luckySimba n00b
Joined: 23 Dec 2022 Posts: 59
Posted: Fri Jan 27, 2023 4:23 am, Post subject: disk encryption with custom compiled kernel
Hello, I have been following this https://wiki.gentoo.org/wiki/Full_Disk_Encryption_From_Scratch_Simplified
in order to build an encrypted disk. The issue is, not only this instruction set but any of the instructions I find only use genkernel. I have my own .config file that I've made that I know works fine. Is there any difference here? When they use genkernel they seem to be feeding it parameters relevant to encryption. Any information would be greatly appreciated. Thanks all.
_integralpanther_ n00b
Joined: 13 Jul 2005 Posts: 7 Location: de
Posted: Fri Jan 27, 2023 6:38 am, Post subject: Full Disk encryption
Hi luckySimba,
I presume that the command line arg "--luks" should instruct genkernel to include cryptsetup binaries into the initial ramdisk. So if you are building the kernel manually you should do the same in the step where you build your custom initrd.
I have not done it so far, but I guess that you need an unencrypted (boot) partition where you boot your kernel and the initrd from.
Hope that helps,
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54234 Location: 56N 3W
Posted: Fri Jan 27, 2023 8:29 am
luckySimba,
Booting with an encrypted disk requires kernel support and initrd support.
The initrd provides all the user space tools to unlock the encrypted root.
Genkernel builds both parts, given the right command line input.
You can do it yourself too if you want to.
That page uses RAID and LVM but not LUKS.
Genkernel can use your kernel conf file, or even build the initrd only.

Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
luckySimba n00b
Joined: 23 Dec 2022 Posts: 59
Posted: Fri Jan 27, 2023 2:08 pm
Ok how do you two recommend I build it? Yes I have unencrypted boot and 3 meg grub partition, the rest is encrypted lol, split as root and swap partition. I normally use dracut to build my initramfs, but is there a way to use genkernel but not build the kernel? Thanks for the replies you two. Thanks for your help and direction.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54234 Location: 56N 3W
Posted: Fri Jan 27, 2023 5:17 pm
luckySimba,
I would do it the way I linked.
Step 1. Make a kernel that does not need any modules loaded to decrypt and mount root.
Step 2. Make an initrd that contains all the user space tools required.
It also needs an init script to control what happens while the initrd does its thing.
Such an initrd is kernel agnostic as it contains no kernel modules, so it need never be updated.
Both dracut and genkernel can build the initrd only but I've never used either, so I don't know how.

Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
_integralpanther_ n00b
Joined: 13 Jul 2005 Posts: 7 Location: de
Posted: Fri Jan 27, 2023 9:07 pm
Hi luckySimba,
I think your last question can be easily answered by the manpage of genkernel. There is an "initramfs" action (instead of "all") which only builds the initial ramdisk.
soka Tux's lil' helper
Joined: 27 Dec 2006 Posts: 99 Location: Argentina
Posted: Sat Jan 28, 2023 12:19 pm
I have an encrypted luks root partition with a manual kernel and use genkernel with the following command to make the initramfs
(--ssh to allow remote unlock).
Code:
    genkernel --luks --lvm --keymap --ssh initramfs
and then in grub.cfg:
Code:
    menuentry 'Gentoo' {
        insmod cryptodisk
        insmod luks
        root=hd0,1
        linux /boot/kernel-5.15.88-gentoo dosshd crypt_root=UUID=(encrypted disk partition uuid) root=/dev/mapper/root keymap=es quiet CONSOLE=/dev/tty1
        initrd /boot/initramfs-5.15.88-gentoo.img
    }
luckySimba n00b
Joined: 23 Dec 2022 Posts: 59
Posted: Thu Feb 02, 2023 6:15 pm
soka wrote:
    I have an encrypted luks root partition with a manual kernel and use genkernel with the following command to make the initramfs
    (--ssh to allow remote unlock).
    Code:
        genkernel --luks --lvm --keymap --ssh initramfs
    and then in grub.cfg:
    Code:
        menuentry 'Gentoo' {
            insmod cryptodisk
            insmod luks
            root=hd0,1
            linux /boot/kernel-5.15.88-gentoo dosshd crypt_root=UUID=(encrypted disk partition uuid) root=/dev/mapper/root keymap=es quiet CONSOLE=/dev/tty1
            initrd /boot/initramfs-5.15.88-gentoo.img
        }
Thank you sir! Appreciate your help.
luckySimba n00b
Joined: 23 Dec 2022 Posts: 59
Posted: Thu Feb 02, 2023 6:18 pm
I am working on this, I've found several tutorials, I think I'm starting to get it, however, one thing I don't see yet is how does the boot process know that my /dev/xxx is the partition that should be unencrypted? I saw some tutorials about /etc/crypttab but those have nothing to do with the ones I've been using.
The dm-crypt instruction set has settings for the /dev/mapper/xxyy, however, I'm failing to see how the system would know where to locate those volumes?
Anyone have any further insight into this I could glean?
luckySimba n00b
Joined: 23 Dec 2022 Posts: 59
Posted: Thu Feb 02, 2023 6:51 pm
Ok so I’ve done it all y’all. I go to boot and I get this
Code:
    >> Genkernel 4.2.6 (2023-02-02 06:13:15 UTC). Linux kernel 5.15.88-gentoo-x86_64
    >> Activating udev
    >> Scanning for volume groups...
    Reading all physical volumes. This may take a while...
    >> Activating volume groups...
    !! Failed to find LUKS device. If crypt_root kernel command-line argument is correct you are probably missing kernel support for your storage!
    !! Could not find the root in.
    ?? Please specify another value or
I have crypt_root=UUID(dev/mapper/rootuuid) and crypt_swap=UUID setup in my default/grub file.
My fstab also specifies the UUID of the dev mapper for respective mount points.
I’ve built my initramfs using the genkernel --luks --lvm initramfs command.
I can get into a genkernel rescue shell where I can use cryptsetup luksOpen to see my encrypted drive.
Any suggestions? I have certainly added kernel support, at least based on all the tutorials I’ve found.
sublogic Apprentice
Joined: 21 Mar 2022 Posts: 222 Location: Pennsylvania, USA
Posted: Fri Feb 03, 2023 12:11 am
luckySimba wrote:
    I have crypt_root=UUID(dev/mapper/rootuuid) and crypt_swap=UUID setup in my default/grub file
crypt_root should have the UUID of your LUKS container, not the one of your root device. The LUKS container is the /dev/sdxn partition on which you ran cryptsetup luksFormat. The genkernel /init script will run cryptsetup luksOpen on it, prompting you for your passphrase; if successful that will cause the decrypted view /dev/mapper/root to appear. Your kernel command line should also have root=/dev/mapper/root, literally, so the /init can proceed to mount it and switch_root to it. (No need to give a UUID for the root= parameter because it is unambiguously identified by the name given to it in the /init, which is always "root" in the case of genkernel.)
Likewise, crypt_swap should be the LUKS container of the swap device, not the swap itself. The decrypted view will show up as /dev/mapper/swap; again you can use that path name, rather than a UUID, in your /etc/fstab so that swapon -a will pick it up.
One downside of this setup is that you have to enter two passphrases, one for root and one for swap. An alternative is to dispense with crypt-swap, which is not needed for booting out of early userspace, and decrypt/enable the swap from the initscripts (openrc or systemd). To do this you add a keyslot to your swap container, with a keyfile, not a passphrase, that is stored on your root device (and therefore encrypted on-disk). Your initscripts can then open the swap container without a passphrase and do the swapon -a. With openrc you can put a script in /etc/local.d. But you can't hibernate and resume from swap if you do it that way.
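An added sanity check for the point sublogic makes above (example code written for this page, not from the thread and not genkernel's own): a POSIX shell function that takes a GRUB "linux" line and blkid output and confirms that crypt_root= carries the UUID of a device blkid reports as crypto_LUKS (the container), not the UUID of the filesystem inside /dev/mapper/root, and that root=/dev/mapper/root is given literally. The blkid text and all UUIDs below are constructed so the script runs offline; on a live system the same function would be fed the output of `cat /proc/cmdline` and `blkid`.

```sh
#!/bin/sh
# Added example: validate the crypt_root= / root= pair of a genkernel LUKS boot
# line against blkid output. Nothing here touches real block devices.

# Constructed blkid sample: sda2 is the LUKS container, /dev/mapper/root is the
# ext4 filesystem inside it. UUIDs are made up for the example.
SAMPLE_BLKID='/dev/sda1: UUID="1111-AAAA" TYPE="vfat" PARTUUID="00000000-01"
/dev/sda2: UUID="3e6d0c2a-0000-4000-8000-000000000002" TYPE="crypto_LUKS" PARTUUID="00000000-02"
/dev/mapper/root: UUID="7b1f9a10-0000-4000-8000-000000000003" TYPE="ext4"'

# type_for_uuid UUID BLKID_TEXT: print the TYPE= blkid reports for that UUID.
type_for_uuid() {
    printf '%s\n' "$2" | sed -n "s/.* UUID=\"$1\" TYPE=\"\([^\"]*\)\".*/\1/p"
}

# cmdline_param NAME CMDLINE: print the value of NAME=value on the command line.
cmdline_param() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# check_cmdline CMDLINE BLKID_TEXT
# Returns 0 when crypt_root=UUID=<x> names a crypto_LUKS device and
# root=/dev/mapper/root is present literally; otherwise prints why and returns 1.
check_cmdline() {
    cmdline=$1
    blkid_out=$2
    crypt_root=$(cmdline_param crypt_root "$cmdline")
    root=$(cmdline_param root "$cmdline")

    case "$crypt_root" in
        UUID=*) ;;
        *) echo "crypt_root must be UUID=<uuid>, got '$crypt_root'"; return 1 ;;
    esac
    uuid=${crypt_root#UUID=}
    fstype=$(type_for_uuid "$uuid" "$blkid_out")
    if [ "$fstype" != "crypto_LUKS" ]; then
        # This is the mistake in the thread: the UUID of the mapped root filesystem.
        echo "crypt_root UUID $uuid is '${fstype:-unknown}', not a LUKS container"
        return 1
    fi
    if [ "$root" != "/dev/mapper/root" ]; then
        echo "root= should be /dev/mapper/root literally, got '$root'"
        return 1
    fi
    echo "ok: crypt_root is a LUKS container and root= names the mapped device"
    return 0
}

# Constructed boot lines: GOOD follows soka's grub.cfg pattern, BAD uses the
# UUID of the decrypted root filesystem, as in luckySimba's failing boot.
GOOD='dosshd crypt_root=UUID=3e6d0c2a-0000-4000-8000-000000000002 root=/dev/mapper/root keymap=es quiet'
BAD='crypt_root=UUID=7b1f9a10-0000-4000-8000-000000000003 root=/dev/mapper/root quiet'

check_cmdline "$GOOD" "$SAMPLE_BLKID"
check_cmdline "$BAD" "$SAMPLE_BLKID" || true
```

The check deliberately does not resolve /dev/mapper names itself: genkernel's /init always creates the mapping as "root", so the only thing worth verifying on the command line is that crypt_root points at the container and root= uses that fixed name.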
grknight Retired Dev
Joined: 20 Feb 2015 Posts: 1659
Posted: Fri Feb 03, 2023 12:24 am
sublogic wrote:
    One downside of this setup is that you have to enter two passphrases, one for root and one for swap. An alternative is to dispense with crypt-swap, which is not needed for booting out of early userspace, and decrypt/enable the swap from the initscripts (openrc or systemd). To do this you add a keyslot to your swap container, with a keyfile, not a passphrase, that is stored on your root device (and therefore encrypted on-disk). Your initscripts can then open the swap container without a passphrase and do the swapon -a. With openrc you can put a script in /etc/local.d. But you can't hibernate and resume from swap if you do it that way.
If hibernate and resume is not an issue, don't bother with local.d and just use the dmcrypt service to make a new encrypted swap on each boot. You cannot use it later anyway, just to keep RAM pages from prying eyes.
Example:
Code:
    swap=crypt-swap
    source=PARTUUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    options="-c aes-xts-plain64 -s 256 -d /dev/urandom"
Leo3418 n00b
Joined: 01 Feb 2023 Posts: 6
Posted: Fri Feb 03, 2023 12:55 am
luckySimba wrote:
    Ok how do you two recommend I build it? Yes I have unencrypted boot and 3 meg grub partition, the rest is encrypted lol, split as root and swap partition. I normally use dracut to build my initramfs, but is there a way to use genkernel but not build the kernel? Thanks for the replies you two. Thanks for your help and direction.
You should be able to continue using dracut. dracut has a 'crypt' module that is responsible for dm-crypt support. By default, this module should be enabled automatically when you have installed sys-fs/cryptsetup.
luckySimba wrote:
    I am working on this, I've found several tutorials, I think I'm starting to get it, however, one thing I don't see yet is how does the boot process know that my /dev/xxx is the partition that should be unencrypted? I saw some tutorials about /etc/crypttab but those have nothing to do with the ones I've been using.
    The dm-crypt instruction set has settings for the /dev/mapper/xxyy, however, I'm failing to see how the system would know where to locate those volumes?
    Anyone have any further insight into this I could glean?
/etc/crypttab is relevant only when you want to set up automatic unlock with systemd. I don't think OpenRC uses it, though I have not used OpenRC too much.
luckySimba n00b
Joined: 23 Dec 2022 Posts: 59
Posted: Tue Feb 07, 2023 5:35 am
sublogic wrote:
    luckySimba wrote:
        I have crypt_root=UUID(dev/mapper/rootuuid) and crypt_swap=UUID setup in my default/grub file
    crypt_root should have the UUID of your LUKS container, not the one of your root device. The LUKS container is the /dev/sdxn partition on which you ran cryptsetup luksFormat. The genkernel /init script will run cryptsetup luksOpen on it, prompting you for your passphrase; if successful that will cause the decrypted view /dev/mapper/root to appear. Your kernel command line should also have root=/dev/mapper/root, literally, so the /init can proceed to mount it and switch_root to it. (No need to give a UUID for the root= parameter because it is unambiguously identified by the name given to it in the /init, which is always "root" in the case of genkernel.)
    Likewise, crypt_swap should be the LUKS container of the swap device, not the swap itself. The decrypted view will show up as /dev/mapper/swap; again you can use that path name, rather than a UUID, in your /etc/fstab so that swapon -a will pick it up.
    One downside of this setup is that you have to enter two passphrases, one for root and one for swap. An alternative is to dispense with crypt-swap, which is not needed for booting out of early userspace, and decrypt/enable the swap from the initscripts (openrc or systemd). To do this you add a keyslot to your swap container, with a keyfile, not a passphrase, that is stored on your root device (and therefore encrypted on-disk). Your initscripts can then open the swap container without a passphrase and do the swapon -a. With openrc you can put a script in /etc/local.d. But you can't hibernate and resume from swap if you do it that way.
Thank you my man, this worked perfectly!!
kukibl Apprentice
Joined: 10 Jun 2008 Posts: 237
Posted: Wed Feb 08, 2023 9:46 am
Leo3418 wrote:
    /etc/crypttab is relevant only when you want to set up automatic unlock with systemd. I don't think OpenRC uses it, though I have not used OpenRC too much.
crypttab is required when dracut is used, even on OpenRC and without automatic unlocking. With a genkernel-generated initramfs it is not required.