Gentoo Forums
[HOWTO] root, swap filesystem encryption for 2.4 and 2.6
Gentoo Forums Forum Index: Documentation, Tips & Tricks
hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Sun Jan 18, 2004 10:39 pm

hi there,
i'm terribly sorry, but my gentoo is broken atm, so i can't answer some questions. you know, nearly always you have to sit in front of your computer to understand a problem and that is sadly impossible for me atm. hopefully there's somebody else out there who can help you.

@viperlin
for me this looks as if you forgot either to include the filesystem of your root partition or devfs support. i would check the kernel config and the build-initrd.sh again. which method did you choose?

greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
viperlin
Veteran

Joined: 15 Apr 2003
Posts: 1319
Location: UK

Posted: Sun Jan 18, 2004 10:55 pm

erm, none, if you read the post you would know i'm trying to read an encrypted DVD, i can read other DVDs so i have filesystem support.
i have no initrd as i don't use encrypted filesystems for hard drives on this PC, only my old backups.

trying not to sound insulting but, well. :roll:
hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Mon Jan 19, 2004 10:18 am

oh indeed, sorry about that!
ok then did you have a look at this tutorial? i saw it once so maybe this could help you!

greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
viperlin
Veteran

Joined: 15 Apr 2003
Posts: 1319
Location: UK

Posted: Mon Jan 19, 2004 6:00 pm

hulk2nd wrote:
oh indeed, sorry about that!
ok then did you have a look at this tutorial? i saw it once so maybe this could help you!

greets,
hulk


yep it gave me the original idea, but thanks :-) i'll keep experimenting
revoohc
Tux's lil' helper

Joined: 12 Oct 2002
Posts: 128

Posted: Wed Jan 21, 2004 1:25 am

I need some help. I followed the instructions for building a clean encrypted system. I have used a 2.6 kernel (gentoo-dev-sources) and everything seemed to go well. However, when I try to boot into gentoo, it does not accept my password. Any ideas what might be going on? I can boot back into Knoppix and am able to load the encrypted root file system w/o a problem.

Any advice would be appreciated.

Thanks,

revoohc
hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Wed Jan 21, 2004 1:34 pm

maybe you used another keyboard layout in knoppix than the default one that is chosen when booting into gentoo?

what is the exact error message you get?


greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
kritip
n00b

Joined: 03 Jan 2004
Posts: 56
Location: Nuneaton, Warks, UK

Posted: Wed Jan 21, 2004 6:05 pm

The latest util-linux in portage, util-linux-2.12-r4.ebuild, has the following references:


Code:
IUSE="crypt nls static pam selinux"


Code:
CRYPT_PATCH_P="${P}-cryptoapi-losetup"
SELINUX_PATCH="util-linux-2.12-selinux.diff.bz2"
DESCRIPTION="Various useful Linux utilities"
SRC_URI="mirror://kernel/linux/utils/${PN}/${P}.tar.gz
        ftp://ftp.cwi.nl/pub/aeb/${PN}/${P}.tar.gz
        crypt? ( mirror://gentoo/${CRYPT_PATCH_P}.patch.bz2 )"
HOMEPAGE="http://www.kernel.org/pub/linux/utils/util-linux/"


If i have crypt in my global USE flags, then will the encryption patch be applied to the install, or is this something different??

I may be starting to encrypt my PC, so i may give the standard portage util-linux a go unless anyone corrects me, and this is to do with something completely different??!!

Cheers,

Kristian
_________________
Signature?? I don't want a signature!
hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Wed Jan 21, 2004 8:28 pm

i'm nearly sure that is not the needed patch. you can try that easily: emerge util-linux and then type losetup. keep the output in your mind or on another console and then install util-linux after the tutorial (by hand) and type losetup. if the one installed by hand gives you another output (a few more options and a few more lines) then it is still needed to install it by hand. otherwise use the one from the portage tree.

greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
kritip
n00b

Joined: 03 Jan 2004
Posts: 56
Location: Nuneaton, Warks, UK

Posted: Wed Jan 21, 2004 9:03 pm

hulk2nd wrote:
i'm nearly sure that is not the needed patch. you can try that easily: emerge util-linux and then type losetup. keep the output in your mind or on another console and then install util-linux after the tutorial (by hand) and type losetup. if the one installed by hand gives you another output (a few more options and a few more lines) then it is still needed to install it by hand. otherwise use the one from the portage tree.

greets,
hulk


Yep, i think you are correct, so i have gone ahead and manually patched and installed it. Got a quick question though, at present i have the following entry in grub.conf:
Code:
title Gentoo Testing (2.6.1-mm5)
root    (hd0,0)
kernel  (hd0,0)/boot/2.6.1-mm5 root=/dev/hde3 vga=792


and the guide states to change it to:

Code:
title=Gentoo/GNU Linux 1.4 Encrypted ROOT
root (hd0,0)
kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz


so do i omit the /boot/2.6.1-mm5 and just change it to /bzImage??

I presume the kernel is the one i have built but will not be mounted under /boot so should i have /2.6.1-mm5 ??


IE. To this:
Code:
title Gentoo Testing Encrypted (2.6.1-mm5)
root    (hd0,0)
kernel  (hd0,0)/2.6.1-mm5 root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz

Cheers for your help, and please forgive my lack of knowledge, i just want to check that I'm gonna do this right!! ;)

Cheers,

Kristian
_________________
Signature?? I don't want a signature!
hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Wed Jan 21, 2004 9:28 pm

i think you can leave the kernel part as it is. i assume you use genkernel? i have no experience with that, but if you compile your kernel on your own, it is always kernel (hd0,0)/bzImage or kernel (hd0,0)/boot/bzImage. it does not make any difference if you have the /boot in the line or not.

so, i think it is ok the way it is already. changes according to the place of your kernel are not needed for the whole encryption thing.


greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
kritip
n00b

Joined: 03 Jan 2004
Posts: 56
Location: Nuneaton, Warks, UK

Posted: Wed Jan 21, 2004 9:34 pm

hulk2nd wrote:
i think you can leave the kernel part as it is. i assume you use genkernel? i have no experience with that, but if you compile your kernel on your own, it is always kernel (hd0,0)/bzImage or kernel (hd0,0)/boot/bzImage. it does not make any difference if you have the /boot in the line or not.

so, i think it is ok the way it is already. changes according to the place of your kernel are not needed for the whole encryption thing.


greets,
hulk


Ok, cheers. I don't use genkernel but i manually compile it, and then rename it to the kernel version and patch level, hence the name of it. I think i have it sorted, i shall probably know by tomorrow.


As another question, when you use knoppix, the only special program is losetup, so could you not just boot off any rescue cd, mount /boot which is home to the losetup that was compiled and copied during the install, and just use that instead??

Kristian
_________________
Signature?? I don't want a signature!
hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Wed Jan 21, 2004 9:59 pm

yes, it should be possible to use the losetup binary in combination with every other rescue cd, but i have not tested it.

greets,
hulk
_________________
Linux: "Free as in free speech, not as in free beer"
kritip
n00b

Joined: 03 Jan 2004
Posts: 56
Location: Nuneaton, Warks, UK

Posted: Wed Jan 21, 2004 11:05 pm

Well, i found a Knoppix CD lying about v3.3 so i used that in the end. After running the DD command, it stated:
Code:
I/O error
30623+1 records in
30623+1 records out...


it listed the duration (about 30 mins) and it then said it was successful or something along those lines, great i thought.

Upon rebooting, the kernel begins to load, loads my drivers, mounts /dev, then says freeing space from kernel (157K) or something like that, and hangs.

It does state it found a ram disk and a compressed image at 0 and seems to uncompress it. I get no prompt for a password as it hangs though :(

Now I'm not sure if it's something i've done or to do with the error that was listed when i ran dd ......

I guess i will have to fiddle tomorrow to try and fix it. Any ideas would be more than welcome though :)


Cheers,

Kristian
_________________
Signature?? I don't want a signature!
lghman
Guru

Joined: 29 Nov 2002
Posts: 548
Location: Florida

Posted: Thu Jan 22, 2004 2:41 am

Just wanted to say thanks hulk2nd. Freakin excellent job on the howto, worked like a damn charm for me! ;)

--sonik
_________________
"What a distressing contrast there is between the radiant intelligence of a child and the feeble mentality of the average adult" --Freud
hulk2nd
Guru

Joined: 25 Mar 2003
Posts: 512
Location: Freiburg, Germany

Posted: Thu Jan 22, 2004 11:22 pm

kritip wrote:
Code:
I/O error
30623+1 records in
30623+1 records out...


i don't remember that i/o error ...
in fact it doesn't look very good. i'm very sorry about that, i have no idea what to do ...
hope you backed up the important data ...
sorry

@sonikntails
glad to hear that. you're welcome :D
_________________
Linux: "Free as in free speech, not as in free beer"
franklin
n00b

Joined: 29 Dec 2003
Posts: 7
Location: Montreal, Canada

Posted: Fri Jan 23, 2004 2:25 am

Have you looked at the file /etc/conf.d/crypto-loop?

Could I have more info about it, since the link to it is down?

And, where can I find build-initrd.sh?
kritip
n00b

Joined: 03 Jan 2004
Posts: 56
Location: Nuneaton, Warks, UK

Posted: Fri Jan 23, 2004 7:19 am

hulk2nd wrote:
kritip wrote:
Code:
I/O error
30623+1 records in
30623+1 records out...


i don't remember that i/o error ...
in fact it doesn't look very good. i'm very sorry about that, i have no idea what to do ...
hope you backed up the important data ...
sorry


Very odd, i posted a big reply yesterday and it is nowhere to be seen!! Perhaps i hit preview and then closed the browser!!???

Anyway, the I/O error seemed to be no problem as i am now running unencrypted again after not being able to successfully boot. I tried rebuilding my kernel twice, checking all the options, rebuilding losetup with the aes patch twice, messing around with boot commands in grub, all to no avail!!! I even read in build-initrd.sh that i shouldn't use the root= line in grub as i use devfs and a 2.6 kernel, so i ran rdev /kernel-version /dev/ram0 and removed the root= line, but it did exactly the same!
It just hung on freeing kernel memory!

I have given up for now, the only thing I think it could be is the HPT374 controller my drives sit on, although it is compiled into my kernel, or that in build-initrd.sh i specified /dev/discs/disc0/part3 whereas my mount command gives me /dev/ide/host2/bus0/target0/lun0/part3, both exist though!!??


Cheers anyway for the great guide, it was an experience, and i will try again in a few weeks,

Kristian
_________________
Signature?? I don't want a signature!
kritip
n00b

Joined: 03 Jan 2004
Posts: 56
Location: Nuneaton, Warks, UK

Posted: Fri Jan 23, 2004 7:20 am

franklin wrote:
Have you looked at the file /etc/conf.d/crypto-loop?

Could I have more info about it, since the link to it is down?

And, where can I find build-initrd.sh?


build-initrd.sh will be in your /tmp/enc/loop-AES-v2.0d/ directory, or wherever you extracted it.

Kristian
_________________
Signature?? I don't want a signature!
TheCoop
Veteran

Joined: 15 Jun 2002
Posts: 1814
Location: Where you least expect it

Posted: Fri Jan 23, 2004 10:44 pm

so does the current util-linux-2.12-r4 work properly so you can run an encrypted root, or do you still need to install your own version? why doesn't util-linux just include the patch you patch yourself?
_________________
95% of all computer errors occur between chair and keyboard (TM)

"One World, One web, One program" - Microsoft Promo ad.
"Ein Volk, Ein Reich, Ein Führer" - Adolf Hitler

Change the world - move a rock
franklin
n00b

Joined: 29 Dec 2003
Posts: 7
Location: Montreal, Canada

Posted: Sat Jan 24, 2004 6:05 pm

Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.
kritip
n00b

Joined: 03 Jan 2004
Posts: 56
Location: Nuneaton, Warks, UK

Posted: Sat Jan 24, 2004 8:37 pm

franklin wrote:
Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.


I believe it is not any type of journalled file system, just certain ones, depending on how they write data to the disk. I believe that Reiserfs and XFS are OK in the way they order the data in their default configuration, but i do not have any references to hand, so don't solely rely on my information. I personally tried it with Reiserfs 3.6 and successfully encrypted, used, and then decrypted my root partition.

Kristian
_________________
Signature?? I don't want a signature!
franklin
n00b

Joined: 29 Dec 2003
Posts: 7
Location: Montreal, Canada

Posted: Sat Jan 24, 2004 10:12 pm

kritip wrote:
franklin wrote:
Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.


I believe it is not any type of journalled file system, just certain ones, depending on how they write data to the disk. I believe that Reiserfs and XFS are OK in the way they order the data in their default configuration, but i do not have any references to hand, so don't solely rely on my information. I personally tried it with Reiserfs 3.6 and successfully encrypted, used, and then decrypted my root partition.

Kristian


Thx for the info, I will try it with Reiserfs.
nx12
Apprentice

Joined: 14 Jan 2004
Posts: 193

Posted: Thu Jan 29, 2004 10:33 pm

One question: does somebody have working software suspend on encrypted swap?
I'm going to try it out, but can't find any materials about that. On swsusp.sourceforge.net they write that it's supported but I could not find anything either in google or in their mailing archives. :cry:
So it would be great if someone posted his experiences with encrypted swsusp. :roll:
_________________
signature sucks
gmoney
n00b

Joined: 04 Aug 2003
Posts: 20
Location: Santa Barbara

Posted: Sat Jan 31, 2004 5:57 pm    Post subject: loop.ko

Just a word of advice, if you're doing this with the 2.6 kernel and your modules end with .ko instead of .o, you need to change the build-initrd.sh script so that it will look for loop.ko instead of loop.o (if you're using the loop module and not the in-kernel crypto). I've been stumped on this for an hour but it's working fine now. I was using loop-aes 2.0d so maybe they've fixed this in the latest version but if not, just change line 389. Other than that, fantastic guide and great work to the loop-aes guys. I owe you a beer if you're ever in Santa Barbara, CA, USA.
sciwhiz007
n00b

Joined: 01 Jan 2004
Posts: 31
Location: /dev/random

Posted: Sun Feb 01, 2004 3:38 pm

Two things, a question and a word of advice.
Where does it say that journalling file systems are not recommended for our purposes? If you read through the loop-AES readme, it specifically states this:
Quote:
2.2. Use of journaling file systems on loop device
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Don't use a journaling file system on top of file backed loop device, unless
underlying file system is journaled and guarantees data=ordered or
data=journal. Device backed loop device can be used with journaling file
systems as device backed loops guarantee that writes reach disk platters in
order required by journaling file system (write caching must be disabled on
the disk drive, of course). With file backed loop devices, correct write
ordering may extend only to page cache (which resides in RAM) of underlying
file system. VM can write such pages to disk in any order it wishes, and
thus break write order expectation of journaling file system.

What this means is that you can have a journalling file system on a loop device that's backed by a device, such as /dev/hda1 or /dev/sda1, but it is not recommended to have a journalling file system on a file backed loop device, such as one you create by typing this in.
Code:
dd if=/dev/zero of=loop.img bs=1k count=65536
losetup -e AES128 -S XXXXXX -T /dev/loop1 loop.img
mke2fs /dev/loop1
mount -t ext2 /dev/loop1 /mnt/loop

Now for my tip, which may not be useful to most people. But just in case you've been trying to patch the hardened-sources kernel with the loop-AES patch and haven't had much success, you could try what I did. Essentially what I'm doing is removing the cryptoloop patch applied to the hardened-sources kernel and then patching it with loop-AES.
Code:
cd /usr/src
cp /usr/portage/distfiles/patches-2.4.22-hardened.tar.bz2 ./
tar -xjvpf patches*.bz2
wget http://aleron.dl.sourceforge.net/sourceforge/loop-aes/loop-AES-v2.0e.tar.bz2
tar -xjvpf loop-A*.bz2
cd linux
patch -Rp1 -i ../2.4.22-hardened/70_crypto*.patch      # Remove the patch
patch -Np1 -i ../loop-A*/kernel-2.4.24.diff            # Apply the new patch
rm -rf ../*.bz2 ../2.4.22-hardened ../loop*
make menuconfig

Of course, I make a number of assumptions in the above code. I assume that you're patching hardened-sources-2.4.22 (any release), that your /usr/src/linux symlink correctly points to /usr/src/linux-2.4.22-hardened and that your portage distfiles are located at /usr/portage/distfiles. If any of this doesn't apply to you, you'll obviously have to change the code to suit your needs. Also, if you want to see whether a patch applies successfully, you can use the --dry-run switch with patch.

Hope that helps!
_________________
You can take a horse to water but you can't make it drink.
You can give a person facts, but you can't make them think.
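As an added example (not from the thread, the loop-AES README or the Gentoo tools it discusses): a small shell check that applies the README rule quoted above. A device-backed loop is accepted as-is; a file-backed loop is accepted only if the filesystem holding the backing file is journaled and mounted with data=ordered or data=journal. It runs against a constructed /proc/mounts-style table so it works offline; the helper names loop_journal_ok and find_mount are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from loop-AES. It encodes the
# README rule on journaling filesystems over loop devices:
#   device-backed loop (e.g. /dev/hda1)  -> OK (with drive write caching off)
#   file-backed loop                     -> OK only if the underlying fs is
#                                           journaled with data=ordered/journal
# Constructed sample mount table in /proc/mounts layout
# (device mountpoint fstype options dump pass). On a real box feed it
# "$(cat /proc/mounts)" instead.
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw,data=ordered 0 0
/dev/hda2 /home ext3 rw,data=writeback 0 0
/dev/hda3 /srv ext2 rw 0 0'

# Print "fstype options" of the mount whose mountpoint is the longest
# prefix of PATH.  Usage: find_mount PATH MOUNTS_TEXT
find_mount() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            # "/" holds everything; other mountpoints must match a whole component
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best_len) { best_len = length(mp); best = $3 " " $4 }
            }
        }
        END { print best }'
}

# Decide whether a journaling fs on the loop is safe.
# Usage: loop_journal_ok KIND BACKING MOUNTS_TEXT
#   KIND is "device" or "file" (on a real system derive it with: test -b BACKING)
# Returns 0 (safe) or 1 (not safe) and prints the reason.
loop_journal_ok() {
    kind=$1; backing=$2; mounts=$3
    if [ "$kind" = device ]; then
        echo "ok: $backing is a block device (disable write caching on the drive)"
        return 0
    fi
    entry=$(find_mount "$backing" "$mounts")
    fstype=${entry%% *}
    opts=${entry#* }
    # Only filesystems that expose a data= journaling mode can satisfy the rule;
    # the check is strict: the option must be visible in the mount options.
    case "$fstype" in
        ext3|ext4|reiserfs) journaled=1 ;;
        *) journaled=0 ;;
    esac
    case ",$opts," in
        *,data=ordered,*|*,data=journal,*) ordered=1 ;;
        *) ordered=0 ;;
    esac
    if [ "$journaled" = 1 ] && [ "$ordered" = 1 ]; then
        echo "ok: $backing lives on $fstype mounted with $opts"
        return 0
    fi
    echo "unsafe: $backing lives on ${fstype:-unknown} ($opts); use a device-backed loop or a non-journaling fs on the loop"
    return 1
}
```

With the sample table, /loop.img (on / with data=ordered) passes, while /home/kristian/loop.img (data=writeback) and /srv/loop.img (ext2) are reported unsafe.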
Page 3 of 8