View previous topic :: View next topic |
Author |
Message |
easykill Apprentice
Joined: 07 Dec 2002 Posts: 230
|
Posted: Wed Mar 26, 2003 7:39 am Post subject: |
|
|
yeah, that's kinda what i was thinking...i just didn't get around to doing it, and instead just told devfs not to mount automatically at boot, since gentoo does it itself with devfsd
and i think i figured out how to encrypt the other drives with a fixed key...reading a bit past the encrypt root FS stuff in the loop-AES readme gives some examples (including the magic -p 0 for losetup)
so I'm gonna try that tomorow after some sleep |
|
Back to top |
|
|
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
|
Posted: Wed Mar 26, 2003 6:50 pm Post subject: |
|
|
I think using a key gotten from /dev/random and then the key encrypted with GPG would be lots better than using a hashed key from a pass phrase. I know how to do this on partitions that aren't root. If anyone knows how to do it on a root filesystem please post!
Chad |
|
Back to top |
|
|
easykill Apprentice
Joined: 07 Dec 2002 Posts: 230
|
Posted: Wed Mar 26, 2003 9:28 pm Post subject: |
|
|
the loop-AES faq pretty much sums it up, just substitute the steps. I recommend using one of those little USB hard drive thingies (the dongles) as they won't break on you. |
|
Back to top |
|
|
easykill Apprentice
Joined: 07 Dec 2002 Posts: 230
|
Posted: Wed Mar 26, 2003 9:29 pm Post subject: |
|
|
the loop-AES faq pretty much sums it up, just substitute the steps. I recommend using one of those little USB hard drive thingies (the dongles) as they won't break on you. |
|
Back to top |
|
|
easykill Apprentice
Joined: 07 Dec 2002 Posts: 230
|
Posted: Fri Mar 28, 2003 6:20 pm Post subject: |
|
|
gah, sorry for the double post...mozilla was acting up
here is a little summary for how I set up my /usr/local partition to be encrypted, and mounted without a password (this is unsecure if you don't have an encrypted root fs, since the password is stored in a file)
READ THIS THROUGH BEFORE TRYING IT IN CASE I FORGOT ANYTHING. BE SURE TO BACKUP YOUR DATA!!!
1.) Run the following twice to get your seed and password
Code: | head -c 15 /dev/urandom | uuencode -m - | head -2 | tail -1 |
You will get 2 strings similar to the following
djYFGvsKuiMIJkerw3H8
zZEomoTvDgFTfRz+o7RN
copy them to a file, or write them down...the first one will be used as your random seed, the second will be used as your password.
2.) Make sure to backup all important data on the partition you are going to encrypt.
3.) Make the loop device. Assuming you want /dev/loop4 to be the device to use for your mounted device, and assuming /dev/hdb5 is the partition you want to encrypt, the following works. Substitute your random seeds and passwords for the ones i just made up....
Code: |
echo "zZEomoTvDgFTfRz+o7RN" | /sbin/losetup -e AES256 -p 0 -S djYFGvsKuiMIJkerw3H8 /dev/loop4 /dev/hdb5
|
This sets up a loop device that will use AES256 encryption....the password is read from the echo because of the -p 0 flag, and the -S sets the random seed (which was missing from the original howto in this thread, because it's not necessary, but does make it more secure. If you are going to do the -S for the encrypting root, READ THE LOOP-AES README!!! IT has very nice instructions!
4.) Encrypt the drive:
Code: | dd if=/dev/hdb5 of=/dev/loop4 bs=64k conv=notrunc |
This will take a while, and won't show anything, but your hard drive light should be flashing (if the light works, that is)
So be patient...read Calvin and Hobbes or play the new Zelda game.
5.) Your drive is now encrypted....you need to make an rc script with the following in it (or something similar)
Code: | #!/sbin/runscript
depend() {
before modules
}
start() {
ebegin "Starting loop setup for /usr/local"
echo "zZEomoTvDgFTfRz+o7RN" | /sbin/losetup -e AES256 -p 0 -S djYFGvsKuiMIJkerw3H8 /dev/loop4 /dev/hdb5
eend $? "Failed to start loop setup!"
}
|
again, substitute your seed and password and drive and loop device for my sample ones.
6.) Ack! can't have anyone find our our random seeds/passwords!
Code: | chmod 700 /etc/init.d/loopsetup |
Substitute whatever you named the rc script
7.) Put the script in your startup
Code: |
rc-update add loopsetup boot
|
This puts it in the boot runlevel (an early one) and should (for me it doesnt...???) have it run before your modules are loaded....it may work for you.
8.) Edit your fstab...change the line for /usr/local (or whatever) to read as so:
Code: |
/dev/loop4 /usr/local ext3 noauto,noatime 0 0
|
I have the noauto in there because for whatever reason, the rc-update isn't running the loopsetup where it is supposed to, even with the depend statement...I'm not sure why. It's very annoying. If anyone can solve that, it would be nice. It (for me) ends up getting ran way later on. If that gets solved, make sure to change the last number in that fstab line to a 1, so the loop device gets fscked for errors.
9.) If you have gotten it working so that it will run the loopsetup before it tries to mount filesystems, then ignore this step. If you didn't get rc-update to work correctly, put the following in your /etc/conf.d/local.start or make a new init script, whatever...
Code: |
/bin/mount /usr/local
|
again, substitute...blah blah...
10.) Your partiton should be encrypted and should autoload without a password now. Make sure you keep the loopsetup file chmod 700 so that nobody else can read it, as it has your passwords in it. This is relatively secure since your root filesystem is encrypted so that anybody who would steal the drive and try to read it would first have to break the encryption for the root drive before they could get the password out of the file
I don't think I've forgotten anything, but let me know if I have. |
|
Back to top |
|
|
Woody2143 n00b
Joined: 26 Mar 2003 Posts: 19 Location: Atlanta, GA
|
Posted: Sat Apr 12, 2003 5:24 pm Post subject: |
|
|
Well Gentlemen, I have run in to a problem using this little trick... Now mind you it may not be a direct result of encrypting my root fs, but I can't say for sure that it isn't....
One day after work I came back to my apartment to find that my beloved computer had a little panic attack. Upon rebooting I came to the
Code: | loop: loaded (max 8 devices)
Encrypted file system, please supply correct password to continue
Password: |
I put in my password and this is what I got for my troubles...
Code: | EXT3-fs: unsupported inode size: 14776
Looks like you didn't say the magic word. Mounting /dev/loop/5 failed
Encrypted file system, please supply the correct password to continue
Password: |
I have tried to type in the WRONG password on purpose to see if I was getting that particular error msg, but indeed it wasn't....
Code: | VFS: Can't find ext3 filesystem on dev loop(7,5).
Looks like you didn't say the magic word. Mounting /dev/loop/5 failed
Encrypted file system, please supply the correct password to continue
Password: |
I'm currently looking around [think google] for an answer of how to repair my little unsupported inode size problem but I figured I'd drop a msg here as well....
After typing this out I realized what I should be doing... I broke out my Knoppix CD, unencrypted the partition, and ran e2fsck on it... I knew I kept that Knoppix CD around for some reason.
Oh well, I'll leave this just in case someone elses brain doesn't start up right away.... _________________ -- Woody2143 |
|
Back to top |
|
|
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
|
Posted: Sat Apr 12, 2003 8:06 pm Post subject: |
|
|
Probably would have been easier to:
1) Boot Knoppix
2) losetup -e whatever /dev/loop0 /dev/hdWhateverWasYourRoot
3) e2fsck /dev/dev/loop0
4) Reboot like normal
Chad |
|
Back to top |
|
|
Woody2143 n00b
Joined: 26 Mar 2003 Posts: 19 Location: Atlanta, GA
|
Posted: Sat Apr 12, 2003 8:43 pm Post subject: |
|
|
Yeah, that is what I ment by unencrypting the partition... My mistake.
It worked but man was my drive hosed up. I'm gonna have to recover some key files and reinstall I think... To many files are giving me errors like syslog and rsync... Oh well, stuff happens... _________________ -- Woody2143 |
|
Back to top |
|
|
revoohc Tux's lil' helper
Joined: 12 Oct 2002 Posts: 128
|
Posted: Tue Apr 15, 2003 11:18 pm Post subject: |
|
|
Has anyone been able to do this root encryption storing part of the key/passphrase on removable media? This question is coming from example 4.
I have a 256MB USB key card that I would love to have incorporated in this so that you can't boot my laptop without it.
Any ideas/help would be appreciated.
BTW, my system is setup as follows:
/dev/hda1 1048MB (suspend to disk area)
/dev/hda2 ~50MB - boot
/dev/hda3 1024MB - swap
/dev/hda5 ~38GB /
thanks,
chris |
|
Back to top |
|
|
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
|
Posted: Thu Apr 17, 2003 3:23 pm Post subject: |
|
|
I think it would be really great to have the whole /boot filesystem on a USB keychain drive. That way NOTHING would have to be on the /root or other filesystems thats not encrypted I don't have a USB keychain drive but i am going to get one and try it I think.
Does anyone know if a USB keychain disk drive is seen by the BIOS? Will it try to boot from it?
Btw the partition types don't have to be 82 or 83 on anything except the /boot. You can set them to DA = NON-FS DATA or anything else you want and it works. With /boot on a USB keychain noone would even know what operating system is on the hard disk!
Chad |
|
Back to top |
|
|
easykill Apprentice
Joined: 07 Dec 2002 Posts: 230
|
Posted: Fri Apr 18, 2003 5:37 pm Post subject: |
|
|
ok, not having tried this, I'm just randomly guessing here....
If the USB dongles are anything like my digital camera, they will end up being /dev/sda or something along those lines.
Pretending you have your /dev/hda set up as following:
/dev/hda1 /
/dev/hda2 swap
/dev/hda3 /usr/local
or something like that
and you have your /boot on the keychain drive located at (find this out before you do this) /dev/sda1
I don't think it would be easy to have the BIOS boot from the keychain drive, unless the BIOS would see it as a SCSI device as well...?
however, you could use lilo (or grub) to accomplish this, I would imagine, by having lilo install itself in the MBR of /dev/hda but having the /boot in lilo point to /dev/sda1 or something
Thinking about this more, it might not work since the kernel hasn't loaded yet, and unless the BIOS assigns the keychain drive a value of sorts, it wouldn't be loaded yet as /dev/sda. I'm not sure.
In retrospect, this whole post is probably incorrect and pointless. Sorry, heh. |
|
Back to top |
|
|
ghetto Guru
Joined: 10 Jul 2002 Posts: 369 Location: BC, Canada
|
Posted: Sat Apr 19, 2003 12:12 am Post subject: |
|
|
Wow what an exciting idea! I mean to have the entire harddrive encrypted and the kernel on some sort of external media.
I agree that a usb keychain would be cool, but if its not possible then what about a floppy disk? or maybe a cdrom? Wouldnt one of those work? Or would the external media need to contain the entire /boot partition? a cdrom could hold that easily but i doubt a floppy could. meh.. _________________ Blizzard you suck. |
|
Back to top |
|
|
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
|
Posted: Sat Apr 19, 2003 1:18 pm Post subject: |
|
|
Ive been trying to figure out how to make a little cdrom (one that will fit in my pocket) that contains just the /boot stuff. So far I dont know how to make it bootable. Once I can get it to load the kernel it should be ok to use the loop-AES initrd.gz and ramdisk and then prompt for the pass phrase and chroot/pivot to the real encrypted root.
Does anyone know how to make a bootable cdrom with grub? or where a HOWTO is? What I dont know how to do is tell grub to put its bootstrap stuff that normally goes in the mbr into something that the BIOS understands when it tries to boot the CDROM. Everything I found so far says it has to be a floppy or a disk image and I'm real confused about how to make that part.
Chad |
|
Back to top |
|
|
easykill Apprentice
Joined: 07 Dec 2002 Posts: 230
|
Posted: Sat Apr 19, 2003 3:12 pm Post subject: |
|
|
you should be able to get around that, with lilo i would expect...probably not with grub, as grub will only let you specify hard drives as your devices.
in lilo, you would edit the /etc/lilo.conf file so that
or whatever the CD rom is....
but have lilo install itself onto /dev/hda (your hard drive) with i believe would work. otherwise, man lilo and find the right option.
Then, lilo will load off of the hard drive, but will scan /dev/hdc for the lilo mapping or whatever.
That may not work, but I would think that it would be worth a try, at least.
You would also have to modify /etc/fstab obviously |
|
Back to top |
|
|
ghetto Guru
Joined: 10 Jul 2002 Posts: 369 Location: BC, Canada
|
Posted: Sat Apr 19, 2003 5:56 pm Post subject: |
|
|
The problem with lilo of course is that if you change kernels, or change configuration you have to re-run lilo.. so this may mean that you would have to burn a new disk everytime you needed to run lilo again (i think..) _________________ Blizzard you suck. |
|
Back to top |
|
|
TinheadNed Guru
Joined: 05 Apr 2003 Posts: 339 Location: Farnborough, UK
|
Posted: Sat Apr 19, 2003 8:20 pm Post subject: This sounds great, but . . . |
|
|
When I first read this, I was really tempted to wipe RedHat off my laptop (which I'm going to do soon anyway), and install an encrypted Gentoo. But, after thinking about it, I've seen two problems, and I just wanted to throw them out here to see what people think.
Encrypting a file is very secure, as you can't make many guesses as to what might be inside it, unless you know what you're looking for. It's only a small file after all, which makes it very difficult to crack. However, if you're encrypting an N Gb HD there's a lot more bytes to look for patterns in. Considering you know you're booting Gentoo (or at least some linux kernel) you can make a few guesses as to which filesystem you're installing. Surely then you can look for the thousands of empty inodes on the disc? They'll be in fairly predictable places. You also know the directory structure, and can guess at the contents of quite a few of the plaintext files. Wouldn't this make it far easier (though not actually EASY for non-governmental bodies) to break?
A second problem (if you live in the UK), is that encrypting your drive is completely pointless, unless it is hiding evidence of crimes that carry sentences of greater than 3 years in prison, as failing to hand over a password to encrypted data when instructed by a representative of the Home Office is itself now a crime, courtesy of the RIP Act. And you have to prove you don't have the key, innocence is not assumed (which controvenes other laws I hope). And it's illegal to tell anybody if they ask you for the key too, IIRC.
I'd be really happy to be proved wrong on either of these points though. |
|
Back to top |
|
|
karrots n00b
Joined: 06 Mar 2003 Posts: 11 Location: Ogden, Ut
|
Posted: Sun Apr 20, 2003 4:26 am Post subject: CD booting |
|
|
To boot off of a CD you could just use ISOLinux as your boot loader its part of the syslinux family. I use it to have multiple boot images on one CD.
Also to who ever was wondering how to boot Knoppix on their laptop that doesn't support BootCD's. There is a disk image you can write to a floppy that will allow you to boot the CD. Browse around the cd and you will find it.
Karrots |
|
Back to top |
|
|
barlad l33t
Joined: 22 Feb 2003 Posts: 673
|
Posted: Sun Apr 20, 2003 8:49 am Post subject: |
|
|
Well... looks like I messed up everything. I followed instructions step by step and ended up with a unreadable root partition .
There was a problem with devfs so I decided to decrypt the partition, and that's where shit hits the fan. When I tried to mount /dev/loop5 (under Knopix, after doing a losetup) it told me it could not recognize filesystem. Then after I did my decrypt (dd if=/dev/loop5 of=/dev/sdb3 bs=64k notrunc), sdb3 could not be read either.
It does not recognize the file system.
Any idea? if it's only some minor stuff that got damaged, I could maybe recover it. |
|
Back to top |
|
|
thehyperintelligentslug n00b
Joined: 30 Jun 2002 Posts: 49 Location: Edinburgh
|
Posted: Sun Apr 20, 2003 3:57 pm Post subject: Re: This sounds great, but . . . |
|
|
TinheadNed wrote: | A second problem (if you live in the UK), is that encrypting your drive is completely pointless, unless it is hiding evidence of crimes that carry sentences of greater than 3 years in prison, as failing to hand over a password to encrypted data when instructed by a representative of the Home Office is itself now a crime, courtesy of the RIP Act. And you have to prove you don't have the key, innocence is not assumed (which controvenes other laws I hope). And it's illegal to tell anybody if they ask you for the key too, IIRC. |
I don't know about anyone else but I encrypted my drive (laptop) so if it gets nicked, I know nobody will be able to see what I have on there* - eg my companies accounts!
(* without a lot of work anyway).
Besides, I store all information pertaining to my organised crime activities on my windows machine - thats secure right? _________________ Cheers,
Neil.
---
http://www.thehyperintelligentslug.co.uk |
|
Back to top |
|
|
barlad l33t
Joined: 22 Feb 2003 Posts: 673
|
Posted: Sun Apr 20, 2003 7:27 pm Post subject: |
|
|
Well, I just crashed another patition by trying to encrypt the system, although that time I didn't lose anything since it was a stage1 install . Anyway I think I narrowed down a bit better the problem and I have a question everyone who made this working should be able to answer.
When you first use the losetup program, it asks you for a password. After that you encrypt the system with dd if/of.
Now when you use again losetup to mount your encrypted partition (be it to decrypt it or to mount it), it asks for a password. You MUST enter the password that you entered the FIRST TIME right? and if you enter something else... it fails, right? Seems quite logical... The problem is after I encrypt my partition, if I want to mount it using losetup, it asks again for a password. But I can enter whatever I want, like if it had not been encrypted the first time.
Basically, I think that the encryption process fucks up somewhere and that then the partition cannot be recognized, either as a reiserfs system or as a crypted system. Thus losetup always thinks it's a "decrypted" partition.
Any though please? and has anyone read/heard about a problem with encrypthing scsi disks? I started looking into mailing-list but haven't found anything yet.
Anyway... off to the reinstall again! |
|
Back to top |
|
|
ghetto Guru
Joined: 10 Jul 2002 Posts: 369 Location: BC, Canada
|
Posted: Sun Apr 20, 2003 7:41 pm Post subject: |
|
|
man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man
OH MAN I WISH I HAD A SPARE SYSTEM SO I COULD TRY THIS!!
anyone got a spare they want to lend me? _________________ Blizzard you suck. |
|
Back to top |
|
|
easykill Apprentice
Joined: 07 Dec 2002 Posts: 230
|
Posted: Mon Apr 21, 2003 3:09 pm Post subject: |
|
|
barlad wrote: | Well, I just crashed another patition by trying to encrypt the system, although that time I didn't lose anything since it was a stage1 install . Anyway I think I narrowed down a bit better the problem and I have a question everyone who made this working should be able to answer.
When you first use the losetup program, it asks you for a password. After that you encrypt the system with dd if/of.
Now when you use again losetup to mount your encrypted partition (be it to decrypt it or to mount it), it asks for a password. You MUST enter the password that you entered the FIRST TIME right? and if you enter something else... it fails, right? Seems quite logical... The problem is after I encrypt my partition, if I want to mount it using losetup, it asks again for a password. But I can enter whatever I want, like if it had not been encrypted the first time.
Basically, I think that the encryption process fucks up somewhere and that then the partition cannot be recognized, either as a reiserfs system or as a crypted system. Thus losetup always thinks it's a "decrypted" partition.
Any though please? and has anyone read/heard about a problem with encrypthing scsi disks? I started looking into mailing-list but haven't found anything yet.
Anyway... off to the reinstall again! |
Yeah, it will let you enter in anything when you losetup...but you should enter the password you used. If you don't enter that password, it won't decrypt correctly, and if you try to dd if=/dev/loop5 of=/dev/sda1 or whatever, it's gonna fuck up the system, and there's nothing you can do.
Make SURE you use the correct password...it does ask twice with the -t switch |
|
Back to top |
|
|
jlade n00b
Joined: 21 Mar 2003 Posts: 21 Location: Taiwan
|
Posted: Thu Apr 24, 2003 2:27 am Post subject: Encrypted FileSystem on Notebook |
|
|
I like the idea, great howto Chadders. Wish I was into this stuff when I was 13 and a half.
Anyway has anyone tried this on a laptop. Mine is still installing at the moment. Reason I am asking is I had to do a floppy boot disk then a network install using redhat. So booting from knoppix CD is not an option.
Anyway great stuff I am thinking on giving it a try
Jason |
|
Back to top |
|
|
mihochan Apprentice
Joined: 16 Apr 2002 Posts: 296 Location: Melbourne again
|
Posted: Wed Apr 30, 2003 8:33 am Post subject: |
|
|
Don't want to throw cold water on this idea, but why would you want to encrypt your ENTIRE filesystem?
Anybody can get a copy of 'ls', they don't have to steal one.
Which, leads to a second point. Probably, encrypting the entire filesystem is actually less secure than just encrypting you own personal data. After all, it is much easier to crack encryption if you have some idea of what is encrypted. A hacker would simply need to compare your encrypted copy of some common config file to their unencrypted one. This would give them a hand hold to break into the system.
Maybe I'm wrong. I don't actually know anything about the details of this but prima facie the point seems valid.
Tom _________________ In the long run we are all dead - Keynes |
|
Back to top |
|
|
thehyperintelligentslug n00b
Joined: 30 Jun 2002 Posts: 49 Location: Edinburgh
|
Posted: Wed Apr 30, 2003 9:17 am Post subject: |
|
|
mihochan wrote: | Don't want to throw cold water on this idea, but why would you want to encrypt your ENTIRE filesystem? |
Some may want to keep people off it (brothers, sisters, government!), personaly, I have my laptop encrypted as I do alot of my work on there. If somebody steals it, I can be as sure as I can be that they can't boot the system / view my files.
mihochan wrote: | Anybody can get a copy of 'ls', they don't have to steal one.
Which, leads to a second point. Probably, encrypting the entire filesystem is actually less secure than just encrypting you own personal data. After all, it is much easier to crack encryption if you have some idea of what is encrypted. A hacker would simply need to compare your encrypted copy of some common config file to their unencrypted one. This would give them a hand hold to break into the system. |
An intruder can't get a 'copy of ls' of an encrypted system / partition / file, you misunderstand how this encryption works. Check out Chadders first post or the loopAES README file for an overview. _________________ Cheers,
Neil.
---
http://www.thehyperintelligentslug.co.uk |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|