afabbro Tux's lil' helper
Joined: 12 Jan 2003 Posts: 92 Location: Portland, OR
Posted: Mon Mar 01, 2004 5:28 am Post subject: Using dm-crypt in 2.6.4 for an encrypted filesystem
Note: This is too lame to be a HOWTO since I just followed directions I found elsewhere,
but I'm so happy I finally got a solid, large encrypted filesystem working under Linux that I'm
posting my experience.
The Goal
A 100GB encrypted filesystem on a USB2 external drive.
My Travails
I started with cryptoloop and the cryptoAPI. I had nothing but problems. Looking back, I realize it may
be that I had HIGHMEM set, and I think there are cryptoAPI bugs when that is set. With it set, I had
frequent hard lockups, either working with a block device or a file. I'll chalk it up to HIGHMEM (for
now), though I've read of others' problems. At any rate, cryptoloop looks to be on the way out,
according to http://kerneltrap.org/node/view/2433/ One other thing I don't like about
cryptoloop is that losetup doesn't ask for your password twice. If you pick a good, long passphrase,
you could easily typo it and find yourself unable to access your data.
Next I looked at loop-AES. This package has gotten good reviews, but requires (a) replacing your kernel's
loop module, and (b) patching util-linux (though Gentoo does this for you). I held this as a last resort
(what if I need my loop module for something some day?) and happily, never needed to use it.
Finally, I looked at BestCrypt, a commercial product from Jetico. BestCrypt is very well-documented but
is not free ($50 US after a 30-day trial; they give you the source code, so it's an honor system thing).
I downloaded and tested it, but 1.5.1 didn't work well with my 2.6.3 system. When using a block device,
it ran out of space or gave strange "bogus i_mode" messages in dmesg while attempting to fetch impossible
inodes, which hung the box. When I tried to use containers (of 100GB size), mkfs would freeze. Since
BestCrypt provides its own kernel modules, I'm going to have to lay the blame at their doorstep. (The
product works very well under Windows, incidentally).
Eureka!
Just as I was about to shoot myself out in frustration (see https://forums.gentoo.org/viewtopic.php?t=143108&highlight=),
I learned about dm-crypt. This is new in 2.6.4 and was available in 2.6.3-mm. The above-mentioned thread
(http://kerneltrap.org/node/view/2433) discusses the future of kernel cryptography, and it looks
to be dm-crypt instead of cryptoloop. The main dm-crypt page is at http://www.saout.de/misc/dm-crypt/
Before 2.6.4, you needed to do some special patches on the -mm tree...that's a little too bleeding edge for me.
But the good news is that 2.6.4-rc1 has dm-crypt support built in. Note: HIGHMEM is still broken in
regard to CryptoAPI/dm-crypt, so don't use it if you want dm-crypt (yes, this sucks - see the dm-crypt page
above for some patches to fix it).
To get up and running, I did the following:
Code:
emerge -u development-sources   # to get to 2.6.4-rc1
emerge device-mapper
device-mapper is needed for dm, which is an option in the 2.6.4 kernel (under the RAID section).
You will also need hashalot, but that's pretty common (and just emerge hashalot if you don't have it).
After rebuilding the kernel, I downloaded cryptsetup (http://www.saout.de/misc/cryptsetup),
a script that makes working with encrypted volumes really easy. Once downloaded (and chmod'd 755), setting
up the volume is easy. I chose to use AES (The defaults are aes with a 256 bit key, hashed using rmd160):
Code:
modprobe dm-mod
modprobe aes                                    # needed?
./cryptsetup -c aes -y create my-data /dev/sda1
mke2fs /dev/mapper/my-data
mount /dev/mapper/my-data /data
You'll get a warning that -y isn't implemented yet - see below (I put it in the example in case someone
is cutting/pasting a month from now).
cryptsetup will ask you for a password when you run it. Unfortunately, the -y flag, which would ask you
for the password twice, is not implemented yet - a hack is to type your password in an editor somewhere
and cut and paste it, thus ensuring that your long string of characters is not typo'd.
The mkfs ran pretty hot in terms of system load - 2 to 2.5 on a 1.6GHz P-IV. After the filesystem was
built, I started the copy. It cooked along pretty well - I didn't really notice much of a slowdown compared
to a normal copy (though this is USB2, so it's not as fast as writing to an ATA133 drive anyway). The load average
moved between 1 and 2, with 'pdflush' hogging most of it.
When I was finished, it was simply
Yep, that simple.
Status
2.6.4-rc1 has only been out a few days, so this is all barely tested. However, unlike my earlier experiences, I've written tens of gigabytes
of data on top of a dm-crypted filesystem and mounted and unmounted it several times without a problem.
Future Projects
I haven't investigated how to put this in /etc/fstab, but that's my next step.
I don't really see much use for an encrypted root/swap at home (since I'm religious about linking everything
unique *off* of root, such as /var/www, /home, /usr/local, etc.) It would be interesting to play with
dm-crypt on a laptop...but that's a project for another day
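The create / mke2fs / mount sequence from this post, as an added example that is not afabbro's code and not part of the dm-crypt project. It wraps the same commands with the two checks a plain (headerless) dm-crypt mapping badly needs: the passphrase is read twice, since -y was not implemented when the thread was written, and before anything is mounted or formatted the mapping is asked whether it actually decrypts to a filesystem, because in plain mode a wrong passphrase produces no error at all, just a mapping full of noise that mke2fs and mount will happily act on. Assumptions, all mine: root, a cryptsetup that still accepts the "create <name> <device>" spelling used in the thread (current versions call it "open --type plain"), blkid from util-linux, and that a passphrase piped on stdin is hashed the same way as one typed at the prompt (verify that for your version; the filesystem check catches it if not). Device, mapping name and mount point are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. See the lead-in for the
# assumptions; DEV/NAME/MNT are placeholders.
set -eu

DEV=/dev/sda1
NAME=my-data
MNT=/data
CIPHER=aes

# Ask for the passphrase twice; print it once on stdout if both entries
# match and are non-empty, otherwise return 1. Prompts go to stderr so
# stdout carries only the passphrase. This is the "-y" cryptsetup lacked.
read_passphrase_twice() {
    stty -echo 2>/dev/null || true
    printf 'Passphrase: ' >&2; read -r pw1
    printf '\nVerify:     ' >&2; read -r pw2
    stty echo 2>/dev/null || true
    printf '\n' >&2
    [ -n "$pw1" ] && [ "$pw1" = "$pw2" ] || return 1
    printf '%s' "$pw1"
}

# Does /dev/mapper/$1 hold a filesystem blkid recognises? Prints the type
# and returns 0 if so; returns 1 if the mapping decrypts to noise.
mapping_fs_type() {
    t=$(blkid -o value -s TYPE "/dev/mapper/$1" 2>/dev/null || true)
    [ -n "$t" ] || return 1
    printf '%s\n' "$t"
}

create_volume() {
    pw=$(read_passphrase_twice) || { echo "passphrases do not match" >&2; return 1; }
    printf '%s' "$pw" | cryptsetup -c "$CIPHER" create "$NAME" "$DEV"
    # Brand-new volume: there must NOT already be a filesystem under this
    # passphrase. If there is, this was probably meant to be "open".
    if mapping_fs_type "$NAME" >/dev/null; then
        echo "$DEV already holds a filesystem under this passphrase; refusing to mke2fs" >&2
        cryptsetup remove "$NAME"; return 1
    fi
    mke2fs -q "/dev/mapper/$NAME"
    mount "/dev/mapper/$NAME" "$MNT"
}

open_volume() {
    printf 'Passphrase: ' >&2; stty -echo 2>/dev/null || true
    read -r pw; stty echo 2>/dev/null || true; printf '\n' >&2
    printf '%s' "$pw" | cryptsetup -c "$CIPHER" create "$NAME" "$DEV"
    # Plain mode cannot tell a wrong passphrase from a right one; blkid can.
    if ! fs=$(mapping_fs_type "$NAME"); then
        echo "no filesystem found under this passphrase; not mounting" >&2
        cryptsetup remove "$NAME"; return 1
    fi
    mount -t "$fs" "/dev/mapper/$NAME" "$MNT"
}

# The mapping outlives the mount: until it is removed, anyone on the box
# can mount it with no passphrase. umount first; removing a mapping that
# is still in use fails with a "device busy" error.
close_volume() {
    umount "$MNT"
    cryptsetup remove "$NAME"
}

case "${1-}" in
    create) create_volume ;;
    open)   open_volume ;;
    close)  close_volume ;;
    *)      echo "usage: $0 create|open|close" >&2 ;;
esac
```

Run it as "create" once, then "open" and "close" on every later use. The filesystem check is the important part: with a headerless mapping it is the only signal you get that the passphrase (or the hash applied to it) is the same one the volume was made with.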

bluephile n00b
Joined: 01 Mar 2004 Posts: 6
Posted: Sun Mar 07, 2004 6:28 am
afabbro,
I have 2.6.4-rc1 installed and would really like to try this, but the cryptsetup script that you link to no longer exists. Do you think you could post it here?
Cheers,
bluephile
EDIT:
Ah, although archive.org didn't have the page, Google's cache does. I'll be back later with my results!
EDIT2:
Unfortunately, it appears to be older than the one you used, as there is no mention of a -y option anywhere in the script.
EDIT3:
I realized that cryptsetup was linked from the dm-crypt page. They have a new version of the script (er, program!) now in C: http://www.saout.de/misc/dm-crypt/cryptsetup-0.1.tar.bz2

mossmann n00b
Joined: 23 Apr 2002 Posts: 13
Posted: Sun Mar 07, 2004 4:39 pm Post subject: encrypted root and swap with dm-crypt
I've been running my laptop with the entire hard disk encrypted using dm-crypt for over a week now. Works great! I'm using a USB flash drive for my /boot and initrd, roughly following the method described in the Disk-Encryption-HOWTO. I wanted to build a swap device on top of the same encrypted device as my root filesystem and also have flexibility for multiple filesystems, so I'm using lvm2 on top of the encrypted block device. I had to build a custom initrd and linuxrc script to deal with a root filesystem over lvm2 over dm-crypt, but it was fairly straightforward (except for the conflicting documentation regarding what, exactly, the linuxrc script must accomplish). Minimal documentation follows:
Warning: You may destroy your data if you follow these instructions!
First I wrote a mkkey script to create a completely random key for the disk encryption and store the key on my flash drive in an encrypted loop file, protected by a passphrase. Note that all my scripts use the soon to be defunct cryptsetup.sh but should be easily adapted to the new cryptsetup.
Code:
#!/bin/bash
LOOP_FILE="/boot/keyloop"
KEY_DMTARGET="key"
LOOP="/dev/loop7"
modprobe dm-mod
if [ ! -f "$LOOP_FILE" ]; then
# making a 512 byte key even though only a portion will be used
dd if=/dev/zero of=$LOOP_FILE bs=512 count=1
chmod 600 $LOOP_FILE
losetup $LOOP $LOOP_FILE
cryptsetup.sh -b 1 create $KEY_DMTARGET $LOOP
dd if=/dev/random of=/dev/mapper/$KEY_DMTARGET bs=512 count=1
cryptsetup.sh remove $KEY_DMTARGET
losetup -d $LOOP
chmod 400 $LOOP_FILE
else
echo "Don't make me destroy your key!"
fi
Then I backed up my hard drive, double-checked the backup, shredded my hard drive, and built a new partition table. I chose to build my encrypted device on /dev/hda1 (maximum size) rather than /dev/hda just in case a new partition table accidently gets written to the disk or something. Then I wrote a cryptup script to create the encrypted block device:
Code:
#!/bin/bash
LOOP_FILE="/boot/keyloop"
KEY_DMTARGET="key"
LOOP="/dev/loop7"
DMTARGET="pvcrypt"
DEVICE="/dev/hda1"
modprobe dm-mod
if [ -r "$LOOP_FILE" ]; then
losetup $LOOP $LOOP_FILE
# it would be better to do this readonly
cryptsetup.sh -b 1 create $KEY_DMTARGET $LOOP
cryptsetup.sh -s 16 -d /dev/mapper/$KEY_DMTARGET create $DMTARGET $DEVICE
cryptsetup.sh remove $KEY_DMTARGET
losetup -d $LOOP
else
echo "Key not found."
fi
Then I built my lvm2 setup on top of the encrypted device with a mkvols script. I chose to use a 1GB swap volume and a 10GB root volume to get me started:
Code:
#!/bin/bash
PV="/dev/mapper/pvcrypt"
VG="vgcrypt"
if [ -r "$PV" ]; then
pvcreate $PV
vgcreate $VG $PV
# YMMV
lvcreate -C y -L 1G -n lvswap $VG
lvcreate -L 10G -n lvroot $VG
mkswap /dev/$VG/lvswap
mke2fs -j /dev/$VG/lvroot
else
echo "$PV not found."
fi
The above script failed the first time I tried it because lvm2 does not consider device-mapper block devices (such as a dm-crypt device) for use as physical volumes by default. I had to add a line to the devices block in /etc/lvm/lvm.conf:
Code:
types = [ "device-mapper", 16 ]
Now is a good time to verify that the encrypted block device can be remounted correctly, especially because cryptsetup.sh didn't ask for the password twice during setup (thanks to hashalot). First I used cryptdown:
Code:
#!/bin/bash
DMTARGET="pvcrypt"
# 'vgchange -a n' fails if I don't do this first. Not sure why.
# Asking lvm folks about this but no answer yet.
for lv in $(lvs --noheadings | awk '{print $2 "-" $1}'); do
dmsetup remove $lv
done
vgchange -a n vgcrypt
cryptsetup.sh remove $DMTARGET
Then I could run cryptup and vgscan. vgscan found the vgcrypt volume group, so everything worked. Then I copied my old root filesystem onto /dev/vgcrypt/lvroot from the backup and built my initrd in /boot. I copied my keyloop to the initrd and wrote a new linuxrc:
Code:
#!/bin/bash
export PATH=/bin:/sbin
LOOP_FILE="keyloop"
KEY_DMTARGET="key"
LOOP="/dev/loop/4"
DMTARGET="pvcrypt"
VG="vgcrypt"
LV="/dev/vgcrypt/lvroot"
DEVICE="/dev/ide/host0/bus0/target0/lun0/part1"
if [ -r "$LOOP_FILE" ]; then
mount -t proc none /proc
modprobe loop
modprobe aes
modprobe dm-mod
modprobe dm-crypt
for ((TRY=1; TRY <= 3; TRY++)); do
# it would be better to use key readonly
losetup $LOOP $LOOP_FILE
# This is easier than figuring out why hashalot's password
# prompt isn't showing up:
echo -n "Passphrase: "
cryptsetup.sh -b 1 create $KEY_DMTARGET $LOOP
echo
cryptsetup.sh -s 16 -d /dev/mapper/$KEY_DMTARGET create $DMTARGET $DEVICE
cryptsetup.sh remove $KEY_DMTARGET
losetup -d $LOOP
if (vgchange -a y $VG); then
exit 0
else
cryptsetup.sh remove $DMTARGET
fi
done
echo "Sorry."
else
echo "Key not found."
fi
while true; do
read
done
This took a few tries. Setting up all the files necessary to run cryptsetup.sh on the initrd was a bit of a pain but this will be easier with the new cryptsetup. The lvm2 tools also have to be on the initrd along with a customized /etc/lvm/lvm.conf.
My grub.conf entry looks like:
Code:
title gentoo 2.6.4-rc1
root (hd0,0)
kernel /vmlinuz-2.6.4-rc1 root=/dev/vgcrypt/lvroot vga=791
initrd /boot/initrd.gz
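mossmann's layout (a random disk key, wrapped by a passphrase inside a tiny dm-crypt container on the boot stick, LVM on top of the disk mapping), redone as an added example with the cryptsetup and losetup command line that replaced cryptsetup.sh. This is my code, not his scripts and not part of any project, and it goes slightly beyond the post: it adds a sanity check on the generated key before the disk is trusted to it, and uses LVM's own "is the volume group there?" as the wrong-passphrase detector, which is what his linuxrc retry loop already relied on. Everything named here is an assumption: device paths, the container size, the cipher, and that "open --type plain --key-file" uses the key bytes as they are without hashing them (so the container must hold at least KEY_BITS/8 bytes). Run as root, and take the original warning seriously: back up first.

```shell
#!/bin/sh
# Added example, not mossmann's scripts. Assumed device names and sizes;
# see the lead-in. Run as root.
set -eu

KEY_FILE=/boot/keyloop          # small container on the USB stick
KEY_NAME=key                    # mapping over the loop device
DEV=/dev/hda1                   # the partition to encrypt
DM_NAME=pvcrypt                 # the mapping LVM uses as its PV
VG=vgcrypt
CIPHER=aes-cbc-essiv:sha256     # assumed; see the known-plaintext posts below
KEY_BITS=256                    # first 32 bytes of the container are the key
CONTAINER_BYTES=4096            # one 4K sector; the original used 512

# Reject a "key" that is plainly not random: shorter than 32 bytes, or
# fewer than 16 distinct byte values among the first 32. This catches the
# failure that matters (a dd from the wrong source, a mapping that never
# got written through) before the disk is shredded on the strength of it.
# It cannot tell a wrong passphrase from a right one: noise looks random.
key_looks_random() {
    f=$1
    [ "$(wc -c < "$f" | tr -d ' ')" -ge 32 ] || return 1
    distinct=$(head -c 32 "$f" | od -An -v -tu1 | tr -s ' \n' '\n' \
               | sed '/^$/d' | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -ge 16 ]
}

# Create the wrapped key once. Never overwrite an existing one.
mkkey() {
    [ ! -e "$KEY_FILE" ] || { echo "Don't make me destroy your key!" >&2; return 1; }
    dd if=/dev/zero of="$KEY_FILE" bs="$CONTAINER_BYTES" count=1 2>/dev/null
    chmod 600 "$KEY_FILE"
    loop=$(losetup -f --show "$KEY_FILE")
    # This prompts for the passphrase: the only thing you ever have to type.
    cryptsetup --type plain --cipher "$CIPHER" --key-size "$KEY_BITS" open "$loop" "$KEY_NAME"
    head -c "$CONTAINER_BYTES" /dev/random > "/dev/mapper/$KEY_NAME"
    sync
    if ! key_looks_random "/dev/mapper/$KEY_NAME"; then
        echo "key write failed; removing $KEY_FILE" >&2
        cryptsetup close "$KEY_NAME"; losetup -d "$loop"; rm -f "$KEY_FILE"
        return 1
    fi
    cryptsetup close "$KEY_NAME"
    losetup -d "$loop"
    chmod 400 "$KEY_FILE"
}

# Unwrap the key (read-only, as the original comment wished), open the
# disk with it, drop the key mapping again, then let LVM say whether the
# passphrase was right: plain mode itself cannot.
cryptup() {
    loop=$(losetup -r -f --show "$KEY_FILE")
    cryptsetup --type plain --cipher "$CIPHER" --key-size "$KEY_BITS" --readonly open "$loop" "$KEY_NAME"
    cryptsetup --type plain --cipher "$CIPHER" --key-size "$KEY_BITS" \
        --key-file "/dev/mapper/$KEY_NAME" open "$DEV" "$DM_NAME"
    cryptsetup close "$KEY_NAME"
    losetup -d "$loop"
    if ! vgchange -ay "$VG" >/dev/null 2>&1; then
        cryptsetup close "$DM_NAME"
        echo "$VG not found on $DM_NAME: wrong passphrase or wrong device" >&2
        return 1
    fi
}

# Shutdown in reverse order: deactivating the VG drops the LV mappings,
# then the disk mapping can go.
cryptdown() {
    vgchange -an "$VG"
    cryptsetup close "$DM_NAME"
}

case "${1-}" in
    mkkey) mkkey ;;
    up)    cryptup ;;
    down)  cryptdown ;;
    *)     echo "usage: $0 mkkey|up|down" >&2 ;;
esac
```

The design point carried over from the post is that the passphrase never touches the disk cipher: it only unlocks a few random bytes, and the disk is keyed by those bytes. The key_looks_random check is deliberately weak (it is only meant to stop an all-zero or truncated key from being used); the real wrong-passphrase test is whether the volume group appears on the opened mapping.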

Gentoo Server Apprentice
Joined: 21 Jul 2003 Posts: 279
Posted: Tue Mar 09, 2004 6:22 pm
Hi, I was the unlucky dude with HIGHMEM and cryptoloop!
OK, let's look forward:
how can I mount my cryptoloop drive with dm-crypt on 2.6?

chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Tue Mar 09, 2004 6:54 pm
Cool! I like this idea better than using loop-based encryption. Thanks for the howto.
Chadders (the other root encryption howto guy)

bluephile n00b
Joined: 01 Mar 2004 Posts: 6
Posted: Mon Mar 15, 2004 9:57 pm
mossmann:
I'm trying to follow your instructions, but I'm confused on one major point:
What system are you booted into when you're running cryptsetup, etc.? The LiveCD kernel is too old for device-mapper support, and I don't know how to connect a laptop harddrive to my desktop to set this up with another machine. Please let me know how you did this!
Cheers,
bluephile

epic n00b
Joined: 16 Jan 2003 Posts: 44 Location: norway
Posted: Sun Mar 21, 2004 7:13 pm
Seems like all this thing needs is a bit more time for developers to make util-linux (mount) and the like support it... I run cryptsetup from /etc/init.d/local to mount my disk; this would of course not work for a root/swap partition ;) I would love any hints on an easier way to do it, though. (Hi to bluephile, by the way, who fixed the compile error in dmconvert for me! :) )

bluephile n00b
Joined: 01 Mar 2004 Posts: 6
Posted: Mon Mar 22, 2004 6:44 am
(Hi epic!)
Well, I've gotten somewhat further along ...
I used catalyst to create a new livecd based on 2.6.4 that included device-mapper, gcrypt, and cryptsetup. I successfully created my encrypted LVM partition, but I'm having trouble with the initrd: the kernel oopses when it boots up before panicking due to being unable to mount root. I've had the same problem with an encrypted root without LVM. I can't figure out how to read what the oops is to try and track down what's wrong. I'm afraid I'm stuck until development of dmcrypt/cryptsetup/etc. progresses somewhat (perhaps it'll include scripts to create the initrd & do this stuff automatically?) and I don't have to figure out why my initrd is failing, unless someone has a suggestion.
Thanks,
bluephile

mossmann n00b
Joined: 23 Apr 2002 Posts: 13
Posted: Tue Mar 23, 2004 10:50 pm
bluephile wrote: What system are you booted into when you're running cryptsetup, etc.?
Good question! I was using a minimal system installed on a second partition on my hard disk that I failed to mention. Someday it won't be there, but, as I have been on the road constantly over the past few weeks, I'm not quite ready to be without a safety net! I haven't had the time or motivation to use catalyst yet, but I would like to.
I found it useful to use bash or sash as my linuxrc when I was first trying to get my initrd to work. Being able to interact with the process was very helpful for debugging. Have you figured out if the oops is prior to, during, or after linuxrc?
I haven't been following it closely, but I know there has been some discussion of initrd on the dm-crypt mailing list: http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt

davidblewett Apprentice
Joined: 15 Feb 2004 Posts: 274 Location: Indiana
Posted: Tue Mar 30, 2004 5:09 pm
I would like to use this procedure to create an encrypted USB flash drive. Will this work in Windows, or is it a *nix only solution? Thanks!

epic n00b
Joined: 16 Jan 2003 Posts: 44 Location: norway
Posted: Tue Mar 30, 2004 10:40 pm
I can't get this to work with FireWire... I have a 250 GB disk in a FireWire enclosure. It works perfectly, but if I try to encrypt the device I get:
Code:
ieee1394: sbp2: aborting sbp2 command
0x2a 00 0e 90 40 57 00 00 80 00
ieee1394: sbp2: aborting sbp2 command
0x2a 00 0e 90 40 d7 00 00 80 00
ieee1394: sbp2: aborting sbp2 command
0x2a 00 0e 90 41 57 00 00 80 00
ieee1394: sbp2: aborting sbp2 command
0x2a 00 0e 90 41 d7 00 00 80 00
The command I use to set up the device is:
Code:
./cryptsetup -c aes -s 128 -y create cryptdev /dev/sda1
Earlier I got the thing mounted... but it started showing error messages after I tried to copy something to it... now it can't get through mkfs.xfs before showing errors, so I can't mount it.
As I said earlier, the disk works perfectly without the encryption.
Anyone got any ideas?
Another question I have in this dm-crypt matter is: when will we see this dm-crypt stuff merged into mount and such, so that the whole matter could be more easily managed (it would be a breeze to encrypt root and such), since it's becoming the future of Linux disk encryption as of 2.6.4, I mean....

keschrich n00b
Joined: 09 Apr 2002 Posts: 69 Location: Branford, CT
Posted: Wed Mar 31, 2004 2:40 pm
Just a thought:
I don't know all too much about encryption and modern algorithms, but isn't encrypting the root partition a bit dangerous due to the amount of known plaintext? As long as the intruder knows that you're running Linux, there are quite a few libraries and such that are fairly standard to just about any Linux system. Not to mention those of us like me who've installed the howtos; now there's a lot of plaintext just waiting to be exploited..
There must be something I'm missing here, otherwise I'm sure it would've been mentioned long ago.. is known plaintext no longer an issue?

tdb Apprentice
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Thu Apr 01, 2004 4:58 am
Feel free to correct any inaccuracies in my post, I'm no expert.
Here is something, although I think that most modern ciphers themselves are not vulnerable to a known plaintext attack (which is what you are describing). Chaining modes (CFB and CBC) and Initialization Vectors (IV) were invented to prevent this, I think.
http://lwn.net/Articles/67216/

rwallace Tux's lil' helper
Joined: 22 May 2003 Posts: 107 Location: Phoenix, AZ US
Posted: Fri Apr 02, 2004 5:21 am Post subject: Mounting w/o entering password or key?
Ok. I successfully created an encrypted filesystem with dm-crypt. But...
I wanted to try this so I could protect data from theft if the server was taken. But if all a person needs to do to mount the encrypted partition is
Code:
mount /dev/mapper/crypt /data
and they don't have to enter a key, what's the point? Am I missing something?
[EDIT]
I guess I should have read a little more. Quote: Don't forget: cryptsetup only creates a mapping. If you call cryptsetup again after a reboot and supply the same passphrase you will be able to mount your filesystem you created before.
So I guess now my question is how do I kill this mapping without having to reboot?
[/EDIT]

drfunfrock Tux's lil' helper
Joined: 05 Aug 2003 Posts: 114
Posted: Fri Apr 02, 2004 11:16 am Post subject: Re: Mounting w/o entering password or key?
rwallace wrote: Ok. I successfully created an encrypted filesystem with dm-crypt. But...
So I guess now my question is how do I kill this mapping without having to reboot?
On the command line, just type cryptsetup -h and you get help,
or
> cryptsetup delete [name] [device]

rwallace Tux's lil' helper
Joined: 22 May 2003 Posts: 107 Location: Phoenix, AZ US
Posted: Fri Apr 02, 2004 8:39 pm
Yah, I read some more of the dm-crypt page docs and lo and behold found that it's as simple as
Code:
umount /data
cryptsetup remove crypt
Very nice. Very simple. I did a 50GB transfer of the data I wanted to encrypt last night and it completed without a problem. I'm very happy now.
Before, I was trying cryptfs and cfs on FreeBSD 4.9-R, 4.9-S, 5.1-R and 5.2-R and none of the combinations could get past 15G. Most of the time the system would hard lock at between 3 and 6G.
Thanks for this little pointer. The gentoo forums strike again

mossmann n00b
Joined: 23 Apr 2002 Posts: 13
Posted: Tue Apr 06, 2004 7:57 pm Post subject: known plaintext attacks
keschrich wrote: I don't know all too much about encryption and modern algorithms, but isn't encrypting the root partition a bit dangerous due to the amount of known plaintext?
The only known plaintext attack I'm aware of that we need to be concerned about is the optimized dictionary attack described in the link provided by tdb. This attack only works if the attacker knows some plaintext, including its exact location on the block device. Even though there is a lot of known plaintext on a root filesystem, very little of it is in a predictable location. That's why the attack in the link targets something in the filesystem header rather than any individual data files within the filesystem.
Personally, I don't trust any IV method to protect me from an optimized dictionary attack, at least not until the method and the specific implementation have undergone significant peer review. That's why my key is a chunk of completely random bits that would never be found in a dictionary. Then I encrypt my key with an easier to remember passphrase. The encrypted block device can't be attacked with an optimized dictionary because the key would not be in anyone's dictionary (even though there is known plaintext on the device); the encrypted key can't be attacked with an optimized dictionary because it contains no known plaintext (even though my passphrase could conceivably be in someone's dictionary).
If someone had both my hard disk (encrypted block device) and my flash device (encrypted key), then they could perform a dictionary attack, but it would be very computationally expensive and could not be optimized for multiple targets.

mossmann n00b
Joined: 23 Apr 2002 Posts: 13
Posted: Tue Apr 06, 2004 10:32 pm
epic wrote: As I said earlier the disk works perfectly without the encryption.
Hmmm. Does it work perfectly with the same kernel that you are using for dm-crypt? Have you tried an intensive write test like "badblocks -w"?
epic wrote: Another question I have in this dm-crypt matter is, when will we see this dm-crypt stuff merging into mount and such
That is being worked on. See http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/34

crculver n00b
Joined: 02 Mar 2004 Posts: 17
Posted: Mon Apr 12, 2004 8:10 am
I already have a partition set up with encryption and mounting provided by the loopback driver. How do I use device-mapper functionality to mount the drive?
Note that I only want to mount an existing encrypted filesystem with this new method; I do NOT want to have to reformat or re-encrypt. In fact, the first time I want to mount it read-only so I can make sure I'm not going to lose my home dir.

tdb Apprentice
Joined: 19 Sep 2002 Posts: 293 Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)
Posted: Tue Apr 13, 2004 3:35 pm
crculver wrote: I already have a partition set up with encryption and mounting provided by the loopback driver. How do I use device-mapper functionality to mount the drive?
Try here:
http://www.saout.de/misc/dm-crypt/
About halfway down the page is a section about migration. It looks like dm-crypt can do cryptoloop created by 2.6 kernels. There are a few links to follow from there as well.

GentooBox Veteran
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
Posted: Thu Apr 15, 2004 9:25 pm
Hi.
I have some experience with loop-AES with gpg keys,
but for loop-AES to work perfectly I need to patch util-linux and build a loop.ko module.
Is there any reason why I should switch to dm-crypt?
EDIT: has anyone encrypted their whole harddisk? How does it work?
Did you guys figure out how to add the encrypted drive to fstab?

epic n00b
Joined: 16 Jan 2003 Posts: 44 Location: norway
Posted: Tue Apr 27, 2004 2:04 pm
GentooBox wrote: Hi.
I have some experience with loop-AES with gpg keys,
but for loop-AES to work perfectly I need to patch util-linux and build a loop.ko module.
Is there any reason why I should switch to dm-crypt?
EDIT: has anyone encrypted their whole harddisk? How does it work?
Did you guys figure out how to add the encrypted drive to fstab?
Yes, there is a good reason to switch to dm-crypt: the 2.6 maintainer Morton has deprecated loop-crypt.
To set up the encrypted partitions in fstab you would need to patch your util-linux with the patch located in the mailing list (for util-linux 2.12 I believe; dunno if this works with a root/swap partition though).
Anyone know how to use dmconvert to encrypt an already existing partition?

misc Tux's lil' helper
Joined: 09 Sep 2003 Posts: 109
Posted: Fri May 07, 2004 6:43 am
Hi,
I haven't begun to do this yet, but I have a backup server that a lot of servers back up to. I store all this data on a separate partition, and it's a RAID device as well (mirror). Is this going to cause trouble? Do I need to delete the partition before I encrypt it?
One last question: I noticed that when you unmount the drive you type 'cryptsetup remove crypt', which makes it so that on a reboot it will still ask for a passphrase. My question is, what happens if this drive needs to be mounted at all times? I'm guessing that you can still type the cryptsetup command to remove the key even while it's mounted? Otherwise there's no point for me in using this, because if the backup server gets stolen then they will have access to the partition.

Nate_S Guru
Joined: 18 Mar 2004 Posts: 414
Posted: Fri May 07, 2004 5:18 pm
Here's a very dirty hack I'm using to encrypt swapspace on bootup with local.start and local.stop
DISCLAIMER: Use at your own risk. This is what I am using on my system, and it works for me, but I can't promise it won't make your hard drive scream in pain or your mouseball to get filled with dust twice as quick. However, I'd highly doubt it could do worse than cause the swap not to work, which could be easily fixed by simply removing this hack, and mkswap on your swap partition again.
/etc/fstab
Code:
/dev/hda9 none swap sw 0 0
I still have an unencrypted swap in my fstab that the kernel activates during bootup. This is most likely not necessary, but I left it just in case it uses swap as it boots.
/etc/conf.d/local.start
Code:
swapoff /dev/hda9                                   # turn off swap activated in fstab
cryptsetup -d /dev/urandom create swap /dev/hda9    # encrypt partition using a random key from /dev/urandom
mkswap /dev/mapper/swap                             # set up the swap space on the encrypted partition
swapon /dev/mapper/swap                             # activate the encrypted swap
/etc/conf.d/local.stop
Code:
swapoff /dev/mapper/swap                            # deactivate the swap device
cryptsetup remove swap                              # remove encrypted device
mkswap /dev/hda9                                    # set it up for unencrypted use on next reboot
I hope this helps some of you
-Nate
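The same random-key swap as an added example, written by me rather than taken from Nate_S's post, and going one step further than it: it checks /proc/swaps so the script can be run twice (or after a failed run) without tripping over itself, and it drops the unencrypted fstab entry instead of re-creating a plain swap signature at shutdown. The reason for the latter is worth spelling out: whatever the kernel swaps out to the plain partition between fstab activation and local.start is written in the clear, and mkswap on the encrypted mapping only rewrites the first page, so those pages sit on disk until that sector happens to be overwritten. Assumptions: root, a current cryptsetup ("open --type plain"), /proc/swaps, and that /dev/hda9 is the swap partition and nothing else.

```shell
#!/bin/sh
# Added example, not Nate_S's local.start/local.stop. Device name and
# cipher are assumptions. Remove the /dev/hda9 line from /etc/fstab and
# run this from local.start ("start") and local.stop ("stop") instead.
set -eu

SWAPDEV=/dev/hda9
NAME=swap
CIPHER=aes-cbc-essiv:sha256

# Is the device named in $1 listed as active in the /proc/swaps text on
# stdin? The first line of /proc/swaps is the column header.
swap_active() {
    awk -v dev="$1" 'NR > 1 && $1 == dev { found = 1 } END { exit (found ? 0 : 1) }'
}

start_crypt_swap() {
    # Already up from an earlier run? Then there is nothing to do, and
    # cryptsetup would refuse anyway: the partition is held by the mapping.
    if swap_active "/dev/mapper/$NAME" < /proc/swaps; then return 0; fi
    # A mapping left behind by a failed run blocks "open"; clear it.
    if cryptsetup status "$NAME" >/dev/null 2>&1; then cryptsetup close "$NAME"; fi
    # If the raw partition is in use (fstab, or someone ran swapon by
    # hand), release it first.
    if swap_active "$SWAPDEV" < /proc/swaps; then swapoff "$SWAPDEV"; fi
    # Key straight from /dev/urandom: nothing to type, nothing to store,
    # and the contents are unreadable once the mapping is gone.
    cryptsetup --type plain --cipher "$CIPHER" --key-size 256 \
        --key-file /dev/urandom open "$SWAPDEV" "$NAME"
    mkswap "/dev/mapper/$NAME" >/dev/null
    swapon "/dev/mapper/$NAME"
}

stop_crypt_swap() {
    if swap_active "/dev/mapper/$NAME" < /proc/swaps; then swapoff "/dev/mapper/$NAME"; fi
    cryptsetup close "$NAME"
    # Deliberately no mkswap on the raw partition here: a plain swap
    # signature is exactly what lets fstab activate plaintext swap on the
    # next boot.
}

case "${1-}" in
    start) start_crypt_swap ;;
    stop)  stop_crypt_swap ;;
    *)     echo "usage: $0 start|stop" >&2 ;;
esac
```

Each boot gets a fresh key, so there is nothing to forget and nothing to recover; the price is that hibernation (resume from swap) cannot work with this layout, which is the same trade the original hack makes.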