Gentoo Forums
[Support] System Encryption DM-Crypt with LUKS

Mr.Pink
n00b
Joined: 02 Mar 2004
Posts: 2
Posted: Fri Oct 14, 2005 8:50 am

Hi all,

sorry swit for interrupting you and posting a new question without yours being answered...

I read the HOWTO and the posts in here and now I'd like to try to set up an encrypted system. The problem thereby is that I'd like to use LVM to create individual resizable partitions for not only root but also /home, /usr etc.
Am I right when I say that in this case it would be necessary to encrypt the whole hard disk at once using /dev/hda for instance and then setting up the LVM partitions to use with LVM or will I have to encrypt every LVM partition itself with a different key/passphrase?
Or is it even impossible to use LVM and encryption at the same time?

Regards
Mr.Pink

unixtroll
n00b
Joined: 19 Aug 2003
Posts: 41
Posted: Tue Oct 25, 2005 7:49 pm

Quote:
but, i've a problem: i tried starting the system with a usb-device, but when starting the system syslinux prints out a message that says "the sysstem is not avabile for this device, inserit the corret device"


I have no idea how to fix the syslinux issue, but if it does not work I would recommend keeping a boot partition with the kernel image etc. unencrypted on your hard disk. Since this partition doesn't contain any sensitive data, there's no need for it to be encrypted. You can then modify the linuxrc file in the initrd image to mount a USB stick with your keyfiles stored on it and after that mount your encrypted partitions.

alecpap
n00b
Joined: 12 Oct 2005
Posts: 11
Posted: Sat Nov 05, 2005 4:39 am

I don't mean to beat a dead horse, but I'm also getting the failed to setup dm-crypt mapping error message. I have all of the kernel additions compiled into the kernel, as well as all of the crypto options, as in the howto. Here are some excerpts from my config file:
Code:

CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_BLK_DEV_RAM=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_SERPENT=y



I'm pretty lost with this. When I boot off of the live cd and download the precompiled binary, everything goes smoothly. I can decrypt the partition and chroot into it fine, but when I boot off of the hard disk, I get that message. Any ideas?

rr
n00b
Joined: 22 Feb 2005
Posts: 35
Posted: Mon Nov 07, 2005 6:47 pm

Great article on file encryption. I'm trying to set it up now, but have run into a problem. You say to download the precompiled cryptsetup-luks binary from http://luks.endorphin.org/dm-crypt, but you don't say how. My Gentoo 2005.1 install does not have FTP or Lynx. How do you download?

rr
n00b
Joined: 22 Feb 2005
Posts: 35
Posted: Mon Nov 07, 2005 11:27 pm

Answered my own question. It's called links2.

rainbow flag
n00b
Joined: 03 Jul 2005
Posts: 33
Posted: Tue Nov 15, 2005 4:29 pm

alecpap wrote:
I don't mean to beat a dead horse, but I'm also getting the failed to setup dm-crypt mapping error message.


it seems that this is a question for me, isn't it?
i'm sorry to answer very late - the last time i wasn't here very often..

my mistake, that resulted in this error message, had been not to compile dm-mod (CONFIG_BLK_DEV_DM), dm_crypt (CONFIG_DM_CRYPT) and my cipher into the kernel but as modules and to forget to insmod them, later to insmod them accidentally in the wrong order. the error might occur if you try to use any other cipher than sha256, blowfish and serpent (which are included in your kernel) - but that doesn't seem to be the case, does it?

since you have built everything into the kernel your problem seems to be another one - something that is included in either the livecd or the binary but not in your initrd. i have no idea :( . but - if you did not just solve it during the last 10 days - maybe, you want to include dmesg into the initrd-image and call it somewhere in the linuxrc-script (just to see if it provides some more information).

alecpap
n00b
Joined: 12 Oct 2005
Posts: 11
Posted: Thu Nov 17, 2005 10:16 pm

rainbow flag-
thanks for your reply. I did solve it, I think. I was using the 2.6.13 kernel, and when I tried it with 2.6.12, it worked perfectly! Maybe I changed something else that I didn't know about, but, it works now.

Now I have another question, though. I'd like to be able to use a key on a usb stick to decrypt it (actually, I'd like to encrypt the key on the usb stick, decrypt that, and then use that key to decrypt the hdd). So, I put
Code:
 exec /bin/sh
in the linuxrc and re-do the initrd process, and reboot. I get the shell, like I should, and I plug in the usb stick. dmesg reports:
Code:
usb 2-1: new full speed USB device using ohci_hcd and address 2
ub(2.2): GetMaxLUN returned 0, using 1 LUNs
 uba: uba1 < uba5 >

So, I do:
Code:

mkdir /mnt
mkdir /mnt/usbkey
mount -t ext2 /dev/uba5 /mnt/usbkey

But it tells me that device /dev/uba5 does not exist.

I had already formatted that partition with ext2, and it works fine. If I boot up normally, I can mount the drive and use it normally.

Any ideas?

rainbow flag
n00b
Joined: 03 Jul 2005
Posts: 33
Posted: Fri Nov 18, 2005 2:28 am

hi again.

i'm just not sure if my proposals are very useful (as you can see, i'm a newbie like you)

but maybe, the device node /dev/uba5 does not exist and you have to create it (by something like "mknod /dev/uba5 b <major> <minor>") ...

alecpap
n00b
Joined: 12 Oct 2005
Posts: 11
Posted: Fri Nov 18, 2005 8:09 am

rainbow flag-
Thanks for the help! That sure did the trick, I can't believe I forgot that part - I was going crazy! Everything is working very smoothly now, thanks again!

I just had to make the nodes /dev/uba and /dev/uba5

And thanks for the great How-To Reikinio!
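
The fix reached in the exchange above (a static initrd /dev has no node for a device the kernel has only just registered) can be automated in linuxrc by reading the major:minor pairs the kernel exports in sysfs. This is an added example, not part of the thread or of the HOWTO; the key file name `root.key`, the mapping name `root`, the device names passed to `unlock_root` and the `--boot` switch are assumptions.

```shell
#!/bin/sh
# Added example for an initrd whose /dev is static (no udev or devfs).
# Assumed names: root.key, mapping "root", /dev/uba5, /dev/hda3, --boot.

# List "name major minor" for every disk and partition that sysfs knows
# about but that has no node in the device directory yet.
# $1 = sysfs block directory (/sys/block), $2 = device directory (/dev)
missing_nodes() {
    sysblock=$1 devdir=$2
    for disk in "$sysblock"/*; do
        [ -f "$disk/dev" ] || continue
        d=$(basename "$disk")
        # the disk itself, then its partitions (named <disk><suffix>)
        for devfile in "$disk/dev" "$disk/$d"*/dev; do
            [ -f "$devfile" ] || continue      # glob matched nothing
            name=$(basename "$(dirname "$devfile")")
            [ -e "$devdir/$name" ] && continue # node already exists
            IFS=: read -r major minor < "$devfile" || true
            case "$major:$minor" in
                :*|*:|*:*:*|*[!0-9:]*) continue ;;  # not "major:minor"
            esac
            echo "$name $major $minor"
        done
    done
}

# Create the missing nodes, mount the stick read-only, open the LUKS
# volume with the key file, and unmount the stick again.
# $1 = key partition, $2 = key file on it, $3 = encrypted root device
unlock_root() {
    missing_nodes /sys/block /dev | while read -r name major minor; do
        mknod "/dev/$name" b "$major" "$minor" || exit 1
    done || return 1
    mkdir -p /mnt/usbkey
    mount -t ext2 -o ro "$1" /mnt/usbkey || return 1
    cryptsetup --key-file "/mnt/usbkey/$2" luksOpen "$3" root
    rc=$?
    umount /mnt/usbkey
    return $rc
}

# linuxrc would call this file with --boot; without it nothing runs.
if [ "${1:-}" = "--boot" ]; then
    mkdir -p /sys
    mount -t sysfs sysfs /sys
    # fall back to a rescue shell if the stick or key is missing
    unlock_root /dev/uba5 root.key /dev/hda3 || exec /bin/sh
fi
```

The stick is mounted read-only and unmounted as soon as the mapping exists, so the key file is not reachable from the running system afterwards.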

jester42
n00b
Joined: 10 Dec 2005
Posts: 1
Posted: Sat Dec 10, 2005 5:17 pm    Post subject: ascii-skull available?

I just read the Wiki and used some information from there to encrypt a single hdd... Around X-Mas I will try the whole encryption of my system, impressions will follow.

I have got one question right now: is the skull-ascii-art shown in the article available for download somewhere? i quite like it ;)

Well... more in two weeks then.
jester

Armageddon
n00b
Joined: 29 Dec 2004
Posts: 39
Posted: Sat Jan 28, 2006 7:51 pm

hello,

first of all thank you for this really great howto

i installed an encrypted system and all works fine.

The only thing not working correctly is the Encrypting swap at boot.

It needs more than 15 mins to make the swap is that normal?

GenKreton
l33t
Joined: 20 Sep 2003
Posts: 828
Location: Cambridge, MA
Posted: Sun Jan 29, 2006 5:50 am

Armageddon wrote:
It needs more than 15 mins to make the swap is that normal?


Nope. If it weren't for the script telling me I was making an encrypted swap, I wouldn't even know it happened.

daff
Apprentice
Joined: 02 Jul 2003
Posts: 232
Location: Vienna, Austria
Posted: Thu Feb 02, 2006 7:44 pm

Could it be that there are no CONFIG_BLK_DEV_DM or CONFIG_DM_CRYPT options in gentoo-sources-2.6.15-r1? I can't seem to find them.

EDIT: Feeling stupid right now. These options are available only if you enable Multiple devices driver support (RAID and LVM) under Device Drivers.
_________________
Instead of asking why a piece of software is using 1970s technology,
start asking why software is ignoring 30 years of accumulated wisdom.
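
Two causes reported in this thread for a missing dm-crypt setup, drivers built as modules that the initrd never loads and device-mapper options that stay hidden until the "Multiple devices" menu is enabled, can both be read off the kernel .config before rebooting. This is an added example, not part of the thread or of the HOWTO; the function names and the cipher argument are assumptions.

```shell
#!/bin/sh
# Added example: check a kernel .config for the options dm-crypt needs.
# The function names and the cipher argument are assumptions.

# Print "builtin", "module" or "missing" for option $2 in config file $1.
opt_state() {
    if grep -q "^$2=y\$" "$1"; then echo builtin
    elif grep -q "^$2=m\$" "$1"; then echo module
    else echo missing
    fi
}

# $1 = kernel .config, $2 = cipher name as used in CONFIG_CRYPTO_<NAME>
# Prints one line per problem; returns 0 only when nothing is printed.
check_dmcrypt_config() {
    cfg=$1 cipher=$2 bad=0
    # CONFIG_MD is the "Multiple devices driver support (RAID and LVM)"
    # menu; the two device-mapper options are hidden until it is enabled.
    for opt in CONFIG_MD CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT \
               "CONFIG_CRYPTO_$cipher"; do
        case $(opt_state "$cfg" "$opt") in
            builtin) ;;
            module)
                echo "$opt=m: insmod it in linuxrc before cryptsetup runs"
                bad=1 ;;
            missing)
                echo "$opt is not set"
                bad=1 ;;
        esac
    done
    return $bad
}

# Usage: check_dmcrypt_config /usr/src/linux/.config SERPENT
```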

fuzebest
n00b
Joined: 19 Jan 2006
Posts: 5
Posted: Fri Feb 24, 2006 10:22 am

Sorry, for little offtopic.
Is there any guide how to create encrypted CD/DVD images using LUKS?

thank you!
sorry again

b0rsten
n00b
Joined: 08 Mar 2006
Posts: 1
Posted: Wed Mar 08, 2006 11:18 pm

i've tried this howto, but after reboot i get this error:

Code:
unable to mount root fs on unknown-block{1,0)


but i had nowhere typed (1,0) in... im using hda1 for boot, 2 for swap and 3 for root...
any idea what i have done wrong?


my menu.lst
Code:
default 0
timeout 5
splashimage=(hd0,0)/grub/splash.xpm.gz

title=Gentoo
root(hd0,0)
kernel /kernel-2.6.15-gentoo-r1 root=/dev/ram0 rw init=/linuxrc vga=0x318 video=vedafb:mtrr,ywrap
initid (hd0,0)/initrd

mephist0
Tux's lil' helper
Joined: 19 Sep 2005
Posts: 94
Location: Germany, near Frankfurt/Main
Posted: Tue Mar 14, 2006 6:46 pm

Very good HOWTO ! :wink:

works perfectly ! :D

Thanks very much ! :D

Is it possible to install windows xp afterwards ? is it safe ?

I mean, I don't want to lose my data ;)

EDIT : As I installed Gentoo I left 50GB free space for windows for gaming ... someone got a tip ?

Thanks :)
_________________
There is only one God, and his name is Death. And there is only one thing we say to Death: 'Not today!'

Fotoblog

mephist0
Tux's lil' helper
Joined: 19 Sep 2005
Posts: 94
Location: Germany, near Frankfurt/Main
Posted: Fri Mar 17, 2006 7:14 am

*push*
_________________
There is only one God, and his name is Death. And there is only one thing we say to Death: 'Not today!'

Fotoblog

GenKreton
l33t
Joined: 20 Sep 2003
Posts: 828
Location: Cambridge, MA
Posted: Tue Mar 21, 2006 1:30 am

mephist0 wrote:

Is it possible to install windows xp afterwards ? is it safe ?

I mean, I don't want to lose my data ;)

EDIT : As I installed Gentoo I left 50GB free space for windows for gaming ... someone got a tip ?

Thanks :)


luks encryption is done to the partition, not the disk. It is safe to install windows IF you left free space for it. Be aware that windows will overwrite your MBR though.

mephist0
Tux's lil' helper
Joined: 19 Sep 2005
Posts: 94
Location: Germany, near Frankfurt/Main
Posted: Tue Mar 21, 2006 10:47 pm

GenKreton wrote:
mephist0 wrote:

Is it possible to install windows xp afterwards ? is it safe ?

I mean, I don't want to lose my data ;)

EDIT : As I installed Gentoo I left 50GB free space for windows for gaming ... someone got a tip ?

Thanks :)


luks encryption is done to the partition, not the disk. It is safe to install windows IF you left free space for it. Be aware that windows will overwrite your MBR though.


Thanks for the info ! :D

After installing Windows, I think I can boot from the Gentoo installCD and launch grub-install again ?

so, time to go to bed ...

gn8 all ;)
_________________
There is only one God, and his name is Death. And there is only one thing we say to Death: 'Not today!'

Fotoblog

GenKreton
l33t
Joined: 20 Sep 2003
Posts: 828
Location: Cambridge, MA
Posted: Thu Mar 23, 2006 4:54 am

mephist0 wrote:

Thanks for the info ! :D

After installing Windows, I think I can boot from the Gentoo installCD and launch grub-install again ?

so, time to go to bed ...

gn8 all ;)


That should be sufficient. You just need to add it to the grub menu as well. It's actually easier to get grub to boot windows than it is Linux ironically...

anuron
n00b
Joined: 01 Feb 2005
Posts: 4
Posted: Thu Apr 13, 2006 11:38 am

nice work.

just for the record and for people experiencing the same problem as I. sys-fs/cryptsetup-luks-1.0.1-r1 is somehow broken (see http://bugs.gentoo.org/show_bug.cgi?id=128925) and produces regardless of what you try the error "invalid argument".

anuron

Reikinio
Apprentice
Joined: 14 Aug 2005
Posts: 203
Location: Uruguay
Posted: Thu May 11, 2006 8:39 pm

Hello,
I forgot about this thread, I am sorry :oops:
The email notifications for this thread stopped, I didn't know that you had to be logged in for the email notification system to log that you have followed the link sent by email, it won't happen again.

Anyway, I have rewritten the guide, many things have been added, I spent a _lot_ of time on it so you better like it. :P

ChangeLog:
* Added initramfs support, initrd is gone.
* Using BusyBox for the initramfs image.
* Added a bash script to handle initramfs images.
* Added steps for booting from a USB-stick.
* Added steps for gpg protected keys (randomly generated).
* Removed all the childish comments and excessive smileys that made the guide look like it was written by a five year old kid.
* Guide wikified (using wiki code, should look better now)
* And more...

What do you guys think of the new guide ?

Bye. 8)

Reikinio
Apprentice
Joined: 14 Aug 2005
Posts: 203
Location: Uruguay
Posted: Thu May 11, 2006 8:51 pm

I am looking for people interested in helping to maintain and improve the guide, also there is another guide on gentoo-wiki which has the same goal as this guide, so I proposed merging the two guides into one.
This is the other guide: http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS

What do you think?

Reikinio
Apprentice
Joined: 14 Aug 2005
Posts: 203
Location: Uruguay
Posted: Thu May 11, 2006 9:03 pm

fuzebest wrote:
Sorry, for little offtopic.
Is there any guide how to create encrypted CD/DVD images using LUKS?

thank you!
sorry again

Yes, read the last entry of the FAQ section.

Those of you who wanted to boot from a USB-stick but couldn't, should read the new guide, I did it using extlinux (a syslinux derivative) and it works fine.

Those of you having problems with the linuxrc and the initrd, should read the new guide, the new initramfs method should work without problems.

Armageddon wrote:

hello,

first of all thank you for this really great howto

i installed an encrypted system and all works fine.

The only thing not working correctly is the Encrypting swap at boot.

It needs more than 15 mins to make the swap is that normal?

No, it's not, make sure you're not reading the passphrase from /dev/random.
Anyway, the old method (the one you used) is now deprecated, so check the new guide, it'll tell you to use the cryptfs file from the Gentoo cryptsetup-luks package.


jester42 wrote:


I have got one question right now: is the skull-ascii-art shown in the article available for download somewhere? i quite like it ;)

here

Mr.Pink wrote:

Hi all,

sorry swit for interrupting you and posting a new question without yours being answered...

I read the HOWTO and the posts in here and now I'd like to try to set up an encrypted system. The problem thereby is that I'd like to use LVM to create individual resizable partitions for not only root but also /home, /usr etc.
Am I right when I say that in this case it would be necessary to encrypt the whole hard disk at once using /dev/hda for instance and then setting up the LVM partitions to use with LVM or will I have to encrypt every LVM partition itself with a different key/passphrase?
Or is it even impossible to use LVM and encryption at the same time?

Regards
Mr.Pink

I have no idea, I think I remember seeing something about this on some mailing lists, but I don't have the links to it, sorry.


Regards,

andersenep
n00b
Joined: 31 Dec 2004
Posts: 20
Location: Everett, Washington
Posted: Mon May 15, 2006 4:34 am    Post subject: having problems with initramfs

Hi, I've been trying to get this working all day with no luck. I've stuck to the howto as closely as possible and I think my main problem is with initramfs. I'm using gentoo-sources-2.6.16-r7 and for starters there is no default initramfs_date.cpio.gz in /usr/src/linux/usr. I've tried adding the gzip'd cpio I created following the howto (in /output) and touching it but when I build the kernel it is overwritten. I gunzip'd the cpio to / and set CONFIG_INITRAMFS_SOURCE="/initramfs_data.cpio" and rebuilt and this generates what seems to be the right image in /usr/src/linux/usr (zcat initramfs_date.cpio.gz | cpio -t spits out the files/dirs in my testimage dir) but I still can't seem to get a working kernel. It will boot and go through everything until it tries to init (I forget the actual error) and then the kernel panics and I have to reboot.
I'm not sure if I have something wrong in my kernel config or in the init script in my initramfs_data.cpio.gz. I set the line:
Code:
root=*) # get root and fs type

to:
Code:
root=/dev/sda2:ext3) # get root and fs type

which is my encrypted root partition.

This is my grub.conf
Code:
default 0
timeout 90
splashimage=(hd0,0)/grub/splash.xpm.gz

title=Gentoo Linux 2.6.16
root (hd0,0)
kernel /kernel-2.6.16-gentoo-r7 root=/dev/sda2:ext3 vga=0x31B video=vesafb:ywrap,mtrr:3


Any ideas what I'm doing wrong?

thanks

All times are GMT
Page 2 of 20