Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
HOWTO: Use the new baselayout for filesystem-encryption
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
Master One
l33t
l33t


Joined: 25 Aug 2003
Posts: 754
Location: Austria

PostPosted: Sun Feb 20, 2005 2:00 pm    Post subject: HOWTO: Use the new baselayout for filesystem-encryption Reply with quote

The latest (~x86) baselayout has fs-encryption included, which renders most of the existing guides & scripts for this purpose obsolet.

Here is a quick and dirty howto concerning swap-partition encryption:

Necessary kernel-options:

Code:
Device-Drivers -> Multi-device support (RAID and LVM) ->
        [*] Multiple devices driver support (RAID and LVM)
        <*>   Device mapper support
        <*>     Crypt target support

Cryptographic options ->
        <*>   AES cipher algorithms (i586)


If you are running a "x86" system, you need to:

Code:
echo "=app-shells/bash-3.0-r8" >> /etc/portage/package.keywords
echo "=sys-apps/baselayout-1.11.9-r1" >> /etc/portage/package.keywords
echo "=sys-apps/sysvinit-2.86" >> /etc/portage/package.keywords
echo "=sys-libs/readline-5.0-r2" >> /etc/portage/package.keywords


Now get the necessary items:

Code:
emerge baselayout cryptsetup


After updating your config-files (I always use dispatch-conf, take care not to simply overwrite your settings), edit /etc/conf.d/cryptfs to show

Code:
swap=crypt-swap
source='/dev/hda2'


(my swap is on hda2, so if you have it somewhere else, replace this properly)

At last edit the line for the swap-partition in your /etc/fstab to show

Code:
/dev/mapper/crypt-swap  none            swap            sw                      0 0


That's it! Reboot and have your swap encrypted.

(OT Now I need help for making swsusp2 + encrypted swap possible please see this thread)

EDIT1: Corrected typo in '/etc/confd/cryptfs'
_________________
Las torturas mentales de la CIA


Last edited by Master One on Sun Feb 20, 2005 4:42 pm; edited 1 time in total
Back to top
View user's profile Send private message
Cintra
Advocate
Advocate


Joined: 03 Apr 2004
Posts: 2111
Location: Norway

PostPosted: Sun Feb 20, 2005 3:36 pm    Post subject: Reply with quote

A quick additional question or 2..
Does one need to emerge sha1 with its huge emacs dependency? ref.
Code:
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom

NB there's a small typo ref /etc/conf.d/cryptfs

regards

Edit: Well I went ahead regardless of sha1. everything looked OK during bootup
No news may be good news, but I'm looking for clear signs that all is well.
Qtparted shows partition type for hda5 as 'unknow' which I guess is a good sign ;-)
And I see there is a /dev/mapper containing crypt-swap and control, so all is looking pretty good!
Code:
# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/crypt-swap                  partition       1044184 0       -1

_________________
"I am not bound to please thee with my answers" W.S.


Last edited by Cintra on Sun Feb 20, 2005 5:20 pm; edited 3 times in total
Back to top
View user's profile Send private message
Master One
l33t
l33t


Joined: 25 Aug 2003
Posts: 754
Location: Austria

PostPosted: Sun Feb 20, 2005 4:48 pm    Post subject: Reply with quote

Cintra wrote:
does one need to emerge sha1 with its huge emacs dependency? ref.
Code:
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom


No, sha1 is not necessary at all, because on one hand with 'sha1' the kernel crypto module is meant, not the sha1 package (I assume), and on the other hand the use of the '-d' options disables the '-h' option. This is what I could read on the homepage of cryptsetup, looks like it is a redundancy in the scripts.

Cintra wrote:
NB there's a small typo ref /etc/conf.d/cryptfs


Thank's, is already corrected (I was kind of in a hurry).
_________________
Las torturas mentales de la CIA
Back to top
View user's profile Send private message
kimchi_sg
Advocate
Advocate


Joined: 26 Nov 2004
Posts: 2968

PostPosted: Sun Feb 20, 2005 4:50 pm    Post subject: Reply with quote

Looks good! Can we use this trick to encrypt non-swap partitions as well? :-D
Back to top
View user's profile Send private message
Master One
l33t
l33t


Joined: 25 Aug 2003
Posts: 754
Location: Austria

PostPosted: Sun Feb 20, 2005 5:07 pm    Post subject: Reply with quote

Yes, just have a look into /etc/conf.d/cryptfs, it has examples for swap, /tmp and /home.
_________________
Las torturas mentales de la CIA
Back to top
View user's profile Send private message
Cintra
Advocate
Advocate


Joined: 03 Apr 2004
Posts: 2111
Location: Norway

PostPosted: Sun Feb 20, 2005 5:24 pm    Post subject: Reply with quote

Here is the cryptsetup home page and wiki
http://www.saout.de/tikiwiki/tiki-index.php
http://www.saout.de/misc/dm-crypt/
regards & thanks Master One
_________________
"I am not bound to please thee with my answers" W.S.
Back to top
View user's profile Send private message
Morimando
Guru
Guru


Joined: 14 Feb 2005
Posts: 339
Location: Germany

PostPosted: Sun Feb 20, 2005 6:53 pm    Post subject: Reply with quote

Think i shouldn't even consider doing that, since i just did a new Gentoo-installation (running pure udev // emerge -C devfsd ;) )
But does it work with encrypting
a) the whole disc
b) both discs
c) Reiser4 partitions..
?
am i right in guessing that the answer is a clear "no"?
_________________
That young girl is one of the least benightedly unintelligent organic life forms it has been my profound lack of pleasure not to be able to avoid meeting.
-- Marvin
Back to top
View user's profile Send private message
Master One
l33t
l33t


Joined: 25 Aug 2003
Posts: 754
Location: Austria

PostPosted: Mon Feb 21, 2005 10:23 am    Post subject: Reply with quote

Morimando wrote:
Think i shouldn't even consider doing that, since i just did a new Gentoo-installation (running pure udev // emerge -C devfsd ;) )

That has nothing to do with it at all, you can simply swap over to the new baselayout also on your new installation, it will not cause any harm (as long as you don't blindly overwrite your config files). The new baselayout is really considered to be very stable, and also should get the "x86" status soon now, as I have read somewhere else (especially also due to the included wireless support).

Morimando wrote:
But does it work with encrypting
a) the whole disc

No, because therefore you will have to use an initrd, if you also want to encrypt your / partition.

Morimando wrote:
b) both discs

Don't understand that, but you can simply encrypt any other partitions on other harddiscs using this method without problem.

Morimando wrote:
c) Reiser4 partitions..

I didn't try it (also I use Reiser4), but I don't see a point, why this encryption matter should depend on any filesystem-type.
_________________
Las torturas mentales de la CIA
Back to top
View user's profile Send private message
markandrew
Apprentice
Apprentice


Joined: 04 Feb 2004
Posts: 176
Location: Manchester, UK

PostPosted: Mon Feb 21, 2005 11:37 pm    Post subject: Reply with quote

how does this work in practice, exactly? do you have to specify a password, or enter the root password at some point during boot? Or am I misunderstanding how this works?
Back to top
View user's profile Send private message
Teh Penguin D00d
n00b
n00b


Joined: 31 Dec 2004
Posts: 35
Location: Tampa, FL

PostPosted: Tue Feb 22, 2005 3:24 am    Post subject: Speed? Reply with quote

Curious...what's the speed hit taken for encrypting FS?

Seems like as it hits large files, there's going to be a performance hit as it decrypts the file as it's loaded...
Back to top
View user's profile Send private message
Master One
l33t
l33t


Joined: 25 Aug 2003
Posts: 754
Location: Austria

PostPosted: Tue Feb 22, 2005 7:42 am    Post subject: Reply with quote

AES Help Page wrote:
AES cipher algorithms (FIPS-197). AES uses the Rijndael
algorithm.

Rijndael appears to be consistently a very good performer in
both hardware and software across a wide range of computing
environments regardless of its use in feedback or non-feedback
modes. Its key setup time is excellent, and its key agility is
good. Rijndael's very low memory requirements make it very well
suited for restricted-space environments, in which it also
demonstrates excellent performance. Rijndael's operations are
among the easiest to defend against power and timing attacks.

Since swap gets hardly used nowadays on decent machines, you will not see any difference in performance at all, and even with full swap action, you should not see any noteable speed hit.
_________________
Las torturas mentales de la CIA
Back to top
View user's profile Send private message
Master One
l33t
l33t


Joined: 25 Aug 2003
Posts: 754
Location: Austria

PostPosted: Tue Feb 22, 2005 7:50 am    Post subject: Reply with quote

markandrew wrote:
how does this work in practice, exactly? do you have to specify a password, or enter the root password at some point during boot? Or am I misunderstanding how this works?

You can provide a key-file, if you want, but without it, /dev/urandom gets used, and you will not have to enter a password during boot anyway. This encryption menthod has nothing to do with restricting access, but to have data stored encrypted on you harddrive, so it can not get extracted by someone, who is not able to start your computer (using bios boot-passwd), or who is not able to login.
_________________
Las torturas mentales de la CIA
Back to top
View user's profile Send private message
Cintra
Advocate
Advocate


Joined: 03 Apr 2004
Posts: 2111
Location: Norway

PostPosted: Tue Feb 22, 2005 9:50 am    Post subject: Reply with quote

Hei Master One

Ref my edited post above where I mentioned the swap partition having become type 'unknow' in Qtparted.. cfdisk btw shows the partition type as Linux swap/Solaris, just like my other disk's swap partitions.

But, I regularly use Acronis True Image on XP to backup both my disks, and find now that I am unable to backup the whole hda drive, because True Image doesn't recognize the encrypted partition.. I have to 'ignore' that partition, then the rest of the disk backs up OK.

I'm concerned of course about the day I HAVE to do a full disk Restore rather than individual partitions, something I remember having had to do in the past, and now my chosen way of restoring as it goes so fast anyway.

My question: would you expect the partition type to be changed, as well as the contents encrypted, by the method in this thread?

Mvh
_________________
"I am not bound to please thee with my answers" W.S.
Back to top
View user's profile Send private message
j-m
Retired Dev
Retired Dev


Joined: 31 Oct 2004
Posts: 975

PostPosted: Tue Feb 22, 2005 10:26 am    Post subject: Reply with quote

You are backing up the contents of swap partition? Why? It is totally useless. :?
Back to top
View user's profile Send private message
Cintra
Advocate
Advocate


Joined: 03 Apr 2004
Posts: 2111
Location: Norway

PostPosted: Tue Feb 22, 2005 11:36 am    Post subject: Reply with quote

j-m wrote:
You are backing up the contents of swap partition? Why? It is totally useless. :?
Thank you, I am aware of that.. but backing up the whole disk does more than backup individual partitions, as I understand it. I am trying to find out why/whether the partition type should change as it has, not whether or not I should backup the swap partition itself as such.
mvh
_________________
"I am not bound to please thee with my answers" W.S.
Back to top
View user's profile Send private message
Master One
l33t
l33t


Joined: 25 Aug 2003
Posts: 754
Location: Austria

PostPosted: Tue Feb 22, 2005 7:49 pm    Post subject: Reply with quote

I also only can suggest not to back up a swap partition. When I did my tests with swap encryption, I also could see, that swsusp2 didn't find the swap id (or something like this) any more, so it may be possible that the partition type gets changed. But this really should not matter, I'd use another backup method (I don't like dual boot machines no more).
_________________
Las torturas mentales de la CIA
Back to top
View user's profile Send private message
tuxophil
Tux's lil' helper
Tux's lil' helper


Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

PostPosted: Tue Feb 22, 2005 11:06 pm    Post subject: Reply with quote

Cintra wrote:
I am trying to find out why/whether the partition type should change as it has,

AFAIK the partition type, as set by fdisk, is a single byte stored in the partition table, whereas mkswap (which needs to be run before swapon) adds some kind of signature or whatever to the partition. But since your swap partition is encrypted, that signature can of course not be found when it's accessed without the correct device-mapper mapping.
Hope that helps.
Back to top
View user's profile Send private message
Cintra
Advocate
Advocate


Joined: 03 Apr 2004
Posts: 2111
Location: Norway

PostPosted: Wed Feb 23, 2005 5:43 am    Post subject: Reply with quote

Thanks for your answers Master One and tuxophil.
Now I know the probable reason, I'll do a whole disk restore to make sure all goes well..
ref. using another backup/restore method, my system is not just dual boot but quadruple+1
and my current method is both simple to use, and very fast when restoring complete disks ;-)
Mvh
_________________
"I am not bound to please thee with my answers" W.S.
Back to top
View user's profile Send private message
chrism
Guru
Guru


Joined: 15 Jul 2004
Posts: 526

PostPosted: Tue Mar 01, 2005 4:09 pm    Post subject: Reply with quote

Master One wrote:
You can provide a key-file, if you want, but without it, /dev/urandom gets used, and you will not have to enter a password during boot anyway. This encryption menthod has nothing to do with restricting access, but to have data stored encrypted on you harddrive, so it can not get extracted by someone, who is not able to start your computer (using bios boot-passwd), or who is not able to login.


Assuming I use this method for encrypting my home partition.
What happends if someone it chrooting in, or if someone just stole your hardrive? Would he/she be able to gain access to the data stored on the harddrive?

Thanks,

Chris
Back to top
View user's profile Send private message
Master One
l33t
l33t


Joined: 25 Aug 2003
Posts: 754
Location: Austria

PostPosted: Tue Mar 01, 2005 4:21 pm    Post subject: Reply with quote

yellowhippy wrote:
Master One wrote:
You can provide a key-file, if you want, but without it, /dev/urandom gets used, and you will not have to enter a password during boot anyway. This encryption menthod has nothing to do with restricting access, but to have data stored encrypted on you harddrive, so it can not get extracted by someone, who is not able to start your computer (using bios boot-passwd), or who is not able to login.

Assuming I use this method for encrypting my home partition.
What happends if someone it chrooting in, or if someone just stole your hardrive? Would he/she be able to gain access to the data stored on the harddrive?

Ok, the info given before was not complete, because the examples in /etc/conf.d/cyryptfs for partition-encryption are only about swap and /tmp, which get formated before they can be used by the script (and only that's why /dev/urandom can be used). Encryption of something like /home is mentioned to work with a loopback file this way, and of cource you need a key therefore. I am not a crypto-expert, so if you are interested in encrypting whatever you need, you will have to dig deeper by yourself. If you only want to encrypt your swap or /tmp, using the new baselayout just works out of the box (I mounted /tmp in tmpfs, so I don't have a need to encrypt that).
_________________
Las torturas mentales de la CIA
Back to top
View user's profile Send private message
chrism
Guru
Guru


Joined: 15 Jul 2004
Posts: 526

PostPosted: Tue Mar 01, 2005 5:08 pm    Post subject: Reply with quote

Thanks a lot.

Chris
Back to top
View user's profile Send private message
D1g1talS0ul
n00b
n00b


Joined: 24 Feb 2004
Posts: 9
Location: whereis me

PostPosted: Wed Mar 02, 2005 12:10 am    Post subject: Reply with quote

This is the method I used to preserve a partitions contents across reboots and secures that data with a passphrase.

## fdisk output
/dev/hda6 2691 30515 223504281 83 Linux

## shred
shred -n1 -v /dev/hda6

Another tutorial recommended using shred to randomize the data.

## cryptsetup
cryptsetup -y -c aes -h sha1 create crypt-share /dev/hda6

cryptsetup will now ask for the passphrase.

## format
mkfs.ext3 /dev/mapper/crypt-share

## /etc/conf.d/cryptfs
mount=crypt-share
source='/dev/hda6'

## /etc/fstab
/dev/mapper/crypt-share /var/share ext3 noatime 0 0

Now when you boot, cryptfs will ask for the passphrase you entered when you ran cryptsetup.
Back to top
View user's profile Send private message
christianbarth
n00b
n00b


Joined: 10 Jun 2005
Posts: 2
Location: Karlsruhe- Germany

PostPosted: Fri Jun 10, 2005 8:13 pm    Post subject: Problem: no swap after encryption Reply with quote

I tried to encrypt my swap, but something is still wrong. I added the descriped kernel-options:

Code:
Device-Drivers -> Multi-device support (RAID and LVM) ->
        [*] Multiple devices driver support (RAID and LVM)
        <*>   Device mapper support
        <*>     Crypt target support

Cryptographic options ->
        <*>   AES cipher algorithms (i586)

then I run:
Quote:
emerge bash -av

the output is:
Code:
 Calculating dependencies ...done!
[ebuild   R   ] app-shells/bash-3.0-r11  -bashlogger -build -debug +nls 0 kB

Total size of downloads: 0 kB


next I checked the baselayout:
Quote:
emerge baselayout -av

the output is:
Code:
Calculating dependencies ...done!
[ebuild   R   ] sys-apps/baselayout-1.11.12-r4  -bootstrap -build -debug -static -unicode 0 kB

Total size of downloads: 0 kB


after that I checkedsysvinit:
Quote:
emerge sysvinit -av

the output is:
Code:
Calculating dependencies ...done!
[ebuild   R   ] sys-apps/sysvinit-2.86  -bootstrap -build -debug (-selinux) -static 0 kB

Total size of downloads: 0


last I looked for readline
Quote:
emerge sys-libs/readlinet -av

the output is:
Code:
These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] sys-libs/readline-5.0-r2  0 kB

Total size of downloads: 0 kB


All the dependencys are newer than the required:

Quote:
echo "=app-shells/bash-3.0-r8" >> /etc/portage/package.keywords
echo "=sys-apps/baselayout-1.11.9-r1" >> /etc/portage/package.keywords
echo "=sys-apps/sysvinit-2.86" >> /etc/portage/package.keywords
echo "=sys-libs/readline-5.0-r2" >> /etc/portage/package.keywords


After checking the dependencys I emerge "cryptsetup"
Code:
Calculating dependencies ...done!
[ebuild   R   ] sys-fs/cryptsetup-0.1-r1  0 kB

Total size of downloads: 0 kB


Finally my /etc/conf.d/cryptfs:
Code:
cat /etc/conf.d/cryptfs
# /etc/conf.d/cryptfs
# $Header: /var/cvsroot/gentoo-x86/sys-fs/cryptsetup/files/cryptfs.confd,v 1.2 2005/05/21 06:10:25 vapier Exp $

# Note regarding the syntax of this file.  This file is *almost* bash,
# but each line is evaluated separately.  Separate swaps/mounts can be
# specified.  The init-script which reads this file assumes that a
# swap= or mount= line starts a new section, similar to lilo or grub
# configuration.

# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly.
# See http://bugs.gentoo.org/90482 for more information.

# Swap partitions. These should come first so that no keys make their
# way into unencrypted swap.
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
# If no makefs is given then mkswap will be assumed
swap=cryptswap
source='/dev/hda2'


and the /etc/fstab
Code:
cat /etc/fstab
# /etc/fstab: static file system information.
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/fstab,v 1.14 2003/10/13 20:03                                             :38 azarah Exp $
#
# noatime turns off atimes for increased performance (atimes normally aren't
# needed; notail increases performance of ReiserFS (at the expense of storage
# efficiency).  It's safe to drop the noatime options if you want and to
# switch between notail and tail freely.

# <fs>                  <mountpoint>    <type>          <opts>                 <                                             dump/pass>

# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/hda1               /boot           ext2            noauto,noatime         1                                              1
/dev/hda3               /                  xfs             noatime                    0                                              0
#/dev/hda2              none          swap            sw                           0                                              0
/dev/mapper/cryptswap   none    swap            sw                           0                                              0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro,user         0                                    0


# NOTE: The next line is critical for boot!
none                    /proc           proc            defaults               0                                              0

# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for
# POSIX shared memory (shm_open, shm_unlink).
# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will
#  use almost no memory if not populated with files)
# Adding the following line to /etc/fstab should take care of this:

none                    /dev/shm        tmpfs           defaults               0                                              0

(sorry for the bad formating)
Finnaly I rebooted, but now if I
Quote:
cb-m300 ~ # cat /proc/swaps
cb-m300 ~ #

there is no swap.
Can please someone tell me what I did wrong.

Thx Christian
Back to top
View user's profile Send private message
Master One
l33t
l33t


Joined: 25 Aug 2003
Posts: 754
Location: Austria

PostPosted: Mon Jun 13, 2005 3:12 pm    Post subject: Reply with quote

Quite strange, everthing you did seems to be ok. When you boot the machine, have a look what messages it shows concerning the crypt-swap-activation (if something goes wrong there, you should see the red [!!] sign).
"cat /proc/swaps" shows /dev/hda2 here, you can also use "swapon -s" to check.
_________________
Las torturas mentales de la CIA
Back to top
View user's profile Send private message
curantil
Tux's lil' helper
Tux's lil' helper


Joined: 28 Feb 2004
Posts: 102

PostPosted: Fri Jun 17, 2005 10:36 am    Post subject: Reply with quote

Is there a way to automaticly answer the passphrase (for non-swap-partitions)? I use a external-harddisk and I only need it encrypted for if I carry it to somewhere else. So it is not really a problem if the passfrase needs to be stored on hard-disk. But ofcourse I prefer if it could be stored encrypted.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum