jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Thu Jan 29, 2009 4:46 pm Post subject:

Let's say I don't want the initramfs built into the kernel. What would I do then?
Paczesiowa Guru
Joined: 06 Mar 2006 Posts: 593 Location: Oborniki Śląskie, Poland
Posted: Thu Jan 29, 2009 5:44 pm Post subject:

cpio it, gzip that and tell grub to pass it to the kernel.
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Thu Jan 29, 2009 9:39 pm Post subject:

"cpio" it?
Paczesiowa Guru
Joined: 06 Mar 2006 Posts: 593 Location: Oborniki Śląskie, Poland
Posted: Fri Jan 30, 2009 9:18 am Post subject:

man cpio :) You create a root filesystem layout (/dev with a few devices, /lib and /[s]bin with whatever you need, and an /init script), then you make an archive of that directory with cpio, gzip it, and it is ready to pass to grub.
bonnietyler n00b
Joined: 30 Sep 2006 Posts: 7
Posted: Fri Jan 30, 2009 1:02 pm Post subject: one pw for swap and root

hey,
i use the init script from Alon Bar-Lev, which works pretty fine for me (symmetric encrypted swap and root)
( http://wiki.tuxonice.net/EncryptedSwapAndRoot ). normally my computer doesn't need swap, just for hibernation with tuxonice, so no problem if both got the same password.
my grub conf says:
title=Gentoo toi 2.6.28 r1 toi init
kernel /kernel-2.6.28-gentoo-r1-toi root=/dev/hda3 initrd_encmode=dm-crypt initrd_util=passphrase:id,id initrd_devices=/dev/hda2,/dev/hda3 initrd_dmnames=swap,root initrd_suspend_mode=tuxonice resume=swap:/dev/mapper/swap
initrd /initramfs-gentoo-crypt-susp2tux
(from kernel...till /swap must be one line in the grub.conf!)
good luck!
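The kernel line in the post above carries three comma-separated lists (initrd_devices, initrd_dmnames and the arguments after initrd_util=passphrase:) that have to line up, and the poster warns that grub only passes what is on one physical line. The following is an added example of mine, not Alon Bar-Lev's init script: it parses those initrd_* parameters into a per-device plan, checks that the three lists agree, checks that resume= names one of the unlocked dm targets, and shows what the kernel would have received if the entry had been left wrapped after the first line. Pairing the lists by position and the resume check are assumptions read off the quoted grub.conf, not taken from the script itself; the command lines below are constructed from that post.

```python
"""Parse the initrd_* kernel parameters used by the Alon Bar-Lev initramfs
script into a per-device plan and cross-check it.  Added example, not the
script itself: pairing the comma-separated lists by position, and requiring
resume= to name one of the dm targets, are assumptions drawn from the
grub.conf quoted in the thread."""


def parse_cmdline(cmdline):
    """'root=/dev/hda3 quiet' -> {'root': '/dev/hda3', 'quiet': None}."""
    params = {}
    for tok in cmdline.split():
        key, sep, val = tok.partition("=")
        params[key] = val if sep else None
    return params


def plan_dm_targets(params):
    """Return [(device, dmname, util, util-arg), ...] or raise if the lists disagree."""
    if params.get("initrd_encmode") != "dm-crypt":
        raise ValueError("initrd_encmode=dm-crypt missing; nothing for the initramfs to unlock")
    devices = [d for d in params.get("initrd_devices", "").split(",") if d]
    names = [n for n in params.get("initrd_dmnames", "").split(",") if n]
    util, _, rest = params.get("initrd_util", "").partition(":")
    args = [a for a in rest.split(",") if a]
    if not devices or not (len(devices) == len(names) == len(args)):
        raise ValueError("initrd_devices/initrd_dmnames/initrd_util counts differ: %d/%d/%d"
                         % (len(devices), len(names), len(args)))
    return [(dev, name, util, arg) for dev, name, arg in zip(devices, names, args)]


def check_resume(params, plan):
    """resume=swap:/dev/mapper/<name> must name one of the planned dm targets,
    otherwise the hibernation image lives on a device the initramfs never opened."""
    resume = params.get("resume")
    if resume is None:
        return None
    kind, _, path = resume.partition(":")
    prefix = "/dev/mapper/"
    names = {name for _, name, _, _ in plan}
    if kind != "swap" or not path.startswith(prefix) or path[len(prefix):] not in names:
        raise ValueError("resume=%s does not point at an unlocked dm target" % resume)
    return path


# Constructed inputs: the one-line form of the quoted grub entry, and the first
# physical line only (what grub passes if the kernel line is left wrapped).
ONE_LINE = ("root=/dev/hda3 initrd_encmode=dm-crypt initrd_util=passphrase:id,id "
            "initrd_devices=/dev/hda2,/dev/hda3 initrd_dmnames=swap,root "
            "initrd_suspend_mode=tuxonice resume=swap:/dev/mapper/swap")
WRAPPED_FIRST_LINE = "root=/dev/hda3 initrd_encmode=dm-crypt"


def demo(cmdline):
    """Plan the dm targets for a command line and validate resume= against them."""
    params = parse_cmdline(cmdline)
    plan = plan_dm_targets(params)
    return plan, check_resume(params, plan)


if __name__ == "__main__":
    print(demo(ONE_LINE))
    try:
        demo(WRAPPED_FIRST_LINE)
    except ValueError as err:
        print("wrapped grub line rejected:", err)
```

Running it on the wrapped first line fails on the missing initrd_devices before anything is unlocked, which is the check to run against /proc/cmdline from a rescue shell when the init script asks for nothing and panics.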
|
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Fri Jan 30, 2009 7:48 pm Post subject:

Paczesiowa wrote:
man cpio :) You create a root filesystem layout (/dev with a few devices, /lib and /[s]bin with whatever you need, and an /init script), then you make an archive of that directory with cpio, gzip it, and it is ready to pass to grub.

Could you give an example?
|
Paczesiowa Guru
Joined: 06 Mar 2006 Posts: 593 Location: Oborniki Śląskie, Poland
http://en.gentoo-wiki.com/wiki/Initramfs#Basic_File_structure
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Fri Jan 30, 2009 8:44 pm Post subject:

Paczesiowa wrote:
http://en.gentoo-wiki.com/wiki/Initramfs#Basic_File_structure

Uh yeah, you already showed me that. I'm talking about cpio: "0 occurrences of 'cpio' found".
|
Paczesiowa Guru
Joined: 06 Mar 2006 Posts: 593 Location: Oborniki Śląskie, Poland
Posted: Fri Jan 30, 2009 10:49 pm Post subject:

weird that they don't mention the final step, my bad. anyway, when you have all things in /usr/src/initramfs/ then you do this:
Code:
cd /usr/src/initramfs/ && find . | cpio -o -H newc | gzip -9 > /boot/initramfs.gz
and adjust grub cfg.
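To make the build step from the two posts above concrete, here is an added example (mine, not the thread's command and not cpio): a small Python writer for the newc archive format that `cpio -o -H newc` emits and the kernel's initramfs unpacker reads, plus a reader that walks the archive the way the kernel does, so you can see exactly what the kernel will create at boot. The sample tree (/dev/console and /dev/null nodes, /bin, an /init file) is constructed here; the /init content is a placeholder, not a working boot script.

```python
"""Build and inspect a minimal initramfs image in the kernel's 'newc' cpio
format (what `find . | cpio -o -H newc | gzip` produces).
Added example for the thread, not code from the forum or from cpio."""
import gzip
import stat

NEWC_MAGIC = b"070701"   # SVR4 cpio without CRC, the variant the kernel unpacks
TRAILER = "TRAILER!!!"   # name of the entry that terminates the archive
HDR_LEN = 110            # 6-byte magic + 13 fields of 8 hex characters each


def _pad4(n):
    """Bytes needed to bring n up to a multiple of 4; newc aligns header+name and data."""
    return (4 - n % 4) % 4


def _entry(name, mode, data=b"", rdev=(0, 0), ino=0):
    """One newc record: header, NUL-terminated name, padding, data, padding.
    Field order: ino, mode, uid, gid, nlink, mtime, filesize, devmajor,
    devminor, rdevmajor, rdevminor, namesize, check."""
    name_b = name.encode() + b"\0"
    fields = (ino, mode, 0, 0, 1, 0, len(data), 0, 0, rdev[0], rdev[1], len(name_b), 0)
    hdr = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields)
    assert len(hdr) == HDR_LEN
    out = hdr + name_b
    out += b"\0" * _pad4(len(out))
    out += data + b"\0" * _pad4(len(data))
    return out


def build_initramfs(spec):
    """spec: list of (path, kind, perm, payload); kind is 'dir', 'file' or 'chr'
    (payload is the file content or the (major, minor) pair).  Returns the
    gzip-compressed archive ready to be handed to the bootloader."""
    raw = b""
    for ino, (path, kind, perm, payload) in enumerate(spec, start=1):
        if kind == "dir":
            raw += _entry(path, stat.S_IFDIR | perm, ino=ino)
        elif kind == "file":
            raw += _entry(path, stat.S_IFREG | perm, data=payload, ino=ino)
        elif kind == "chr":
            raw += _entry(path, stat.S_IFCHR | perm, rdev=payload, ino=ino)
        else:
            raise ValueError("unknown kind %r" % kind)
    raw += _entry(TRAILER, 0)
    return gzip.compress(raw)


def list_initramfs(gz):
    """Walk the archive as the kernel's parser does; returns
    path -> (mode, size, (rdevmajor, rdevminor), data) in archive order."""
    blob = gzip.decompress(gz)
    off, entries = 0, {}
    while True:
        hdr = blob[off:off + HDR_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError("bad cpio magic at offset %d" % off)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, rdev, namesize = f[1], f[6], (f[9], f[10]), f[11]
        name = blob[off + HDR_LEN:off + HDR_LEN + namesize - 1].decode()
        off += HDR_LEN + namesize
        off += _pad4(off)            # every record starts 4-aligned, so this is the name padding
        data = blob[off:off + size]
        off += size + _pad4(size)
        if name == TRAILER:
            return entries
        entries[name] = (mode, size, rdev, data)


# Constructed sample tree: the skeleton described in the thread (/dev with a
# couple of nodes, /bin for busybox, an /init script).  INIT_SCRIPT is a stub.
INIT_SCRIPT = b"#!/bin/sh\nmount -t proc proc /proc\nexec /bin/sh\n"
SAMPLE_TREE = [
    ("dev", "dir", 0o755, None),
    ("dev/console", "chr", 0o600, (5, 1)),   # major 5, minor 1: the system console
    ("dev/null", "chr", 0o666, (1, 3)),
    ("bin", "dir", 0o755, None),
    ("init", "file", 0o755, INIT_SCRIPT),
]


def demo():
    """Build the sample image and read it back."""
    return list_initramfs(build_initramfs(SAMPLE_TREE))


if __name__ == "__main__":
    for path, (mode, size, rdev, _) in demo().items():
        print("%-12s %06o %5d %s" % (path, mode, size, rdev))
```

Compare the listing with `zcat /boot/initramfs.gz | cpio -tv` on a real image: names and modes should match. The two details the kernel is strict about are the 4-byte alignment after the name and after the file data and the closing TRAILER!!! record; an image that gets either wrong is rejected at boot ("Initramfs unpacking failed").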
|
blacksheep n00b
Joined: 04 Aug 2006 Posts: 25
Posted: Sat Feb 21, 2009 10:27 pm Post subject:

I'm currently running a system with kernel linux-2.6.24-gentoo-r4 (everything is encrypted with dm-crypt with LUKS) as a fileserver. I've recently noticed that on a hardware raid volume (encrypted too), whilst it's being written to, there is a significant delay to anything reading from the same directory.
I've had a little read around and noticed that several people were saying this was a kernel issue and supposedly fixed in 2.6.24 - my question is, do you think a kernel upgrade would help, and/or any other ideas?
Thanks
|
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Sat Feb 21, 2009 10:40 pm Post subject:

Give it a try.
|
chr0n0 n00b
Joined: 08 Aug 2008 Posts: 40
Posted: Sun May 10, 2009 1:09 pm Post subject:

How does one go about encrypting a /home and a swap partition during a stage3 install? There are so many different guides out there and none of them seem to agree on anything. And worse, none of them are up to date (including the guide posted in this thread).
I have tried creating /dev/mapper/home and /dev/mapper/swap using the guide here, but when I boot it says it cannot find them. I did some looking around in /etc/conf.d and found a file called crypto-loop. So I edited it and now I can get a prompt for my passphrase at boot, but after I enter it, it says:
Failed to configure /dev/mapper/home. Skipping.
I think what's happening is that it is looking for my /home partition early in the boot phase, it gives an error, and then later it comes back asking for my passphrase. Something is screwed up in the boot order.
I just wish there was a simple, up-to-date guide out there!
_________________
Athlon 64 x2 4000+, GA-M57SLI-S4 mobo, 2GB PC-6400 RAM, WD 500GB HDD SATA, Internet: eth0 cable modem.
|
Paczesiowa Guru
Joined: 06 Mar 2006 Posts: 593 Location: Oborniki Śląskie, Poland
Posted: Sun May 10, 2009 3:19 pm Post subject:

you can do it later, when your system is already working.
|
Sujao l33t
Joined: 25 Sep 2004 Posts: 677 Location: Germany
Posted: Mon May 11, 2009 12:18 pm Post subject:

Your ramdisk only has to decrypt the root partition. Everything else is done by the "real" gentoo system. Edit /etc/conf.d/dmcrypt and add your entries. It's commented pretty well.
|
chip007 n00b
Joined: 16 May 2009 Posts: 14 Location: Germany
Posted: Sun May 17, 2009 1:32 pm Post subject:

Hi,
I've set up an encrypted root partition with busybox and initramfs and everything works fine, besides the fact that I am only able to use AES as cipher. If I use twofish for example I get an error message while booting. Something like "alg: no test for twofish(....)". Of course twofish is compiled into the kernel (not as a module).
Any ideas?
init script:
#!/bin/sh
export PATH=/bin
umask 0077
# Pseudo-filesystems the script needs; /dev is a tmpfs that mdev populates below.
mount -t proc proc /proc
mount -t sysfs sysfs /sys
mount -t tmpfs tmpfs /dev
# Install the busybox applet symlinks and let mdev handle hotplug events.
busybox --install -s
echo /bin/mdev > /proc/sys/kernel/hotplug
mdev -s
# Wait until the boot partition (hda1) is visible before going on.
while ! mount -n -o ro /dev/hda1 /bootram ; do
	sleep 5
done
# cryptsetup reads the passphrase from /dev/tty; point it at the console.
rm /dev/tty
ln -s /dev/console /dev/tty
# Unlock the LUKS root as /dev/mapper/root and mount it; on failure drop to a shell
# instead of letting switch_root panic the kernel with a missing /sbin/init.
cryptsetup luksOpen /dev/hda2 root || exec /bin/sh
mount /dev/mapper/root /new-root || exec /bin/sh
# Stop hotplug handling, detach the temporary mounts and hand over to the real init.
echo > /proc/sys/kernel/hotplug
umount -l /proc /sys /dev /bootram
exec /bin/busybox switch_root /new-root /sbin/init root=/dev/mapper/root
avx Advocate
Joined: 21 Jun 2004 Posts: 2152
Posted: Sun May 17, 2009 1:59 pm Post subject:

Quote:
If I use twofish for example I get an error message while booting. Something like "alg: no test for twofish(....)"

Ditto for me, but with serpent. Some googling reveals that it's more of a cosmetic issue than a real problem.
|
chip007 n00b
Joined: 16 May 2009 Posts: 14 Location: Germany
Posted: Sun May 17, 2009 3:22 pm Post subject:

Well, I cannot boot using my preferred cipher. For me it isn't cosmetic. Or are you speaking about the advantages and disadvantages between the ciphers?
|
avx Advocate
Joined: 21 Jun 2004 Posts: 2152
Posted: Sun May 17, 2009 3:29 pm Post subject:

Then I guess there must be something wrong with your setup. I get the "alg..." message too, but booting works without problems and the encryption does work.
|
lkraav Tux's lil' helper
Joined: 13 Oct 2004 Posts: 129 Location: Estonia
Posted: Wed Jun 03, 2009 6:39 pm Post subject:

hrm, like a few guys before mentioned about newer kernels, my tuxonice-sources-2.6.28-r10 also gets stuck after inserting the USB stick with the keyfile.
The sda1 prompt shows up, but nothing else happens, no "Opening root" and "Opening swap" appears. initrd_shell=rescue hangs right before the shell prompt is supposed to appear, no input from the keyboard is recognized, power off is the only choice.
tuxonice-sources-2.6.24-r9 keeps on working fine.
has anyone figured anything out?
edit: make sure CONFIG_SYSFS_DEPRECATED_V2 stays on, everything is working.
|
Dheath Tux's lil' helper
Joined: 06 Aug 2006 Posts: 131
Posted: Sun Jul 26, 2009 7:31 pm Post subject:

I have an amd64 system with baselayout2 and cryptsetup 1.0.6 and I'm trying to have an encrypted partition mounted on boot.
For some weird reason I get this at the beginning of the boot messages:
Code:
...
* Setting up dm-crypt mappings...
* dm-crypt map crypt-token...
* cryptsetup will be called with : -c serpent-cbc-essiv:sha256 -d /etc/conf.d/token.key create crypt-token /dev/sde
Command failed: Error opening device: No such file or directory
* failure running cryptsetup [ !! ]
* dm-crypt map crypt-maxi...
* cryptsetup will be called with : -c serpent-cbc-essiv:sha256 -d /mnt/token/maxi.key create crypt-maxi /dev/sdc2
Command failed: Error opening device: No such file or directory
* failure running cryptsetup [ !! ]
* Checking swap is not LUKS
* dm-crypt map crypt-swap1...
* cryptsetup will be called with : -c aes -h sha1 -d /dev/urandom create crypt-swap1 /dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5803499-part3 [ ok ]
* Running pre_mount commands for crypt-swap1... [ ok ]
* Checking swap is not LUKS
* dm-crypt map crypt-swap2...
* cryptsetup will be called with : -c aes -h sha1 -d /dev/urandom create crypt-swap2 /dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5783237-part3 [ ok ]
* Running pre_mount commands for crypt-swap2... [ ok ]
* Failed to setup dm-crypt devices [ !! ]
* ERROR: dmcrypt failed to start
* Checking local filesystems ...
/dev/disk/by-uuid/23fafc47-37dc-431f-9da2-fc9e0c67f772: clean, 457077/3278576 files, 1964888/13109024 blocks
/dev/disk/by-uuid/4e573612-c6ca-483e-81df-90aef20e7820: clean, 401/35528704 files, 2301289/142094896 blocks
/dev/disk/by-uuid/7362ee33-b769-4be2-b878-6adb518be0c9: clean, 47/28112 files, 34071/112320 blocks [ ok ]
* Remounting root filesystem read/write... [ ok ]
* Updating /etc/mtab... [ ok ]
* Mounting local filesystems...
mount: special device /dev/mapper/crypt-maxi does not exist
* Some local filesystem failed to mount [ !! ]
...
and this at the end of the boot messages:
Code:
...
* Mounting USB device filesystem [usbfs]... [ ok ]
* Mounting misc binary format filesystem... [ ok ]
* Activating swap devices... [ ok ]
* Initializing random number generator... [ ok ]
INIT: Entering runlevel: 3
* Setting up dm-crypt mappings...
* dm-crypt map crypt-token...
* cryptsetup will be called with : -c serpent-cbc-essiv:sha256 -d /etc/conf.d/token.key luksOpen /dev/sde crypt-token
key slot 0 unlocked.
Command successful. [ ok ]
* Running pre_mount commands for crypt-token... [ ok ]
* dm-crypt map crypt-maxi...
* cryptsetup will be called with : -c serpent-cbc-essiv:sha256 -d /mnt/token/maxi.key luksOpen /dev/sdc2 crypt-maxi
key slot 0 unlocked.
Command successful. [ ok ]
* Checking swap is not LUKS
* dm-crypt mapping crypt-swap1 is already configured
* Checking swap is not LUKS
* dm-crypt mapping crypt-swap2 is already configured [ ok ]
...
dmcrypt should be starting only at the boot level. If I delete dmcrypt from the boot level then none of the encrypted partitions will be mounted.
In /etc/conf.d/dmcrypt I have:
Code:
target=crypt-token
source='/dev/sde'
options='-c serpent-cbc-essiv:sha256 -d /etc/conf.d/token.key'
pre_mount='mount -o ro /dev/mapper/crypt-token /mnt/token'
post_mount='umount /mnt/token; cryptsetup luksClose crypt-token'
target=crypt-maxi
source='/dev/sdc2'
options='-c serpent-cbc-essiv:sha256 -d /mnt/token/maxi.key'
swap=crypt-swap1
source='/dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5803499-part3'
swap=crypt-swap2
source='/dev/disk/by-id/ata-WDC_WD6401AALS-00L3B2_WD-WCASY5783237-part3'
In /etc/fstab I have:
Code:
/dev/disk/by-uuid/7362ee33-b769-4be2-b878-6adb518be0c9 /boot ext2 noatime 1 2
/dev/disk/by-uuid/23fafc47-37dc-431f-9da2-fc9e0c67f772 / ext3 noatime 0 1
/dev/mapper/crypt-swap1 none swap sw 0 0
/dev/mapper/crypt-swap2 none swap sw 0 0
tmpfs /tmp tmpfs defaults,nosuid,size=1024M,mode=1777 0 1
/dev/disk/by-uuid/4e573612-c6ca-483e-81df-90aef20e7820 /home ext2 noatime 0 1
/dev/disk/by-uuid/6727f0a7-97ec-4489-9bde-05311351316c /mnt/puxi ext2 rw 0 0
/dev/mapper/crypt-maxi /mnt/maxi ext2 rw 0 0
...
So, why is it trying to decrypt the partitions without LUKS, and why is LUKS used to decrypt the partitions before mounting the filesystems in /etc/fstab?
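The log above shows the dmcrypt script making one decision per target before it calls cryptsetup: "Checking swap is not LUKS", and then either `luksOpen` or plain `create`. That decision is the `cryptsetup isLuks` test, which only looks at the first bytes of the source device; in the first run the script chose `create` for /dev/sde and /dev/sdc2 and cryptsetup then reported that it could not open the device at all, so there was no header to recognise (an inference from the visible lines, not something the log states). The following is an added example, mine and not Gentoo's dmcrypt script or cryptsetup: a parser for the LUKS1 on-disk header that answers the same question, extracts the cipher, hash and active key slots, and applies the same two rules the script does (LUKS means luksOpen, plain means create, and a random-key swap is never created over a LUKS header because that would destroy it). The sample header is constructed with zeroed digest and salts and describes no real volume.

```python
"""Minimal LUKS1 header parser: the test behind "Checking swap is not LUKS"
and the luksOpen-versus-create choice in the dmcrypt boot log.
Added example, not Gentoo's dmcrypt script; layout is the LUKS1 phdr
(592 bytes: 208-byte fixed part plus eight 48-byte key slots)."""
import struct
import uuid

LUKS_MAGIC = b"LUKS\xba\xbe"
# magic, version, cipher-name, cipher-mode, hash-spec, payload-offset,
# key-bytes, mk-digest, mk-digest-salt, mk-digest-iter, uuid
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# active, iterations, salt, key-material-offset, stripes
KEYSLOT = struct.Struct(">II32sII")
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = PHDR.size + 8 * KEYSLOT.size


def _cstr(raw):
    """NUL-padded ASCII field -> str."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def is_luks(blob):
    """Same question cryptsetup isLuks answers: magic present and version 1?"""
    if len(blob) < 8:
        return False
    magic, version = struct.unpack_from(">6sH", blob)
    return magic == LUKS_MAGIC and version == 1


def parse_luks1_header(blob):
    """Decode the fields an operator cares about from the first 592 bytes."""
    if not is_luks(blob) or len(blob) < HEADER_LEN:
        raise ValueError("not a LUKS1 header")
    f = PHDR.unpack_from(blob)
    slots = [KEYSLOT.unpack_from(blob, PHDR.size + i * KEYSLOT.size) for i in range(8)]
    return {
        "cipher": "%s-%s" % (_cstr(f[2]), _cstr(f[3])),   # e.g. serpent-cbc-essiv:sha256
        "hash": _cstr(f[4]),
        "payload_offset": f[5],                            # in 512-byte sectors
        "key_bytes": f[6],
        "uuid": _cstr(f[10]),
        "active_slots": [i for i, s in enumerate(slots) if s[0] == SLOT_ENABLED],
    }


def cryptsetup_action(blob, is_swap):
    """Mirror the boot-log decision: LUKS -> luksOpen, plain -> create, and
    refuse to 'create' a random-key swap over a LUKS header (that would
    overwrite the header and the key slots with it)."""
    if is_luks(blob):
        if is_swap:
            raise RuntimeError("swap source carries a LUKS header; refusing to clobber it")
        return "luksOpen"
    return "create"


def make_luks1_header(cipher="serpent", mode="cbc-essiv:sha256", key_bytes=32):
    """Constructed sample header for the demo: digest and salts zero-filled,
    one enabled slot, so it parses but describes no real volume."""
    fixed = PHDR.pack(LUKS_MAGIC, 1, cipher.encode(), mode.encode(), b"sha1",
                      4096, key_bytes, b"\0" * 20, b"\0" * 32, 1000,
                      str(uuid.UUID(int=0x1234)).encode())
    slot0 = KEYSLOT.pack(SLOT_ENABLED, 1000, b"\0" * 32, 8, 4000)
    empty = KEYSLOT.pack(SLOT_DISABLED, 0, b"\0" * 32, 0, 0)
    return fixed + slot0 + empty * 7


if __name__ == "__main__":
    sample = make_luks1_header()
    print(parse_luks1_header(sample))
    print("token:", cryptsetup_action(sample, is_swap=False))
    print("swap :", cryptsetup_action(b"\x17" * 512, is_swap=True))
```

To run it against a real device, read the first 592 bytes (for example with `open('/dev/sdc2', 'rb').read(592)` as root) and pass them to `parse_luks1_header`; if the device node is not there yet when the boot script runs, there are no bytes to test and the plain-`create` branch is the only one left, which is the failure mode the first half of the log above shows.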
NotQuiteSane Guru
Joined: 30 Jan 2005 Posts: 488 Location: Klamath Falls, Jefferson, USA, North America, Midgarth
Posted: Thu Nov 12, 2009 9:00 pm Post subject:

I'm trying to follow this guide after failing the first try.
When I reboot I see:
Code:
/init: line 615: syntax error: EOF in backquote substitution
init used greatest stack depth: 2336 bytes left!
Kernel Panic - not syncing: Attempted to kill init!
Pid: 1, comm: init Not tainted 2.6.31-zen8-12nov09-08430-gaa0b3ad #5
What's really confusing me is that /init is only 614 lines, triple verified.
I can pastebin any needed info.
NQS
_________________
These opinions are mine, mine I say! Piss off and get your own.
As I see it -- An irregular blog, Improved with new location
To delete French language packs from system use 'sudo rm -fr /'
|
mephist0 Tux's lil' helper
Joined: 19 Sep 2005 Posts: 94 Location: Germany, Frankfurt/Main
Posted: Tue Dec 15, 2009 8:43 pm Post subject:

@frostschutz
I set up my system as described in your guide http://en.gentoo-wiki.com/wiki/Booting_encrypted_system_from_USB_stick
I used a gpg key for the password.
this is my init:
Code:
#!/bin/busybox sh
# Fallback: drop to an interactive busybox shell if anything below fails.
rescue_shell() {
	echo "Something went wrong. Dropping you to a shell."
	busybox --install -s
	exec /bin/sh
}
# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys
# Do your stuff here.
echo "This script decrypts and mounts rootfs and boots it up, nothing more!"
# Decrypting root LUKS device: gpg decrypts the keyfile shipped in the initramfs
# and pipes the plaintext key into cryptsetup on stdin.
gpg --decrypt /etc/root.gpg 2>/dev/null | cryptsetup luksOpen /dev/sda3 root || rescue_shell
# enabling lvm devices inside the unlocked volume
lvm vgscan
lvm vgchange -a y
# Mount the root filesystem.
mount -o ro /dev/lvm/root /mnt/root || rescue_shell
# Clean up.
umount /proc
umount /sys
# Boot the real thing.
exec switch_root /mnt/root /sbin/init

But gpg doesn't ask for the password ?!?!?!
It says decrypted with 1 password
and then false session key or so
what's wrong?!?
_________________
There is only one God, and his name is Death. And there is only one thing we say to Death: 'Not today!'
Photography portfolio
|
mephist0 Tux's lil' helper
Joined: 19 Sep 2005 Posts: 94 Location: Germany, Frankfurt/Main
Posted: Tue Dec 15, 2009 9:47 pm Post subject:

This F***ING gpg-agent is messing with me.
I booted the Gentoo LiveDVD 10.1 again and executed gpg under chroot:
(I touched the S.gpg-agent file)
Code:
gpg --decrypt /root/system.encryption/root.gpg
gpg: 3DES encrypted data
can't connect to `/root/.gnupg/S.gpg-agent': Connection refused
gpg-agent[10612]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key

how do I turn this off for my init-script?
[EDIT]
from the man page:
--no-use-agent
This is dummy option. gpg2 always requires the agent.
rofl ?!?! WTF?
[EDIT2]
luckily gentoo still has gpg-1.4.9 with the static useflag and it asks for the password in my chroot.
If it doesn't work now I must beat something with a big hammer.
For now I have the root.gpg inside the initramfs.
That isn't secure, right?
_________________
There is only one God, and his name is Death. And there is only one thing we say to Death: 'Not today!'
Photography portfolio
|
kingfame_147 Apprentice
Joined: 11 Oct 2008 Posts: 171
Posted: Sun Mar 21, 2010 9:39 am Post subject: kernel panic

Hi,
when i try to use this guide with the "init" file from here (Alon Bar-Lev) and want to decrypt any partition i'm getting this error:
error picture
Even when i just try to decrypt the swap partition like this:
Code:
kernel /boot/kernel-2.6.32-gentoo-r7 root=/dev/sdb3 video=uvesafb:2560x1600-32,mtrr:3,ywrap initrd_encmode=dm-crypt initrd_util=passphrase:id initrd_devices=/dev/sdb2 initrd_dmnames=swap

I'm asked for the password, then the screen goes black, and then the given error occurs :/ Any ideas?
|
darkbasic Tux's lil' helper
Joined: 06 Sep 2006 Posts: 133
Posted: Sun Mar 21, 2010 1:35 pm Post subject:

This script simply doesn't work out of the box, I had to modify it to make it work.
Unfortunately I have fixed only the "encrypted keyfile" path, so it will not help you...
I also added (partial) LVM2 support, but it's still not finished.
_________________
Computers are like air conditioners:
they stop working properly when you open Windows...
Grow Linux, Windows crashes all by itself.
http://www.linuxsystems.it/