Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Using dm-crypt in 2.6.4 for an encrypted filesystem
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
tweakt
Tux's lil' helper
Tux's lil' helper


Joined: 16 Sep 2003
Posts: 92
Location: Boston, MA. USA

PostPosted: Sun May 09, 2004 3:06 pm    Post subject: Reply with quote

Nate_S wrote:
Here's a very dirty hack I'm using to encrypt swapspace on bootup with local.start and local.stop

This is insecure. If you've got unencrypted swap mounted while an encrypted device is mounted, the possibility exists for cleartext to remain in your swap even after you remount in encrpyted since mkswap does not wipe the partition, it only writes a signature. So ideally, encrypted swap should be mounted before any other encrypted devices. Or do a dd if=/dev/urandom of=/dev/swapdevice before the mkswap.
Back to top
View user's profile Send private message
Nate_S
Guru
Guru


Joined: 18 Mar 2004
Posts: 414

PostPosted: Tue May 11, 2004 7:02 pm    Post subject: Reply with quote

I'm sure you don't mean that it might write the key used for encryption to swap? It shouldn't do that anyways...

Otherwise, I don't think there'd be any information in swap that was not already encrypted. I had it use the swap unencrypted at first, partially because I didn't know if it might speed up boot up, but mostly because I have an old installation of Gentoo on another partition that I still boot in to occasionally, and it uses the swap unencrypted ( I don't need it encrypted when I boot into that install anyways.) So the only thing that should be in swap at bootup is either swap from a previous bootup, encrypted with a random key, lost on shutdown, or unencrypted swap from the other install that I don't care about.

Regardless, from what I've read about people not using swap entirely, even with small amounts of ram, you should be able to not have any swap activated until local.start. Or I suppose you could do a dd if=/dev/(zero,urandom) of=/dev/mapper/swap, but I chose not to because I think it'd really slow down bootup.

Pretty much it's just mirroring the commands I would type when setting it up initally, just having it do so automatically on startup. I've heard that encrypted loopback devices are out, but I have yet to see anyone say they got encrypted swap to work with dm-crypt. So, (hoping there's not good reason for this,) I invented my own method.

So, to amend my previous disclaimer, I can't guarntee that this method will be very secure. Heck, going by what I know about security and encryption, I can go so far as to say it probably won't be. As I said, this is the method I use, so I believe that it offers at least partial security, but use at your own risk.

Tweakt, I do appriciate the criticisim. If I've missed any other big gaping security holes, please do point them out as well.
Back to top
View user's profile Send private message
Devsforev
n00b
n00b


Joined: 06 Sep 2003
Posts: 17
Location: New York

PostPosted: Mon May 24, 2004 12:04 am    Post subject: Reply with quote

Excellent tutorial! I just used it as an outline to create an encrypted partition of my own. Nice little 20gig, reiserfs partition, using the Blowfish algorithm.

An afterthought just occured to me. At no time during the process was I asked for how many 'bits' should be used for my Blowfish algorithm. I know the keys go from 32 -> 448 bits. How do you specify how many bits? What is the default? Thanks a bunch!!

Once again, great guide!!!

-- Devsforev
Back to top
View user's profile Send private message
martinm1000
Apprentice
Apprentice


Joined: 17 Apr 2003
Posts: 174
Location: Montréal, Canada

PostPosted: Mon May 24, 2004 8:11 am    Post subject: Little question ! Reply with quote

Hi!

I'm using 2.6.6 and I just recompiled my kernel to be able to use dmcrypt;
I wanted to compile cryptsetup, but it needs libdevmapper.

I suppose that I need to emerge device-mapper ? Well he want to ALSO
install gentoo-sources-2.4.26_pre6... But I'm on 2.6.6 ! I don't want 2.4 !

What did you do to make it work ?

Thanks.
Back to top
View user's profile Send private message
Q
Tux's lil' helper
Tux's lil' helper


Joined: 17 Apr 2002
Posts: 149
Location: Oxford, UK

PostPosted: Wed Jun 09, 2004 8:53 am    Post subject: Reply with quote

What filesystems are you using?
Is there an issue with journaling file systems?
_________________
AMD 64 3200
Shuttle SN85G4/NForce 3 Chipset
Back to top
View user's profile Send private message
Tazok
Guru
Guru


Joined: 25 Oct 2003
Posts: 310

PostPosted: Thu Jun 10, 2004 11:31 am    Post subject: Re: Little question ! Reply with quote

martinm1000 wrote:
Hi!

I'm using 2.6.6 and I just recompiled my kernel to be able to use dmcrypt;
I wanted to compile cryptsetup, but it needs libdevmapper.

I suppose that I need to emerge device-mapper ? Well he want to ALSO
install gentoo-sources-2.4.26_pre6... But I'm on 2.6.6 ! I don't want 2.4 !

What did you do to make it work ?

Thanks.


You should check your virtual/linux-sources inside /var/cache/edb/virtuals.

Btw, has anyone gotten dm-crypt with gpg-encrypted keys to work?
Would be nice to hear which steps are needed for that.
Back to top
View user's profile Send private message
Petyr
Guru
Guru


Joined: 08 Jan 2003
Posts: 471
Location: San Diego, CA, USA

PostPosted: Fri Jun 18, 2004 5:00 am    Post subject: Reply with quote

Much thanks the original author for posting this thread. I've been considering how to go about encrypting at least my home_vlm for a good while now.

dm-crypt has been a great solution.

In answer to the previous two posts, I've had ext3 up and running for a few days now. I'm highly inclined to think that there are no issues with using a journalated file system on dm-crypt. Effectivly dm-crypt just looks like a block device, which is all a HD really is... so *shrug*
I dunno I could be wrong, so don't take just my word for it.

As for GPG keys, I'm using a slightly different solution. I recently bought a usb keychain ($30 for 128 Meg! Gotta love Fry's) and I just store a loopback file on there. Using losetup and dm-crypt in an initrd setup, I'm able to have my real HD key stored on the USB keychain. While this doesn't make use of GPG, it has the same end result. Yes one can argue about how GPG encrypts this way while AES does it another way, but ultimatly one has to ask the question, "If my data secure?"
I figure with the setup I've got I can safely say yes to that.
Both setups have an added benifit (or risk depending...) Without the USB keychain, the laptop the /home dir's are junk. Now if it gets stolen while I'm traveling, and the keychain is not with it, well at least my personal data is safe.

Now I just have to encrypt the whole friggin HD... wonder if the live CD can help me out here...

Petyr Rahl
Back to top
View user's profile Send private message
Petyr
Guru
Guru


Joined: 08 Jan 2003
Posts: 471
Location: San Diego, CA, USA

PostPosted: Mon Jun 21, 2004 11:23 pm    Post subject: Reply with quote

Meebe if I had read a little closer I woulda saved myself some time... oh well. So the LiveCD won't help, however since I spent all this time creating an initrd I decided to take a pretty massive risk.
Since I already had /bin/bash on the initrd I just made it so the initrd just dumped me into a shell. I had copied over the commands that I was going to need, and just encrypted the HD from the initrd (I had 2 of them setup and I had booted from the second one).
Then I just rebooted and had the system boot using the first initrd and *poof* system worked and everything was encrypted, except /boot of course ;)

Damn that was scary doing though... I was convinced that I'd missed something and that all my data on my laptop was hosed.
Guess I had enough coffee this morning or something because it all came out well.

Anyways cheers! Now my laptop is much safer ^^

Petyr Rahl
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page Previous  1, 2
Page 2 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum