Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[HOWTO] root, swap filesystem encryption for 2.4 and 2.6
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3, 4, 5, 6, 7, 8  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Fri Nov 21, 2003 9:34 pm    Post subject: [HOWTO] root, swap filesystem encryption for 2.4 and 2.6 Reply with quote

Latest Additions:
- added 2.6 support
- added swap encryption
- added bootsplash+loop ramdisk support
- added udev support
- added gpg encrypted key support (by Lord Tocharian)


Introduction
hi there,

for the first my thank goes out to chadders, Lord Tocharian, BlackBart, turbobri and everyone i forgot from the original Encrypted Root File System, Swap, etc... thread. They have most of the work done i describe here. I only had a few problems and had to do several changes. also the thread is now 12 pages long so it's a little hard to get everything that is in it and i wanted to summarize what they wrote on several pages.
I had the experience that the old tutorial wasn't gentoo related in that case that it did not work with gentoo related enabled stuff, like the kernel setting to mount devfs at boot (correct me if i'm wrong). Ok, enough introduction!

if you have /dev file system support in your kernel and enabled the option to mount at boot (as it is suggested in the gentoo installation doc) then continue. else have a look at the old tutorial.
Note: since udev requires disabling devfs in the kernel, i updated the tutorial so that it works now with or without devfs. the settings should be the same for 2.4 and 2.6 kernel versions.

Another good 2.4 documentation is the Linux Disk Encryption Howto by David Braun. very detailed but also very complicated, i think.



And it is never wrong to have a look at the loop-AES.readme where you can find many useful informations.

Ok, the tutorial is divided into two, one if you want to encrypt a clean install and one if you want to encrypt your current root partition. the requirements are needed for both!

The steps
1. Requirements
2. Encrypt your current root partition
3. Encrypt your current root partition using a gpg encrypted key
4. Encrypt a clean root partition while installing gentoo
5. Setting up an encrypted swap partition
6. How to merge the bootsplash initrd and the loop-AES initrd into one
7. If something has gone wrong


1. Requirements
- get the latest loop-AES from sourceforge.net. at the moment it is
loop-AES-v2.0d. have a look at the Sourceforge.net loop-AES Project if the link is broken or to see if a newer version exists.

- get the latest util-linux (at the moment it is util-linux-2.12) from a gentoo mirror or from kernel.org.
util-linux is also in the portage tree but you have to patch util-linux and i dont know if the ebuild of util-linux contains an entry for the patch. haven't tried it yet but you can try it.

- get a knoppix (kde) .iso from one of the mirrors and burn it. i think you can also use gnoppix (gnome).
Note: i experienced that at least the latest gnoppix version does not work, so you have to use knoppix until now!

- decide wether you want to build loop AES as module or to build it directly into the kernel. i would really suggest not to use the module for example because you have to disable loopback device completely in your kernel config if you use the module. If you want to encrypt your root partition with a 2.6 kernel, there is no need to patch the kernel or to build modules, cause it has already built-in cryptoloop support.

2. Encrypt your current root partition
2a) (re)compile your kernel as following:

if you have a 2.4 kernel, choose either to patch the kernel with loop-aes 2a1) or to use the module 2a2)!
If you have a 2.6 kernel continue with 2a3), cause 2.6 has already built-in cryptoloop support!

extract the loop-AES archive in a temporary folder, for example /tmp/enc.

2a1) patching your current 2.4 kernel and rebuilding it
go to the kernel directory, patch the kernel rebuild and install it.
Code:
cd /usr/src/linux
patch -p1 < /tmp/enc/loop-AES-v2.0d/kernel-2.4.22.diff
make menuconfig

Block devices --->
<*> Loopback device support
[*] AES encrypted loop device support
<*> RAM disk support
(4096) Default RAM disk size
[*] Initial RAM disk (initrd) support

File systems --->
<*> Minix fs support
[*] /proc file system support
[*] /dev file system support (EXPERIMENTAL)
[*] Automatically mount at boot

and whatever file systems you want to be supported.

Code:
mount /boot
make dep && make clean bzImage modules modules_install
cp arch/i386/boot/bzImage /boot

you can either reboot now to make sure your kernel works or directly boot from the knoppix cd if you are sure the new kernel DOES work!!! continue with step 2b).

2a2) rebuilding your 2.4 kernel by using the loop.o module
Code:
cd /usr/src/linux
make menuconfig

Block devices --->
< > Loopback device support <---- Note: this HAS to be disabled. M or Y WON'T work here!
<*> RAM disk support
(4096) Default RAM disk size
[*] Initial RAM disk (initrd) support

File systems --->
<*> Minix fs support
[*] /proc file system support
[*] /dev file system support (EXPERIMENTAL)
[*] Automatically mount at boot

and whatever file systems you want to be supported.

Code:
mount /boot
make dep && make clean bzImage modules modules_install
cp arch/i386/boot/bzImage /boot

you can either reboot now to make sure your kernel works or directly continue if you are sure the new kernel DOES work!!! continue with step 2b).

2a3) kernel 2.6 instructions with devfs or udev
Code:
cd /usr/src/linux
make menuconfig

Device Drivers ---> Block devices --->
<*> Loopback device support
<*> Cryptoloop Support
<*> RAM disk support
(4096) Default RAM disk size
[*] Initial RAM disk (initrd) support
[*] Support for Large Block Devices

File systems --->
<*> Minix fs support

Pseudo filesystems --->
[*] /proc file system support
[*] /dev file system support (OBSOLETE) <---- Note: As far as i know, you have to disable this to use the new udev system. you can do this, but look for the modifications at the ramdisk you will create later [choose step 2c2) instead of 2c1)]! I have NOT tested this yet for success, so i suggest to create 2 kernels and two ramdisks (one with devfs and one without) to be sure, that you at least can boot your system with devfs enabled. but i'm very sure that both methods work, cause the difference between the two options are very obvious.
[*] Automatically mount at boot

and whatever file systems you want to be supported.

Cryptographic options --->
<*> AES cipher algorithms

and whatever encryption algorithms you want to be supported.

Code:
mount /boot
make clean && make && make modules_install
cp arch/i386/boot/bzImage /boot

you can either reboot now to make sure your kernel works or directly boot from the knoppix cd if you are sure the new kernel DOES work!!! continue with step 2b).


2b) install util-linux

you can try to emerge util-linux but as i said at the beginnig there is no guarantee that it will work cause i dunno whether it is patched or not. here is the manual method:
Note: i experienced, that the util-linux from the portage tree doesn't work. you have to install it manually, cause the one from the portage tree does not contain the loop-AES patches.

if you rebooted earlier then mount /boot again.

- extract the util-linux archive into the /tmp/enc/loop-AES-v2.0d/ directory and cd into it (cd /tmp/enc/loop-AES-v2.0d/util-linux-2.12/)
- then type the following commands:
Code:
patch -p1 <../util-linux-2.12.diff
export CFLAGS=-O2
export LDFLAGS='-static -s'
./configure
make SUBDIRS="lib mount"
cd mount
install -m 4755 -o root mount umount /bin
install -m 755 losetup swapon /sbin
rm -f /sbin/swapoff && ( cd /sbin && ln -s swapon swapoff )
rm -f /usr/share/man/man8/{mount,umount,losetup,swapon,swapoff}.8.gz
install -m 644 mount.8 umount.8 losetup.8 /usr/share/man/man8
install -m 644 swapon.8 swapoff.8 /usr/share/man/man8
rm -f /usr/share/man/man5/fstab.5.gz
install -m 644 fstab.5 /usr/share/man/man5



2c) create the ramdisk (and optional the loop module)

cd .. to the loop-AES directory.

if you choosed to use the module [step 2a1)] then do the following two steps, else skip and continue with editing build-initrd.sh [2c1) OR 2c2)]:
Code:
make LINUX_SOURCE=/usr/src/linux-2.4.22-ac4
cp -p /lib/modules/2.4.22-ac4/block/loop.o /boot/loop-2.4.22-ac4.o
replace 2.4.22-ac4 with the kernel version you have.


2c1)creating the ramdisk with devfs enabled in the kernel

- edit build-initrd.sh:
- replace BOOTDEV, BOOTTYPE, CRYPTOROOT, ROOTTYPE and CYPHERTYPE with the things you want i suggest to use AES128 instead of AES256. Because of the fact that 128 isn't to hack with bruteforce, 256 isn't more safe. and 256 is about 25% slower than 128 according to some tutorials and to other people.
do NOT use the normal disk/partition descriptions (/dev/hda1 ...) in BOOTDEV and CRYPTOROOT! you have to use the dev descriptions: so for example if /dev/hda1 is your /boot partition then replace it with BOOTDEV=/dev/discs/disc0/part1 etc ...
- change USEMODULE to 0 if you choosed to patch the kernel or if you encrypt a 2.6 system. leave it at 1 if you choosed to use the module instead of patching.
- change USEPIVOT to 1.
- change USEDEVFS to 1.
- save the file.
- type sh build-initrd.sh
this will build the ramdisk and copy it over (including some tools) to /boot. again, be sure /boot is mounted!!


2c2)creating the ramdisk with devfs disabled in the kernel

- edit build-initrd.sh:
- replace BOOTDEV, BOOTTYPE, CRYPTOROOT, ROOTTYPE and CYPHERTYPE with the things you want i suggest to use AES128 instead of AES256. Because of the fact that 128 isn't to hack with bruteforce, 256 isn't more safe. and 256 is about 25% slower than 128 according to some tutorials and to other people.
in this case you can use the normal disk/partition descriptions (/dev/hda1 ...) in BOOTDEV and CRYPTOROOT.
- change USEMODULE to 0 if you choosed to patch the kernel or if you encrypt a 2.4 or 2.6 system with the kernel loop device. leave it at 1 if you choosed to use the module.
- change USEPIVOT to 1.
- change USEDEVFS to 0.
- save the file.
- type sh build-initrd.sh
this will build the ramdisk and copy it over (including some tools) to /boot. again, be sure /boot is mounted!!


2d) modifying /etc/fstab

- replace your root partition with loop5. for example if you have /dev/hda3 as root, then replace it with /dev/loop5.


2e) modifying your grub.conf

Code:
title=Gentoo/GNU Linux 1.4 Encrypted ROOT
root (hd0,0)
kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz


of course, leave other changes that you need as they are. for example if you have hdc=ide-scsi etc in your kernel line leave it where it is.
only one thing: if you have bootsplash at boot enabled and you so have the initrd on your boot partition and the line in your grub.conf then you have to remove it.
Until now i don't know how to load two ramdisks at the same time or how to merge them into one. But let me know if you have a solution for that problem!


2f) encrypting your root partition with the help of knoppix

- reboot now with your earlier burned knoppix cd. you can type knoppix 2 at boot so that X will not be loaded and you'll only get a shell. it is a little bit faster but in fact doesn't matter.
- type the following:
Code:
losetup -e AES128 -T /dev/loop0 /dev/hda2
- replace 128 with the encryption you choosed to use earlier in the build-initrd.sh and hda2 with your root partition.
- then enter a passphrase you want to use.
- then convert your root partition:
Code:
dd if=/dev/hda2 of=/dev/loop0 bs=64k conv=notrunc

don't worry this can last a few hours if your root partition is big so as long as your hdd light flashes, everything goes right.


2g) rebooting and starting with your new encrypted root partition.

- when the convertion process is finished, type reboot, remove the knoppix cd and start with the new encrypted root partition. if everything went well, it will asks you for a password while the boot process.


3. Encrypt your current root partition using a gpg encrypted key.

Lord Tocharian wrote:
I have been playing around with encryption and by using hulk2nd's great guide along with the loop-AES.README I have setup an encrypted root partition using a gpg encrypted key. I thought I would add on to his guide with how I setup my system.

All I basically did is put the loop-AES.README into an easier to read format. I would highly suggest reading the entire thing before attempting to encrypt your hard drive. Also a current backup of your hard drive definitely helps. :D


3a) Requirements:
-loop-AES-v2.0d (same as in 1. Requirements)
-latest loop-AES patch (loop-AES-v2.0d-20031226.diff.bz2)
-util-linux-2.12 (same as in 1. Requirements)
-Knoppix / Gentoo LiveCD (same as in 1. Requirements)
-gnupg-1.2.3
-aespipe-v2.2a

3b) Recompile Kernel (2.6.x Instructions Only):
Code:
cd /usr/src/linux
make menuconfig

Follow Section 2a3 with the following exceptions:
Extra things to set:
Code:
CONFIG_MODULES=y
CONFIG_KMOD=y (recommended but not required)
CONFIG_CRAMFS=n(or CONFIG_CRAMFS=m)

Differences:
Code:
CONFIG_BLK_DEV_LOOP=n

This step is VERY important! As opposed to the other guide loop support cannot be in your kernel at all, even as a module (therefore Cryptoloop Support will not be built into your kernel)!

From the loop-AES.README:
Quote:
After building and installing your new kernel, do not attempt to clean kernel tree, or rename path to kernel sources.


Follow the end of 2a3 to recompile your kernel and then optionally reboot into your new kernel (if you want to make sure it is working).

3c) Compile loop.o module for your kernel:
Code:
mkdir /tmp/enc
cd /tmp/enc
tar jxvf loop-AES-v2.0d.tar.bz2
bunzip2 loop-AES-v2.0d-20031226.diff.bz2
patch -p0 <./loop-AES-v2.0d-20031226.diff
make clean
make LINUX_SOURCE=/usr/src/linux-2.6.0-gentoo

replace 2.6.0-gentoo with the kernel version you have.

3d) Install util-linux:
Use the instructions in 2b) install util-linux

3e) Setup GPG:
Code:
cd /tmp/enc/loop-AES-v2.0d
tar zxvf gnupg-1.2.3.tar.gz
cd gnupg-1.2.3
patch -p1 <../gnupg-1.2.3.diff
CFLAGS="-O2" LDFLAGS="-static -s" ./configure --prefix=/usr --enable-static-rnd=linux
make
rm -f /usr/share/man/man1/{gpg,gpgv}.1.gz
make install
chown root:root /usr/bin/gpg
chmod 4755 /usr/bin/gpg


3f) Test loop-AES:
Code:
cd /tmp/enc/loop-AES-v2.0d
make tests

From the loop-AES.README:
Quote:
Makefile will display "*** Test results ok ***" message if tests are
completed successfully. If tests fail, do not use the driver as it is
broken.

If gpg isn't available, then tests that involve decrypting gpg encrypted key
files will fail. You can skip gpg key file tests by specifying
TEST_GPG_TYPES=n on make command line.


3g) Build aespipe program:
Code:
CFLAGS="-O2" LDFLAGS="-static -s" ./configure
make
make tests
cp -p aespipe /boot


3h) Copy kernel version specific loop.o or loop.ko (depends on your kernel version) to /boot/modules-KERNELRELEASE/
Code:
mkdir /boot/modules-2.6.0-gentoo
cp -p /lib/modules/2.6.0-gentoo/block/loop.*o /boot/modules-2.6.0-gentoo/

replace 2.6.0-gentoo with the kernel version you have.

3i) Create 64 random encryption keys and encrypt those keys using gpg.
Code:
umask 077
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a >/boot/rootkey.gpg


3j) Build /boot/initrd.gz
Follow the bottom part of 2c) create the ramdisk to setup and execute your build-initrd.sh with the following changes:
-change USEGPGKEY to 1
-leave USEMODULE set to 1
I would note that I have used both AES128 and AES256 on the same system at different times and in my desktop usage I noticed no difference between the two as far as slow down.

3k) Modify /etc/fstab
Use the same procedure as in 2d) modifying /etc/fstab

3l) Edit grub.conf / lilo.conf
Use the same procedure as in 2e) modifying your grub.conf
NOTE: if you use lilo read the top of build-initrd.sh for instructions on how to setup lilo

3m) Do the actual encryption using some sort of bootable CD:
First reboot onto Knoppix/Gentoo LiveCD or some other form of bootable CD so your root partition will not be mounted. Then do the following steps:
Code:
mkdir /mnt/tempboot
mount -r -t ext2 /dev/hda1 /mnt/tempboot

Replace /dev/hda1 with whatever your boot partition is, and change the type as well.

Finally encrypt your hard drive, this may take several hours depending on the size of your hard drive:
Code:
dd if=/dev/hda2 bs=64k \
            | /mnt/aespipe -e AES128 -K /mnt/rootkey.gpg -G / \
            | dd of=/dev/hda2 bs=64k conv=notrunc

Replace /dev/hda2 with whatever your root partition is.

Unmount and reboot onto new encrypted partition!
Code:
umount /mnt/tempboot
sync
reboot


Note: The whole step 3) has not been tested by myself, but since Lord Tocharian sucessfully used this method, before he wrote this update here, there is no doubt that it should work this way! Thanks to Lord Tocharian for writing this addon.


4. Encrypt a clean root partition while installing gentoo
installing gentoo and encrypting root from the knoppix cd

- boot your pc with the knoppix cd (type knoppix 2 at boot to get a console only).
- bring up your network and enable hdparm (optional) like it is described in the installation doc, then create your partitions and the filesystems you want.
- create your boot, swap and root partitions
- type the following:
Code:
losetup -e AES128 -T /dev/loop0 /dev/hda3
- replace 128 with the encryption you want to use and hda3 with your root partition and then enter a passphrase you want to use.
- format your root partition with the filesystem you want to use.
Code:
mkfs /dev/loop0

- format your boot and swap partition
- swapon /dev/hda2 (if you choosed to create a swap partition this is the point to mount it. replace hda2 with your actual swap partition)
- do mkdir /mnt/gentoo
- mount /dev/loop0 /mnt/gentoo
- mkdir /mnt/gentoo/boot
- mount /dev/hda1 /mnt/gentoo/boot (replace hda1 with your actual boot partition)
- continue with Step "8. Stage tarballs and chroot" from the Gentoo Installation doc.

- when you get to "15. Modifying /etc/fstab for your machine" in the gentoo install doc, go up be sure to add the changes that were mentioned in:
2d) modifying /etc/fstab

- when you get to "16. Installing the kernel and system logger", be sure to add the modifications that were meant in:
2a) (re)compile your kernel as following:

- after you did the whole "16. Installing the kernel and system logger" step, do the following steps from this doc:
2b) install util-linux
2c) create the ramdisk (and optional the loop module)

- after that, continue with step "17. Installing miscellaneous necessary packages" from the gentoo doc until you get to step "23. Configure a Bootloader".
- follow the instructions from the gentoo doc and add the changes from
2e) modifying your grub.conf

- do the end of the gentoo installation doc and everything should work after you reboot.


5. Setting up an encrypted swap partition

- first you need to swapoff your current swap partition. i will always write /dev/hda3 for the swap partition so replace hda3 with your actual partition, as usual.
Code:
swapoff /dev/hda3

- now add "loop=/dev/loop6" and "encryption=AES128" to the swap line in your /etc/fstab. for example:
Code:
/dev/hda3   none   swap   sw,loop=/dev/loop6,encryption=AES128   0 0

- if there is old unencrypted data on the swap partition, run the following commands
Code:
dd if=/dev/zero of=/dev/hda3 bs=64k conv=notrunc
mkswap /dev/hda3


That should it be. If everything went right, you should now be able to reboot and enjoy your newly encrypted root and swap partition!!!


6. How to merge the bootsplash initrd and the loop-AES initrd into one

i finally got it working to use both, the bootsplash AND the loop-AES ramdisk.
- First, mount /boot and create the bootsplash ramdisk as explained in the howto.
- i would suggest to backup both ramdisks so that you can go back to the old state when something goes wrong.
- cd /boot ant type ls to double check that the initrd-1280x1024 (bootsplash) and the initrd.gz (loop-AES) ramdisks exist.
- extract the loop-AES ramdisk and merge it with the bootsplash ramdisk into one:
Code:
gunzip initrd.gz
cat initrd-1280x1024 >>/boot/initrd
rm initrd-1280x1024

- edit your grub.conf and change initrd=/initrd.gz to initrd=/initrd to make sure that it points to your newly created ramdisk.
- umount /boot and reboot, to see the wonder of the new ramdisk :D


7. If something has gone wrong

you always have the possibility to access your (already encrypted) root drive:
- boot the knoppix cd
- type
Code:
losetup -e AES128 /dev/loop0 /dev/hda2

- as always, replace AES128 with the encryption you chosed and hda2 with your root partition
- enter the passphrase you choosed the first time
- mkdir /mnt/gentoo and mount /dev/loop0 /mnt/gentoo
- mount /dev/hda1 /mnt/gentoo/boot (or whatever your boot partition is)
- chroot /mnt/gentoo /bin/bash

now you can check all the steps you've done again if something has gone wrong, cause you have access to your boot and your root partition.


I hope i did not forget something and you understand what i wrote. again, thanks to the guys from the other encryption thread. suggestions, comments, critics etc... are welcome!


greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"


Last edited by hulk2nd on Wed May 12, 2004 10:31 am; edited 47 times in total
Back to top
View user's profile Send private message
Boris27
Guru
Guru


Joined: 05 Nov 2003
Posts: 562
Location: Almelo, The Netherlands

PostPosted: Sat Nov 22, 2003 2:19 pm    Post subject: Reply with quote

Great guide! Don't have the guts to try it out though.
Back to top
View user's profile Send private message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Wed Dec 10, 2003 10:20 pm    Post subject: Reply with quote

added 2.6 kernel support, swap partition encryption support and bootsplash-ramdisk+loop-AES-ramdisk support.

greets,
hulk
Back to top
View user's profile Send private message
Sh4d0w
n00b
n00b


Joined: 26 Nov 2003
Posts: 28

PostPosted: Mon Dec 15, 2003 12:54 am    Post subject: Reply with quote

I'm almost certain I got all the steps correct, but on bootup I now get:

RAMDISK: Compressed image found at block 0
Freeing initrd memory: 2k freed
VFS: Mount root (minix filesystem) readonly
Freeing unused kernel memory: 112k freed
Warning: unable to open an initial console.
flushing ide devices: hda hdc
System hhalted.

Any ideas?
Back to top
View user's profile Send private message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Mon Dec 15, 2003 12:57 am    Post subject: Reply with quote

did you made a clean install or did you encrypt your part. afterwards? and which kernel are you using?

greets,
hulk
Back to top
View user's profile Send private message
Sh4d0w
n00b
n00b


Joined: 26 Nov 2003
Posts: 28

PostPosted: Mon Dec 15, 2003 1:03 am    Post subject: Reply with quote

hulk2nd wrote:
did you made a clean install or did you encrypt your part. afterwards? and which kernel are you using?

greets,
hulk


That was a quick response :P Want to log onto msn maybe?

few days old install, 2.4.23 kernel compiled in, not as a module.
Back to top
View user's profile Send private message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Mon Dec 15, 2003 1:15 am    Post subject: Reply with quote

sure, why not!

two things:

did you the bootsplash/loop ramdisk merging thing? and double check your grub.conf. especially for the init-parts

kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz

if that does not help, check if you include support for every file system you use in your kernel. also look for devfs and mount devfs at boot.


greets,
hulk
Back to top
View user's profile Send private message
Sh4d0w
n00b
n00b


Joined: 26 Nov 2003
Posts: 28

PostPosted: Mon Dec 15, 2003 1:17 am    Post subject: Reply with quote

No, I didnt do the merging part.

This is my grub.conf:

Code:

default 0
timeout 5

title=Linux
root (hd0,0)
kernel (hd0,0)/boot/bzImage root=/dev/hda3

title=Linux
root (hd0,0)
kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz
Back to top
View user's profile Send private message
Sh4d0w
n00b
n00b


Joined: 26 Nov 2003
Posts: 28

PostPosted: Mon Dec 15, 2003 1:20 am    Post subject: Reply with quote

Just rebooted and couldnt see anything about devfs, alot of it went by far too quickly though to see. Gotta run for a bit ,back in 45.
Back to top
View user's profile Send private message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Mon Dec 15, 2003 1:28 am    Post subject: Reply with quote

be sure to add these options to your kernel:


[*] /dev file system support (EXPERIMENTAL)
[*] Automatically mount at boot
Back to top
View user's profile Send private message
Sh4d0w
n00b
n00b


Joined: 26 Nov 2003
Posts: 28

PostPosted: Mon Dec 15, 2003 1:55 am    Post subject: Reply with quote

hulk2nd wrote:
be sure to add these options to your kernel:


[*] /dev file system support (EXPERIMENTAL)
[*] Automatically mount at boot


Whoops, after enabling that everything seems to be working great. Good tutorial :)
Back to top
View user's profile Send private message
BarryJ
n00b
n00b


Joined: 13 Apr 2003
Posts: 72
Location: Wisconsin, USA

PostPosted: Mon Dec 15, 2003 5:43 am    Post subject: Reply with quote

Great tutorial! Gonna try this when I get the nerve.

P.S. Richard Dean Anderson is awesome! Did you know about Young Macgyver? Unfortunately the WB didn't pick it up :cry: .
Back to top
View user's profile Send private message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Mon Dec 15, 2003 9:12 pm    Post subject: Reply with quote

BarryJ wrote:
P.S. Richard Dean Anderson is awesome! Did you know about Young Macgyver? Unfortunately the WB didn't pick it up :cry: .


hi there,

no i've actually never heard of the young macgyver. i would really like to see a picture. but i hardly can belive that he is able do invent that many incredible machines like "the old macgyver" is able to. and that he can beat every enemy while staying THAT polite!!!! :D

greets,
hulk
Back to top
View user's profile Send private message
Qweasda
Apprentice
Apprentice


Joined: 04 Feb 2003
Posts: 152

PostPosted: Thu Dec 18, 2003 12:52 am    Post subject: Reply with quote

I'm probably going to try this on my new computer when all it's parts arrive.
A question though. I read a bit about encryption and apprently it keeps everything in RAM encrypted, and decrypts it in RAM as it's being used. Does this process take up memory? How much about? Does it slow things down, or will it not be noticible?
Back to top
View user's profile Send private message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Thu Dec 18, 2003 12:55 pm    Post subject: Reply with quote

i bet it does slow down things, but unitl now i don't have experienced speed differences between before and after encryption. as far as i know, only the ram disk is in ram but that is only a few kb. it really doesn't matter. but im not 100% sure about that.

greets,
hulk
Back to top
View user's profile Send private message
femtotech
n00b
n00b


Joined: 19 Dec 2002
Posts: 23

PostPosted: Thu Dec 18, 2003 3:42 pm    Post subject: speed Reply with quote

AFAIK, the data in RAM is not encrypted. Data on the hard drive and data written to swap is encrypted but the RAM access is handled normally. This is not much of a problem though since the RAM is cleared at power off and old data isn't recoverable.

As far as the speed goes, my system is basically as fast as before encryption. Programs load as fast, games run the same. The only time you notice the encryption is in transferring large files between drives -- there is about a 25% processor usage (2GHz Athlon, transferring between u160 SCSI drives).

A cool thing to do if you have a USB bootable motherboard is have your /boot partition on a USB pen drive, then
everything on your hard disks would be encrypted (as opposed to an unencrypted boot on the drive). Unfortunately, my nForce 2 board does not have this feature.
Back to top
View user's profile Send private message
Qweasda
Apprentice
Apprentice


Joined: 04 Feb 2003
Posts: 152

PostPosted: Fri Dec 19, 2003 12:15 am    Post subject: Reply with quote

Sorry, made a typo, meant to say that everything on the hard drive (not RAM) is encrypted and it decrypts it in RAM.

If I do this, it will be for a home server (web, ftp, file and other) that will be up 24/7. Will the RAM get more clogged as time goes on or does it compensate? It will only have 256mb of pc100 RAM per node, which brings me to another question. It's a 4u setup with 4 SBC motherboards with 733mhz P3's. 3 of these will be diskless thin clients to one fat client with a 180gb HD. These clients won't have any troubles will they? (btw, I'm going to use openMosix clustering also, if that matters)
Thanks.
Back to top
View user's profile Send private message
femtotech
n00b
n00b


Joined: 19 Dec 2002
Posts: 23

PostPosted: Fri Dec 19, 2003 2:30 pm    Post subject: encryption Reply with quote

I haven't read the code to figure out exactly what the encryption utilities are doing, but it's probably using a minimal amount of RAM to decrypt your data which is then stored (decrypted) in memory as normal.

On my personal box I've had no noticable differences in memory usage when using loopback 256bit AES as compared to no encryption(uptimes up to a month, 512MB). My IDS box running snort, ACID, apache, and ssh had a 163 day uptime until I rebooted for a kernel upgrade yesterday, and it was still running as quick as ever (1GB).

I doubt you'd see any real memory usage increases on your cluster. The only thing to keep in mind is the increased processor usage when transferring large files across a fast link, but even this is fine for the added security.
Back to top
View user's profile Send private message
deadaim
Guru
Guru


Joined: 27 Oct 2003
Posts: 467
Location: Florida

PostPosted: Fri Dec 19, 2003 4:27 pm    Post subject: Reply with quote

Pardon me for asking the "noob" question, but what are the benefits of encrypting your swap filesystem? Is it recommended to do this?

Thanks in advance.
Back to top
View user's profile Send private message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Fri Dec 19, 2003 4:45 pm    Post subject: Reply with quote

as you know, even if cou can't boot a computer cause you don't have the root or the user password, you can connect the hard drive to another computer and read the data from there. with an encrypted filesystem this is impossible unless you know the encryption password etc ...
and if the encryption is high or/and secure enough, you can't hack it by bruteforce or other methods.
of course, the way i describe it here is not the safest possible one. but there is a point where you have to think if more security steps are really needed.
i personally own a laptop and thats the reason why i encrypted my partitions cause i don't want other people to be able to read my data if i lose my laptop or if it gets stolen.

greets,
hulk
Back to top
View user's profile Send private message
deadaim
Guru
Guru


Joined: 27 Oct 2003
Posts: 467
Location: Florida

PostPosted: Fri Dec 19, 2003 4:51 pm    Post subject: Reply with quote

hulk2nd wrote:
as you know, even if cou can't boot a computer cause you don't have the root or the user password, you can connect the hard drive to another computer and read the data from there. with an encrypted filesystem this is impossible unless you know the encryption password etc ...
and if the encryption is high or/and secure enough, you can't hack it by bruteforce or other methods.
of course, the way i describe it here is not the safest possible one. but there is a point where you have to think if more security steps are really needed.
i personally own a laptop and thats the reason why i encrypted my partitions cause i don't want other people to be able to read my data if i lose my laptop or if it gets stolen.

greets,
hulk


Sweet, I'm going to buy a laptop soon...now I know to encrypt the partitions. Thanks!
Back to top
View user's profile Send private message
S_aIN_t
Guru
Guru


Joined: 11 May 2002
Posts: 488
Location: Ottawa

PostPosted: Fri Dec 19, 2003 5:59 pm    Post subject: Reply with quote

an interesting topic came up on the linux-crypto mailing list.
Quote:

> Is there a point to using loop-AES with kernel-2.6? CryptoAPI is in the kernel.
> Why not just use it?

1) Loop-AES is about twice as fast on modern x86 boxes.
2) Kernel 2.6 cryptoloop will not work properly with encrypted swap.
Encrypted swap needs memory pre-allocation.
3) kerneli.org and mainline versions are more than two years behind in
security. Both have exploitable vulnerability that is best described as
back door.
4) Uncounted number of bugs fixed in loop-AES that still bite mainline.
5) If Andrew Morton's loop changes get merged to mainline loop, kernel 2.6
cryptoloop will no longer work reliably with journaled file systems.
(same why reason I don't recommend using journaled file systems with
file backed loops)


So, this means that even if you're running kernel 2.6 you still should patch it with loop-AES. I haven't tried patching 2.6 with the new loop-AES. But it is possible. This is the announcement from the linux-crypto mailing list:
Quote:

loop-AES changes since previous release:
- Fixed util-linux patch so it compiles on boxes where C library is compiled
against 2.6 kernel headers.
- Fixed SMP race that could corrupt data if all following conditions are
met: (1) loop device is in multi-key mode, (2) SMP or UP+PREEMPT box, (3)
shared writable mappings to a file, (4) memory mapped file data modified
at same time as that same data is being encrypted inside loop transfer
function, and (5) unclean shutdown so that re-dirtied page won't get
written again.

bzip2 compressed tarball is here:

http://loop-aes.sourceforge.net/loop-AES/loop-AES-v2.0c.tar.bz2
md5sum 8ef53cb6783a57f0476517896ce59990

http://loop-aes.sourceforge.net/loop-AES/loop-AES-v2.0c.tar.bz2.sign


Additional ciphers package changes since previous release:
- Fixed SMP race in loop_twofish and loop_serpent modules that could corrupt
data if all following conditions are met: (1) loop device is in multi-key
mode, (2) SMP or UP+PREEMPT box, (3) shared writable mappings to a file,
(4) memory mapped file data modified at same time as that same data is
being encrypted inside loop transfer function, and (5) unclean shutdown so
that re-dirtied page won't get written again.

bzip2 compressed tarball is here:

http://loop-aes.sourceforge.net/ciphers/ciphers-v2.0c.tar.bz2
md5sum 6b40e4a1c172560e059d9439fa73942d

http://loop-aes.sourceforge.net/ciphers/ciphers-v2.0c.tar.bz2.sign

--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/

_________________
"That which is overdesigned, too highly
specific, anticipates outcome; the anicipation of
outcome guatantees, if not failure, the
absence of grace."
- William Gibson, "All Tomorrow's Parties"
----
http://petro.tanreisoftware.com
Back to top
View user's profile Send private message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Fri Dec 19, 2003 6:47 pm    Post subject: Reply with quote

this sounds very interesting. i will try that and update the tutorial. big thanks for that information!

btw, i dunno why, but they removed version c. there is onle b and d in http://loop-aes.sourceforge.net/ciphers/ and in http://loop-aes.sourceforge.net/loop-AES/

greets,
hulk
Back to top
View user's profile Send private message
hulk2nd
Guru
Guru


Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

PostPosted: Fri Dec 19, 2003 7:09 pm    Post subject: Reply with quote

ahh, there is no need to patch the kernel. first, the archive isn't a patch anyway, it just builds the module. and second, this only updates serpent, twofish and blowfish encryption, i think. cause it builds only loop_twofish.o, loop_blowfish.o and loop_serpent.o. and since we use aes, i don't think we need to build these modules.

greets,
hulk
Back to top
View user's profile Send private message
Death Valley Pete
n00b
n00b


Joined: 25 Mar 2003
Posts: 49
Location: The Inland Empire

PostPosted: Sat Dec 20, 2003 1:40 am    Post subject: Reply with quote

Holy wow.

I tried it (with 256-bit encryption because I'm a tad OCD) with kernel 2.6.0 final. It works. I've been waiting for a guide to come out for a couple of months now, and hulk2nd, thank you very much.

I've already upgraded loop-aes (basically, repeat steps 2b and 2c) from 2.0c to 2.0d.

I'm thinking that when I upgrade my kernel (down the road) it will just be a matter of repacing the bzImage and that's it. Does that sound right?

Now I just need to figure out how to make this work with a gpg key on a usb stick... when and if I get the money for that I'll probably give it a shot. If anybody wanted to write a howto for that that would be even cooler.

I'm not sure I have the expertise to write an ebuild for the modified util-linux, but if I (or somebody) did would it be an appropriate thing to put into portage?

Perhaps you should submit the whole clean install onto an encrypted partition procedure to the alternative install guide.

Anyway, good work!
_________________
<instert pithy statement here>
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page 1, 2, 3, 4, 5, 6, 7, 8  Next
Page 1 of 8

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum