veezi Apprentice
Joined: 10 Nov 2003 Posts: 226
Posted: Sun Jun 27, 2004 11:09 pm Post subject: [mini-HOWTO] Encrypting root file system with dm-crypt
There are probably many threads out there on how to encrypt your root file system. And I'm probably a n00b, but anyway, here is my mini-contribution. Make sure you back up your system first, and if you trash it (highly probable!) then don't blame me.
Assumptions:
1. Kernel 2.6.6: disk driver built in, ext2/reiserfs filesystem drivers built in, device mapper/encryption modules dm-crypt/dm-mod built in, aes built in, ramdisk and initial ramdisk (initrd) built in.
2. Boot partition on /dev/hda1, filesystem is ext2.
3. Root partition on /dev/hda2, filesystem is reiserfs.
4. You will be prompted for encryption passphrase at boot time.
5. You are using udev.
6. You are using grub boot loader.
7. You're logged in as root.
Requirements:
1. You'll need to emerge device-mapper:
Code: |
emerge device-mapper
|
2. You'll need to download and install cryptsetup available at http://www.saout.de/misc/dm-crypt/:
Code: |
tar jxvf cryptsetup-0.1.tar.bz2
cd cryptsetup-0.1
./configure
make && make install
|
Note: cryptsetup is now in portage. Just emerge cryptsetup instead of the above!
Creating initrd image:
Now we need to create our initrd, I'll call it myinitrd. It's a simple task once you've played around a bit with it. I highly recommend playing with initrds before you actually go and encrypt your root (last step in this mini-howto).
First create the image. I'm using a 4MB initrd, but feel free to expand that if you need more; just remember to set the option in your kernel configuration for the maximum ramdisk size properly.
Code: |
touch myinitrd
dd if=/dev/zero of=myinitrd bs=1024k count=4
losetup /dev/loop0 myinitrd
mke2fs /dev/loop0
mkdir /mnt/initrd
mount /dev/loop0 /mnt/initrd
|
Now populate the image with required directories and files:
Code: |
cd /mnt/initrd
mkdir etc dev lib bin proc new
touch linuxrc
chmod +x linuxrc
|
linuxrc is where the action will be. It's a script file to be loaded by linux on initial boot, more below.
Now you need to copy necessary files into bin and lib. For bin, copy the following from your current system:
Code: |
/bin/sh
/bin/cat
/bin/mount
/bin/umount
/bin/mkdir
/bin/chroot
/usr/bin/cryptsetup
/sbin/pivot_root
|
For lib, you'll need to find out which lib files are needed by each of the binaries above. The way to do it is to run 'ldd' for each file above and copy the required libs over. Example:
Code: |
ldd /bin/mount
linux-gate.so.1 => (0xffffe000)
libc.so.6 => /lib/libc.so.6 (0x4002e000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
cp /lib/libc.so.6 /mnt/initrd/lib/
cp /lib/ld-linux.so.2 /mnt/initrd/lib/
|
And so on for the rest of the binaries.
Now, we need to create necessary devices under dev directory:
Code: |
mknod /mnt/initrd/dev/console c 5 1
mknod /mnt/initrd/dev/null c 1 3
mknod /mnt/initrd/dev/hda2 b 3 2
mknod /mnt/initrd/dev/tty c 4 0
mkdir /mnt/initrd/dev/mapper
mknod /mnt/initrd/dev/mapper/control c 10 63
|
Finally we need to create our linuxrc script. The script should set up dm-crypt and mount root on it, then start the real init of the system. Here it is:
Code: |
#!/bin/sh
export PATH=/bin
# Get cmdline from proc
mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
umount /proc
# Mount real root and change to it
cryptsetup create root /dev/hda2
mount /dev/mapper/root /new
cd /new
mkdir initrd
pivot_root . initrd
# Start init and flush ram device
exec chroot . /bin/sh <<- EOF >dev/console 2>&1
umount initrd
rm -rf initrd
blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF
|
Done with initrd. Test all bin files in it by chrooting and running them one by one. You should get no error messages about missing libraries:
Code: |
chroot /mnt/initrd /bin/sh
/bin/chroot --help
/bin/mkdir --help
....
|
Unmount initrd and copy it over to /boot. Since I'm using bootsplash I've appended my bootsplash initrd to it. Note that you can still mount/unmount the image and play with it even after cat'ing the bootsplash image to it. mount knows its start and end.
Code: |
umount /mnt/initrd
mount /boot
cat /boot/bootsplash-initrd >> myinitrd
cp myinitrd /boot/
umount /boot
|
Modifying fstab and grub.conf:
We need to modify /etc/fstab to point to our new root. Here's my new fstab:
Code: |
/dev/mapper/root / reiserfs noatime 0 1
/dev/hda1 /boot ext2 noauto 0 0
/dev/hda4 none swap sw 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
|
And here's my new grub.conf:
Code: |
default 1
timeout 5
splashimage=(hd0,0)/grub/splash.xpm.gz
title=Gentoo Linux (2.6.6)
root (hd0,0)
kernel (hd0,0)/vmlinuz-2.6.6 video=mtrr,vesa:1024x768 vga=0x317 splash=verbose root=/dev/ram0 rw init=/linuxrc
initrd (hd0,0)/myinitrd
|
Encrypting the filesystem:
Now to encrypting the file system (make sure you have a backup!!!). How you encrypt it depends on you. Here I'm assuming you've enough space in hda3, and you've a linux boot CD or linux installed on another partition, and you've booted from that:
Code: |
mkdir /mnt/partition2 /mnt/partition3
mount /dev/hda2 /mnt/partition2
mount /dev/hda3 /mnt/partition3
cp -r -p -v /mnt/partition2/* /mnt/partition3/
umount /mnt/partition2
cryptsetup create root /dev/hda2
# --> enter passphrase when prompted
mkreiserfs /dev/mapper/root
mount /dev/mapper/root /mnt/partition2
cp -r -p -v /mnt/partition3/* /mnt/partition2
|
The above simply copies your current root to another partition, sets up an encrypted filesystem there (accessible through /dev/mapper/root from now on), and copies back files to it.
Next, we need to create necessary devices which will be needed at the initial phase of booting before the real system starts and udev takes over. It's important.
Code: |
mknod /mnt/partition2/dev/console c 5 1
mknod /mnt/partition2/dev/null c 1 3
|
That's it! Unmount all.
Notes:
1. If you can't find a bootable CD with all ingredients in to encrypt your root, no problem! Just change your grub.conf line above to 'init=/bin/sh'. Now when you boot you'll get a nice little shell inside a ram disk that you can work from. Of course you'll need all necessary tools in the initrd image (e.g. mkreiserfs, fdisk, etc.).
2. If you have the default gentoo behaviour of saving '/dev' at reboot and restoring it at boot, make sure that your '/dev/mapper' directory contains a 'root' entry with major 254 minor 0 (mknod /dev/mapper/root b 254 0) just before your last reboot into the new encrypted root. Otherwise, it'll fail at boot time.
3. If you're running a modular kernel, no problem! Add a modules directory to myinitrd, say '/mod'. Copy the modules you'll need to it. Copy 'insmod' and required libs to '/bin' and '/lib' and that's it. Just don't forget to modify 'linuxrc' to insert the modules before the 'cryptsetup' line. Example, 'insmod /mods/dm-mod.ko' .. and so on.
Reboot, and cross your fingers.
Last edited by veezi on Mon Oct 25, 2004 7:05 pm; edited 4 times in total
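The ldd step in the howto above (run ldd on each binary, copy what it lists into lib) is easy to get wrong by hand, and a missing library only shows up as a failed boot inside the initrd. The following script is an added example, not code from veezi's post: it parses ldd output for absolute library paths and copies each binary together with its libraries into the staging tree mounted at /mnt/initrd, preserving their paths so a linuxrc with PATH=/bin finds them. The LDD override variable, the function names and the sample ldd lines are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): stage binaries and the shared
# libraries ldd reports for them into an initrd tree, preserving their paths.
# The ldd command is taken from $LDD (assumed override, defaults to ldd) so the
# parsing can be checked against captured ldd output.
LDD=${LDD:-ldd}

# Read ldd output on stdin and print only absolute library paths.
# "libc.so.6 => /lib/libc.so.6 (0x...)" yields /lib/libc.so.6;
# "/lib/ld-linux.so.2 (0x...)" (older ldd, no "=>") yields the loader path;
# the vDSO "linux-gate.so.1 => (0x...)" and "statically linked" are skipped.
ldd_lib_paths() {
    awk '/statically linked/ { next }
         /=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy one binary and every library it needs into the staging tree.
stage_binary() {   # $1: absolute path of binary   $2: staging root (e.g. /mnt/initrd)
    bin=$1; stage=$2
    mkdir -p "$stage$(dirname "$bin")"
    cp -p "$bin" "$stage$bin"
    for lib in $("$LDD" "$bin" | ldd_lib_paths); do
        mkdir -p "$stage$(dirname "$lib")"
        # a library shared by several binaries is copied only once
        [ -e "$stage$lib" ] || cp -p "$lib" "$stage$lib"
    done
}

# Stage a whole list: stage_initrd_tree /mnt/initrd /bin/sh /bin/mount ...
stage_initrd_tree() {
    stage=$1; shift
    for bin in "$@"; do
        stage_binary "$bin" "$stage"
    done
}

# Usage: sh stage_initrd.sh /mnt/initrd /bin/sh /bin/cat /bin/mount /bin/umount \
#            /bin/mkdir /bin/chroot /usr/bin/cryptsetup /sbin/pivot_root
if [ $# -ge 2 ]; then
    stage_initrd_tree "$@"
fi
```

After staging, the chroot test from the howto (chroot /mnt/initrd /bin/sh, then run each binary with --help) still applies; the script only removes the manual copying, not the verification.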
GentooBox Veteran
Joined: 22 Jun 2003 Posts: 1168 Location: Denmark
Posted: Sun Jun 27, 2004 11:52 pm
Nice guide
but you posted it in the wrong place.
veezi Apprentice
Joined: 10 Nov 2003 Posts: 226
Posted: Tue Jun 29, 2004 5:21 am
Why wrong place?! Encryption is security .. right?
Souperman Guru
Joined: 14 Jul 2003 Posts: 449 Location: Cape Town, South Africa
Posted: Wed Jun 30, 2004 1:39 pm
Indeed it is, but it's a howto, not a support question and thus belongs in Documentation, Tips and Tricks. I've reported it.
edit: hot damn! already moved!
Last edited by Souperman on Wed Jun 30, 2004 1:41 pm; edited 1 time in total
pjp Administrator
Joined: 16 Apr 2002 Posts: 20054
Posted: Wed Jun 30, 2004 1:40 pm
vzeidat wrote: "Why wrong place?! Encryption is security .. right?"
Encryption is security related, but the Documentation, Tips & Tricks forum is for "howtos" and other similar documentation.
Moved from Networking & Security.
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Wed Jun 30, 2004 4:22 pm
Vzeidat, I am glad you posted your howto, and thanks.
I like device mapper crypto a lot and have been using it for a while. I think it is better and cleaner than loop device driver based stuff (especially for encrypting the root file system).
Chadders
veezi Apprentice
Joined: 10 Nov 2003 Posts: 226
Posted: Wed Jun 30, 2004 7:29 pm
No problem. Glad I could help.
I made some modifications (since I'd written it without actually trying it):
- added '/bin/cat' to myinitrd
- added '/etc' to myinitrd
- added 'root=/dev/ram0 rw' to grub.conf line
- added '/dev/tty' to myinitrd
- added notes.
Cheers
rajl Apprentice
Joined: 25 Sep 2002 Posts: 287
Posted: Fri Jul 09, 2004 2:44 pm
Can you post up how I could safely encrypt my swap using device-mapper? Also, what about people who have more than just a root partition?
For example: my /etc/fstab is:
Code: |
/dev/hda1 /boot ext2 noauto,noatime 1 1
/dev/hda4 /home xfs noatime 0 0
/dev/hda2 none swap sw 0 0
/dev/hda3 / reiserfs noatime 0 0
|
I basically want to encrypt my root, home, and swap partitions. Will you please expand upon your guide?
veezi Apprentice
Joined: 10 Nov 2003 Posts: 226
Posted: Fri Jul 09, 2004 5:38 pm
I don't know much about encrypting swap. You may want to look around for an answer.
As for other partitions, well, if you can encrypt the root partition, then you can encrypt anything else. For the home partition, I just add the following to my '/etc/conf.d/local.start':
Code: |
/usr/bin/cryptsetup create home /dev/whatever
/bin/mount /home
|
Of course, you'll need to have the corresponding entry in /etc/fstab:
Code: |
/dev/mapper/home /home reiserfs noatime,noauto 0 0
|
Notice that the home partition isn't accessed by the init boot scripts. That's why it's easy to leave it to the last stage (through local.start). If you have other partitions which need to be mounted earlier, you might want to mount them inside your linuxrc script.
Notice also the 'noauto' option in /etc/fstab. You'll need to have that in there to prevent the init scripts from automatically mounting those partitions.
Hope that helps,
Cheers,
chingo n00b
Joined: 09 Jul 2004 Posts: 2 Location: Newcastle, UK
Posted: Fri Jul 09, 2004 8:12 pm
Thanks for the guide veezi, along with this RootCryptoraid guide it helped me get it all working great.
rajl, here's how I set it up with multiple partitions and encrypted swap. I had problems compiling cryptsetup-0.1 statically, which means it needs /usr mounted, so I set up all the devices with linuxrc first, then copy them to /dev after pivot_root. When I get cryptsetup compiled statically, I'll change it to set up the other partitions in the initscript rather than in linuxrc.
My key is encrypted on a usb flash drive, as described by mossmann in this thread, but I can't get the usb stick booting (yet) so /boot is left unencrypted on the hard drive, which has this layout:
Code: |
/dev/hda1 /boot
/dev/hda2 /
/dev/hda3 /usr
/dev/hda5 /usr/local
/dev/hda6 /var
/dev/hda7 /var/tmp
/dev/hda8 /home
/dev/hda9 swap
|
I added the following to my initrd:
Directories:
Code: |
bin dev/mapper lib/modules mnt/{root,usb} proc sbin usr/lib
|
Contents of initrd directories:
Code: |
bin
cat chroot cryptsetup dmesg mount sh sleep umount
sbin
insmod losetup pivot_root rmmod
lib
ld-linux.so.2 libc.so.6 libdl.so.2 libm.so.6 libnsl.so.1 libpthread.so.0 librt.so.1
usr/lib
libgcrypt.so.11 libgpg-error.so.0 libpopt.so.0
dev
console hda hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 loop0 null random sda sda1 tty
dev/mapper
control
|
In dev add a device file for all your encrypted partitions, in my case hda1 to 9. I also need sda1 for the usb stick and loop0 to use losetup.
Add any modules you need to lib/modules (or wherever), in my case loop, sd_mod & usb_storage.
Here's my linuxrc, which mounts the loopback key on usb, and after checking the passphrase sets up the data partitions with that key (/dev/mapper/bootkey), and recreates swap with /dev/random. It just checks the passphrase by trying to mount root; if the passphrase is wrong then there'll be no mapped filesystem to mount.
Code: |
#!/bin/sh
PATH=/bin:/sbin
dmesg -n 1
# halt on error
stop_init () {
cryptsetup remove bootkey 2>/dev/null
losetup -d /dev/loop0 2>/dev/null
umount -n /mnt/usb 2>/dev/null
umount -n /mnt/root 2>/dev/null
count=0
while [ "$count" = 0 ]; do
sleep 60
done
}
mount -n -t proc none /proc 2>/dev/null
if [ ! -e "/proc/devices" ]; then
echo "procfs not found, halting."
stop_init
fi
CMDLINE=`cat /proc/cmdline`
echo "Loading modules..."
insmod /lib/modules/loop.ko
insmod /lib/modules/sd_mod.ko
insmod /lib/modules/usb-storage.ko
# give usb time to sort itself
sleep 4
# mount keyfile on usb device
mount -r -n -t ext2 /dev/sda1 /mnt/usb 2>/dev/null
if [ ! -e "/mnt/usb/keys/laptop_key" ]; then
echo "Can't continue boot sequence, halting."
stop_init
fi
losetup /dev/loop0 /mnt/usb/keys/laptop_key
# check passphrase
count=0
while [ "$count" -lt 3 ]; do
cryptsetup create bootkey /dev/loop0 # prompts for passphrase
cryptsetup -d /dev/mapper/bootkey create rootfs /dev/hda2
mount -r -n -t ext2 /dev/mapper/rootfs /mnt/root 2>/dev/null
if [ "$?" = 0 ]; then
echo "Root mounted, preparing filesystems..."
break
else
cryptsetup remove rootfs
cryptsetup remove bootkey
count=$((count + 1))
if [ "$count" -ge 3 ]; then
echo "Halting."
stop_init
fi
fi
done
cryptsetup -d /dev/mapper/bootkey create usrfs /dev/hda3
cryptsetup -d /dev/mapper/bootkey create localfs /dev/hda5
cryptsetup -d /dev/mapper/bootkey create varfs /dev/hda6
cryptsetup -d /dev/mapper/bootkey create vartmpfs /dev/hda7
cryptsetup -d /dev/mapper/bootkey create homefs /dev/hda8
cryptsetup -d /dev/random create swapfs /dev/hda9
echo "Unmounting usb storage..."
cryptsetup remove bootkey
losetup -d /dev/loop0
umount -n /mnt/usb
rmmod loop.ko
rmmod usb-storage.ko
rmmod sd_mod.ko
umount -n /proc
echo "Switching to full system..."
cd /mnt/root
pivot_root . initrd
exec chroot . /bin/sh -c 'exec /sbin/init ${CMDLINE}' \
<dev/console >dev/console 2>&1
|
As you can see initrd doesn't get unmounted yet, that means the devices created with cryptsetup in linuxrc can be copied from /initrd/dev/mapper/ to /dev/mapper/ proper once the main init starts.
After backing up the system, encrypting the partitions with my key from boot media and copying everything back over (I used a ramdisk with cryptsetup added), I mounted root then the other partitions and chrooted in to update fstab and grub.conf, add the initscript below to the boot runlevel, and create the /initrd partition (to mkdir it from linuxrc root has to be mounted rw).
fstab now looks like this:
Code: |
/dev/hda1 /boot ext2
/dev/mapper/rootfs / ext2
/dev/mapper/usrfs /usr ext2
/dev/mapper/localfs /usr/local ext2
/dev/mapper/varfs /var ext2
/dev/mapper/vartmpfs /var/tmp ext2
/dev/mapper/homefs /home ext2
/dev/mapper/swapfs none swap
|
relevant bit of grub.conf:
Code: |
title=gentoo-2.6.7
root (hd0,0)
kernel /bzimage-2.6.7 root=/dev/ram0 init=/linuxrc
initrd /initrd
|
And the dm-crypt initscript I'm using:
Code: |
#!/sbin/runscript
crypt_part="rootfs usrfs localfs varfs vartmpfs homefs swapfs"
start() {
ebegin "Setting up encrypted filesystems"
for i in $crypt_part; do
if [ ! -e "/dev/mapper/${i}" ]; then
cp -a /initrd/dev/mapper/${i} /dev/mapper/
fi
done
einfo "Creating encrypted swap..."
mkswap /dev/mapper/swapfs 1>/dev/null
einfo "Unmounting initrd & flushing ram..."
umount -n /initrd
blockdev --flushbufs /dev/ram0
eend $?
}
|
(edited the initscript, / doesn't need mounting rw there as /dev is on a different filesystem.. doh.)
The initscript has to be run before checkroot, which is the first thing run in the boot runlevel. /sbin/rc has a list of critical services which are run first regardless of depends etc... to get the dm-crypt script running first, create the file /etc/runlevels/boot/.critical and add the following line:
Code: |
dm-crypt checkroot hostname modules checkfs localmount
|
And that's it. Woo-hoo! Now, if I can just get a usb stick to boot.
rajl Apprentice
Joined: 25 Sep 2002 Posts: 287
Posted: Wed Jul 14, 2004 1:30 pm
Thanks for the help. Much appreciated. My gcc and xfree/xorg decided not to play nice this weekend (some stupid error involving the hardened toolchain that just won't fix), so I'll probably use this as a great excuse to encrypt my linux drive in the process.
GroennDemon n00b
Joined: 30 Aug 2003 Posts: 52 Location: Berlin, Germany
Posted: Sat Sep 18, 2004 10:10 am
Thank you for the very nice and useful howto.
Encryption of my root partition works without any problems, but /initrd doesn't get deleted.
I always get "rm: operation not permitted" error messages at startup.
Furthermore, encrypting my swap partition with /dev/random as keyfile doesn't seem to work - the call to cryptsetup takes ages to complete. Strangely, it exits after a few seconds when I hold down the Ctrl key...
Any help would be appreciated.
fbettag n00b
Joined: 16 Jul 2004 Posts: 27 Location: Germany
Posted: Tue Sep 28, 2004 10:32 am
I have the problem that cryptsetup tells me
Code: |
kackmaul ~ # cryptsetup create root /dev/hda3
Command failed: Invalid argument
|
if someone can tell me why :)
[edited] sorry, I am so stupid and tried it from a rescue system without crypt-dm drivers! sorry [/edited]
Seather Apprentice
Joined: 23 May 2003 Posts: 194 Location: South Africa
Posted: Wed Nov 24, 2004 10:30 am
When trying to run:
Code: | cryptsetup create data /dev/hdb1 |
I get the following after typing in the passphrase:
Code: | Command failed: Invalid argument |
And this shows up in logs:
Code: | Nov 24 12:27:15 roxy kernel: device-mapper: error adding target to table |
Anyone know why this might be?
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Wed Nov 24, 2004 3:02 pm
Hi
Do you have kernel Device Drivers -> Multi-device support (RAID and LVM) -> Device Mapper Support and Crypt Target Support enabled in your kernel?
Chadders
Seather Apprentice
Joined: 23 May 2003 Posts: 194 Location: South Africa
Posted: Wed Nov 24, 2004 3:25 pm
Yes. Tried compiling them in stock or as modules.
Seather Apprentice
Joined: 23 May 2003 Posts: 194 Location: South Africa
Posted: Wed Nov 24, 2004 6:54 pm
I have now tried on another gentoo box, the same versions of everything, the same procedure and exactly the same kernel configuration, and it worked?
Seather Apprentice
Joined: 23 May 2003 Posts: 194 Location: South Africa
Posted: Wed Nov 24, 2004 7:20 pm
Sorry, after checking, the commands work if I run them on my usb flash disk, /dev/sda, but not on my standard ide drive /dev/hdb or its partition /dev/hdb1. Why would this be?
Seather Apprentice
Joined: 23 May 2003 Posts: 194 Location: South Africa
Posted: Wed Nov 24, 2004 10:51 pm
I am going to kick myself
Apologies all round, for some reason I didn't notice that the drive was mounted 20 times in a row!
Sorry, working perfectly now, thank you
Seather Apprentice
Joined: 23 May 2003 Posts: 194 Location: South Africa
Posted: Thu Nov 25, 2004 10:11 am
Once again me, I have done everything now, however, when I reboot, it does not ask for passphrase or anything, it just flashes the kernel messages past and at the end I get:
Code: | UDF-fs: No partition found(1)
Kernel panic - not syncing: VFS: Unable to mount root fs on unkown-block(1,0) |
Any ideas what I might be able to try?
What I did try to do was copy /bin/sleep into myinitrd together with its libraries, and add "sleep 10" at various places in the linuxrc file to be able to see what's happening, but it didn't take effect at all, so my guess is my initrd isn't read?
Update:
I changed from grub to lilo and now it boots and asks for my passphrase (just before this, it gives: warning: can't open /etc/fstab: No such file or directory, is this okay?). After entering my passphrase, it outputs some text about reiserfs, finding partition etc.
Then however, at "Checking root filesystem" it stops:
Code: | Failed to open the device '/dev/mapper/root': No such file or directory
Warning... fsck.reiserfs for device /dev/mapper/root exited with signal 6.
* Filesystem couldn't be fixed :(
Give root password for maintenance
(or type Control-D for normal startup): |
Where to go from here?
If I do type in my root password and do an ls /dev/mapper/, it doesn't show the "root" entry, only "control".
However, when trying: cryptsetup status root, I do get:
Code: | /dev/mapper/root is active: |
ross8653 n00b
Joined: 14 Jan 2004 Posts: 51
Posted: Fri Dec 10, 2004 9:20 pm
Thanks for the guide, I've been fighting with it for about a week now and don't know what next step to take.
Also I have suggestions for the guide, and they might fix other people's problems:
1. When creating the initrd image I was a little confused since I never did much with loops. You should add a "cd /mnt" as the first step.
2. When I first copied files to the ram drive I just pasted your commands. But off the gentoo live cd cryptsetup is located in "/bin/" instead of "/usr/bin" like you suggest.
3. When you "mknod /mnt/initrd/dev/hda2 b 3 2" you should say that if you are using another partition like hda3 the major/minor numbers are 3 3 (if that's true?).
4. Your grub kernel line wraps on my screen (either that or you hit enter) and when I copy/pasted I had problems.
5. When encrypting the FS, you should call cryptsetup with -y to verify that you got the password right. Typing the password once when setting it can cause problems with long complex passwords, or fat fingers.
6. When I compiled device mapper into the kernel and booted off the ram disk, /proc/devices lists device-mapper as a major of 253, not sure if that matters.
Well anyway, my problem is when I run cryptsetup I get
Code: | Command failed: Invalid argument |
Now I got that error at first when I booted off the gentoo live cd and tried to encrypt the system; I found out that dm_crypt wasn't loaded so a quick modprobe fixed that. But I compiled everything needed in, I think, and on boot up I see device mapper is loaded
Code: | md: md driver 0.90.0 MAX_MD_DEVS=256, MD_SB_DISKS=27
device-mapper:4.3.0-ioctl (2004-09-30 initialized: dm-devel@redhat.com |
I know I have this problem because I set linuxrc to "exec /bin/sh" and I manually run the commands. I get the error above when I get to cryptsetup. I can also boot off the live cd, run modprobe dm_crypt, and then decrypt the device and chroot, so I know that works.
Here are the things that ARE set, I deleted the ones that weren't to save space
Code: | livecd linux # grep -i crypt /usr/src/linux/.config
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_AES_586=y
|
the kernel I'm using is linux-2.6.9-gentoo-r9
...so what should I look at?
westboy21 Tux's lil' helper
Joined: 10 Oct 2003 Posts: 135 Location: Raleigh, North Carolina
Posted: Wed Dec 15, 2004 2:29 am
I'm also getting a "command failed" error message. If I pass init=/bin/sh and manually type in the command
Code: | cryptsetup -v create root /dev/hda2 |
I get command failed: device mapper ioctl error. Don't quote me on exactness of this error message, I don't have it in front of me, but it was an ioctl error with the letters 254 in it. So I'm thinking this has to do with the major number of the control device. So, I booted into a live cd, and created a new control device which matched the major/minor numbers of the device created by the live cd. I then chrooted into the initrd drive, and ran cryptsetup. It worked perfect. Humm...
When I reboot with this setup, it fails. So I boot into the ram drive again, and I'm informed that device-mapper is 253,0. Humm... So I reboot into the live cd and re-run Code: | mknod ./control c 253 0 |. This time when I boot up I get the same error message about command failed. Also if I chroot into the initrd from the live cd with this new control device 253,0 I get a command failed error as well.
So .... I know this error message is due to the wrong /dev/mapper/control device. How do I fix this?
Anyone out there with great wisdom have any idea?
westboy21 Tux's lil' helper
Joined: 10 Oct 2003 Posts: 135 Location: Raleigh, North Carolina
Posted: Wed Dec 15, 2004 6:23 am
OK. I seem to have fixed my issue. The author might want to amend his howto and include the devmap_mknod.sh script in the /bin directory of the myinitrd ram drive. Not all systems use the same major and minor device numbers for the /dev/mapper/control device. I altered the linuxrc file and added a line to run this script before unmounting the proc.
I also had issues with an error message telling me that /dev/mapper/root couldn't be mounted, and that I had to specify the type of filesystem. I just altered the mount line in the linuxrc file to include the type.
I'm still getting the can't find fstab error. I assume I should just ignore this, since my system boots up ok despite that message.
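The "Command failed" reports above (ross8653's major 253 in /proc/devices, westboy21's mismatched /dev/mapper/control) come from hard-coding device numbers that differ between kernels. The script below is an added example and not code from the thread or from the device-mapper project: it reads the numbers the running kernel actually uses, the way the devmap_mknod.sh script mentioned above does (the control node is a misc character device, so its major comes from the "misc" line in /proc/devices and its minor from the "device-mapper" line in /proc/misc; mapped devices like /dev/mapper/root use the block major listed for "device-mapper"), and prints the matching mknod commands. The file paths are parameters so the parsing can be checked against constructed copies of those files; the function names and the sample file contents are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread: derive device-mapper node numbers from the
# running kernel instead of hard-coding them into the initrd.
# Paths to /proc/devices and /proc/misc are parameters for testability.

misc_char_major() {   # $1: path to /proc/devices -> major of the "misc" char device
    awk '/^Character devices:/ { in_char = 1; next }
         /^Block devices:/ { in_char = 0 }
         in_char && $2 == "misc" { print $1; exit }' "$1"
}

dm_misc_minor() {     # $1: path to /proc/misc -> minor of the device-mapper control node
    awk '$2 == "device-mapper" { print $1; exit }' "$1"
}

dm_block_major() {    # $1: path to /proc/devices -> block major used for mapped devices
    awk '/^Block devices:/ { in_block = 1; next }
         in_block && $2 == "device-mapper" { print $1; exit }' "$1"
}

# Print the mknod commands for the control node and for one mapped device.
# $1: /dev/mapper dir  $2: /proc/devices  $3: /proc/misc  $4: mapping name  $5: its minor
# Returns 1 if any number is missing (dm-mod/dm-crypt not loaded or not built in).
dm_mknod_commands() {
    cmajor=$(misc_char_major "$2")
    cminor=$(dm_misc_minor "$3")
    bmajor=$(dm_block_major "$2")
    [ -n "$cmajor" ] && [ -n "$cminor" ] && [ -n "$bmajor" ] || return 1
    printf 'mknod %s/control c %s %s\n' "$1" "$cmajor" "$cminor"
    printf 'mknod %s/%s b %s %s\n' "$1" "$4" "$bmajor" "$5"
}

# Usage on a live system: sh dm_nodes.sh --print root 0
# (pipe the output to sh, or call it from linuxrc before the cryptsetup line).
if [ "${1:-}" = "--print" ]; then
    dm_mknod_commands /dev/mapper /proc/devices /proc/misc "${2:-root}" "${3:-0}"
fi
```

Because it reads /proc, it has to run after proc is mounted in linuxrc; an empty result means the device-mapper code is not present in the kernel that is running, which is the same root cause fbettag and ross8653 hit with a live cd that had not loaded dm_crypt.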
benjamin.choi n00b
Joined: 16 Dec 2004 Posts: 5
Posted: Mon Dec 20, 2004 5:37 am
If for some reason I damaged my system horribly such that it cannot boot (e.g. by setting the default runlevel to 0), I often can repair it using a boot disk such as Knoppix or the Gentoo LiveCD. However, with an encrypted root partition, how can I access it to work on it? Any idea how to make a boot disk capable of reading/writing to my encrypted partition?