Master One l33t
Joined: 25 Aug 2003 Posts: 754 Location: Austria
Posted: Sun Feb 20, 2005 2:00 pm Post subject: HOWTO: Use the new baselayout for filesystem-encryption
The latest (~x86) baselayout has fs-encryption included, which renders most of the existing guides & scripts for this purpose obsolete.
Here is a quick and dirty howto concerning swap-partition encryption:
Necessary kernel options:
Code:
Device Drivers -> Multi-device support (RAID and LVM) ->
[*] Multiple devices driver support (RAID and LVM)
<*> Device mapper support
<*> Crypt target support
Cryptographic options ->
<*> AES cipher algorithms (i586)
If you are running a "x86" system, you need to:
Code:
echo "=app-shells/bash-3.0-r8" >> /etc/portage/package.keywords
echo "=sys-apps/baselayout-1.11.9-r1" >> /etc/portage/package.keywords
echo "=sys-apps/sysvinit-2.86" >> /etc/portage/package.keywords
echo "=sys-libs/readline-5.0-r2" >> /etc/portage/package.keywords
Now get the necessary items:
Code:
emerge baselayout cryptsetup
After updating your config files (I always use dispatch-conf; take care not to simply overwrite your settings), edit /etc/conf.d/cryptfs to show
Code:
swap=crypt-swap
source='/dev/hda2'
(my swap is on hda2, so if you have it somewhere else, replace this properly)
At last, edit the line for the swap partition in your /etc/fstab to show
Code:
/dev/mapper/crypt-swap none swap sw 0 0
That's it! Reboot and have your swap encrypted.
(OT: Now I need help for making swsusp2 + encrypted swap possible, please see this thread)
EDIT1: Corrected typo in '/etc/confd/cryptfs'
_________________ Las torturas mentales de la CIA ("The CIA's mental tortures")
Last edited by Master One on Sun Feb 20, 2005 4:42 pm; edited 1 time in total
Cintra Advocate
Joined: 03 Apr 2004 Posts: 2111 Location: Norway
Posted: Sun Feb 20, 2005 3:36 pm
A quick additional question or two..
Does one need to emerge sha1 with its huge emacs dependency? Ref.
Code:
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
NB there's a small typo ref /etc/conf.d/cryptfs
Regards
Edit: Well, I went ahead regardless of sha1. Everything looked OK during bootup.
No news may be good news, but I'm looking for clear signs that all is well.
QtParted shows the partition type for hda5 as 'unknow', which I guess is a good sign.
And I see there is a /dev/mapper containing crypt-swap and control, so all is looking pretty good!
Code:
# cat /proc/swaps
Filename                Type        Size     Used  Priority
/dev/mapper/crypt-swap  partition   1044184  0     -1
_________________ "I am not bound to please thee with my answers" W.S.
Last edited by Cintra on Sun Feb 20, 2005 5:20 pm; edited 3 times in total
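The "clear signs that all is well" asked for in the post above can be checked mechanically rather than by eyeballing bootup. The script below is an added example; it is not part of the original thread and not Gentoo's cryptfs init script. It reads the swap=/source= lines of /etc/conf.d/cryptfs and a /proc/swaps dump and fails on the two things that matter: the dm-crypt mapper not being active, or the raw partition named as source being swapped on directly, which is the case where pages hit the disk unencrypted. The demo section at the bottom works on constructed sample files so it runs anywhere; the real invocation is shown in a comment.

```shell
#!/bin/sh
# Post-reboot verification for the encrypted-swap setup described in the HOWTO above.
# Added example, not part of the original thread or of Gentoo's cryptfs init script.
# It reads the swap=/source= lines of /etc/conf.d/cryptfs and a /proc/swaps dump and
# reports two failure modes: the dm-crypt mapper is not active, or the raw partition
# given as source is itself swapped on (pages would then hit the disk unencrypted).

# cryptfs_sources CONFIG: print every source=... value (quotes are optional in the file).
cryptfs_sources() {
    sed -n "s|^[[:space:]]*source=[\"']*\([^\"' ]*\).*|\1|p" "$1"
}

# cryptfs_swap_mappers CONFIG: print every swap=NAME value as /dev/mapper/NAME.
cryptfs_swap_mappers() {
    sed -n "s|^[[:space:]]*swap=[\"']*\([^\"' ]*\).*|/dev/mapper/\1|p" "$1"
}

# active_swaps SWAPSFILE: print the device column of /proc/swaps, header skipped.
active_swaps() {
    awk 'NR > 1 && NF >= 2 { print $1 }' "$1"
}

# swap_check CONFIG SWAPSFILE: return 0 only if every configured mapper is active
# and no raw source device appears in the active swap list.
swap_check() {
    rc=0
    for mapper in $(cryptfs_swap_mappers "$1"); do
        if active_swaps "$2" | grep -qxF "$mapper"; then
            echo "OK:   $mapper is active"
        else
            echo "FAIL: $mapper is configured in cryptfs but not in /proc/swaps"
            rc=1
        fi
    done
    for src in $(cryptfs_sources "$1"); do
        if active_swaps "$2" | grep -qxF "$src"; then
            echo "FAIL: raw partition $src is in use as plaintext swap"
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed sample data (not from a real machine). On a real box use:
#   swap_check /etc/conf.d/cryptfs /proc/swaps
demo=$(mktemp -d)
cat > "$demo/cryptfs" <<'EOF'
# /etc/conf.d/cryptfs
swap=crypt-swap
source='/dev/hda2'
EOF
cat > "$demo/swaps.ok" <<'EOF'
Filename                Type        Size     Used  Priority
/dev/mapper/crypt-swap  partition   1044184  0     -1
EOF
cat > "$demo/swaps.bad" <<'EOF'
Filename                Type        Size     Used  Priority
/dev/hda2               partition   1044184  0     -1
EOF
echo "--- expected to pass"; swap_check "$demo/cryptfs" "$demo/swaps.ok"
echo "--- expected to fail"; swap_check "$demo/cryptfs" "$demo/swaps.bad" || echo "(exit status 1)"
rm -rf "$demo"
```

A pass here only says the mapping is in place and the raw partition is not being used behind its back; it says nothing about the key, which for a swap section comes from /dev/urandom on every boot.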
Master One l33t
Joined: 25 Aug 2003 Posts: 754 Location: Austria
Posted: Sun Feb 20, 2005 4:48 pm
Cintra wrote:
    does one need to emerge sha1 with its huge emacs dependency? ref.
    Code: # If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
No, sha1 is not necessary at all, because on the one hand with 'sha1' the kernel crypto module is meant, not the sha1 package (I assume), and on the other hand the use of the '-d' option disables the '-h' option. This is what I could read on the homepage of cryptsetup; looks like it is a redundancy in the scripts.
Cintra wrote:
    NB there's a small typo ref /etc/conf.d/cryptfs
Thanks, it is already corrected (I was kind of in a hurry).
kimchi_sg Advocate
Joined: 26 Nov 2004 Posts: 2968
Posted: Sun Feb 20, 2005 4:50 pm
Looks good! Can we use this trick to encrypt non-swap partitions as well?
Master One l33t
Joined: 25 Aug 2003 Posts: 754 Location: Austria
Posted: Sun Feb 20, 2005 5:07 pm
Yes, just have a look into /etc/conf.d/cryptfs; it has examples for swap, /tmp and /home.
Morimando Guru
Joined: 14 Feb 2005 Posts: 339 Location: Germany
Posted: Sun Feb 20, 2005 6:53 pm
I think I shouldn't even consider doing that, since I just did a new Gentoo installation (running pure udev // emerge -C devfsd).
But does it work with encrypting
a) the whole disc
b) both discs
c) Reiser4 partitions..
?
Am I right in guessing that the answer is a clear "no"?
_________________ That young girl is one of the least benightedly unintelligent organic life forms it has been my profound lack of pleasure not to be able to avoid meeting.
-- Marvin
Master One l33t
Joined: 25 Aug 2003 Posts: 754 Location: Austria
Posted: Mon Feb 21, 2005 10:23 am
Morimando wrote:
    Think I shouldn't even consider doing that, since I just did a new Gentoo installation (running pure udev // emerge -C devfsd)
That has nothing to do with it at all; you can simply swap over to the new baselayout on your new installation as well, it will not cause any harm (as long as you don't blindly overwrite your config files). The new baselayout is really considered to be very stable, and also should get the "x86" status soon now, as I have read somewhere else (especially also due to the included wireless support).
Morimando wrote:
    But does it work with encrypting
    a) the whole disc
No, because for that you would have to use an initrd, if you also want to encrypt your / partition.
Morimando wrote:
    b) both discs
I don't understand that, but you can simply encrypt any other partitions on other hard discs using this method without problem.
Morimando wrote:
    c) Reiser4 partitions..
I didn't try it (I also use Reiser4), but I don't see why this encryption matter should depend on any filesystem type.
markandrew Apprentice
Joined: 04 Feb 2004 Posts: 176 Location: Manchester, UK
Posted: Mon Feb 21, 2005 11:37 pm
How does this work in practice, exactly? Do you have to specify a password, or enter the root password at some point during boot? Or am I misunderstanding how this works?
Teh Penguin D00d n00b
Joined: 31 Dec 2004 Posts: 35 Location: Tampa, FL
Posted: Tue Feb 22, 2005 3:24 am Post subject: Speed?
Curious... what's the speed hit taken for encrypting a FS?
Seems like as it hits large files, there's going to be a performance hit as it decrypts the file as it's loaded...
Master One l33t
Joined: 25 Aug 2003 Posts: 754 Location: Austria
Posted: Tue Feb 22, 2005 7:42 am
AES Help Page wrote:
    AES cipher algorithms (FIPS-197). AES uses the Rijndael algorithm.
    Rijndael appears to be consistently a very good performer in both hardware and software across a wide range of computing environments regardless of its use in feedback or non-feedback modes. Its key setup time is excellent, and its key agility is good. Rijndael's very low memory requirements make it very well suited for restricted-space environments, in which it also demonstrates excellent performance. Rijndael's operations are among the easiest to defend against power and timing attacks.
Since swap hardly gets used nowadays on decent machines, you will not see any difference in performance at all, and even with full swap action you should not see any noticeable speed hit.
Master One l33t
Joined: 25 Aug 2003 Posts: 754 Location: Austria
Posted: Tue Feb 22, 2005 7:50 am
markandrew wrote:
    how does this work in practice, exactly? do you have to specify a password, or enter the root password at some point during boot? Or am I misunderstanding how this works?
You can provide a key file if you want, but without it /dev/urandom gets used, and you will not have to enter a password during boot anyway. This encryption method has nothing to do with restricting access, but with having data stored encrypted on your hard drive, so it cannot get extracted by someone who is not able to start your computer (using a BIOS boot password), or who is not able to log in.
Cintra Advocate
Joined: 03 Apr 2004 Posts: 2111 Location: Norway
Posted: Tue Feb 22, 2005 9:50 am
Hi Master One,
Ref. my edited post above where I mentioned the swap partition having become type 'unknow' in QtParted.. cfdisk btw shows the partition type as Linux swap/Solaris, just like my other disk's swap partitions.
But I regularly use Acronis True Image on XP to back up both my disks, and find now that I am unable to back up the whole hda drive, because True Image doesn't recognize the encrypted partition.. I have to 'ignore' that partition, then the rest of the disk backs up OK.
I'm concerned of course about the day I HAVE to do a full disk restore rather than individual partitions, something I remember having had to do in the past, and now my chosen way of restoring as it goes so fast anyway.
My question: would you expect the partition type to be changed, as well as the contents encrypted, by the method in this thread?
Regards
j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Tue Feb 22, 2005 10:26 am
You are backing up the contents of a swap partition? Why? It is totally useless.
Cintra Advocate
Joined: 03 Apr 2004 Posts: 2111 Location: Norway
Posted: Tue Feb 22, 2005 11:36 am
j-m wrote:
    You are backing up the contents of swap partition? Why? It is totally useless.
Thank you, I am aware of that.. but backing up the whole disk does more than backing up individual partitions, as I understand it. I am trying to find out why/whether the partition type should change as it has, not whether or not I should back up the swap partition itself as such.
Regards
Master One l33t
Joined: 25 Aug 2003 Posts: 754 Location: Austria
Posted: Tue Feb 22, 2005 7:49 pm
I also can only suggest not to back up a swap partition. When I did my tests with swap encryption, I also could see that swsusp2 didn't find the swap id (or something like this) any more, so it may be possible that the partition type gets changed. But this really should not matter; I'd use another backup method (I don't like dual boot machines any more).
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
Posted: Tue Feb 22, 2005 11:06 pm
Cintra wrote:
    I am trying to find out why/whether the partition type should change as it has,
AFAIK the partition type, as set by fdisk, is a single byte stored in the partition table, whereas mkswap (which needs to be run before swapon) adds some kind of signature or whatever to the partition. But since your swap partition is encrypted, that signature can of course not be found when it's accessed without the correct device-mapper mapping.
Hope that helps.
Cintra Advocate
Joined: 03 Apr 2004 Posts: 2111 Location: Norway
Posted: Wed Feb 23, 2005 5:43 am
Thanks for your answers Master One and tuxophil.
Now I know the probable reason, I'll do a whole disk restore to make sure all goes well..
Ref. using another backup/restore method: my system is not just dual boot but quadruple+1,
and my current method is both simple to use and very fast when restoring complete disks.
Regards
chrism Guru
Joined: 15 Jul 2004 Posts: 526
Posted: Tue Mar 01, 2005 4:09 pm
Master One wrote:
    You can provide a key-file, if you want, but without it, /dev/urandom gets used, and you will not have to enter a password during boot anyway. This encryption method has nothing to do with restricting access, but to have data stored encrypted on your harddrive, so it can not get extracted by someone, who is not able to start your computer (using bios boot-passwd), or who is not able to login.
Assuming I use this method for encrypting my home partition.
What happens if someone is chrooting in, or if someone just stole your hard drive? Would he/she be able to gain access to the data stored on the hard drive?
Thanks,
Chris
Master One l33t
Joined: 25 Aug 2003 Posts: 754 Location: Austria
Posted: Tue Mar 01, 2005 4:21 pm
yellowhippy wrote:
    Master One wrote:
        You can provide a key-file, if you want, but without it, /dev/urandom gets used, and you will not have to enter a password during boot anyway. This encryption method has nothing to do with restricting access, but to have data stored encrypted on your harddrive, so it can not get extracted by someone, who is not able to start your computer (using bios boot-passwd), or who is not able to login.
    Assuming I use this method for encrypting my home partition.
    What happens if someone is chrooting in, or if someone just stole your hard drive? Would he/she be able to gain access to the data stored on the hard drive?
Ok, the info given before was not complete, because the examples in /etc/conf.d/cryptfs for partition encryption are only about swap and /tmp, which get formatted before they can be used by the script (and only that's why /dev/urandom can be used). Encryption of something like /home is mentioned to work with a loopback file this way, and of course you need a key for that. I am not a crypto expert, so if you are interested in encrypting whatever you need, you will have to dig deeper by yourself. If you only want to encrypt your swap or /tmp, using the new baselayout just works out of the box (I mounted /tmp in tmpfs, so I don't have a need to encrypt that).
chrism Guru
Joined: 15 Jul 2004 Posts: 526
Posted: Tue Mar 01, 2005 5:08 pm
Thanks a lot.
Chris
D1g1talS0ul n00b
Joined: 24 Feb 2004 Posts: 9 Location: whereis me
Posted: Wed Mar 02, 2005 12:10 am
This is the method I used to preserve a partition's contents across reboots and secure that data with a passphrase.
## fdisk output
/dev/hda6   2691   30515   223504281   83   Linux
## shred
shred -n1 -v /dev/hda6
Another tutorial recommended using shred to randomize the data.
## cryptsetup
cryptsetup -y -c aes -h sha1 create crypt-share /dev/hda6
cryptsetup will now ask for the passphrase.
## format
mkfs.ext3 /dev/mapper/crypt-share
## /etc/conf.d/cryptfs
mount=crypt-share
source='/dev/hda6'
## /etc/fstab
/dev/mapper/crypt-share   /var/share   ext3   noatime   0 0
Now when you boot, cryptfs will ask for the passphrase you entered when you ran cryptsetup.
christianbarth n00b
Joined: 10 Jun 2005 Posts: 2 Location: Karlsruhe- Germany
Posted: Fri Jun 10, 2005 8:13 pm Post subject: Problem: no swap after encryption
I tried to encrypt my swap, but something is still wrong. I added the described kernel options:
Code:
Device Drivers -> Multi-device support (RAID and LVM) ->
[*] Multiple devices driver support (RAID and LVM)
<*> Device mapper support
<*> Crypt target support
Cryptographic options ->
<*> AES cipher algorithms (i586)
Then I ran:
the output is:
Code:
Calculating dependencies ...done!
[ebuild R ] app-shells/bash-3.0-r11 -bashlogger -build -debug +nls 0 kB
Total size of downloads: 0 kB
Next I checked the baselayout:
Quote: emerge baselayout -av
the output is:
Code:
Calculating dependencies ...done!
[ebuild R ] sys-apps/baselayout-1.11.12-r4 -bootstrap -build -debug -static -unicode 0 kB
Total size of downloads: 0 kB
After that I checked sysvinit:
Quote: emerge sysvinit -av
the output is:
Code:
Calculating dependencies ...done!
[ebuild R ] sys-apps/sysvinit-2.86 -bootstrap -build -debug (-selinux) -static 0 kB
Total size of downloads: 0
Last I looked for readline:
Quote: emerge sys-libs/readline -av
the output is:
Code:
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild R ] sys-libs/readline-5.0-r2 0 kB
Total size of downloads: 0 kB
All the dependencies are newer than the required:
Quote:
echo "=app-shells/bash-3.0-r8" >> /etc/portage/package.keywords
echo "=sys-apps/baselayout-1.11.9-r1" >> /etc/portage/package.keywords
echo "=sys-apps/sysvinit-2.86" >> /etc/portage/package.keywords
echo "=sys-libs/readline-5.0-r2" >> /etc/portage/package.keywords
After checking the dependencies I emerged "cryptsetup":
Code:
Calculating dependencies ...done!
[ebuild R ] sys-fs/cryptsetup-0.1-r1 0 kB
Total size of downloads: 0 kB
Finally my /etc/conf.d/cryptfs:
Code:
cat /etc/conf.d/cryptfs
# /etc/conf.d/cryptfs
# $Header: /var/cvsroot/gentoo-x86/sys-fs/cryptsetup/files/cryptfs.confd,v 1.2 2005/05/21 06:10:25 vapier Exp $
# Note regarding the syntax of this file. This file is *almost* bash,
# but each line is evaluated separately. Separate swaps/mounts can be
# specified. The init-script which reads this file assumes that a
# swap= or mount= line starts a new section, similar to lilo or grub
# configuration.
# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly.
# See http://bugs.gentoo.org/90482 for more information.
# Swap partitions. These should come first so that no keys make their
# way into unencrypted swap.
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
# If no makefs is given then mkswap will be assumed
swap=cryptswap
source='/dev/hda2'
and the /etc/fstab:
Code:
cat /etc/fstab
# /etc/fstab: static file system information.
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/fstab,v 1.14 2003/10/13 20:03:38 azarah Exp $
#
# noatime turns off atimes for increased performance (atimes normally aren't
# needed; notail increases performance of ReiserFS (at the expense of storage
# efficiency). It's safe to drop the noatime options if you want and to
# switch between notail and tail freely.
# <fs> <mountpoint> <type> <opts> <dump/pass>
# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/hda1 /boot ext2 noauto,noatime 1 1
/dev/hda3 / xfs noatime 0 0
#/dev/hda2 none swap sw 0 0
/dev/mapper/cryptswap none swap sw 0 0
/dev/cdroms/cdrom0 /mnt/cdrom iso9660 noauto,ro,user 0 0
# NOTE: The next line is critical for boot!
none /proc proc defaults 0 0
# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for
# POSIX shared memory (shm_open, shm_unlink).
# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will
# use almost no memory if not populated with files)
# Adding the following line to /etc/fstab should take care of this:
none /dev/shm tmpfs defaults 0 0
(sorry for the bad formatting)
Finally I rebooted, but now if I
Quote:
cb-m300 ~ # cat /proc/swaps
cb-m300 ~ #
there is no swap.
Can someone please tell me what I did wrong?
Thx Christian
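Before going through boot messages, the two files posted above can be cross-checked statically. The script below is an added example; it is not part of the thread and not Gentoo's cryptfs init script. It parses /etc/conf.d/cryptfs the way the file's own header describes (one assignment per line, each swap= or mount= line starting a new section), requires a /dev/mapper/NAME line in /etc/fstab for every section, and warns when a swap section follows a mount section, because the header says swaps should come first so that no keys end up in still-unencrypted swap. Run on the config and fstab above it passes, so the demo also constructs a failing pair: an fstab that still carries the old mapper name, and a config with a mount= section ahead of swap=.

```shell
#!/bin/sh
# Static cross-check of /etc/conf.d/cryptfs against /etc/fstab.
# Added example, not part of the thread or of Gentoo's cryptfs init script.
# Parsing follows the config header: one assignment per line, and every
# swap=NAME or mount=NAME line opens a new section.

# cryptfs_check CRYPTFS FSTAB
# Return 0 when every section has a /dev/mapper/NAME line in fstab and all swap
# sections precede all mount sections; return 1 (one message per finding) otherwise.
cryptfs_check() {
    awk '
        BEGIN { rc = 0; seen_mount = 0 }
        # First file: collect section headers from the cryptfs config.
        FILENAME == ARGV[1] && /^[[:space:]]*(swap|mount)=/ {
            split($0, kv, "=")
            kind = kv[1]; sub(/^[[:space:]]+/, "", kind)
            name = kv[2]; gsub(/[^A-Za-z0-9._-]/, "", name)   # drop quotes and trailing blanks
            if (kind == "mount") seen_mount = 1
            else if (seen_mount) {
                print "WARN: swap=" name " (line " FNR ") comes after a mount section; list swaps first"
                rc = 1
            }
            want["/dev/mapper/" name] = kind
            next
        }
        # Second file: record the fs-spec column of every non-comment fstab line.
        FILENAME == ARGV[2] && !/^[[:space:]]*#/ && NF >= 2 { have[$1] = FNR }
        END {
            for (dev in want) {
                if (dev in have)
                    print "OK:   " want[dev] " " dev " is in fstab (line " have[dev] ")"
                else {
                    print "FAIL: " want[dev] " " dev " has no /etc/fstab entry"
                    rc = 1
                }
            }
            exit rc
        }' "$1" "$2"
}

# Demo on constructed sample files; the "good" pair mirrors the config posted above.
# On a real box: cryptfs_check /etc/conf.d/cryptfs /etc/fstab
demo=$(mktemp -d)
cat > "$demo/cryptfs.good" <<'EOF'
# If no makefs is given then mkswap will be assumed
swap=cryptswap
source='/dev/hda2'
EOF
cat > "$demo/fstab.good" <<'EOF'
/dev/hda3               /               xfs     noatime         0 0
#/dev/hda2              none            swap    sw              0 0
/dev/mapper/cryptswap   none            swap    sw              0 0
EOF
# Bad pair: fstab still names the mapper differently, and a mount= section precedes swap=.
cat > "$demo/cryptfs.bad" <<'EOF'
mount=crypt-share
source='/dev/hda6'
swap=cryptswap
source='/dev/hda2'
EOF
cat > "$demo/fstab.bad" <<'EOF'
/dev/mapper/crypt-swap  none            swap    sw              0 0
/dev/mapper/crypt-share /var/share      ext3    noatime         0 0
EOF
echo "--- good pair"; cryptfs_check "$demo/cryptfs.good" "$demo/fstab.good"
echo "--- bad pair";  cryptfs_check "$demo/cryptfs.bad"  "$demo/fstab.bad" || echo "(findings above; exit status 1)"
rm -rf "$demo"
```

A clean result only rules out a naming mismatch between the two files; whether the mapping actually came up at boot is what /proc/swaps and the init script's messages tell you.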
Master One l33t
Joined: 25 Aug 2003 Posts: 754 Location: Austria
Posted: Mon Jun 13, 2005 3:12 pm
Quite strange, everything you did seems to be ok. When you boot the machine, have a look at what messages it shows concerning the crypt-swap activation (if something goes wrong there, you should see the red [!!] sign).
"cat /proc/swaps" shows /dev/hda2 here; you can also use "swapon -s" to check.
curantil Tux's lil' helper
Joined: 28 Feb 2004 Posts: 102
Posted: Fri Jun 17, 2005 10:36 am
Is there a way to automatically answer the passphrase (for non-swap partitions)? I use an external hard disk and I only need it encrypted for when I carry it somewhere else. So it is not really a problem if the passphrase needs to be stored on the hard disk. But of course I would prefer it if it could be stored encrypted.