discomfitor l33t
Joined: 21 Feb 2003 Posts: 927 Location: None
Posted: Sat Dec 20, 2003 1:56 pm
Have you tested it with udev?
_________________
There is no substitute for experience. Imperfection indicates a lack of effort.
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Sat Dec 20, 2003 3:04 pm
Death Valley Pete wrote:
> Holy wow.
> I tried it (with 256-bit encryption because I'm a tad OCD) with kernel 2.6.0 final. It works. I've been waiting for a guide to come out for a couple of months now, and hulk2nd, thank you very much.
> I've already upgraded loop-aes (basically, repeat steps 2b and 2c) from 2.0c to 2.0d.
> I'm thinking that when I upgrade my kernel (down the road) it will just be a matter of replacing the bzImage and that's it. Does that sound right?
> Now I just need to figure out how to make this work with a gpg key on a usb stick... when and if I get the money for that I'll probably give it a shot. If anybody wanted to write a howto for that, that would be even cooler.
> I'm not sure I have the expertise to write an ebuild for the modified util-linux, but if I (or somebody) did, would it be an appropriate thing to put into portage?
> Perhaps you should submit the whole clean install onto an encrypted partition procedure to the alternative install guide.
> Anyway, good work!

maybe i will add gpg and the usb stick thing to the howto. i already have some experience with that.
greets,
hulk
Gentoo Server Apprentice
Joined: 21 Jul 2003 Posts: 279
Posted: Sat Dec 20, 2003 10:55 pm
this is the power of gentoo
one helps the other
Lord Tocharian Tux's lil' helper
Joined: 11 Mar 2003 Posts: 75
Posted: Thu Dec 25, 2003 3:27 pm
First, thanks a lot for your guide, it was very helpful. I have all of my partitions encrypted with the exception of /boot and I really don't notice any slowdown at all.
I know I would also greatly appreciate it if you added some information about working with gpg/a usb stick. I don't think there is as much information about that on the internet and I am trying to figure out what the correct way to do it is. Thanks
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Thu Dec 25, 2003 5:23 pm
you are welcome!
yesterday i ordered a sony memory stick on ebay (cause my vaio has a memory stick reader). and guess why i bought it. as soon as it arrives and i have got it working, i will post a message here. it is not hard at all, i think!
greets,
hulk
Lord Tocharian Tux's lil' helper
Joined: 11 Mar 2003 Posts: 75
Posted: Sun Dec 28, 2003 1:24 am
I have been playing around with encryption and by using hulk2nd's great guide along with the loop-AES.README I have set up an encrypted root partition using a gpg encrypted key. I thought I would add on to his guide with how I set up my system.
All I basically did is put the loop-AES.README into an easier to read format. I would highly suggest reading the entire thing before attempting to encrypt your hard drive. Also a current backup of your hard drive definitely helps.

7. Encrypt your current root partition using a gpg encrypted key.

7a) Requirements:
- loop-AES-v2.0d (same as in 1. Requirements)
- latest loop-AES patch (loop-AES-v2.0d-20031226.diff.bz2)
- util-linux-2.12 (same as in 1. Requirements)
- Knoppix / Gentoo LiveCD (same as in 1. Requirements)
- gnupg-1.2.3
- aespipe-v2.2a

7b) Recompile Kernel (2.6.x Instructions Only):
Code:
cd /usr/src/linux
make menuconfig

Follow Section 2a3 with the following exceptions:
Extra things to set:
Code:
CONFIG_MODULES=y
CONFIG_KMOD=y        (recommended but not required)
CONFIG_CRAMFS=n      (or CONFIG_CRAMFS=m)

Differences:
Code:
CONFIG_BLK_DEV_LOOP=n

This step is VERY important! As opposed to the other guide, loop support cannot be in your kernel at all, not even as a module (therefore Cryptoloop support will not be built into your kernel either)!
From the loop-AES.README:
> After building and installing your new kernel, do not attempt to clean kernel tree, or rename path to kernel sources.

Follow the end of 2a3 to recompile your kernel and then optionally reboot into your new kernel (if you want to make sure it is working).

7c) Compile loop.o module for your kernel:
Code:
mkdir /tmp/enc
cd /tmp/enc
tar jxvf loop-AES-v2.0d.tar.bz2
bunzip2 loop-AES-v2.0d-20031226.diff.bz2
patch -p0 <./loop-AES-v2.0d-20031226.diff
cd loop-AES-v2.0d        # the Makefile lives in the unpacked directory
make clean
make LINUX_SOURCE=/usr/src/linux-2.6.0-gentoo

Replace 2.6.0-gentoo with the kernel version you have.

7d) Install util-linux:
Use the instructions in 2b) install util-linux.

7e) Setup GPG:
Code:
cd /tmp/enc/loop-AES-v2.0d
tar zxvf gnupg-1.2.3.tar.gz
cd gnupg-1.2.3
patch -p1 <../gnupg-1.2.3.diff
CFLAGS="-O2" LDFLAGS="-static -s" ./configure --prefix=/usr --enable-static-rnd=linux
make
rm -f /usr/share/man/man1/{gpg,gpgv}.1.gz
make install
chown root:root /usr/bin/gpg
chmod 4755 /usr/bin/gpg    # setuid root so gpg can lock key material in memory

7f) Test loop-AES:
Code:
cd /tmp/enc/loop-AES-v2.0d
make tests

From the loop-AES.README:
> Makefile will display "*** Test results ok ***" message if tests are completed successfully. If tests fail, do not use the driver as it is broken.
> If gpg isn't available, then tests that involve decrypting gpg encrypted key files will fail. You can skip gpg key file tests by specifying TEST_GPG_TYPES=n on make command line.

7g) Build aespipe program:
Code:
cd /tmp/enc
tar jxvf aespipe-v2.2a.tar.bz2    # unpack aespipe first (archive name assumed; adjust if yours differs)
cd aespipe-v2.2a
CFLAGS="-O2" LDFLAGS="-static -s" ./configure
make
make tests
cp -p aespipe /boot

7h) Copy kernel version specific loop.o to /boot/modules-KERNELRELEASE/
Code:
mkdir /boot/modules-2.6.0-gentoo
cp -p /lib/modules/2.6.0-gentoo/block/loop.*o /boot/modules-2.6.0-gentoo/loop.o

Replace 2.6.0-gentoo with the kernel version you have.

7i) Create 64 random encryption keys and encrypt those keys using gpg.
Code:
umask 077
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a >/boot/rootkey.gpg

7j) Build /boot/initrd.gz
Follow the bottom part of 2c) create the ramdisk to set up and execute your build-initrd.sh with the following changes:
- change USEGPGKEY to 1
- leave USEMODULE set to 1
I would note that I have used both AES128 and AES256 on the same system at different times and in my desktop usage I noticed no difference between the two as far as slowdown.

7k) Modify /etc/fstab
Use the same procedure as in 2d) modifying /etc/fstab.

7l) Edit grub.conf / lilo.conf
Use the same procedure as in 2e) modifying your grub.conf.
NOTE: if you use lilo, read the top of build-initrd.sh for instructions on how to set up lilo.

7m) Do the actual encryption using some sort of bootable CD:
First reboot onto Knoppix/Gentoo LiveCD or some other form of bootable CD so your root partition will not be mounted. Then do the following steps:
Code:
mkdir /mnt/tempboot
mount -r -t ext2 /dev/hda1 /mnt/tempboot

Replace /dev/hda1 with whatever your boot partition is, and change the type as well.
Finally encrypt your hard drive; this may take several hours depending on the size of your hard drive:
Code:
dd if=/dev/hda2 bs=64k \
  | /mnt/tempboot/aespipe -e AES128 -K /mnt/tempboot/rootkey.gpg -G / \
  | dd of=/dev/hda2 bs=64k conv=notrunc

Replace /dev/hda2 with whatever your root partition is. aespipe and rootkey.gpg are read from the boot partition mounted at /mnt/tempboot in the previous step.
Unmount and reboot onto the new encrypted partition!
Code:
umount /mnt/tempboot
sync
reboot
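Since a malformed or over-permissive key file from step 7i only shows up as an unbootable root after step 7m, here is an added example (my own shell, not from this post or from loop-AES) that builds a key file with the same 64-line layout and checks it before the gpg step; base64/fold and /dev/urandom are stand-ins for uuencode and /dev/random, and nothing is written to any disk.

```shell
#!/bin/sh
# Added example, not from the thread or the loop-AES project: build a loop-AES
# 64-key file with the layout step 7i produces and sanity-check it before it is
# gpg-encrypted. Step 7i's pipeline (head -c 2880 /dev/random | uuencode -m - |
# head -n 65 | tail -n 64) yields 64 lines of 60 base64 characters, i.e. 45
# random bytes per key line; base64 + fold build the same body without uuencode.
# Assumptions: POSIX sh with base64, fold, grep -E and find; /dev/urandom is
# used instead of /dev/random so the demo never blocks. No disk is touched.

# Write a fresh 64-line key file to $1, readable by its owner only.
make_keyfile() {
    ( umask 077
      { head -c 2880 /dev/urandom | base64 | tr -d '\n'; echo; } \
          | fold -w 60 > "$1" )
}

# Return 0 only if $1 is owner-only readable and holds exactly 64 lines of
# 60 valid base64 characters; anything else would leave the root fs unreadable
# after step 7m, so refuse to go on.
check_keyfile() {
    [ -f "$1" ] || return 1
    # group- or world-readable key material defeats the encryption
    [ -z "$(find "$1" -perm -004 -o -perm -040)" ] || return 1
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 64 ] || return 1
    [ "$(grep -Ec '^[A-Za-z0-9+/]{60}$' "$1")" -eq 64 ]
}

# Same gpg step as 7i, run only once the plain key file has passed the check;
# $2 is the output path (e.g. /boot/rootkey.gpg). Returns 2 if gpg is missing.
encrypt_keyfile() {
    command -v gpg >/dev/null 2>&1 || return 2
    check_keyfile "$1" || return 1
    ( umask 077; gpg --symmetric -a < "$1" > "$2" )
}
```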
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Sun Dec 28, 2003 4:51 am
wow, this is awesome!
thanks for these additions! of course i will update the howto with this information (btw, thank you for keeping the same "layout" as the original howto, this makes it much easier). i'm sure several people are very interested in this!
so big thanks again for the great work you have done here!!
greets,
hulk
innocentbeats Tux's lil' helper
Joined: 15 Jul 2003 Posts: 76
Posted: Sun Dec 28, 2003 8:32 pm
Hi, thank you for this interesting guide.
I have another question: I just want to encrypt one partition or filesystem, where I can "host" the home directory for example.
I used the search function, but I did not find good results for the 2.6 kernel. I have the cryptoloop function compiled in. What steps do I have to take?
CU
Chris
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Sun Dec 28, 2003 11:16 pm
as far as i know you can even encrypt only one directory. but i haven't done this yet. have a look at the loop-aes readme or try to google.
greets,
hulk
innocentbeats Tux's lil' helper
Joined: 15 Jul 2003 Posts: 76
Posted: Sun Dec 28, 2003 11:24 pm
Searching google, I found this little howto:
http://www.ece.cmu.edu/~rholzer/cryptoloop_mini_howto.html
which is exactly what I was looking for, but when I type this command
Code:
losetup -e aes-256 /dev/loop0 /dev/sda1

I get the error that the cipher is unknown, although it is definitely compiled into the kernel and it can be seen in /proc/cryp as well.
CU
Chris
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Sun Dec 28, 2003 11:28 pm
either boot with knoppix or do step 2b). the util-linux from the portage tree does not work with aes until you have patched it.
greets,
hulk
Lord Tocharian Tux's lil' helper
Joined: 11 Mar 2003 Posts: 75
Posted: Mon Dec 29, 2003 12:49 am
I wanted to post an update regarding encryption using a gpg encrypted key. After some reading I have not found a way to use the key to encrypt swap with. Therefore it seems that swap is encrypted the same way as normal (step 4) in hulk2nd's guide, which works fine.
ZaCi n00b
Joined: 29 Dec 2003 Posts: 1
Posted: Mon Dec 29, 2003 5:01 pm
Is it possible to easily encrypt other non-root or non-boot partitions? How?
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Sat Jan 03, 2004 4:05 pm
so i'm right back from holidays and finally got my memory stick, but unfortunately i can't boot from it. obviously i can't boot from any external device like a usb stick. that is really bad but that's how it is, so no update for the howto in this case, at least from my side.
greets,
hulk
TPC Tux's lil' helper
Joined: 16 Sep 2003 Posts: 135 Location: Sweden
Posted: Sun Jan 04, 2004 4:52 pm
I messed it up.
I must have made the same typo twice while entering the pass-phrase because it doesn't work. I tried all common typos of that password that I can think of. I just can't get access to the root partition.
I probably have to re-install... but I'm just making sure that there isn't something I can do.
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Sun Jan 04, 2004 6:19 pm
hmm, that is strange cause you have to type the passphrase twice if you used the parameter 'T' in the losetup command. what error do you get? does it also not work with the knoppix cd? (maybe there is another keyboard layout)
maybe you had caps lock or num lock enabled?
TPC Tux's lil' helper
Joined: 16 Sep 2003 Posts: 135 Location: Sweden
Posted: Sun Jan 04, 2004 6:23 pm
oh, you're right! a different keyboard layout! why didn't I think of that? thanks!
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Sun Jan 04, 2004 6:35 pm
no problem!
have a look at the build-initrd.sh. you can enable the option to use another keyboard layout. it's not hard at all. just enable that option and copy the layout over to your /boot partition and you are done.
greets,
hulk
phlef n00b
Joined: 08 Jun 2002 Posts: 6 Location: Earth
Posted: Sat Jan 10, 2004 6:50 pm
Lord Tocharian wrote:
> I have been playing around with encryption and by using hulk2nd's great guide along with the loop-AES.README I have set up an encrypted root partition using a gpg encrypted key. I thought I would add on to his guide with how I set up my system.
> All I basically did is put the loop-AES.README into an easier to read format. I would highly suggest reading the entire thing before attempting to encrypt your hard drive. Also a current backup of your hard drive definitely helps.
> 7. Encrypt your current root partition using a gpg encrypted key.

Is there a way that the encrypted Root FS does not need a password? For instance, I already have my gpg Private Key on floppy. Is there a way that the boot process verifies that the floppy in the drive has the proper gpg key and decrypts the FS w/o user intervention, enabling me to unlock the FS by inserting the floppy before PowerOn? Thus allowing me to restart the Server remotely as long as the floppy is in the Server's Drive?
_________________
There are 10 types of people on Earth. Those who know BINARY and those who don't.
braindead0 Tux's lil' helper
Joined: 29 Apr 2003 Posts: 146 Location: Ohio
Posted: Tue Jan 13, 2004 8:06 pm
You'll find that the gpg key on your floppy is your private key and is encrypted using your passphrase.
Otherwise anybody who has the floppy could access your system... not good security.
viperlin Veteran
Joined: 15 Apr 2003 Posts: 1319 Location: UK
Posted: Tue Jan 13, 2004 9:15 pm
i've got cryptoloop set up
but when mounting my backup DVDs (yes, correct password, i have the correct cipher set)
Code:
$ mount /mnt/ecd
Password:
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
       or too many mounted file systems
       (could this be the IDE device where you in fact use
       ide-scsi so that sr0 or sda or so is needed?)
$

sadly the "auto" filesystem does not seem to work with cryptoloop anymore.
fstab entry:
Code:
/dev/sr0 /mnt/ecd udf defaults,user,noauto,encryption=aes-256,itercountk=100 0 0

EDIT:
latest fstab entry:
Code:
/dev/sr0 /mnt/ecd auto defaults,user,noauto,encryption=aes-256 0 0

seems better but now i get:
Code:
mount: /dev/loop0: can't read superblock
braindead0 Tux's lil' helper
Joined: 29 Apr 2003 Posts: 146 Location: Ohio
Posted: Sat Jan 17, 2004 11:04 pm
I followed the instructions and double checked everything; after the ramdisk loads I get an error that VFS can't open /dev/ram0:
Code:
RAMDISK: Compressed image found at block 0
VFS: Cannot open root device "ram0" or ram0
Please append a correct "root=" boot option

I tried without the root=/dev/ram0 option, and with root=/dev/loop5, with no luck on that front. I double checked my kernel config (2.6.1) and I've got all the options specified, triple checked ram disk support and initrd support, both are as they should be (with automount option).
Could this have anything to do with the fact that I'm running SCSI drives?
Any suggestions? Luckily I'm doing this on my laptop.
**** Scratch all that above, found the problem. In my grub.conf I had incorrectly specified the minux filesystem, instead of minix!
Typed linux way too many times I think... Booting up like a champ now. Perhaps this message will help somebody else..
braindead0 Tux's lil' helper
Joined: 29 Apr 2003 Posts: 146 Location: Ohio
Posted: Sat Jan 17, 2004 11:18 pm
Which leads to another question: how come /dev/loop/5 is shown twice when running mount (or df, for that matter)?
I've only got one line in fstab mounting it... should that be removed because the initrd does the mount?