Gentoo Forums
Encrypted Root File System, Swap, etc...

chadders
Tux's lil' helper

Joined: 21 Jan 2003
Posts: 113

Posted: Tue Jan 21, 2003 8:56 pm    Post subject: Encrypted Root File System, Swap, etc...

First, Gentoo is great! I am 13 (and a half) and have installed it 4 times so far. It is hard at first but DON'T GIVE UP because it is worth it! If I can make it work SO CAN YOU!

I figured out how to make an encrypted root file system. It is pretty easy (and keeps your little brother from stealing your MP3 files). So for my first newbie post I will share how I did it.

Stuff you need first
----------------------

1) A working system with a separate /boot partition. If Gentoo is not working right before you encrypt the root file system, it won't work very good afterwards either.

2) The loop-AES stuff... download from sourceforge. Read the loop-AES README so that if something doesn't work you don't feel like a clueless idiot later.

3) The source tarball for util-linux-2.11y (or whatever). Get from the standard kernel sites... ftp.kernel.org/pub/utils/util-linux.

4) The Knoppix (or Knoppix lite) CD from http://www.knoppix.net . Burn it to a CD and make sure you can boot from it. Knoppix is a great rescue system and I use it a lot to fix stuff when I mess up bad. Knoppix comes with loop-AES already on it so you don't need to make your own rescue system. This is important later because to encrypt a root file system you can't be running on it at the same time.

How to do it steps
--------------------

1) Recompile your kernel. You HAVE to use CONFIG_MODULES=y, CONFIG_BLK_DEV_LOOP=n (y or m WON'T WORK), CONFIG_BLK_DEV_RAM=y, CONFIG_BLK_DEV_RAM_SIZE=4096, CONFIG_BLK_DEV_INITRD=y, CONFIG_MINIX_FS=y (this is because the ramdisk is minix), CONFIG_PROC_FS=y plus whatever FILESYSTEM YOUR ROOT IS HAS TO BE Y (modules won't work because the kernel can't get modules from the root file system until it knows how to read it and decrypt it when it is booting, other stuff can be modules if you want). Make sure that your new kernel works before going further.

2) cd to /usr/src and untar the loop-AES tar file. Type make. This makes a new loop device driver that knows how to encrypt and uncrypt stuff.

3) Put the util-linux-2.11y (or whatever) tar file in the loop-AES directory then untar it. cd to util-linux-2.11y. MAKE SURE YOU HAVE YOUR BOOT PARTITION MOUNTED AT /boot . Then type all of this stuff:
patch -p1 <../util-linux-2.11y.diff
export CFLAGS=-O2
export LDFLAGS='-static -s'
./configure
make SUBDIRS="lib mount"
cd mount
install -m 4755 -o root mount umount /bin
install -m 755 losetup swapon /sbin
rm -f /sbin/swapoff && ( cd /sbin && ln -s swapon swapoff )
rm -f /usr/share/man/man8/{mount,umount,losetup,swapon,swapoff}.8.gz
install -m 644 mount.8 umount.8 losetup.8 /usr/share/man/man8
install -m 644 swapon.8 swapoff.8 /usr/share/man/man8
rm -f /usr/share/man/man5/fstab.5.gz
install -m 644 fstab.5 /usr/share/man/man5
cp -p /lib/modules/`uname -r`/block/loop.o /boot/loop-`uname -r`.o

4) In the loop-AES directory edit build-initrd.sh. Change BOOTDEV, BOOTTYPE, CRYPTROOT, ROOTTYPE and CIPHERTYPE to what you want. Then type sh build-initrd.sh . This makes a ramdisk so that the kernel knows how to get the pass phrase when you boot later.

5) Boot the knoppix CD. Type knoppix 2 so you get a root shell and not everything else because it makes it slow. Type this stuff:

losetup -e AES256 -T /dev/loop0 /dev/hda2 (or whatever is your root partition)
give the secret pass phrase that you want (DON'T FORGET WHAT IT IS!)
dd if=/dev/hda2 of=/dev/loop0 bs=64k conv=notrunc (this will take a while if the partition is real big SO DON'T WORRY)

6) Type mkdir /mnt/gentoo then mkdir /mnt/gentoo/boot then mount /dev/hda2 /mnt/gentoo then mount /dev/hda1 /mnt/gentoo/boot (or whatever your partitions are). Then chroot /mnt/gentoo /bin/bash. Then edit fstab to make your root say /dev/loop5 instead of /dev/hdawhatever.

7) cd to /boot/grub and edit grub.conf to add an entry like this:
title=Encrypted Root
root (hd0,0)
kernel /bzImage ro root=/dev/ram1
initrd /initrd.gz

Reboot (TAKE OUT THE KNOPPIX CD) and tell grub you want the Encrypted Root and it will start booting then ask you for your secret pass phrase and EVERYTHING WORKS GREAT!

If it doesn't work it means that you did something wrong so then boot the knoppix cd again and do the losetup (FROM #6 LOOK UP A FEW LINES) again (DON'T DO THE DD AGAIN NO MATTER WHAT) and mount it and then read the loop-AES README to find out what got messed up.

It is easy to encrypt swap and other partitions too. Read the loop-AES README!

Hope you like it!!!
Chad


Last edited by chadders on Sat Jul 05, 2003 4:47 pm; edited 1 time in total
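
As a preflight for step 1 of the post above, this added example (not part of the original post or of loop-AES) checks a kernel .config against the option values the post lists. The function names, the filesystem-to-symbol table and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a kernel .config against the options from step 1.

# cfg_value CONFIG SYMBOL -> value of SYMBOL, or "n" if unset or absent
# (an unset option appears as "# CONFIG_X is not set" or not at all).
cfg_value() {
    v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    echo "${v:-n}"
}

# fs_symbol TYPE -> kernel config symbol for that root filesystem type.
fs_symbol() {
    case "$1" in
        ext2)     echo CONFIG_EXT2_FS ;;
        ext3)     echo CONFIG_EXT3_FS ;;
        xfs)      echo CONFIG_XFS_FS ;;
        reiserfs) echo CONFIG_REISERFS_FS ;;
        jfs)      echo CONFIG_JFS_FS ;;
        *)        return 1 ;;
    esac
}

# check_kernel_config CONFIG ROOTFS -> one line per wrong option;
# returns 0 if all match, 1 if any differ, 2 for an unknown ROOTFS.
check_kernel_config() {
    conf=$1 rootfs=$2 bad=0
    rootsym=$(fs_symbol "$rootfs") || { echo "unknown root fs type: $rootfs"; return 2; }
    for want in CONFIG_MODULES=y CONFIG_BLK_DEV_LOOP=n CONFIG_BLK_DEV_RAM=y \
                CONFIG_BLK_DEV_RAM_SIZE=4096 CONFIG_BLK_DEV_INITRD=y \
                CONFIG_MINIX_FS=y CONFIG_PROC_FS=y "$rootsym=y"; do
        sym=${want%%=*}
        exp=${want#*=}
        got=$(cfg_value "$conf" "$sym")
        if [ "$got" != "$exp" ]; then
            echo "$sym is $got, need $exp"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: loop driver and root filesystem both built as
# modules, the two cases the post says will not work.
sample_config() {
    cat <<'EOF'
CONFIG_MODULES=y
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_INITRD=y
CONFIG_MINIX_FS=y
CONFIG_PROC_FS=y
CONFIG_XFS_FS=m
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
check_kernel_config "$tmp" xfs || echo "fix these, rebuild and test-boot before encrypting"
rm -f "$tmp"
```

On a real system, point it at the kernel tree's config, for example `check_kernel_config /usr/src/linux/.config xfs`.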

EvvL
n00b

Joined: 28 Nov 2002
Posts: 16
Location: Stockton, California

Posted: Tue Jan 21, 2003 10:11 pm

Great post.

Only got one question. What's the overhead for running an encrypted file system?
_________________
If Microsoft really wanted to kill open source, they'd put you all in the same room together with weapons and tequila.
-- John Jasen, LKML

chadders
Tux's lil' helper

Joined: 21 Jan 2003
Posts: 113

Posted: Tue Jan 21, 2003 10:55 pm

I haven't figured out how to tell that exactly.

I think it is pretty fast because I did a emerge -u world with the stage3 and all of GRP packages and it took about a whole day BEFORE encrypted root. Then I messed up bad and had to load everything again and this time I did a emerge -u world AFTER encrypted root and it still took a whole day but not two days. I think it's a little bit slower but not a lot slower. I don't know exactly when it gets done because sometimes it gets done when I'm sleeping or at school.

I didn't keep good track because I was kinda mad at myself for messing it up.

When I browse and xchat and stuff like that it is about the same I can't tell the difference.

Chad

klasikahl
Retired Dev

Joined: 04 Nov 2002
Posts: 118
Location: Paradise Valley, Arizona

Posted: Wed Jan 22, 2003 6:46 am

what fs are you currently using?

it's not just the performance of a decrypted root fs vs. an encrypted root fs that intrigues me, but rather what fs performs the best when it's encrypted.

chadders
Tux's lil' helper

Joined: 21 Jan 2003
Posts: 113

Posted: Wed Jan 22, 2003 7:06 am

I used XFS for encrypted root. I tried REISERFS and EXT3 before. I think I like XFS best but it probably doesn't make very much difference because I can't tell if one is faster or not. I don't know very much about filesystem stuff yet but I am working on that. If you know that one is better please tell me so that I can try it out.

Chad

klasikahl
Retired Dev

Joined: 04 Nov 2002
Posts: 118
Location: Paradise Valley, Arizona

Posted: Wed Jan 22, 2003 7:45 am

if you are up to the benchmarking, i would like to see

jfs vs xfs vs reiser (vs ext3) <-- ext3 = not too important

the most accurate way to benchmark them is to crank out bzImages, compile after compile.... write a simple bash script to do it like 10 times
Code:
 time for i in 1 2 3 4 5 6 7 8 9 10; do make clean && make bzImage; done

and just run that on all the subject FSes. the time output should give you the accumulative time (unless i placed it wrong, i am running on 2hrs of sleep and it's 1am). LMK how it goes

i would help you test, but my server is down and i have to use my desktop to do emergency webserving and can't afford that much downtime...

good luck, keep us updated :)

[edit] just tested that bash line and it works fine with timings and all, just make sure you are in your kernel dir when you run it ;) [/edit]

Loke^
n00b

Joined: 09 Jan 2003
Posts: 51
Location: Stockholm, Sweden

Posted: Wed Jan 22, 2003 8:11 am

Great post :-)
A question; Are you really 13 years old? :P
Not very often you see a 13 year old kid who can think by himself :)
(Not literally speaking..)
_________________
^L

chadders
Tux's lil' helper

Joined: 21 Jan 2003
Posts: 113

Posted: Wed Jan 22, 2003 8:14 am

That is hard because I have a crappy computer and it's kinda old and not very fast and not a very big disk drive with no space for another partition on it. Changing the encrypted root partition from one kind of filesystem to another kind takes me 2 days each time because I have to reinstall gentoo.

We have another computer that's real fast but it's my dad's and he won't let me use it anymore because he says I'm too dangerous. :roll:

Chad

klasikahl
Retired Dev

Joined: 04 Nov 2002
Posts: 118
Location: Paradise Valley, Arizona

Posted: Wed Jan 22, 2003 2:13 pm

just woke up and leaving for class in like 5 minutes, so i must make this brief.

i understand your problem and would be willing to head up an effort to benchmark the different FS's while encrypted; however i cannot do it alone... (to anyone reading this) if you would like to help in the testing of the filesystems (note, you don't have to convert your root FS to test it in this fashion, but it would be more accurate that way), please contact me by using the phpbb (these forums) contact methods

klasikahl -- zack

EvvL
n00b

Joined: 28 Nov 2002
Posts: 16
Location: Stockton, California

Posted: Wed Jan 22, 2003 11:54 pm

I'd be willing to help benchmark the speed difference. I got a spare Dual PIII 1GHz with 512 RAM at home that's not doing anything and some time to kill :). I can start some unencrypted benchmarks tonight and maybe some of the encrypted.

snowmoon
n00b

Joined: 05 Jun 2002
Posts: 64
Location: Albany,NY USA

Posted: Thu Jan 23, 2003 3:58 am

A simple compile of the kernel is not a good test of FS performance, since with enough memory most of the files would be cached in buffers. There are plenty of real fs benchmarking utils out there that would be more appropriate.

I can think of much more interesting reasons to encrypt your entire filesystem than keeping mp3's away from your family members. My fileserver would already be encrypted, but a p200 is not exactly well suited for the job.

klasikahl
Retired Dev

Joined: 04 Nov 2002
Posts: 118
Location: Paradise Valley, Arizona

Posted: Thu Jan 23, 2003 4:33 am

agreed, however, it would seem as though among mailing lists, cranking out bzImages is the standard... i do think bonnie may be more suited for this job, however.

arkane
l33t

Joined: 30 Apr 2002
Posts: 918
Location: Phoenix, AZ

Posted: Thu Jan 23, 2003 6:21 am

I've always wanted to do this, but I've never gotten around to it. (or I guess I've never had a gun put to my head and told "make an encrypted filesystem setup in 5 minutes") Now, I'm running LVM.. expandable, shrinkable, etc. This is great for static partitions, but what would really be spack-dang-tacular is if something like this was built into the IO of the kernel somehow to be independent of loopback.

My manager about 3-4 years back did this, and it was awesome though. (with slackware I believe it was) He ran it on a Pentium 400 or so, and it ran just like normal.

klasikahl
Retired Dev

Joined: 04 Nov 2002
Posts: 118
Location: Paradise Valley, Arizona

Posted: Thu Jan 23, 2003 6:29 am

OT: where in AZ are you from?

on topic: i use evms (atop lvm), so i don't know if that will contribute to the quickness or slowness of the system, although i ****highly**** doubt it will slow it down due to the fact that evms is kernel lowlevel (iirc)

side note: evms has everything else, now they need to implement an "encrypt" function


/me hounds IBM ;)

also: if a moderator comes across this, you can feel free to split the discussion of benchmarking, etc. to a new topic as it feels as though we are deviating a wee bit too much to me.

contigab
n00b

Joined: 18 Dec 2002
Posts: 57
Location: Italy

Posted: Thu Jan 23, 2003 5:15 pm    Post subject: about crypto filesystems

I actually used another way to do that.

I used cryptoapi-0.1.0 compiled with the following syntax:

make modules KDIR=/usr/src/linux
make modules_install

and cryptoloop-0.0.1-pre1 compiled like that:

make modules KDIR=/usr/src/linux CDIR=/root/cryptoapi-0.1.0
make modules_install

In this way I didn't even need to patch and recompile my kernel.

Then I added to my modules.autoload the needed modules:
cryptoloop
cryptoapi
cipher-twofish (you can choose as many ciphers as you want)

then I have built a couple of perl scripts...
The first one acts like a server and runs on a server machine.
The second one queries the server from the client and mounts a crypto filesystem on demand of the user (it can be added to ~/.bashrc to do that automatically at login) getting the needed password from the server (I prefer not to store the password in the local filesystem for security problems).
All the communication between server and client is encrypted with perl modules Crypt::Blowfish and Crypt::CBC.

I can publish the scripts on demand. But what do you think of my solution?
_________________
Linux! :)

sethrab
n00b

Joined: 23 Jan 2003
Posts: 3

Posted: Thu Jan 23, 2003 10:10 pm

This kid has pulled off something that few fully appreciate, including himself in all likelihood. He has encrypted his root filesystem and by inference ALL of his other partitions (except a small Boot) as well.

That means that there is no information whatsoever available to attackers who may gain physical access to the machine. No logs, no software configuration information (registry/gconf and so forth), no deleted files, no hidden application files, no browser cookies, no residual trash on swap, nothing.

Perhaps someone could gain his pass phrases by attaching a hardware keystroke logger... and even then there are options, such as a GnuPG keyring on a diskette. I would hate to be the corporate spy (or law enforcement official) trying to extract useful information from such a machine.

This configuration is perfect for laptop computers that might "walk away". Even Windows users can benefit... Imagine a copy of Windows XP under VMware with the XP virtual disks themselves hosted beneath an encrypted filesystem. It would be impossible to determine that XP even existed on the box.

klasikahl
Retired Dev

Joined: 04 Nov 2002
Posts: 118
Location: Paradise Valley, Arizona

Posted: Thu Jan 23, 2003 11:23 pm

contigab: your solution sounds like a good one, but what did you do after emerging the package? the same post-kernel setup as chadders posted?

kachaffeous
Tux's lil' helper

Joined: 07 Jun 2002
Posts: 86

Posted: Fri Jan 24, 2003 3:43 am

What are the benefits of this? Just wondering, don't know much about encryption.

klasikahl
Retired Dev

Joined: 04 Nov 2002
Posts: 118
Location: Paradise Valley, Arizona

Posted: Fri Jan 24, 2003 4:07 am

should your computer be seized by the government, the harddrives are useless to them (unless they can crack a theoretically uncrackable password), no one can access your files unless you want them to, and general security.

Vancouverite
Apprentice

Joined: 28 Sep 2002
Posts: 162
Location: Vancouver, Canada

Posted: Fri Jan 24, 2003 4:40 am

Has anyone else got this working? I don't have an expendable root partition to risk losing everything from.

BTW: How does compiling a kernel benchmark a file system, in any way?

sethrab
n00b

Joined: 23 Jan 2003
Posts: 3

Posted: Fri Jan 24, 2003 2:56 pm

I have it working also. Chadders' instructions are adequate, especially when backed up by the loop-AES README material.

My experience with performance is very encouraging. The performance hit is much MUCH less than I anticipated across all filesystems. This is probably a result of how well the fs buffers data thus avoiding disk access (and corresponding encryption overhead).

IMHO, multiple passes compiling the kernel is not a very helpful benchmark. However, it does illustrate how trivially small the performance impact is on machines that are not memory constrained.

One caveat to the install, be sure *not* to have the filesystem mounted at the time the dd if=/dev/hda? of=/dev/loop? initially encrypts the partition. The unmount which will inevitably follow writes a few blocks of meta data (in the clear) which will damage the partition and may leave it unrecoverable.

An earlier post (contigab) made the comment that similar results can be achieved using modules taken from the cryptoloop package. If the similar result is an encrypted "root" filesystem then additional work is needed. The kernel will not have access to the root file system to retrieve the encryption module until the encryption module is retrieved... a chicken and egg problem. This is the reason that an intermediate root (initrd=/dev/ram) is required to boot. Contigab handles encrypted home, etc, very well and is useful, but does not appear to handle the encrypted root case. The original loop-AES post that started this thread does address this.

An interesting article recently appeared on the BBC that illustrates another case why one would want to do this: http://news.bbc.co.uk/1/hi/technology/2676461.stm . Due prudence?
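
The caveat above about the partition being mounted during the dd pass can be enforced with a guard; this is an added example, not code from the thread or from loop-AES. It is a dry run that only prints the losetup and dd commands from the first post, and the function names and sample /proc/mounts and /proc/swaps contents are constructed.

```shell
#!/bin/sh
# Added example: refuse to plan the in-place encryption pass while the
# partition is mounted or in use as swap. Nothing is written to disk.

# in_use DEV [MOUNTS] [SWAPS] -> prints why DEV is busy, returns 0 if busy.
# MOUNTS and SWAPS follow the /proc/mounts and /proc/swaps layouts.
in_use() {
    dev=$1 mounts=${2:-/proc/mounts} swaps=${3:-/proc/swaps}
    mp=$(awk -v d="$dev" '$1 == d { print $2; exit }' "$mounts")
    if [ -n "$mp" ]; then
        echo "$dev is mounted on $mp"
        return 0
    fi
    # First line of /proc/swaps is a header, so skip it.
    if awk -v d="$dev" 'NR > 1 && $1 == d { found = 1 } END { exit !found }' "$swaps"; then
        echo "$dev is active swap"
        return 0
    fi
    return 1
}

# plan_encrypt DEV LOOP [MOUNTS] [SWAPS] -> prints the two commands from
# the first post, or the reason for refusing (return 1).
plan_encrypt() {
    if reason=$(in_use "$1" "$3" "$4"); then
        echo "refusing: $reason; umount or swapoff first"
        return 1
    fi
    echo "losetup -e AES256 -T $2 $1"
    echo "dd if=$1 of=$2 bs=64k conv=notrunc"
}

# Constructed sample tables: hda2 is mounted, hda3 is swap.
sample_mounts() {
    cat <<'EOF'
/dev/hda1 /boot ext2 rw 0 0
/dev/hda2 /mnt/gentoo xfs rw 0 0
proc /proc proc rw 0 0
EOF
}
sample_swaps() {
    cat <<'EOF'
Filename Type Size Used Priority
/dev/hda3 partition 262136 0 -1
EOF
}

m=$(mktemp); s=$(mktemp)
sample_mounts > "$m"; sample_swaps > "$s"
plan_encrypt /dev/hda2 /dev/loop0 "$m" "$s" || true   # refused: mounted
plan_encrypt /dev/hda5 /dev/loop0 "$m" "$s"           # prints the commands
rm -f "$m" "$s"
```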

splooge
l33t

Joined: 30 Aug 2002
Posts: 636

Posted: Sat Jan 25, 2003 3:03 am

Ack!

I was doing the dd if/of part when something crashed =( System hard-locked. I think it's related to my SCSI card, though it's possible it could be related to ram but ... my kernel compiles have been going just fine, no weird errors...no odd panics or anything ... ever.

Well, I'm gonna try again. I'm always looking for a reason to reinstall anyways. =) Hey, I get to try the new live cd out now!

hairyfeet
Tux's lil' helper

Joined: 07 Jan 2003
Posts: 118
Location: Århus, Denmark

Posted: Tue Jan 28, 2003 9:34 am

chadders wrote:
That is hard because I have a crappy computer and it's kinda old and not very fast


How crappy is that? Because I'm considering using a C3 800 as file and webserver and was wondering how well it would perform if I encrypted the root file system?

turbobri
n00b

Joined: 07 Oct 2002
Posts: 14

Posted: Mon Feb 03, 2003 4:04 am    Post subject: i messed it up

Well I followed chadders' instructions and it all seemed to work as described. That is until I tried to do the final reboot into my newly encrypted root. It never asked me for a password on boot and the system quickly halted with a kernel panic.

I rebooted with Knoppix and was able to losetup and mount the encrypted partition, and everything seems to be intact. All the necessary files are in the /boot partition, and my grub.conf looks ok. The only thing that was different was that I was using an older version of Knoppix and losetup did not recognize the -T option, so I omitted it. Any suggestions?

Also if I wanted to UN-encrypt this partition, would the following work:
1) Boot Knoppix
2) losetup -e AES256 /dev/loop0 /dev/hda5
3) dd if=/dev/loop0 of=/dev/hda5 bs=64k conv=notrunc

help!

chadders
Tux's lil' helper

Joined: 21 Jan 2003
Posts: 113

Posted: Mon Feb 03, 2003 12:57 pm

It sounds like it couldn't find the initrd.gz ram disk (because it didn't ask for the pass phrase). Look in build-initrd.sh in the loop-AES directory and follow the instructions EXACTLY. Especially the part about what to put in LILO or GRUB.

I don't think the -T on the losetup would mess it up it just means prompt for the passphrase two times.

This is what my grub.conf looks like:

default 0
timeout 15
splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title=Gentoo Linux (Secure)
root (hd0,0)
kernel /bzImage ro root=/dev/ram1
initrd /initrd.gz

Also make sure that you got the right partitions in there, this is what I use:

# normal /boot partition
BOOTDEV=/dev/hda1

# /boot partition type
BOOTTYPE=ext2


# encrypted root partition
CRYPTROOT=/dev/hda3

# root partition type
ROOTTYPE=xfs

# encryption type (AES128 / AES192 / AES256) of root partition
CIPHERTYPE=AES256

Make sure that you copy the loop-`uname -r`.o to your /boot.

I think you can UNencrypt your root ok like you said but I never tried that before.

Chad

P.S. Make SURE you got your /boot mounted before you run build-initrd.sh