Gentoo Forums :: Forum Index :: Documentation, Tips & Tricks
[HOWTO] root, swap filesystem encryption for 2.4 and 2.6

hulk2nd (Guru, Joined: 25 Mar 2003, Posts: 512, Location: Freiburg, Germany)
Posted: Sun May 23, 2004 10:28 pm    Post subject: Re: Boot from USB

jeffrice wrote:
I'm having some trouble getting this to work from my USB drive. I put the pause in the build-initrd.sh script so that the USB hub and drive have a chance to initialize. But right after, I get the error

Code:
/dev/sda1 failed to mount as /lib


So... what do I do? The message from the USB modules says it found my USB drive at sda1 and of course it is working because I boot from the USB up to that point. Am I specifying the device that should be mounted as /lib wrongly? There isn't a great deal of error message to work with!

Jeff
Maybe a little bit too late, but I'm sure I know what your problem is/was:
you typed /dev/sda1 in the build-initrd.sh, right? It should have been /dev/discs/disc0/part1 if you have devfs enabled.

(Replace disc0 with the actual disk. Dunno which one sda is ...)


greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"

jeffrice (Tux's lil' helper, Joined: 25 Jun 2003, Posts: 89, Location: New York, USA)
Posted: Mon May 24, 2004 12:49 am    Post subject: Re: Boot from USB

Quote:
maybe a little bit too late but im sure i know what your problem is/was:
you typed /dev/sda1 in the build-initrd.sh, right? it should have been /dev/discs/disc0/part1 if you have devfs enabled.


Thanks, but my system is pure udev so I don't think that is the problem. (Good thought though.)

But now I'm on to a new problem. I put my key on a CD (/dev/hdd works in the build_initrd, so I assume /dev/sda1 should have) and went from there. But now I end up with pivot_root failing. The error says something about older kernels not including pivot, but that seems to be a default error. I'm using 2.6.4-ck2, which should be fine.

Very glad I copied my root to another HD!

Jeff
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher Athlon-XP: 2.6.7-love8-ck5 +nptl

jeffrice (Tux's lil' helper, Joined: 25 Jun 2003, Posts: 89, Location: New York, USA)
Posted: Tue May 25, 2004 1:01 am    Post subject: Re: Boot from USB

Quote:
I'm using 2.6.4-ck2, which should be fine.


Hmm, I'm baffled. If I boot from my backup root, I can decrypt and manually pivot to the new root. So the problem is neither a corrupted partition nor a kernel that can't pivot. So... I'm not sure what to try next. build_initrd.sh doesn't copy /sbin/pivot_root to /boot, but it looks like it makes its own version against dietlibc.

Doh. I wish I got a little more useful error messages on boot.

Jeff
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher Athlon-XP: 2.6.7-love8-ck5 +nptl

hulk2nd (Guru, Joined: 25 Mar 2003, Posts: 512, Location: Freiburg, Germany)
Posted: Tue May 25, 2004 2:18 am

Must have something to do with the ramdisk.
The error sounds familiar to me, but atm I don't remember what it was.
_________________
Linux: "Free as in free speech, not as in free beer"

kswtch (n00b, Joined: 07 Aug 2003, Posts: 47, Location: Düsseldorf, Germany)
Posted: Tue May 25, 2004 6:18 am

I followed your instructions to encrypt my existing root partition with devfs. After rebooting I get this message:
Code:

RAMDISK: Compressed image found at block 0
VFS: Mounted root (minix filesystem) readonly.
Mounted devfs on /dev
.
.
EXT3-fs: mounted filesystem with ordered data mode.
insmod: can't read '/lib/modules-2.6.6-mm5/loop.ko': No such file or directory
Command "/lib/insmod /lib/modules-2.6.6-mm5/loop.ko " returned error
Shutdown: hda
System halted.



edit:
I had a typo in build_initrd.sh.

Now I get an error after entering my passphrase.
Code:

VFS: Can't find ext3 filesystem on dev loop5.
Looks like you didn't say the magic word. Mounting /dev/loop/5 failed


edit:
I had to load a special keymap file to make my passphrase work.
This is how to load the default keymap you are using.

make sure /boot is mounted
Code:
mount /boot

open your build_initrd.sh script and set LOADNATIONALKEYB=1

you have to copy an uncompressed keyboard layout file to /boot/default.kmap
you can use dumpkeys to do so. (This will copy the current keyboard layout to /boot/default.kmap)
Code:

dumpkeys >/boot/default.kmap


build a new initrd file
Code:

sh /tmp/enc/loop-AES-<version>/build_initrd.sh


reboot.

jeffrice (Tux's lil' helper, Joined: 25 Jun 2003, Posts: 89, Location: New York, USA)
Posted: Tue May 25, 2004 11:13 am

hulk2nd wrote:
Must have something to do with the ramdisk.
The error sounds familiar to me, but atm I don't remember what it was.


Aha! Got it... because I was running build-initrd from a root other than the one I was trying to pivot to, an empty but crucial directory was missing. Pivot_root takes 2 arguments: the new root to mount, and the mount point for the old root, relative to the new root. There was no place to mount my old root, so it failed.

Mounting the new root and creating /initrd was all it took.

(edit)
That, and changing my /sbin/rc to mount /dev/ram1 on /mnt/.init.d rather than /dev/ram0, since that was already in use. RC really should make sure the ramdisk isn't already in use before it tries to use it.

Now to get it to read my key off the USB drive...
(/edit)
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher Athlon-XP: 2.6.7-love8-ck5 +nptl
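The two failures Jeff describes (a missing mount point for the old root, and rc grabbing a ramdisk the initrd still occupies) are both cheap to check before you reboot into a new initrd. The script below is an added example, not part of the thread or of loop-AES's build_initrd.sh; the function names, the optional third argument (a mounts table file, so the check can run against a constructed sample instead of /proc/mounts) and the sample table are all this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or loop-AES): pre-flight checks for the
# pivot_root step of a loop-AES style initrd. "pivot_root NEW_ROOT PUT_OLD"
# moves the old root to NEW_ROOT/PUT_OLD, so that directory must already exist
# on the *new* root, and NEW_ROOT itself must be a mount point. The optional
# third argument reads a constructed mounts table instead of /proc/mounts.
pivot_root_preflight() {
    newroot=$1
    putold=$2               # relative to newroot, e.g. initrd
    mounts=${3:-/proc/mounts}

    [ -d "$newroot" ] || { echo "new root $newroot is not a directory" >&2; return 1; }
    # /proc/mounts lines: <device> <mountpoint> <fstype> <options> 0 0
    awk -v mp="$newroot" '$2 == mp { found = 1 } END { exit !found }' "$mounts" ||
        { echo "$newroot is not a mount point" >&2; return 2; }
    [ -d "$newroot/$putold" ] ||
        { echo "$newroot/$putold missing: create it on the new root, not the root you build from" >&2; return 3; }
    return 0
}

# The post's second problem: rc used /dev/ram0 while the initrd still occupied
# it. Print the first ramdisk that is not mounted, or fail if none is free.
free_ramdisk() {
    mounts=${1:-/proc/mounts}
    for n in 0 1 2 3 4 5 6 7; do
        awk -v dev="/dev/ram$n" '$1 == dev { found = 1 } END { exit !found }' "$mounts" ||
            { echo "/dev/ram$n"; return 0; }
    done
    return 1
}

# Self-contained demo on a constructed mounts table (runs as a normal user).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/newroot/initrd"
    # constructed sample, not real kernel output
    printf '/dev/ram0 / minix rw 0 0\n/dev/loop0 %s ext3 rw 0 0\n' "$tmp/newroot" > "$tmp/mounts"
    pivot_root_preflight "$tmp/newroot" initrd "$tmp/mounts" && echo "pivot_root prerequisites OK"
    echo "ramdisk for rc: $(free_ramdisk "$tmp/mounts")"
    rm -rf "$tmp"
}
demo
```

On a real system call `pivot_root_preflight /mnt/newroot initrd` from the initrd's shell (or from the rescue root, with the new root mounted) before running pivot_root; the exit status tells you which prerequisite is missing.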

jeffrice (Tux's lil' helper, Joined: 25 Jun 2003, Posts: 89, Location: New York, USA)
Posted: Sat May 29, 2004 2:28 pm

jeffrice wrote:
Now to get it to read my key off the USB drive...


Figured this out finally... my USB drive is vfat, and I had that fs as a module so the kernel was failing to load it. Putting it right in the kernel solved it.

J
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher Athlon-XP: 2.6.7-love8-ck5 +nptl

Gruffi (Apprentice, Joined: 15 Aug 2003, Posts: 209, Location: Antwerpen - Flanders - Belgium)
Posted: Sun May 30, 2004 5:48 pm

Thanks for your guide!! :D

In step "2c1) creating the ramdisk with devfs enabled in the kernel" I also had to tell the config file not to use GPG or I couldn't boot. (USEGPGKEY=0)

I suppose there is no way to load the keyboard driver before asking for the password? I don't have a qwerty keyboard.

I had a really, really, really hard time entering my password phrase!! :lol:
_________________
... and we will show Microsoft, that they cannot take whatever they want. And that Free Software is our software!

jeffrice (Tux's lil' helper, Joined: 25 Jun 2003, Posts: 89, Location: New York, USA)
Posted: Sun May 30, 2004 6:49 pm

Baron FrostFire wrote:
Thanks for your guide!! :D

In step "2c1) creating the ramdisk with devfs enabled in the kernel" I also had to tell the config file not to use GPG or I couldn't boot. (USEGPGKEY=0)

I suppose there is no way to load the keyboard driver before asking for the password? I don't have a qwerty keyboard.

I had a really, really, really hard time entering my password phrase!! :lol:


There is certainly a way! I use a dvorak keyboard and it takes me a long time to get my passphrase entered using qwerty!

In build_initrd.sh, set the option
Code:
LOADNATIONALKEYB=1


Then copy your keymap to /boot/default.kmap. Note that this file must not be zipped! So if you use the one in /usr/share/keymaps, unzip it! An easy way to get around this is to use dumpkeys after your layout is loaded.

Code:
dumpkeys > /boot/default.kmap


In fairness, I should point out that kswtch already said this, which I just noticed. Not trying to steal his/her thunder! ;)
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher Athlon-XP: 2.6.7-love8-ck5 +nptl
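Both kswtch's and Jeff's recipes end the same way: dumpkeys into /boot/default.kmap, set LOADNATIONALKEYB=1, rebuild the initrd. The one thing neither shows is a check that the file you staged is actually the plain-text keymap the initrd expects, which matters because a compressed file from /usr/share/keymaps leaves you typing your passphrase on the wrong layout with no useful error. The script below is an added example written for this thread, not code from loop-AES or from either poster; the function names and the constructed sample files in the demo are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or loop-AES): stage the keymap that
# build_initrd.sh loads when LOADNATIONALKEYB=1 and verify it before rebuilding
# the initrd. The file must be an uncompressed loadkeys(1) keymap; the ones
# under /usr/share/keymaps are gzip-compressed (magic bytes 1f 8b) and would
# silently leave you entering the passphrase on a qwerty layout.

keymap_is_usable() {
    f=$1
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    # first two bytes as hex; gzip files start with 1f 8b
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    [ "$magic" != "1f8b" ] || { echo "$f: gzip-compressed, uncompress it first" >&2; return 2; }
    # dumpkeys output starts with a 'keymaps' line followed by 'keycode' lines
    grep -Eq '^(keymaps|keycode) ' "$f" || { echo "$f: not a loadkeys keymap" >&2; return 3; }
    return 0
}

# Dump the layout that is active now (the one your passphrase was typed on)
# and check the result; DEST defaults to the path build_initrd.sh expects.
stage_keymap() {
    dest=${1:-/boot/default.kmap}
    dumpkeys > "$dest" || { echo "dumpkeys failed (needs a console, not an ssh session)" >&2; return 1; }
    keymap_is_usable "$dest"
}

# Demo on constructed files, so it runs without /boot or a console.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'keymaps 0-127\nkeycode 1 = Escape\nkeycode 2 = one exclam\n' > "$tmp/plain.kmap"
    printf '\037\213\010\000' > "$tmp/compressed.kmap"   # gzip header bytes only, constructed
    keymap_is_usable "$tmp/plain.kmap" && echo "plain.kmap: usable"
    keymap_is_usable "$tmp/compressed.kmap" || echo "compressed.kmap: rejected (status $?)"
    rm -rf "$tmp"
}
demo
```

In practice you would run `mount /boot && stage_keymap` from the console after your layout is loaded, then rebuild the initrd only if it exits 0.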

eigen (n00b, Joined: 31 May 2004, Posts: 2)
Posted: Mon May 31, 2004 1:02 am

Sorry to bog down this thread with a probably trivial question. But I have encountered the following problem. When I attempt to run sh build-initrd.sh (last step in 2c2) I receive one of the two following errors.

1.
Code:
tmp-c-4118.c: In function `main':
tmp-c-4118.c:331: warning: label `fail5' defined but not used
15+0 records in
15+0 records out
ioctl: LOOP_SET_FD: Device or resource busy

and the script fails. I am at a total loss as to how to work around this //edit figured it out.

2. Or sometimes the script returns "makefs.minix no such file or directory".
I understand (from the loop-aes readme) that there is a mkminix directory in util-linux but the included documentation did not help me with how to install or whatever needed to be done. This is now where I am stuck.

Any help would be appreciated (try to be explicit, linux user for approx. 3 days : ] )
I am using the following Kernel=2.6.5, with devfs not enabled


:?:

Gruffi (Apprentice, Joined: 15 Aug 2003, Posts: 209, Location: Antwerpen - Flanders - Belgium)
Posted: Mon May 31, 2004 10:10 am

Baron FrostFire wrote:
What happens if the filesystem gets corrupted? What happens if the system goes down unexpectedly? As far as i know when you encrypt something all it takes is 1 damaged bit to lose everything... Will only open files be lost or the entire partition?

Just for your information, this is what someone called "spider" replied to me on the security mailing list:
Quote:
To note here is that when you talk about encrypted filesystems, you are in fact talking about encrypted block devices. The filesystem resides inside the encrypted block, so any damage on the filesystem level will only damage files in the filesystem; it will not auto-corrupt the whole filesystem. (Unless you get severe damage to the filesystem, and that'd be just as bad with as without the encryption.)

True, encrypted devices are more sensitive to hardware errors, things like a loose cable, a faulty sector, will corrupt a block (Most encryptions are block ciphers based on 512 or larger blocks of data) which will then corrupt a bit more data than otherwise.

However, in practice this is less likely to be an issue, since if you care enough to encrypt your partitions, you already care enough to make regular backups in encrypted format, right? ;-)

_________________
... and we will show Microsoft, that they cannot take whatever they want. And that Free Software is our software!

Gruffi (Apprentice, Joined: 15 Aug 2003, Posts: 209, Location: Antwerpen - Flanders - Belgium)
Posted: Mon May 31, 2004 10:18 am

Is there a way to mount different partitions with the same password without having to type the password multiple times?
_________________
... and we will show Microsoft, that they cannot take whatever they want. And that Free Software is our software!

jeffrice (Tux's lil' helper, Joined: 25 Jun 2003, Posts: 89, Location: New York, USA)
Posted: Mon May 31, 2004 3:40 pm

eigen wrote:
2. Or sometimes the script returns "makefs.minix no such file or directory".


Did you remember to enable minix filesystems in your kernel? It may be complaining it can't find makefs.minix in /sbin.


Quote:
Any help would be appreciated (try to be explicit, linux user for approx. 3 days : ] )


Wow, you really like to hit the ground running, don't you!

J
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher Athlon-XP: 2.6.7-love8-ck5 +nptl

eigen (n00b, Joined: 31 May 2004, Posts: 2)
Posted: Mon May 31, 2004 6:16 pm

^^ jeffrice
You were right about mkfs.minix not being in /sbin, however I do have Minix fs support enabled. Could I get around this by using the included src code in util-linux,
specifically in either .. /util-linux/disk-utils or /util-linux/mk-minix-0.1?
The loop-aes readme alludes to this, stating
"build-initrd.sh script depends on having minix file
system support in the kernel and working mkfs.minix program binary.
Util-linux includes source for mkfs.minix if you don't have it and need to
build it yourself."
The included docs just don't seem to help me with installation. Any help would be appreciated

jeffrice (Tux's lil' helper, Joined: 25 Jun 2003, Posts: 89, Location: New York, USA)
Posted: Mon May 31, 2004 7:50 pm

Ah. Okay, first emerge util-linux. Then follow the instructions for patching and installing the components that loop-aes needs. Most of the components in the ebuild don't need patching, so I found it easier to emerge it and then download the source and patch mount and the couple other proggies that needed it.

J
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher Athlon-XP: 2.6.7-love8-ck5 +nptl

jeffrice (Tux's lil' helper, Joined: 25 Jun 2003, Posts: 89, Location: New York, USA)
Posted: Wed Jun 02, 2004 4:10 pm

In case anyone is looking for a good encryption system for Windows, Cross-Crypt is an open-source AES and Twofish-enabled system that will also easily use your GPG keys if GPG is installed. Encrypted containers are mounted as drives. A GUI is also available, although I don't think it supports GPG keys.

Jeff
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher Athlon-XP: 2.6.7-love8-ck5 +nptl

gaboonal (n00b, Joined: 05 Mar 2004, Posts: 49)
Posted: Thu Jun 03, 2004 7:50 pm

Is it possible to encrypt the /tmp partition in a similar way to the swap partition - a new random key is generated each time you boot?
My fstab entry for the swap partition is:
Code:
/dev/hda2               none            swap            sw,loop=/dev/loop7,encryption=AES256    0 0

Simply adding "loop=/dev/loop7,encryption=AES256" to my /tmp options doesn't work. It asks me for a password at start-up.

I do not have an encrypted root file system so encrypting it with a non-random key and then piping the password to losetup at start-up is not an option because the password file would not be encrypted. I already have an encrypted /home partition so typing two different very long passwords in would be annoying.

I suppose it would be possible to create a small encrypted partition with the passwords to my /home and /tmp partition on and then pipe the passwords to losetup from there. This seems like a good idea, especially since I am thinking of encrypting /var as well but I am not sure if this will work with the /etc/init.d/localmount script. Would I have to remove /home and /tmp from fstab, then change localmount to something like:
Code:
# Mount local file systems in /etc/fstab.
        ebegin "Mounting local filesystems"
        mount -at nocoda,nonfs,noproc,noncpfs,nosmbfs,noshm >/dev/null
        eend $? "Some local filesystem failed to mount"
cat /encryption/password-tmp.txt | losetup -p 0 -e AES256 -K /encryption/keyfile-tmp.gpg /dev/loop6 /dev/hda10
mount -o noatime,notail /dev/loop6 /tmp
cat /encryption/password-home.txt | losetup -p 0 -e AES256 -K /encryption/keyfile-home.gpg /dev/loop5 /dev/hda8
mount -o noatime,notail /dev/loop5 /home


Also is there a way to make it so you are asked for your password again if you type it in wrong instead of carrying on with the boot process? Asking for it again a maximum of 3 times would be useful.

Finally, for anyone who uses a multi-key gpg key file you will not be able to access your data from a KNOPPIX CD because it uses an older version of losetup. According to the loop-aes readme file, "Setting up multi-key gpg key-file and using that key-file with old single-key only aware losetup/mount programs is *dangerous*."
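Two of gaboonal's questions, a random-key /tmp and a bounded retry when the passphrase is mistyped, come down to a few lines of rc-style shell. The script below is an added example written for this thread; it is not code from loop-AES, from Gentoo's localmount script or from gaboonal. It reuses only the losetup flags already shown in the thread (-e, -p 0, and the device names /dev/hda10 and /dev/loop6 from the post above). The function names, the RUN variable (set to echo so the demo prints the privileged commands instead of running them) and the ext2 choice for /tmp are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, loop-AES or Gentoo's localmount).
# setup_random_tmp attaches /tmp's partition with a key generated at boot and
# never written to disk, so, as with encrypted swap, nothing in /tmp survives a
# reboot; the price (as Gruffi's reply notes) is a fresh mkfs at every boot.
# attach_with_retry re-runs an attach command up to N times, detaching the
# loop device after a failed attempt so the next try starts clean.
# RUN=echo is a demo/test aid of this example: it prints privileged commands.
RUN=${RUN:-}

setup_random_tmp() {
    dev=$1            # e.g. /dev/hda10
    loop=$2           # e.g. /dev/loop6
    mnt=${3:-/tmp}
    # 64 hex characters from the kernel RNG, handed to losetup on fd 0 (-p 0);
    # the key lives only in this shell's memory, never in a file
    key=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s\n' "$key" | $RUN losetup -e AES256 -p 0 "$loop" "$dev" || return 1
    # a fresh key means the old filesystem is unreadable: recreate it every boot
    $RUN mkfs -t ext2 -q "$loop" || { $RUN losetup -d "$loop"; return 1; }
    $RUN mount -o noatime,nosuid,nodev "$loop" "$mnt"
}

# attach_with_retry N LOOP CMD [ARGS...]: run CMD until it succeeds, at most N times
attach_with_retry() {
    tries=$1; loop=$2; shift 2
    n=1
    while [ "$n" -le "$tries" ]; do
        if "$@"; then return 0; fi
        echo "attempt $n of $tries failed" >&2
        $RUN losetup -d "$loop" 2>/dev/null   # drop the loop set up with a wrong key
        n=$((n + 1))
    done
    return 1
}

# Demo: with RUN=echo nothing privileged happens, the commands are just printed.
demo() {
    RUN=echo
    setup_random_tmp /dev/hda10 /dev/loop6 /tmp
    attach_with_retry 3 /dev/loop5 sh -c 'echo "(interactive losetup + mount of /home would run here)"; true'
}
demo
```

In a real boot script you would leave RUN unset, call `setup_random_tmp /dev/hda10 /dev/loop6 /tmp` after the root filesystem is writable, and wrap the interactive /home attach as `attach_with_retry 3 /dev/loop5 sh -c 'losetup -e AES256 /dev/loop5 /dev/hda8 && mount -o noatime,notail /dev/loop5 /home'`. With a random key the /tmp partition needs no entry in fstab at all, which also removes the password prompt gaboonal saw.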

Gruffi (Apprentice, Joined: 15 Aug 2003, Posts: 209, Location: Antwerpen - Flanders - Belgium)
Posted: Wed Jun 09, 2004 8:35 am

gaboonal wrote:
Is it possible to encrypt the /tmp partition in a similar way to the swap partition - a new random key is generated each time you boot?


I guess you would have to create a new filesystem on the /tmp device each time.
_________________
... and we will show Microsoft, that they cannot take whatever they want. And that Free Software is our software!

Gruffi (Apprentice, Joined: 15 Aug 2003, Posts: 209, Location: Antwerpen - Flanders - Belgium)
Posted: Wed Jun 09, 2004 8:45 am

How do I UNencrypt the filesystem?
Set up the loop device with the right password
Code:
losetup -e AES256 /dev/loop0 /dev/hda3

And then what "dd" command do I use?
_________________
... and we will show Microsoft, that they cannot take whatever they want. And that Free Software is our software!

gaboonal (n00b, Joined: 05 Mar 2004, Posts: 49)
Posted: Wed Jun 09, 2004 1:44 pm

I just thought I would mention that in the UK, "It remains a criminal offence under the Act (s.53), punishable with up to two years imprisonment, to fail to surrender an encryption key. The Act places the onus on the recipient of the notice to show why any encryption key cannot be surrendered." -http://hamiltons-solicitors.co.uk/archive-docs/combat-cybercrime2.htm

This is quite frightening because you are guilty until proven innocent. If you can't prove that you have genuinely lost your key then you are in trouble. IANAL but I think that if you were to encrypt your /tmp partition with a random key at each boot and your init scripts reflected this you would be OK.

Steganography seems the only viable solution to making sure that no one else will be able to read your data. StegFS is a steganographic file system for Linux - http://stegfs.sourceforge.net/ Unfortunately it does not have support for 2.4/2.6 kernels at this point in time. StegHide (in portage) is good for hiding individual files, especially for sending them over the internet.

angelacb (n00b, Joined: 31 Oct 2003, Posts: 50)
Posted: Sat Jun 12, 2004 4:28 am

Hi,

I'm experiencing a very weird problem. I've successfully encrypted my root, swap, etc...
I've been running this machine for 3 months already. I haven't experienced any problems. However, today I tried to extract a very large tar file. There are twelve 50 MB rar files within this huge tar file. There's also a checksum file that comes with the tar file, which validates all 12 of these large 50 MB rar files.
I've tried to extract these files many different times. Every time after I extracted these rar files from the huge tar file, I checked them with the checksum file. And every single time, it gives errors, but on different rar files.
The odd thing is, every time I extract from the tar file, different rar files get corrupted. Therefore, I want to know if this has anything to do with the encrypted file system, or if there is something I might have done that may cause this error.
Just for the record, I run reiserfs on the loopback device backed by /dev/sdaX.

Best Regards,
_________________
Love Linux, Love Life

markymarc (n00b, Joined: 04 Dec 2003, Posts: 39, Location: Denmark)
Posted: Sat Jun 12, 2004 10:11 am    Post subject: Re: Boot from USB

jeffrice wrote:
I'm having some trouble getting this to work from my USB drive. I put the pause in the build-initrd.sh script so that the USB hub and drive have a chance to initialize. But right after, I get the error

Code:
/dev/sda1 failed to mount as /lib


So... what do I do? The message from the USB modules says it found my USB drive at sda1 and of course it is working because I boot from the USB up to that point. Am I specifying the device that should be mounted as /lib wrongly? There isn't a great deal of error message to work with!

Jeff


I get the same error when I try to boot from USB. I followed the guide about gpg encryption. And it works fine when BOOTDEV in build-initrd.sh is /dev/discs/disc0/part1 and boot is on the hard drive. But when I put my boot partition on my USB and set BOOTDEV to /dev/discs/disc1/part1, I get the same error as Jeff. Have tried the same as Jeff with pause, no help.

PLS HELP

hulk2nd (Guru, Joined: 25 Mar 2003, Posts: 512, Location: Freiburg, Germany)
Posted: Sat Jun 12, 2004 11:55 am

jeffrice wrote:
jeffrice wrote:
Now to get it to read my key off the USB drive...


Figured this out finally... my USB drive is vfat, and I had that fs as a module so the kernel was failing to load it. Putting it right in the kernel solved it.

J

You have the fs of your USB drive in the kernel?
_________________
Linux: "Free as in free speech, not as in free beer"

markymarc (n00b, Joined: 04 Dec 2003, Posts: 39, Location: Denmark)
Posted: Sat Jun 12, 2004 2:53 pm

I have made my USB drive ext2. So yes, there is support for it in the kernel. Also, before I encrypted the root partition, I mounted the USB drive fine.

jeffrice (Tux's lil' helper, Joined: 25 Jun 2003, Posts: 89, Location: New York, USA)
Posted: Sat Jun 12, 2004 5:07 pm    Post subject: Re: Boot from USB

markymarc wrote:
I get the same error when I try to boot from USB. I followed the guide about gpg encryption. And it works fine when BOOTDEV in build-initrd.sh is /dev/discs/disc0/part1 and boot is on the hard drive. But when I put my boot partition on my USB and set BOOTDEV to /dev/discs/disc1/part1, I get the same error as Jeff. Have tried the same as Jeff with pause, no help.


Hmm, well my situation was a little different. First, I use Udev so the drive IDs are different. But my problem mostly was the fact that I had a fat32 USB drive but compiled vfat as a module. Once I put it in the kernel, everything was fine.

J
_________________
A computer is like an Old Testament god, with a lot of rules and no mercy. -Joseph Campbell
Kingfisher Athlon-XP: 2.6.7-love8-ck5 +nptl

Page 6 of 8. All times are GMT.