westboy21 Tux's lil' helper
Joined: 10 Oct 2003 Posts: 135 Location: Raleigh, North Carolina
Posted: Thu Dec 23, 2004 4:25 am
This is the beauty of the dm-crypt module and the cryptsetup program. Any live CD with crypto support and the cryptsetup program can create the map to the encrypted filesystem with the command
Code:
cryptsetup create root /dev/hd**
then you can just mount the /dev/mapper/root device anywhere in the live CD RAM filesystem. Voilà.
ross8653 n00b
Joined: 14 Jan 2004 Posts: 51
Posted: Mon Dec 27, 2004 8:12 pm
westboy21, can you post your devmap_mknod.sh?
westboy21 Tux's lil' helper
Joined: 10 Oct 2003 Posts: 135 Location: Raleigh, North Carolina
Posted: Fri Jan 14, 2005 5:42 am
Well... looks like I need to log into here every now and then. Sorry about missing the PM by about a month. Here is my devmap_mknod script:
Code:
#! /bin/sh
# Startup script to create the device-mapper control device
# on non-devfs systems.
# Non-zero exit status indicates failure.
# These must correspond to the definitions in device-mapper.h and dm.h
DM_DIR="mapper"
DM_NAME="device-mapper"
set -e
DIR="/dev/$DM_DIR"
CONTROL="$DIR/control"
# Check for devfs, procfs
if test -e /dev/.devfsd ; then
    echo "devfs detected: devmap_mknod.sh script not required."
    exit
fi
if test ! -e /proc/devices ; then
    echo "procfs not found: please create $CONTROL manually."
    exit 1
fi
# Get major, minor, and mknod
MAJOR=$(sed -n 's/^ *\([0-9]\+\) \+misc$/\1/p' /proc/devices)
MINOR=$(sed -n "s/^ *\([0-9]\+\) \+$DM_NAME\$/\1/p" /proc/misc)
if test -z "$MAJOR" -o -z "$MINOR" ; then
    echo "$DM_NAME kernel module not loaded: can't create $CONTROL."
    exit 1
fi
mkdir -p --mode=755 "$DIR"
test -e "$CONTROL" && rm -f "$CONTROL"
echo "Creating $CONTROL character device with major:$MAJOR minor:$MINOR."
mknod --mode=600 "$CONTROL" c "$MAJOR" "$MINOR"
Here is my linuxrc script:
Code:
#!/bin/sh
export PATH=/bin
# /proc is needed for the kernel command line and by devmap_mknod.sh,
# which reads the device-mapper major/minor from /proc/devices and /proc/misc
mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
devmap_mknod.sh
umount /proc
# drop any stale /dev/mapper/root node or symlink shipped in the initrd
if [ -L /dev/mapper/root ] || [ -b /dev/mapper/root ] ; then
    rm -f /dev/mapper/root
fi
# asks for the passphrase and sets up the (plain, non-LUKS) dm-crypt mapping
cryptsetup create root /dev/hda4
mount -t reiser4 /dev/mapper/root /new
cd /new
mkdir initrd
# make the decrypted filesystem the new root, with the old initrd root at /initrd
pivot_root . initrd
exec chroot . /bin/sh <<- EOF >/dev/console 2>&1
umount initrd
rm -rf initrd
blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF
Maybe this can help someone else in the future.
QuizMasta n00b
Joined: 07 Mar 2004 Posts: 10
Posted: Fri Jan 28, 2005 11:45 am
I've run into a problem following this guide (and another one for that matter). My root partition is encrypted and the linuxrc script mounts the root just fine. After typing the passphrase my root is mounted (together with my swap?) and I get this:
Code:
Give root password for maintenance
(or type Control-D for normal start up):
If I type Ctrl+D the damn thing restarts.
If I log in using the root password I get my normal root shell. Snooping around in there only adds to the confusion:
1) mount reports that the root device is /dev/hda7 (and not /dev/mapper/cryptroot)
2) /dev/mapper/cryptroot does not exist. Only /dev/mapper/control
3) When looking at dmesg, these are the last entries:
Code:
ReiserFS: dm-0: found reiserfs format "3.6" with standard journal
ReiserFS: dm-0: using ordered data mode
ReiserFS: dm-0: journal params: device dm-0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
ReiserFS: dm-0: checking transaction log (dm-0)
ReiserFS: dm-0: Using r5 hash to sort names
Adding 506008k swap on /dev/hda5. Priority:-1 extents:1
And as far as I know, mounting swap is part of the actual init, not the ramdisk init - or am I wrong?
And why would ReiserFS report the device to be dm-0 when I've named it cryptroot?
ANY help/input is greatly appreciated!
westboy21 Tux's lil' helper
Joined: 10 Oct 2003 Posts: 135 Location: Raleigh, North Carolina
Posted: Tue Feb 01, 2005 5:17 am
Man... I wish I could help you out on this one. Just last week I tried another Gentoo installation using this guide and ended up with the same problems as you. Let me guess: right before you get the prompt asking for your root password for maintenance, you probably got some error saying that the root device couldn't be checked, or something to that effect.
My problem was that /dev/mapper/root was getting created, but once udev started up, it was removing everything in /dev and repopulating it.
I didn't use to have this issue. Anyone else have this issue? Seems to be an LVM naming issue. I've researched most of the posts I can find relating to LVM and udev, but can't find any substantial answer that WORKS.
I finally gave up. Please post anything else you may find!
schachti Advocate
Joined: 28 Jul 2003 Posts: 3765 Location: Gifhorn, Germany
Posted: Thu Feb 17, 2005 7:04 pm
Does someone know what I have to do in a different way if I'm not using udev?
schachti Advocate
Joined: 28 Jul 2003 Posts: 3765 Location: Gifhorn, Germany
Posted: Tue Feb 22, 2005 6:49 am Post subject: Re: [mini-HOWTO] Encrypting root file system with dm-crypt
veezi wrote:
    Now to encrypting the file system (make sure you have a backup!!!). How you encrypt it depends on you. Here I'm assuming you've enough space in hda3, and you've a Linux boot CD or Linux installed on another partition, and you've booted from that:
Where can I get a boot CD that supports cryptsetup? I tried a recent version of Knoppix; it does not.
ross8653 n00b
Joined: 14 Jan 2004 Posts: 51
Posted: Mon Feb 28, 2005 9:56 pm
The Gentoo Universal LiveCD 2004.3 has it.
Coper n00b
Joined: 02 Mar 2005 Posts: 1
Posted: Wed Mar 02, 2005 6:13 pm
Hi, I tried to mount my USB stick in my linuxrc file, but it just says that the device doesn't exist.
I have made /dev/uba1 (b 180 1).
Any ideas? Running 2.6.10.
ross8653 n00b
Joined: 14 Jan 2004 Posts: 51
Posted: Wed Jul 20, 2005 9:03 pm
I have been playing with swap encryption and cannot get udev to do what I want, so I've just created the swap in /etc/conf.d/local.start.
The wiki entry is updated with info about my quick solution.
Also, for people that are having problems with creating the mapping to swap taking ages: check the wiki. The problem is your /dev/random runs out of entropy; you can move the mouse around or use /dev/urandom.
http://en.wikipedia.org/wiki//dev/random
mahatmah n00b
Joined: 08 Apr 2004 Posts: 17 Location: Graz
Posted: Thu Jul 21, 2005 7:14 pm
I have encrypted my root filesystem with dm-crypt. Instead of standard cryptsetup I preferred cryptsetup-luks. In my opinion a little bit better because it supports more than one key...
I have created my root partition with the following parameters:
Code:
cryptsetup -c aes-cbc-essiv:sha256 -s 128 luksFormat /dev/hda3
Everything is working fine, only my hard drive throughput is really bad. GKrellM shows 2.5M (MB/s); it isn't really funny to copy something from or to my unencrypted second disk.
I have a 2.8 GHz P4; CPU is up to 99%, RAM usage is low (512 MB, around 150 MB used).
I don't think it is because I chose cryptsetup-luks instead of cryptsetup, because only the handling of the passphrase is different (I think). Maybe because I chose "essiv" instead of the standard "plain". I have chosen essiv because I read it helps a lot against watermark attacks.
So, my question is: is it normal that the hard drive performance is that poor?
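mahatmah's reason for picking essiv over plain deserves a concrete illustration. The following is an added example, not code from this thread or from cryptsetup/dm-crypt: it simulates dm-crypt's per-sector CBC with both IV modes and runs the ciphertext-only "watermark" check that a predictable (plain) IV makes possible. Assumptions: the block cipher is a stand-in Feistel construction over HMAC-SHA256, because the Python standard library has no AES (the attack does not depend on which cipher is used); the planted file is assumed to land on an even sector boundary; and the key, sector offset and file contents are made up here.

```python
import hashlib
import hmac
import os
import struct

SECTOR = 512   # dm-crypt encrypts each 512-byte sector independently
BLOCK = 16     # 128-bit cipher block, as with AES


def block_encrypt(key, block):
    """Stand-in 128-bit block cipher: a 4-round Feistel network whose round
    function is HMAC-SHA256 (Luby-Rackoff construction).  It replaces AES only
    because the standard library ships no AES; neither IV mode nor the attack
    below depends on which block cipher sits underneath."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def iv_plain(key, sector):
    """dm-crypt 'plain' IV: the 32-bit little-endian sector number, zero
    padded.  Anyone can compute it, and the IVs of sectors 2k and 2k+1
    differ in exactly one bit."""
    return struct.pack("<I", sector & 0xFFFFFFFF) + bytes(BLOCK - 4)


def iv_essiv(key, sector):
    """ESSIV (the essiv:sha256 part of aes-cbc-essiv:sha256): encrypt the
    sector number under SHA-256(volume key).  Without the key the IV, and so
    the relation between neighbouring IVs, is unpredictable."""
    essiv_key = hashlib.sha256(key).digest()
    return block_encrypt(essiv_key, struct.pack("<Q", sector) + bytes(BLOCK - 8))


def encrypt_sector(key, sector, plaintext, iv_fn):
    """CBC-encrypt one sector the way dm-crypt does: fresh IV per sector,
    blocks chained within the sector only."""
    assert len(plaintext) == SECTOR
    prev = iv_fn(key, sector)
    out = bytearray()
    for off in range(0, SECTOR, BLOCK):
        x = bytes(a ^ b for a, b in zip(plaintext[off:off + BLOCK], prev))
        prev = block_encrypt(key, x)
        out += prev
    return bytes(out)


def watermarked_file(n_sectors):
    """Attacker-chosen content (e.g. a file mailed to the victim): all sectors
    identical except that bit 0 of the first byte is flipped in odd sectors.
    When the file starts on an even sector, sectors 2k and 2k+1 get plain IVs
    that differ only in bit 0, so (plaintext XOR IV) is identical for the pair
    and CBC emits the same first ciphertext block for both."""
    base = bytes(range(256)) * 2          # 512 arbitrary bytes (made up)
    return [bytes([base[0] ^ (i & 1)]) + base[1:] for i in range(n_sectors)]


def random_file(n_sectors):
    """Ordinary, non-watermarked data for comparison."""
    return [os.urandom(SECTOR) for _ in range(n_sectors)]


def count_pair_collisions(cipher_sectors):
    """Ciphertext-only detector: how many (even, odd) neighbour pairs share
    their first cipher block.  Needs no key; a high count reveals that the
    watermarked file is present on the encrypted volume."""
    return sum(1 for i in range(0, len(cipher_sectors) - 1, 2)
               if cipher_sectors[i][:BLOCK] == cipher_sectors[i + 1][:BLOCK])


def simulate(iv_fn, plaintext_sectors, key, start_sector=4096):
    """Write the file at an even sector offset of a volume keyed with `key`
    and return the number of detectable collisions in the ciphertext."""
    assert start_sector % 2 == 0
    cipher = [encrypt_sector(key, start_sector + i, p, iv_fn)
              for i, p in enumerate(plaintext_sectors)]
    return count_pair_collisions(cipher)


if __name__ == "__main__":
    key = os.urandom(32)    # volume key; never leaves the kernel in real life
    n = 64
    print("plain IV, watermarked file:", simulate(iv_plain, watermarked_file(n), key))  # 32
    print("plain IV, random data     :", simulate(iv_plain, random_file(n), key))       # 0
    print("ESSIV,    watermarked file:", simulate(iv_essiv, watermarked_file(n), key))  # 0
```

With the plain IV every (2k, 2k+1) pair of the planted file collides, so whoever holds the encrypted disk (a stolen laptop, an old backup) can tell that the file is present without knowing the passphrase. With ESSIV the IVs are keyed and the count drops to zero. This is detection of chosen content, not key recovery, but it is the weakness essiv was introduced in dm-crypt to close, and it costs one extra block-cipher operation per sector, not the 3x slowdown discussed in this thread.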
ross8653 n00b
Joined: 14 Jan 2004 Posts: 51
Posted: Thu Jul 21, 2005 10:05 pm
Assuming you're not on a laptop and are using a 7200 rpm IDE/SATA drive: no, it should be a bit better. Here's an example with my craptastic 4200 rpm laptop hard drive and a P3 500 MHz, using AES and a 256-bit key. /dev/mapper/root maps to /dev/hda3.
Code:
taptap linux # hdparm -t /dev/mapper/root /dev/hda3
/dev/mapper/root:
 Timing buffered disk reads: 26 MB in 3.11 seconds = 8.37 MB/sec
/dev/hda3:
 Timing buffered disk reads: 40 MB in 3.13 seconds = 12.77 MB/sec
Say your partition that is encrypted is /dev/hda3 and your device map to that partition is /dev/mapper/root. You can check the difference encryption has on the speed of your drive by
Code:
hdparm -t /dev/hda3 /dev/mapper/root
Run that a few times, also on your second drive to make sure that is not holding anything up. If it is still slow due to encryption you can check if using cryptsetup-luks has anything to do with it by making a map with cryptsetup and testing cryptsetup's performance. This shouldn't hurt any data since you are only read testing, but to be sure you can do this to your swap partition (after shutting off swap, of course).
Say hda2 is swap:
Code:
swapoff /dev/hda2
free                 # check that swap is gone
cryptsetup -d /dev/urandom create testmap /dev/hda2
# now create a map from /dev/hda2 using your cryptsetup-luks with the same
# algorithm and key size that you normally use
Now you should have two encrypted maps to the same partition /dev/hda2 (testmap, and the one you created). Let's run hdparm again:
Code:
hdparm -t /dev/hda2 /dev/mapper/testmap /dev/mapper/YOURMAPHERE
What are the results?
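Added example, not from the thread or from hdparm: a small Python helper that turns several hdparm -t runs, as ross8653 suggests above, into per-device medians and one encrypted-to-raw ratio, so a single slow run does not mislead. The sample output is constructed here: the first run per device copies figures posted in this thread (nozomi's /dev/mapper/root and /dev/hda3), the second run is invented to show aggregation, and the HDIO_DRIVE_CMD line that hdparm prints for device-mapper nodes is included so the parser is seen skipping it.

```python
import re
import statistics

# Constructed sample in the shape `hdparm -t dev1 dev2` prints, repeated twice.
SAMPLE_OUTPUT = """\
/dev/mapper/root:
 Timing buffered disk reads:   60 MB in  3.07 seconds =  19.53 MB/sec
HDIO_DRIVE_CMD(null) (wait for flush complete) failed: Inappropriate ioctl for device
/dev/hda3:
 Timing buffered disk reads:  160 MB in  3.04 seconds =  52.62 MB/sec
/dev/mapper/root:
 Timing buffered disk reads:   58 MB in  3.01 seconds =  19.27 MB/sec
/dev/hda3:
 Timing buffered disk reads:  158 MB in  3.02 seconds =  52.31 MB/sec
"""

# "/dev/hda3:" on a line of its own introduces the next device's result.
DEVICE_RE = re.compile(r"^(/dev/[^:\s]+):\s*$")
# The timing line; group 3 is the MB/sec figure hdparm already computed.
TIMING_RE = re.compile(
    r"Timing buffered disk reads:\s+(\d+) MB in\s+([\d.]+) seconds\s*=\s*([\d.]+) MB/sec")


def parse_hdparm(text):
    """Map each device to the list of MB/sec figures hdparm printed for it,
    in order.  Lines that are neither a device header nor a timing line
    (such as the ioctl complaint for dm devices) are ignored."""
    results = {}
    device = None
    for line in text.splitlines():
        m = DEVICE_RE.match(line.strip())
        if m:
            device = m.group(1)
            results.setdefault(device, [])
            continue
        m = TIMING_RE.search(line)
        if m and device is not None:
            results[device].append(float(m.group(3)))
    return results


def median_throughput(results, device):
    """Median MB/sec over all runs recorded for `device`."""
    return statistics.median(results[device])


def crypto_overhead(results, raw_dev, mapped_dev):
    """Median throughput of the dm-crypt mapping relative to the raw partition
    underneath it (1.0 would mean encryption costs nothing)."""
    return median_throughput(results, mapped_dev) / median_throughput(results, raw_dev)


if __name__ == "__main__":
    r = parse_hdparm(SAMPLE_OUTPUT)
    for dev, mbs in r.items():
        print(f"{dev}: median {statistics.median(mbs):.2f} MB/sec over {len(mbs)} runs")
    print(f"encrypted/raw = {crypto_overhead(r, '/dev/hda3', '/dev/mapper/root'):.2f}")
```

Compare the ratio, not the absolute numbers: if the raw partition itself is far below what the drive should deliver, look at the disk or the kernel's DMA configuration before blaming the cipher.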
mahatmah n00b
Joined: 08 Apr 2004 Posts: 17 Location: Graz
Posted: Thu Jul 21, 2005 11:07 pm
Quote:
Code:
taptap linux # hdparm -t /dev/mapper/root /dev/hda3
/dev/mapper/root:
 Timing buffered disk reads: 26 MB in 3.11 seconds = 8.37 MB/sec
/dev/hda3:
 Timing buffered disk reads: 40 MB in 3.13 seconds = 12.77 MB/sec
Oh my goodness, so silly, I have forgotten to include my settings for DMA in the kernel. I'm sorry.
But I didn't know the hdparm -t testing thing. Here is my output after finally enabling DMA:
Code:
nozomi ftp # hdparm -t /dev/mapper/root /dev/hda3
/dev/mapper/root:
 Timing buffered disk reads: 60 MB in 3.07 seconds = 19.53 MB/sec
HDIO_DRIVE_CMD(null) (wait for flush complete) failed: Inappropriate ioctl for device
/dev/hda3:
 Timing buffered disk reads: 160 MB in 3.04 seconds = 52.62 MB/sec
Not that bad, I think; it is really great.
Thanks for your response, I didn't even think about DMA, I thought it could only be the encryption...