Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[Support] System Encryption DM-Crypt with LUKS
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3 ... , 18, 19, 20  Next  
Reply to topic    Gentoo Forums Forum Index Unsupported Software
View previous topic :: View next topic  
Author Message
jordanwb
l33t
l33t


Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada

PostPosted: Thu Jan 29, 2009 4:46 pm    Post subject: Reply with quote

Let's say I don't want the initramfs built into the kernel? what would I do then?
Back to top
View user's profile Send private message
Paczesiowa
Guru
Guru


Joined: 06 Mar 2006
Posts: 593
Location: Oborniki Śląskie, Poland

PostPosted: Thu Jan 29, 2009 5:44 pm    Post subject: Reply with quote

cpio it, gzip that and tell grub to pass it to the kernel.
Back to top
View user's profile Send private message
jordanwb
l33t
l33t


Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada

PostPosted: Thu Jan 29, 2009 9:39 pm    Post subject: Reply with quote

"cpio" it?
Back to top
View user's profile Send private message
Paczesiowa
Guru
Guru


Joined: 06 Mar 2006
Posts: 593
Location: Oborniki Śląskie, Poland

PostPosted: Fri Jan 30, 2009 9:18 am    Post subject: Reply with quote

man cpio:) you create root filesystem layout (/dev with few devices, /lib and /[s]bin with whatever you need, and /init script ) than you make an archive of that directory with cpio, gzip and it is ready to pass to grub.
Back to top
View user's profile Send private message
bonnietyler
n00b
n00b


Joined: 30 Sep 2006
Posts: 7

PostPosted: Fri Jan 30, 2009 1:02 pm    Post subject: one pw for swap and root Reply with quote

hey,
i use the init script from Alon Bar-Lev, which works pretty fine for me (symmetric encrypted swap and root)
( http://wiki.tuxonice.net/EncryptedSwapAndRoot ). normally my computer doesn't need swap, just for hibernation with tuxonice, so no problem if both got the same password.

my grub conf says:

title=Gentoo toi 2.6.28 r1 toi init
kernel /kernel-2.6.28-gentoo-r1-toi root=/dev/hda3 initrd_encmode=dm-crypt
initrd_util=passphrase:id,id initrd_devices=/dev/hda2,/dev/hda3 initrd_dmnames
=swap,root initrd_suspend_mode=tuxonice resume=swap:/dev/mapper/swap
initrd /initramfs-gentoo-crypt-susp2tux

(from kernel...till /swap must be one line in the grub.conf!)

good luck!
Back to top
View user's profile Send private message
jordanwb
l33t
l33t


Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada

PostPosted: Fri Jan 30, 2009 7:48 pm    Post subject: Reply with quote

Paczesiowa wrote:
man cpio:) you create root filesystem layout (/dev with few devices, /lib and /[s]bin with whatever you need, and /init script ) than you make an archive of that directory with cpio, gzip and it is ready to pass to grub.


Could you give an example?
Back to top
View user's profile Send private message
Paczesiowa
Guru
Guru


Joined: 06 Mar 2006
Posts: 593
Location: Oborniki Śląskie, Poland

PostPosted: Fri Jan 30, 2009 8:31 pm    Post subject: Reply with quote

http://en.gentoo-wiki.com/wiki/Initramfs#Basic_File_structure
Back to top
View user's profile Send private message
jordanwb
l33t
l33t


Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada

PostPosted: Fri Jan 30, 2009 8:44 pm    Post subject: Reply with quote

Paczesiowa wrote:
http://en.gentoo-wiki.com/wiki/Initramfs#Basic_File_structure


Uh yeah you already showed me that. I'm talking about cpio, "0 occurances onf 'cpio' found".
Back to top
View user's profile Send private message
Paczesiowa
Guru
Guru


Joined: 06 Mar 2006
Posts: 593
Location: Oborniki Śląskie, Poland

PostPosted: Fri Jan 30, 2009 10:49 pm    Post subject: Reply with quote

weird that they don't mention the final step, my bad. anyway, when you have all things in /usr/src/initramfs/ then you do this:
Code:
cd /usr/src/initramfs/ && find . | cpio -o -H newc | gzip -9 > /boot/initramfs.gz

and adjust grub cfg.
Back to top
View user's profile Send private message
blacksheep
n00b
n00b


Joined: 04 Aug 2006
Posts: 25

PostPosted: Sat Feb 21, 2009 10:27 pm    Post subject: Reply with quote

I'm currently running a system with kernel linux-2.6.24-gentoo-r4 (everything is encrypted with dm-crypt with luks) as a fileserver. I've recently noticed that on a hardware raid volume (encrypted too) that whilst it's being written to there is significant delay to anything reading from the same directory.

I've had a little read around and noticed that several people were saying this was a kernel issue and supposedly fixed in 2.6.24 - my question is, do you think a kernel upgrade would help and/or any other ideas?

Thanks
Back to top
View user's profile Send private message
jordanwb
l33t
l33t


Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada

PostPosted: Sat Feb 21, 2009 10:40 pm    Post subject: Reply with quote

Give it a try.
Back to top
View user's profile Send private message
chr0n0
n00b
n00b


Joined: 08 Aug 2008
Posts: 40

PostPosted: Sun May 10, 2009 1:09 pm    Post subject: Reply with quote

How does one go about encrypting a /home and /swap partition during a stage3 install? There are so many different guides out there and none of them seem to agree on anything. And worse, none of them are up to date (including the guide posted in this thread).

I have tried creating /dev/mapper/home and a /dev/mapper/swap using the guide here, but when I boot it says it cannot find them. I did some looking around in /etc/conf.d and found a file called crypto-loop. So I edited it and now I can get a prompt for my passphrase at boot, but after I enter it, it says:

Failed to configure /dev/mapper/home. Skipping.

I think what's happening is that it is looking for my /home partition early in the boot phase, it gives an error and then later it comes back asking for my passphrase. Something is screwed up in the boot order.

I just wish there was a simple, up-to-date guide out there!
_________________
Athlon 64 x2 4000+, GA-M57SLI-S4 mobo, 2GB PC-6400 RAM, WD 500GB HDD SATA, Internet: eth0 cable modem.
Back to top
View user's profile Send private message
Paczesiowa
Guru
Guru


Joined: 06 Mar 2006
Posts: 593
Location: Oborniki Śląskie, Poland

PostPosted: Sun May 10, 2009 3:19 pm    Post subject: Reply with quote

you can do it later, when your system is already working.
Back to top
View user's profile Send private message
Sujao
l33t
l33t


Joined: 25 Sep 2004
Posts: 677
Location: Germany

PostPosted: Mon May 11, 2009 12:18 pm    Post subject: Reply with quote

Your ramdisk only has to decrypt the root partition. Everything else is done by the "real" gentoo system. Edit /etc/conf.d/dmcrypt and add your entries. It's commented pretty good.
Back to top
View user's profile Send private message
chip007
n00b
n00b


Joined: 16 May 2009
Posts: 14
Location: Germany

PostPosted: Sun May 17, 2009 1:32 pm    Post subject: Reply with quote

Hi,

I've set up an encrypted root partition with busybox and initramfs and everything works fine, besides the fact that I am only able to use AES as cipher. If I use twofish for example I get an error message while booting. Something like "alg: no test for twofish(....)" Of course twofish is compiled into the kernel. (not as a module)

Any ideas?

init script:
#!/bin/sh
export PATH=/bin
umask 0077
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t tmpfs tmpfs /dev
busybox --install -s
echo /bin/mdev > /proc/sys/kernel/hotplug
mdev -s
while ! mount -n -o ro /dev/hda1 /bootram ; do
        sleep 5
done
rm /dev/tty
ln -s /dev/console /dev/tty
cryptsetup luksOpen /dev/hda2 root
mount /dev/mapper/root /new-root
echo > /proc/sys/kernel/hotplug
umount -l /proc /sys /dev /bootram
exec /bin/busybox switch_root /new-root /sbin/init root=/dev/mapper/root
Back to top
View user's profile Send private message
avx
Advocate
Advocate


Joined: 21 Jun 2004
Posts: 2070

PostPosted: Sun May 17, 2009 1:59 pm    Post subject: Reply with quote

Quote:
If I use twofish for example I get an error message while booting. Something like "alg: no test for twofish(....)"
Dito for me, but with serpent. Some googling reveals, that it's more of an cosmetic issue than a real problem.
Back to top
View user's profile Send private message
chip007
n00b
n00b


Joined: 16 May 2009
Posts: 14
Location: Germany

PostPosted: Sun May 17, 2009 3:22 pm    Post subject: Reply with quote

Well I cannot boot using my preferred cipher. For me it isn't cosmetic. Or are you speaking about the advantages and disadvantages between the ciphers?
Back to top
View user's profile Send private message
avx
Advocate
Advocate


Joined: 21 Jun 2004
Posts: 2070

PostPosted: Sun May 17, 2009 3:29 pm    Post subject: Reply with quote

Than I guess there must be something wrong with your setup, I get the "alg..."-message, too, but booting works without problems and the encryption does work.
Back to top
View user's profile Send private message
lkraav
Tux's lil' helper
Tux's lil' helper


Joined: 13 Oct 2004
Posts: 120
Location: Estonia

PostPosted: Wed Jun 03, 2009 6:39 pm    Post subject: Reply with quote

hrm, like few guys before mentioned about newer kernels, my tuxonice-sources-2.6.28-r10 also gets stuck after inserting USB stick with keyfile.

sda1 prompt shows up, but nothing else happens, no "Opening root" and "Opening swap" appears. initrd_shell=rescue hangs right before shell prompt is supposed to appear, no input from keyboard is recognized, power off is only choice.

tuxonice-sources-2.6.24-r9 keeps on working fine.

has anyone figured anything out?

edit: make sure CONFIG_SYSFS_DEPRECATED_V2 stays on, everything is working.
Back to top
View user's profile Send private message
Dheath
Tux's lil' helper
Tux's lil' helper


Joined: 06 Aug 2006
Posts: 131

PostPosted: Sun Jul 26, 2009 7:31 pm    Post subject: Reply with quote

I have amd64 system with baselayout2 and cryptsetup 1.0.6 and I'm trying to have an encrypted partition mounted on boot.
For some weird reason I get this at the beginning of boot messages:
Code:

...
* Setting up dm-crypt mappings...
* dm-crypt map crypt-token...
* cryptsetup will be called with : -c serpent-cbc-essiv:sha256 -d /etc/conf.d/token.key create crypt-token /dev/sde
Command failed: Error opening device: No such file or directory
* failure running cryptsetup                                                                                                                              [ !! ]
* dm-crypt map crypt-maxi...
* cryptsetup will be called with : -c serpent-cbc-essiv:sha256 -d /mnt/token/maxi.key create crypt-maxi /dev/sdc2
Command failed: Error opening device: No such file or directory
* failure running cryptsetup                                                                                                                              [ !! ]
* Checking swap is not LUKS
* dm-crypt map crypt-swap1...
* cryptsetup will be called with : -c aes -h sha1 -d /dev/urandom create crypt-swap1 /dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5803499-part3      [ ok ]
*   Running pre_mount commands for crypt-swap1...                                                                                                         [ ok ]
* Checking swap is not LUKS
* dm-crypt map crypt-swap2...
* cryptsetup will be called with : -c aes -h sha1 -d /dev/urandom create crypt-swap2 /dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5783237-part3      [ ok ]
*   Running pre_mount commands for crypt-swap2...                                                                                                         [ ok ]
* Failed to setup dm-crypt devices                                                                                                                        [ !! ]
* ERROR: dmcrypt failed to start
* Checking local filesystems ...
/dev/disk/by-uuid/23fafc47-37dc-431f-9da2-fc9e0c67f772: clean, 457077/3278576 files, 1964888/13109024 blocks
/dev/disk/by-uuid/4e573612-c6ca-483e-81df-90aef20e7820: clean, 401/35528704 files, 2301289/142094896 blocks
/dev/disk/by-uuid/7362ee33-b769-4be2-b878-6adb518be0c9: clean, 47/28112 files, 34071/112320 blocks                                                        [ ok ]
* Remounting root filesystem read/write...                                                                                                                [ ok ]
* Updating /etc/mtab...                                                                                                                                   [ ok ]
* Mounting local filesystems...
mount: special device /dev/mapper/crypt-maxi does not exist
* Some local filesystem failed to mount                                                                                                                   [ !! ]
...

and this at the end of boot messages:
Code:

...
* Mounting USB device filesystem [usbfs]...                                                                                                               [ ok ]
* Mounting misc binary format filesystem...                                                                                                               [ ok ]
* Activating swap devices...                                                                                                                              [ ok ]
* Initializing random number generator...                                                                                                                 [ ok ]
INIT: Entering          runlevel: 3
* Setting up dm-crypt mappings...
* dm-crypt map crypt-token...
* cryptsetup will be called with : -c serpent-cbc-essiv:sha256 -d /etc/conf.d/token.key luksOpen /dev/sde crypt-token
key slot 0 unlocked.
Command successful.                                                                                                                                       [ ok ]
*   Running pre_mount commands for crypt-token...                                                                                                         [ ok ]
* dm-crypt map crypt-maxi...
* cryptsetup will be called with : -c serpent-cbc-essiv:sha256 -d /mnt/token/maxi.key luksOpen /dev/sdc2 crypt-maxi
key slot 0 unlocked.
Command successful.                                                                                                                                       [ ok ]
* Checking swap is not LUKS
* dm-crypt mapping crypt-swap1 is already configured
* Checking swap is not LUKS
* dm-crypt mapping crypt-swap2 is already configured                                                                                                      [ ok ]
...


dmcrypt should be starting only at the boot level. If I delete dmcrypt from the boot level then none of the encrypted partitions will be mounted.
In /etc/conf.d/dmcrypt I have:
Code:

target=crypt-token
source='/dev/sde'
options='-c serpent-cbc-essiv:sha256 -d /etc/conf.d/token.key'
pre_mount='mount -o ro /dev/mapper/crypt-token /mnt/token'
post_mount='umount /mnt/token; cryptsetup luksClose crypt-token'

target=crypt-maxi
source='/dev/sdc2'
options='-c serpent-cbc-essiv:sha256 -d /mnt/token/maxi.key'


swap=crypt-swap1
source='/dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5803499-part3'

swap=crypt-swap2
source='/dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5783237-part3'


In /etc/fstab I have:
Code:

/dev/disk/by-uuid/7362ee33-b769-4be2-b878-6adb518be0c9  /boot   ext2    noatime         1 2
/dev/disk/by-uuid/23fafc47-37dc-431f-9da2-fc9e0c67f772  /       ext3    noatime         0 1
/dev/mapper/crypt-swap1                                 none    swap    sw              0 0
/dev/mapper/crypt-swap2                                 none    swap    sw              0 0
tmpfs                           /tmp    tmpfs   defaults,nosuid,size=1024M,mode=1777    0 1
/dev/disk/by-uuid/4e573612-c6ca-483e-81df-90aef20e7820  /home       ext2    noatime     0 1
/dev/disk/by-uuid/6727f0a7-97ec-4489-9bde-05311351316c  /mnt/puxi   ext2    rw          0 0
/dev/mapper/crypt-maxi                                  /mnt/maxi   ext2    rw          0 0
...


So, why is it trying to decrypt the partitions without Luks and why is the Luks used to decrypt the partitions before mounting the filesystems in /etc/fstab?
Back to top
View user's profile Send private message
NotQuiteSane
Guru
Guru


Joined: 30 Jan 2005
Posts: 471
Location: Klamath Falls, Jefferson, USA, North America, Midgarth

PostPosted: Thu Nov 12, 2009 9:00 pm    Post subject: Reply with quote

I'm trying to follow this guide after failing first try

when I reboot I see:
Code:
/init: line 615: syntax error: EOF in backquote substitution
init used greatest stack depth: 2336 bytes left!
Kernel Panic - not syncing:  Attempted to kill init!
Pid: 1, comm: init Not tainted 2.6.31-zen8-12nov09-08430-gaa0b3ad #5


what's really confusing me is that /init is only 614 lines, triple verified.

I can pastebin any needed info

NQS
_________________
These opinions are mine, mine I say! Piss off and get your own.

As I see it -- An irregular blog, Improved with new location

To delete French language packs from system use 'sudo rm -fr /'
Back to top
View user's profile Send private message
mephist0
Tux's lil' helper
Tux's lil' helper


Joined: 19 Sep 2005
Posts: 92
Location: Germany, near Frankfurt/Main

PostPosted: Tue Dec 15, 2009 8:43 pm    Post subject: Reply with quote

@frostschutz

I setup my system as described in your guide http://en.gentoo-wiki.com/wiki/Booting_encrypted_system_from_USB_stick

I used a gpg key for the password

this is my init:

Code:

#!/bin/busybox sh

# Function rescue shell
rescue_shell() {
   echo "Something went wrong. Dropping you to a shell."
   busybox --install -s
   exec /bin/sh
}

# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys

# Do your stuff here.
echo "This script decrypts and mounts rootfs and boots it up, nothing more!"

# Decrypting root LUKS device
gpg --decrypt etc/root.gpg 2>/dev/null | cryptsetup luksOpen /dev/sda3 root

# enabling lvm devices
lvm vgscan
lvm vgchange -a y

# Mount the root filesystem.
mount -o ro /dev/lvm/root /mnt/root || rescue_shell

# Clean up.
umount /proc
umount /sys

# Boot the real thing.
exec switch_root /mnt/root /sbin/init


But gpg doesnt ask for the password ?!?!?!
It says decrypted with 1 password
and then false session key or so

whats wrong?!?
_________________
Life sux, but graphics are awesome !

Fotoblog
Back to top
View user's profile Send private message
mephist0
Tux's lil' helper
Tux's lil' helper


Joined: 19 Sep 2005
Posts: 92
Location: Germany, near Frankfurt/Main

PostPosted: Tue Dec 15, 2009 9:47 pm    Post subject: Reply with quote

This F***ING gpg-agent is messing with me

I booted the Gentoo LiveDVD 10.1 again and executed gpg under chroot:
(I touched the S.gpg-agent file)

Code:

gpg --decrypt /root/system.encryption/root.gpg
gpg: 3DES encrypted data
can't connect to `/root/.gnupg/S.gpg-agent': Connection refused
gpg-agent[10612]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key


how do I turn this off for my init-script ?


[EDIT]
from man-page:
--no-use-agent
This is dummy option. gpg2 always requires the agent.
rofl ?!?! WTF?

[EDIT2]
luckily gentoo still has gpg-1.4.9 with static useflag and it asks for password on my chroot :D
If it doenst work now I must beat something with a big hammer :D :D

For now I have the root.gpg inside the initramfs
That isnt secure right?
_________________
Life sux, but graphics are awesome !

Fotoblog
Back to top
View user's profile Send private message
kingfame_147
Apprentice
Apprentice


Joined: 11 Oct 2008
Posts: 167

PostPosted: Sun Mar 21, 2010 9:39 am    Post subject: kernel panic Reply with quote

Hi,

when i try to use this guide with the "init" file from here (Alon Bar-Lev) and want to decrypt any partition i'm getting this error:

error picture


Even when i just try to decrypt the swap partiton like this:

Code:

kernel /boot/kernel-2.6.32-gentoo-r7 root=/dev/sdb3 video=uvesafb:2560x1600-32,mtrr:3,ywrap initrd_encmode=dm-crypt initrd_util=passphrase:id initrd_devices=/dev/sdb2 initrd_dmnames=swap


I'm asked for the password, then the screen goes black, and then the given error occurs :/ Any ideas?
Back to top
View user's profile Send private message
darkbasic
Tux's lil' helper
Tux's lil' helper


Joined: 06 Sep 2006
Posts: 123

PostPosted: Sun Mar 21, 2010 1:35 pm    Post subject: Reply with quote

This script simply doesn't work out of the box, I had to modify it to make it work.
Unfortunately I have fixed only the "encrypted keyfile" path, so it will not help you...
I also added (partial) LVM2 support, but it's still not finished.
_________________
Computers are like air conditioners:
they stop working properly when you open Windows...

Coltiva Linux, Windows si pianta da solo.


http://www.linuxsystems.it/
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Unsupported Software All times are GMT
Goto page Previous  1, 2, 3 ... , 18, 19, 20  Next
Page 19 of 20

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum