Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Using dm-crypt in 2.6.4 for an encrypted filesystem
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
afabbro
Tux's lil' helper
Tux's lil' helper


Joined: 12 Jan 2003
Posts: 92
Location: Portland, OR

PostPosted: Mon Mar 01, 2004 5:28 am    Post subject: Using dm-crypt in 2.6.4 for an encrypted filesystem Reply with quote

Note: This is too lame to be a HOWTO since I just followed directions I found elsewhere,
but I'm so happy I finally got a solid, large encrypted filesystem working under linux that I'm
posting my experience


The Goal

A 100GB encrypted filesystem on a USB2 external drive.

My Trevails

I started with cryptoloop and the cryptoAPI. I had nothing but problems. Looking back, I realize it may
be that I had HIGHMEM set, and I think there are cryptoAPI bugs when that is set. With it set, I had
frequent hard lockups, either working with a block device or a file. I'll chalk it up to HIGHMEM (for
now), though I've read of others' problems. At any rate, cryptoloop looks to be on the way out,
according to http://kerneltrap.org/node/view/2433/ One other thing I don't like about
cryptoloop is that losetup doesn't ask for your password twice. If you pick a good, long passphrase,
you could easily typo it and find yourself unable to access your data.

Next I looked at loop-AES. This package has gotten good reviews, but requires (a) replacing your kernel's
loop module, and (b) patching util-linux (though Gentoo does this for you). I held this as a last resort
(what if I need my loop module for something some day?) and happily, never needed to use it.

Finally, I looked at BestCrypt, a commercial product from Jetico. BestCrypt is very well-documented but
is not free ($50 US after a 30-day trial; they give you the source code, so it's an honor system thing).
I downloaded and tested it, but 1.5.1 didn't work well with my 2.6.3 system. When using a block device,
it ran out of space or gave strange "bogus i_mode" messages in dmesg while attempting to fetch impossible
inodes, which hung the box. When I tried to use containers (of 100Gb size), mkfs would freeze. Since
BestCrypt provides its own kernel modules, I'm going to have to lay the blame at their doorstep. (The
product works very well under Windows, incidentally).

Eureka!

Just as I was about to shoot myself out in frustration (see https://forums.gentoo.org/viewtopic.php?t=143108&highlight=),
I learned about dm-crypt. This is new in 2.6.4 and was available in 2.6.3-mm. The above-mentioned thread
(http://kerneltrap.org/node/view/2433) discusses the future of kernel cryptography, and it looks
to be dm-crypt instead of cryptoloop. The main dm-crypt page is at http://www.saout.de/misc/dm-crypt/

Before 2.6.4, you needed to do some special patches on the -mm tree...that's a little too bleeding edge for me.
But the good news is that 2.6.4-rc1 has dm-crypt support built in. Note: HIGHMEM is still broken in
regard to CryptoAPI/dm-crypt, so don't use it if you want dm-crypt (yes, this sucks - see the dm-crypt page
above for some patches to fix it).

To get up and running, I did the following:

Code:

emerge -u development-sources (to get to 2.6.4-rc1)
emerge device-mapper


device-mapper is needed for dm, which is an option in the 2.6.4 kernel (under the RAID section).
You will also need hashalot, but that's pretty common (and just emerge hashalot if you don't have it).

After rebuilding the kernel, I downloaded cryptsetup (http://www.saout.de/misc/cryptsetup),
a script that makes working with encrypted volumes really easy. Once downloaded (and chmod'd 755), setting
up the volume is easy. I chose to use AES (The defaults are aes with a 256 bit key, hashed using rmd160):

Code:

modprobe dm-mod
modprobe aes (needed?)
./cryptsetup -c aes -y create my-data /dev/sda1
mke2fs /dev/mapper/my-data
mount /dev/mapper/my-data /data


You'll get a warning that -y isn't implemented yet - see below (I put it in the example in case someone
is cutting/pasting a month from now).

crypsetup will ask you for a password when you run it. Unfortunately, the -y flag, which would ask you
for the password twice, is not implemented yet - a hack is to type your password in an editor somewhere
and cut and paste it, thus insuring that your long string of characters is not typo'd.

The mkfs ran pretty hot in terms of system load - 2 to 2.5 on a 1.6Ghz P-IV. After the filesystem was
built, I started the copy. It cooked along pretty well - I didn't really notice much of a slowdown compared
to a normal copy (though this is USB2, so it's not as fast as writing to a ATA133 anyway ;) The load average
moved between 1 and 2, with 'pdflush' hogging most of it.

When I was finished, it was simply

Code:

umount /data


Yep, that simple.

Status

2.6.4-rc1 has only been out a few days, so this is all barely tested. However, unlike my earlier experiences, I've written tens of gigabytes
of data on top of a dm-crypted filesystem and mounted and unmounted it several times without a problem.

Future Projects

I haven't investigated how to put this in /etc/fstab, but that's my next step.

I don't really see much use for an encrypted root/swap at home (since I'm religious about linking everything
unique *off* of root, such as /var/www, /home, /usr/local, etc.) It would be interesting to play with
dm-crypt on a laptop...but that's a project for another day ;)
Back to top
View user's profile Send private message
bluephile
n00b
n00b


Joined: 01 Mar 2004
Posts: 6

PostPosted: Sun Mar 07, 2004 6:28 am    Post subject: Reply with quote

afabbro,

I have 2.6.4-rc1 installed and would really like to try this, but the cryptsetup script that you link to no longer exists. Do you think you could post it here?

Cheers,
bluephile

EDIT:
Ah, although archive.org didn't have the page, Google's cache does. I'll be back later with my results!
EDIT2:
Unfortunately, it appears to be older than the one you used, as there is no mention of a -y option anywhere in the script. :cry:
EDIT3:
I realized that cryptsetup was linked from the dm-crypt page. They have a new verison of the script (er, program!) now in C: http://www.saout.de/misc/dm-crypt/cryptsetup-0.1.tar.bz2
Back to top
View user's profile Send private message
mossmann
n00b
n00b


Joined: 23 Apr 2002
Posts: 13

PostPosted: Sun Mar 07, 2004 4:39 pm    Post subject: encrypted root and swap with dm-crypt Reply with quote

I've been running my laptop with the entire hard disk encrypted using dm-crypt for over a week now. Works great! I'm using a USB flash drive for my /boot and initrd, roughly following the method described in the Disk-Encryption-HOWTO. I wanted to build a swap device on top of the same encrypted device as my root filesystem and also have flexibility for multiple filesystems, so I'm using lvm2 on top of the encrypted block device. I had to build a custom initrd and linuxrc script to deal with a root filesystem over lvm2 over dm-crypt, but it was fairly straightforward (except for the conflicting documentation regarding what, exactly, the linuxrc script must accomplish). Minimal documentation follows:

Warning: You may destroy your data if you follow these instructions!

First I wrote a mkkey script to create a completely random key for the disk encryption and store the key on my flash drive in an encrypted loop file, protected by a passphrase. Note that all my scripts use the soon to be defunct cryptsetup.sh but should be easily adapted to the new cryptsetup.

Code:

#!/bin/bash

LOOP_FILE="/boot/keyloop"
KEY_DMTARGET="key"
LOOP="/dev/loop7"

modprobe dm-mod

if [ ! -f "$LOOP_FILE" ]; then
        # making a 512 byte key even though only a portion will be used
        dd if=/dev/zero of=$LOOP_FILE bs=512 count=1
        chmod 600 $LOOP_FILE
        losetup $LOOP $LOOP_FILE
        cryptsetup.sh -b 1 create $KEY_DMTARGET $LOOP
        dd if=/dev/random of=/dev/mapper/$KEY_DMTARGET bs=512 count=1
        cryptsetup.sh remove $KEY_DMTARGET
        losetup -d $LOOP
        chmod 400 $LOOP_FILE
else
        echo "Don't make me destroy your key!"
fi


Then I backed up my hard drive, double-checked the backup, shredded my hard drive, and built a new partition table. I chose to build my encrypted device on /dev/hda1 (maximum size) rather than /dev/hda just in case a new partition table accidently gets written to the disk or something. Then I wrote a cryptup script to create the encrypted block device:

Code:

#!/bin/bash

LOOP_FILE="/boot/keyloop"
KEY_DMTARGET="key"
LOOP="/dev/loop7"
DMTARGET="pvcrypt"
DEVICE="/dev/hda1"

modprobe dm-mod

if [ -r "$LOOP_FILE" ]; then
        losetup $LOOP $LOOP_FILE
        # it would be better to do this readonly
        cryptsetup.sh -b 1 create $KEY_DMTARGET $LOOP
        cryptsetup.sh -s 16 -d /dev/mapper/$KEY_DMTARGET create $DMTARGET $DEVICE
        cryptsetup.sh remove $KEY_DMTARGET
        losetup -d $LOOP
else
        echo "Key not found."
fi


Then I built my lvm2 setup on top of the encrypted device with a mkvols script. I chose to use a 1GB swap volume and a 10GB root volume to get me started:

Code:

#!/bin/bash

PV="/dev/mapper/pvcrypt"
VG="vgcrypt"

if [ -r "$PV" ]; then
        pvcreate $PV
        vgcreate $VG $PV
        # YMMV
        lvcreate -C y -L 1G -n lvswap $VG
        lvcreate -L 10G -n lvroot $VG
        mkswap /dev/$VG/lvswap
        mke2fs -j /dev/$VG/lvroot
else
        echo "$PV not found."
fi


The above script failed the first time I tried it because lvm2 does not consider device-mapper block devices (such as a dm-crypt device) for use as physical volumes by default. I had to add a line to the devices block in /etc/lvm/lvm.conf:

Code:

types = [ "device-mapper", 16 ]


Now is a good time to verify that the encrypted block device can be remounted correctly, especially because cryptsetup.sh didn't ask for the password twice during setup (thanks to hashalot). First I used cryptdown:

Code:

#!/bin/bash

DMTARGET="pvcrypt"

# 'vgchange -a n' fails if I don't do this first.  Not sure why.
# Asking lvm folks about this but no answer yet.
for lv in $(lvs --noheadings | awk '{print $2 "-" $1}'); do
        dmsetup remove $lv
done

vgchange -a n vgcrypt

cryptsetup.sh remove $DMTARGET


Then I could run cryptup and vgscan. vgscan found the vgcrypt volume group, so everything worked. Then I copied my old root filesystem onto /dev/vgcrypt/lvroot from the backup and built my initrd in /boot. I copied my keyloop to the initrd and wrote a new linuxrc:

Code:

#!/bin/bash

export PATH=/bin:/sbin
LOOP_FILE="keyloop"
KEY_DMTARGET="key"
LOOP="/dev/loop/4"
DMTARGET="pvcrypt"
VG="vgcrypt"
LV="/dev/vgcrypt/lvroot"
DEVICE="/dev/ide/host0/bus0/target0/lun0/part1"

if [ -r "$LOOP_FILE" ]; then
        mount -t proc none /proc
        modprobe loop
        modprobe aes
        modprobe dm-mod
        modprobe dm-crypt
        for ((TRY=1; TRY <= 3; TRY++)); do
                # it would be better to use key readonly
                losetup $LOOP $LOOP_FILE
                # This is easier than figuring out why hashalot's password
                # prompt isn't showing up:
                echo -n "Passphrase: "
                cryptsetup.sh -b 1 create $KEY_DMTARGET $LOOP
                echo
                cryptsetup.sh -s 16 -d /dev/mapper/$KEY_DMTARGET create $DMTARGET $DEVICE
                cryptsetup.sh remove $KEY_DMTARGET
                losetup -d $LOOP
                if (vgchange -a y $VG); then
                        exit 0
                else
                        cryptsetup.sh remove $DMTARGET
                fi
        done
        echo "Sorry."
else
        echo "Key not found."
fi

while true; do
        read
done


This took a few tries. Setting up all the files necessary to run cryptsetup.sh on the initrd was a bit of a pain but this will be easier with the new cryptsetup. The lvm2 tools also have to be on the initrd along with a customized /etc/lvm/lvm.conf.

My grub.conf entry looks like:

Code:

title gentoo 2.6.4-rc1
root (hd0,0)
kernel /vmlinuz-2.6.4-rc1 root=/dev/vgcrypt/lvroot vga=791
initrd /boot/initrd.gz
Back to top
View user's profile Send private message
Gentoo Server
Apprentice
Apprentice


Joined: 21 Jul 2003
Posts: 279

PostPosted: Tue Mar 09, 2004 6:22 pm    Post subject: Reply with quote

hi i was the unlucky dude with highmem and cryptloop!


ok lets look forward


how can i mount my cryptloop drive with dm-crypt? 2.6
Back to top
View user's profile Send private message
chadders
Tux's lil' helper
Tux's lil' helper


Joined: 21 Jan 2003
Posts: 113

PostPosted: Tue Mar 09, 2004 6:54 pm    Post subject: Reply with quote

CooL! I think like this idea better than using loop based encryption. Thanks for the howto.

Chadders (the other root encryption howto guy) :P
Back to top
View user's profile Send private message
bluephile
n00b
n00b


Joined: 01 Mar 2004
Posts: 6

PostPosted: Mon Mar 15, 2004 9:57 pm    Post subject: Reply with quote

mossmann:

I'm trying to follow your instructions, but I'm confused on one major point:

What system are you booted into when you're running cryptsetup, etc.? The LiveCD kernel is too old for device-mapper support, and I don't know how to connect a laptop harddrive to my desktop to set this up with another machine. Please let me know how you did this!

Cheers,
bluephile
Back to top
View user's profile Send private message
epic
n00b
n00b


Joined: 16 Jan 2003
Posts: 44
Location: norway

PostPosted: Sun Mar 21, 2004 7:13 pm    Post subject: Reply with quote

seems like all this thing needs is a bit more time for developers to make util-linux(mount) and alike support this thing... i run cryptsetup from /etc/init.d/local , to mount my disk, this would ofcourse not work for a root/swap partition ;) i would love any hints to do it a easier way though..(hi to bluephile btw, who fixed the compile error in dmconvert for me! :) )
Back to top
View user's profile Send private message
bluephile
n00b
n00b


Joined: 01 Mar 2004
Posts: 6

PostPosted: Mon Mar 22, 2004 6:44 am    Post subject: Reply with quote

(Hi epic!)

Well, I've gotten somewhat further along ...

I used catalyst to create a new livecd based on 2.6.4 that included device-mapper, gcrypt, and cryptsetup. I successfully created my encrypted LVM partition, but I'm having trouble with the initrd: the kernel oopses when it boots up before panicing due to being unable to mount root. I've had the same problem with an encrypted root without LVM. I can't figure out how to read what the oops is to try and track down what's wrong. I'm afraid I'm stuck until development of dmcrypt/cryptsetup/etc. progresses somewhat (perhaps it'll include scripts to create the initrd & do this stuff automatically?) and I don't have to figure out why my initrd is failing, unless someone has a suggestion. :(

Thanks,
bluephile
Back to top
View user's profile Send private message
mossmann
n00b
n00b


Joined: 23 Apr 2002
Posts: 13

PostPosted: Tue Mar 23, 2004 10:50 pm    Post subject: Reply with quote

bluephile wrote:
What system are you booted into when you're running cryptsetup, etc.?


Good question! I was using a minimal system installed on a second partition on my hard disk that I failed to mention. Someday it won't be there, but, as I have been on the road constantly over the past few weeks, I'm not quite ready to be without a safety net! I haven't had the time or motivation to use catalyst yet, but I would like to.

I found it useful to use bash or sash as my linuxrc when I was first trying to get my initrd to work. Being able to interact with the process was very helpful for debugging. Have you figured out if the oops is prior to, during, or after linuxrc?

I haven't been following it closely, but I know there has been some discussion of initrd on the dm-crypt mailing list: http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt
Back to top
View user's profile Send private message
DerRalf
n00b
n00b


Joined: 13 Dec 2003
Posts: 34
Location: Bay Area, CA

PostPosted: Fri Mar 26, 2004 5:52 pm    Post subject: Dmsetup ebuild Reply with quote

I created an ebuild for cryptsetup. You can get it here:

http://www.ece.cmu.edu/~rholzer/cryptsetup-0.1.ebuild
Back to top
View user's profile Send private message
davidblewett
Apprentice
Apprentice


Joined: 15 Feb 2004
Posts: 274
Location: Indiana

PostPosted: Tue Mar 30, 2004 5:09 pm    Post subject: Reply with quote

I would like to use this procedure to create an encrypted USB flash drive. Will this work in Windows, or is it a *nix only solution? Thanks!
Back to top
View user's profile Send private message
epic
n00b
n00b


Joined: 16 Jan 2003
Posts: 44
Location: norway

PostPosted: Tue Mar 30, 2004 10:40 pm    Post subject: Reply with quote

i cant get this to work with firewire... i have a 250 gb disk in a firewire enclousure. It works perfectly, but if i try to encrypt the device i get:

Code:

ieee1394: sbp2: aborting sbp2 command
0x2a 00 0e 90 40 57 00 00 80 00
ieee1394: sbp2: aborting sbp2 command
0x2a 00 0e 90 40 d7 00 00 80 00
ieee1394: sbp2: aborting sbp2 command
0x2a 00 0e 90 41 57 00 00 80 00
ieee1394: sbp2: aborting sbp2 command
0x2a 00 0e 90 41 d7 00 00 80 00


the command i use to set up the device is:
Code:

./cryptsetup -c aes -s 128 -y create cryptdev /dev/sda1


earlier i got the thing mounted... but it startet showing errormsg's after i tried to copy something to it... now, it cant get through mkfs.xfs before showing errors, so i cant mount it.

As i said earlier the disk works perfectly without the encryption.
Anyone got any ideas?

Another question i have in this dm-crypt matter is, when will we see this dm-crypt stuff merging into mount and such, so that the whole matter could be easilier managed(would be a breeze to encrypt root and such), since it's becoming the future in linux disk encryption since 2.6.4 i mean....
Back to top
View user's profile Send private message
keschrich
n00b
n00b


Joined: 09 Apr 2002
Posts: 69
Location: Branford, CT

PostPosted: Wed Mar 31, 2004 2:40 pm    Post subject: Reply with quote

Just a thought:

I don't know all too much about encryption and modern algorithms, but isn't encrypting the root partition a bit dangerous due to the amount of known plaintext? As long as the intruder knows that you're running Linux, there are quite a few libraries and such that are fairly standard to just about any Linux system. Not to mention those of us like me who've installed the howtos, now theres a lot of plaintext just waiting to be exploited..

There must be something I'm missing here otherwise I'm sure it would've been mentioned long ago.. is known plaintext no longer an issue?
Back to top
View user's profile Send private message
tdb
Apprentice
Apprentice


Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Thu Apr 01, 2004 4:58 am    Post subject: Reply with quote

Feel free to correct any inaccuacies in my post, I'm no expert.

Here is something, although I think that most modern ciphers themselves are not vulnerable to a known plaintext attack. (which is what you are describing) Chaning modes (CFB and CBC) and Initialization Vectors (IV) were invented to prevent this, I think.

http://lwn.net/Articles/67216/
_________________
Do you know what a usufruct is?
Back to top
View user's profile Send private message
rwallace
Tux's lil' helper
Tux's lil' helper


Joined: 22 May 2003
Posts: 107
Location: Phoenix, AZ US

PostPosted: Fri Apr 02, 2004 5:21 am    Post subject: Mounting w/o entering password or key? Reply with quote

Ok. I successfully created an encrypted filesystem with dm-crypt. But...

I wanted to try this so I could protect data from theft if the server was taken. But if all a person needs to do to mount the encrypted partition is
Code:
mount /dev/mapper/crypt /data
and they don't have to enter a key, what's the point? Am I missing something?

[EDIT] :oops:

I guess I should have read a little more.
Quote:
Don't forget: cryptsetup only creates a mapping. If you call cryptsetup again after a reboot and supply the same passphrase you will be able to mount your filesystem you created before.


So I guess now my question is how do I kill this mapping without having to reboot?
[/EDIT]
Back to top
View user's profile Send private message
drfunfrock
Tux's lil' helper
Tux's lil' helper


Joined: 05 Aug 2003
Posts: 114

PostPosted: Fri Apr 02, 2004 11:16 am    Post subject: Re: Mounting w/o entering password or key? Reply with quote

rwallace wrote:
Ok. I successfully created an encrypted filesystem with dm-crypt. But...

So I guess now my question is how do I kill this mapping without having to reboot?
[/EDIT]



On the commandline only type cryptsetup -h and you get help
or
> cryptsetup delete [name] [device]
Back to top
View user's profile Send private message
rwallace
Tux's lil' helper
Tux's lil' helper


Joined: 22 May 2003
Posts: 107
Location: Phoenix, AZ US

PostPosted: Fri Apr 02, 2004 8:39 pm    Post subject: Reply with quote

Yah, I read some more of the dm-crypt page docs and lo' and behold found that its as simple as

Code:

umount /data
cryptsetup remove crypt


Very nice. Very simple. I did a 50GB transfer of the data I wanted to encrypt last night and it completed without a problem. I'm very happy now.

Before I was trying cryptfs and cfs on FreeBSD 4.9-R, 4.9-S, 5.1-R and 5.2-R and none of the combinations could get past 15G. Most of the time the system would hard lock at between 3 and 6G.

Thanks for this little pointer. The gentoo forums strike again :D
Back to top
View user's profile Send private message
mossmann
n00b
n00b


Joined: 23 Apr 2002
Posts: 13

PostPosted: Tue Apr 06, 2004 7:57 pm    Post subject: known plaintext attacks Reply with quote

keschrich wrote:
I don't know all too much about encryption and modern algorithms, but isn't encrypting the root partition a bit dangerous due to the amount of known plaintext?


The only known plaintext attack I'm aware of that we need to be concerned about is the optimized dictionary attack described in the link provided by tbd. This attack only works if the attacker knows some plaintext, including its exact location on the block device. Even though there is a lot of known plaintext on a root filesystem, very little of it is in a predictable location. That's why the attack in the link targets something in the filesystem header rather than any individual data files within the filesystem.

Personally, I don't trust any IV method to protect me from an optimized dictionary attack, at least not until the method and the specific implementation have undergone significant peer review. That's why my key is a chunk of completely random bits that would never be found in a dictionary. Then I encrypt my key with an easier to remember passphrase. The encrypted block device can't be attacked with an optimized dictionary because the key would not be in anyone's dictionary (even though there is known plaintext on the device); the encrypted key can't be attacked with an optimized dictionary because it contains no known plaintext (even though my passphrase could conceivably be in someone's dictionary).

If someone had both my hard disk (encrypted block device) and my flash device (encrypted key), then they could perform a dictionary attack, but it would be very computationally expensive and could not be optimized for multiple targets.
Back to top
View user's profile Send private message
mossmann
n00b
n00b


Joined: 23 Apr 2002
Posts: 13

PostPosted: Tue Apr 06, 2004 10:32 pm    Post subject: Reply with quote

epic wrote:
As i said earlier the disk works perfectly without the encryption.


Hmmm. Does it work perfectly with the same kernel that you are using for dm-crypt? Have you tried an intensive write test like "badblocks -w"?

epic wrote:
Another question i have in this dm-crypt matter is, when will we see this dm-crypt stuff merging into mount and such


That is being worked on. See http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/34
Back to top
View user's profile Send private message
crculver
n00b
n00b


Joined: 02 Mar 2004
Posts: 17

PostPosted: Mon Apr 12, 2004 8:10 am    Post subject: Reply with quote

I already have a partition set up with encryption and mounting provided by the loopback driver. How do I use device-mapper functionality to mount the drive?

Note that I only want to mount an existing encrypted filesystem with this new method, I do NOT want to have to reformat or reencrypt. In fact, the first time I want to mount it read-only so I can make sure I'm not going to lose my home dir.
Back to top
View user's profile Send private message
tdb
Apprentice
Apprentice


Joined: 19 Sep 2002
Posts: 293
Location: New Orleans, Louisiana, U.S.A. (what's left of it anyway...)

PostPosted: Tue Apr 13, 2004 3:35 pm    Post subject: Reply with quote

crculver wrote:
I already have a partition set up with encryption and mounting provided by the loopback driver. How do I use device-mapper functionality to mount the drive?


Try here:

http://www.saout.de/misc/dm-crypt/

About halfway down the page is a section about migration. It looks like dm-crypt can do cryptoloop created by 2.6 kernels. There are a few links to follow from there as well.
_________________
Do you know what a usufruct is?
Back to top
View user's profile Send private message
GentooBox
Veteran
Veteran


Joined: 22 Jun 2003
Posts: 1168
Location: Denmark

PostPosted: Thu Apr 15, 2004 9:25 pm    Post subject: Reply with quote

Hi.

I have some experience with loop-AES with gpg keys.
but for loop-AES to work perfectly i need to patch util-linux and build a loop.ko module.

is there any reason why i should switch to dm-crypt ?

EDIT: has anyone encrypted their whole harddisk ? how does it work ?
did you guys figure out how to add the encrypted drive to fstab ?
_________________
Encrypt, lock up everything and duct tape the rest
Back to top
View user's profile Send private message
epic
n00b
n00b


Joined: 16 Jan 2003
Posts: 44
Location: norway

PostPosted: Tue Apr 27, 2004 2:04 pm    Post subject: Reply with quote

GentooBox wrote:
Hi.

I have some experience with loop-AES with gpg keys.
but for loop-AES to work perfectly i need to patch util-linux and build a loop.ko module.

is there any reason why i should switch to dm-crypt ?

EDIT: has anyone encrypted their whole harddisk ? how does it work ?
did you guys figure out how to add the encrypted drive to fstab ?


yes there is a good reason to switch to dm-crypt. Because the 2.6 maintainer morton has deprecated the loop-crypt.

To set up the encrypted partitions in fstab you would need to patch your util-linux with the patch located in the mailinglist(for util-linux 2.12 i belive, dunno if this works with a root/swap partition though)

Anyone know how to use dmconvert to encrypt a already existing partition?
Back to top
View user's profile Send private message
misc
Tux's lil' helper
Tux's lil' helper


Joined: 09 Sep 2003
Posts: 109

PostPosted: Fri May 07, 2004 6:43 am    Post subject: Reply with quote

Hi,

I haven't began to do this yet but I have a backup server that a lot of servers backup to. I store all this data on a separate partition, and it's a raid device as well (mirror). Is this going to cause trouble? Do I need to delete the partition before I encrypt it?

One last question, I noticed that when you unmount the drive that you type 'cryptsetup remove crypt' which will make it so that on a reboot, it will still ask for a pass phrase. My question is, what happens if this drive needs to be mounted at all times? I'm guessing that you can still type the cryptsetup command to remove the key even while it's mounted? Otherwise theres no point for me in using this, because if the backup server gets stolen then they will have access to the partition.
Back to top
View user's profile Send private message
Nate_S
Guru
Guru


Joined: 18 Mar 2004
Posts: 414

PostPosted: Fri May 07, 2004 5:18 pm    Post subject: Reply with quote

Here's a very dirty hack I'm using to encrypt swapspace on bootup with local.start and local.stop

DISCLAIMER: Use at your own risk. This is what I am using on my system, and it works for me, but I can't promise it won't make your hard drive scream in pain or your mouseball to get filled with dust twice as quick. However, I'd highly doubt it could do worse than cause the swap not to work, which could be easily fixed by simply removing this hack, and mkswap on your swap partition again.

/etc/fstab
Code:
/dev/hda9               none            swap            sw                     0 0

I still have an unencrypted swap in my fstab that the kernel activates during bootup. This is most likely not necessary, but I left it just in case it uses swap as it boots.

/etc/conf.d/local.start
Code:
swapoff /dev/hda9                                           #turn off swap activated in fstab
cryptsetup -d /dev/urandom create swap /dev/hda9            #encrypt partition using a random key from /dev/urandom
mkswap /dev/mapper/swap                                     #setup the swap space on the encypted partition
swapon /dev/mapper/swap                                     #activate the encrypted swap


/etc/conf.d/local.stop
Code:
swapoff /dev/mapper/swap                                        #deactivate the swap device
cryptsetup remove swap                                          #remove encrypted device
mkswap /dev/hda9                                                #set it up for unencrypted use on next reboot


I hope this helps some of you

-Nate
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum