Gentoo Forums
[mini-HOWTO] Encrypting root file system with dm-crypt
veezi
Apprentice


Joined: 10 Nov 2003
Posts: 226

PostPosted: Sun Jun 27, 2004 11:09 pm    Post subject: [mini-HOWTO] Encrypting root file system with dm-crypt

There are probably many threads out there on how to encrypt your root file system. And I'm probably a n00b, but anyway, here is my mini-contribution. Make sure you back up your system first, and if you trash it (highly probable!) then don't blame me :)

Assumptions:
1. Kernel 2.6.6: disk driver built in, ext2/reiserfs filesystem drivers built in, device mapper/encryption modules dm-crypt/dm-mod built in, AES built in, ramdisk and initial ramdisk (initrd) support built in.
2. Boot partition on /dev/hda1, filesystem is ext2.
3. Root partition on /dev/hda2, filesystem is reiserfs.
4. You will be prompted for encryption passphrase at boot time.
5. You are using udev.
6. You are using grub boot loader.
7. You're logged in as root.

Requirements:
1. You'll need to emerge device-mapper:
Code:

emerge device-mapper

2. You'll need to download and install cryptsetup available at http://www.saout.de/misc/dm-crypt/:
Code:

tar jxvf cryptsetup-0.1.tar.bz2
cd cryptsetup-0.1
./configure
make && make install

Note: cryptsetup is now in portage. Just emerge cryptsetup instead of the above!

Creating initrd image:
Now we need to create our initrd; I'll call it myinitrd. It's a simple task once you've played around a bit with it. I highly recommend playing with initrds before you actually go and encrypt your root (last step in this mini-howto) :)

First create the image. I'm using a 4MB initrd but feel free to expand that if you need more, just remember to set the option in your kernel configuration for the maximum ramdisk size properly.
Code:

touch myinitrd
dd if=/dev/zero of=myinitrd bs=1024k count=4
losetup /dev/loop0 myinitrd
mke2fs /dev/loop0
mkdir /mnt/initrd
mount /dev/loop0 /mnt/initrd

Now populate the image with required directories and files:
Code:

cd /mnt/initrd
mkdir etc dev lib bin proc new
touch linuxrc
chmod +x linuxrc

linuxrc is where the action will be. It's a script file to be loaded by Linux on initial boot; more below.

Now you need to copy necessary files into bin and lib. For bin, copy the following from your current system:
Code:

/bin/sh
/bin/cat
/bin/mount
/bin/umount
/bin/mkdir
/bin/chroot
/usr/bin/cryptsetup
/sbin/pivot_root

For lib, you'll need to find out which lib files are needed by each of the binaries above. The way to do it is to run 'ldd' for each file above and copy the required libs over. Example:
Code:

ldd /bin/mount
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/libc.so.6 (0x4002e000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
cp /lib/libc.so.6 /mnt/initrd/lib/
cp /lib/ld-linux.so.2 /mnt/initrd/lib/

And so on for the rest of the binaries.

Now, we need to create necessary devices under dev directory:
Code:

mknod /mnt/initrd/dev/console c 5 1
mknod /mnt/initrd/dev/null c 1 3
mknod /mnt/initrd/dev/hda2 b 3 2
mknod /mnt/initrd/dev/tty c 4 0
mkdir /mnt/initrd/dev/mapper
mknod /mnt/initrd/dev/mapper/control c 10 63

Finally we need to create our linuxrc script. The script should set up dm-crypt and mount root on it, then start the real init of the system. Here it is:
Code:

#!/bin/sh
export PATH=/bin

# Get cmdline from proc
mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
umount /proc

# Mount real root and change to it (give mount the type explicitly:
# inside the initrd it cannot always guess the filesystem by itself)
cryptsetup create root /dev/hda2
mount -t reiserfs /dev/mapper/root /new
cd /new
mkdir initrd
pivot_root . initrd

# Start init and flush ram device (blockdev lives in /sbin, which is not
# on the PATH=/bin exported above, so call it by full path)
exec chroot . /bin/sh <<- EOF >dev/console 2>&1
umount initrd
rm -rf initrd
/sbin/blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF

Done with initrd. Test all bin files in it by chrooting and running them one by one. You should get no error messages about missing libraries:
Code:

chroot /mnt/initrd /bin/sh
/bin/chroot --help
/bin/mkdir --help
....

Unmount initrd and copy it over to /boot. Since I'm using bootsplash I've appended my bootsplash initrd to it. Note that you can still mount/unmount the image and play with it even after cat'ing the bootsplash image to it; mount knows its start and end.
Code:

umount /mnt/initrd
mount /boot
cat /boot/bootsplash-initrd >> myinitrd
cp myinitrd /boot/
umount /boot

Modifying fstab and grub.conf :
We need to modify /etc/fstab to point to our new root. Here's my new fstab:
Code:

/dev/mapper/root   /   reiserfs   noatime   0 1
/dev/hda1   /boot   ext2 noauto   0 0
/dev/hda4   none   swap   sw   0 0
none   /proc   proc   defaults   0 0
none   /dev/shm   tmpfs   defaults   0 0

And here's my new grub.conf:
Code:

default 1
timeout 5
splashimage=(hd0,0)/grub/splash.xpm.gz

title=Gentoo Linux (2.6.6)
        root (hd0,0)
        kernel (hd0,0)/vmlinuz-2.6.6 video=mtrr,vesa:1024x768 vga=0x317 splash=verbose root=/dev/ram0 rw init=/linuxrc
        initrd (hd0,0)/myinitrd


Encrypting the filesystem:
Now to encrypting the file system (make sure you have a backup!!!). How you encrypt it depends on you. Here I'm assuming you've enough space in hda3, and you've a Linux boot CD or Linux installed on another partition, and you've booted from that:
Code:

mkdir /mnt/partition2 /mnt/partition3
mount /dev/hda2 /mnt/partition2
mount /dev/hda3 /mnt/partition3
# -a keeps permissions, ownership, symlinks and dotfiles; "dir/." copies
# the whole tree, where "dir/*" would skip dotfiles
cp -a -v /mnt/partition2/. /mnt/partition3/
umount /mnt/partition2
cryptsetup create root /dev/hda2
# --> enter passphrase when prompted
mkreiserfs /dev/mapper/root
mount /dev/mapper/root /mnt/partition2
cp -a -v /mnt/partition3/. /mnt/partition2/

The above simply copies your current root to another partition, sets up an encrypted filesystem there (accessible through /dev/mapper/root from now on), and copies back files to it.

Next, we need to create necessary devices which will be needed at the initial phase of booting before the real system starts and udev takes over. It's important.
Code:

mknod /mnt/partition2/dev/console c 5 1
mknod /mnt/partition2/dev/null c 1 3

That's it! Unmount all.

Notes:
1. If you can't find a bootable CD with all the ingredients in it to encrypt your root, no problem! Just change your grub.conf line above to 'init=/bin/sh'. Now when you boot you'll get a nice little shell inside a ram disk that you can work from. Of course you'll need all the necessary tools in the initrd image (e.g. mkreiserfs, fdisk, etc.).

2. If you have the default gentoo behaviour of saving '/dev' at reboot and restoring it at boot, make sure that your '/dev/mapper' directory contains a 'root' entry with major 254 minor 0 (mknod /dev/mapper/root b 254 0) just before your last reboot into the new encrypted root. Otherwise, it'll fail at boot time.

3. If you're running a modular kernel, no problem! Add a modules directory to myinitrd, say '/mods'. Copy the modules you'll need to it. Copy 'insmod' and required libs to '/bin' and '/lib' and that's it. Just don't forget to modify 'linuxrc' to insert the modules before the 'cryptsetup' line. Example: 'insmod /mods/dm-mod.ko' .. and so on.


Reboot, and cross your fingers. :)


Last edited by veezi on Mon Oct 25, 2004 7:05 pm; edited 4 times in total
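The ldd-and-copy step in the howto above is where most broken initrds come from: one library missed and linuxrc dies before it can ask for the passphrase. As an added example (not veezi's code and not part of the original howto), here is a POSIX shell version of that step. It copies each binary plus every library ldd reports for it, keeps the libraries at their absolute paths (the loader path such as /lib/ld-linux.so.2 is baked into the binary, so a flat copy into lib/ only works when that already is the right directory), and includes a check that can be run without chrooting into the image. The demo at the bottom uses the running system's /bin/sh and a temporary directory as stand-ins for the binary list and /mnt/initrd.

```shell
#!/bin/sh
# Added example, not from the original post: populate an initrd tree with
# binaries and every shared library ldd reports for them.

# needed_libs BIN: print the absolute library paths BIN needs, one per line.
# ldd lines look like
#   linux-gate.so.1 =>  (0xffffe000)          (vDSO, no file to copy)
#   libc.so.6 => /lib/libc.so.6 (0x...)
#   /lib/ld-linux.so.2 (0x...)
# so we keep only fields that start with "/". A static binary, or a missing
# ldd, simply yields no lines.
needed_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# copy_with_libs DEST BIN...: copy each BIN and its libraries under DEST,
# preserving the absolute paths (DEST/bin/sh, DEST/lib/libc.so.6, ...).
copy_with_libs() {
    dest=$1; shift
    for bin in "$@"; do
        [ -e "$bin" ] || { echo "missing binary: $bin" >&2; return 1; }
        mkdir -p "$dest$(dirname "$bin")"
        cp -L "$bin" "$dest$bin"
        for lib in $(needed_libs "$bin"); do
            mkdir -p "$dest$(dirname "$lib")"
            # -L follows symlinks such as libc.so.6 -> libc-2.x.so so the
            # real file lands in the image
            [ -e "$dest$lib" ] || cp -L "$lib" "$dest$lib"
        done
    done
}

# verify_tree DEST BIN...: re-run ldd on each BIN and confirm every library
# it needs is present under DEST. Returns non-zero and lists the gaps if not.
# Cheaper than chrooting in and running each command by hand, and works as
# a normal user.
verify_tree() {
    dest=$1; shift; missing=0
    for bin in "$@"; do
        for lib in $(needed_libs "$bin"); do
            [ -e "$dest$lib" ] || { echo "missing in $dest: $lib" >&2; missing=$((missing + 1)); }
        done
    done
    [ "$missing" -eq 0 ]
}

# Demo on the running system: /bin/sh stands in for the howto's binary list
# and a temporary directory for the mounted /mnt/initrd image.
demo_tree=$(mktemp -d)
copy_with_libs "$demo_tree" /bin/sh && verify_tree "$demo_tree" /bin/sh \
    && echo "populated $demo_tree with /bin/sh and its libraries"
rm -rf "$demo_tree"
```

With the image mounted, the howto's list becomes one call: `copy_with_libs /mnt/initrd /bin/sh /bin/cat /bin/mount /bin/umount /bin/mkdir /bin/chroot /usr/bin/cryptsetup /sbin/pivot_root`, followed by `verify_tree` with the same arguments before unmounting. Preserving directories also matters for libraries outside /lib (chingo's cryptsetup pulls libgcrypt from /usr/lib further down this thread); the dynamic loader searches /lib and /usr/lib, not an arbitrary flat directory.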
GentooBox
Veteran


Joined: 22 Jun 2003
Posts: 1168
Location: Denmark

PostPosted: Sun Jun 27, 2004 11:52 pm

Nice guide :)
but you posted it the wrong place.
_________________
Encrypt, lock up everything and duct tape the rest
veezi
Apprentice


Joined: 10 Nov 2003
Posts: 226

PostPosted: Tue Jun 29, 2004 5:21 am

Why wrong place?! Encryption is security .. right? 8O
Souperman
Guru


Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

PostPosted: Wed Jun 30, 2004 1:39 pm

Indeed it is, but it's a howto, not a support question and thus belongs in Documentation, Tips and Tricks. I've reported it.

edit: hot damn! already moved! ;)
_________________
moo


Last edited by Souperman on Wed Jun 30, 2004 1:41 pm; edited 1 time in total
pjp
Administrator


Joined: 16 Apr 2002
Posts: 20048

PostPosted: Wed Jun 30, 2004 1:40 pm

vzeidat wrote:
Why wrong place?! Encryption is security .. right? 8O
Encryption is security related, but the Documentation, Tips & Tricks forum is for "howtos" and other similar documentation.


Moved from Networking & Security.
_________________
Quis separabit? Quo animo?
chadders
Tux's lil' helper


Joined: 21 Jan 2003
Posts: 113

PostPosted: Wed Jun 30, 2004 4:22 pm

Vzeidat I am glad you posted your how to and thanks.

I like device mapper crypto a lot and have been using it for a while. I think it is better and cleaner than loop device driver based stuff (especially for encrypting the root file system).

Chadders :D
veezi
Apprentice


Joined: 10 Nov 2003
Posts: 226

PostPosted: Wed Jun 30, 2004 7:29 pm

No problem. Glad I could help.

I made some modifications (since I've written it without actually trying it :lol: )
- added '/bin/cat' to myinitrd
- added '/etc' to myinitrd
- added 'root=/dev/ram0 rw' to grub.conf line
- added '/dev/tty' to myinitrd
- added notes.


Cheers
rajl
Apprentice


Joined: 25 Sep 2002
Posts: 287

PostPosted: Fri Jul 09, 2004 2:44 pm

Can you post up how I could safely encrypt my swap using device-mapper? Also, what about people who have more than just a root partition?

For example: my /etc/fstab is:

Code:

/dev/hda1               /boot           ext2            noauto,noatime          1 1
/dev/hda4               /home           xfs             noatime                 0 0
/dev/hda2               none            swap            sw                      0 0
/dev/hda3               /               reiserfs        noatime                 0 0


I basically want to encrypt my root, home, and swap partitions. Will you please expand upon your guide?
_________________
-Rajl

-----------------------------------------------------------
It's easy to be brave once you consider the alternatives.
veezi
Apprentice


Joined: 10 Nov 2003
Posts: 226

PostPosted: Fri Jul 09, 2004 5:38 pm

I don't know much about encrypting swap. You may want to look around for an answer.

As for other partitions, well, if you can encrypt the root partition, then you can encrypt anything else :) . For the home partition, I just add the following to my '/etc/conf.d/local.start'
Code:

/usr/bin/cryptsetup create home /dev/whatever
/bin/mount /home

Of course, you'll need to have the corresponding entry in /etc/fstab:
Code:

/dev/mapper/home       /home        reiserfs       noatime,noauto       0 0

Notice that the home partition isn't accessed by the init boot scripts. That's why it's easy to leave it to the last stage (through local.start). If you have other partitions which need to be mounted earlier, you might want to mount them inside your linuxrc script.

Notice also the 'noauto' option in /etc/fstab. You'll need to have that in there to prevent the init scripts from automatically mounting those partitions.

Hope that helps,

Cheers,
chingo
n00b


Joined: 09 Jul 2004
Posts: 2
Location: Newcastle, UK

PostPosted: Fri Jul 09, 2004 8:12 pm

Thanks for the guide veezi, along with this RootCryptoraid guide it helped me get it all working great.

rajl, here's how I set it up with multiple partitions and encrypted swap. I had problems compiling cryptsetup-0.1 statically, which means it needs /usr mounted, so I set up all the devices with linuxrc first then copy them to /dev after pivot_root. When I get cryptsetup compiled statically, I'll change it to set up other partitions in the initscript rather than in linuxrc.

My key is encrypted on a usb flash drive, as described by mossmann in this thread, but I can't get the usb stick booting (yet) so /boot is left unencrypted on the hard drive, which has this layout:
Code:

/dev/hda1       /boot
/dev/hda2       /
/dev/hda3       /usr
/dev/hda5       /usr/local
/dev/hda6       /var
/dev/hda7       /var/tmp
/dev/hda8       /home
/dev/hda9       swap

I added the following to my initrd:

Directories:
Code:

bin dev/mapper lib/modules mnt/{root,usb} proc sbin usr/lib

Contents of initrd directories:
Code:

bin
cat chroot cryptsetup dmesg mount sh sleep umount

sbin
insmod losetup pivot_root rmmod

lib
ld-linux.so.2 libc.so.6 libdl.so.2 libm.so.6 libnsl.so.1 libpthread.so.0 librt.so.1

usr/lib
libgcrypt.so.11 libgpg-error.so.0 libpopt.so.0

dev
console hda hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 loop0 null random sda sda1 tty

dev/mapper
control

In dev add a device file for all your encrypted partitions, in my case hda1 to 9. I also need sda1 for the usb stick and loop0 to use losetup.

Add any modules you need to lib/modules (or wherever), in my case loop, sd_mod & usb_storage.

Here's my linuxrc, which mounts the loopback key on usb, and after checking the passphrase sets up the data partitions with that key (/dev/mapper/bootkey), and recreates swap with /dev/random. It just checks the passphrase by trying to mount root; if the passphrase is wrong then there'll be no mapped filesystem to mount.
Code:

#!/bin/sh

PATH=/bin:/sbin

dmesg -n 1

# halt on error: tear down whatever was set up so far, then sleep forever
stop_init () {
 cryptsetup remove bootkey 2>/dev/null
 losetup -d /dev/loop0 2>/dev/null
 umount -n /mnt/usb 2>/dev/null
 umount -n /mnt/root 2>/dev/null
 count=0
 while [ "$count" = 0 ]; do
  sleep 60
 done
}

mount -n -t proc none /proc 2>/dev/null
if [ ! -e "/proc/devices" ]; then
 echo "procfs not found, halting."
 stop_init
fi

CMDLINE=`cat /proc/cmdline`

echo "Loading modules..."
insmod /lib/modules/loop.ko
insmod /lib/modules/sd_mod.ko
insmod /lib/modules/usb-storage.ko

# give usb time to sort itself
sleep 4

# mount keyfile on usb device
mount -r -n -t ext2 /dev/sda1 /mnt/usb 2>/dev/null
if [ ! -e "/mnt/usb/keys/laptop_key" ]; then
 echo "Can't continue boot sequence, halting."
 stop_init
fi
losetup /dev/loop0 /mnt/usb/keys/laptop_key

# check passphrase: a wrong passphrase decrypts the key container to
# garbage, so rootfs will not contain a mountable filesystem
count=0
while [ "$count" -lt 3 ]; do
 cryptsetup create bootkey /dev/loop0 # prompts for passphrase
 cryptsetup -d /dev/mapper/bootkey create rootfs /dev/hda2
 mount -r -n -t ext2 /dev/mapper/rootfs /mnt/root 2>/dev/null
 if [ "$?" = 0 ]; then
  echo "Root mounted, preparing filesystems..."
  break
 else
  cryptsetup remove rootfs
  cryptsetup remove bootkey
  count=$((count + 1))
  if [ "$count" -ge 3 ]; then
   echo "Halting."
   stop_init
  fi
 fi
done

cryptsetup -d /dev/mapper/bootkey create usrfs /dev/hda3
cryptsetup -d /dev/mapper/bootkey create localfs /dev/hda5
cryptsetup -d /dev/mapper/bootkey create varfs /dev/hda6
cryptsetup -d /dev/mapper/bootkey create vartmpfs /dev/hda7
cryptsetup -d /dev/mapper/bootkey create homefs /dev/hda8
# swap gets a throwaway key read from /dev/urandom; the original line used
# /dev/random, which blocks until the entropy pool refills and can stall
# the boot for minutes on a freshly started box
cryptsetup -d /dev/urandom create swapfs /dev/hda9

echo "Unmounting usb storage..."
cryptsetup remove bootkey
losetup -d /dev/loop0
umount -n /mnt/usb

rmmod loop
rmmod usb-storage
rmmod sd_mod

umount -n /proc

echo "Switching to full system..."
cd /mnt/root
pivot_root . initrd
# double quotes so ${CMDLINE} is expanded here; in single quotes the inner
# shell would look it up itself and, since it is not exported, find nothing
exec chroot . /bin/sh -c "exec /sbin/init ${CMDLINE}" \
        <dev/console >dev/console 2>&1

As you can see initrd doesn't get unmounted yet, that means the devices created with cryptsetup in linuxrc can be copied from /initrd/dev/mapper/ to /dev/mapper/ proper once the main init starts.

After backing up the system, encrypting the partitions with my key from boot media and copying everything back over (I used a ramdisk with cryptsetup added), I mounted root then the other partitions and chrooted in to update fstab and grub.conf, add the initscript below to the boot runlevel, and create the /initrd partition (to mkdir it from linuxrc root has to be mounted rw).

fstab now looks like this:
Code:

/dev/hda1               /boot           ext2
/dev/mapper/rootfs      /               ext2
/dev/mapper/usrfs       /usr            ext2
/dev/mapper/localfs     /usr/local      ext2
/dev/mapper/varfs       /var            ext2
/dev/mapper/vartmpfs    /var/tmp        ext2
/dev/mapper/homefs      /home           ext2
/dev/mapper/swapfs      none            swap

relevant bit of grub.conf:
Code:

title=gentoo-2.6.7
root (hd0,0)
kernel /bzimage-2.6.7 root=/dev/ram0 init=/linuxrc
initrd /initrd

And the dm-crypt initscript I'm using:
Code:

#!/sbin/runscript

crypt_part="rootfs usrfs localfs varfs vartmpfs homefs swapfs"

start() {
 ebegin "Setting up encrypted filesystems"
 for i in $crypt_part; do
  if [ ! -e "/dev/mapper/${i}" ]; then
   cp -a /initrd/dev/mapper/${i} /dev/mapper/
  fi
 done
 
 einfo "Creating encrypted swap..."
 mkswap /dev/mapper/swapfs 1>/dev/null
 einfo "Unmounting initrd & flushing ram..."
 umount -n /initrd
 blockdev --flushbufs /dev/ram0
 eend $?
}

(edited the initscript, / doesn't need mounting rw there as /dev is on a different filesystem.. doh.)

The initscript has to be run before checkroot, which is the first thing run in the boot runlevel. /sbin/rc has a list of critical services which are run first regardless of depends etc... to get the dm-crypt script running first, create the file /etc/runlevels/boot/.critical and add the following line:
Code:

dm-crypt checkroot hostname modules checkfs localmount


And that's it. Woo-hoo! Now, if I can just get a usb stick to boot. :D
rajl
Apprentice


Joined: 25 Sep 2002
Posts: 287

PostPosted: Wed Jul 14, 2004 1:30 pm

Thanks for the help. Much appreciation. My gcc and xfree/xorg decided not to play nice this weekend (some stupid error involving the hardened toolchain that just won't fix) so I'll probably use this as a great excuse to encrypt my linux drive in the process.
_________________
-Rajl

-----------------------------------------------------------
It's easy to be brave once you consider the alternatives.
GroennDemon
n00b


Joined: 30 Aug 2003
Posts: 52
Location: Berlin, Germany

PostPosted: Sat Sep 18, 2004 10:10 am

Thank you for the very nice and useful howto.

Encryption of my root partition works without any problems, but /initrd doesn't get deleted.
I always get "rm: operation not permitted" error messages at startup.

Furthermore, encrypting my swap partition with /dev/random as keyfile doesn't seem to work - the call to cryptsetup takes ages to complete. Strangely, it exits after a few seconds when I hold down the Ctrl key...

Any help would be appreciated.
fbettag
n00b


Joined: 16 Jul 2004
Posts: 27
Location: Germany

PostPosted: Tue Sep 28, 2004 10:32 am

i have the problem that cryptsetup tells me

kackmaul ~ # cryptsetup create root /dev/hda3
Command failed: Invalid argument

if someone can tell me why :)

[edited] sorry i am so stupid and tried it from a rescue system without crypt-dm drivers! sorry [/edited]
_________________
If George W. Bush can reign over a whole country, what am i capable of?
Seather
Apprentice


Joined: 23 May 2003
Posts: 194
Location: South Africa

PostPosted: Wed Nov 24, 2004 10:30 am

When trying to run:
Code:
cryptsetup create data /dev/hdb1

I get the following after typing in the passphrase:
Code:
Command failed: Invalid argument

And this shows up in logs:
Code:
Nov 24 12:27:15 roxy kernel: device-mapper: error adding target to table

Anyone know why this might be?
chadders
Tux's lil' helper


Joined: 21 Jan 2003
Posts: 113

PostPosted: Wed Nov 24, 2004 3:02 pm

Hi

Do you have kernel Device Drivers -> Multi-device support (RAID and LVM) -> Device Mapper Support and Crypt Target Support enabled in your kernel?

Chadders :D
Seather
Apprentice


Joined: 23 May 2003
Posts: 194
Location: South Africa

PostPosted: Wed Nov 24, 2004 3:25 pm

Yes. Tried compiling them in stock or as modules.
Seather
Apprentice


Joined: 23 May 2003
Posts: 194
Location: South Africa

PostPosted: Wed Nov 24, 2004 6:54 pm

I have now tried on another gentoo box, the same versions of everything, the same procedure and exactly the same kernel configuration and it worked?
Seather
Apprentice


Joined: 23 May 2003
Posts: 194
Location: South Africa

PostPosted: Wed Nov 24, 2004 7:20 pm

Sorry, after checking, the commands work if I run it on my usb flash disk, /dev/sda but not on my standard ide drive /dev/hdb or its partition /dev/hdb1. Why would this be?
Seather
Apprentice


Joined: 23 May 2003
Posts: 194
Location: South Africa

PostPosted: Wed Nov 24, 2004 10:51 pm

I am going to kick myself

Apologies all round, for some reason didn't notice that the drive was mounted 20 times in a row!

Sorry, working perfectly now thank you
Seather
Apprentice


Joined: 23 May 2003
Posts: 194
Location: South Africa

PostPosted: Thu Nov 25, 2004 10:11 am

Once again me, I have done everything now, however, when I reboot, it does not ask for passphrase or anything, it just flashes the kernel messages past and at the end I get:

Code:
UDF-fs: No partition found(1)
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(1,0)


Any ideas what I might be able to try?

What I did try to do was copy /bin/sleep into myinitrd together with its libraries, and added "sleep 10" at various places in the linuxrc file to be able to see what's happening, but it didn't take effect at all, so my guess is my initrd isn't read?

Update:

I changed from grub to lilo and now it boots and asks for my passphrase (just before this, it gives: warning: can't open /etc/fstab: No such file or directory, is this okay?). After entering my passphrase, it outputs some text about reiserfs, finding partition etc.

Then however, at "Checking root filesystem" it stops:

Code:
Failed to open the device '/dev/mapper/root': No such file or directory

Warning... fsck.reiserfs for device /dev/mapper/root exited with signal 6.
 * Filesystem couldn't be fixed :(

Give root password for maintenance
(or type Control-D for normal startup):


Where to go from here?

If I do type in my root password, and do a ls /dev/mapper/ it doesn't show the "root" entry, only "control"

However, when trying: cryptsetup status root, I do get:
Code:
/dev/mapper/root is active:
ross8653
n00b


Joined: 14 Jan 2004
Posts: 51

PostPosted: Fri Dec 10, 2004 9:20 pm

Thanks for the guide, I've been fighting with it for about a week now and don't know what next step to take.
Also I have suggestions for the guide and they might fix other people's problems:

1. When creating the initrd image I was a little confused since I never did much with loops. You should add a "cd /mnt" as the first step.
2. When I first copied files to the ram drive I just pasted your commands. But off the Gentoo live CD cryptsetup is located in "/bin/" instead of "/usr/bin" like you suggest.
3. When you "mknod /mnt/initrd/dev/hda2 b 3 2" you should say that if you are using another partition like hda3 the major/minor numbers are 3 3 (if that's true?).
4. Your grub kernel line wraps on my screen (either that or you hit enter) and when I copy/pasted I had problems.
5. When encrypting the FS, you should call cryptsetup with -y to verify that you got the password right. Typing the password once when setting it can cause problems with long complex passwords, or fat fingers.
6. When I compiled device mapper into the kernel and booted off the ram disk, /proc/devices lists device-mapper as a major of 253, not sure if that matters.

Well anyway, my problem is when I run cryptsetup I get
Code:
Command failed: Invalid argument

Now I got that error at first when I boot off the Gentoo live CD and try to encrypt the system; I found out that dm_crypt wasn't loaded so a quick modprobe fixed that. But I compiled everything needed in, I think, and on boot up I see device mapper is loaded
Code:
md: md driver 0.90.0 MAX_MD_DEVS=256, MD_SB_DISKS=27
device-mapper: 4.3.0-ioctl (2004-09-30) initialized: dm-devel@redhat.com

I know I have this problem because I set linuxrc to "exec /bin/sh" and I manually run the commands. I get the error above when I get to cryptsetup. I can also boot off the live CD, run modprobe dm_crypt, and then decrypt the device and chroot, so I know that works.

Here are the things that ARE set, I deleted the ones that weren't to save space
Code:
livecd linux # grep -i crypt /usr/src/linux/.config
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_AES_586=y

The kernel I'm using is linux-2.6.9-gentoo-r9
...so what should I look at?
westboy21
Tux's lil' helper


Joined: 10 Oct 2003
Posts: 135
Location: Raleigh, North Carolina

PostPosted: Wed Dec 15, 2004 2:29 am

I'm also getting a "command failed" error message. If I pass init=/bin/sh and manually type in the command
Code:
cryptsetup -v create root /dev/hda2

I get command failed: device mapper ioctl error. Don't quote me on exactness of this error message, I don't have it in front of me, but it was an ioctl error with the letters 254 in it. So I'm thinking this has to do with the major number of the control device. So, I booted into a live cd, and created a new control device which matched the major/minor numbers of the device created by the live cd. I then chrooted into the initrd drive, and ran cryptsetup. It worked perfect. Humm...

When I reboot with this setup, it fails. So I boot into the ram drive again, and
Code:
cat /proc/devices
I'm informed that device-mapper is 253,0. Humm... So I reboot into the live cd and re-run
Code:
mknod ./control c 253 0
. this time when I boot up I get the same error message about command failed. Also if I chroot into the initrd from the live cd with this new control device 253,0 I get a command failed error as well.

So .... I know this error message is due to the wrong /dev/mapper/control device. How do I fix this?

Anyone out there with great wisdom have any idea?
westboy21
Tux's lil' helper


Joined: 10 Oct 2003
Posts: 135
Location: Raleigh, North Carolina

PostPosted: Wed Dec 15, 2004 6:23 am

OK. I seem to have fixed my issue. The author might want to amend his howto and include the devmap_mknod.sh script in the /bin directory of the myinitrd ram drive. Not all systems use the same major and minor device numbers for the /dev/mapper/control device. I altered the linuxrc file and added a line to run this script before unmounting the proc.

I also had issues with an error message telling me that /dev/mapper/root couldn't be mounted, and that I had to specify the type of filesystem. I just altered the mount line in the linuxrc file to include the type.

I'm still getting the can't find fstab error. I assume I should just ignore this, since my system boots up ok despite that message.
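westboy21's fix works because /dev/mapper/control is a misc character device whose numbers are assigned by the running kernel and differ between builds; the "253" or "254" that shows up under device-mapper in /proc/devices is the block major of the mapped devices (/dev/mapper/root and friends), not the control node, which is why a control node made with that number still fails. As an added example (not the devmap_mknod.sh script shipped with device-mapper, and not code posted in this thread), here is a shell version of the same lookup: the misc major from /proc/devices, the device-mapper minor from /proc/misc, and a helper that creates the node inside a mounted initrd image. The sample /proc contents at the bottom are constructed from the numbers quoted in this thread so the parser can be run offline.

```shell
#!/bin/sh
# Added example, not from the original post: derive the major/minor numbers
# for /dev/mapper/control from the running kernel instead of hard-coding
# "c 10 63".

# dm_control_numbers [DEVICES_FILE] [MISC_FILE]: print "MAJOR MINOR".
# The control node is a misc character device: its major is the "misc"
# line in /proc/devices and its minor is the "device-mapper" line in
# /proc/misc. The file arguments exist so the parser can be pointed at
# saved copies; on a live system they default to the real /proc files.
dm_control_numbers() {
    devices=${1:-/proc/devices}
    misc=${2:-/proc/misc}
    major=$(awk '$2 == "misc" { print $1; exit }' "$devices")
    minor=$(awk '$2 == "device-mapper" { print $1; exit }' "$misc")
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo "device-mapper control device not registered (dm-mod not loaded?)" >&2
        return 1
    fi
    echo "$major $minor"
}

# make_dm_control ROOT: (re)create ROOT/dev/mapper/control with the numbers
# found above. ROOT is the mounted initrd image (e.g. /mnt/initrd), or ""
# for the running system. Needs root; not exercised by the demo below.
make_dm_control() {
    root=$1
    nums=$(dm_control_numbers) || return 1
    set -- $nums
    mkdir -p "$root/dev/mapper"
    rm -f "$root/dev/mapper/control"
    mknod "$root/dev/mapper/control" c "$1" "$2"
}

# Constructed sample /proc contents (numbers taken from this thread) so the
# parser can run offline; real files carry many more lines. Note the block
# "device-mapper" major (253) is deliberately present and must be ignored.
sample_dm_numbers() {
    d=$(mktemp -d)
    cat > "$d/devices" <<'EOF'
Character devices:
  1 mem
  4 tty
  5 /dev/tty
 10 misc

Block devices:
  3 ide0
253 device-mapper
EOF
    cat > "$d/misc" <<'EOF'
 63 device-mapper
135 rtc
EOF
    dm_control_numbers "$d/devices" "$d/misc"
    rc=$?
    rm -rf "$d"
    return $rc
}

sample_dm_numbers    # prints "10 63"
```

Run `make_dm_control /mnt/initrd` on the very kernel you will boot the image with, since a node copied from a live CD carries that CD's kernel's numbers; if dm-mod is a module it must be loaded before the lookup, which is also what a call to this at the top of linuxrc (after /proc is mounted and before cryptsetup) buys you at boot time.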
Lokheed
Veteran


Joined: 12 Jul 2004
Posts: 1295
Location: /usr/src/linux

PostPosted: Sun Dec 19, 2004 7:38 am

Added to wiki: http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt
benjamin.choi
n00b


Joined: 16 Dec 2004
Posts: 5

PostPosted: Mon Dec 20, 2004 5:37 am

If for some reason I damaged my system horribly such that it cannot boot (e.g. by setting default runlevel to 0), I often can repair it using a boot disk such as Knoppix or the Gentoo LiveCD. However, with an encrypted root partition, how can I access it to work on it? Any idea how to make a boot disk capable of reading/writing to my encrypted partition?
All times are GMT
Page 1 of 2