[mini-HOWTO] Encrypting root file system with dm-crypt
westboy21 (Tux's lil' helper)
Joined: 10 Oct 2003, Posts: 135, Location: Raleigh, North Carolina
Posted: Thu Dec 23, 2004 4:25 am

This is the beauty of the dm-crypt module and the cryptsetup program. Any live cd with crypto support and the cryptsetup program can create the map to the encrypted filesystem with the command

Code:
cryptsetup create root /dev/hd**


then you can just mount the /dev/mapper/root device anywhere in the livecd RAM filesystem. Voilà.
ross8653 (n00b)
Joined: 14 Jan 2004, Posts: 51
Posted: Mon Dec 27, 2004 8:12 pm

westboy21, can you post your devmap_mknod.sh?

Last edited by ross8653 on Wed Jan 19, 2005 3:17 pm; edited 1 time in total

westboy21 (Tux's lil' helper)
Joined: 10 Oct 2003, Posts: 135, Location: Raleigh, North Carolina
Posted: Fri Jan 14, 2005 5:42 am

Well ... looks like I need to log in here every now and then. Sorry about missing the PM by about a month. Here is my dev_mknod script:

Code:
#! /bin/sh

# Startup script to create the device-mapper control device
# on non-devfs systems.
# Non-zero exit status indicates failure.

# These must correspond to the definitions in device-mapper.h and dm.h
DM_DIR="mapper"
DM_NAME="device-mapper"

set -e

DIR="/dev/$DM_DIR"
CONTROL="$DIR/control"

# Check for devfs, procfs
if test -e /dev/.devfsd ; then
        echo "devfs detected: devmap_mknod.sh script not required."
        exit
fi

if test ! -e /proc/devices ; then
        echo "procfs not found: please create $CONTROL manually."
        exit 1
fi

# Get major, minor, and mknod
MAJOR=$(sed -n 's/^ *\([0-9]\+\) \+misc$/\1/p' /proc/devices)
MINOR=$(sed -n "s/^ *\([0-9]\+\) \+$DM_NAME\$/\1/p" /proc/misc)

if test -z "$MAJOR" -o -z "$MINOR" ; then
        echo "$DM_NAME kernel module not loaded: can't create $CONTROL."
        exit 1
fi

mkdir -p --mode=755 $DIR
test -e $CONTROL && rm -f $CONTROL

echo "Creating $CONTROL character device with major:$MAJOR minor:$MINOR."
mknod --mode=600 $CONTROL c $MAJOR $MINOR


Here is my linuxrc script:
Code:

#!/bin/sh
export PATH=/bin

mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
devmap_mknod.sh
umount /proc

if [ -L /dev/mapper/root ] ; then
        rm -f /dev/mapper/root
fi
if [ -b /dev/mapper/root ] ; then
        rm -f /dev/mapper/root
fi
cryptsetup create root /dev/hda4
mount -t reiser4 /dev/mapper/root /new
cd /new
mkdir initrd
pivot_root . initrd

exec chroot . /bin/sh <<- EOF >/dev/console 2>&1
umount initrd
rm -rf initrd
blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF


Maybe this can help someone else in the future. :)

QuizMasta (n00b)
Joined: 07 Mar 2004, Posts: 10
Posted: Fri Jan 28, 2005 11:45 am

I've run into a problem following this guide (and another one, for that matter). My root partition is encrypted and the linuxrc script mounts the root just fine. After typing the passphrase my root is mounted (together with my swap?) and I get this:
Code:
Give root password for maintence
(or type Control-D for normal start up):


If I type ctrl+d the damn thing restarts :(

If I login using the root pass I get my normal root shell. Snooping around in there only adds to the confusion:
1) Mount reports that the root device is /dev/hda7 (and not /dev/mapper/cryptroot)
2) /dev/mapper/cryptroot does not exist. Only /dev/mapper/control
3) When looking at dmesg, these are the last entries:
Code:
ReiserFS: dm-0: found reiserfs format "3.6" with standard journal
ReiserFS: dm-0: using ordered data mode
ReiserFS: dm-0: journal params: device dm-0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
ReiserFS: dm-0: checking transaction log (dm-0)
ReiserFS: dm-0: Using r5 hash to sort names
Adding 506008k swap on /dev/hda5.  Priority:-1 extents:1

And as far as I know, mounting swap is part of the actual init, not the ramdisk init - or am I wrong?

And why would ReiserFS report the device to be dm-0 when I've named it cryptroot?

ANY help/input is greatly appreciated!

westboy21 (Tux's lil' helper)
Joined: 10 Oct 2003, Posts: 135, Location: Raleigh, North Carolina
Posted: Tue Feb 01, 2005 5:17 am

Man ... I wish I could help you out on this one. Just last week I tried another Gentoo installation using this guide and ended up with the same problems as you. Let me guess: right before you get the prompt asking for your root password for maintenance, you probably got some error saying that the root device couldn't be checked, or something to that effect.

My problem was that /dev/mapper/root was getting created but once udev started up, it was removing everything in /dev and repopulating it.

I didn't use to have these issues. Anyone else have this issue? Seems to be an LVM naming issue. I've researched most of the posts I can find relating to LVM and udev, but can't find any substantial answer that WORKS.

I finally gave up. Please post anything else you may find!

westboy21 (Tux's lil' helper)
Joined: 10 Oct 2003, Posts: 135, Location: Raleigh, North Carolina
Posted: Tue Feb 01, 2005 5:33 am

Try this post!

https://forums.gentoo.org/viewtopic.php?t=283948&highlight=

schachti (Advocate)
Joined: 28 Jul 2003, Posts: 3765, Location: Gifhorn, Germany
Posted: Thu Feb 17, 2005 7:04 pm

Does someone know what I have to do in a different way if I'm not using udev?

schachti (Advocate)
Joined: 28 Jul 2003, Posts: 3765, Location: Gifhorn, Germany
Posted: Tue Feb 22, 2005 6:49 am    Post subject: Re: [mini-HOWTO] Encrypting root file system with dm-crypt

veezi wrote:
Now to encrypting the file system (make sure you have backup!!!). How you encrypt it depends on you. Here I'm assuming you've enough space in hda3, and you've a linux boot CD or linux installed on a another partition, and you've booted from that:

Where can I get a boot CD that supports cryptsetup? I tried a recent version of Knoppix; it does not. :cry:

ross8653 (n00b)
Joined: 14 Jan 2004, Posts: 51
Posted: Mon Feb 28, 2005 9:56 pm

The Gentoo LiveCD Universal 2004.3 has it.

Coper (n00b)
Joined: 02 Mar 2005, Posts: 1
Posted: Wed Mar 02, 2005 6:13 pm

Hi, I tried to mount my USB stick in my linuxrc file, but it just says that the device doesn't exist.

I have made /dev/uba1 (b 180 1).

Any ideas? Running 2.6.10.

ross8653 (n00b)
Joined: 14 Jan 2004, Posts: 51
Posted: Wed Jul 20, 2005 9:03 pm

I have been playing with swap encryption and cannot get udev to do what I want, so I've just created the swap in /etc/conf.d/local.start.
The wiki entry is updated with info about my quick solution.

Also, for people who are having problems with creating the mapping to swap taking ages: check the wiki. The problem is that your /dev/random runs out of entropy; you can move the mouse around or use /dev/urandom.
http://en.wikipedia.org/wiki//dev/random

mahatmah (n00b)
Joined: 08 Apr 2004, Posts: 17, Location: Graz
Posted: Thu Jul 21, 2005 7:14 pm

I have encrypted my root filesystem with dm-crypt. Instead of standard cryptsetup I preferred cryptsetup-luks. In my opinion it is a little bit better because it supports more than one key...

I have created my root partition with the following parameters:

Code:
cryptsetup -c aes-cbc-essiv:sha256 -s 128 luksFormat /dev/hda3


Everything is working fine, only my hard drive throughput is really bad. Gkrellm shows up to 2,5M (MByte/s); it isn't really funny to copy something from or to my unencrypted second disk.
I have a 2,8 GHz P4, CPU is up to 99%, RAM usage is low (512 MB, around 150 MB used).
I don't think it is because I chose cryptsetup-luks instead of cryptsetup, because only the handling of the passphrase is different (I think). Maybe because I chose "essiv" instead of the standard "plain"; I have chosen essiv because I read it helps a lot against watermark attacks.
So, my question is: is it normal that the hard drive performance is that poor?

ross8653 (n00b)
Joined: 14 Jan 2004, Posts: 51
Posted: Thu Jul 21, 2005 10:05 pm

Assuming you're not on a laptop and are using a 7200 rpm IDE/SATA drive, no, it should be a bit better. Here's an example with my craptastic 4200 rpm laptop hard drive and a P3 500 MHz, using AES and a 256-bit key. /dev/mapper/root maps to /dev/hda3:
Code:

taptap linux # hdparm -t /dev/mapper/root /dev/hda3

/dev/mapper/root:
 Timing buffered disk reads:   26 MB in  3.11 seconds =   8.37 MB/sec

/dev/hda3:
 Timing buffered disk reads:   40 MB in  3.13 seconds =  12.77 MB/sec


Say your partition that is encrypted is /dev/hda3 and your device map to that partition is /dev/mapper/root.

You can check the difference encryption makes to the speed of your drive by
Code:

hdparm -t /dev/hda3 /dev/mapper/root

Run that a few times, also on your second drive, to make sure that is not holding anything up. If it is still slow due to encryption, you can check if using cryptsetup-luks has anything to do with it by making a map with cryptsetup and testing cryptsetup's performance. This shouldn't hurt any data since you are only read testing, but to be sure you can do this to your swap partition (after shutting off swap, of course).
Say hda2 is swap:

Code:

swapoff /dev/hda2
free          (check if swap is gone)
cryptsetup -d /dev/urandom create testmap /dev/hda2
(now create a map from /dev/hda2 using your cryptosetup-luks with the same algorithm and key size that you normally use)


Now you should have two encrypted maps to the same partition /dev/hda2 (testmap, and the one you created). Let's run hdparm again:
Code:

hdparm -t /dev/hda2 /dev/mapper/testmap /dev/mapper/YOURMAPHERE


What are the results?

mahatmah (n00b)
Joined: 08 Apr 2004, Posts: 17, Location: Graz
Posted: Thu Jul 21, 2005 11:07 pm

ross8653 wrote:
Code:
taptap linux # hdparm -t /dev/mapper/root /dev/hda3

/dev/mapper/root:
 Timing buffered disk reads:   26 MB in  3.11 seconds =   8.37 MB/sec

/dev/hda3:
 Timing buffered disk reads:   40 MB in  3.13 seconds =  12.77 MB/sec


Oh my goodness, so silly, I had forgotten to include my settings for DMA in the kernel. I'm sorry.
But I didn't know the hdparm -t testing thing. Here is my output after finally enabling DMA:
Code:

nozomi ftp # hdparm -t /dev/mapper/root /dev/hda3

/dev/mapper/root:
 Timing buffered disk reads:   60 MB in  3.07 seconds =  19.53 MB/sec
HDIO_DRIVE_CMD(null) (wait for flush complete) failed: Inappropriate ioctl for device

/dev/hda3:
 Timing buffered disk reads:  160 MB in  3.04 seconds =  52.62 MB/sec



Not that bad, I think; it is really great :)
Thanks for your response. I didn't even think about DMA, I thought it could only be the encryption...
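ross8653's hdparm comparison and mahatmah's numbers above, as an added example that is not code from any poster: a small POSIX sh script that parses hdparm -t output (the SAMPLE text is constructed from mahatmah's post after enabling DMA) and reports the throughput penalty of the dm-crypt mapping against its backing partition, so the check can be repeated after each change (DMA, cipher, key size, cryptsetup vs cryptsetup-luks) without reading the numbers off by eye.

```shell
#!/bin/sh
# Added example (not from the thread): compare hdparm -t results for a dm-crypt
# mapping and the partition behind it, and report the encryption overhead.
# SAMPLE is constructed from the output mahatmah posted; on a live system
# replace it with: SAMPLE=$(hdparm -t /dev/mapper/root /dev/hda3 2>&1)
SAMPLE='/dev/mapper/root:
 Timing buffered disk reads:   60 MB in  3.07 seconds =  19.53 MB/sec
HDIO_DRIVE_CMD(null) (wait for flush complete) failed: Inappropriate ioctl for device

/dev/hda3:
 Timing buffered disk reads:  160 MB in  3.04 seconds =  52.62 MB/sec'

# hdparm_rate DEVICE TEXT: print the MB/sec hdparm measured for DEVICE, or
# nothing if DEVICE does not appear. The rate is the field before "MB/sec";
# the HDIO_DRIVE_CMD line hdparm prints for a dm device (which does not
# support that IDE ioctl) is simply skipped.
hdparm_rate() {
    printf '%s\n' "$2" | awk -v dev="$1:" '
        $0 == dev { want = 1; next }
        want && /Timing buffered disk reads/ { print $(NF - 1); exit }'
}

# crypt_penalty MAPPED BACKING TEXT: print the slowdown of MAPPED relative to
# BACKING as a rounded whole percentage; fail if either device is missing.
crypt_penalty() {
    m=$(hdparm_rate "$1" "$3")
    b=$(hdparm_rate "$2" "$3")
    [ -n "$m" ] && [ -n "$b" ] || return 1
    awk -v m="$m" -v b="$b" 'BEGIN { printf "%d\n", (1 - m / b) * 100 + 0.5 }'
}

# Check the raw partition first: a raw rate around 10 MB/sec or less points at
# DMA being off (mahatmah's first result), not at the cipher.
raw=$(hdparm_rate /dev/hda3 "$SAMPLE")
pen=$(crypt_penalty /dev/mapper/root /dev/hda3 "$SAMPLE")
echo "raw /dev/hda3: ${raw} MB/sec, dm-crypt penalty on /dev/mapper/root: ${pen}%"
```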