Gentoo Forums
Simple Encrypted Root Filesystem w/ Device Mapper (2.6)
steeledan (n00b), Joined: 18 Jul 2004, Posts: 8
Posted: Sun Jul 18, 2004 9:48 am    Post subject: Simple Encrypted Root Filesystem w/ Device Mapper (2.6)

I recently encrypted my root file system, and I decided to write a how-to to help others save a lot of trouble. I may be forgetting something, so back up your system first. And you should BACK IT UP ANYWAY just in case something goes wrong - who knows if you'll lose power or something.... I flunked college writing 1 the first time through, so feel free to rewrite in a more descriptive idiot-proof way ;)

This assumes /dev/hda1 is /boot with grub and the kernel, and /dev/hda2 is the root file system. You'll need a 2.6 kernel with device mapper, crypt target, and aes compiled in. You'll also need cryptsetup installed. If you haven't already encrypted your swap file system with dm-crypt or similar, you should do it now so your pass phrase doesn't get swapped to disk.

You'll need these files in /boot in addition to grub and the kernel:
bin/bash bin/cat bin/chroot bin/dd bin/mount bin/sh bin/umount
dev/
etc/fstab etc/mtab
lib/ld-linux.so.2 lib/libc.so.6 lib/libdl.so.2 lib/libnsl.so.1
mnt/root/
sbin/cryptsetup sbin/init sbin/pivot_root
usr/lib/libgcrypt.so.11 usr/lib/libgpg-error.so.0 usr/lib/libpopt.so.0

/boot/etc/fstab contains the following:
/dev/hda1 / ext2 noauto,noatime 0 0
/dev/mapper/root /mnt/root reiserfs ro 0 0
none /dev devfs defaults 0 0

/boot/etc/mtab is an empty file.

/boot/sbin/init contains the following: chmod 755!
#!/bin/sh
/sbin/cryptsetup -c aes-plain -h sha512 -s 256 create root /dev/discs/disc0/part2
/bin/mount /mnt/root -n
cd /mnt/root
/sbin/pivot_root . ./boot
exec /bin/chroot . /bin/sh -c "/bin/umount /boot/dev -n;/bin/umount /boot -n;exec /sbin/init" </dev/console >/dev/console 2>&1

You'll need to change the root mount point in the real /etc/fstab and your grub config to root=/dev/hda1.

I used an extra hard drive to do the actual encryption, but you should be able to do the following:

Boot the kernel with root=/dev/hda1 init=/bin/sh
/sbin/cryptsetup -y -c aes-plain -h sha512 -s 256 create root /dev/discs/disc0/part2
/bin/dd if=/dev/discs/disc0/part2 of=/dev/mapper/root bs=4k

Then reboot as usual and pray everything isn't gone :)
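A pre-reboot sanity check for the /boot tree described above, added here as an example and not part of the original post or any Gentoo tool. It assumes the layout that the init script implies (every listed entry lives under the /boot partition, e.g. /boot/bin/bash, with dev/ and mnt/root/ as empty directories) and uses a constructed stand-in directory so it can be exercised offline; the check names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: verify the mini root tree on /dev/hda1
# before rebooting, so a missing piece shows up here instead of as a kernel
# panic. Assumed layout: every entry from the post lives under the given
# directory, e.g. <dir>/bin/bash, and dev/ and mnt/root/ are empty directories.

REQUIRED_FILES="bin/bash bin/cat bin/chroot bin/dd bin/mount bin/sh bin/umount
etc/fstab etc/mtab
lib/ld-linux.so.2 lib/libc.so.6 lib/libdl.so.2 lib/libnsl.so.1
sbin/cryptsetup sbin/init sbin/pivot_root
usr/lib/libgcrypt.so.11 usr/lib/libgpg-error.so.0 usr/lib/libpopt.so.0"
REQUIRED_DIRS="dev mnt/root"

# check_boot_tree DIR: print every problem found; return 0 only if none.
check_boot_tree() {
    root=$1
    problems=0
    for f in $REQUIRED_FILES; do
        [ -f "$root/$f" ] || { echo "missing file: $f"; problems=$((problems + 1)); }
    done
    for d in $REQUIRED_DIRS; do
        [ -d "$root/$d" ] || { echo "missing directory: $d/"; problems=$((problems + 1)); }
    done
    # The post stresses chmod 755: an init the kernel cannot execute is a panic.
    if [ -f "$root/sbin/init" ] && [ ! -x "$root/sbin/init" ]; then
        echo "sbin/init is not executable (chmod 755 it)"
        problems=$((problems + 1))
    fi
    # "/bin/mount /mnt/root -n" in the init script needs this fstab line to exist.
    if [ -f "$root/etc/fstab" ] && ! grep -q '^/dev/mapper/root[[:space:]][[:space:]]*/mnt/root' "$root/etc/fstab"; then
        echo "etc/fstab has no /dev/mapper/root -> /mnt/root entry"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# build_sample_tree DIR: constructed stand-in for the real /boot (empty files
# stand in for the binaries) so the check can be exercised offline.
build_sample_tree() {
    for f in $REQUIRED_FILES; do
        mkdir -p "$1/$(dirname "$f")" && : > "$1/$f"
    done
    for d in $REQUIRED_DIRS; do mkdir -p "$1/$d"; done
    chmod 755 "$1/sbin/init"
    printf '%s\n' '/dev/hda1 / ext2 noauto,noatime 0 0' \
        '/dev/mapper/root /mnt/root reiserfs ro 0 0' \
        'none /dev devfs defaults 0 0' > "$1/etc/fstab"
}
# On the real tree: check_boot_tree /boot
```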
schachti (Advocate), Joined: 28 Jul 2003, Posts: 3765, Location: Gifhorn, Germany
Posted: Mon Oct 11, 2004 5:00 pm    Post subject: Re: Simple Encrypted Root Filesystem w/ Device Mapper (2.6)

Has anyone tried this? I've got some questions...

Just to be sure:
steeledan wrote:

You'll need these files in /boot in addition to grub and the kernel:
bin/bash bin/cat bin/chroot bin/dd bin/mount bin/sh bin/umount
dev/
etc/fstab etc/mtab
lib/ld-linux.so.2 lib/libc.so.6 lib/libdl.so.2 lib/libnsl.so.1
mnt/root/
sbin/cryptsetup sbin/init sbin/pivot_root
usr/lib/libgcrypt.so.11 usr/lib/libgpg-error.so.0 usr/lib/libpopt.so.0


Am I supposed to copy all these files to /boot, or to /boot/bin/bash, /boot/bin/cat, ..., /boot/usr/lib/libpopt.so.0?

What do the entries "dev/" and "mnt/root" mean - do I have to create empty directories called "/boot/dev/" and "/boot/mnt/root"?

steeledan wrote:

/boot/etc/fstab contains the following:
/dev/hda1 / ext2 noauto,noatime 0 0
/dev/mapper/root /mnt/root reiserfs ro 0 0
none /dev devfs defaults 0 0


What about

Code:

none                    /dev/shm        tmpfs           defaults                0 0


from my /etc/fstab? Should I add this line, too?

Thanks in advance - maybe dumb questions, but I don't want to lose my data...
westboy21 (Tux's lil' helper), Joined: 10 Oct 2003, Posts: 135, Location: Raleigh, North Carolina
Posted: Tue Dec 14, 2004 4:45 pm

I followed these instructions, but for some reason, all I get when I boot is a kernel panic. The panic error suggests that I pass the kernel an init=. What did I do wrong?
When I compile the kernel, am I supposed to compile in support for devfs and have it mount at boot time?
c0rvus (n00b), Joined: 15 Dec 2004, Posts: 1, Location: S'toon
Posted: Mon Dec 27, 2004 8:29 pm    Post subject: [mini-HOWTO] Encrypting root file system with dm-crypt

samx put together another document regarding this which is fairly good...

you might want to take a look at http://forums.gentoo.org/viewtopic.php?t=163762