Gentoo Forums
[HOWTO] root, swap filesystem encryption for 2.4 and 2.6
Forum: Documentation, Tips & Tricks
discomfitor (l33t)
Posted: Sat Dec 20, 2003 1:56 pm

Have you tested it with udev?
_________________
There is no substitute for experience.
Imperfection indicates a lack of effort.
hulk2nd (Guru)
Posted: Sat Dec 20, 2003 3:04 pm

Death Valley Pete wrote:
Holy wow.

I tried it (with 256-bit encryption because I'm a tad OCD) with kernel 2.6.0 final. It works. I've been waiting for a guide to come out for a couple of months now, and hulk2nd, thank you very much.

I've already upgraded loop-aes (basically, repeat steps 2b and 2c) from 2.0c to 2.0d.

I'm thinking that when I upgrade my kernel (down the road) it will just be a matter of replacing the bzImage and that's it. Does that sound right?

Now I just need to figure out how to make this work with a gpg key on a usb stick... when and if I get the money for that I'll probably give it a shot. If anybody wanted to write a howto for that that would be even cooler.

I'm not sure I have the expertise to write an ebuild for the modified util-linux, but if I (or somebody) did would it be an appropriate thing to put into portage?

Perhaps you should submit the whole clean install onto an encrypted partition procedure to the alternative install guide.

Anyway, good work!
Maybe I will add GPG and the USB stick thing to the howto. I already have some experience with that.

greets,
hulk
Gentoo Server (Apprentice)
Posted: Sat Dec 20, 2003 10:55 pm

This is the power of Gentoo:
one helps the other.

:P
Lord Tocharian (Tux's lil' helper)
Posted: Thu Dec 25, 2003 3:27 pm

First thanks a lot for your guide, it was very helpful. I have all of my partitions encrypted with the exception of /boot and I really don't notice any slowdown at all.

I know I would also greatly appreciate it if you added some information about working with gpg/a usb stick. I don't think there is as much information about that on the internet and I am trying to figure out what is the correct way to do it. Thanks :D
hulk2nd (Guru)
Posted: Thu Dec 25, 2003 5:23 pm

You are welcome!
Yesterday I ordered a Sony Memory Stick on eBay (because my Vaio has a Memory Stick reader), and guess why I bought it :P As soon as it arrives and I have got it working, I will post a message here. It is not hard at all, I think!

greets,
hulk
Lord Tocharian (Tux's lil' helper)
Posted: Sun Dec 28, 2003 1:24 am

I have been playing around with encryption and by using hulk2nd's great guide along with the loop-AES.README I have setup an encrypted root partition using a gpg encrypted key. I thought I would add on to his guide with how I setup my system.

All I basically did is put the loop-AES.README into an easier to read format. I would highly suggest reading the entire thing before attempting to encrypt your hard drive. Also a current backup of your hard drive definitely helps. :D

7. Encrypt your current root partition using a gpg encrypted key.

7a) Requirements:
-loop-AES-v2.0d (same as in 1. Requirements)
-latest loop-AES patch (loop-AES-v2.0d-20031226.diff.bz2)
-util-linux-2.12 (same as in 1. Requirements)
-Knoppix / Gentoo LiveCD (same as in 1. Requirements)
-gnupg-1.2.3
-aespipe-v2.2a

7b) Recompile Kernel (2.6.x Instructions Only):
Code:
cd /usr/src/linux
make menuconfig

Follow Section 2a3 with the following exceptions:
Extra things to set:
Code:
CONFIG_MODULES=y
CONFIG_KMOD=y (recommended but not required)
CONFIG_CRAMFS=n (or CONFIG_CRAMFS=m)

Differences:
Code:
CONFIG_BLK_DEV_LOOP=n

This step is VERY important! As opposed to the other guide, loop support cannot be in your kernel at all, not even as a module (therefore cryptoloop support will not be built into your kernel)!

From the loop-AES.README:
Quote:
After building and installing your new kernel, do not attempt to clean kernel tree, or rename path to kernel sources.


Follow the end of 2a3 to recompile your kernel and then optionally reboot into your new kernel (if you want to make sure it is working).

7c) Compile loop.o module for your kernel:
Code:
mkdir /tmp/enc
cd /tmp/enc
tar jxvf loop-AES-v2.0d.tar.bz2
bunzip2 loop-AES-v2.0d-20031226.diff.bz2
patch -p0 <./loop-AES-v2.0d-20031226.diff
make clean
make LINUX_SOURCE=/usr/src/linux-2.6.0-gentoo

replace 2.6.0-gentoo with the kernel version you have.

7d) Install util-linux:
Use the instructions in 2b) install util-linux

7e) Setup GPG:
Code:
cd /tmp/enc/loop-AES-v2.0d
tar zxvf gnupg-1.2.3.tar.gz
cd gnupg-1.2.3
patch -p1 <../gnupg-1.2.3.diff
CFLAGS="-O2" LDFLAGS="-static -s" ./configure --prefix=/usr --enable-static-rnd=linux
make
rm -f /usr/share/man/man1/{gpg,gpgv}.1.gz
make install
chown root:root /usr/bin/gpg
chmod 4755 /usr/bin/gpg


7f) Test loop-AES:
Code:
cd /tmp/enc/loop-AES-v2.0d
make tests

From the loop-AES.README:
Quote:
Makefile will display "*** Test results ok ***" message if tests are
completed successfully. If tests fail, do not use the driver as it is
broken.

If gpg isn't available, then tests that involve decrypting gpg encrypted key
files will fail. You can skip gpg key file tests by specifying
TEST_GPG_TYPES=n on make command line.


7g) Build aespipe program:
Code:
cd /tmp/enc
# the aespipe tarball from 7a), downloaded into /tmp/enc
tar jxvf aespipe-v2.2a.tar.bz2
cd aespipe-v2.2a
CFLAGS="-O2" LDFLAGS="-static -s" ./configure
make
make tests
cp -p aespipe /boot


7h) Copy kernel version specific loop.o to /boot/modules-KERNELRELEASE/
Code:
mkdir /boot/modules-2.6.0-gentoo
cp -p /lib/modules/2.6.0-gentoo/block/loop.*o /boot/modules-2.6.0-gentoo/loop.o

replace 2.6.0-gentoo with the kernel version you have.

7i) Create 64 random encryption keys and encrypt those keys using gpg.
Code:
umask 077
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a >/boot/rootkey.gpg


7j) Build /boot/initrd.gz
Follow the bottom part of 2c) create the ramdisk to setup and execute your build-initrd.sh with the following changes:
-change USEGPGKEY to 1
-leave USEMODULE set to 1

I would note that I have used both AES128 and AES256 on the same system at different times and in my desktop usage I noticed no difference between the two as far as slowdown.

7k) Modify /etc/fstab
Use the same procedure as in 2d) modifying /etc/fstab

7l) Edit grub.conf / lilo.conf
Use the same procedure as in 2e) modifying your grub.conf
NOTE: if you use lilo read the top of build-initrd.sh for instructions on how to setup lilo

7m) Do the actual encryption using some sort of bootable CD:
First reboot onto Knoppix/Gentoo LiveCD or some other form of bootable CD so your root partition will not be mounted. Then do the following steps:
Code:
mkdir /mnt/tempboot
mount -r -t ext2 /dev/hda1 /mnt/tempboot

Replace /dev/hda1 with whatever your boot partition is, and change the type as well.

Finally encrypt your hard drive, this may take several hours depending on the size of your hard drive:
Code:
# aespipe and rootkey.gpg are read from the boot partition mounted
# read-only at /mnt/tempboot in the previous step
dd if=/dev/hda2 bs=64k \
            | /mnt/tempboot/aespipe -e AES128 -K /mnt/tempboot/rootkey.gpg -G / \
            | dd of=/dev/hda2 bs=64k conv=notrunc

Replace /dev/hda2 with whatever your root partition is.

Unmount and reboot onto new encrypted partition!
Code:
umount /mnt/tempboot
sync
reboot
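An added example, not part of Lord Tocharian's post and not code from the loop-AES package: steps 7i and 7m of the procedure above as shell functions, with the pre-flight checks worth running before the destructive in-place rewrite. The filter in the dd pipeline is pluggable, so the in-place mechanism can be exercised on a scratch file with a toy transform (rot13 via tr) before it is run for real with aespipe against a block device. Assumptions, all mine: the key file is produced as 64 lines of 90 hex characters (45 random bytes per line) from /dev/urandom with od and awk, instead of the post's uuencode -m base64 lines from /dev/random; loop-AES hashes each line, but check the key-file rules in loop-AES.README before relying on this variant. The gpg command is the one from 7i, the boot mount point defaults to /mnt/tempboot from 7m, and aespipe's -e, -K and -G options are used exactly as in 7m. The function names (gen_keyfile, check_keyfile, encrypt_keyfile, device_is_mounted, inplace_rewrite, encrypt_root) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the forum post or loop-AES): steps 7i and 7m as
# functions, plus the checks that are worth running before the in-place
# encryption that cannot be undone.

# Step 7i variant: 64 random keys, one per line, 45 random bytes (90 hex
# chars) each. The post uses "uuencode -m" (base64) on /dev/random; this
# uses od/awk so it runs on any POSIX box. Assumption: loop-AES accepts any
# text line as key material (it hashes each line), see loop-AES.README.
gen_keyfile() {
    ( umask 077
      dd if=/dev/urandom bs=2880 count=1 2>/dev/null \
        | od -An -tx1 -v | tr -d ' \n' \
        | awk '{ for (i = 1; i <= length($0); i += 90) print substr($0, i, 90) }' \
        > "$1" )
}

# Sanity check before gpg-encrypting: exactly 64 lines, none short or empty.
# A truncated key file here is how you end up with an unbootable root.
check_keyfile() {
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 64 ] \
      && awk 'BEGIN { bad = 0 } length($0) < 20 { bad = 1 } END { exit bad }' "$1"
}

# Same gpg command as step 7i; needs a terminal for the passphrase prompt.
encrypt_keyfile() {
    gpg --symmetric -a < "$1" > "$2"
}

# Encrypting a mounted filesystem in place destroys it, so refuse.
device_is_mounted() {
    grep -q "^$1 " /proc/mounts 2>/dev/null
}

# In-place streaming rewrite: $1 is the device (or a scratch file), the rest
# is the filter command. conv=notrunc keeps the writing dd from truncating
# the target; the reading dd always stays ahead of the writing one because
# the writer can only emit blocks the reader has already delivered.
inplace_rewrite() {
    dev=$1; shift
    dd if="$dev" bs=64k 2>/dev/null | "$@" | dd of="$dev" bs=64k conv=notrunc 2>/dev/null
}

# Step 7m: run from a live CD with the boot partition mounted read-only at
# $2 (the post uses /mnt/tempboot). $3 is AES128 or AES256 and must match
# what build-initrd.sh was configured with.
encrypt_root() {
    root=$1 bootmnt=$2 cipher=${3:-AES128}
    if device_is_mounted "$root"; then
        echo "$root is mounted; boot a live CD first" >&2; return 1
    fi
    [ -x "$bootmnt/aespipe" ] || { echo "no aespipe in $bootmnt" >&2; return 1; }
    [ -s "$bootmnt/rootkey.gpg" ] || { echo "no rootkey.gpg in $bootmnt" >&2; return 1; }
    inplace_rewrite "$root" "$bootmnt/aespipe" -e "$cipher" -K "$bootmnt/rootkey.gpg" -G /
}
```

Usage for the real run: `gen_keyfile key.txt; check_keyfile key.txt && encrypt_keyfile key.txt /boot/rootkey.gpg`, then from the live CD `encrypt_root /dev/hda2 /mnt/tempboot AES128`. Unlike the one-liner in 7i, this writes the plaintext keys to a file before gpg sees them, so keep that file on tmpfs or a floppy you will destroy and remove it as soon as rootkey.gpg exists; a dry run of inplace_rewrite with `tr` on a scratch file shows the in-place pipeline working before you point it at a partition.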
hulk2nd (Guru)
Posted: Sun Dec 28, 2003 4:51 am

Wow, this is awesome!
Thanks for these additions! Of course I will update the howto with this information (btw, thank you for keeping the same "layout" as the original howto, this makes it much easier). I'm sure several people are very interested in this!

So big thanks again for the great work you have done here!!

greets,
hulk
innocentbeats (Tux's lil' helper)
Posted: Sun Dec 28, 2003 8:32 pm

Hi, thank you for this interesting guide.

I have another question: I just want to encrypt one partition or filesystem, where I can "host" the home directory, for example.
I used the search function, but I did not find good results for the 2.6 kernel. I have the cryptoloop function compiled in. What steps do I have to take?

CU
Chris
hulk2nd (Guru)
Posted: Sun Dec 28, 2003 11:16 pm

As far as I know you can even encrypt only one directory, but I haven't done this yet. Have a look at the loop-AES README or try Google.

greets,
hulk
innocentbeats (Tux's lil' helper)
Posted: Sun Dec 28, 2003 11:24 pm

Searching Google, I found this little howto:

http://www.ece.cmu.edu/~rholzer/cryptoloop_mini_howto.html

which is exactly what I was looking for, but when I type this command

Code:
losetup -e aes-256 /dev/loop0 /dev/sda1

I get the error that the cipher is unknown, although it is definitely compiled into the kernel and it can be seen in /proc/cryp as well.

CU
Chris
hulk2nd (Guru)
Posted: Sun Dec 28, 2003 11:28 pm

Either boot with Knoppix or do step 2b). The util-linux from the portage tree does not work with AES until you have patched it.

greets,
hulk
Lord Tocharian (Tux's lil' helper)
Posted: Mon Dec 29, 2003 12:49 am

I wanted to post an update regarding encryption using a gpg encrypted key. After some reading I have not found a way to use the key to encrypt swap with. Therefore it seems that swap is encrypted the same way as normal (step 4) in hulk2nd's guide, which works fine.
hulk2nd (Guru)
Posted: Mon Dec 29, 2003 2:49 am

Have a look at this: http://www.sdc.org/~leila/usb-dongle/readme.html#doc_chap8. I actually could not see what it does; maybe you can see it. The guide seems to be incomplete, but at least the swap encryption part looks complete.

greets,
hulk
ZaCi (n00b)
Posted: Mon Dec 29, 2003 5:01 pm

Is it possible to easily encrypt partitions other than root or boot? How?
hulk2nd (Guru)
Posted: Fri Jan 02, 2004 5:11 am

Sure, have a look at the link innocentbeats posted before:
http://www.ece.cmu.edu/~rholzer/cryptoloop_mini_howto.html
This should suit your needs.

greets,
hulk
hulk2nd (Guru)
Posted: Sat Jan 03, 2004 4:05 pm

So I'm right back from holidays and finally got my memory stick, but unfortunately I can't boot from it. Obviously I can't boot from any external device like a USB stick. That is really bad, but that's how it is, so no update for the howto in this case, at least from my side.

greets,
hulk
TPC (Tux's lil' helper)
Posted: Sun Jan 04, 2004 4:52 pm

I messed it up :(
I must have made the same typo twice while entering the passphrase, because it doesn't work. I tried all common typos of that password that I can think of. I just can't get access to the root partition.
I probably have to re-install... but I'm just making sure that there isn't something I can do.
hulk2nd (Guru)
Posted: Sun Jan 04, 2004 6:19 pm

Hmm, that is strange, because you have to type the passphrase twice if you used the parameter 'T' in the losetup command. What error do you get? Does it also not work with the Knoppix CD? (Maybe there is another keyboard layout.)
Maybe you had Caps Lock or Num Lock enabled?
TPC (Tux's lil' helper)
Posted: Sun Jan 04, 2004 6:23 pm

Oh, you're right! A different keyboard layout! Why didn't I think of that? Thanks!
hulk2nd (Guru)
Posted: Sun Jan 04, 2004 6:35 pm

No problem!
Have a look at build-initrd.sh. You can enable the option to use another keyboard layout. It's not hard at all: just enable that option and copy the layout over to your /boot partition and you are done.

greets,
hulk
phlef (n00b)
Posted: Sat Jan 10, 2004 6:50 pm

Lord Tocharian wrote:
I have been playing around with encryption and by using hulk2nd's great guide along with the loop-AES.README I have setup an encrypted root partition using a gpg encrypted key. I thought I would add on to his guide with how I setup my system.

All I basically did is put the loop-AES.README into an easier to read format. I would highly suggest reading the entire thing before attempting to encrypt your hard drive. Also a current backup of your hard drive definitely helps. :D

7. Encrypt your current root partition using a gpg encrypted key.


Is there a way that the encrypted Root FS does not need a password? For instance, I already have my gpg Private Key on floppy, is there a way that the boot process verifies that the floppy in the drive has the proper gpg key and decrypts the FS w/o user intervention enabling me to unlock the FS by inserting the floppy before PowerOn? Thus allowing me to restart the Server remotely as long as the floppy is in the Server's Drive?
_________________
There are 10 types of people on Earth.
Those who know BINARY and those who don't.
braindead0 (Tux's lil' helper)
Posted: Tue Jan 13, 2004 8:06 pm

You'll find that the gpg key on your floppy is your private key and encrypted using your passphrase.

Otherwise, anybody who has the floppy could access your system... not good security.
viperlin (Veteran)
Posted: Tue Jan 13, 2004 9:15 pm

I've got cryptoloop set up :-)

but when mounting my backup DVDs (yes, correct password, I have the correct cipher set :-))

Code:
$ mount /mnt/ecd
Password:
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
       or too many mounted file systems
       (could this be the IDE device where you in fact use
       ide-scsi so that sr0 or sda or so is needed?)
$

Sadly the "auto" filesystem type does not seem to work with cryptoloop anymore.

fstab entry:

Code:
/dev/sr0                /mnt/ecd        udf            defaults,user,noauto,encryption=aes-256,itercountk=100 0 0

EDIT:
latest fstab entry:
Code:
/dev/sr0                /mnt/ecd        auto            defaults,user,noauto,encryption=aes-256          0 0

Seems better, but now I get:
Code:
mount: /dev/loop0: can't read superblock
braindead0 (Tux's lil' helper)
Posted: Sat Jan 17, 2004 11:04 pm

I followed the instructions and double-checked everything; after the ramdisk loads I get an error that VFS can't open /dev/ram0:

Code:
RAMDISK: Compressed image found at block 0
VFS: Cannot open root device "ram0" or ram0
Please append a correct "root=" boot option

I tried without the root=/dev/ram0 option, and with root=/dev/loop5, with no luck on that front. I double-checked my kernel config (2.6.1) and I've got all the options specified, triple-checked ram disk support and initrd support, both are as they should be (with automount option).

Could this have anything to do with me running SCSI drives?

Any suggestions? Luckily I'm doing this on my laptop.

**** Scratch all that above, found the problem. In my grub.conf I had incorrectly specified the minux filesystem instead of minix! ;-)

Typed linux way too many times I think... Booting up like a champ now. Perhaps this message will help somebody else.
braindead0 (Tux's lil' helper)
Posted: Sat Jan 17, 2004 11:18 pm

Which leads to another question, how come /dev/loop/5 is shown twice when running mount (or df for that matter)?

I've only got one line in fstab mounting it... should that be removed because the initrd does the mount?
All times are GMT
Page 2 of 8