Simple Encrypted Root Filesystem w/ Device Mapper (2.6)

[steeledan]

I recently encrypted my root file system, and I decided to write a how-to to help others save a lot of trouble. I may be forgetting something, so back up your system first. And you should BACK IT UP ANYWAY just in case something goes wrong - who knows if you'll lose power or something.... I flunked college writing 1 the first time through, so feel free to rewrite in a more descriptive idiot-proof way

This assumes /dev/hda1 is /boot with grub and the kernel, and /dev/hda2 is the root file system. You'll need a 2.6 kernel with device mapper, crypt target, and aes compiled in. You'll also need cryptsetup installed. If you haven't already encrypted your swap file system with dm-crypt or similar, you should do it now so your pass phrase doesn't get swapped to disk.

You'll need these files in /boot in addition to grub and the kernel:
bin/bash bin/cat bin/chroot bin/dd bin/mount bin/sh bin/umount
dev/
etc/fstab etc/mtab
lib/ld-linux.so.2 lib/libc.so.6 lib/libdl.so.2 lib/libnsl.so.1
mnt/root/
sbin/cryptsetup sbin/init sbin/pivot_root
usr/lib/libgcrypt.so.11 usr/lib/libgpg-error.so.0 usr/lib/libpopt.so.0

/boot/etc/fstab contains the following:
/dev/hda1 / ext2 noauto,noatime 0 0
/dev/mapper/root /mnt/root reiserfs ro 0 0
none /dev devfs defaults 0 0

/boot/etc/mtab is an empty file.

/boot/sbin/init contains the following: chmod 755!
#!/bin/sh
/sbin/cryptsetup -c aes-plain -h sha512 -s 256 create root /dev/discs/disc0/part2
/bin/mount /mnt/root -n
cd /mnt/root
/sbin/pivot_root . ./boot
exec /bin/chroot . /bin/sh -c "/bin/umount /boot/dev -n;/bin/umount /boot -n;exec /sbin/init" </dev/console >/dev/console 2>&1

You'll need to change the root mount point in the real /etc/fstab and your grub config to root=/dev/hda1.

I used an extra hard drive to do the actual encryption, but you should be able to do the following:

Boot the kernel with root=/dev/hda1 init=/bin/sh
/sbin/cryptsetup -y -c aes-plain -h sha512 -s 256 create root /dev/discs/disc0/part2
/bin/dd if=/dev/discs/disc0/part2 of=/dev/mapper/root bs=4k

Then reboot as usual and pray everything isn't gone

[schachti]

Has anyone tried this? I've got some questions...

Just to be sure:

[westboy21]

I followed these instructions, but for some reason, all I get when I boot is a kernel panic. The panic error suggests that I pass the kernel an init=. What did I do wrong?
When I compile the kernel, and I suppose to compile in support for devfs, and have it mount at boot time?

[c0rvus]

samx put together another document regarding this which is fairly good...

you might want to take a look at https://forums.gentoo.org/viewtopic.php?t=163762