Posts: 4
Posted: Sat May 08, 2004 1:23 am
Hi Guys,
I was wondering if anyone would know how to encrypt a second hard disk (or even a third)...
Can I just take (for example) /dev/loop1 and encrypt the disk and use /dev/loop1 in /etc/fstab and so on using the root partition method to encrypt the disks?
Sorry for being a little vague but it's 3:22AM and i'm kinda tired
(p.s. wonderful faq Hulk! thanks)

hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany

RinkyDinks_RJ n00b
Joined: 12 Aug 2003 Posts: 42
Posted: Mon May 10, 2004 5:51 pm
You should add the shred command to your guide. It is used to overwrite anything previously on the drive (data can remain on drive even if you reformat), (use for clean install/swap drives only)
shred /dev/hdaX
the default number of overwrites shred uses is 25. you can use -n X to specify a different number, though default is good enough.
Using shred -z /dev/hdaX will overwrite everything with zeroes.
Obviously, you only need to use this if you are concerned that previously unencrypted data on your hard disk may remain available to attack even after a format. (Yes, sometimes data can still hang on)

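The point of the post above, as an added example that is not part of the original thread: a constructed 1 MiB image file stands in for /dev/hdaX, and the "reformat" is simulated by overwriting only the first 64 KiB (an assumption, so the script runs without root or a real disk). It shows the planted plaintext surviving the reformat and being gone after shred.

```shell
#!/bin/sh
# Added example: constructed file-backed "partition", not a real device.
# On a real disk the target would be the block device (e.g. /dev/hdaX).

MARKER='CONSTRUCTED-PLAINTEXT-SECRET-0001'   # constructed sample data

# Build a 1 MiB image and plant a plaintext marker 512 KiB in,
# standing in for old unencrypted data somewhere on the partition.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1024 seek=512 conv=notrunc 2>/dev/null
}

# Simulated reformat: creating a filesystem rewrites metadata areas, not
# every data block. Only the first 64 KiB is overwritten here (assumption).
fake_reformat() {
    dd if=/dev/urandom of="$1" bs=1024 count=64 conv=notrunc 2>/dev/null
}

# Return 0 if the marker is still readable from the raw image.
marker_present() {
    LC_ALL=C grep -a -q -F -- "$MARKER" "$1"
}

# Overwrite every block: N random passes, then a final pass of zeros (-z).
# The pass count is given explicitly because the default differs between
# coreutils versions.
wipe_image() {
    shred -n "${2:-1}" -z "$1"
}

# Return 0 if the image now contains only zero bytes.
all_zero() {
    size=$(wc -c < "$1")
    cmp -s -n "$size" "$1" /dev/zero
}

# Run the whole sequence and report: marker after reformat, marker after
# shred, and whether the final zero pass left an all-zero image.
demo() {
    img=$(mktemp) || return 1
    make_image "$img"
    fake_reformat "$img"
    if marker_present "$img"; then after_format=present; else after_format=gone; fi
    wipe_image "$img" 1
    if marker_present "$img"; then after_shred=present; else after_shred=gone; fi
    if all_zero "$img"; then zeroed=yes; else zeroed=no; fi
    rm -f "$img"
    echo "$after_format $after_shred $zeroed"
}

demo
```
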
Jayh n00b
Joined: 07 May 2004 Posts: 4
Posted: Mon May 10, 2004 8:07 pm
Allrite, I've managed to use the loop devices to encrypt a whole new hd.
For those interested, read this little howto:
First if you don't have enough /dev/loop devices, the best way to increase it is just to recompile your kernel.
Lookup the /usr/src/linux-2.4.25/drivers/block/loop.c and replace obviously the linux-2.4.25 with your kernelversion.
Edit it in your favourite editor and change the following:
Code: | static int max_loop = 16; |
change the 16 into how many loop devices you want.
After reboot, check /dev/loop/ to see if the loop devices are there. If they're not, use the mknod utility to create them. Read the man-page about that because I don't know how to make them via mknod
Now you can use the same setup as with encrypting the root partition.
Code: | /sbin/losetup -e AES256 /dev/loopX /dev/hdX
dd if=/dev/hdX of=/dev/loopX bs=64k conv=notrunc |
mount it and you're off!
you can use any loop device you want though I recommend you start with loop device 7 or 8 (you can make up to 64 loop devices anyway).
Now my question
I want to create a LVM using the loop devices in order to encrypt it.
Ok, followed the howto's, install/readme files etc and it was no problem setting it up using the /dev/loop devices. Kernel LVM driver was up to date so no recompiling was necessary.
Now the problem, I needed to make a filesystem on the LVM. I created reiserFS on it and also no problems (though I was a little uncomfortable to create a new filesystem on my already encrypted disks).
when I checked df -h, my mounted loop devices were 16T (Yea, 16 Terabytes) so I thought to unmount them and remount to see if they were still working. Then I got a Segmentation fault while trying to unmount the loop device (How nice) but the LVM was still active.
So I deactivated it and tried to remove the encryption on the loop device using losetup but the following error command keeps coming back:
Code: | ioctl: LOOP_CLR_FD: Device or resource busy |
Anyone an idea to kill the loop device or to disconnect it properly?
Only this is mounted:
Code: |
Filesystem Size Used Avail Use% Mounted on
/dev/loop/5 37G 891M 36G 3% /
/dev/root 11K 8.0K 3.0K 73% /initrd
/dev/ide/host0/bus0/target0/lun0/part1
48M 36M 12M 75% /boot
none 126M 0 126M 0% /dev/shm
|
LVM has been shut down and I can't see any more links to an active session with the loop devices.
Hope u guys have an answer!
See Ya,
Jayh

hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Mon May 10, 2004 10:26 pm
@RinkyDinks_RJ
cool, thank you for that. of course i will add that! you can never be secure enough can't you
but why do you mean this should be used for swap partitions only and why only when installing on a clean drive?
@Jayh
losetup -d /dev/loopX ?
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

Jayh n00b
Joined: 07 May 2004 Posts: 4
Posted: Tue May 11, 2004 8:45 am
hulk2nd,
That's the command I used to remove the loop devices and got the error
Code: | ioctl: LOOP_CLR_FD: Device or resource busy |
while I couldn't see any reason why the loop devices would be in use.
I've now realized after a reboot that the encrypted partition has been destroyed after repartitioning the LVM.
So I'm thinking of trying to make the LVM and after the partitioning to create a loop device in order to encrypt the lvm

d4h0od Tux's lil' helper
Joined: 27 Jun 2002 Posts: 80 Location: Europe => Sweden => Blekinge => Karlskrona => h0odet
Posted: Wed May 12, 2004 12:04 am Post subject: step 3h
Not sure if this is really worth mentioning and i don't want to complain about the guide cuz i think it's really nice.
But one thing that caused problems for me the first time i tried the guide following step 3 was that I couldn't boot my system.
I got an error that it couldn't find /lib/modules-2.6.5-gentoo-r1/loop.ko (at least I think that was the error msg). Then I remembered that in step 3h) in the guide i copy the module loop.ko to /boot and name it to loop.o. I tried renaming it back to loop.ko and the next time i rebooted i didn't get the error msg
is there anyone else that has had the same problem and maybe did the same thing as me? maybe it's just a typo in the guide?
_________________
// d4h0od

hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Wed May 12, 2004 10:35 am Post subject: Re: step 3h
d4h0od wrote: | Not sure if this is really worth mentioning and i don't want to complain about the guide cuz i think it's really nice.
But one thing that caused problems for me the first time i tried the guide following step 3 was that I couldn't boot my system.
I got an error that it couldn't find /lib/modules-2.6.5-gentoo-r1/loop.ko (at least I think that was the error msg). Then I remembered that in step 3h) in the guide i copy the module loop.ko to /boot and name it to loop.o. I tried renaming it back to loop.ko and the next time i rebooted i didn't get the error msg
is there anyone else that has had the same problem and maybe did the same thing as me? maybe it's just a typo in the guide? |
yes, thank you for that, could be indeed problematic. changed it
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

d4h0od Tux's lil' helper
Joined: 27 Jun 2002 Posts: 80 Location: Europe => Sweden => Blekinge => Karlskrona => h0odet
Posted: Wed May 12, 2004 12:53 pm Post subject: finally got it working ;))
got my system up and running with encrypted root fs now
thanx a lot for this excellent guide... without it i don't think i ever would have had the time/energy to try to do it
now i only need to encrypt the swap partition as well but that seems to be quite easy... is it really just to change the line in fstab and then all data written to the swap partition is encrypted?
_________________
// d4h0od

RinkyDinks_RJ n00b
Joined: 12 Aug 2003 Posts: 42
Posted: Wed May 12, 2004 9:00 pm
Typing shred /dev/hdax will clean everything off the part. Also, there is a way to make it just wipe the clear areas on the part; I believe it uses /dev/zero. not sure, so I go check it out...

abeowitz n00b
Joined: 17 Mar 2003 Posts: 20 Location: Seattle
Posted: Tue May 18, 2004 3:58 am Post subject: loop.ko
Question.
Right now, I'm just doing an encrypted swap partition...
But loop.ko, if setup in /etc/modules.autoload.d/kernel-2.6 tends to load AFTER the swap partition is mounted.
How do I load this module BEFORE swap gets loaded?
BTW, it does work if I do a
Code: | swapoff -a
swapon -a
losetup -a
/dev/loop/7: [000c]:1812 (/dev/hda3) offset=4096 encryption=AES128 multi-key
|
Thanks

CB2206 Tux's lil' helper
Joined: 27 May 2003 Posts: 127 Location: NRW
Posted: Tue May 18, 2004 5:52 am
hi,
i'm using a 2.6er kernel with cryptoloop support and i'm just wondering whether it would be possible to get back to bootsplash silent mode after typing in the password for my encrypted home partition.
does anyone know a solution for this?
_________________
CB

jeffrice Tux's lil' helper
Joined: 25 Jun 2003 Posts: 89 Location: New York, USA
Posted: Sat May 22, 2004 3:05 am Post subject: Boot from USB
I'm having some trouble getting this to work from my USB drive. I put the pause in the build-initrd.sh script so that the USB hub and drive have a chance to initialize. But right after, I get the error
Code: | /dev/sda1 failed to mount as /lib |
So... what do I do? The message from the USB modules says it found my USB drive at sda1 and of course it is working because I boot from the USB up to that point. Am I specifying the device that should be mounted as /lib wrongly? There isn't a great deal of error message to work with!
Jeff

markymarc n00b
Joined: 04 Dec 2003 Posts: 39 Location: Denmark
Posted: Sat May 22, 2004 10:01 pm Post subject: Will not make mount!!!
I'm trying to install the util-linux in 2b. But when I come to make SUBDIRS="lib mount", I get a lot of errors, the same if I just do a make in mount, which results in no new mount, umount etc. etc.
I don't know if it's related but when I applied the fix util-linux-2.12.diff it can't find the loop.h file. Is this normal?
Am I missing something or ?????

jeffrice Tux's lil' helper
Joined: 25 Jun 2003 Posts: 89 Location: New York, USA
Posted: Sun May 23, 2004 12:04 am Post subject: Re: Boot from USB
jeffrice wrote: | I'm having some trouble getting this to work from my USB drive. |
Alternatively, has anyone gotten this to work using an unencrypted boot with the gpg key on usb? It seems to work fine if my key is on CD, but that isn't quite what I want.
It still says it can't mount my usb... all the drivers are compiled into the kernel, so the problem isn't clear to me.
Jeff

markymarc n00b
Joined: 04 Dec 2003 Posts: 39 Location: Denmark
Posted: Sun May 23, 2004 3:01 pm Post subject: Re: Will not make mount!!!
By the way, this is what I get when I run the fix:
Code: | Perhaps you used the wrong -p or --strip option?
Skip this patch? [y]
> The text leading up to this was:
> --------------------------
> |diff -urN util-linux-2.12a/mount/loop.h util-linux-2.12a-AES/mount/loop.h
Hunk #3 FAILED at 128.
> |--- util-linux-2.12a/mount/loop.h Wed Jul 16 23:06:02 2003
> |+++ util-linux-2.12a-AES/mount/loop.h Fri Mar 5 18:48:49 2004
> --------------------------
> File to patch:
> Skip this patch? [y]
> Skipping patch.
> 3 out of 3 hunks ignored
> patching file mount/losetup.8
> Hunk #1 FAILED at 1.
> Hunk #2 FAILED at 30.
> Hunk #3 FAILED at 128.
> 3 out of 3 hunks FAILED -- saving rejects to file mount/losetup.8.rej
> patching file mount/loumount.c
> patching file mount/mount.8
> Hunk #2 succeeded at 270 (offset -1 lines).
> Hunk #3 FAILED at 321.
> Hunk #4 succeeded at 1686 (offset -29 lines).
> 1 out of 4 hunks FAILED -- saving rejects to file mount/mount.8.rej
> patching file mount/mount.c
> Hunk #2 FAILED at 114.
> Hunk #3 succeeded at 189 (offset -3 lines).
> Hunk #4 succeeded at 199 (offset -3 lines).
> Hunk #5 succeeded at 563 (offset -3 lines).
> Hunk #6 succeeded at 588 (offset -3 lines).
> Hunk #7 FAILED at 605.
> Hunk #8 FAILED at 664.
> Hunk #9 FAILED at 1478.
> 4 out of 9 hunks FAILED -- saving rejects to file mount/mount.c.rej
> patching file mount/rmd160.c
> patching file mount/rmd160.h
> patching file mount/sha512.c
> patching file mount/sha512.h
> patching file mount/swapon.8
> patching file mount/swapon.c
|
And this is what I get when I run "make SUBDIRS="lib mount""
Code: | mount.c:213: error: initializer element is not constant
mount.c:213: error: (near initialization for `string_opt_map[10]')
mount.c:214: error: initializer element is not constant
mount.c:214: error: (near initialization for `string_opt_map[11]')
mount.c:215: error: initializer element is not constant
mount.c:215: error: (near initialization for `string_opt_map[12]')
mount.c: In function `loop_check':
mount.c:594: error: `loopOffsetBytes' undeclared (first use in this function)
mount.c:594: error: (Each undeclared identifier is reported only once
mount.c:594: error: for each function it appears in.)
mount.c:594: error: `loopSizeBytes' undeclared (first use in this function)
mount.c:594: error: `loopEncryptionType' undeclared (first use in this function)
mount.c:611: error: `offset' undeclared (first use in this function)
mount.c:611: error: `opt_offset' undeclared (first use in this function)
mount.c:612: error: `opt_encryption' undeclared (first use in this function)
make[1]: *** [mount.o] Error 1
make[1]: Leaving directory `/tmp/env/loop-AES-v2.1a/util-linux-2.12pre/mount'
make: *** [all] Error 1
|

markymarc n00b
Joined: 04 Dec 2003 Posts: 39 Location: Denmark