turbobri n00b
Joined: 07 Oct 2002 Posts: 14
Posted: Mon Feb 03, 2003 3:12 pm

I think the problem might be my kernel. I set all the CONFIG options correctly, but I didn't do a "make clean" before recompiling. I will try recompiling and see if that makes a difference.
turbobri n00b
Joined: 07 Oct 2002 Posts: 14
Posted: Mon Feb 03, 2003 4:04 pm

Recompile had no effect. Just for reference, how far along into the boot process should it ask for the password?
I also went to the grub command line and typed each command in to see if grub was finding the kernel and initrd.gz; it seemed to be fine. I also saw no error messages during boot up until the kernel panic when it tries to find my root partition.
I am using ReiserFS for the boot and root partitions, but I don't think that should matter.
I guess I am stuck at this point with an unusable system. I will try to unencrypt it and start the process over. At least then we will know how to unencrypt your root partition if the need ever arises.
turbobri n00b
Joined: 07 Oct 2002 Posts: 14
Posted: Mon Feb 03, 2003 6:13 pm

Update: unencryption worked perfectly.
Just to recap how to unencrypt the root partition:
1) Boot Knoppix
2) losetup -e AES256 /dev/loop0 /dev/hda5 (or whatever your root is)
3) dd if=/dev/loop0 of=/dev/hda5 bs=64k conv=notrunc
You can do some extra steps in between if you want to double check:
2.5) mount /dev/loop0 /mnt/bla
2.6) ls /mnt/bla (you should see all your stuff)
2.7) umount /mnt/bla
I'll start the whole process over again and see if I can figure out where it went wrong.
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Mon Feb 03, 2003 6:57 pm

Here is part of my dmesg:
Code:
PCI: Found IRQ 9 for device 00:1f.4
PCI: Setting latency timer of device 00:1f.4 to 64
uhci.c: USB UHCI at I/O 0xd400, IRQ 9
usb.c: new USB bus registered, assigned bus number 2
hub.c: USB hub found
hub.c: 2 ports detected
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 4096 buckets, 32Kbytes
TCP: Hash tables configured (established 32768 bind 65536)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
ds: no socket drivers loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 1k freed
VFS: Mounted root (minix filesystem).
loop: loaded (max 8 devices)
IT ASKS FOR PASSPHRASE RIGHT HERE
read_super_block: can't find a reiserfs filesystem on (dev 07:05, block 64, size 1024)
read_super_block: can't find a reiserfs filesystem on (dev 07:05, block 8, size 1024)
XFS mounting filesystem loop(7,5)
VFS: Mounted root (xfs filesystem) readonly.
Trying to move old root to /initrd ... okay
Freeing unused kernel memory: 80k freed
SCSI subsystem driver Revision: 1.00
scsi0 : SCSI host adapter emulation for IDE ATAPI devices
Vendor: MITSUMI Model: CR-48X9TE Rev: 5.0D
Type: CD-ROM ANSI SCSI revision: 02
Attached scsi CD-ROM sr0 at scsi0, channel 0, id 0, lun 0
sr0: scsi3-mmc drive: 40x/40x writer cd/rw xa/form2 cdda tray
Uniform CD-ROM driver Revision: 3.12

If you know everything else is right then maybe it is the old losetup that you are using. Knoppix 3.1 works well.
losetup makes a key from the pass phrase. I think old ones are different. The losetup that the ram disk uses is the one that you made when you made util-linux as part of loop-AES. Can you use that one instead? It should work because it's static.
I can't get on anymore until after school (I'm at home sneaking on at lunch) so I can't answer anymore for a while.
Chad
turbobri n00b
Joined: 07 Oct 2002 Posts: 14
Posted: Mon Feb 03, 2003 9:19 pm

I am not seeing the RAMDISK: line during boot. It seems like it is not using the initrd.gz file at all.
BlackBart Apprentice
Joined: 07 Oct 2002 Posts: 252
Posted: Tue Feb 04, 2003 1:45 am

A couple of comments:
you forgot to gzip the manuals
also you don't technically need to install the tools, just copy the static losetup to the boot partition after you make the initrd.
Also you can install Gentoo from scratch onto an encrypted partition by booting from the Knoppix CD. I can write out directions if anyone wants.
Performance wise, compiling a bzImage was about 1.5% slower on an encrypted file system than unencrypted. Note that the partitions were on different parts of the disk and I had more stuff installed on the unencrypted fs, so it probably had greater fragmentation.
Another thing, does anybody know how to compile a static version of loadkeys that I can put in my boot partition so that it will load my keymap before the password prompt?
And yet another thing, in the loop-AES README FAQ they mention setting a random seed for the encryption; you mention nothing of this in your howto. Would it be more secure to use a random seed, how would I do this, do I need to reinstall?
-edit-
Also if you do this you should build USB in as a module so it doesn't bug you while you're typing in your password.
Leoric n00b
Joined: 27 May 2002 Posts: 8 Location: Oslo, Norway
Posted: Wed Feb 05, 2003 9:58 am Post subject: install gentoo from scratch onto an encrypted partition by b

I would really like the guide
BlackBart Apprentice
Joined: 07 Oct 2002 Posts: 252
Posted: Thu Feb 06, 2003 3:21 am Post subject: Re: install gentoo from scratch onto an encrypted partition

Leoric wrote: I would really like the guide

Ok, boot into Knoppix w/o the graphical
run losetup -e AES256 -T /dev/loop0 /dev/hda2 (or whatever is your root partition)
then do mke2fs /dev/loop0 (or whatever file system you want)
then mkdir /mnt/gentoo
and then mount /dev/loop0 /mnt/gentoo
and mkdir /mnt/gentoo/boot
and mount /dev/hda1 /mnt/gentoo/boot
then cd into /mnt/gentoo
and then extract whatever stage you want and proceed from there following the installation guide.
When you get to the kernel:
Quote: You HAVE to use CONFIG_MODULES=y, CONFIG_BLK_DEV_LOOP=n (y or m WON'T WORK), CONFIG_BLK_DEV_RAM=y, CONFIG_BLK_DEV_RAM_SIZE=4096, CONFIG_BLK_DEV_INITRD=y, CONFIG_MINIX_FS=y (this is because the ramdisk is minix), CONFIG_PROC_FS=y plus whatever FILESYSTEM YOUR ROOT IS HAS TO BE Y (modules won't work because the kernel can't get modules from the root file system until it knows how to read it and decrypt it when it is booting; other stuff can be modules if you want). Make sure that your new kernel works before going further.
and then do this
Quote:
patch -p1 <../util-linux-2.11y.diff
export CFLAGS=-O2
export LDFLAGS='-static -s'
./configure
make SUBDIRS="lib mount"
cd mount
install -m 4755 -o root mount umount /bin
install -m 755 losetup swapon /sbin
rm -f /sbin/swapoff && ( cd /sbin && ln -s swapon swapoff )
rm -f /usr/share/man/man8/{mount,umount,losetup,swapon,swapoff}.8.gz
install -m 644 mount.8 umount.8 losetup.8 /usr/share/man/man8
install -m 644 swapon.8 swapoff.8 /usr/share/man/man8
rm -f /usr/share/man/man5/fstab.5.gz
install -m 644 fstab.5 /usr/share/man/man5

but instead of the normal last step:
cp -p /lib/modules/`uname -r`/block/loop.o /boot/loop-NAMEOFTHEKERNELYOUWILLBEUSING.o
and then do these steps
In the loop-AES directory edit build-initrd.sh. Change BOOTDEV, BOOTTYPE, CRYPTROOT, ROOTTYPE and CIPHERTYPE to what you want. Then type sh build-initrd.sh. This makes a ramdisk so that the kernel knows how to get the pass phrase when you boot later.
Edit fstab to make your root say /dev/loop5 instead of /dev/hdawhatever.
cd to /boot/grub and edit grub.conf to add an entry like this:
title=Encrypted Root
root (hd0,0)
kernel /bzImage ro root=/dev/ram1
initrd /initrd.gz
then reboot; if it doesn't work you can boot from the Knoppix CD again, do losetup and mount your / partition and fix it.
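The kernel-option rules in the quoted block above are easy to get wrong by hand (the thread's first poster suspected exactly that). The following checker is an added example, not BlackBart's or loop-AES's code: it parses a 2.4-style .config (both `CONFIG_X=y` lines and `# CONFIG_X is not set` lines) and reports every rule from the quote that is violated; the root filesystem option name (CONFIG_REISERFS_FS here, assumed for the example) is passed in by the caller, and the sample config is constructed.

```python
"""Check a 2.4 kernel .config against the options the thread says an initrd +
loop-AES encrypted root needs. Added example, not BlackBart's or loop-AES's code."""
import re
import sys

# The thread's rules: loop must NOT be built in (the initrd loads the patched
# module), the ramdisk/initrd path must be built in, minix for the ramdisk,
# procfs, and a 4096 KiB ramdisk.
REQUIRED = {
    "CONFIG_MODULES": "y",
    "CONFIG_BLK_DEV_LOOP": "n",
    "CONFIG_BLK_DEV_RAM": "y",
    "CONFIG_BLK_DEV_RAM_SIZE": "4096",
    "CONFIG_BLK_DEV_INITRD": "y",
    "CONFIG_MINIX_FS": "y",
    "CONFIG_PROC_FS": "y",
}

_SET_RE = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")

# Constructed sample, not a real kernel config: three things are wrong in it.
SAMPLE_CONFIG = """\
CONFIG_MODULES=y
CONFIG_BLK_DEV_LOOP=m
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_INITRD=y
# CONFIG_MINIX_FS is not set
CONFIG_PROC_FS=y
CONFIG_REISERFS_FS=m
"""


def parse_config(text):
    """Map option name -> value; '# X is not set' lines read as 'n'."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            options[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            options[m.group(1)] = "n"
    return options


def check_config(text, root_fs_option):
    """Return the list of violated rules (empty when the config is acceptable).

    root_fs_option names the root filesystem (e.g. CONFIG_REISERFS_FS); it must be
    'y', because a module cannot be loaded from a root the kernel cannot yet decrypt.
    An option absent from the file counts as 'n'."""
    opts = parse_config(text)
    wanted = dict(REQUIRED, **{root_fs_option: "y"})
    return [f"{name}={opts.get(name, 'n')} (need {want})"
            for name, want in wanted.items()
            if opts.get(name, "n") != want]


if __name__ == "__main__":
    # Usage: python check_config.py [/usr/src/linux/.config] [CONFIG_<ROOTFS>_FS]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    rootfs = sys.argv[2] if len(sys.argv) > 2 else "CONFIG_REISERFS_FS"
    problems = check_config(text, rootfs)
    print("\n".join(problems) if problems else "config satisfies the thread's rules")
```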
turbobri n00b
Joined: 07 Oct 2002 Posts: 14
Posted: Fri Feb 07, 2003 5:35 pm

Ok, I tried installing a fresh Gentoo as BlackBart described and it worked perfectly, aside from a couple of minor errors.
He forgot the compiling of the patched loop module, after compiling the kernel:
Code:
cd /usr/src/loop-AES-v1.7b
make LINUX_SOURCE=/usr/src/linux-2.4.19-gentoo-r10   # or whatever version you have

Also note that this latest loop-AES source is looking for util-linux-2.11z, so make sure you get the right versions, then proceed as instructed.
Then when copying the module to /boot, `uname -r` will give you the currently running kernel from Knoppix, which is not the same one you compiled the module for, so:
Code:
cp -p /lib/modules/2.4.19-gentoo-r10/block/loop.o /boot/loop-2.4.19-gentoo-r10.o

The loop-AES README does mention stuff about creating a random seed, but it works fine without it. I think the seed is supposed to make it that much harder to brute force an attack, but since the seed would be easily available from the unencrypted boot partition, I don't really see the point. Although I am not an encryption guru so I may be misunderstanding.
Now I just have to figure out why my first attempt at converting an existing system didn't work. I think I am having some problems with GRUB and the initrd.gz file.
Also, has anyone gotten the swap encryption working? The instructions in the README make it seem simple, but how can one verify if it's working?
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Mon Feb 10, 2003 4:05 am

I use encrypted swap too. I did this to test it:
1) swapoff -a
2) changed fstab swap like it says in the loop-AES README
3) losetup -e AES256 /dev/loop0 /dev/hda(swap)
(typed a bunch of random keys for the passphrase)
4) dd if=/dev/hda(swap) of=/dev/loop0 bs=64k conv=notrunc
(this makes it initialized with random junk)
5) losetup -d /dev/loop0
6) swapon -a
7) od -xa /dev/hda(swap) | less
(if it still looks like random junk after a bunch of zeros at the start of the partition then I think it's working ok. I don't know why there is a bunch of zeros at the beginning)
Chad
sam974 n00b
Joined: 21 Jan 2003 Posts: 3
Posted: Mon Feb 10, 2003 1:01 pm

And what about crashes while running an encrypted root filesystem? I suppose people out there are usually setting up encrypted FS on laptops. So, a crash example may be: running out of battery.
Did you experience some corrupted FS? And more important, did you recover your data without any problem?
Thx for the post!
Sam.
kasper n00b
Joined: 22 Jul 2002 Posts: 55 Location: Montpellier
Posted: Tue Feb 11, 2003 2:06 pm

sam974 wrote: And what about crashes while running an encrypted root filesystem? I suppose people out there are usually setting up encrypted FS on laptops. So, a crash example may be: running out of battery.
Did you experience some corrupted FS? And more important, did you recover your data without any problem?

I'm thinking of installing this on my laptop but I'd like to know too if someone has tried to turn it off violently, make it crash, say, press Ctrl.Alt.PrtScr.B for example, and experienced a successful reboot w/o problems or not.
BTW, thanks all for those posts, really interesting
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Tue Feb 11, 2003 10:03 pm

I have turned off my computer a few times without shutting it down with an encrypted root. One time was during a kernel compile. It rebooted ok. Root was an XFS file system. I don't know if it would always reboot ok.
Chad
bryon Apprentice
Joined: 14 Feb 2003 Posts: 163
Posted: Fri Mar 07, 2003 3:14 pm Post subject: question about sending files

I was wondering what would happen if I turned my computer into an encrypted one, and say I wanted to send a file to a friend so that he could read it. Would all my friends be screwed and not be able to read files that I wanted them to?
6169 n00b
Joined: 08 Mar 2003 Posts: 7
Posted: Sat Mar 08, 2003 12:29 am Post subject: Re: question about sending files

bryon wrote: I was wondering what would happen if I turned my computer into an encrypted one, and say I wanted to send a file to a friend so that he could read it. Would all my friends be screwed and not be able to read files that I wanted them to?

No, the data in your filesystems would be encrypted, but is transparently decrypted as Linux or any of your applications access it, and encrypted again when it is written to disk. Hence your programs think they are dealing with unencrypted files, because they are, and your files would work fine on other computers.
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Mon Mar 10, 2003 2:54 pm

Main reason I encrypt root is to keep ANYONE (mostly my brother) from booting my computer. If you don't encrypt root then peeps can use Knoppix or other things to change the root password and to steal your files. EVEN IF THEY PUT YOUR DISK IN ANOTHER COMPUTER like at a computer shop they can't get anything!
With encrypted root NO ONE can take stuff or add stuff on your computer unless they find a way to break in when it is already running, and if you have a good firewall and don't run anything that you don't need and keep up to date on portage/emerge then that probably won't happen.
It works well. It's hardly any slower (I thought it would be lots slower but it's not) and it doesn't break even when the computer crashes because of no power.
Chad
bryon Apprentice
Joined: 14 Feb 2003 Posts: 163
Posted: Wed Mar 12, 2003 6:36 pm Post subject: bootable cd question

I tried booting from the Knoppix CD but once it tried to boot into K it got an error and stopped booting. But I have tried using cool linux before and it worked fine. Could I just use cool linux instead since it works? I am not really sure if it has loop-AES.
Quote: 4) The Knoppix (or Knoppix lite) CD from http://www.knoppix.net . Burn it to a CD and make sure you can boot from it. Knoppix is a great rescue system and I use it a lot to fix stuff when I mess up bad. Knoppix comes with loop-AES already on it so you don't need to make your own rescue system.
thehyperintelligentslug n00b
Joined: 30 Jun 2002 Posts: 49 Location: Edinburgh
sparks Guru
Joined: 05 Mar 2003 Posts: 331 Location: Nashville, TN
Posted: Thu Mar 13, 2003 9:46 pm

I followed chadders' instructions, well written by the way, and everything is great. As far as the performance goes I can see a small hit when playing videos, but that's about it. I rip DVDs to my hard drive so I can watch them when I travel without the disk. I was watching Office Space the other day and it got choppy in one or two places, but it was not unbearable. So, from my experience the file system takes a minimal performance hit that is only noticeable when performing a function that requires heavy disk access.
(I'm using XFS by the way)
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Sun Mar 16, 2003 12:14 am

Thanks
slickwheel n00b
Joined: 21 Mar 2003 Posts: 2
Posted: Fri Mar 21, 2003 2:32 am

I can't boot Knoppix on my laptop because it uses a PCMCIA CD-ROM drive. Does anyone know of a distro CD that includes the losetup with encryption that works well with laptops? Any help is greatly appreciated, I really want to encrypt my root partition.
-- slickwheel
m00re n00b
Joined: 17 Jun 2002 Posts: 65 Location: Germany
Posted: Sat Mar 22, 2003 5:48 pm

I too have problems getting the system to boot after the encryption.
I've set up everything as said and finally encrypted the partition (I can also mount it under Knoppix), but when I reboot to my Gentoo it always says it can't mount the root partition on 01:01.
The error looks like this: (sorry, the message is not copy-pasted, so the last line is not exactly the same as on my system, but the content is still the same *hmm, bad English*)
Code:
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
ds: no socket drivers loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 1k freed
VFS: failed to mount root partition on 01:01

And here are my configs:
build-initrd.sh
Code:
# normal /boot partition
BOOTDEV=/dev/hda1
# /boot partition type
BOOTTYPE=ext3
# encrypted root partition
CRYPTROOT=/dev/hda6
# root partition type
ROOTTYPE=ext3
# encryption type (AES128 / AES192 / AES256) of root partition
CIPHERTYPE=AES256

grub.conf
Code:
title=Gentoo Linux 1.4 Release Candidate 3
root (hd0,0)
kernel /gentoo-2.4.20 ro acpi=off root=/dev/ram1
initrd /initrd.gz

In fstab.conf, I only changed /dev/hda6 to /dev/loop5.
Maybe someone can help.
Greets, Jens
"Fall seven times, stand up eight."
easykill Apprentice
Joined: 07 Dec 2002 Posts: 230
Posted: Wed Mar 26, 2003 1:15 am

m00re wrote: I too have problems getting the system to boot after the encryption.
I've set up everything as said and finally encrypted the partition (I can also mount it under Knoppix), but when I reboot to my Gentoo it always says it can't mount the root partition on 01:01.
The error looks like this: (sorry, the message is not copy-pasted, so the last line is not exactly the same as on my system, but the content is still the same *hmm, bad English*)
Code:
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
ds: no socket drivers loaded!
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 1k freed
VFS: failed to mount root partition on 01:01

I had a similar problem; mainly it wouldn't find any sort of loop device... that wasn't getting loaded. It would complain about being unable to mount /dev/hdb1 on /lib (/dev/hdb1 is /boot for me...?) and I gave up before I hosed my system.
I ended up unencrypting, and re-encrypting with the instructions in the loop-AES README file (that way you get the seed as well), and I also recompiled my kernel to take out "Mount devfs at boot" (as I suspect that may not have been helping) before I re-encrypted, so I suggest trying those approaches. I would unencrypt, redo your kernel if you have devfs mounting at boot, and then either encrypt with these instructions or with the instructions in the loop-AES README.
So, I did eventually get it working... now to encrypt my other partitions.
I hope that made sense, I'm tired and on Percocet right now.
easykill Apprentice
Joined: 07 Dec 2002 Posts: 230
Posted: Wed Mar 26, 2003 1:35 am

I hate replying to myself, but here goes....
I'm on Percocet right now (as I mentioned before) and I am having issues figuring out how to encrypt my other partitions and have them mount without asking me for a password for EVERY partition that I want to have encrypted (ideally all).
Layout is as follows:
hda: windows stuff, ignore it
hdb1: /boot (DO NOT ENCRYPT THIS!)
hdb2: swap (already done, trivial)
hdb5: /home (I want to encrypt this)
hdb6: /usr/local (encrypt this as well)
hdb7: / (already encrypted)
I am at a loss right now because I can't think straight; anybody got a solution for me? I haven't found anything in the loop-AES README that is really helping much... I've thought of
losetup -e AES256 -T -S `cat /boot/seed.txt` /dev/loop1 /dev/hdb5
and then dd'ing the drive to the loop, and setting something or other up, but I'd like to encrypt those drives (preferably without data loss, although I can back it all up rather easily, I just would rather not) and I don't want to have to enter a password for each partition. I want them to "trust" the root decryption password I give on boot. One 20 character password is plenty on startup, thank you, heh
but then it wants a password, and I don't want to have to type my password in 3 times on boot.
Woody2143 n00b
Joined: 26 Mar 2003 Posts: 19 Location: Atlanta, GA
Posted: Wed Mar 26, 2003 7:13 am Post subject: If you are using devFS, read below!

First I wanted to say that I found this thread to be an excellent help when encrypting my root fs. Thanks guys.
A couple of points I wanted to post in the thread for anyone else who may run into the same problems I had.
1) Make sure to read the README and the comments in build-initrd.sh, and pay attention to the parts about using devFS (if you use devFS of course). I scratched my head for a couple of days until I learned to read. For those wanting to skip to the good stuff:
Set these options in build-initrd.sh
and
Then just make sure to update your grub.conf accordingly
Code:
title=Encrypted
root (hd0,0)
kernel /boot/bzImage-crypt root=/dev/ram0 init=/linuxrc
initrd /boot/initrd.gz

Note: init=/linuxrc, not init=/boot/linuxrc.
All of the above alone will end your "Failed to mount /dev/hd*1 as /lib" problems... But wait! There's more!
2) Another point about using devFS which I had to search for: in build-initrd.sh under BOOTDEV and CRYPTROOT make sure to edit these options like below, according to your equipment:
This is /dev/hde1
Code:
BOOTDEV=/dev/ide/host2/bus0/target0/lun0/part1

This is /dev/hda10
Code:
CRYPTROOT=/dev/ide/host0/bus0/target0/lun0/part10

God bless the creators and maintainers of Google.
And credit goes to the linux-crypto mailing list for point #2: http://mail.nl.linux.org/linux-crypto/2003-01/msg00034.html
My apologies for any spelling/grammar/things that don't make sense. I'm tired and just happy to have a working system again.
-- Woody2143