[HOWTO] root, swap filesystem encryption for 2.4 and 2.6

Unofficial documentation for various parts of Gentoo Linux. Note: This is not a support forum.
193 posts
  • Page 3 of 8
hulk2nd
Guru
Posts: 512
Joined: Tue Mar 25, 2003 2:45 pm
Location: Freiburg, Germany

Post by hulk2nd » Sun Jan 18, 2004 10:39 pm

hi there,
i'm terribly sorry, but my gentoo is broken atm, so i can't answer some questions. you know, nearly always you have to sit in front of your computer to understand a problem and that is sadly impossible for me atm. hopefully there's somebody else out there who can help you.

@viperlin
for me this looks like as if you forgot either to include the filesystem of your root partition or devfs support. i would check the kernel config and the build-initrd.sh again. which method did you chose?

greets,
hulk
Linux: "Free as in free speech, not as in free beer"
viperlin
Veteran
Posts: 1319
Joined: Tue Apr 15, 2003 5:50 pm
Location: UK

Post by viperlin » Sun Jan 18, 2004 10:55 pm

erm, none, if you read the post you would know i'm trying to read an encrypted DVD, i can read other DVDs so i have filesystem support.
i have no initrd as i don't use encrypted filesystems for harddrives on this PC, only my old backups.

trying not to sound insulting but, well. :roll:
hulk2nd
Guru
Posts: 512
Joined: Tue Mar 25, 2003 2:45 pm
Location: Freiburg, Germany

Post by hulk2nd » Mon Jan 19, 2004 10:18 am

oh indeed, sorry about that!
ok then did you have a look at this tutorial? i saw it once so maybe this could help you!

greets,
hulk
Linux: "Free as in free speech, not as in free beer"
viperlin
Veteran
Posts: 1319
Joined: Tue Apr 15, 2003 5:50 pm
Location: UK

Post by viperlin » Mon Jan 19, 2004 6:00 pm

hulk2nd wrote:oh indeed, sorry about that!
ok then did you have a look at this tutorial? i saw it once so maybe this could help you!

greets,
hulk
yep it gave me the original idea , but thanks :-) i'll keep experimenting
revoohc
Tux's lil' helper
Posts: 128
Joined: Sat Oct 12, 2002 6:35 am

Post by revoohc » Wed Jan 21, 2004 1:25 am

I need some help. I followed the instructions for building a clean encrypted system. I have used a 2.6 kernel (gentoo-dev-sources) and everything seemed to go well. However, when I try to boot into gentoo, it does not accept my password. Any ideas what might be going on? I can boot back into Knoppix and am able to load the encrypted root file system w/o a problem

Any advice would be appreciated.

Thanks,

revoohc
hulk2nd
Guru
Posts: 512
Joined: Tue Mar 25, 2003 2:45 pm
Location: Freiburg, Germany

Post by hulk2nd » Wed Jan 21, 2004 1:34 pm

maybe you used another keyboard layout in knoppix than the default one that is chosen when booting into gentoo?

what is the exact error message you get?


greets,
hulk
Linux: "Free as in free speech, not as in free beer"
kritip
n00b
Posts: 56
Joined: Sat Jan 03, 2004 6:39 pm
Location: Nuneaton, Warks, UK

Post by kritip » Wed Jan 21, 2004 6:05 pm

The latest util-linux in portage, util-linux-2.12-r4.ebuild, has the following references:

Code:

IUSE="crypt nls static pam selinux"

Code:

CRYPT_PATCH_P="${P}-cryptoapi-losetup"
SELINUX_PATCH="util-linux-2.12-selinux.diff.bz2"
DESCRIPTION="Various useful Linux utilities"
SRC_URI="mirror://kernel/linux/utils/${PN}/${P}.tar.gz
        ftp://ftp.cwi.nl/pub/aeb/${PN}/${P}.tar.gz
        crypt? ( mirror://gentoo/${CRYPT_PATCH_P}.patch.bz2 )"
HOMEPAGE="http://www.kernel.org/pub/linux/utils/util-linux/"
If i have crypt in my global use flags, then will the encryption patch be applied to the install, or is this something different??

I may be starting to encrypt my PC, so i may give the standard portage util-linux a go unless anyone corrects me, and this is to do with something completely different??!!

Cheers,

Kristian
Signature?? I don't want a signature!
hulk2nd
Guru
Posts: 512
Joined: Tue Mar 25, 2003 2:45 pm
Location: Freiburg, Germany

Post by hulk2nd » Wed Jan 21, 2004 8:28 pm

i'm nearly sure that is not the needed patch. you can try that easily: emerge util-linux and then type losetup. keep the output in your mind or on another console and then install util-linux after the tutorial (by hand) and type losetup. if the one installed by hand gives you another output (a few more options and a few more lines) then it is still needed to install it by hand. otherwise use the one from the portage tree.

greets,
hulk
Linux: "Free as in free speech, not as in free beer"
kritip
n00b
Posts: 56
Joined: Sat Jan 03, 2004 6:39 pm
Location: Nuneaton, Warks, UK

Post by kritip » Wed Jan 21, 2004 9:03 pm

hulk2nd wrote:i'm nearly sure that is not the needed patch. you can try that easily: emerge util-linux and then type losetup. keep the output in your mind or on another console and then install util-linux after the tutorial (by hand) and type losetup. if the one installed by hand gives you another output (a few more options and a few more lines) then it is still needed to install it by hand. otherwise use the one from the portage tree.

greets,
hulk
Yep, i think you are correct, so i have gone ahead and manually patched and installed it. Got a quick question though, at present i have the following entry in grub.conf:

Code:

title Gentoo Testing (2.6.1-mm5)
root    (hd0,0)
kernel  (hd0,0)/boot/2.6.1-mm5 root=/dev/hde3 vga=792
and the guide states to change it to:

Code:

title=Gentoo/GNU Linux 1.4 Encrypted ROOT
root (hd0,0)
kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz
so do i omit the /boot/2.6.1-mm5 and just change it to /bzImage??

I presume the kernel is the one i have built but will not be mounted under /boot so should i have /2.6.1-mm5 ??


IE. To this:

Code:

title Gentoo Testing Encrypted (2.6.1-mm5)
root    (hd0,0)
kernel  (hd0,0)/2.6.1-mm5 root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz
Cheers for your help, and please forgive my lack of knowledge, i just want to check that im gonna do this right!! ;)

Cheers,

Kristian
Signature?? I don't want a signature!
hulk2nd
Guru
Posts: 512
Joined: Tue Mar 25, 2003 2:45 pm
Location: Freiburg, Germany

Post by hulk2nd » Wed Jan 21, 2004 9:28 pm

i think you can leave the kernel part as it is. i assume you use genkernel? i have no experience with that, but if you compile your kernel on your own, it is always kernel (hd0,0)/bzImage or kernel (hd0,0)/boot/bzImage. it does not make any difference if you have the /boot in the line or not.

so, i think it is ok the way it is already. changes according to the place of your kernel are not needed for the whole encryption thing.


greets,
hulk
Linux: "Free as in free speech, not as in free beer"
kritip
n00b
Posts: 56
Joined: Sat Jan 03, 2004 6:39 pm
Location: Nuneaton, Warks, UK

Post by kritip » Wed Jan 21, 2004 9:34 pm

hulk2nd wrote:i think you can leave the kernel part as it is. i assume you use genkernel? i have no experience with that, but if you compile your kernel on your own, it is always kernel (hd0,0)/bzImage or kernel (hd0,0)/boot/bzImage. it does not make any difference if you have the /boot in the line or not.

so, i think it is ok the way it is already. changes according to the place of your kernel are not needed for the whole encryption thing.


greets,
hulk
Ok, cheers. I don't use genkernel but i manually compile it, and then rename it to the kernel version and patch level, hence the name of it. I think i have it sorted, i shall probably know by tomorrow.


As another question, when you use knoppix, the only special program is losetup, so could you not just boot off any rescue cd, mount /boot which is home to losetup that was compiled and copied during the install, and just use that instead??

Kristian
Signature?? I don't want a signature!
hulk2nd
Guru
Posts: 512
Joined: Tue Mar 25, 2003 2:45 pm
Location: Freiburg, Germany

Post by hulk2nd » Wed Jan 21, 2004 9:59 pm

yes, it should be possible to use the losetup binary in combination with every other rescue cd, but i have not tested it.

greets,
hulk
Linux: "Free as in free speech, not as in free beer"
kritip
n00b
Posts: 56
Joined: Sat Jan 03, 2004 6:39 pm
Location: Nuneaton, Warks, UK

Post by kritip » Wed Jan 21, 2004 11:05 pm

Well, i found a Knoppix CD lying about v3.3 so i used that in the end. After running the DD command, it stated:

Code:

I/O error
30623+1 records in
30623+1 records out...
it listed the duration (about 30 mins) and it then said it was successful or something along those lines, great i thought.

Upon rebooting, the kernel begins to load, loads my drivers, mounts /dev, then says freeing space from kernel (157K) or something like that, and hangs.

It does state it found a ram disk and a compressed image at 0 and seems to uncompress it. I get no prompt for a password as it hangs though :(

Now im not sure if its something i've done or to do with the error that was listed when i ran dd ......

I guess i will have to fiddle tomorrow to try and fix it. Any ideas would be more than welcome though :)


Cheers,

Kristian
Signature?? I don't want a signature!
lghman
Guru
Posts: 548
Joined: Fri Nov 29, 2002 7:01 am
Location: Florida

Post by lghman » Thu Jan 22, 2004 2:41 am

Just wanted to say thanks hulk2nd. Freakin excellent job on the howto, worked like a damn charm for me! ;)

--sonik
"What a distressing contrast there is between the radiant intelligence of a child and the feeble mentality of the average adult" --Freud
hulk2nd
Guru
Posts: 512
Joined: Tue Mar 25, 2003 2:45 pm
Location: Freiburg, Germany

Post by hulk2nd » Thu Jan 22, 2004 11:22 pm

kritip wrote:

Code:

I/O error
30623+1 records in
30623+1 records out...
i don't remember that i/o error ...
in fact it doesn't look very well. i'm very sorry about that, i have no idea what to do ...
hope you backed up the important data ...
sorry

@sonikntails
glad to hear that. you're welcome :D
Linux: "Free as in free speech, not as in free beer"
franklin
n00b
Posts: 7
Joined: Mon Dec 29, 2003 10:01 pm
Location: Montreal, Canada

Post by franklin » Fri Jan 23, 2004 2:25 am

Have you looked at the file /etc/conf.d/crypto-loop?

Could I have more info about it, since the link to it is down.

And, where can I find build-initrd.sh?
kritip
n00b
Posts: 56
Joined: Sat Jan 03, 2004 6:39 pm
Location: Nuneaton, Warks, UK

Post by kritip » Fri Jan 23, 2004 7:19 am

hulk2nd wrote:
kritip wrote:

Code:

I/O error
30623+1 records in
30623+1 records out...
i don't remember that i/o error ...
in fact it doesn't look very well. i'm very sorry about that, i have no idea what to do ...
hope you backed up the important data ...
sorry
Very odd, i posted a big reply yesterday and it is nowhere to be seen!! Perhaps i hit preview and then closed the browser!!???

Anyway, the I/O error seemed to be no problem as i am now running unencrypted again after not being able to successfully boot. I tried rebuilding my kernel twice, checking all the options, rebuilding losetup with the aes patch twice, messing around with boot commands in grub, all to no avail!!! I even read in build-initrd.sh that i shouldn't use the root= line in grub as i use devfs and 2.6 kernel, so i ran rdev /kernel-version /dev/ram0 and removed the root= line, but it did exactly the same!
It just hung on freeing kernel memory!

I have given up for now, the only thing i think it could be is the HPT374 controller my drives sit on, although it is compiled into my kernel, or that in build-initrd.sh i specified /dev/discs/disc0/part3 whereas my mount command gives me /dev/ide/host2/bus0/target0/lun0/part3, both exist though!!??


Cheers anyway for the great guide, it was an experience, and i will try again in a few weeks,

Kristian
Signature?? I don't want a signature!
kritip
n00b
Posts: 56
Joined: Sat Jan 03, 2004 6:39 pm
Location: Nuneaton, Warks, UK

Post by kritip » Fri Jan 23, 2004 7:20 am

franklin wrote:Have you looked at the file /etc/conf.d/crypto-loop?

Could I have more info about it, since the link to it is down.

And, where can I find build-initrd.sh?
build-initrd.sh will be in your /tmp/enc/loop-AES-v2.0d/ directory, or wherever you extracted it.

Kristian
Signature?? I don't want a signature!
TheCoop
Veteran
Posts: 1814
Joined: Sat Jun 15, 2002 5:20 pm
Location: Where you least expect it

Post by TheCoop » Fri Jan 23, 2004 10:44 pm

so does the current util-linux-2.12-r4 work properly so you can run an encrypted root, or do you still need to install your own version? why doesn't util-linux just include the patch you patch yourself?
95% of all computer errors occur between chair and keyboard (TM)

"One World, One web, One program" - Microsoft Promo ad.
"Ein Volk, Ein Reich, Ein Führer" - Adolf Hitler

Change the world - move a rock
franklin
n00b
Posts: 7
Joined: Mon Dec 29, 2003 10:01 pm
Location: Montreal, Canada

Post by franklin » Sat Jan 24, 2004 6:05 pm

Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.
kritip
n00b
Posts: 56
Joined: Sat Jan 03, 2004 6:39 pm
Location: Nuneaton, Warks, UK

Post by kritip » Sat Jan 24, 2004 8:37 pm

franklin wrote:Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.
I believe it is not any type of journalled file system, just certain ones, depending on how they write data to the disk. I believe that Reiserfs and XFS are OK in the way they order the data in their default configuration, but i do not have any references to hand, so don't solely rely on my information. I personally tried it with Reiserfs 3.6 and successfully encrypted, used, and then decrypted my root partition.

Kristian
Signature?? I don't want a signature!
franklin
n00b
Posts: 7
Joined: Mon Dec 29, 2003 10:01 pm
Location: Montreal, Canada

Post by franklin » Sat Jan 24, 2004 10:12 pm

kritip wrote:
franklin wrote:Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.
I believe it is not any type of journalled file system, just certain ones, depending on how they write data to the disk. I believe that Reiserfs and XFS are OK in the way they order the data in their default configuration, but i do not have any references to hand, so don't solely rely on my information. I personally tried it with Reiserfs 3.6 and successfully encrypted, used, and then decrypted my root partition.

Kristian
Thx for the info, I will try it with Reiserfs
nx12
Apprentice
Posts: 193
Joined: Wed Jan 14, 2004 4:31 pm

Post by nx12 » Thu Jan 29, 2004 10:33 pm

One question: does somebody have working software suspend on encrypted swap?
I'm going to try it out, but can't find any materials about that. On swsusp.sourceforge.net they write that it's supported but I could not find anything either in google or in their mailing archives. :cry:
So it could be great if someone posted his experiences with encrypted swsusp. :roll:
signature sucks
gmoney
n00b
Posts: 20
Joined: Mon Aug 04, 2003 4:06 pm
Location: Santa Barbara

loop.ko

Post by gmoney » Sat Jan 31, 2004 5:57 pm

Just a word of advice, if you're doing this with the 2.6 kernel and your modules end with .ko instead of .o, you need to change the build-initrd.sh script so that it will look for loop.ko instead of loop.o (if you're using the loop module and not the in-kernel crypto). I've been stumped on this for an hour but it's working fine now. I was using the loop-aes 2.0d so maybe they've fixed this in the latest version but if not, just change line 389. Other than that, fantastic guide and great work to the loop-aes guys. I owe you a beer if you're ever in Santa Barbara, CA, USA.
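The loop.o versus loop.ko mismatch gmoney describes is easy to make robust in an initrd build script. The following is an added example written for this page; it is not code from the thread, from build-initrd.sh or from loop-AES. It looks the module up under whichever name the running kernel uses (2.4 installs loop.o, 2.6 installs loop.ko) and, going a step beyond the post, also accepts the compressed loop.ko.gz, loop.ko.xz and loop.ko.zst names that newer kernels ship. The fake module tree built by make_demo_tree is constructed for demonstration and does not correspond to a real system.

```shell
#!/bin/sh
# Added example, not from the thread or from loop-AES: find the loop module
# whichever name the kernel gives it, so an initrd build script does not
# fail when it hard-codes loop.o on a 2.6 kernel that installs loop.ko.

# find_loop_module MODDIR
#   Print the path of the first loop module below MODDIR and return 0,
#   or print nothing and return 1 when none is present (loop may then be
#   built into the kernel rather than provided as a module).
find_loop_module() {
    moddir="$1"
    [ -d "$moddir" ] || return 1
    # 2.4 name, 2.6 name, then compressed module names used by newer kernels
    for name in loop.o loop.ko loop.ko.gz loop.ko.xz loop.ko.zst; do
        found=$(find "$moddir" -type f -name "$name" | head -n 1)
        if [ -n "$found" ]; then
            printf '%s\n' "$found"
            return 0
        fi
    done
    return 1
}

# make_demo_tree DIR
#   Build a constructed (fake) /lib/modules layout with one 2.4-style and one
#   2.6-style kernel, plus an empty one, so the lookup can be exercised
#   without touching a real system.
make_demo_tree() {
    mkdir -p "$1/2.4.24/kernel/drivers/block" \
             "$1/2.6.1-mm5/kernel/drivers/block" \
             "$1/empty"
    : > "$1/2.4.24/kernel/drivers/block/loop.o"
    : > "$1/2.6.1-mm5/kernel/drivers/block/loop.ko"
}

# Stand-alone use: pass a module directory, e.g. /lib/modules/$(uname -r)
if [ $# -gt 0 ]; then
    if mod=$(find_loop_module "$1"); then
        echo "loop module: $mod"
    else
        echo "no loop module under $1 (built into the kernel?)" >&2
        exit 1
    fi
fi
```

In a build script the returned path replaces the hard-coded loop.o, and a non-zero return is the cue to either skip copying the module (in-kernel loop) or abort with a clear message instead of producing an initrd that hangs at boot.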
sciwhiz007
n00b
Posts: 31
Joined: Thu Jan 01, 2004 5:05 pm
Location: /dev/random

Post by sciwhiz007 » Sun Feb 01, 2004 3:38 pm

Two things, a question and a word of advice.
Where does it say that journalling file systems are not recommended for our purposes? If you read through the loop-AES readme, it specifically states this:
2.2. Use of journaling file systems on loop device
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don't use a journaling file system on top of file backed loop device, unless
underlying file system is journaled and guarantees data=ordered or
data=journal. Device backed loop device can be used with journaling file
systems as device backed loops guarantee that writes reach disk platters in
order required by journaling file system (write caching must be disabled on
the disk drive, of course). With file backed loop devices, correct write
ordering may extend only to page cache (which resides in RAM) of underlying
file system. VM can write such pages to disk in any order it wishes, and
thus break write order expectation of journaling file system.
What this means is that you can have a journalling file system on a loop device that's backed by a device, such as /dev/hda1 or /dev/sda1, but it is not recommended to have a journalling file system on a file backed loop device, such as one you create by typing this in.

Code:

dd if=/dev/zero of=loop.img bs=1k count=65536
losetup -e AES128 -S XXXXXX -T /dev/loop1 loop.img
mke2fs /dev/loop1
mount -t ext2 /dev/loop1 /mnt/loop
Now for my tip, which may not be useful to most people. But just in case you've been trying to patch the hardened-sources kernel with the loop-AES patch and haven't had much success, you could try what I did. Essentially what I'm doing is removing the cryptoloop patch applied to the hardened-sources kernel and then patching it with loop-AES.

Code:

cd /usr/src
cp /usr/portage/distfiles/patches-2.4.22-hardened.tar.bz2 ./
tar -xjvpf patches*.bz2
wget http://aleron.dl.sourceforge.net/sourceforge/loop-aes/loop-AES-v2.0e.tar.bz2
tar -xjvpf loop-A*.bz2
cd linux
patch -Rp1 -i ../2.4.22-hardened/70_crypto*.patch		# Remove the patch
patch -Np1 -i ../loop-A*/kernel-2.4.24.diff				# Apply the new patch
rm -rf ../*.bz2 ../2.4.22-hardened ../loop*
make menuconfig
Of course, I make a number of assumptions in the above code. I assume that you're patching hardened-sources-2.4.22 (any release), that your /usr/src/linux symlink correctly points to /usr/src/linux-2.4.22-hardened and that your portage distfiles are located at /usr/portage/distfiles. If any of this doesn't apply to you, you'll obviously have to change the code to suit your needs. Also, if you want to see whether a patch applies successfully, you can use the --dry-run switch with patch.

Hope that helps!
You can take a horse to water but you can't make it drink.
You can give a person facts, but you can't make them think.
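The loop-AES README rule sciwhiz007 quotes (journaling filesystems are safe on a device-backed loop, not on a file-backed one) can be turned into a pre-flight check run before a filesystem is created on a loop device. The script below is an added example for this page, not code from the thread or from loop-AES. It classifies the backing store with the shell's -b and -f tests and only then decides whether a journaling filesystem is acceptable; it is deliberately conservative and ignores the README's exception for file-backed loops on an underlying filesystem mounted with data=ordered or data=journal. The list of filesystem names treated as journaling is this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the loop-AES README: a pre-flight
# check for the rule "journaling filesystem only on a device-backed loop".

# loop_backing_kind PATH -> "device" | "file" | "unknown"
#   A block device (e.g. a disk partition) gives device-backed ordering
#   guarantees; a regular file goes through the page cache and does not.
loop_backing_kind() {
    if [ -b "$1" ]; then
        echo device
    elif [ -f "$1" ]; then
        echo file
    else
        echo unknown
    fi
}

# is_journaling FSTYPE -> 0 when the filesystem depends on write ordering
#   (assumed list; extend it for other journaling filesystems you use)
is_journaling() {
    case "$1" in
        ext3|ext4|reiserfs|xfs|jfs) return 0 ;;
        *) return 1 ;;
    esac
}

# check_loop_fs FSTYPE BACKING
#   Print a one-line verdict; return 0 when the pairing is safe by the README
#   rule, 1 when it is not or when the backing store cannot be inspected.
check_loop_fs() {
    fstype="$1"
    backing="$2"
    if ! is_journaling "$fstype"; then
        echo "ok: $fstype keeps no journal, write ordering is not required"
        return 0
    fi
    case "$(loop_backing_kind "$backing")" in
        device)
            echo "ok: $fstype on device-backed loop $backing (disable the drive's write cache)"
            return 0 ;;
        file)
            echo "risky: $fstype on file-backed loop $backing, the page cache may reorder writes"
            return 1 ;;
        *)
            echo "unknown: $backing is neither a block device nor a regular file"
            return 1 ;;
    esac
}

# Stand-alone use: check_loop_fs ext3 /dev/hda3
#              or: check_loop_fs ext3 /home/me/loop.img
if [ $# -eq 2 ]; then
    check_loop_fs "$1" "$2"
fi
```

Run it with the filesystem type you intend to pass to mkfs and the path you will hand to losetup; a non-zero exit is the signal to pick ext2 or minix for a file-backed image, or to back the loop with a partition instead.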
© 2001–2026 Gentoo Authors
Gentoo is a trademark of the Gentoo Foundation, Inc. and of Förderverein Gentoo e.V.
The contents of this document, unless otherwise expressly stated, are licensed under the CC-BY-SA-4.0 license.