Gentoo Forums
+encryption +LVM [solved]
Beelzebub_
Apprentice
Joined: 21 May 2012
Posts: 256
Location: outside/todesstern-2.01

PostPosted: Sun Mar 10, 2013 4:05 pm    Post subject: +encryption +LVM [solved]

Hi,

I installed Gentoo a long time ago, without any encryption and without LVM.
I don't want to install Gentoo and all my stuff once again. Therefore I am looking for a way to change my installation in a few steps. The problem is I have no experience with that topic.


I have one SSD and one HDD.
On the SSD are my /boot and / and some free space, about half of it - 50GB
On the HDD is my /more partition which I use for my stuff (videos, documents...) - 400GB

I think I should start by making a new partition with an encrypted LVM on my sdb (HDD) and copying my stuff over to a /more partition on the LVM, but how can I proceed so that I get a completely encrypted system?

Do you have any ideas?
_________________
I am not afraid of dying, I am only afraid that I have not lived enough.


Last edited by Beelzebub_ on Fri Mar 22, 2013 10:32 pm; edited 1 time in total
jpc22
Apprentice
Joined: 29 Jan 2012
Posts: 195

PostPosted: Sun Mar 10, 2013 6:34 pm

Getting a fully encrypted system like you asked for, if you really require and want the best security, means you will need an external drive to back up your data.

There are many ways to set up such a system, depending on your needs / level of paranoia.

Tell us what you want to achieve with crypto and we will know better what to recommend to you.

Like if it's a laptop and you want to protect data if it is stolen, or you want the device to be protected against high-profile attacks including physical access to your machine, like keyloggers / van Eck phreaking, cold boot attacks, tampering with your bootloader and ultimately a three-letter agency breaking in when the computer is running, pushing you away from it, dumping it in a liquid nitrogen vat and taking it to a lab.

You surely don't need protection against the latter, but it is always good to know what hackers have pulled off in the past.


The best encryption will only protect your data when the machine is turned off and the RAM content has been cleared, by waiting long enough or by wiping it during shutdown.
Encryption itself does not have a huge performance impact on modern hardware, especially with the AES cipher, compared to security measures you can implement to protect your machine while it's running, like selinux+pax+grsecurity+hardened kernel+firewall/iptables.

You should forget about hibernation on an encrypted system, as it has many security issues.

There is a kernel patch (TRESOR) that keeps the encryption key in CPU registers instead of RAM for protection against cold reboot attacks: http://www1.informatik.uni-erlangen.de/tresor

Ultimately you should remember that the user will always be the weakest part of any system, as they can be forced by law or tortured to reveal encryption keys/passwords.


That being said, the boot partition cannot be encrypted and will remain vulnerable unless you put it on a USB key that you always carry with you. This is the best protection against tampering with your bootloader. If you happen to lose the USB key you can always make another one with a live CD by chrooting into your system after you decrypt and mount your partitions.
If you don't need that much security, just leave a normal boot partition on one of your disks.

If the root partition is encrypted, you will need an initramfs and a bootloader that support it, and the proper config. Personally I use mkinitcpio to make my initramfs and grub2 as my bootloader.
Your initramfs also needs LVM support if you go that way.


You may opt to fully encrypt the disk(s) and have LVM over the encryption, or split the disk with LVM and encrypt only the partitions with your personal data.
Since you intend to move data around your disks, a few encrypted partitions with LVM on them might be better, unless you have a spare disk to make backups, which would be a good idea with the 400GB of data you mentioned. Each encrypted partition will require you to enter a password at boot if it is required by the system, like the root partition, so a single encrypted partition with LVM over it, to keep some flexibility, might be better.

Encrypting only your personal stuff should be enough if your machine is stolen, as long as your encryption has not been compromised.
Full encryption with a separate boot makes it harder to compromise your system, but may not be necessary.

For encryption to be effective, you need to write random data to the hard drive, which is always best done on a brand new disk.
SSDs also have some security and performance issues with encryption:
They keep a mapping of used sectors which can be used to determine where there is data, and help in some cryptographic attacks.
Their use of wear leveling (mapping bad sectors), which could leave unencrypted data behind since your disk is not new, means you cannot be certain to have completely deleted something.
TRIM tells the disk about deleted data and keeps a mapping of free sectors, but this data is not deleted until something takes its place, which can leave data behind and also be used in attacks.
If you disable TRIM or some other features to increase security, your SSD performance will decrease faster with time.


If you have a processor (some Intel Core and i-series) that carries the AES-NI instructions, I would recommend you use AES as your cipher and put it in your USE flags, as it will give you a performance boost in decryption speed.
Code:
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat <device/logical partition>

Dm-crypt with LUKS is interesting, since it allows for up to 8 passwords/keyfiles to decrypt the disk. Keyfiles are kept on your USB key and can be password protected.
The encryption will only be as good as the password protecting it, so a long truly random password and a correct PBKDF2 iteration parameter will make it unlikely someone can brute-force your password in a lifetime; the ciphers will have to be changed as they get less secure in a few years though.


Remember that encryption can and does go wrong sometimes, and that you should really back up your data and encryption headers.

Feel free to ask if I missed something, or you need help with something.
Beelzebub_
PostPosted: Sun Mar 10, 2013 7:18 pm

Thanks for your detailed reply.

Now I know I have to do a lot to get a fully secure system....

I have a desktop PC [AMD Bulldozer FX6100, 12GB RAM] and at the moment I am not using TRIM because my system is kind of like a construction area..
I have switched my window manager (to awesome, and I am still figuring out how it works) and I also have to upgrade to systemd.

To come back to your question about what I want to achieve: I really want to get a super safe system which should resist high-profile attacks and cold reboot attacks.

That being said, it's maybe better if I install Gentoo again on my free space including all these aspects (selinux+pax+grsecurity+hardened kernel+firewall/iptables).
But what's the reason for the boot partition on the USB stick? I mean it doesn't contain important information, or does it? I really like the idea.

Thanks again for all this detailed information.

Beelzebub
jpc22
PostPosted: Sun Mar 10, 2013 7:34 pm

The boot on a USB key is like the key to your car: you can't start the computer without it. If the key is big enough and fast enough you could have an entire encrypted squashed live system with aufs.
You could use that live system to checksum your boot partition to be sure no one has messed with it and added keyloggers or implemented other nasty things at the kernel level.

With 12GB RAM and such a processor you could ramdisk a whole system, something I thought of since I got my laptop with 16GB RAM.


My computers too are like a construction site at the moment, building a 3-node cluster with multiscreen and maybe multiseat.
Beelzebub_
PostPosted: Sun Mar 17, 2013 7:28 pm

Hi,

I have now created my LVM, but I am not sure which encryption I should use for the partitions.
SlashBeast
Retired Dev
Joined: 23 May 2006
Posts: 2922

PostPosted: Sun Mar 17, 2013 9:04 pm

Depends on how big the partition is; I would go with aes-xts-plain64 with sha512.
Beelzebub_
PostPosted: Mon Mar 18, 2013 11:36 am

Something went wrong:

Code:
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/vg/root

WARNING!
========
Hiermit überschreiben Sie Daten auf /dev/vg/root unwiderruflich.

Are you sure? (Type uppercase yes): YES
LUKS-Passsatz eingeben:
Verify passphrase:
device-mapper: reload ioctl on temporary-cryptsetup-4789 failed: Das Argument ist ungültig
Failed to setup dm-crypt key mapping for device /dev/vg/root.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info)

SlashBeast
PostPosted: Mon Mar 18, 2013 12:02 pm

Try reducing the command a bit and see if that works, to at least narrow down the issue:
Code:
cryptsetup -c aes-xts-plain64 -h sha512 luksFormat /path/to/device


Also I used to encrypt the LVM's PV instead of the LV, using better-initramfs to boot from it. Then my kernel boot params look like:
Code:
rootfstype=ext4 luks enc_root=/dev/sda2 lvm root=/dev/mapper/sabre-rootfs swsusp resume=/dev/mapper/sabre-swap
Beelzebub_
PostPosted: Mon Mar 18, 2013 12:53 pm

I tried to reduce the command myself with
Code:
cryptsetup  luksFormat /path/to/device
and now with
Code:
cryptsetup -c aes-xts-plain64 -h sha512 luksFormat /path/to/device
but I have the same issue.

I will now try to encrypt the LVM's PV, maybe that's even better. - Thanks for the idea. - I use Grub2, but I will do that later.

//EDIT:

I got the same error again with:

Code:
cryptsetup --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5000 --use-random --verify-passphrase luksFormat /dev/sda1

Code:
WARNING!
========
Hiermit überschreiben Sie Daten auf /dev/vg/root unwiderruflich.

Are you sure? (Type uppercase yes): YES
LUKS-Passsatz eingeben:
Verify passphrase:
device-mapper: reload ioctl on temporary-cryptsetup-10715 failed: Das Argument ist ungültig (Invalide Argument)
Failed to setup dm-crypt key mapping for device /dev/vg/root.
Check that kernel supports aes-xts-plain64 cipher (check syslog for more info)

Last edited by Beelzebub_ on Mon Mar 18, 2013 3:04 pm; edited 1 time in total
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6227
Location: Room 101

PostPosted: Mon Mar 18, 2013 2:53 pm

Beelzebub_ ...

The most obvious reason would be missing one or other of the following:

CONFIG_CRYPTO_XTS
CONFIG_CRYPTO_SHA512

This is what the error points to ... though if that is too *obvious* then please ignore.

best ... khay
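A quick way to check a kernel config for the options khayyam names before running luksFormat, added here as an example (not code from the thread); the two sample configs are constructed, and the option list assumes the cipher spec used above (aes-xts-plain64 with sha512 on dm-crypt):

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel .config for the options
# dm-crypt needs to set up "aes-xts-plain64" with hash "sha512", which is what
# the failing luksFormat above asked the kernel for. The option names are the
# standard Kconfig symbols; CONFIG_CRYPTO_XTS and CONFIG_CRYPTO_SHA512 are the
# two khayyam points at, CONFIG_DM_CRYPT is the "Crypt target support" item.
REQUIRED_OPTS="CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_XTS CONFIG_CRYPTO_SHA512"

# check_dmcrypt_config FILE
# Prints one "missing: CONFIG_..." line per absent option and returns 1 if any
# is absent. Built-in (=y) and module (=m) both count as present; a
# "# CONFIG_X is not set" line, or no line at all, counts as missing.
check_dmcrypt_config() {
    cfg=$1
    rc=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -qE "^${opt}=(y|m)$" "$cfg"; then
            echo "missing: $opt"
            rc=1
        fi
    done
    return $rc
}

# running_kernel_config
# Print the path of a config for the running kernel: /proc/config.gz
# (needs CONFIG_IKCONFIG_PROC) unpacked to a temp file, or the source
# tree's .config as a fallback. Returns 1 if neither is readable.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r /usr/src/linux/.config ]; then
        echo /usr/src/linux/.config
    else
        return 1
    fi
}

# Constructed sample reproducing the thread's failure: XTS is not set, so the
# kernel cannot build the aes-xts-plain64 mapping although AES, SHA512 and
# dm-crypt itself are present.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
# CONFIG_CRYPTO_XTS is not set
CONFIG_CRYPTO_SHA512=m
EOF

# Constructed sample with everything the cipher spec needs enabled.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_SHA512=y
EOF
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT

check_dmcrypt_config "$BAD_CFG" || echo "BAD_CFG: luksFormat with aes-xts-plain64/sha512 would fail"
check_dmcrypt_config "$GOOD_CFG" && echo "GOOD_CFG: all required options present"
```

On a real box, run `check_dmcrypt_config "$(running_kernel_config)"` against the kernel you actually booted; a livecd kernel and the installed kernel can differ, which is the question SlashBeast raises below.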
SlashBeast
PostPosted: Mon Mar 18, 2013 2:54 pm

Are you sure you have aes, xts and sha512 support in the kernel that you are running? Is that a livecd maybe?

edit: ninja'd by khayyam. ;)
Beelzebub_
PostPosted: Mon Mar 18, 2013 3:26 pm

Solved.. before reading your comments. :P

You are right, it was a missing kernel option. (Crypt target support)

..thought I had already checked it.

That site helped me. (http://wiki.gentoo.org/wiki/DM-Crypt) - But thank you, too.
Beelzebub_
PostPosted: Mon Mar 18, 2013 3:58 pm

At the moment I have created something:

Code:

cryptsetup luksOpen /dev/sda1 lvm2-pv1
cryptsetup luksOpen /dev/sdb2 lvm2-pv2

vgcreate vg /dev/mapper/lvm2-pv1 /dev/mapper/lvm2-pv2

lvcreate -L10G  -ntmp  vg
..
..
..


mkfs.ext4 /dev/vg/tmp
..
..
..


mount /dev/vg/root /mnt/gentoo
mount: wrong fs type, bad option, bad superblock on /dev/mapper/vg-root,
       missing codepage or helper program, or other error
       In some cases useful info is found in syslog - try
       dmesg | tail or so

Code:
dmesg | tail
[ 2631.134088] EXT4-fs (dm-4): VFS: Can't find ext4 filesystem
[ 2631.134266] EXT4-fs (dm-4): VFS: Can't find ext4 filesystem
[ 2631.134449] FAT-fs (dm-4): bogus number of reserved sectors
[ 2631.134453] FAT-fs (dm-4): Can't find a valid FAT filesystem
[ 2631.134672] FAT-fs (dm-4): bogus number of reserved sectors
[ 2631.134673] FAT-fs (dm-4): Can't find a valid FAT filesystem
[ 2631.147563] ISOFS: Unable to identify CD-ROM format.
[ 2631.147840] NTFS-fs error (device dm-4): read_ntfs_boot_sector(): Primary boot sector is invalid.
[ 2631.147843] NTFS-fs error (device dm-4): read_ntfs_boot_sector(): Mount option errors=recover not used. Aborting without trying to recover.
[ 2631.147845] NTFS-fs error (device dm-4): ntfs_fill_super(): Not an NTFS volume.


Hmm.. was my way the wrong one?
khayyam
PostPosted: Mon Mar 18, 2013 4:11 pm

Beelzebub_ ...

After the 'lvcreate' you would need to 'vgscan && vgchange -ay' ... which looks to be missing in the above.

HTH & best ... khay
Beelzebub_
PostPosted: Mon Mar 18, 2013 4:14 pm

Solved.

Filesystem was not working, now it is.
Beelzebub_
PostPosted: Mon Mar 18, 2013 4:25 pm

Would it make sense to copy my old installation over to the new locations?
Or should I install Gentoo completely new?
SlashBeast
PostPosted: Mon Mar 18, 2013 5:16 pm

If you have no real reason to start with a new install, just back up your current one. I suggest you do it from a livecd so no /proc, /dev or /sys are mounted and /dev has some static nodes; tarball it with numeric-ids and extract it with -p.
Beelzebub_
PostPosted: Tue Mar 19, 2013 2:40 pm

Code:

#!/bin/busybox sh

# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys

# Do your stuff here.
cryptsetup -T 5 luksOpen /dev/sda1 lvm2-pv1
cryptsetup -T 5 luksOpen /dev/sdb2 lvm2-pv2
lvm vgscan --mknodes
lvm lvchange -aly vg/root
lvm lvchange -aly vg/home

#Mount the root filesystem.
mount -o ro /dev/vg/root /mnt/root

# Clean up.
umount /proc
umount /sys

# Boot the real thing.
exec switch_root /mnt/root /sbin/init


http://en.gentoo-wiki.com/wiki/Initramfs

I have done everything so far but it is still not working. What have I missed?
SlashBeast
PostPosted: Tue Mar 19, 2013 3:36 pm

Define not working.
Beelzebub_
PostPosted: Tue Mar 19, 2013 3:44 pm

The boot process aborts with the new kernel before I can enter a password for the encrypted partitions.
SlashBeast
PostPosted: Tue Mar 19, 2013 4:46 pm

Provide at least a blurry photo of the error. Maybe your initramfs's /init is not +x or something, or fetch the better-initramfs binary image and test if that works, to at least tell if the initramfs is to blame; with better-initramfs you need to add to the kernel params:
Code:
luks enc_root=/dev/sda1:/dev/sdb2 lvm root=/dev/mapper/vg-root
Beelzebub_
PostPosted: Tue Mar 19, 2013 5:55 pm

Some part of the error tells me:

Code:
 busybox not tainted 3.8.3-gentoo-r1
Call Tace:
<
<
<
<
<
<

SlashBeast
PostPosted: Tue Mar 19, 2013 6:55 pm

So you got to the initramfs part; check my initramfs and see if you have the same issue.
Beelzebub_
PostPosted: Tue Mar 19, 2013 7:50 pm

So I am trying to install your better-initramfs and I got this error:
Code:
gentoo-desktop piotrkarbowski-better-initramfs-fd5f0d9a15b2 # make prepare
>>> ERROR: Not under git?
make: *** [prepare] Fehler 1


Maybe I am just a noob... I have never installed something by hand..
khayyam
PostPosted: Tue Mar 19, 2013 8:17 pm

Beelzebub_ ...

Did you run 'bootstrap/bootstrap-all' prior to the above? ... anyhow, I guess you downloaded the zip, which should work nonetheless ... but here is the recommended method.

Code:
# git clone https://bitbucket.org/piotrkarbowski/better-initramfs.git
# cd better-initramfs
###### (optional: tweak bootstrap/bootstrap-all.conf) ######
# bootstrap/bootstrap-all
# make prepare
# make image

You will need dev-vcs/git installed for the 'git clone'.

best ... khay