Gentoo Forums
[HOWTO] root, swap filesystem encryption for 2.4 and 2.6

Guest

Posted: Sat Apr 17, 2004 2:40 am

I am using the following versions:
    linux-2.6.5-mm6
    loop-AES-v2.0g
    util-linux-2.12a

I am unable to compile as usual and have gone back to a 2.6.3 kernel. What precisely does one have to edit in order to get the above to work?

twiggy
n00b

Joined: 25 Nov 2003
Posts: 65
Location: Sweden

Posted: Sat Apr 24, 2004 8:24 am

I'm wondering if I can change the encryption after I already have encrypted it with aes128? (without any loss)
And is aes the best way to go? And thanks for the docs 8)
I was a bit afraid in the beginning but it went just fine.
_________________
Bite my shiny metal ass!

hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Sat Apr 24, 2004 9:27 am

hmm, I haven't tested it yet but theoretically it should be possible to pipe the already encrypted files through another loop device with another cipher enabled ...

maybe you can test this with a file or some removable storage devices first?

greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

twiggy
n00b

Joined: 25 Nov 2003
Posts: 65
Location: Sweden

Posted: Sat Apr 24, 2004 9:54 am

Thanks for the answer but I think I'll just stay with aes128 for now.
Anyway you wouldn't have anything else as cool as this to play around with on a saturday would ya? :lol:
_________________
Bite my shiny metal ass!

d4h0od
Tux's lil' helper

Joined: 27 Jun 2002
Posts: 80
Location: Europe => Sweden => Blekinge => Karlskrona => h0odet

Posted: Mon Apr 26, 2004 4:55 pm    Post subject: can't mount encrypted filesystem

I tried doing "3. Encrypt your current root partition using a gpg encrypted key" and everything worked great (I think, no errors or such) until I rebooted and then I got an error msg with something like
Code:
insmod /lib/modules-2.6.5-gentoo-r1/loop.ko no such file or device

I guess I have done something wrong... maybe missed or did something wrong when I edited build-initrd.sh cuz it's not finding the module...

then I turned to step "7. If something has gone wrong", I booted up knoppix cd and tried mounting the encrypted filesystem to go through the steps I did previously but I can't mount it ;(
first I just tried following the instructions exactly but after thinking a bit I thought about that those steps didn't say anything about uncrypting my filesystem using the gpg-key I used to encrypt it
so I mounted boot partition containing my gpg-key and added the option -K to losetup command. (is that correct ?)
Code:
losetup -e AES256 -K /mnt/tempboot/rootkey.gpg /dev/loop0 /dev/hda3

and then supplied the password I wrote earlier when I encrypted the partition with gpg (it seems to work cuz if I supply wrong password it says "Error: gpg key file decryption failed")

but when I'm doing
Code:
mount /dev/loop0 /mnt/gentoo

I get error msg that it can't mount it ;(
Code:
FAT: bogus logical sector size 40229
VFS: Can´t find a valid FAT filesystem on dev 07:00.
mount: you must specify the filesystem type

so then I of course try adding -t ext3 to mount command (cuz that's the fs of root partition ;)
but get another error msg then
Code:
VFS: Can´t find ext3 filesystem on dev loop(7,0).
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
or too many mounted file systems


think I have messed something up really bad and think I'm gonna try starting over but wanted to hear first if someone else maybe knows what I did wrong and/or how I can fix it.

another question regarding "4. Encrypt a clean root partition while installing gentoo" cuz if I'm gonna start all over I will try to encrypt etc before I install gentoo but I still wanna use gpg but there isn't any info regarding gpg in step 4. (guessing cuz there isn't any place to store gpg-keys when encrypting filesystem cuz the filesystem isn't there yet)
is it hard to add the extra layer of security with gpg afterwards or must I follow and make step 3 work if I want to use gpg+encryption ?
_________________
// d4h0od
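
The mount errors in the post above mean that no filesystem signature was found on /dev/loop0; one way this happens is a loop device set up with a cipher, key or offset that differs from the one used at encryption time. As an added example (not part of the thread or of the guide), the script below checks a decrypted loop device or image file for a signature before mount is attempted; the ReiserFS and swap checks go beyond the ext3 case in the post, and the function names and script name are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): look for a filesystem signature on a
# decrypted loop device, or on an image file, before trying to mount it.

# read_bytes FILE OFFSET COUNT -> lowercase hex without separators, e.g. "53ef"
read_bytes() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# fs_signature FILE -> prints ext2, ext3, reiserfs, swap or unknown;
# returns 0 when a signature was found and 1 otherwise.
fs_signature() {
    dev=$1

    # ext2/ext3: s_magic 0xEF53 (little-endian) at 1024 + 56 = 1080.
    if [ "$(read_bytes "$dev" 1080 2)" = "53ef" ]; then
        # s_feature_compat starts at 1024 + 92; bit 0x4 is has_journal (ext3).
        compat=$(read_bytes "$dev" 1116 1)
        [ -n "$compat" ] || compat=00
        if [ $(( 0x$compat & 4 )) -ne 0 ]; then echo ext3; else echo ext2; fi
        return 0
    fi

    # ReiserFS 3.x: superblock at 64 KiB, magic "ReIsEr..." 52 bytes in.
    if [ "$(read_bytes "$dev" 65588 6)" = "526549734572" ]; then
        echo reiserfs
        return 0
    fi

    # Swap: "SWAPSPACE2" in the last 10 bytes of the first page
    # (assumes 4 KiB pages, as on x86).
    if [ "$(read_bytes "$dev" 4086 10)" = "53574150535041434532" ]; then
        echo swap
        return 0
    fi

    echo unknown
    return 1
}

# Usage (hypothetical file name): sh fs_signature.sh /dev/loop0
if [ $# -gt 0 ]; then
    fs_signature "$1" || echo "no known signature: check cipher, key file and offset" >&2
fi
```

An "unknown" result right after losetup means the loop setup should be detached with losetup -d and repeated with other parameters before anything is written to the device.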

hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Mon Apr 26, 2004 11:25 pm

this looks to me as if you forgot kernel support for something. could be several things. but I think it should be possible to do that right from the beginning of an installation. tomorrow I'll have a look at it, cause it's 1:30am and I hardly can keep my eyes open 8O

so g'nite everyone,
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Mon May 03, 2004 3:31 pm

hmm I am not sure how to encrypt a clean partition with gpg but maybe you should have a look at point 7.5 on http://loop-aes.sourceforge.net/loop-AES.README and compare it with this cause they also described it with gpg and maybe there is something wrong (or outdated) with the method described here.

thanks in advance for feedback!
greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

revoohc
Tux's lil' helper

Joined: 12 Oct 2002
Posts: 128

Posted: Thu May 06, 2004 12:50 pm

I need some help.

I followed the instructions last night to encrypt my root partition with AES128. However, when I reboot my system with the new encrypted partition I get:
VFS: Mounted root (minix filesystem) readonly.
Mounded devfs on /dev
Freeing unused kernel memory: 152k freed
Mounting /dev/hda1 as /lib failed
System halted.

What did I do wrong? I'm running 2.6.5-gentoo-r1 and followed the steps for encrypting a pre-existing root partition using 2.6 with devfs.

thanks for any help,

Chris

Jayh
n00b

Joined: 07 May 2004
Posts: 4

Posted: Sat May 08, 2004 1:23 am

Hi Guys,

I was wondering if anyone would know how to encrypt a second hard disk (or even a third)...
Can I just take (for example) /dev/loop1 and encrypt the disk and use /dev/loop1 in /etc/fstab and so on using the root partition method to encrypt the disks?


Sorry for being a little vague but it's 3:22AM and I'm kinda tired 8)

(p.s. wonderful faq Hulk! thanks :)

hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Sat May 08, 2004 11:03 am

have a look at this:
http://tldp.org/HOWTO/Cryptoloop-HOWTO/index.html

greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

RinkyDinks_RJ
n00b

Joined: 12 Aug 2003
Posts: 42

Posted: Mon May 10, 2004 5:51 pm

You should add the shred command to your guide. It is used to overwrite anything previously on the drive (data can remain on drive even if you reformat), (use for clean install/swap drives only)

shred /dev/hdaX

the default number of overwrites shred uses is 25. you can use -n X to specify a different number, though default is good enough.

Using shred -z /dev/hdaX will overwrite everything with zeroes.

Obviously, you only need to use this if you are concerned that previously unencrypted data on your hard disk may remain available to attack even after a format. (Yes, sometimes data can still hang on)

Jayh
n00b

Joined: 07 May 2004
Posts: 4

Posted: Mon May 10, 2004 8:07 pm

Allrite, I've managed to use the loop devices to encrypt a whole new hd.
For those interested, read this little howto:

First if you don't have enough /dev/loop devices, the best way to increase it is just to recompile your kernel.

Lookup the /usr/src/linux-2.4.25/drivers/block/loop.c and replace obviously the linux-2.4.25 with your kernelversion.

Edit it in your favourite editor and change the following:
Code:
static int max_loop = 16;

change the 16 into how many loop devices you want.

After reboot, check /dev/loop/ to see if the loop devices are there. If they're not, use the mknod utility to create them. Read the man-page about that because I don't know how to make them via mknod ;)

Now you can use the same setup as with encrypting the root partition.
Code:
/sbin/losetup -e AES256 /dev/loopX /dev/hdX
dd if=/dev/hdX of=/dev/loopX bs=64k conv=notrunc

mount it and you're off!

you can use any loop device you want though I recommend you start with loop device 7 or 8 (you can make up to 64 loop devices anyway).

Now my question 8)

I want to create a LVM using the loop devices in order to encrypt it.
Ok, followed the howto's, install/readme files etc and it was no problem setting it up using the /dev/loop devices. Kernel LVM driver was up to date so no recompiling was necessary.

Now the problem, I needed to make a filesystem on the LVM. I created reiserFS on it and also no problems (though I was a little uncomfortable to create a new filesystem on my already encrypted disks).

when I checked df -h, my mounted loop devices were 16T (Yea, 16 Terabytes) so I thought to unmount them and remount to see if they were still working. Then I got a Segmentation fault while trying to unmount the loop device (How nice) but the LVM was still active.
So I deactivated it and tried to remove the encryption on the loop device using losetup but the following error command keeps coming back:

Code:
ioctl: LOOP_CLR_FD: Device or resource busy


Anyone an idea to kill the loop device or to disconnect it properly?

Only this is mounted:
Code:

Filesystem            Size  Used Avail Use% Mounted on
/dev/loop/5            37G  891M   36G   3% /
/dev/root              11K  8.0K  3.0K  73% /initrd
/dev/ide/host0/bus0/target0/lun0/part1
                       48M   36M   12M  75% /boot
none                  126M     0  126M   0% /dev/shm


LVM has been shut down and I can't see any more links to an active session with the loop devices.

Hope u guys have an answer!

See Ya,
Jayh

hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Mon May 10, 2004 10:26 pm

@RinkyDinks_RJ
cool, thank you for that. of course I will add that! you can never be secure enough can't you ;)
but why do you mean this should be used for swap partitions only and why only when installing on a clean drive?

@Jayh
losetup -d /dev/loopX ?


greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

Jayh
n00b

Joined: 07 May 2004
Posts: 4

Posted: Tue May 11, 2004 8:45 am

hulk2nd,

That's the command I used to remove the loop devices and got the error
Code:
ioctl: LOOP_CLR_FD: Device or resource busy

while I couldn't see any reason why the loop devices would be in use.

I've now realized after a reboot that the encrypted partition has been destroyed after repartitioning the LVM.

So I'm thinking of trying to make the LVM and after the partitioning to create a loop device in order to encrypt the lvm :)

d4h0od
Tux's lil' helper

Joined: 27 Jun 2002
Posts: 80
Location: Europe => Sweden => Blekinge => Karlskrona => h0odet

Posted: Wed May 12, 2004 12:04 am    Post subject: step 3h

Not sure if this is really worth mentioning and I don't want to complain about the guide cuz I think it's really nice.
But one thing that caused problems for me the first time I tried the guide following step 3 was that I couldn't boot my system.
I got an error that it couldn't find /lib/modules-2.6.5-gentoo-r1/loop.ko (at least I think that was the error msg). Then I remembered that in step 3h) in the guide I copy the module loop.ko to /boot and name it to loop.o. I tried renaming it back to loop.ko and the next time I rebooted I didn't get the error msg ;)

is there anyone else that has had the same problem and maybe did the same thing as me? maybe it's just a typo in the guide?
_________________
// d4h0od

hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Wed May 12, 2004 10:35 am    Post subject: Re: step 3h

d4h0od wrote:
Not sure if this is really worth mentioning and I don't want to complain about the guide cuz I think it's really nice.
But one thing that caused problems for me the first time I tried the guide following step 3 was that I couldn't boot my system.
I got an error that it couldn't find /lib/modules-2.6.5-gentoo-r1/loop.ko (at least I think that was the error msg). Then I remembered that in step 3h) in the guide I copy the module loop.ko to /boot and name it to loop.o. I tried renaming it back to loop.ko and the next time I rebooted I didn't get the error msg ;)

is there anyone else that has had the same problem and maybe did the same thing as me? maybe it's just a typo in the guide?

yes, thank you for that, could be indeed problematic. changed it :)

greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

d4h0od
Tux's lil' helper

Joined: 27 Jun 2002
Posts: 80
Location: Europe => Sweden => Blekinge => Karlskrona => h0odet

Posted: Wed May 12, 2004 12:53 pm    Post subject: finally got it working ;))

got my system up and running with encrypted root fs now ;)
thanx a lot for this excellent guide... without it I don't think I ever would have had the time/energy to try to do it

now I only need to encrypt the swap partition as well but that seems to be quite easy... is it really just to change the line in fstab and then all data written to swap partition is encrypted ;)?
_________________
// d4h0od

RinkyDinks_RJ
n00b

Joined: 12 Aug 2003
Posts: 42

Posted: Wed May 12, 2004 9:00 pm

Typing shred /dev/hdax will clean everything off the part. Also, there is a way to make it just wipe the clear areas on the part; I believe it uses /dev/zero. not sure, so I go check it out...

abeowitz
n00b

Joined: 17 Mar 2003
Posts: 20
Location: Seattle

Posted: Tue May 18, 2004 3:58 am    Post subject: loop.ko

Question.

Right now, I'm just doing an encrypted swap partition...

But loop.ko, if setup in /etc/modules.autoload.d/kernel-2.6 tends to load AFTER the swap partition is mounted.

How do I load this module BEFORE swap gets loaded?

BTW, it does work if I do a

Code:
swapoff -a
swapon -a
losetup -a
/dev/loop/7: [000c]:1812 (/dev/hda3) offset=4096 encryption=AES128 multi-key



Thanks

CB2206
Tux's lil' helper

Joined: 27 May 2003
Posts: 127
Location: NRW

Posted: Tue May 18, 2004 5:52 am

hi,

I'm using a 2.6er kernel with cryptoloop support and I'm just wondering whether it would be possible to get back to bootsplash silent mode after typing in the password for my encrypted home partition.

does anyone know a solution for this?
_________________
CB

jeffrice
Tux's lil' helper

Joined: 25 Jun 2003
Posts: 89
Location: New York, USA

Posted: Sat May 22, 2004 3:05 am    Post subject: Boot from USB

I'm having some trouble getting this to work from my USB drive. I put the pause in the build-initrd.sh script so that the USB hub and drive have a chance to initialize. But right after, I get the error

Code:
/dev/sda1 failed to mount as /lib


So... what do I do? The message from the USB modules says it found my USB drive at sda1 and of course it is working because I boot from the USB up to that point. Am I specifying the device that should be mounted as /lib wrongly? There isn't a great deal of error message to work with!

Jeff

markymarc
n00b

Joined: 04 Dec 2003
Posts: 39
Location: Denmark

Posted: Sat May 22, 2004 10:01 pm    Post subject: Will not make mount!!!

I'm trying to install the util-linux in 2b. But when I come to make SUBDIRS="lib mount", I get a lot of errors, the same if I just do a make in mount. Which results in no new mount umount etc etc.
I don't know if it's related but when I applied the fix util-linux-2.12.diff it can't find the loop.h file. Is this normal?

Am I missing something or ?????

jeffrice
Tux's lil' helper

Joined: 25 Jun 2003
Posts: 89
Location: New York, USA

Posted: Sun May 23, 2004 12:04 am    Post subject: Re: Boot from USB

jeffrice wrote:
I'm having some trouble getting this to work from my USB drive.


Alternatively, has anyone gotten this to work using an unencrypted boot with the gpg key on usb? It seems to work fine if my key is on CD, but that isn't quite what I want.

It still says it can't mount my usb... all the drivers are compiled into the kernel, so the problem isn't clear to me.

Jeff

markymarc
n00b

Joined: 04 Dec 2003
Posts: 39
Location: Denmark

Posted: Sun May 23, 2004 3:01 pm    Post subject: Re: Will not make mount!!!

By the way, this is what I get when I run the fix:

Code:
 Perhaps you used the wrong -p or --strip option?
Skip this patch? [y]
> The text leading up to this was:
> --------------------------
> |diff -urN util-linux-2.12a/mount/loop.h util-linux-2.12a-AES/mount/loop.h
Hunk #3 FAILED at 128.
> |--- util-linux-2.12a/mount/loop.h      Wed Jul 16 23:06:02 2003
> |+++ util-linux-2.12a-AES/mount/loop.h  Fri Mar  5 18:48:49 2004
> --------------------------
> File to patch:
> Skip this patch? [y]
> Skipping patch.
> 3 out of 3 hunks ignored
> patching file mount/losetup.8
> Hunk #1 FAILED at 1.
> Hunk #2 FAILED at 30.
> Hunk #3 FAILED at 128.
> 3 out of 3 hunks FAILED -- saving rejects to file mount/losetup.8.rej
> patching file mount/loumount.c
> patching file mount/mount.8
> Hunk #2 succeeded at 270 (offset -1 lines).
> Hunk #3 FAILED at 321.
> Hunk #4 succeeded at 1686 (offset -29 lines).
> 1 out of 4 hunks FAILED -- saving rejects to file mount/mount.8.rej
> patching file mount/mount.c
> Hunk #2 FAILED at 114.
> Hunk #3 succeeded at 189 (offset -3 lines).
> Hunk #4 succeeded at 199 (offset -3 lines).
> Hunk #5 succeeded at 563 (offset -3 lines).
> Hunk #6 succeeded at 588 (offset -3 lines).
> Hunk #7 FAILED at 605.
> Hunk #8 FAILED at 664.
> Hunk #9 FAILED at 1478.
> 4 out of 9 hunks FAILED -- saving rejects to file mount/mount.c.rej
> patching file mount/rmd160.c
> patching file mount/rmd160.h
> patching file mount/sha512.c
> patching file mount/sha512.h
> patching file mount/swapon.8
> patching file mount/swapon.c


And this is what I get when I run "make SUBDIRS="lib mount""
Code:
mount.c:213: error: initializer element is not constant
mount.c:213: error: (near initialization for `string_opt_map[10]')
mount.c:214: error: initializer element is not constant
mount.c:214: error: (near initialization for `string_opt_map[11]')
mount.c:215: error: initializer element is not constant
mount.c:215: error: (near initialization for `string_opt_map[12]')
mount.c: In function `loop_check':
mount.c:594: error: `loopOffsetBytes' undeclared (first use in this function)
mount.c:594: error: (Each undeclared identifier is reported only once
mount.c:594: error: for each function it appears in.)
mount.c:594: error: `loopSizeBytes' undeclared (first use in this function)
mount.c:594: error: `loopEncryptionType' undeclared (first use in this function)
mount.c:611: error: `offset' undeclared (first use in this function)
mount.c:611: error: `opt_offset' undeclared (first use in this function)
mount.c:612: error: `opt_encryption' undeclared (first use in this function)
make[1]: *** [mount.o] Error 1
make[1]: Leaving directory `/tmp/env/loop-AES-v2.1a/util-linux-2.12pre/mount'
make: *** [all] Error 1

markymarc
n00b

Joined: 04 Dec 2003
Posts: 39
Location: Denmark

Posted: Sun May 23, 2004 3:22 pm    Post subject: Re: Will not make mount!!!(SOLVED)

Solved with some great help from hulk2nd. Instead of using the util-linux package from kernel.org, he pointed me at this one:
http://gentoo.oregonstate.edu/distfiles/util-linux-2.12.tar.gz

And it just works like a charm.

:D

All times are GMT
Page 5 of 8