steeledan n00b
Joined: 18 Jul 2004 Posts: 8
|
Posted: Sun Jul 18, 2004 9:48 am Post subject: Simple Encrypted Root Filesystem w/ Device Mapper (2.6) |
|
|
I recently encrypted my root file system, and I decided to write a how-to to help others save a lot of trouble. I may be forgetting something, so back up your system first. And you should BACK IT UP ANYWAY just in case something goes wrong - who knows if you'll lose power or something.... I flunked college writing 1 the first time through, so feel free to rewrite in a more descriptive idiot-proof way.
This assumes /dev/hda1 is /boot with grub and the kernel, and /dev/hda2 is the root file system. You'll need a 2.6 kernel with device mapper, crypt target, and aes compiled in. You'll also need cryptsetup installed. If you haven't already encrypted your swap file system with dm-crypt or similar, you should do it now so your pass phrase doesn't get swapped to disk.
You'll need these files in /boot in addition to grub and the kernel:
bin/bash bin/cat bin/chroot bin/dd bin/mount bin/sh bin/umount
dev/
etc/fstab etc/mtab
lib/ld-linux.so.2 lib/libc.so.6 lib/libdl.so.2 lib/libnsl.so.1
mnt/root/
sbin/cryptsetup sbin/init sbin/pivot_root
usr/lib/libgcrypt.so.11 usr/lib/libgpg-error.so.0 usr/lib/libpopt.so.0
/boot/etc/fstab contains the following:
/dev/hda1 / ext2 noauto,noatime 0 0
/dev/mapper/root /mnt/root reiserfs ro 0 0
none /dev devfs defaults 0 0
/boot/etc/mtab is an empty file.
/boot/sbin/init contains the following (chmod 755!):
#!/bin/sh
/sbin/cryptsetup -c aes-plain -h sha512 -s 256 create root /dev/discs/disc0/part2
/bin/mount /mnt/root -n
cd /mnt/root
/sbin/pivot_root . ./boot
exec /bin/chroot . /bin/sh -c "/bin/umount /boot/dev -n;/bin/umount /boot -n;exec /sbin/init" </dev/console >/dev/console 2>&1
You'll need to change the root mount point in the real /etc/fstab and your grub config to root=/dev/hda1.
I used an extra hard drive to do the actual encryption, but you should be able to do the following:
Boot the kernel with root=/dev/hda1 init=/bin/sh
/sbin/cryptsetup -y -c aes-plain -h sha512 -s 256 create root /dev/discs/disc0/part2
/bin/dd if=/dev/discs/disc0/part2 of=/dev/mapper/root bs=4k
Then reboot as usual and pray everything isn't gone.
|
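An added example, not part of the original posts: a POSIX sh check that a staged /boot partition holds every path the first post lists, before rebooting into it. It assumes the listed paths are relative to the partition root (as with /boot/etc/fstab and /boot/sbin/init in the post); the function name `check_boot_tree` and its messages are illustrative.

```shell
#!/bin/sh
# Added example: verify a staged /boot tree before rebooting.
# Paths are the ones listed in the post, relative to the /boot partition root.
BOOT_FILES="bin/bash bin/cat bin/chroot bin/dd bin/mount bin/sh bin/umount
etc/fstab etc/mtab
lib/ld-linux.so.2 lib/libc.so.6 lib/libdl.so.2 lib/libnsl.so.1
sbin/cryptsetup sbin/init sbin/pivot_root
usr/lib/libgcrypt.so.11 usr/lib/libgpg-error.so.0 usr/lib/libpopt.so.0"
BOOT_DIRS="dev mnt/root"

# check_boot_tree PREFIX: print every problem found, return 0 only if none.
check_boot_tree() {
    prefix=$1
    problems=0
    for f in $BOOT_FILES; do
        # -e follows symlinks, so a dangling library symlink is reported too
        if [ ! -e "$prefix/$f" ]; then
            echo "missing file: $f"; problems=$((problems + 1))
        fi
    done
    for d in $BOOT_DIRS; do
        if [ ! -d "$prefix/$d" ]; then
            echo "missing directory: $d/"; problems=$((problems + 1))
        fi
    done
    # The kernel executes sbin/init directly, so it must be executable (chmod 755)
    if [ -e "$prefix/sbin/init" ] && [ ! -x "$prefix/sbin/init" ]; then
        echo "not executable: sbin/init"; problems=$((problems + 1))
    fi
    # The post specifies an empty mtab
    if [ -s "$prefix/etc/mtab" ]; then
        echo "not empty: etc/mtab"; problems=$((problems + 1))
    fi
    # init runs "mount /mnt/root", which needs this fstab entry
    if [ -f "$prefix/etc/fstab" ] &&
       ! grep -Eq '^/dev/mapper/root[[:space:]]+/mnt/root[[:space:]]' "$prefix/etc/fstab"; then
        echo "etc/fstab: no /dev/mapper/root entry for /mnt/root"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Usage: sh check-boot.sh /boot   (does nothing when run without an argument)
if [ "$#" -gt 0 ]; then
    check_boot_tree "$1" && echo "boot tree looks complete"
fi
```

The check only confirms that the files are present; it does not confirm that the copied libraries match the copied binaries.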
schachti Advocate
Joined: 28 Jul 2003 Posts: 3765 Location: Gifhorn, Germany
|
Posted: Mon Oct 11, 2004 5:00 pm Post subject: Re: Simple Encrypted Root Filesystem w/ Device Mapper (2.6) |
|
|
Has anyone tried this? I've got some questions...
Just to be sure:
steeledan wrote: |
You'll need these files in /boot in addition to grub and the kernel:
bin/bash bin/cat bin/chroot bin/dd bin/mount bin/sh bin/umount
dev/
etc/fstab etc/mtab
lib/ld-linux.so.2 lib/libc.so.6 lib/libdl.so.2 lib/libnsl.so.1
mnt/root/
sbin/cryptsetup sbin/init sbin/pivot_root
usr/lib/libgcrypt.so.11 usr/lib/libgpg-error.so.0 usr/lib/libpopt.so.0
|
Am I supposed to copy all these files to /boot, or to /boot/bin/bash, /boot/bin/cat, ..., /boot/usr/lib/libpopt.so.0?
What do the entries "dev/" and "mnt/root" mean - do I have to create empty directories called "/boot/dev/" and "/boot/mnt/root"?
steeledan wrote: |
/boot/etc/fstab contains the following:
/dev/hda1 / ext2 noauto,noatime 0 0
/dev/mapper/root /mnt/root reiserfs ro 0 0
none /dev devfs defaults 0 0
|
What about
Code: |
none /dev/shm tmpfs defaults 0 0
|
from my /etc/fstab? Should I add this line, too?
Thanks in advance - maybe dumb questions, but I don't want to lose my data...
|
westboy21 Tux's lil' helper
Joined: 10 Oct 2003 Posts: 135 Location: Raleigh, North Carolina
|
Posted: Tue Dec 14, 2004 4:45 pm Post subject: |
|
|
I followed these instructions, but for some reason, all I get when I boot is a kernel panic. The panic error suggests that I pass the kernel an init=. What did I do wrong?
When I compile the kernel, am I supposed to compile in support for devfs, and have it mount at boot time?
|
c0rvus n00b
Joined: 15 Dec 2004 Posts: 1 Location: S'toon
|
Posted: Mon Dec 27, 2004 8:29 pm Post subject: [mini-HOWTO] Encrypting root file system with dm-crypt |
|
|
samx put together another document regarding this which is fairly good...
you might want to take a look at https://forums.gentoo.org/viewtopic.php?t=163762