Gentoo Forums
[HOWTO] root, swap filesystem encryption for 2.4 and 2.6

nx12
Apprentice

Joined: 14 Jan 2004
Posts: 193

Posted: Tue Feb 03, 2004 9:48 am

Hi there.
I still dream about suspend to loop device. But the only thing I've found is a patch for 2.6.0 kernel supposed to work only with built-in swsusp, not the one from swsusp.sourceforge.net.
You can try it out there.
But even so it doesn't compile with kernel-2.6.1. It exits with error. :(
Maybe someone has any ideas how to encrypt swsusp? :roll:
Currently I'm using encrypted root filesystem with absolutely unencrypted suspend to disk. And it's really a stupid thing... :twisted: :twisted:
_________________
signature sucks

Phrenic
n00b

Joined: 01 Feb 2004
Posts: 21
Location: Knoxville, TN

Posted: Tue Feb 03, 2004 3:21 pm    Post subject: question

first of all, thanks hulk2nd, great guide. Very simple to use. I have one question that I'm still a little confused about. I already encrypted my root and swap, but I was wondering if I could encrypt another hard drive as well. I read the http://www.ece.cmu.edu/~rholzer/cryptoloop_mini_howto.html
but am still confused. Do I have to use a different loop device from my root partition, or can I just run a command to convert it to the same cryptography as the root drive? It'd be nice if my root encryption password would unlock everything. Do I do it more like the swap space where you don't have to run losetup? Thanks.

sciwhiz007
n00b

Joined: 01 Jan 2004
Posts: 31
Location: /dev/random

Posted: Wed Feb 04, 2004 2:02 am

I recently decided to put a system of mine that was lying around to some good use and hence decided to set up Gentoo on it as well, but with an encrypted root partition and read-only boot partition on CD-ROM. Using hulk2nd's amazing guide, I got through it quite successfully. Well, almost. The problem arises when I boot the system. Essentially what happens is when it displays the message "Encrypted root filesystem...", it encounters an error and prints
Code:
Command "/lib/losetup -e AES128 -S XXXXX /dev/loop/0 /dev/discs/disc0/part1" returned error.

It then continues to do this 5 times and then halts the system. Now, I've checked and rechecked the seed, so there's nothing wrong there. I'm also positive about the /dev/discs.. entry, because my root partition is /dev/hda1. I realize this information is a bit vague, so I'll try to give more information. I'm running kernel 2.4.22-hardened and util-linux 2.12 with loop-AES 2.0e. Running file on losetup returns
Code:
file losetup
losetup: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, statically linked, stripped
.
My isolinux.cfg is as follows:
Code:
DEFAULT vmlinuz initrd=initrd.gz root=/dev/ram0 rootfstype=minix init=/linuxrc

The relevant options in build-initrd.sh are as follows:
Code:
BOOTDEV=/dev/cdroms/cdrom0
BOOTTYPE=iso9660
CRYPTROOT=/dev/discs/disc0/part1
ROOTTYPE=reiserfs
CIPHERTYPE=AES128
PSEED="-S XXXXXX"
USEMODULE=0
USEPIVOT=1
INITRDONLY=0
ROOTLOOPINDEX=0
TEMPLOOPINDEX=7
USEDEVFS=1
USEROOTSETUP=0

For obvious reasons, I replaced the real seed with XXXXXX for displaying purposes. If there's any other information you would like me to provide, please feel free to ask. Note that I can freely access the partition as normal when I use Knoppix. My system has been unbootable (if there is such a word) for the past few days and this really is very frustrating. Thanks in advance for any help or insight you can provide!
_________________
You can take a horse to water but you can't make it drink.
You can give a person facts, but you can't make them think.

gmoney
n00b

Joined: 04 Aug 2003
Posts: 20
Location: Santa Barbara

Posted: Wed Feb 04, 2004 6:15 pm    Post subject: Problems (and fixes) on 2.6 kernel

A new version of loop-aes will be out soon to address the problems of having a loop.ko instead of a loop.o like build-initrd.sh expects. One other problem I ran across is that on my highly tweaked ~x86 system, any initrd I built would fail. I tried a few different things and it turns out that enabling dietlibc support (DIETLIBC=1) in build-initrd fixed my problems. Just make sure to emerge dietlibc first or you'll get some complaints. This works for both devfs and udev enabled kernels.
One problem I haven't fixed yet is having / mounted twice. I haven't dug around too much yet but if anyone else gets something similar to
/dev/loop/5 on / type ext3 (rw,noatime)
/dev/loop5 on / type ext3 (rw,noatime)
and they have a fix, I would love to hear it.

braindead0
Tux's lil' helper

Joined: 29 Apr 2003
Posts: 146
Location: Ohio

Posted: Fri Feb 27, 2004 12:55 am

I think there's something missing in:
"4. Encrypt a clean root partition while installing gentoo"

The first step is to boot with knoppix cd, then several steps later ' continue with Step "8. Stage tarballs and chroot" from the Gentoo Installation doc.'

How can you install stage tarballs and stuff, when booted up on the knoppix cd???

hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Fri Feb 27, 2004 1:36 am

you can install gentoo with almost every linux live cd. there is no need to use the gentoo cds.
of course, the stage tarballs are not included in a knoppix iso, so you have to get it from somewhere else (from the net, from your lan, or from any other storage device) but since you need internet access to install gentoo at all, i can't see any differences.

greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

braindead0
Tux's lil' helper

Joined: 29 Apr 2003
Posts: 146
Location: Ohio

Posted: Fri Feb 27, 2004 10:19 pm

Yeah, I suppose once you've got a stage tarball you're good to go.. I usually use the one on the CD as I want to rebuild everything....

Just seems that there could be some mention of this ;-)

Gentoo Server
Apprentice

Joined: 21 Jul 2003
Posts: 279

Posted: Sun Feb 29, 2004 4:36 pm

this howto has some bugs with 2.6 so i post the right stuff to save somebody else time
all part i pay back to gentoo community

1) add as usual cryptoloop, cipher etc to your kernel
check cipher with
Code:
cat /proc/crypto
name : blowfish
module : blowfish
type : cipher
blocksize : 8
min keysize : 4
max keysize : 56

if you can't losetup with cipher not found or something like that emerge losetup new (emerge linux-util) 2.12 then losetup works

new losetup has new syntax

Code:
losetup -e blowfish-128 /dev/loop0 /dev/md0

you have to add the keysize after the cipher

so to make an encrypted drive

1) start drive e.g. raidstart /dev/md0
2) add crypt losetup -e blowfish-128 /dev/loop0 /dev/md0 (you can enter the password only one time)
3) make filesystem mkreiserfs /dev/loop0
4) add fstab
/dev/md0 /mnt/crypt reiserfs noauto,noatime,loop,encryption=blowfish-128 0 0
now you can mount your crypt drive with mount /mnt/crypt

each start you need to start raid in my example

raidstart /dev/md0
then mount your crypt mount /mnt/crypt
enter pass

if your pass is ok you can use your crypt drive

use blowfish-128 which is 100% secure and less cpu demand than other cipher

please add that stuff to this howto to save time for other people!

echo6
Guru

Joined: 04 Jan 2003
Posts: 587

Posted: Sun Feb 29, 2004 5:01 pm

Gentoo Server wrote:
if you can't losetup with cipher not found or something like that emerge losetup new (emerge linux-util)
Shouldn't that be emerge util-linux ?

Gentoo Server
Apprentice

Joined: 21 Jul 2003
Posts: 279

Posted: Sun Feb 29, 2004 5:33 pm

echo6 wrote:
Gentoo Server wrote:
if you can't losetup with cipher not found or something like that emerge losetup new (emerge linux-util)
Shouldn't that be emerge util-linux ?


yes

typo

TheCoop
Veteran

Joined: 15 Jun 2002
Posts: 1814
Location: Where you least expect it

Posted: Sun Feb 29, 2004 7:39 pm

I'm thinking about an encrypted raid setup with reiser4 as the fs, am i just taking my life into my own hands here?
_________________
95% of all computer errors occur between chair and keyboard (TM)

"One World, One web, One program" - Microsoft Promo ad.
"Ein Volk, Ein Reich, Ein Führer" - Adolf Hitler

Change the world - move a rock

compuboy86
Tux's lil' helper

Joined: 03 Apr 2003
Posts: 79

Posted: Sun Feb 29, 2004 8:09 pm

I'm certainly not an authority on this but it seems to me that encrypting a raid array wouldn't allow for rebuilding the array (should a drive go down). Software raid might work. Any thoughts?

Gentoo Server
Apprentice

Joined: 21 Jul 2003
Posts: 279

Posted: Sun Feb 29, 2004 10:34 pm

TheCoop wrote:
I'm thinking about an encrypted raid setup with reiser4 as the fs, am i just taking my life into my own hands here?


when you are using encryption anyway your performance is low

use reiser3 then

when your files are cached you will have good speed

bluephile
n00b

Joined: 01 Mar 2004
Posts: 6

Posted: Mon Mar 01, 2004 9:44 pm

I'm having trouble getting this to work. I'm trying to use method number 6 (with a GPG key). When I run "make tests," I get this about 15 seconds into the test:

Code:
md5sum test-file1 >test-file2
echo "cb38b603f96f0deac1891d423983d69c  test-file1" | cmp test-file2 -
cmp test-file3 test-file4
make[1]: Leaving directory `/tmp/enc/loop-AES-v2.0e'
make test-part2 CT=AES128 ITER=0 HF=sha256 GK="-K gpgkey2.asc -G test-dir1" MD=f9825b79873f5c439ae9371c1a929a6c TF=test-file1 PSW=12345678901234567890
make[1]: Entering directory `/tmp/enc/loop-AES-v2.0e'
echo 12345678901234567890 | /sbin/losetup -p 0 -e AES128 -H sha256 -C 0 -K gpgkey2.asc -G test-dir1 /dev/loop7 test-file1
ioctl: LOOP_MULTI_KEY_SETUP: Invalid argument
make[1]: *** [test-part2] Error 1
make[1]: Leaving directory `/tmp/enc/loop-AES-v2.0e'
make: *** [tests] Error 2


I'm not sure what other info you might need. I am doing this with loop-AES-v2.0e, but I had identical problems with f. I'm hesitant to go back too many versions for fear of what other bugs might be in them.

Thank you very much for all the time and effort you've put into this tutorial!

Cheers,
Bluephile

yottabit
Guru

Joined: 11 Nov 2002
Posts: 313
Location: Columbus, Ohio, US

Posted: Sat Mar 13, 2004 6:35 pm

Can't seem to figure out how to setup swap part with GPG key. I've done this:
Code:
losetup -e AES256 -K /mnt/floppy/rootkey.gpg /dev/loop6 /dev/hda2


I guess this encrypts /dev/loop6 -> /dev/hda2 to my GPG key. It asks for my password, so I guess it worked.

And then I've made the guide-recommended changes to my /etc/fstab, but when I mount /dev/hda2 I get this:
Code:
# mount /dev/hda2
Password:
ioctl: LOOP_SET_FD: Device or resource busy


Any ideas?

Cheers,

J
_________________
Play The Hitchhiker's Guide to the Galaxy!

yottabit
Guru

Joined: 11 Nov 2002
Posts: 313
Location: Columbus, Ohio, US

Posted: Mon Mar 15, 2004 4:36 pm

Okay, it works... I did what I said in the previous post and then just rebooted...

Still not sure why I had to reboot though...

J
_________________
Play The Hitchhiker's Guide to the Galaxy!

Gentoo Server
Apprentice

Joined: 21 Jul 2003
Posts: 279

Posted: Mon Mar 15, 2004 8:00 pm

as cryptapi seems to be buggy and broken and it's replaced with dm-crypt i suggest rebuilding this howto with dm-crypt, it's pretty easy

cryptapi is dead and will be deleted soon from kernel!

MrPrez
n00b

Joined: 02 Sep 2003
Posts: 67

Posted: Sun Mar 21, 2004 11:55 am

I tried to encrypt my root partition. But after I reboot and type in my password the computer reboots again :( There are no entries in /var/log/messages or /var/log/kern.log

My Configuration:

build-initrd.sh

Code:
BOOTDEV=/dev/hda8
BOOTTYPE=ext2
CRYPTROOT=/dev/hda6
ROOTTYPE=ext3
CIPHERTYPE=AES128
LOINIT="-I 0"
USEGPGKEY=0
GPGKEYFILE=rootkey.gpg
EXTERNALGPGFILES=0
EXTERNALGPGDEV=/dev/fd0
EXTERNALGPGTYPE=ext2
USEMODULE=0
USEPIVOT=1
INITRDONLY=0
SOURCEROOT=
DESTINATIONROOT=
DESTINATIONPREFIX=/boot
INITRDGZNAME=initrd.gz
ROOTLOOPINDEX=5
TEMPLOOPINDEX=7
LOOPMODPARAMS=""
USEDEVFS=0
LOADNATIANALKEYB=0
INITIALDELAY=0
TOOLSPROMPT=0
USEROOTSETUP=0
USEDIETLIBC=1


lilo.conf:

Code:
menu-scheme=Wb
boot = /dev/hda

disk=/dev/hda
  bios=0x80
  cylinders=15017
  heads=255
  sectors=63

prompt
append="apm=on,power_off"
map = /boot/System.map
lba32
timeout=200
delay = 50
vga = 791

image = /boot/bzImage-2.6.4
append = "init=/linuxrc rootfstype=minix"
initrd = /boot/initrd.gz
root = /dev/ram0
label = crypted
read-only


fstab:

Code:
/dev/hda1               /win            ntfs            defaults                                                 0 0
/dev/loop5              /               ext3            defaults                                                 0 0
/dev/hda4               /data            ext3            defaults,loop=/dev/loop2,encryption=aes-128              0 0
/dev/hda8               /boot           ext2            defaults                                  0 0
/root/.crypto           /root/crypted   ext2            defaults,noauto,loop=/dev/loop3,encryption=aes-256         0 0

#Swap
/dev/hda7               none            swap            sw,loop=/dev/loop4,encryption=aes-128                    0 0


I can't find any fault, I don't know why it doesn't work :(
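
A consistency check for the `build-initrd.sh` settings and fstab posted above, as an added example that is not part of the original post or of loop-AES. It checks loop-device bookkeeping only: `/` on the device named by `ROOTLOOPINDEX`, no loop device claimed twice, the raw `CRYPTROOT` partition not listed directly, and swap carrying `encryption=`. The function names and the broken variant are constructed, and the root-device rule is an assumption about how the initrd leaves the system.

```shell
#!/bin/sh
# Added example, not from the thread or from loop-AES: cross-check loop device
# numbers between build-initrd.sh settings and /etc/fstab.

# cfg_get FILE KEY: value of a KEY=value line, double quotes stripped.
cfg_get() { sed -n "s/^$2=//p" "$1" | tr -d '"' | head -n 1; }

# audit_loops CONFIG FSTAB: prints one finding per line, nothing if consistent.
audit_loops() {
    awk -v root="$(cfg_get "$1" ROOTLOOPINDEX)" \
        -v crypt="$(cfg_get "$1" CRYPTROOT)" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        dev = $1; mnt = $2; type = $3; idx = ""; enc = 0
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^encryption=/) enc = 1
            if (opt[i] ~ /^loop=\/dev\/loop\/?[0-9]+$/) {
                idx = opt[i]; sub(/^.*[^0-9]/, "", idx)   # keep trailing number
            }
        }
        if (mnt == "/") {
            # Assumption: the initrd leaves / on /dev/loop<ROOTLOOPINDEX>
            # (devfs spells it /dev/loop/<N>), so fstab must name that device.
            if (dev !~ ("^/dev/loop/?" root "$"))
                print "root: fstab has " dev ", initrd sets up /dev/loop" root
            idx = root
        }
        if (dev == crypt)
            print "cryptroot: " dev " is also listed directly in fstab"
        if (type == "swap" && !enc)
            print "swap: " dev " has no encryption= option"
        if (idx != "") {
            # A bound loop device cannot be bound again (LOOP_SET_FD: busy).
            if (idx in owner)
                print "loop" idx ": claimed by " owner[idx] " and " dev
            else
                owner[idx] = dev
        }
    }' "$2"
}

# Settings and fstab entries as posted above (whitespace condensed).
sample_cfg() { printf 'CRYPTROOT=/dev/hda6\nROOTLOOPINDEX=5\nTEMPLOOPINDEX=7\n'; }
sample_fstab() {
    cat <<'EOF'
/dev/hda1      /win           ntfs  defaults                                           0 0
/dev/loop5     /              ext3  defaults                                           0 0
/dev/hda4      /data          ext3  defaults,loop=/dev/loop2,encryption=aes-128        0 0
/dev/hda8      /boot          ext2  defaults                                           0 0
/root/.crypto  /root/crypted  ext2  defaults,noauto,loop=/dev/loop3,encryption=aes-256 0 0
/dev/hda7      none           swap  sw,loop=/dev/loop4,encryption=aes-128              0 0
EOF
}

# Constructed variant with deliberate mistakes, to show what gets reported.
broken_fstab() {
    cat <<'EOF'
/dev/hda6  /      ext3  defaults                                    0 0
/dev/hda4  /data  ext3  defaults,loop=/dev/loop5,encryption=aes-128 0 0
/dev/hda7  none   swap  sw                                          0 0
EOF
}

# Usage: sh audit.sh build-initrd.sh /etc/fstab
if [ $# -eq 2 ]; then
    audit_loops "$1" "$2"
fi
```

The posted configuration produces no findings; the constructed variant produces four.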

MrPrez
n00b

Joined: 02 Sep 2003
Posts: 67

Posted: Sun Mar 21, 2004 3:43 pm

I tried it with "/dev file system support" and it works. But this configuration isn't what I want. Any idea why it won't work without?

Mr Evil
n00b

Joined: 22 Dec 2003
Posts: 3

Posted: Mon Mar 22, 2004 12:15 am

many thanks to hulk2nd and Lord Tocharian ! this guide definitely rocks !

as i am in the process of installing a new system which i want fully encrypted , i got to the following question : how useful (or counterproductive) is it to use losetup seeding together with gpg keys ?
couldn't find any documentation on that .

as i understand it , the key passed to losetup is passed on to pgp , which will use the key to decrypt the real keys which are used for the multikey hd encryption ?

adding seed to losetup would then
a) change (salt/seed) the key passed on to pgp ? OR :
b) change (salt/seed) the key(s) from pgp used for en/decryption ?

so in my opinion adding seed would not really have any effect , since the keys given back by pgp should already be dictionary attack safe ? (in both cases) (given that the pgp keys were generated randomly , as described in the tutorial)

sorry for so many questions ;)
_________________
no RISC no fun ;)

MrPrez
n00b

Joined: 02 Sep 2003
Posts: 67

Posted: Mon Mar 22, 2004 10:56 pm

MrPrez wrote:
I tried it with "/dev file system support" and it works. But this configuration isn't what I want. Any idea why it won't work without?


I forgot to create the necessary device node files on the new file system:

Code:
# mknod -m 660 /dev/console c 5 1
# mknod -m 660 /dev/null c 1 3

GentooBox
Veteran

Joined: 22 Jun 2003
Posts: 1168
Location: Denmark

Posted: Sat Apr 03, 2004 10:20 am

I just followed this guide, and now i can't start my system normally.

I have a 2.6 kernel and i installed linux-utils with the patch from loop-AES.

When i start up my kernel then it shows kernel messages (it boots), but then an error comes up:

Quote:

Unable to mount hda1 on /lib
system halted


:S i don't know what to do, i can't figure out WHY it wants to mount my boot partition at /lib.
in build-initrd.sh from loop-AES it also mounts my boot partition at /lib - it's in the script.

help me getting my system back. :roll:
_________________
Encrypt, lock up everything and duct tape the rest

Takker
Tux's lil' helper

Joined: 17 Mar 2004
Posts: 98
Location: Münster, Germany

Posted: Tue Apr 06, 2004 1:57 pm

Hi!

For weeks now I've been reading this guide and trying around, and today I've found the time to finish it

Well, I'd like one special partition (which is SATA -> sda6 over here) crypted. The key should be entered once after a reboot, no USB Key Stick or that stuff.

Thx to Gentoo Server's post above it worked for me with the 2.6:
Quote:

this howto has some bugs with 2.6 so i post the right stuff to save somebody else time
all part i pay back to gentoo community

etc ... read above.


I just followed the steps ... changed them a bit for my system here. So I did something like this (I don't exactly remember, but it should be all right in general)

Remember to enable the encryption you like and cryptoloop in kernel :)

1) add crypt losetup -e blowfish-128 /dev/loop0 /dev/sda6 (you can enter the password only one time)
2) make filesystem mkreiserfs /dev/loop0

3) I added the following line to fstab
Code:

/dev/sda6 /opt/glftpd/site/crypt reiserfs noauto,users,noatime,loop,encryption=blowfish-128 0 0


Well, crypting works as I have to enter a password when I mount the drive (wrong pw -> error with filesystem).

However, mounting /dev/sda6 is confusing me a bit, don't I have to mount /dev/loop0 (which actually doesn't work)?

Has somebody a small explanation or maybe anybody has some more tips etc?
_________________
Gentoo e.V.
takkahz.de
Gentoo Tips & Tricks

tracker
n00b

Joined: 04 Jan 2004
Posts: 7
Location: United States

Posted: Wed Apr 14, 2004 9:13 pm

In no particular order:

TheCoop wrote:
I'm thinking about an encrypted raid setup with reiser4 as the fs, am i just taking my life into my own hands here?


Let us all know how that goes/went. Be sure to throw some LVM in as well for good measure. Oh, and do it on an Opteron box.

compuboy86 wrote:
I'm certainly not an authority on this but it seems to me that encrypting a raid array wouldn't allow for rebuilding the array (should a drive go down) Software raid might work. Any thoughts?


RAID (1,3,4,5) bases its parity data on the low-level contents of the partition, rather than the actual high-level contents (files and folders) of your filesystem, so encrypting the blocks your filesystem sits on really doesn't matter one way or the other to a RAID controller (it will calculate the parity for the encrypted data instead). On top of that, you COULD run a software RAID on some cypher-loops, and then run the resulting /dev/md* through a cypher-loop, but .... don't do that.

Gentoo Server wrote:
when you are using encryption anyway your performance is low

use reiser3 then

when your files are cached you will have good speed

Reading from the HD is several orders of magnitude more time consuming than manipulating data in RAM and usually when intense filesystem activity is going on, the CPU and RAM aren’t being utilized fully (they’re waiting on the FS operation to complete). It’s been a while since my last thesis on this, but as I remember, block cipher operations are pretty much O(n) (as compared to block compression operations, thank you NTFS), so you can sneak an encryption/decryption operation into a block device without too much of a hit to your CPU/RAM (which is fine, since they’re usually not the bottleneck anyways).

According to Hans Reiser, v4 is ‘the fastest filesystem’. http://www.namesys.com/benchmarks.html

File caching is nice if you have the RAM, but usually people have more space on disk than they do RAM.

/replies


I'm deploying a server into a hostile physical environment. It's all old hardware, so I'm really not too worried about someone hitting it with a truck or otherwise lighting it on fire, but to facilitate several key functions of this server, it has passwordless SSH keys that handle unmanned logins to some fairly important servers, keys I don’t want falling into the wrong hands, like those of a kid with a Knoppix CD for example.

I’ve been looking into encryption of the root partition (the only partition besides boot and swap, is 2G in size and currently has ~600M used with a full portage tree and kernel sources sitting in /usr/src. Filesystem is ReiserFS btw). Due to the possibility for abuse, the node will be headless (possibly even hidden in a ceiling); and it’s fairly hard to enter a password when there’s no keyboard attached.

I decided to follow Option 3 of the howto, encryption with a gpg key. The following are my setup notes.

Hardware:
AMD-K6, 400mhz processor (64K cache)
64M,16M RAM
WDC AC22500L 2.5G running in udma2 mode

Kernel: Linux 2.6.5-love4

In 3i
Code:
umask 077
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a >/boot/rootkey.gpg

Changed --symmetric to --store. I don’t want a password on this encryption key.


In 3j -> 2c2
Code:
*****************************************************************
***  This script was configured to build linuxrc using        ***
***  dietlibc, but it appears that dietlibc is unavailable.   ***
***  Script aborted.                                          ***
*****************************************************************


Apparently dietlibc should be in the requirements as well, I emerged it and continued on.

In 3m
Code:
 dd if=/dev/hda2 bs=64k \
            | /mnt/aespipe -e AES128 -K /mnt/rootkey.gpg -G / \
            | dd of=/dev/hda2 bs=64k conv=notrunc


Shouldn’t /mnt/aespipe be /mnt/tempboot/aespipe? same for /mnt/rootkey.gpg.

Note: The current version of Loop-AES (v2.0g) recognizes ‘ko’ as being the proper kernel module extension for the 2.6 series. Had to change ‘loop.o’ to ‘loop.ko’.

After several runs through Knoppix, I got it working. On to performance testing.

Code:
 # hdparm -tT /dev/hda
/dev/hda:
 Timing buffer-cache reads:   124 MB in  2.04 seconds =  60.78 MB/sec
 Timing buffered disk reads:   26 MB in  3.01 seconds =   8.64 MB/sec


The performance hit for running ‘cat /dev/loop/5 > /dev/null’ was CPU usage ranging from 50% to 75% by the ‘loop5’ kernel process, and a pretty much solid 99% overall system CPU usage. So decrypting data coming from the drive at 8.64M/s was at par or too much for a 400mhz K6 processor. Interestingly enough, while running ‘updatedb’ the loop5 processes stayed around 5-15% proc usage.

Code:
 # time dd if=/dev/zero of=./testfile bs=1024k count=100 ; time sync
100+0 records in
100+0 records out

real    0m13.770s
user    0m0.000s
sys     0m3.880s

real    0m11.033s
user    0m0.000s
sys     0m0.240s


Time required to create a 100M file, and flush all data to the drives. I suppose I should have done a control test with ReiserFS on an unencrypted partition …. oh well.

So far so good, one thing I am eyeing pretty carefully is:
Code:
# dmesg
….
is_leaf: free space seems wrong: level=1, nr_items=21, free_space=0 rdkey
vs-5150: search_by_key: invalid format found in block 97760. Fsck?
vs-13070: reiserfs_read_locked_inode: i/o failure occurred trying to find stat data of [34361 35781 0x0 SD]
….

I’m not sure what that’s all about, but if it keeps working through multiple reboots, I’ll try not to worry about it.

One other thing I’m going to continue looking into is losing the password prompt from the initrd. It would be nice if loop-aes could detect if the gpg key presented is in fact password protected before asking for one. After reading through the loop-AES readme file though, it would seem that the gpg key is never examined by losetup or mount (just passed along to gpg) so I suppose I’ll have to look into using the -p option in losetup, and piping /dev/null or something into it.

Final note, I’ve been having random seg faults coming from emerge and runscript (possibly other apps) while running an encrypted root partition. I’m going to compile a stock 2.6 kernel to rule out love-sources as being the cause. I’ll post again assuming I succeed in getting it stable.
_________________
--Tracker

Not to be confused with BitTorrent
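
Whether a key file such as `/boot/rootkey.gpg` is passphrase-protected (`--symmetric`) or only armored (`--store`, as chosen in the post above) can be read from the file itself. The check below is an added example, not part of the post or of loop-AES: it decodes the first OpenPGP packet tag per RFC 4880 and also checks the file mode that `umask 077` is meant to give. The function names are hypothetical and the files built by `make_sample` are constructed bytes, not real gpg output.

```shell
#!/bin/sh
# Added example: classify an ASCII-armored OpenPGP file by its first packet
# tag (RFC 4880, sections 4.2 and 4.3). All names here are hypothetical.

# first_packet_tag FILE: print the decimal tag of the first packet, else fail.
first_packet_tag() {
    # Armor layout: BEGIN line, optional "Key: value" headers, one blank
    # line, then base64. Four base64 characters decode to three bytes.
    quad=$(awk '
        /^-----BEGIN PGP MESSAGE-----/ { hdr = 1; next }
        hdr && /^[ \t\r]*$/            { hdr = 0; body = 1; next }
        body                           { print substr($0, 1, 4); exit }
    ' "$1")
    [ "${#quad}" -eq 4 ] || return 1
    byte=$(printf '%s' "$quad" | base64 -d 2>/dev/null | od -An -tu1 |
           awk '{ print $1; exit }')
    [ -n "$byte" ] || return 1
    [ $(( $byte & 128 )) -ne 0 ] || return 1   # bit 7 is set in every header
    if [ $(( $byte & 64 )) -ne 0 ]; then
        echo $(( $byte & 63 ))                 # new format: tag in bits 5..0
    else
        echo $(( ($byte & 60) >> 2 ))          # old format: tag in bits 5..2
    fi
}

# keyfile_protection FILE: passphrase | public-key | encrypted | plaintext | unknown
keyfile_protection() {
    tag=$(first_packet_tag "$1") || { echo unknown; return 0; }
    case $tag in
        3)    echo passphrase ;;   # symmetric-key encrypted session key
        1)    echo public-key ;;   # public-key encrypted session key
        9|18) echo encrypted ;;    # encrypted data with no session key packet
        8|11) echo plaintext ;;    # compressed or literal data: armor only
        *)    echo unknown ;;
    esac
}

# keyfile_mode_ok FILE: succeed only if group and others have no permissions.
keyfile_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# make_sample FILE OCTAL_BYTES: write a constructed, armor-shaped sample whose
# body starts with the given bytes. Not real gpg output; it has no CRC line.
make_sample() {
    {
        echo '-----BEGIN PGP MESSAGE-----'
        echo 'Comment: constructed sample'
        echo
        printf "$2" | base64
        echo '-----END PGP MESSAGE-----'
    } > "$1"
}

# Usage: sh keycheck.sh /boot/rootkey.gpg
if [ $# -gt 0 ]; then
    echo "$1: $(keyfile_protection "$1")"
fi
```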

Gruffi
Apprentice

Joined: 15 Aug 2003
Posts: 209
Location: Antwerpen - Flanders - Belgium

Posted: Fri Apr 16, 2004 12:24 pm

What happens if the filesystem gets corrupted? What happens if the system goes down unexpectedly? As far as i know when you encrypt something all it takes is 1 damaged bit to lose everything... Will only open files be lost or the entire partition?
_________________
... and we will show Microsoft, that they cannot take whatever they want. And that Free Software is our software!
All times are GMT
Page 4 of 8