Gentoo Forums

Encrypted Root File System, Swap, etc...

Gentoo Forums Forum Index -> Documentation, Tips & Tricks

joeatsalot
n00b

Joined: 08 Sep 2003
Posts: 2

PostPosted: Wed Sep 10, 2003 5:51 am

Gosh - I'm 28 and a half and I'm confused.

I've been following the instructions from the Linux from Scratch people, to do a similar thing. http://archives.linuxfromscratch.org/mail-archives/hints/2003-February/001539.html

I've got the encrypted part all working, but then /sbin/init crashes horribly, because of the way I'm running it. Perhaps LFS is different to Gentoo?

Is the LFS stuff out of date? Badly?

I hope somebody can help.

Jonathan

PS My init script on the unencrypted partition is as follows:

#!/bin/sh
# /sbin/init on the unencrypted partition. The "#!" must be the first two bytes of the
# file, otherwise the kernel does not recognise it as a script and will not run it.

/bin/mount -n -t proc proc /proc
# Attach the encrypted partition to loop0 (prompts for the passphrase)
/sbin/losetup -e aes -k 128 /dev/loop0 /dev/hda9
/bin/mount -n -t reiserfs /dev/loop0 /mnt

/bin/umount /proc
cd /mnt
# /mnt/loader must exist on the encrypted root: the old root gets moved there
/sbin/pivot_root . loader
# Give the real init a console from the new root, then replace this shell with it
exec /usr/sbin/chroot . /sbin/init <dev/console >dev/console 2>&1

watersb
Apprentice

Joined: 04 Sep 2002
Posts: 287
Location: where the hell is Tesuque, New Mexico?

PostPosted: Thu Sep 11, 2003 9:47 pm

Kernel 2.6 System Encryption

I am pleased to announce that with Mike Petullo's and David Braun's help, I have been able
to get an encrypted-root system WORKING with my Gentoo 2.6 laptop, using
a random string that is stored on a USB dongle; this string is encrypted
with GPG.

Work in progress documentation is available at

http://www.sdc.org/~leila/usb-dongle/rough-readme.txt

and at

http://www.sdc.org/~leila/usb-dongle/readme.html

The entire setup - a minix-based RAMDisk, and a tarballed filesystem for
the USB-dongle - has been posted to

http://www.sdc.org/~leila/usb-dongle/


This setup is working for me on an x86 system; you will need to replace
the binaries on the usb tarball with your actual binaries (just copy
them over from a working linux system, taking care to copy over any
shared libs as well).

Although I am starting to use this setup in production use, I keep
backups of everything, and assume it is going to eat my hard disk at any
moment. More pounding is needed.

At this point I want to focus on getting the documentation completed.

How does it look so far?

chadders
Tux's lil' helper

Joined: 21 Jan 2003
Posts: 113

PostPosted: Fri Sep 12, 2003 5:15 am

Woah COOL! I'm gonna try that! Thanks watersb :)

Chad :D

gmoney
n00b

Joined: 04 Aug 2003
Posts: 20
Location: Santa Barbara

PostPosted: Mon Sep 15, 2003 12:23 am

I've had no luck at all getting my filesystems which were originally encrypted with the loopback-aes system to work with the kerneli crypto systems in the 2.6 kernel. The 2.12 util-linux package seems to work fine but doesn't give me all the options the kerneli crypto seems to need (-k, -p, etc...). I've tried every combination of losetup I can think of and some of them actually "work", but when I try to mount no valid filesystem is found. My existing fstab entry is:

/secure/home /home ext3 encryption=AES256,sync,exec,noatime 0 0

and my 2.6 version is:

/secure/home /home ext3 sync,loop,keybits=256,encryption=aes,exec,noatime 0 0

I've seen information on the kerneli website about how to convert your losetup options for loopback-aes to the kerneli version, but the Gentoo build for util-linux doesn't include the needed options. Has anyone had any luck with mounting a loopback-aes encrypted filesystem from 2.4 on the kerneli system in 2.6?

Death Valley Pete
n00b

Joined: 25 Mar 2003
Posts: 49
Location: The Inland Empire

PostPosted: Mon Sep 15, 2003 1:52 am

Looks promising. I'm trying to figure out how to make this whole thing work, but without the usb dongle. (i.e. with a prompt for a password, the thought being that a dongle would be too easily compromised). Any hints?
_________________
<insert pithy statement here>

bonsaikitten
Apprentice

Joined: 01 Jan 2003
Posts: 213
Location: Shanghai, China

PostPosted: Mon Sep 15, 2003 9:46 am

Death Valley Pete wrote:
Looks promising. I'm trying to figure out how to make this whole thing work, but without the usb dongle. (i.e. with a prompt for a password, the thought being that a dongle would be too easily compromised). Any hints?

The key on the dongle is password protected, so effectively you add another level of encryption by using a dongle. Using a plaintext key would be quite dumb from a crypto point of view.

watersb
Apprentice

Joined: 04 Sep 2002
Posts: 287
Location: where the hell is Tesuque, New Mexico?

PostPosted: Mon Sep 15, 2003 4:04 pm

Death Valley Pete wrote:
Looks promising. I'm trying to figure out how to make this whole thing work, but without the usb dongle. (i.e. with a prompt for a password, the thought being that a dongle would be too easily compromised). Any hints?


I am sincerely sorry if the documentation is too complex -- I am trying to write it all down, and afterwards some editing to get some simple "paths" through all this.

I will be adding the more-simple, non-USB method to the documentation soon. The section "framework" should already be there.

Until then, see http://www.flyn.org/projects/cryptoswap/index.html
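The cryptoswap page linked above describes swap on a loop device keyed with a fresh random passphrase at every boot, so whatever was paged out is unreadable after a reboot. The script below is an added example of that pattern, not watersb's or flyn.org's code. It uses the loop-AES losetup syntax (-e AES128, and -p 0 to read the passphrase from file descriptor 0 instead of the terminal; the cryptoloop losetup gmoney describes does not take -p, so check your own losetup's man page), assumes /dev/hda3 is the swap partition and /dev/loop1 the loop device (both assumptions, overridable through the environment), and refuses to touch a device that is currently mounted or swapped on. The destructive part only runs when the script is invoked as root with --setup; the in-use check takes optional file arguments so it can be exercised on sample /proc/swaps and /proc/mounts files.

```shell
#!/bin/sh
# Added example: encrypted swap on a loop device with a random per-boot key (loop-AES losetup syntax).
# Assumed device names (not from the thread): override with SWAPDEV=... LOOPDEV=...
SWAPDEV=${SWAPDEV:-/dev/hda3}
LOOPDEV=${LOOPDEV:-/dev/loop1}

# 16 random bytes from the kernel as 32 hex characters; used once and never written to disk.
random_passphrase() {
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# device_in_use DEV [SWAPS] [MOUNTS]: true if DEV appears in /proc/swaps or /proc/mounts.
# The file arguments exist so the check can be run against sample files.
device_in_use() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' \
        "${2:-/proc/swaps}" "${3:-/proc/mounts}"
}

setup_encrypted_swap() {
    if device_in_use "$SWAPDEV"; then
        echo "$SWAPDEV is mounted or already swapped on; refusing to overwrite it" >&2
        return 1
    fi
    # "losetup /dev/loopN" with no file succeeds only when the loop device is already attached.
    if losetup "$LOOPDEV" >/dev/null 2>&1; then
        echo "$LOOPDEV is already attached; detach it with losetup -d first" >&2
        return 1
    fi
    # -p 0: loop-AES reads the passphrase from the pipe, so it never touches a tty or the command line.
    random_passphrase | losetup -p 0 -e AES128 "$LOOPDEV" "$SWAPDEV" || return 1
    # The key dies with this process, so the swap signature has to be rewritten at every boot.
    mkswap "$LOOPDEV" && swapon "$LOOPDEV"
}

case "${1:-}" in
    --setup)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        setup_encrypted_swap
        ;;
esac
```

Because the passphrase never exists outside the pipe, there is nothing on the USB dongle or in /etc to protect for swap; the price is that the swap area has to be recreated with mkswap on every boot, which is why the setup belongs in an early boot script rather than in fstab.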

watersb
Apprentice

Joined: 04 Sep 2002
Posts: 287
Location: where the hell is Tesuque, New Mexico?

PostPosted: Mon Sep 15, 2003 6:18 pm

gmoney wrote:
My existing fstab entry is:

/secure/home /home ext3 encryption=AES256,sync,exec,noatime 0 0

and my 2.6 version is:

/secure/home /home ext3 sync,loop,keybits=256,encryption=aes,exec,noatime 0 0

Has anyone had any luck with mounting a loopback-aes encrypted filesystem from 2.4 on the kerneli system in 2.6?



What sort of error are you getting?

One thing to try, with new util-linux, is to specify key size in the encryption name:

Code:

/secure/home /home ext3 sync,loop,encryption=aes-256-cbc,exec,noatime 0 0



I recommend that you build the crypto TESTING MODULE in the kernel options under CRYPTOGRAPHIC OPTIONS, then load it with
Code:

# modprobe tcrypt


and then examine the kernel debug message output with dmesg -- you will see the names of the various crypto algorithms in the format the kernel is expecting, which you can then try as arguments to the encryption option to mount.
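Besides tcrypt and dmesg, a 2.6 kernel lists every registered algorithm, with its key size range, in /proc/crypto (snowjob mentions it further down). The following is an added example, not watersb's code, of turning that listing into the check gmoney needs: list the block ciphers the kernel knows, then confirm that a loop-AES style option such as AES256 has a cipher of that name accepting a key that long before printing the two 2.6 spellings that appear in this thread (encryption=aes,keybits=256 and encryption=aes-256-cbc; which one a given util-linux accepts is, as the posts show, version-dependent). The /proc/crypto text embedded here is constructed for the demo; on a real box pass /proc/crypto. This only says whether the kernel has the cipher; it says nothing about whether data loop-AES wrote can be read back through cryptoloop.

```shell
#!/bin/sh
# Added example: read cipher names and key sizes from a /proc/crypto listing and check that a
# loop-AES style option (AES128/AES192/AES256) maps onto a cipher the kernel accepts at that size.

# Constructed sample of /proc/crypto output (not captured from a real machine); real input: /proc/crypto
SAMPLE_CRYPTO='name         : aes
module       : aes
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : serpent
module       : serpent
type         : cipher
blocksize    : 16
min keysize  : 0
max keysize  : 32

name         : sha1
module       : sha1
type         : digest
blocksize    : 64
digestsize   : 20
'

# list_ciphers FILE: prints "name min_keybits max_keybits" for every entry of type cipher
list_ciphers() {
    awk -F' *: *' '
        $1 == "name"        { name = $2 }
        $1 == "type"        { type = $2 }
        $1 == "min keysize" { min = $2 }
        $1 == "max keysize" { max = $2; if (type == "cipher") print name, min * 8, max * 8 }
    ' "$1"
}

# loopaes_to_cryptoloop OPT FILE: OPT like AES256; prints the two 2.6 spellings seen in this thread,
# or fails when FILE (a /proc/crypto listing) has no cipher of that name taking a key of that size.
loopaes_to_cryptoloop() {
    cipher=$(printf '%s' "$1" | sed 's/[0-9]*$//' | tr 'A-Z' 'a-z')
    bits=$(printf '%s' "$1" | sed 's/^[^0-9]*//')
    [ -n "$cipher" ] && [ -n "$bits" ] || { echo "bad option: $1" >&2; return 2; }
    list_ciphers "$2" | awk -v c="$cipher" -v b="$bits" '
        $1 == c && b + 0 >= $2 + 0 && b + 0 <= $3 + 0 { ok = 1 }
        END { exit !ok }' || { echo "$cipher with a $bits-bit key is not in $2" >&2; return 1; }
    echo "encryption=$cipher,keybits=$bits"
    echo "encryption=$cipher-$bits-cbc"
}

# Stand-alone demo on the constructed sample.
demo_crypto() {
    tmp=/tmp/crypto_sample.$$
    printf '%s' "$SAMPLE_CRYPTO" > "$tmp"
    echo "ciphers (name min_bits max_bits):"; list_ciphers "$tmp"
    loopaes_to_cryptoloop AES256 "$tmp"
    loopaes_to_cryptoloop AES512 "$tmp" || echo "(rejected: aes tops out at 256 bits)"
    rm -f "$tmp"
}
demo_crypto
```

If the cipher is missing from /proc/crypto entirely, the module is simply not loaded; modprobe aes (or building it in, as the initrd case requires) fixes that before any losetup syntax will.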

Death Valley Pete
n00b

Joined: 25 Mar 2003
Posts: 49
Location: The Inland Empire

PostPosted: Mon Sep 15, 2003 9:38 pm

watersb wrote:

I am sincerely sorry if the documentation is too complex -- I am trying to write it all down, and afterwards some editing to get some simple "paths" through all this.

I will be adding the more-simple, non-USB method to the documentation soon. The section "framework" should already be there.

Until then, see http://www.flyn.org/projects/cryptoswap/index.html


Well then, I guess I'll just shut up and let you finish. :wink:

bonsaikitten wrote:

The key on the dongle is password protected, so effectively you add another level of encryption by using a dongle. Using a plaintext key would be quite dumb from a crypto point of view.


Good point. I guess I'll start saving my pocket change...
_________________
<insert pithy statement here>

usingloser
Apprentice

Joined: 18 May 2003
Posts: 297
Location: ->Here<-

PostPosted: Tue Sep 16, 2003 5:09 pm

--edited--

I left out the "lun0" in my partition identifier in my initrd build script.

All better now.

lazarous
n00b

Joined: 13 Sep 2003
Posts: 18
Location: Charlottesville, Virginia

PostPosted: Fri Sep 26, 2003 3:25 am

If a court has a search warrant in the US and you do not give the password for the system, you can be held in contempt of the court and get jail time too.
_________________
http://www.kuro5hin.org/story/2002/4/13/182028/722

Garbz
Apprentice

Joined: 02 Jul 2003
Posts: 260
Location: Brisbane, Australia

PostPosted: Mon Sep 29, 2003 9:59 am

Got similar issues in Australia to the UK.

If the court has reason to believe there is incriminating evidence on the encrypted partition you can be forced to hand over the key. Or else 5 years or max $200,000 AUD, I believe.

If you destroy the key and render the partition useless then you can be charged with destroying evidence (although there was apparently a loophole whereby someone escaped conviction for that act by claiming the evidence was still there in its entirety and hadn't been touched, and that not being able to read it wasn't his problem. I think there was also an argument that if the data was scrambled in such a way then the evidence which is presumably destroyed didn't exist in the first place :S )
_________________
Every beginning is another beginning's end.

chadders
Tux's lil' helper

Joined: 21 Jan 2003
Posts: 113

PostPosted: Thu Oct 02, 2003 4:30 am

Wooo! I'm finally up on the 2.6 kernel, now I can check out watersb's stuff instead of loop-AES. Anyone know of anything I gotta watch out for especially?

Oh, I'm supposed to say hi to Bo, so hi Bo, and everyone else ignore this part, especially Garbz.

Chad :D

Garbz
Apprentice

Joined: 02 Jul 2003
Posts: 260
Location: Brisbane, Australia

PostPosted: Thu Oct 02, 2003 5:38 am

bah fine then :P
_________________
Every beginning is another beginning's end.

cayenne
l33t

Joined: 17 Oct 2002
Posts: 886
Location: New Orleans

PostPosted: Fri Oct 03, 2003 8:39 pm    Post subject: Just starting to read on this..

Hello...read through all this, and it looks interesting. I noticed that this thread started a while back...and had a question.

It originally says to get aes-loop from sourceforge. I did an emerge search and found there is app-crypt/aes-crypt available.

Can this be a new starting point or are these 2 completely different apps?

Thanks!

cayenne
_________________
Light travels faster than sound. This is why some people appear bright until you hear them speak.........

bosko
Tux's lil' helper

Joined: 07 Mar 2003
Posts: 114
Location: The Netherlands

PostPosted: Fri Oct 03, 2003 9:05 pm

I have read the how-to posted earlier in this thread (http://www.sdc.org/~leila/usb-dongle/rough-readme.txt), but I still don't completely understand what I have to do.
What I would like to do is use Linux 2.6 (so I would have to use the crypto API) and encrypt both my swap and my root partition. I want to store the key on a USB dongle (only the key; I want the kernel to be in /boot). But basically I have no clue about how I can do this. Could someone be so kind as to post the exact steps I need to do?
I did try to extract the relevant information from the instructions posted in this thread, but it's a bit confusing to me :(

Thank you very much in advance.

ro0t
n00b

Joined: 09 Oct 2003
Posts: 1

PostPosted: Thu Oct 09, 2003 7:41 am    Post subject: Initrd Remains Mounted After Boot ! :?

This question is not really related to Gentoo; I'm using Slackware 9 and kernel 2.4.22.
I followed the steps given by the "Disk Encryption HOWTO" by David Braun,
2003-09-13, Revision History: Revision 1.1, 2003-09-13, Revised by: DB.

The system is working fine; the only problem I am having is that /initrd is mounted read-only.
If I try umount /initrd it says DEVICE BUSY. :?

Can anyone explain why it's still mounted after booting and how to unmount it automatically when the system boots?

curmudgeon
Veteran

Joined: 08 Aug 2003
Posts: 1353

PostPosted: Fri Oct 10, 2003 6:59 pm    Post subject: Re: Initrd Remains Mounted After Boot ! :?

ro0t wrote:

The system is working fine; the only problem I am having is that /initrd is mounted read-only.
If I try umount /initrd it says DEVICE BUSY. :?

Can anyone explain why it's still mounted after booting and how to unmount it automatically when the system boots?


http://loop-aes.sourceforge.net/loop-AES.README

"Root partition loop device node is inside initrd, and that device node
will remain busy forever. This means that encrypted root initrd can't be
unmounted and RAM used by initrd file system can't be freed. This
unable-to-unmount side effect is the reason why initrd is intentionally
made as small as possible."

DingoStick
n00b

Joined: 05 Mar 2003
Posts: 63
Location: The Keweenaw

PostPosted: Sat Oct 11, 2003 6:30 am

I seem to have everything going (mostly) fine, but when I try to mount my partition (it's non-root, so the system is up, but the encrypted partition is not yet mounted), it fails:

Code:
root@outback home # mount ./ftp
Password:
ioctl: LOOP_SET_FD: Device or resource busy


I've read a bit of the documentation, but can't find out why this is occurring. Anyone know about this? My /etc/fstab contains this line:

Code:
/dev/loop5              /home/ftp       reiserfs        defaults,noauto,loop=/dev/loop5,encryption=AES256       0 0


I've tried switching between loop5 and loop0 (the howto uses both, which seems kinda odd...). Nothing works as of now.
_________________

Linux programs, themes, howtos, etc.
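The fstab line in the post above names /dev/loop5 both as the device to mount and, through loop=/dev/loop5, as the loop device to attach it to, so mount asks the loop driver to back /dev/loop5 with itself. The loop driver answers EBUSY for that, which mount prints as ioctl: LOOP_SET_FD: Device or resource busy; it gives the same error when the loop device is still attached from an earlier attempt (losetup -d /dev/loop5 detaches it). The first field should be the encrypted partition or image file, not the loop device. The check below is an added example, not from the post or the HOWTO, that scans an fstab for loop mounts and flags that mistake; the fstab text is constructed, with /dev/hda7 and /dev/hda8 as hypothetical encrypted partitions, and the real input would be /etc/fstab.

```shell
#!/bin/sh
# Added example: check encrypted loop mounts in an fstab before running mount on them.
# Flags the mistake in the post above: the device field and loop= naming the same loop device.

# Constructed fstab (not the poster's); /dev/hda7 and /dev/hda8 are hypothetical encrypted partitions.
SAMPLE_FSTAB='/dev/loop5  /home/ftp   reiserfs  defaults,noauto,loop=/dev/loop5,encryption=AES256  0 0
/dev/hda7   /home/ftp2  reiserfs  defaults,noauto,loop=/dev/loop5,encryption=AES256  0 0
/dev/hda8   /secure     ext3      noauto,loop,encryption=aes-256-cbc,noatime          0 0
/dev/hda9   /mnt/plain  ext2      noauto,loop                                         0 0
/dev/hda1   /boot       ext3      noauto,noatime                                      1 2
'

# check_fstab FILE: one "OK|WARN|BAD <mountpoint> <detail>" line per loop entry; exit 1 if any BAD
check_fstab() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        {
            dev = $1; mnt = $2; opts = $4
            n = split(opts, o, ","); isloop = 0; loopdev = ""; enc = ""
            for (i = 1; i <= n; i++) {
                if (o[i] == "loop")              { isloop = 1 }
                else if (o[i] ~ /^loop=/)        { isloop = 1; loopdev = substr(o[i], 6) }
                else if (o[i] ~ /^encryption=/)  { enc = substr(o[i], 12) }
            }
            if (!isloop) next
            if (dev ~ /^\/dev\/loop/) {
                # mount would ask the loop driver to back dev with itself -> EBUSY
                print "BAD", mnt, "device field is a loop device; it must be the encrypted partition or image file"
                bad = 1
            } else if (enc == "") {
                print "WARN", mnt, "loop mount without encryption=, so it is mounted in the clear"
            } else {
                print "OK", mnt, "loop=" (loopdev == "" ? "(auto)" : loopdev) " encryption=" enc
            }
        }
        END { exit bad + 0 }' "$1"
}

# Stand-alone demo on the constructed sample; on a real system: check_fstab /etc/fstab
demo_fstab() {
    tmp=/tmp/fstab_sample.$$
    printf '%s' "$SAMPLE_FSTAB" > "$tmp"
    check_fstab "$tmp" || echo "fix the BAD entries before mounting"
    rm -f "$tmp"
}
demo_fstab
```

Two entries sharing loop=/dev/loop5, as in the sample, are fine only as long as they are never mounted at the same time; leaving loop= out lets mount pick a free loop device, which is why the howto's examples can use loop0 in one place and loop5 in another without conflict.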

echto
Tux's lil' helper

Joined: 30 Jun 2002
Posts: 107

PostPosted: Thu Oct 23, 2003 6:58 pm

Thanks for your time on this.

watersb wrote:
Kernel 2.6 System Encryption

I am pleased to announce that with Mike Petullo's and David Braun's help, I have been able
to get an encrypted-root system WORKING with my Gentoo 2.6 laptop, using
a random string that is stored on a USB dongle; this string is encrypted
with GPG.

Work in progress documentation is available at

http://www.sdc.org/~leila/usb-dongle/rough-readme.txt

and at

http://www.sdc.org/~leila/usb-dongle/readme.html

The entire setup - a minix-based RAMDisk, and a tarballed filesystem for
the USB-dongle - has been posted to

http://www.sdc.org/~leila/usb-dongle/


This setup is working for me on an x86 system; you will need to replace
the binaries on the usb tarball with your actual binaries (just copy
them over from a working linux system, taking care to copy over any
shared libs as well).

Although I am starting to use this setup in production use, I keep
backups of everything, and assume it is going to eat my hard disk at any
moment. More pounding is needed.

At this point I want to focus on getting the documentation completed.

How does it look so far?

watersb
Apprentice

Joined: 04 Sep 2002
Posts: 287
Location: where the hell is Tesuque, New Mexico?

PostPosted: Tue Oct 28, 2003 12:36 am

Folks, nothing more to see here, just checking in to apologize for how long it's taking to complete that documentation. :oops:

If you want to help out, then of course you are free to take a whack at it...

Also, it is a complex document, and it would be useful to have a very quick step-by-step path through the cruft. If someone could post a particular trajectory of commands through it, in the "QuickStart Guide" style like you see in this unrelated document, then I'm sure people would be helped.

And FWIW, I'm up to kernel-test8-love3, the process has worked for all 2.6.0-series kernels that I've tried, and we're getting close to an API freeze for the test series...

rajl
Apprentice

Joined: 25 Sep 2002
Posts: 287

PostPosted: Wed Oct 29, 2003 3:28 am

Just my two cents on algorithm choice: While investigating hard disk encryption further, I've noticed that people have offered the opinion that Rijndael should be used, and not Serpent; Rijndael was chosen as the winner of the AES, and some people are saying that Serpent has possibly been broken. Doing some research, the only attack against Serpent I've found is one that also works against Rijndael. Because of similarities in the algorithms (essentially the same; AES is designed to be faster, Serpent throws in more transformations, rounds, etc. than necessary to be more secure) they both suffer from the same algebraic exploit, detailed here:

http://eprint.iacr.org/2002/044/

a better explanation in prettier colors is here:

http://www.cryptosystem.net/aes/

and apparently, the initial publicity that got everyone scared is here:

http://slashdot.org/articles/02/09/16/0653224.shtml?tid=93

However, the workability of the attack is still in doubt, as shown here:

http://www.usdsi.com/aes.html

but even if the attack turns out to be successful, both algorithms are still more secure than DES.
_________________
-Rajl

-----------------------------------------------------------
It's easy to be brave once you consider the alternatives.

snowjob
n00b

Joined: 03 Nov 2003
Posts: 3

PostPosted: Mon Nov 03, 2003 10:03 pm    Post subject: Hardened 2.4.22

Using aes with a 128 bit key was working great with a hardened 2.4.20 and 2.4.21 kernel but won't work with 2.4.22.

The first problem I had was the losetup program couldn't find aes even though it is in /proc/crypto
- So I emerge util-linux-2.12.ebuild

The new losetup doesn't support -k so I told it to use aes-cbc-128. That didn't complain, but when I went to mount the /dev/loop0 device mount complained that it didn't know the fs type of the device. (My guess is it isn't decrypting correctly.)

Has anyone else had a problem with the Gentoo hardened 2.4.22 kernel? More importantly, can anyone help me?

hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Tue Nov 18, 2003 2:34 am

Hi there,

I have problems doing this. First I shot my old installation, but that doesn't matter. Then I reinstalled Gentoo and did the following like BlackBart and turbobri said:

hda1: winxp
hda2: boot part. (ext3)
hda3: swap
hda4: root part. (reiserfs)

Quote:
Ok boot into knoppix w/o the graphical
run losetup -e AES256 -T /dev/loop0 /dev/hda2 (or whatever is your root partition)

I did "losetup -e AES256 -T /dev/loop0 /dev/hda4"
Quote:
then do mke2fs /dev/loop0 (or whatever file system you want)

I did mkreiserfs /dev/loop
Quote:
then mkdir /mnt/gentoo
and then mount /dev/loop0 /mnt/gentoo
and mkdir /mnt/gentoo/boot
and mount /dev/hda1 /mnt/gentoo/boot
then cd into /mnt/gentoo
and then extract whatever stage you want and proceed from there following the instruction guide.
when you get to the kernel:

Quote:
You HAVE to use CONFIG_MODULES=y, CONFIG_BLK_DEV_LOOP=n (y or m WON'T WORK), CONFIG_BLK_DEV_RAM=y, CONFIG_BLK_DEV_RAM_SIZE=4096, CONFIG_BLK_DEV_INITRD=y, CONFIG_MINIX_FS=Y (this is because the ramdisk is minix), CONFIG_PROC_FS=y plus whatever FILESYSTEM YOUR ROOT IS HAS TO BE Y (modules won't work because the kernel can't get modules from the root file system until it knows how to read it and decrypt it when it is booting; other stuff can be modules if you want). Make sure that your new kernel works before going further.

done (except for replacing "mount /dev/hda1" with "mount /dev/hda2" I did the same).
Quote:
patch -p1 <../util-linux-2.11y.diff
export CFLAGS=-O2
export LDFLAGS='-static -s'
./configure
make SUBDIRS="lib mount"
cd mount
install -m 4755 -o root mount umount /bin
install -m 755 losetup swapon /sbin
rm -f /sbin/swapoff && ( cd /sbin && ln -s swapon swapoff )
rm -f /usr/share/man/man8/{mount,umount,losetup,swapon,swapoff}.8.gz
install -m 644 mount.8 umount.8 losetup.8 /usr/share/man/man8
install -m 644 swapon.8 swapoff.8 /usr/share/man/man8
rm -f /usr/share/man/man5/fstab.5.gz
install -m 644 fstab.5 /usr/share/man/man5

done
Quote:
cd /usr/src/loop-AES-v1.7b
make LINUX_SOURCE=/usr/src/linux-2.4.19-gentoo-r10 (or whatever vers. you have)

I did "cd /usr/src/loop-AES..." and then "make LINUX_SOURCES=/usr/src/linux-2.4.22-ac4"
Quote:
cp -p /lib/modules/2.4.19-gentoo-r10/block/loop.o /boot/loop-2.4.19-gentoo-r10.o

I did "cp -p /lib/modules/2.4.22-ac4/block/loop.o /boot/loop-2-4.22-ac4.o"
Quote:
and then do these steps
In the loop-AES directory edit build-initrd.sh. Change BOOTDEV, BOOTTYPE, CRYPTROOT, ROOTYPE and CIPHERTYPE to what you want. Then type sh build-initrd.sh . This makes a ramdisk so that the kernel knows how to get the pass phrase when you boot later.

I did BOOTDEV=hda2, BOOTTYPE=ext3, CRYPTOROOT=hda4, ROOTYPE=reiserfs, CYPHERTYPE=AES256
Quote:
edit fstab to make your root say /dev/loop5 instead of /dev/hdawhatever.

replaced /dev/ROOT with /dev/loop5 (/dev/hda4 wasn't there because the installation was fresh, where the default entries are /dev/BOOT, /dev/SWAP and /dev/ROOT), and changed the /boot filesystem to ext3 and the /root filesystem to reiserfs.
Quote:
cd to /boot/grub and edit grub.conf to add a entry like this:
title=Encrypted Root
root (hd0,0)
kernel /bzImage ro root=/dev/ram1
initrd /initrd.gz

Yup, done.


But it still doesn't work. Can anyone see the error(s) I've made?
I tried to describe exactly what I've done in the hope that it would be easiest for you to find the errors I made.

Thanks in advance and greets,
hulk
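The kernel options quoted in this post are a fixed checklist, and the usual ways to get them wrong (the in-tree loop driver left at m, minix or the root filesystem built as a module) only show up as a boot failure. As an added example, not BlackBart's, turbobri's or hulk2nd's code, the script below reads a 2.4 .config and reports every option that differs from the quoted requirements, choosing the root filesystem symbol from the filesystem type (CONFIG_REISERFS_FS, CONFIG_EXT3_FS or CONFIG_EXT2_FS). The .config fragment embedded here is constructed to contain three such mistakes; the real input is /usr/src/linux/.config.

```shell
#!/bin/sh
# Added example: check a 2.4 kernel .config against the options the quoted instructions require
# for a loop-AES encrypted root started from the minix initrd.

# Constructed .config fragment (not hulk2nd's) with three deliberate mistakes; real input: /usr/src/linux/.config
SAMPLE_CONFIG='CONFIG_MODULES=y
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_INITRD=y
# CONFIG_MINIX_FS is not set
CONFIG_PROC_FS=y
CONFIG_REISERFS_FS=m
CONFIG_EXT3_FS=y
'

# config_value FILE OPTION: prints y, m or the assigned value; n when "is not set" or absent
config_value() {
    awk -v opt="$2" '
        $0 == ("# " opt " is not set") { print "n"; found = 1; exit }
        index($0, opt "=") == 1        { print substr($0, length(opt) + 2); found = 1; exit }
        END { if (!found) print "n" }' "$1"
}

# rootfs_option FSTYPE: the config symbol whose driver must be built in (=y) to mount the root
rootfs_option() {
    case "$1" in
        reiserfs) echo CONFIG_REISERFS_FS ;;
        ext3)     echo CONFIG_EXT3_FS ;;
        ext2)     echo CONFIG_EXT2_FS ;;
        *)        echo "unknown root filesystem type: $1" >&2; return 1 ;;
    esac
}

# check_config FILE ROOTFSTYPE: one line per required option; returns 1 if any is wrong
check_config() {
    cfg=$1
    rootopt=$(rootfs_option "$2") || return 1
    bad=0
    # CONFIG_BLK_DEV_LOOP must be n: loop-AES ships its own loop.o (copied to /boot above) for the initrd to load.
    for want in CONFIG_MODULES=y CONFIG_BLK_DEV_LOOP=n CONFIG_BLK_DEV_RAM=y \
                CONFIG_BLK_DEV_RAM_SIZE=4096 CONFIG_BLK_DEV_INITRD=y \
                CONFIG_MINIX_FS=y CONFIG_PROC_FS=y "$rootopt=y"; do
        opt=${want%%=*}
        expect=${want#*=}
        have=$(config_value "$cfg" "$opt")
        if [ "$have" = "$expect" ]; then
            echo "ok   $opt=$have"
        else
            echo "FAIL $opt=$have (need $expect)"
            bad=1
        fi
    done
    return $bad
}

# Stand-alone demo on the constructed sample; on a real tree: check_config /usr/src/linux/.config reiserfs
demo_config() {
    tmp=/tmp/config_sample.$$
    printf '%s' "$SAMPLE_CONFIG" > "$tmp"
    check_config "$tmp" reiserfs || echo "kernel config does not match the requirements above"
    rm -f "$tmp"
}
demo_config
```

Run it against the tree the initrd was built for: the check is only meaningful for the .config of the kernel named in the grub entry, since a module set built for another version is never visible before the encrypted root is mounted.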

hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Wed Nov 19, 2003 5:01 pm

I get a kernel panic: cannot find reiserfs on ramdisk.

All times are GMT
Page 11 of 13