Gentoo Forums
[HOWTO] root, swap filesystem encryption for 2.4 and 2.6

s3ntient
Guru


Joined: 13 Apr 2003
Posts: 304
Location: Lyon, France

Posted: Sat Apr 16, 2005 2:01 pm

Hi! I just had a slight problem, I encrypted my root partition but forgot something so my system won't boot. No big problem, just boot back into knoppix and mount the partition:

losetup -e AES128 /dev/loop0 /dev/hda4
mount /dev/loop0 /mnt/hda4

the problem is it tells me that I must specify the filesystem; if I put -t reiserfs it tells me wrong fs, bad option, or bad superblock on /dev/loop0 ...

what can I do to get it mounted?
_________________
http://blog.chaostrophy.org
chadders
Tux's lil' helper


Joined: 21 Jan 2003
Posts: 113

Posted: Mon Apr 18, 2005 6:33 pm

Um, that is the symptom that happens when the passphrase is wrong, or when the incorrect encryption algorithm is on the mount (like AES128 when the file system was encrypted with AES256, or blowfish, or whatever).

Not good news. When that happened to me I messed up the pass phrase when encrypting; I had to restore from a backup and CAREFULLY re-encrypt the partition. Sorry.

Chadders :D

P.S. You might think about using the device mapper dm-crypt instead of loop-AES. Other threads can tell you why.
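The symptom chadders describes above has a quick diagnostic. As an added example (mine, not code from this thread or from loop-AES): a Go probe that takes the plaintext a loop device presents and checks whether a reiserfs or ext2 superblock magic sits where those filesystems keep it. The image bytes are constructed; the offsets come from the reiserfs and ext2 on-disk layouts.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Superblock magic locations for the filesystems named in this thread:
// reiserfs at 64 KiB + 52 (ASCII string), ext2/ext3 at 1 KiB + 56 (LE 0xEF53).
const (
	reiserMagicAt = 64*1024 + 52
	ext2MagicAt   = 1024 + 56
	ext2Magic     = 0xEF53
)

var reiserMagics = [][]byte{[]byte("ReIsErFs"), []byte("ReIsEr2Fs"), []byte("ReIsEr3Fs")}

// ProbeSuperblock inspects the plaintext view of a device (the first 128 KiB
// read back from /dev/loop0 after losetup -e) and names the filesystem whose
// magic it finds, or returns "". losetup never checks the passphrase: a wrong
// key or cipher simply yields pseudo-random plaintext with no magic anywhere,
// so "" points at a key/cipher mismatch, not at a damaged filesystem.
func ProbeSuperblock(dev []byte) string {
	if len(dev) >= reiserMagicAt+9 {
		for _, m := range reiserMagics {
			if bytes.HasPrefix(dev[reiserMagicAt:reiserMagicAt+9], m) {
				return "reiserfs"
			}
		}
	}
	if len(dev) >= ext2MagicAt+2 &&
		binary.LittleEndian.Uint16(dev[ext2MagicAt:ext2MagicAt+2]) == ext2Magic {
		return "ext2"
	}
	return ""
}

// fakeReiserImage: constructed 128 KiB image carrying only the reiserfs 3.6 magic.
func fakeReiserImage() []byte {
	img := make([]byte, 128*1024)
	copy(img[reiserMagicAt:], "ReIsEr2Fs")
	return img
}

func main() {
	fmt.Printf("decrypted correctly: %q\n", ProbeSuperblock(fakeReiserImage()))
	// An all-zero image stands in for plaintext with no recognizable structure.
	fmt.Printf("nothing recognizable: %q\n", ProbeSuperblock(make([]byte, 128*1024)))
}
```

Against a real device, feed it the output of `dd if=/dev/loop0 bs=64k count=2` in place of the constructed image; reading the loop device is harmless whether or not the key is right.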
yaneurabeya
Veteran


Joined: 13 May 2004
Posts: 1754
Location: Seattle

Posted: Tue Apr 19, 2005 5:24 am

Dang, that's a long tut (and quite detailed). I'll try that out someday when security becomes a serious issue wherever I work/use PCs :).
Apropos
n00b


Joined: 06 Jan 2004
Posts: 29

Posted: Wed Apr 27, 2005 10:13 pm    Post subject: Two Questions/Comments

First, if I understand the security HOWTOs correctly, one should password protect their BIOS and boot from an internal hard drive to prevent a user from popping in a CD or floppy and booting their own system. If I had a laptop and some nefarious individual got hold of it they could easily wipe my nice encrypted system from my hard drive. They could probably circumvent the BIOS too, but it adds a layer of security and I'm paranoid 8O .
Same is true I suppose for a locked desktop PC. So what is wrong with this, or is there a better way to protect the data than booting from USB/CD/Floppy?

Next, I've found a link in all the HOWTOs that states that dm-crypt and cryptoloop are not good methods until kernel 2.6.10 or greater. http://mareichelt.de/pub/texts.cryptoloop.php

Does anyone have anymore info on this or a second source?

BTW, I haven't yet encrypted my file system; I'm just trying to lay it all out first and then charge ahead.
Thanks for any help.
Base
n00b


Joined: 22 Apr 2005
Posts: 17

Posted: Thu Apr 28, 2005 10:13 pm

Password protection in the BIOS is utterly worthless as a security measure against anyone other than, like, your 10 year old brother or mother.

The only thing you can do to really protect yourself from someone wiping your disks is to remove your CD/DVD and disk drive + use a thick steel case with padlocks.

The main point of encryption is not to prevent other people from wiping your info but to prevent them from getting access to it so they can see what you store on your disks.

If you encrypt your disks with a strong crypto/approach you should have good protection against everything (access-wise) except someone breaking in through your network connection.
Base
n00b


Joined: 22 Apr 2005
Posts: 17

Posted: Thu Apr 28, 2005 10:20 pm

I'm no encryption expert and have been checking around myself, and this is what I can find out.
Cryptoloop is a no-hope solution security-wise, at least for those that lack uber-Linux skills (and perhaps can avoid some of the vulnerabilities otherwise).
dm-crypt is a big question mark. I've read some about a patch that can be used with dm-crypt by using certain commands at install. This patch salts dm somehow, making it more secure against watermarking. Some kind of ESSIV story.
Loop-AES seems to be the only really renowned secure solution atm (with multi-keys), but seems to be a bitch to get working.

Tried to get more opinions about the dm-crypt vulnerability issue, but no luck so far.
I am kinda fresh at using Linux (except for my webserver, but any doofus is probably able to install an Apache/PHP/MySQL solution today) and prefer to get an easy solution to this. But installing encryption that isn't moderately safe is to me like making something not work, totally pointless. So it would be nice with more input.
Sigmatador
n00b


Joined: 26 Sep 2004
Posts: 19

Posted: Sun May 29, 2005 12:49 pm

I have a problem with my passphrase; recently I have used one that has 'A' and 'M' characters. So what's the problem? Well, when I'm typing my passphrase under Knoppix, my keyboard is 'azerty', but once I boot my encrypted root, my initrd seems to be in 'qwerty'. Is there a way to tell initrd that I'm using an 'azerty' keyboard?
dripton
n00b


Joined: 16 Aug 2002
Posts: 65
Location: Virginia USA

Posted: Wed Jun 08, 2005 2:07 pm

Thanks for the HOWTO.

I've been encrypting an existing root filesystem, on amd64, with udev. Just different enough that none of the docs quite match. :->

1. cryptoloop and dm_crypt are currently deprecated for lack-of-security reasons. You will find that the options to turn them on are disabled in recent 2.6 kernels. So loop-AES is definitely the way to go.

2. The ldd in recent versions of Gentoo (and other bleeding-edge distros) changed its output format, which breaks loop-AES's build_initrd.sh script. There is a one-line patch here:

http://mail.nl.linux.org/linux-crypto/2005-04/msg00054.html

Just in case that link breaks:

Code:

--- ../loop-AES-v3.0c/build-initrd.sh   Sat May  8 10:36:31 2004
+++ ./build-initrd.sh   Sun Apr 24 21:37:28 2005
@@ -740,7 +740,7 @@
 for x in ${z} ; do
     echo Copying ${SOURCEROOT}${x} to ${DESTINATIONROOT}${DESTINATIONPREFIX}
     cp -p ${SOURCEROOT}${x} ${DESTINATIONROOT}${DESTINATIONPREFIX}
-    y=`ldd ${SOURCEROOT}${x} | perl -ne 'if(/ => ([^ ]*) /){print "$1\n"}'`
+    y=`ldd ${SOURCEROOT}${x} | perl -ne 'if(/([^ ]*) \(0x/){print "$1\n"}'`
     for a in ${y} ; do
         echo Copying ${SOURCEROOT}${a} to ${DESTINATIONROOT}${DESTINATIONPREFIX}
         cp -p ${SOURCEROOT}${a} ${DESTINATIONROOT}${DESTINATIONPREFIX}
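Review bot: the `+` line's pattern `/([^ ]*) \(0x/` drops the `=>` anchor of the old expression, which is what lets it work on both ldd layouts (the `name => /path (0x…)` form the `-` line expected, and the newer one where the path stands directly before `(0x`), but it also matches a line where nothing but a space precedes `(0x`, yielding an empty `$1` and a blank line in `y`; that blank only vanishes because the unquoted `for a in ${y}` word-splits it away. A one-line comment above the `y=` assignment naming both ldd formats and noting that empty captures are expected would save the next reader from re-deriving this, since the hunk carries no explanation of why the regex changed.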
hadees
Tux's lil' helper


Joined: 17 Dec 2003
Posts: 137

Posted: Wed Jun 08, 2005 8:55 pm

Does this guide still ring true? It is sort of old. I am looking at doing this right now myself. However I wish Trusted Gentoo wasn't just vaporware, because I could have used my TCPA chip for storing the keys.
dripton
n00b


Joined: 16 Aug 2002
Posts: 65
Location: Virginia USA

Posted: Sat Jun 11, 2005 2:24 am

Quote:
does this guide still ring true? it is sort of old.

I would read this guide, but use http://loop-aes.sourceforge.net/loop-AES.README as the primary source, since it's more authoritative and up-to-date. The multi-key-v3 setup is more secure than the older single-key configurations.

I did Example 5, Encrypting Root Partition. Encrypting a non-root partition is easy -- I recommend doing that first for practice before moving on to the harder cases. (If you don't have a spare partition, you can always disable swap and then mess around with your swap partition.) The root is a pain because of having to set up initrd, make sure the necessary devices are visible early enough in the boot process, make sure things are compiled statically so they work without /usr/lib available, etc. Anything you do wrong usually hangs the system and renders it unbootable, and then it's back to Knoppix or the Gentoo livecd.

Never did get it working correctly with udev -- I had to revert my system to devfs, which has explicit support instructions. Not saying udev can't be made to work, just that I couldn't get it working before running out of patience.

I used the latest versions of loop-AES, aespipe, util-linux, and gpg, all built by hand under /usr/src rather than using portage. For dietlibc I just used the ebuild.
Other than the one-line patch to build-initrd.sh to work around ldd's output changing in recent glibc versions (see my other post), there were no big surprises. It's just a matter of getting all the little steps right at the same time.
Logician
n00b


Joined: 06 Jan 2005
Posts: 41

Posted: Tue Jul 12, 2005 3:45 am

Anyone who knows enough about this bit, this question is directed to you - my roommate told me, at one point, not to emerge and update my bin-utils EVER. But the version I use is no longer in portage. Is there a real reason I can't update, or should I be good to go?
kanaesin
n00b


Joined: 09 Aug 2004
Posts: 25

Posted: Mon Sep 12, 2005 8:01 am

Logician wrote:
Anyone who knows enough about this bit, this question is directed to you - my roommate told me, at one point, not to emerge and update my bin-utils EVER. But the version I use is no longer in portage. Is there a real reason I can't update, or should I be good to go?

I wouldn't do it. I haven't updated them and haven't run into problems... yet...
So if it ain't broke don't fix it.
gnjf
n00b


Joined: 11 Sep 2005
Posts: 3
Location: Innsbruck, Austria

Posted: Tue Sep 13, 2005 6:48 pm

Very interesting howto, thanks for all the great work.

I intend to encrypt my notebook's partitions using aes-loop but I have one question:
would it ...
...be technically possible to use a TPM chip (trusted platform module) to create and store the encryption key?
...make any sense security-wise? As the key would be stored in the TPM instead of on an unencrypted partition.

Please tell me if this is complete bull****, aside from the fact that TPMs aren't very popular with the open-source crowd.

greetings gnjf
Metalheadws
n00b


Joined: 19 Jul 2005
Posts: 2

Posted: Thu Sep 15, 2005 11:54 am

Just my 2 cent:

I've encrypted my root partition following the steps in this howto, everything worked :)
I'm using udev (configuration as in the "without devfs" comments in build-initrd.sh), portage loop-aes, util-linux (with the crypt and static USE flags), aespipe (static USE flag) and gpg (compiled myself, since it doesn't have a static USE flag).
There's one caveat though: the aespipe version marked as stable in portage (2.2a) doesn't support multi-keys. After I initially encrypted my partition, I wasn't able to mount it (got losetup'ed properly though). I just piped the data on the disk back through aespipe to decrypt (which worked like a charm), emerged ~x86 aespipe and re-encrypted the data. I suppose this might also be the reason for most of the "wrong fs type" errors posted in this thread.

Lars
Gotterdammerung
l33t


Joined: 11 Feb 2004
Posts: 627
Location: Rio de Janeiro, Brazil

Posted: Thu Oct 06, 2005 6:16 pm

Fine tut! I was looking for something like this for some time. I'll try it on a virtual machine before diving into my real PC.
_________________
A mind that is stretched by a new experience can never go back to its old dimensions. - Oliver Wendell Holmes
unixtroll
n00b


Joined: 19 Aug 2003
Posts: 41

Posted: Fri Oct 07, 2005 7:26 am

Quote:
1. cryptoloop and dm_crypt are currently deprecated for lack-of-security reasons. You will find that the options to turn them on are disabled in recent 2.6 kernels. So loop-AES is defintitely the way to go.

Cryptoloop IS deprecated, but dm_crypt?? There's no mention of any security risks in the 2.6 kernel, and it's definitely not deprecated. It WAS susceptible to watermarking attacks with the old public-IV mode, but since ESSIV got introduced with 2.6.10 that issue was erased. I'm just a layman, but if I understand correctly, ESSIV in dm-crypt is the equivalent (security-wise) to multi-key mode in loop-AES. Further information here.
So regarding security issues, both seem to be on the same level.

Nevertheless I have gotten the perception from reading mailing lists & other forums about this topic, that dm-crypt in combination with LUKS is considered superior to loop-AES, mainly because of its key management & especially design issues.
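The ESSIV point unixtroll makes above, as an added example (mine, not the poster's code and not dm-crypt's own source): the two IV derivations side by side in Go using only the standard library. It follows my reading of dm-crypt's "plain" and "essiv:sha256" modes; the volume keys are constructed, and sector numbers are in 512-byte units as dm-crypt counts them.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// PlainIV is the pre-2.6.10 dm-crypt "plain" IV: the low 32 bits of the
// sector number, little-endian, zero-padded to the AES block size. It needs
// no secret, so every sector's IV is public and predictable, which is the
// property the watermarking attack exploited.
func PlainIV(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint32(iv, uint32(sector))
	return iv
}

// EssivIV is the essiv:sha256 construction: hash the volume key to get a
// salt, then encrypt the 64-bit little-endian sector number under that salt.
// With a 32-byte SHA-256 salt the IV cipher is AES-256. Without the key no
// sector's IV can be predicted, so chosen plaintext can no longer be laid out
// to produce recognisable ciphertext patterns across sectors.
func EssivIV(volumeKey []byte, sector uint64) ([]byte, error) {
	salt := sha256.Sum256(volumeKey)
	ivCipher, err := aes.NewCipher(salt[:])
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	ivCipher.Encrypt(iv, iv) // in-place: dst and src overlap exactly
	return iv, nil
}

func main() {
	// Constructed volume keys; real ones come from the keyfile or passphrase.
	keyA := []byte("constructed-volume-key-A-0123456")
	keyB := []byte("constructed-volume-key-B-0123456")
	for sector := uint64(0); sector < 3; sector++ {
		a, _ := EssivIV(keyA, sector)
		b, _ := EssivIV(keyB, sector)
		// The plain IV is the same whatever the key; ESSIV changes with it.
		fmt.Printf("sector %d plain=%x\n", sector, PlainIV(sector))
		fmt.Printf("         essiv(A)=%x essiv(B)=%x\n", a, b)
	}
}
```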
dtmf
Tux's lil' helper


Joined: 18 Jan 2005
Posts: 124

Posted: Thu Dec 22, 2005 9:12 pm

The doc was nice and easy to follow, but I must have missed something. I have encrypted the drive and set up the ramdisk and all the kernel stuff. When the kernel starts loading it stops half way, and says:
Code:
VFS: Mounted root (minix filesystem) readonly
Freeing unusded kernel memory: 260k freed
Warning: unable to open initial console.
Shutdown: hda
System halted.

I am not sure what to do. I can get into the encrypted drive just fine in Knoppix, but it doesn't look like booting on its own is working.
redhook
n00b


Joined: 24 Jan 2005
Posts: 18

Posted: Fri Dec 23, 2005 12:22 pm    Post subject: Re: Two Questions/Comments

Apropos wrote:
If I had a laptop and some nefarious individual got a hold of it they could easily wipe by nice encrypted system from my hard drive. They could probably circumvent the BIOS too but it adds a layer of security and I'm paranoid 8O .

Modern laptop BIOS passwords cannot be reset. You have to send the laptop in to a service center to have this done (requires BIOS replacement).
All times are GMT
Page 8 of 8