joeatsalot n00b
Joined: 08 Sep 2003 Posts: 2
Posted: Wed Sep 10, 2003 5:51 am
Gosh - I'm 28 and a half and I'm confused.
I've been following the instructions from the Linux from Scratch people, to do a similar thing. http://archives.linuxfromscratch.org/mail-archives/hints/2003-February/001539.html
I've got the encrypted part all working, but then /sbin/init crashes horribly, because of the way I'm running it. Perhaps LFS is different to gentoo?
Is the LFS stuff out of date? Badly?
I hope somebody can help.
Jonathan
PS My init script on the unencrypted partition is as follows:
#!/bin/sh
# /sbin/init on the unencrypted partition. The shebang has to be the very
# first line, otherwise the kernel cannot execute this file as a script.
/bin/mount -n -t proc proc /proc
# attach the encrypted partition to a loop device (losetup prompts for the pass phrase)
/sbin/losetup -e aes -k 128 /dev/loop0 /dev/hda9
/bin/mount -n -t reiserfs /dev/loop0 /mnt
/bin/umount /proc
cd /mnt
# the old root ends up under /mnt/loader, so that directory must exist on the encrypted filesystem
/sbin/pivot_root . loader
exec /usr/sbin/chroot . /sbin/init
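The same pivot_root sequence as an added example (not Jonathan's script, and not from LFS or Gentoo), with each step checked so that a failure lands in a rescue shell on the console instead of killing PID 1 and taking the kernel down with it. The partition, loop device, cipher, filesystem and the loader directory are assumptions copied from the script above; DRY_RUN=1 prints the commands instead of executing them, which is how the sequence can be exercised outside an initrd:

```shell
#!/bin/sh
# Added example, not the script from the post above: the same pivot_root
# sequence with each step checked. Values below are assumptions copied from
# that script; set DRY_RUN=1 to print the commands instead of running them.
CRYPT_DEV=${CRYPT_DEV:-/dev/hda9}       # assumed encrypted partition
LOOP_DEV=${LOOP_DEV:-/dev/loop0}
ROOT_FS=${ROOT_FS:-reiserfs}
NEW_ROOT=${NEW_ROOT:-/mnt}
OLD_ROOT_DIR=${OLD_ROOT_DIR:-loader}    # must exist inside the encrypted root
DRY_RUN=${DRY_RUN:-}

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "+ $*"
        return 0
    fi
    "$@"
}

# PID 1 must never exit (the kernel panics), so a failed step lands in a
# shell on the console where the problem can be looked at.
rescue() {
    echo "encrypted-root init: $1" >&2
    [ -n "$DRY_RUN" ] && return 1
    exec /bin/sh </dev/console >/dev/console 2>&1
}

encrypted_root_init() {
    run /bin/mount -n -t proc proc /proc || rescue "mount /proc failed"
    # losetup asks for the pass phrase on the console
    run /sbin/losetup -e aes -k 128 "$LOOP_DEV" "$CRYPT_DEV" \
        || rescue "losetup failed (bad pass phrase, or cipher not in kernel)"
    run /bin/mount -n -t "$ROOT_FS" "$LOOP_DEV" "$NEW_ROOT" \
        || rescue "mount of decrypted root failed (no valid $ROOT_FS found)"
    run /bin/umount /proc || rescue "umount /proc failed"
    run cd "$NEW_ROOT" || rescue "cd $NEW_ROOT failed"
    run /sbin/pivot_root . "$OLD_ROOT_DIR" || rescue "pivot_root failed"
    if [ -n "$DRY_RUN" ]; then
        echo "+ exec /usr/sbin/chroot . /sbin/init"
        return 0
    fi
    # Hand the console to the real init. The console path is relative to the
    # new root (our cwd), which is what the pivot_root man page does too.
    exec /usr/sbin/chroot . /sbin/init <dev/console >dev/console 2>&1
    rescue "exec of /sbin/init failed"
}

# Act as init only when invoked as such; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    encrypted_root_init
fi
```

Installed as the unencrypted partition's /sbin/init it is invoked with --run from the kernel command line or a wrapper; run with DRY_RUN=1 first to see the seven commands it would issue in order.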
watersb Apprentice
Joined: 04 Sep 2002 Posts: 297 Location: take a left turn in Tesuque
Posted: Thu Sep 11, 2003 9:47 pm
Kernel 2.6 System Encryption
I am pleased to announce that with Mike Petullo's and David Braun's help, I have been able to get an encrypted-root system WORKING with my Gentoo 2.6 laptop, using a random string that is stored on a USB dongle; this string is encrypted with GPG.
Work in progress documentation is available at http://www.sdc.org/~leila/usb-dongle/rough-readme.txt and at http://www.sdc.org/~leila/usb-dongle/readme.html
The entire setup - a minix-based RAMDisk, and a tarballed filesystem for the USB-dongle - has been posted to http://www.sdc.org/~leila/usb-dongle/
This setup is working for me on an x86 system; you will need to replace the binaries on the usb tarball with your actual binaries (just copy them over from a working linux system, taking care to copy over any shared libs as well).
Although I am starting to use this setup in production use, I keep backups of everything, and assume it is going to eat my hard disk at any moment. More pounding is needed.
At this point I want to focus on getting the documentation completed.
How does it look so far?
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Fri Sep 12, 2003 5:15 am
Woah COOL! I'm gonna try that! Thanks watersb
Chad
gmoney n00b
Joined: 04 Aug 2003 Posts: 20 Location: Santa Barbara
Posted: Mon Sep 15, 2003 12:23 am
I've had no luck at all getting my filesystems which were originally encrypted with the loopback-aes system to work with the kerneli crypto systems in the 2.6 kernel. The 2.12 util-linux package seems to work fine but doesn't give me all the options the kerneli crypto seems to need (-k, -p, etc...). I've tried every combination of losetup I can think of and some of them actually "work", but when I try to mount no valid filesystem is found. My existing fstab entry is:
/secure/home /home ext3 encryption=AES256,sync,exec,noatime 0 0
and my 2.6 version is:
/secure/home /home ext3 sync,loop,keybits=256,encryption=aes,exec,noatime 0 0
I've seen information on the kerneli website about how to convert your losetup options for loopback-aes to the kerneli version, but the gentoo build for util-linux doesn't include the needed options. Has anyone had any luck with mounting a loopback-aes encrypted filesystem from 2.4 to the kerneli system in 2.6?
Death Valley Pete n00b
Joined: 25 Mar 2003 Posts: 49 Location: The Inland Empire
Posted: Mon Sep 15, 2003 1:52 am
Looks promising. I'm trying to figure out how to make this whole thing work, but without the USB dongle (i.e. with a prompt for a password, the thought being that a dongle would be too easily compromised). Any hints?
_________________ <insert pithy statement here>
bonsaikitten Apprentice
Joined: 01 Jan 2003 Posts: 213 Location: Shanghai, China
Posted: Mon Sep 15, 2003 9:46 am
Death Valley Pete wrote: | Looks promising. I'm trying to figure out how to make this whole thing work, but without the usb dongle. (i.e. with a prompt for a password, the thought being that a dongle would be too easily compromised). Any hints? |
The key on the dongle is password protected, so effectively you add another level of encryption by using a dongle. Using a plaintext key would be quite dumb from a crypto point of view.
watersb Apprentice
Joined: 04 Sep 2002 Posts: 297 Location: take a left turn in Tesuque
Posted: Mon Sep 15, 2003 4:04 pm
Death Valley Pete wrote: | Looks promising. I'm trying to figure out how to make this whole thing work, but without the usb dongle. (i.e. with a prompt for a password, the thought being that a dongle would be too easily compromised). Any hints? |
I am sincerely sorry if the documentation is too complex -- I am trying to write it all down, and afterwards some editing to get some simple "paths" through all this.
I will be adding the more-simple, non-USB method to the documentation soon. The section "framework" should already be there.
Until then, see http://www.flyn.org/projects/cryptoswap/index.html
watersb Apprentice
Joined: 04 Sep 2002 Posts: 297 Location: take a left turn in Tesuque
Posted: Mon Sep 15, 2003 6:18 pm
gmoney wrote: | My existing fstab entry is:
/secure/home /home ext3 encryption=AES256,sync,exec,noatime 0 0
and my 2.6 version is:
/secure/home /home ext3 sync,loop,keybits=256,encryption=aes,exec,noatime 0 0
Has anyone had any luck with mounting a loopback-aes encrypted filesystem from 2.4 to the kerneli system in 2.6? |
What sort of error are you getting?
One thing to try, with new util-linux, is to specify key size in the encryption name:
Code:
/secure/home /home ext3 sync,loop,encryption=aes-256-cbc,exec,noatime 0 0
I recommend that you build the crypto TESTING MODULE in the kernel options under CRYPTOGRAPHIC OPTIONS, then load it with
and then examine the kernel debug message output with dmesg -- you will see the names of the various crypto algorithms in the format the kernel is expecting, which you can then try as arguments to the encryption option to mount.
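gmoney's question and watersb's reply come down to two checks: which spelling of the cipher the 2.6 loop driver will take, and whether the kernel has that cipher at all. The script below is an added example, not code from either post and not part of util-linux: it turns a loop-AES option such as encryption=AES256 into the aes-256-cbc form watersb suggests and checks the base cipher against what /proc/crypto lists. The /proc/crypto text embedded in it is constructed so that it runs anywhere; whether a given util-linux accepts the dashed name is still something to confirm with losetup itself.

```shell
#!/bin/sh
# Added example, not code from the thread or from util-linux: translate a
# loop-AES fstab option to the cryptoapi-style name suggested above and check
# that the kernel lists the cipher. The /proc/crypto text is constructed so
# the script runs anywhere; set PROC_CRYPTO=/proc/crypto to read the real one.
PROC_CRYPTO=${PROC_CRYPTO:-}
SAMPLE_PROC_CRYPTO='name         : aes
module       : aes
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : serpent
module       : serpent
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
'

# Cipher names the kernel has registered, one per line.
kernel_ciphers() {
    if [ -n "$PROC_CRYPTO" ]; then
        awk -F': *' '$1 ~ /^name/ { print $2 }' "$PROC_CRYPTO"
    else
        printf '%s' "$SAMPLE_PROC_CRYPTO" | awk -F': *' '$1 ~ /^name/ { print $2 }'
    fi
}

# loop-AES spelling (AES128/AES192/AES256) -> cipher-keybits-mode, the form
# watersb suggests for the new util-linux. Unknown spellings return 1.
to_cryptoapi_name() {
    case "$1" in
        [Aa][Ee][Ss]128) echo aes-128-cbc ;;
        [Aa][Ee][Ss]192) echo aes-192-cbc ;;
        [Aa][Ee][Ss]256) echo aes-256-cbc ;;
        *) return 1 ;;
    esac
}

# /proc/crypto lists the bare algorithm ("aes"), not "aes-256-cbc".
base_cipher() {
    printf '%s\n' "$1" | cut -d- -f1 | tr 'A-Z' 'a-z'
}

# 0 if the kernel knows the base cipher of the given name, 1 otherwise.
cipher_available() {
    kernel_ciphers | grep -qx "$(base_cipher "$1")"
}

# The encryption= value from an fstab line (options are field 4).
fstab_encryption_opt() {
    printf '%s\n' "$1" | awk '{ print $4 }' | tr ',' '\n' | sed -n 's/^encryption=//p'
}

# Convert and check one fstab line, printing the suggested name.
check_fstab_line() {
    old=$(fstab_encryption_opt "$1")
    new=$(to_cryptoapi_name "$old") || new=$old
    if cipher_available "$new"; then
        echo "$old -> $new (cipher present in kernel)"
    else
        echo "$old -> $new (cipher NOT listed in /proc/crypto)"
        return 1
    fi
}
```

Feeding gmoney's 2.4 line through check_fstab_line gives "AES256 -> aes-256-cbc (cipher present in kernel)"; a cipher that is not compiled in fails the check, which is the case where losetup "works" but no valid filesystem is found.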
Death Valley Pete n00b
Joined: 25 Mar 2003 Posts: 49 Location: The Inland Empire
Posted: Mon Sep 15, 2003 9:38 pm
watersb wrote: |
I am sincerely sorry if the documentation is too complex -- I am trying to write it all down, and afterwards some editing to get some simple "paths" through all this.
I will be adding the more-simple, non-USB method to the documentation soon. The section "framework" should already be there.
Until then, see http://www.flyn.org/projects/cryptoswap/index.html |
Well then, I guess I'll just shut up and let you finish.
bonsaikitten wrote: | The key on the dongle is password protected, so effectively you add another level of encryption by using a dongle. Using a plaintext key would be quite dumb from a crypto point of view. |
Good point. I guess I'll start saving my pocket change...
_________________ <insert pithy statement here>
usingloser Apprentice
Joined: 18 May 2003 Posts: 297 Location: ->Here<-
Posted: Tue Sep 16, 2003 5:09 pm
--edited--
I left out the "lun0" in my partition identifier in my initrd build script.
All better now.
lazarous n00b
Joined: 13 Sep 2003 Posts: 18 Location: Charlottesville, Virginia
Posted: Fri Sep 26, 2003 3:25 am
If a court has a search warrant in the US and you do not give the password for the system, you can be held in contempt of the court and get jail time too.
_________________ http://www.kuro5hin.org/story/2002/4/13/182028/722
Garbz Apprentice
Joined: 02 Jul 2003 Posts: 260 Location: Brisbane, Australia
Posted: Mon Sep 29, 2003 9:59 am
Got similar issues in Australia to the UK.
If the court has reason to believe there is incriminating evidence on the encrypted partition you can be forced to hand over the key. Or else 5 years or max $200,000 AUD I believe.
If you destroy the key and render the partition useless then you can be charged with destroying evidence (although there was apparently a loophole whereby someone escaped conviction for that act by claiming the evidence was still there in its entirety and hadn't been touched, and that not being able to read it wasn't his problem. I think there was also an argument that if the data was scrambled in such a way then the evidence which is presumably destroyed didn't exist in the first place :S )
_________________ Every beginning is another beginning's end.
chadders Tux's lil' helper
Joined: 21 Jan 2003 Posts: 113
Posted: Thu Oct 02, 2003 4:30 am
Wooo! I'm finally up on the 2.6 kernel, now I can check out watersb's stuff instead of loop-AES. Anyone know of anything I gotta watch out for especially?
Oh, I'm supposed to say hi to Bo so hi Bo and everyone else ignore this part especially Garbz.
Chad
Garbz Apprentice
Joined: 02 Jul 2003 Posts: 260 Location: Brisbane, Australia
Posted: Thu Oct 02, 2003 5:38 am
bah fine then
_________________ Every beginning is another beginning's end.
cayenne l33t
Joined: 17 Oct 2002 Posts: 945 Location: New Orleans
Posted: Fri Oct 03, 2003 8:39 pm Post subject: Just starting to read on this..
Hello...read through all this, and it looks interesting. I noticed that this thread started a while back...and had a question.
It originally says to get aes-loop from sourceforge. I did an emerge search and found there is app-crypt/aes-crypt available.
Can this be a new starting point or are these 2 completely different apps?
Thanks!
cayenne
_________________ Light travels faster than sound. This is why some people appear bright until you hear them speak.........
bosko Tux's lil' helper
Joined: 07 Mar 2003 Posts: 114 Location: The Netherlands
Posted: Fri Oct 03, 2003 9:05 pm
I have read the how-to posted earlier in this thread (http://www.sdc.org/~leila/usb-dongle/rough-readme.txt), but I still don't completely understand what I have to do.
What I would like to do is use Linux 2.6 (so I would have to use the crypto API) and encrypt both my swap and my root partition. I want to store the key on a USB dongle (only the key, I want the kernel to be in /boot). But basically I have no clue about how I can do this. Could someone be so kind as to post the exact steps I need to do?
I did try to extract the relevant information from the instructions posted in this thread, but it's a bit confusing to me.
Thank you very much in advance.
ro0t n00b
Joined: 09 Oct 2003 Posts: 1
Posted: Thu Oct 09, 2003 7:41 am Post subject: Initrd Remains Mounted After Boot ! :?
This question is not really related to gentoo .. I'm using slackware 9 and kernel 2.4.22 ..
I followed the steps given by "Disk Encryption HOWTO" David Braun
2003-09-13 Revision History
Revision 1.1 2003-09-13 Revised by: DB
The system is working fine, the only problem I am having is that .. /initrd .. is mounted readonly ..
If I try umount /initrd .. it says DEVICE BUSY .
Can anyone explain why it's still mounted after booting and how to umount it automatically when the system boots ..
curmudgeon Veteran
Joined: 08 Aug 2003 Posts: 1741
Posted: Fri Oct 10, 2003 6:59 pm Post subject: Re: Initrd Remains Mounted After Boot ! :?
ro0t wrote: |
The system is working fine, the only problem I am having is that .. /initrd .. is mounted readonly ..
If I try umount /initrd .. it says DEVICE BUSY . :?
Can anyone explain why it's still mounted after booting and how to umount it automatically when the system boots .. |
http://loop-aes.sourceforge.net/loop-AES.README
"Root partition loop device node is inside initrd, and that device node will remain busy forever. This means that encrypted root initrd can't be unmounted and RAM used by initrd file system can't be freed. This unable-to-unmount side effect is the reason why initrd is intentionally made as small as possible."
DingoStick n00b
Joined: 05 Mar 2003 Posts: 63 Location: The Keweenaw
Posted: Sat Oct 11, 2003 6:30 am
I seem to have everything going (mostly) fine, but when I try to mount my partition (it's non-root, so the system is up, but the encrypted partition is not yet mounted), it fails:
Code:
root@outback home # mount ./ftp
Password:
ioctl: LOOP_SET_FD: Device or resource busy
I've read a bit of the documentation, but can't find out why this is occurring. Anyone know about this? My /etc/fstab contains this line:
Code:
/dev/loop5 /home/ftp reiserfs defaults,noauto,loop=/dev/loop5,encryption=AES256 0 0
I've tried switching between loop5 and loop0 (the howto uses both, which seems kinda odd...). Nothing works as of now.
_________________ Linux programs, themes, howtos, etc.
echto Tux's lil' helper
Joined: 30 Jun 2002 Posts: 108
Posted: Thu Oct 23, 2003 6:58 pm
Thanks for your time on this.
watersb wrote: | Kernel 2.6 System Encryption
I am pleased to announce that with Mike Petullo's and David Braun's help, I have been able
to get an encrypted-root system WORKING with my Gentoo 2.6 laptop, using
a random string that is stored on a USB dongle; this string is encrypted
with GPG.
Work in progress documentation is available at
http://www.sdc.org/~leila/usb-dongle/rough-readme.txt
and at
http://www.sdc.org/~leila/usb-dongle/readme.html
The entire setup - a minix-based RAMDisk, and a tarballed filesystem for
the USB-dongle - has been posted to
http://www.sdc.org/~leila/usb-dongle/
This setup is working for me on an x86 system; you will need to replace
the binaries on the usb tarball with your actual binaries (just copy
them over from a working linux system, taking care to copy over any
shared libs as well).
Although I am starting to use this setup in production use, I keep
backups of everything, and assume it is going to eat my hard disk at any
moment. More pounding is needed.
At this point I want to focus on getting the documentation completed.
How does it look so far? |
watersb Apprentice
Joined: 04 Sep 2002 Posts: 297 Location: take a left turn in Tesuque
Posted: Tue Oct 28, 2003 12:36 am
Folks, nothing more to see here, just checking in to apologize for how long it's taking to complete that documentation.
If you want to help out, then of course you are free to take a whack at it...
Also, it is a complex document, and it would be useful to have a very quick step-by-step path through the cruft. If someone could post a particular trajectory of commands through it, in the "QuickStart Guide" style like you see in this unrelated document, then I'm sure people would be helped.
And FWIW, I'm up to kernel-test8-love3, the process has worked for all 2.6.0-series kernels that I've tried, and we're getting close to an API freeze for the test series...
rajl Apprentice
Joined: 25 Sep 2002 Posts: 287
Posted: Wed Oct 29, 2003 3:28 am
Just my two cents on algorithm choice: While investigating hard disk encryption further, I've noticed that people have offered the opinion that Rijndael should be used, and not Serpent; Rijndael was chosen as the winner of the AES, and some people are saying that Serpent has been possibly broken. Doing some research, the only attack against Serpent I've found is one that also works against Rijndael. Because of similarities in the algorithms (essentially the same, AES is designed to be faster, Serpent throws in more transformations, rounds, etc than necessary to be more secure) they both suffer from the same algebraic exploit, detailed here:
http://eprint.iacr.org/2002/044/
a better explanation in prettier colors is here:
http://www.cryptosystem.net/aes/
and apparently, the initial publicity that got everyone scared is here:
http://slashdot.org/articles/02/09/16/0653224.shtml?tid=93
However, the workability of the attack is still in doubt, as shown here:
http://www.usdsi.com/aes.html
but even if the attack turns out to be successful, both algorithms are still more secure than DES.
_________________ -Rajl
-----------------------------------------------------------
It's easy to be brave once you consider the alternatives.
snowjob n00b
Joined: 03 Nov 2003 Posts: 4
Posted: Mon Nov 03, 2003 10:03 pm Post subject: Hardened 2.4.22
Using aes with a 128 bit key was working great with a hardened 2.4.20 and 2.4.21 kernel but won't work with 2.4.22.
The first problem I had was the losetup program couldn't find aes even though it is in /proc/crypto
- So I emerged util-linux-2.12.ebuild
The new losetup doesn't support -k so I told it to use aes-cbc-128. That didn't complain but when I went to mount the /dev/loop0 device mount complained that it didn't know the fs type of the device. (My guess is it isn't decrypting correctly)
Has anyone else had a problem with the gentoo hardened 2.4.22 kernel? More importantly can anyone help me?
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Tue Nov 18, 2003 2:34 am
hi there,
I have problems doing this. First I shot my old installation, but that doesn't matter. Then I reinstalled gentoo and did the following like BlackBart and turbobri said:
hda1: winxp
hda2: boot part. (ext3)
hda3: swap
hda4: root part. (reiserfs)
Quote: | Ok boot into knoppix w/o the graphical
run losetup -e AES256 -T /dev/loop0 /dev/hda2 (or whatever is your root partition) |
I did "losetup -e AES256 -T /dev/loop0 /dev/hda4"
Quote: | then do mke2fs /dev/loop0 (or whatever file system you want) |
I did mkreiserfs /dev/loop
Quote: | then mkdir /mnt/gentoo
and then mount /dev/loop0 /mnt/gentoo
and mkdir /mnt/gentoo/boot
and mount /dev/hda1 /mnt/gentoo/boot
then cd into /mnt/gentoo
and then extract whatever stage you want and proceed from there following the instruction guide.
when you get to the kernel:
Quote: | You HAVE to use CONFIG_MODULES=y, CONFIG_BLK_DEV_LOOP=n (y or m WON'T WORK), CONFIG_BLK_DEV_RAM=y, CONFIG_BLK_DEV_RAM_SIZE=4096, CONFIG_BLK_DEV_INITRD=y, CONFIG_MINIX_FS=Y (this is because the ramdisk is minix), CONFIG_PROC_FS=y plus whatever FILESYSTEM YOUR ROOT IS HAS TO BE Y (modules won't work because the kernel can't get modules from the root file system until it knows how to read it and decrypt it when it is booting, other stuff can be modules if you want). Make sure that your new kernel works before going further. |
done (except for replacing "mount /dev/hda1" with "mount /dev/hda2" I did the same).
Quote: | patch -p1 <../util-linux-2.11y.diff
export CFLAGS=-O2
export LDFLAGS='-static -s'
./configure
make SUBDIRS="lib mount"
cd mount
install -m 4755 -o root mount umount /bin
install -m 755 losetup swapon /sbin
rm -f /sbin/swapoff && ( cd /sbin && ln -s swapon swapoff )
rm -f /usr/share/man/man8/{mount,umount,losetup,swapon,swapoff}.8.gz
install -m 644 mount.8 umount.8 losetup.8 /usr/share/man/man8
install -m 644 swapon.8 swapoff.8 /usr/share/man/man8
rm -f /usr/share/man/man5/fstab.5.gz
install -m 644 fstab.5 /usr/share/man/man5 |
done
Quote: | cd /usr/src/loop-AES-v1.7b
make LINUX_SOURCE=/usr/src/linux-2.4.19-gentoo-r10 (or whatever vers. you have) |
I did "cd /usr/src/loop-AES..." and then "make LINUX_SOURCES=/usr/src/linux-2.4.22-ac4"
Quote: | cp -p /lib/modules/2.4.19-gentoo-r10/block/loop.o /boot/loop-2.4.19-gentoo-r10.o |
I did "cp -p /lib/modules/2.4.22-ac4/block/loop.o /boot/loop-2-4.22-ac4.o"
Quote: | and then do these steps
In the loop-AES directory edit build-initrd.sh. Change BOOTDEV, BOOTTYPE, CRYPTROOT, ROOTYPE and CIPHERTYPE to what you want. Then type sh build-initrd.sh . This makes a ramdisk so that the kernel knows how to get the pass phrase when you boot later. |
I did BOOTDEV=hda2, BOOTTYPE=ext3, CRYPTOROOT=hda4, ROOTYPE=reiserfs, CYPHERTYPE=AES256
Quote: | edit fstab to make your root say /dev/loop5 instead of /dev/hdawhatever. |
replaced /dev/ROOT with /dev/loop5 (/dev/hda4 wasn't there because the installation was fresh, where the default entries are /dev/BOOT, /dev/SWAP and /dev/ROOT). And changed the /boot filesystem to ext3 and the /root filesystem to reiserfs.
Quote: | cd to /boot/grub and edit grub.conf to add an entry like this:
title=Encrypted Root
root (hd0,0)
kernel /bzImage ro root=/dev/ram1
initrd /initrd.gz |
Yup, done.
But it still doesn't work. Can anyone see the error(s) I've made?
I tried to describe exactly what I've done with the hope that it would be most easy for you to find the errors I made.
thanks in advance and greets,
hulk
hulk2nd Guru
Joined: 25 Mar 2003 Posts: 512 Location: Freiburg, Germany
Posted: Wed Nov 19, 2003 5:01 pm
I get a kernel panic, cannot find reiserfs on ramdisk
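A root filesystem driver built as a module is one likely cause of a panic like that, and it is the case the quoted kernel-option list warns about: nothing can load a module from a root that cannot yet be read. The script below is an added example, not from the thread or from loop-AES, that checks a .config against the options quoted in the post above; the .config text embedded in it is constructed, with CONFIG_REISERFS_FS=m so that the check fails the way a module-built reiserfs would, and KCONFIG=/usr/src/linux/.config checks a real one.

```shell
#!/bin/sh
# Added example, not code from the thread or from loop-AES: check a kernel
# .config against the option list quoted in hulk2nd's post. The .config text
# below is constructed (reiserfs deliberately built as a module); set
# KCONFIG=/usr/src/linux/.config to check a real one.
KCONFIG=${KCONFIG:-}
SAMPLE_CONFIG='CONFIG_MODULES=y
# CONFIG_BLK_DEV_LOOP is not set
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_SIZE=4096
CONFIG_BLK_DEV_INITRD=y
CONFIG_MINIX_FS=y
CONFIG_PROC_FS=y
CONFIG_REISERFS_FS=m
'

config_text() {
    if [ -n "$KCONFIG" ]; then cat "$KCONFIG"; else printf '%s' "$SAMPLE_CONFIG"; fi
}

# Value of one option: y, m or a number; "n" when it is "not set" or absent.
config_value() {
    v=$(config_text | sed -n "s/^$1=//p" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else echo n; fi
}

# Print one line per unmet requirement; return 0 only when all are met.
# $1 is the Kconfig symbol of the root filesystem (assumed reiserfs).
check_loopaes_config() {
    root_fs_opt=${1:-CONFIG_REISERFS_FS}
    rc=0
    for spec in CONFIG_MODULES=y CONFIG_BLK_DEV_LOOP=n CONFIG_BLK_DEV_RAM=y \
                CONFIG_BLK_DEV_RAM_SIZE=4096 CONFIG_BLK_DEV_INITRD=y \
                CONFIG_MINIX_FS=y CONFIG_PROC_FS=y "$root_fs_opt=y"; do
        opt=${spec%%=*}
        want=${spec#*=}
        got=$(config_value "$opt")
        if [ "$got" != "$want" ]; then
            echo "$opt is $got, needs $want"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check-config.sh --check [ROOT_FS_SYMBOL]
if [ "${1:-}" = "--check" ]; then
    check_loopaes_config "${2:-}"
fi
```

Run against the constructed .config it prints "CONFIG_REISERFS_FS is m, needs y" and exits non-zero; the loop driver being "not set" counts as the required n, since the loop-AES build supplies its own loop.o.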