Gentoo Forums
Encrypted Root File System, Swap, etc...
Forum: Documentation, Tips & Tricks

turbobri
n00b
Joined: 07 Oct 2002
Posts: 14

PostPosted: Mon Feb 03, 2003 3:12 pm

I think the problem might be my kernel. I set all the CONFIG options correctly, but I didn't do a "make clean" before recompiling. I will try recompiling and see if that makes a difference.

turbobri
n00b
Joined: 07 Oct 2002
Posts: 14

PostPosted: Mon Feb 03, 2003 4:04 pm

Recompile had no effect. Just for reference, how far along into the boot process should it ask for the password?

I also went to the grub command line and typed each command in to see if grub was finding the kernel and initrd.gz, seemed to be fine. I also saw no error messages during boot up until the kernel panic when it tries to find my root partition.

I am using ReiserFS for boot and root partitions, but I don't think that should matter.

I guess I am stuck at this point with an unusable system. I will try to unencrypt it and start the process over. At least then we will know how to unencrypt your root partition if the need ever arises.

turbobri
n00b
Joined: 07 Oct 2002
Posts: 14

PostPosted: Mon Feb 03, 2003 6:13 pm

Update: unencryption worked perfectly.

Just to recap how to unencrypt the root partition:
1) Boot Knoppix
2) losetup -e AES256 /dev/loop0 /dev/hda5 (or whatever your root is)
3) dd if=/dev/loop0 of=/dev/hda5 bs=64k conv=notrunc

You can do some extra steps in between if you want to double check:
2.5) mount /dev/loop0 /mnt/bla
2.6) ls /mnt/bla (you should see all your stuff)
2.7) umount /mnt/bla

I'll start the whole process over again and see if I can figure out where it went wrong.

chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113

PostPosted: Mon Feb 03, 2003 6:57 pm

Here is part of my DMESG:

PCI: Found IRQ 9 for device 00:1f.4
PCI: Setting latency timer of device 00:1f.4 to 64
uhci.c: USB UHCI at I/O 0xd400, IRQ 9
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 4096 buckets, 32Kbytes
TCP: Hash tables configured (established 32768 bind 65536)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
ds: no socket drivers loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 1k freed
VFS: Mounted root (minix filesystem).
loop: loaded (max 8 devices)

IT ASKS FOR PASSPHRASE RIGHT HERE

read_super_block: can't find a reiserfs filesystem on (dev 07:05, block 64, size 1024)
read_super_block: can't find a reiserfs filesystem on (dev 07:05, block 8, size 1024)
XFS mounting filesystem loop(7,5)
VFS: Mounted root (xfs filesystem) readonly.
Trying to move old root to /initrd ... okay
Freeing unused kernel memory: 80k freed
SCSI subsystem driver Revision: 1.00
scsi0 : SCSI host adapter emulation for IDE ATAPI devices
Vendor: MITSUMI Model: CR-48X9TE Rev: 5.0D
Type: CD-ROM ANSI SCSI revision: 02
Attached scsi CD-ROM sr0 at scsi0, channel 0, id 0, lun 0
sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
Uniform CD-ROM driver Revision: 3.12


If you know everything else is right then maybe it is the old losetup that you are using. Knoppix 3.1 works well.

losetup makes a key from the passphrase. I think old ones are different. The losetup that the ram disk uses is the one that you made when you made util-linux as part of loop-AES. Can you use that one instead? It should work because it's static.

I can't get on anymore until after school (I'm at home sneaking on at lunch) so I can't answer anymore for a while.

Chad

turbobri
n00b
Joined: 07 Oct 2002
Posts: 14

PostPosted: Mon Feb 03, 2003 9:19 pm

I am not seeing the RAMDISK: line during boot. It seems like it is not using the initrd.gz file at all.

BlackBart
Apprentice
Joined: 07 Oct 2002
Posts: 252

PostPosted: Tue Feb 04, 2003 1:45 am

a couple of comments:
you forgot to gzip the manuals
also you don't technically need to install the tools, just copy the static losetup to the boot partition after you make the initrd.

Also you can install gentoo from scratch onto an encrypted partition by booting from the Knoppix cd. I can write out directions if anyone wants.

Performance wise, compiling a bzImage was about 1.5% slower on an encrypted file system than unencrypted. Note that the partitions were on different parts of the disk and I had more stuff installed on the unencrypted fs so it probably had greater fragmentation.

Another thing, does anybody know how to compile a static version of loadkeys that I can put in my boot partition so that it will load my keymap before the password prompt?

And yet another thing, in the loop-AES README FAQ they mention setting a random seed for the encryption; you mention nothing of this in your howto. Would it be more secure to use a random seed, how would I do this, do I need to reinstall?

-edit-
Also if you do this you should build usb in as a module so it doesn't bug you while you're typing in your password

Leoric
n00b
Joined: 27 May 2002
Posts: 8
Location: Oslo, Norway

PostPosted: Wed Feb 05, 2003 9:58 am    Post subject: install gentoo from scratch onto an encrypted partition by b

I would really like the guide :)

BlackBart
Apprentice
Joined: 07 Oct 2002
Posts: 252

PostPosted: Thu Feb 06, 2003 3:21 am    Post subject: Re: install gentoo from scratch onto an encrypted partition

Leoric wrote:
I would really like the guide :)

Ok, boot into Knoppix without the graphical desktop, then:

1) losetup -e AES256 -T /dev/loop0 /dev/hda2 (or whatever is your root partition)
2) mke2fs /dev/loop0 (or whatever file system you want)
3) mkdir /mnt/gentoo
4) mount /dev/loop0 /mnt/gentoo
5) mkdir /mnt/gentoo/boot
6) mount /dev/hda1 /mnt/gentoo/boot
7) cd into /mnt/gentoo
8) extract whatever stage you want and proceed from there following the installation guide.

when you get to the kernel:
when you get to the kernel:

Quote:
You HAVE to use CONFIG_MODULES=y, CONFIG_BLK_DEV_LOOP=n (y or m WON'T WORK), CONFIG_BLK_DEV_RAM=y, CONFIG_BLK_DEV_RAM_SIZE=4096, CONFIG_BLK_DEV_INITRD=y, CONFIG_MINIX_FS=y (this is because the ramdisk is minix), CONFIG_PROC_FS=y, plus WHATEVER FILESYSTEM YOUR ROOT IS HAS TO BE y (modules won't work because the kernel can't get modules from the root file system until it knows how to read it and decrypt it when it is booting; other stuff can be modules if you want). Make sure that your new kernel works before going further.


and then

do this
Quote:

patch -p1 <../util-linux-2.11y.diff
export CFLAGS=-O2
export LDFLAGS='-static -s'
./configure
make SUBDIRS="lib mount"
cd mount
install -m 4755 -o root mount umount /bin
install -m 755 losetup swapon /sbin
rm -f /sbin/swapoff && ( cd /sbin && ln -s swapon swapoff )
rm -f /usr/share/man/man8/{mount,umount,losetup,swapon,swapoff}.8.gz
install -m 644 mount.8 umount.8 losetup.8 /usr/share/man/man8
install -m 644 swapon.8 swapoff.8 /usr/share/man/man8
rm -f /usr/share/man/man5/fstab.5.gz
install -m 644 fstab.5 /usr/share/man/man5

but instead of the normal last step:
cp -p /lib/modules/`uname -r`/block/loop.o /boot/loop-NAMEOFTHEKERNELYOUWILLBEUSING.o

and then do these steps
In the loop-AES directory edit build-initrd.sh. Change BOOTDEV, BOOTTYPE, CRYPTROOT, ROOTYPE and CIPHERTYPE to what you want. Then type sh build-initrd.sh . This makes a ramdisk so that the kernel knows how to get the pass phrase when you boot later.

edit fstab to make your root say /dev/loop5 instead of /dev/hdawhatever.

cd to /boot/grub and edit grub.conf to add a entry like this:
title=Encrypted Root
root (hd0,0)
kernel /bzImage ro root=/dev/ram1
initrd /initrd.gz

then reboot. If it doesn't work you can boot from the Knoppix cd again, do losetup and mount your / partition and fix it.
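A pre-flight script for the kernel requirements quoted above, added here as an illustration; it is not from the thread, the howto or loop-AES. It parses a kernel .config and the BOOTDEV/BOOTTYPE/CRYPTROOT/ROOTTYPE/CIPHERTYPE lines of build-initrd.sh and reports every listed option that is wrong, plus a root filesystem that was built as a module instead of into the kernel (the case the quote warns about). The table mapping ROOTTYPE names to CONFIG_*_FS options is my assumption using the usual 2.4 option names, and the .config and build-initrd.sh fragments embedded in it are constructed samples, not anyone's real files.

```python
"""Pre-flight check: kernel .config vs build-initrd.sh for a loop-AES root.

Added illustration, not part of the thread or of loop-AES. The constructed
BAD_CONFIG below carries the two classic mistakes: the in-tree loop driver
left enabled, and the root filesystem built as a module.
"""
import re

# Option -> required value; None means the option must NOT be set
# (loop-AES ships its own loop.o, so the in-tree loop driver must be absent).
REQUIRED = {
    "CONFIG_MODULES": "y",
    "CONFIG_BLK_DEV_LOOP": None,
    "CONFIG_BLK_DEV_RAM": "y",
    "CONFIG_BLK_DEV_RAM_SIZE": "4096",
    "CONFIG_BLK_DEV_INITRD": "y",
    "CONFIG_MINIX_FS": "y",
    "CONFIG_PROC_FS": "y",
}

# ROOTTYPE as written in build-initrd.sh -> option that must be =y (assumed 2.4 names).
FS_OPTION = {
    "ext2": "CONFIG_EXT2_FS",
    "ext3": "CONFIG_EXT3_FS",
    "reiserfs": "CONFIG_REISERFS_FS",
    "xfs": "CONFIG_XFS_FS",
}


def parse_kconfig(text):
    """Map CONFIG_X=value lines to values; '# CONFIG_X is not set' maps to None."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            opts[m.group(1)] = None
    return opts


def parse_build_initrd(text):
    """Collect the plain NAME=value assignments from build-initrd.sh."""
    vals = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)=(\S+)\s*$", line)
        if m:
            vals[m.group(1)] = m.group(2)
    return vals


def check(kconfig_text, initrd_text):
    """Return a list of problems; an empty list means the pair looks bootable."""
    opts = parse_kconfig(kconfig_text)
    vals = parse_build_initrd(initrd_text)
    problems = []
    for name, want in REQUIRED.items():
        have = opts.get(name)
        if want is None and have is not None:
            problems.append(f"{name} must be unset (loop-AES provides loop.o), found ={have}")
        elif want is not None and have != want:
            problems.append(f"{name} must be ={want}, found {have!r}")
    for key in ("BOOTDEV", "BOOTTYPE", "CRYPTROOT", "ROOTTYPE", "CIPHERTYPE"):
        if key not in vals:
            problems.append(f"build-initrd.sh does not set {key}")
    roottype = vals.get("ROOTTYPE")
    fs_opt = FS_OPTION.get(roottype or "")
    if roottype and fs_opt is None:
        problems.append(f"ROOTTYPE={roottype} is not in FS_OPTION; add its CONFIG_* name")
    elif fs_opt and opts.get(fs_opt) != "y":
        problems.append(f"ROOTTYPE={roottype} needs {fs_opt}=y built in, found {opts.get(fs_opt)!r}")
    if vals.get("CIPHERTYPE") not in ("AES128", "AES192", "AES256"):
        problems.append(f"CIPHERTYPE must be AES128/AES192/AES256, found {vals.get('CIPHERTYPE')!r}")
    return problems


# Constructed samples (not real files): BAD_CONFIG has loop.o in-tree and ext3 as a module.
BAD_CONFIG = """\
CONFIG_MODULES=y
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_INITRD=y
CONFIG_MINIX_FS=y
CONFIG_PROC_FS=y
CONFIG_EXT3_FS=m
"""
GOOD_CONFIG = (BAD_CONFIG
               .replace("CONFIG_BLK_DEV_LOOP=m", "# CONFIG_BLK_DEV_LOOP is not set")
               .replace("CONFIG_EXT3_FS=m", "CONFIG_EXT3_FS=y"))
BUILD_INITRD_SH = """\
# normal /boot partition
BOOTDEV=/dev/hda1
BOOTTYPE=ext3
CRYPTROOT=/dev/hda6
ROOTTYPE=ext3
CIPHERTYPE=AES256
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check(cfg, BUILD_INITRD_SH) or "OK")
```

Run it against a real tree with the two files read from disk in place of the samples; the only part that needs editing is FS_OPTION if the root filesystem is something other than the four listed.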

turbobri
n00b
Joined: 07 Oct 2002
Posts: 14

PostPosted: Fri Feb 07, 2003 5:35 pm

Ok I tried installing a fresh Gentoo as BlackBart described and it worked perfectly, aside from a couple of minor errors.

He forgot the compiling of the patched loop module, after compiling the kernel:
Code:

cd /usr/src/loop-AES-v1.7b
# point LINUX_SOURCE at the kernel tree you just built, whatever version that is
make LINUX_SOURCE=/usr/src/linux-2.4.19-gentoo-r10


Also note that this latest loop-AES source is looking for util-linux-2.11z so make sure you get the right versions, then proceed as instructed.

Then when copying the module to /boot, `uname -r` will give you the currently running kernel from Knoppix which is not the same one you compiled the module for, so:
Code:

cp -p /lib/modules/2.4.19-gentoo-r10/block/loop.o /boot/loop-2.4.19-gentoo-r10.o


The loop-AES README does mention stuff about creating a random seed, but it works fine without it. I think the seed is supposed to make it that much harder to brute force an attack, but since the seed would be easily available from the unencrypted boot partition, I don't really see the point. Although I am not an encryption guru so I may be misunderstanding.

Now I just have to figure out why my first attempt at converting an existing system didn't work. I think I am having some problems with GRUB and the initrd.gz file.

Also has anyone gotten the swap encryption working? The instructions in the README make it seem simple, but how can one verify if its working?
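What a seed buys against a precomputed passphrase dictionary, as an added illustration that is not part of the thread. loop-AES's own passphrase-to-key derivation is not reproduced here; PBKDF2-HMAC-SHA256 from Python's hashlib stands in for whatever losetup does, and the candidate passphrases, the "disk" keys and the seed value are all constructed for the demo. It shows both halves of the trade-off raised in the post above: a seed sitting readable in /boot does not stop a targeted attack on that one disk, but it does force the attacker to redo the entire dictionary computation for each distinct seed instead of reusing one table against every installation.

```python
"""Seeded vs. unseeded passphrase-to-key derivation (added illustration).

Not loop-AES code: PBKDF2-HMAC-SHA256 stands in for the real derivation, and
every passphrase and seed below is constructed for the demo.
"""
import hashlib

KEY_BYTES = 32      # AES256 key length
ITERATIONS = 1000   # kept small so the demo runs quickly


def derive_key(passphrase: bytes, seed: bytes = b"") -> bytes:
    """Key for one device: the passphrase mixed with that device's seed (salt)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, seed, ITERATIONS, KEY_BYTES)


def build_dictionary(candidates, seed: bytes = b"") -> dict:
    """Attacker's precomputation: key -> passphrase for every guess under one seed.

    With no seed this table is computed once and reused against every disk;
    with a seed it is only valid for disks that share that exact seed."""
    return {derive_key(c, seed): c for c in candidates}


def crack(table: dict, disk_key: bytes):
    """Instant lookup once the table exists; None means the table does not apply."""
    return table.get(disk_key)


# Constructed guess list and seed; a real wordlist is far larger.
CANDIDATES = [b"password", b"letmein", b"hunter2", b"correct horse battery"]
DISK_B_SEED = b"a3f9c21e"   # imagine this read straight from the unencrypted /boot


def demo():
    # Disk A was encrypted without a seed, disk B with one; same weak passphrase.
    disk_a_key = derive_key(b"hunter2")
    disk_b_key = derive_key(b"hunter2", DISK_B_SEED)

    generic_table = build_dictionary(CANDIDATES)      # built once, ever
    hit_a = crack(generic_table, disk_a_key)          # b"hunter2"
    miss_b = crack(generic_table, disk_b_key)         # None: the seed changed the key

    # The seed is public, so the attacker can still win, but only by paying
    # for a fresh table bound to this one disk's seed.
    per_disk_table = build_dictionary(CANDIDATES, DISK_B_SEED)
    hit_b = crack(per_disk_table, disk_b_key)         # b"hunter2"
    return hit_a, miss_b, hit_b


if __name__ == "__main__":
    print(demo())
```

The cost multiplier is what matters: with N candidate passphrases and one shared derivation, the attacker spends N derivations once; with a per-disk seed the same N derivations have to be repeated for every disk attacked, and raising the iteration count scales that cost further.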

chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113

PostPosted: Mon Feb 10, 2003 4:05 am

I use encrypted swap too. I did this to test it:

1) swapoff -a
2) changed fstab swap like it says in loop-AES readme
3) losetup -e AES256 /dev/loop0 /dev/hda(swap)
(typed bunch of random keys for passphrase)
4) dd if=/dev/hda(swap) of=/dev/loop0 bs=64k conv=notrunc
(this makes it initialized with random junk)
5) losetup -d /dev/loop0
6) swapon -a
7) od -xa /dev/hda(swap) | less
(if it still looks like random junk after a bunch of zeros at the start of the partition then I think it's working ok. I don't know why there is a bunch of zeros at the beginning.)

Chad
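A reusable version of step 7's "od -xa ... | less" eyeball test, added here as an illustration; it is not from the thread. Encrypted swap should read as uniformly random bytes, which shows up as per-block Shannon entropy close to 8 bits per byte, while a plaintext swap or an unwritten region shows zero runs and readable text with far lower entropy. The verdict tolerates one low-entropy block for the zeros at the start that the post mentions; that tolerance is a choice of this example, not an explanation of where those zeros come from. The two partition images embedded below are constructed (SHA-256 counter output stands in for ciphertext), and the script name in the usage line is assumed.

```python
"""Entropy scan for a swap (or any) partition image (added illustration).

Not from the thread. Usage on a real device: python3 swapscan.py /dev/hdaN
With no argument it scans the constructed ENCRYPTED_IMAGE below.
"""
import hashlib
import math
import sys
from collections import Counter

BLOCK = 4096        # scan in page-sized blocks
THRESHOLD = 7.5     # bits/byte; random data lands near 7.95 at this block size


def block_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 when every byte is the same)."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def scan(data: bytes, block_size: int = BLOCK):
    """[(offset, entropy)] for every block of the image."""
    return [(off, block_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def verdict(report, threshold: float = THRESHOLD, max_low_blocks: int = 1):
    """(looks_encrypted, offsets_of_low_entropy_blocks).

    max_low_blocks allows for the zero block at the start of the partition;
    any further low-entropy block means plaintext is reaching the disk."""
    low = [off for off, h in report if h < threshold]
    return len(low) <= max_low_blocks, low


def pseudo_random_bytes(n: int, label: bytes = b"constructed") -> bytes:
    """Deterministic stand-in for ciphertext so the demo needs no real device."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed images: one zero page then "ciphertext", versus a plaintext swap
# dump made of a zero page followed by repeated readable text.
ENCRYPTED_IMAGE = bytes(BLOCK) + pseudo_random_bytes(16 * BLOCK)
PLAINTEXT_IMAGE = bytes(BLOCK) + (b"session cookie=deadbeef; password=hunter2\n" * 1600)[:16 * BLOCK]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read(64 * BLOCK)   # the first 256 KiB is plenty for a verdict
    else:
        image = ENCRYPTED_IMAGE
    ok, low = verdict(scan(image))
    print("looks encrypted" if ok else "NOT encrypted", "low-entropy blocks at", low)
```

Reading the device needs root, and the scan is only meaningful after swap has actually been used; a freshly created but never-written region is low entropy whether or not it sits behind the loop device.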

sam974
n00b
Joined: 21 Jan 2003
Posts: 3

PostPosted: Mon Feb 10, 2003 1:01 pm

And what about crashes while running encrypted root filesystem? I suppose people out there are usually setting up encrypted FS on laptops. So, a crash example may be : running out of battery.

Did you experience some corrupted FS? And more important, did you recover your data without any problem?

Thx for the post!
_________________
Sam.

kasper
n00b
Joined: 22 Jul 2002
Posts: 55
Location: Montpellier

PostPosted: Tue Feb 11, 2003 2:06 pm

sam974 wrote:
And what about crashes while running encrypted root filesystem? I suppose people out there are usually setting up encrypted FS on laptops. So, a crash example may be : running out of battery.

Did you experience some corrupted FS? And more important, did you recover your data without any problem?
I'm thinking of installing this on my laptop but I'd like to know too if someone has tried to turn it off violently, make it crash, say, press Ctrl+Alt+PrtScr+B for example :) and experienced a successful reboot w/o problems or not.

BTW, thanks all for those posts, really interesting!

chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113

PostPosted: Tue Feb 11, 2003 10:03 pm

I have turned off my computer a few times without shutting it down with an encrypted root. One time was during a kernel compile. It rebooted ok. Root was an XFS file system. I don't know if it would always reboot ok.

Chad

bryon
Apprentice
Joined: 14 Feb 2003
Posts: 163

PostPosted: Fri Mar 07, 2003 3:14 pm    Post subject: question about sending files

I was wondering what would happen if I turned my computer into an encrypted one, and say I wanted to send a file to a friend so that he could read it. Would all my friends be screwed and not be able to read files that I wanted them to?

6169
n00b
Joined: 08 Mar 2003
Posts: 7

PostPosted: Sat Mar 08, 2003 12:29 am    Post subject: Re: question about sending files

bryon wrote:
I was wondering what would happen if I turned my computer into an encrypted one, and say I wanted to send a file to a friend so that he could read it. Would all my friends be screwed and not be able to read files that I wanted them to?


No, the data in your filesystems would be encrypted, but is transparently decrypted as Linux or any of your applications access it, and encrypted again when it is written to disk. Hence your programs think they are dealing with unencrypted files, because they are, and your files would work fine on other computers.

chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113

PostPosted: Mon Mar 10, 2003 2:54 pm

Main reason I encrypt root is to keep ANYONE (mostly my brother) from booting my computer. If you don't encrypt root then peeps can use Knoppix or other things to change the root password and to steal your files. EVEN IF THEY PUT YOUR DISK IN ANOTHER COMPUTER like at a computer shop they can't get anything!

With encrypted root NO ONE can take stuff or add stuff on your computer unless they find a way to break in when it is already running, and if you have a good firewall and don't run anything that you don't need and keep up to date on portage/emerge then that probably won't happen.

It works well. It's hardly any slower (I thought it would be lots slower but it's not) and it doesn't break even when the computer crashes because of no power.

Chad :D

bryon
Apprentice
Joined: 14 Feb 2003
Posts: 163

PostPosted: Wed Mar 12, 2003 6:36 pm    Post subject: bootable cd question

I tried booting from the Knoppix cd but once it tried to boot into K it got an error and stopped booting. But I have tried using Cool Linux before and it worked fine. Could I just use Cool Linux instead since it works? I am not really sure if it has loop-AES.


Quote:

4) The Knoppix (or Knoppix lite) CD from http://www.knoppix.net . Burn it to a CD and make sure you can boot from it. Knoppix is a great rescue system and I use it a lot to fix stuff when I mess up badly. Knoppix comes with loop-AES already on it so you don't need to make your own rescue system.

thehyperintelligentslug
n00b
Joined: 30 Jun 2002
Posts: 49
Location: Edinburgh

PostPosted: Thu Mar 13, 2003 1:10 pm

Just a drop-in...

This link may be worth a look. It's a loop-AES ebuild (by Ravage).
_________________
Cheers,

Neil.

---
http://www.thehyperintelligentslug.co.uk

sparks
Guru
Joined: 05 Mar 2003
Posts: 331
Location: Nashville, TN

PostPosted: Thu Mar 13, 2003 9:46 pm

I followed chadders' instructions, well written by the way, and everything is great. As far as the performance goes I can see a small hit when playing videos, but that's about it. I rip DVDs to my hard drive so I can watch them when I travel without the disk. I was watching Office Space the other day and it got choppy in one or two places, but it was not unbearable. So, from my experience the file system takes a minimal performance hit that is only noticeable when performing a function that requires heavy disk access.

(I'm using XFS by the way) :D

chadders
Tux's lil' helper
Joined: 21 Jan 2003
Posts: 113

PostPosted: Sun Mar 16, 2003 12:14 am

Thanks :D

slickwheel
n00b
Joined: 21 Mar 2003
Posts: 2

PostPosted: Fri Mar 21, 2003 2:32 am

I can't boot Knoppix on my laptop because it uses a PCMCIA cdrom drive. Does anyone know of a distro cd that includes the losetup with encryption that works well with laptops? Any help is greatly appreciated, I really want to encrypt my root partition.
_________________
-- slickwheel

m00re
n00b
Joined: 17 Jun 2002
Posts: 65
Location: Germany

PostPosted: Sat Mar 22, 2003 5:48 pm

I too have problems getting the system to boot after the encryption.
I've set up everything as said and finally encrypted the partition (I can also mount it under Knoppix) but when I reboot into my Gentoo, it always says it can't mount the root partition on 01:01.

The error looks like this: (sorry, the message is not copy-pasted, so the last line is not exactly the same as on my system, but the content is still the same)
Code:

NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
ds: no socket drivers loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 1k freed
VFS: failed to mount root partition on 01:01


And here are my configs:

build-initrd.sh
Code:

# normal /boot partition
BOOTDEV=/dev/hda1

# /boot partition type
BOOTTYPE=ext3

# encrypted root partition
CRYPTROOT=/dev/hda6

# root partition type
ROOTTYPE=ext3

# encryption type (AES128 / AES192 / AES256) of root partition
CIPHERTYPE=AES256


grub.conf
Code:

title=Gentoo Linux 1.4 Release Candidate 3
root (hd0,0)
kernel /gentoo-2.4.20 ro acpi=off root=/dev/ram1
initrd /initrd.gz


In fstab.conf, I only changed /dev/hda6 to /dev/loop5.
Maybe, someone can help.

Greets Jens
_________________
"Fall seven times, stand up eight."

easykill
Apprentice
Joined: 07 Dec 2002
Posts: 230

PostPosted: Wed Mar 26, 2003 1:15 am

m00re wrote:
I too have problems getting the system to boot after the encryption.
I've set up everything as said and finally encrypted the partition (I can also mount it under Knoppix) but when I reboot into my Gentoo, it always says it can't mount the root partition on 01:01.

The error looks like this: (sorry, the message is not copy-pasted, so the last line is not exactly the same as on my system, but the content is still the same)
Code:

NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
ds: no socket drivers loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 1k freed
VFS: failed to mount root partition on 01:01


I had a similar problem, mainly it wouldn't find any sort of loop device...that wasn't getting loaded. It would complain about being unable to mount /dev/hdb1 on /lib (/dev/hdb1 is /boot for me...?) and I gave up before I hosed my system.
I ended up unencrypting, and re-encrypting with the instructions in the loop-AES README file (that way you get the seed as well), and I also recompiled my kernel to take out "Mount devfs at boot" (as I suspect that may not have been helping) before I re-encrypted, so I suggest trying those approaches. I would unencrypt, redo your kernel if you have devfs mounting at boot, and then either encrypt with these instructions or with the instructions in the loop-AES README.

So, I did eventually get it working...now to encrypt my other partitions.
I hope that made sense, I'm tired and on Percocet right now.

easykill
Apprentice
Joined: 07 Dec 2002
Posts: 230

PostPosted: Wed Mar 26, 2003 1:35 am

I hate replying to myself, but here goes....

I'm on Percocet right now (as I mentioned before) and I am having issues figuring out how to encrypt my other partitions and have them mount without asking me for a password for EVERY partition that I want to have encrypted (ideally all).

layout is as follows:

hda: windows stuff, ignore it
hdb1: /boot (DO NOT ENCRYPT THIS!)
hdb2: swap (already done, trivial)
hdb5: /home (I want to encrypt this)
hdb6: /usr/local (encrypt this as well)
hdb7: / (already encrypted)

I am at a loss right now because I can't think straight, anybody got a solution for me? I haven't found anything in the loop-AES README that is really helping much...I've thought of
losetup -e AES256 -T -S `cat /boot/seed.txt` /dev/loop1 /dev/hdb5
and then dd'ing the drive to the loop, and setting something or other up, but I'd like to encrypt those drives (preferably without data loss, although I can back it all up rather easily, I just would rather not) and I don't want to have to enter a password for each partition. I want them to "trust" the root decryption password I give on boot. One 20 character password is plenty on startup, thank you, heh

but then it wants a password, and I don't want to have to type my password in 3 times on boot.

Woody2143
n00b
Joined: 26 Mar 2003
Posts: 19
Location: Atlanta, GA

PostPosted: Wed Mar 26, 2003 7:13 am    Post subject: If you are using devFS, read below!

First I wanted to say that I found this thread to be an excellent help when encrypting my root fs. Thanks guys.

A couple of points I wanted to post in the thread for anyone else who may run in to the same problems I had.

1) Make sure to read the README and the comments in build-initrd.sh, pay attention to the parts about using devFS (if you use devFS of course). I scratched my head for a couple days until I learned to read. For those wanting to skip to the good stuff.
Set these options in build-initrd.sh
Code:
USEDEVFS=1

and
Code:
USEPIVOT=1

Then just make sure to update your grub.conf accordingly
Code:
title=Encrypted
root (hd0,0)
kernel /boot/bzImage-crypt root=/dev/ram0 init=/linuxrc
initrd /boot/initrd.gz

Note: init=/linuxrc, not init=/boot/linuxrc.

All of the above alone will end your "Failed to mount /dev/hd*1 as /lib" problems... But wait! There's more!

2) Another point about using devFS which I had to search for, in build-initrd.sh under BOOTDEV and CRYPTROOT make sure to edit these options like below, according to your equipment:

This is /dev/hde1
Code:
BOOTDEV=/dev/ide/host2/bus0/target0/lun0/part1

This is /dev/hda10
Code:
CRYPTROOT=/dev/ide/host0/bus0/target0/lun0/part10


God Bless the creators and maintainers of Google.

And credit goes to the linux-crypto mailing list for point #2 http://mail.nl.linux.org/linux-crypto/2003-01/msg00034.html


My apologies for any spelling/grammar/things that don't make sense. I'm tired and just happy to have a working system again. :)
_________________
-- Woody2143

Page 2 of 13