Gentoo Forums
[Support] System Encryption DM-Crypt with LUKS

Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

PostPosted: Sun Aug 14, 2005 8:09 am    Post subject: [Support] System Encryption DM-Crypt with LUKS Reply with quote

Support thread for: System Encryption DM-Crypt with LUKS
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS
rainbow flag
n00b


Joined: 03 Jul 2005
Posts: 33

PostPosted: Sat Aug 20, 2005 7:26 pm    Post subject: failed to setup dm-crypt mapping Reply with quote

Well,

since i am a linux-newbie i have no idea of the most things related to linux, to gentoo, to encryption and to LUKS.

but i tried to create an encrypted root partition (mostly) like this tutorial ( http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS / https://forums.gentoo.org/viewtopic-t-370022.html?sid=04094fb1bcabaf4587b002a7199c4b5f ) explained.

doing so, i encountered the following problems:

1. after reboot and entering the correct LUKS passphrase
Code:
 
...
Enter LUKS passphrase:
failed to setup dm-crypt mapping
failed to read from key storage
Command failed: No key available with this passphrase
mount: special device -dev-mapper-root does not exist
umount: /root: not mounted
Command failed: no such device
Enter LUKS passphrase:


2. The tutorial explains about linuxrc "Basically its job will be to set up dm-crypt, ..."; but i really do not understand where this script does so. So i decided to try to solve this by inserting dm-crypt and dm-mod modules (just like it is explained here: http://wiki.blagblagblag.org/Encrypting_Root_Filesystem#Create_initrd ): so i copied dm-crypt.ko, dm-mod.ko and insmod to the initrd and added
Code:

insmod /modules/dm-crypt.ko
insmod /modules/dm-mod.ko

to linuxrc. The result was
Code:

insmod: error inserting `dm-crypt.ko`: -1 Unknown symbol in module

and dmesg told
Code:

dm_crypt: Unknown symbol dm_put_device
dm_crypt: Unknown symbol dm_unregister_target
dm_crypt: Unknown symbol dm_register_target
dm_crypt: Unknown symbol dm_table_get_mode
dm_crypt: Unknown symbol dm_get_device
device-mapper: 4.4.0-ioctl (2005-01-12) initialized: dm-devel@redhat.com

And of course the first problem persisted.

Since searching the web for (parts of) this dmesg output does not return anything (but some strange recommendations like "recompile your kernel..." and so on), i am now out of ideas.

can anyone help me?

...thx in advance...
Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

PostPosted: Sun Aug 21, 2005 12:42 am    Post subject: Reply with quote

Hi,
You're probably following the guide, right? If so, please do not skip steps unless you know exactly what you're doing, for example if you're going to differ from the initrd shown in the guide, do so with care. I highly recommend however that you follow step by step the guide, it's not hard to understand.
:)

Quote:

1. after reboot and entering the correct LUKS passphrase
Code:

Enter LUKS passphrase:
failed to setup dm-crypt mapping
failed to read from key storage
Command failed: No key available with this passphrase
mount: special device -dev-mapper-root does not exist
umount: /root: not mounted
Command failed: no such device
Enter LUKS passphrase:


1)
Well, did you include the necessary kernel options?
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS#Kernel_Configuration
Note: Compile them into the kernel and not as modules, if you however decide to compile them as modules, then you'll have to edit 'linuxrc' in order to load the modules before trying to luksOpen the partition.
Make sure you include the necessary ciphers as well.
2) Did you create the nodes yourself inside the initrd or did you use the script?

Check the two things I mentioned above

Quote:
2. The tutorial explains about linuxrc "Basically its job will be to set up dm-crypt, ..."; but i really do not understand where this script does so. So i decided to try to solve this by inserting dm-crypt and dm-mod modules (just like it is explained here: http://wiki.blagblagblag.org/Encrypting_Root_Filesystem#Create_initrd ): so i copied dm-crypt.ko, dm-mod.ko and insmod to the initrd and added
Code:

insmod /modules/dm-crypt.ko
insmod /modules/dm-mod.ko

to linuxrc. The result was
Code:

insmod: error inserting `dm-crypt.ko`: -1 Unknown symbol in module

and dmesg told
Code:

dm_crypt: Unknown symbol dm_put_device
dm_crypt: Unknown symbol dm_unregister_target
dm_crypt: Unknown symbol dm_register_target
dm_crypt: Unknown symbol dm_table_get_mode
dm_crypt: Unknown symbol dm_get_device
device-mapper: 4.4.0-ioctl (2005-01-12) initialized: dm-devel@redhat.com

Again, it is best to compile dm-crypt and device-mapper into the kernel instead of modules, i will add this to the guide to avoid confusion.

Bottom line, either re-start your installation from scratch (this time follow the guide), or boot up with your livecd, luksOpen it from there, recompile your kernel, fix the initrd (do it the way it is posted in the guide), and double check everything is in place.

Any doubts? questions ?
Let me know how it went 8)
rainbow flag
n00b


Joined: 03 Jul 2005
Posts: 33

PostPosted: Sun Aug 21, 2005 1:30 am    Post subject: Reply with quote

okay, thanks.

i will try to insert some ciphers via insmod and if this won't work, i'll check the configuration of the kernel and recompile it.
this may take some time, but i'll let you know, if it worked and how it went.

Quote:
I highly recommend however that you follow step by step the guide, it's not hard to understand.


my thought was: i have (temporarily, until the root-encryption works) a second unencrypted root-partition which is compiled exactly like the encrypted one. and from this system i can open/encrypt/mount the encrypted partition without any problems. so i thought, this should work from the initrd as well if i include the right modules.

Quote:
Did you create the nodes yourself inside the initrd or did you use the script?


i tried to use the script, which didn't work. so i replaced the script by one, that only checks for procfs and devfs and
Code:
 mknod --mode=600 /dev/mapper/control c 10 63

just to see if it works - and it does. (at least there is no error message.)

Quote:
insmod: error inserting `dm-crypt.ko`: -1 Unknown symbol in module

this problem can be solved by inserting dm-mod.ko before dm-crypt.ko (as i figured out in the meantime) but this does nothing to solve the first problem.

...thx
Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

PostPosted: Sun Aug 21, 2005 3:15 am    Post subject: Reply with quote

rainbow flag,
If building the initrd is too much work for you, or you just don't want to do it, you can let genkernel-luks build it for you instead, http://luks.endorphin.org/gentoo

http://gentoo-wiki.com/Talk:SECURITY_System_Encryption_DM-Crypt_with_LUKS
totengraeber
n00b


Joined: 03 Aug 2003
Posts: 27

PostPosted: Sun Aug 21, 2005 9:01 am    Post subject: Reply with quote

The genkernel ebuild on luks.endorphin.org is pretty old and doesn't work with udev (at least for me); that means you have to create the devnode for your hdd manually (ugly hack) or you have to use devfs (even uglier). I use a customized genkernel 3.3.5 to build my initramfs with udev enabled and it works reasonably well :)
rainbow flag
n00b


Joined: 03 Jul 2005
Posts: 33

PostPosted: Sun Aug 21, 2005 8:40 pm    Post subject: Reply with quote

thx; problem solved. everything works fine now. :)

adding
Code:
 insmod /modules/aes-i586.ko

to the linuxrc script helped. now, that script looks like this
Code:

...
umount -n /proc
insmod /modules/aes-i586.ko
insmod /modules/dm-mod.ko
insmod /modules/dm-crypt.ko
loadkeys ...


thank you for your help, especially of course Reikinio.

Quote:
If building the initrd is too much work for you


no, it is not; only, recompile the kernel, reconfigure the system, and so on would have been really inconvenient. :)
mprange
n00b


Joined: 31 Aug 2005
Posts: 2

PostPosted: Wed Aug 31, 2005 8:26 am    Post subject: linuxrc - Script => umount -n /proc Reply with quote

Hi,

first of all, thanks for the Wiki.

I follow every step and get the problem

Code:

Enter LUKS passphrase:
failed to setup dm-crypt mapping
failed to read from key storage
Command failed: No key available with this passphrase
mount: special device -dev-mapper-root does not exist
umount: /root: not mounted
Command failed: no such device


checking your FAQ and the luks-Mailinglist, I get a few hints but nothing helped me.

But after I disable the linuxrc-script and compiled also the SHA256 crypto in, I have success in mounting root .

Switching back to the default linuxrc, I get the error again. So I compare my linuxrc with this in your Wiki and I see that /proc is still mounted when I tried to cryptosetup root. So I disable it in your script and my gentoo boots.

So I think when you add this in your FAQ it could help more linux noobs like me.

By the way, could anybody tell me, why this changed ?
Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

PostPosted: Wed Aug 31, 2005 8:56 am    Post subject: Reply with quote

Hi there,

Quote:
But after I disable the linuxrc-script and compiled also the SHA256 crypto in, I have success in mounting root .

What are you exactly trying to say in this line? What do you mean by "after I disable the linuxrc-script"? You need that script to boot your system, otherwise you won't be able to decrypt the root partition :)
So what line did you comment in the linuxrc script? Did you unmount proc later in the script?

Also, and very important, if you used sha256 when you created the mapping, then sha256 must be compiled into the kernel, otherwise it will fail with the error you posted above; the wiki FAQ says this, and so does the LUKS site.
Remember, all the ciphers you use must be built into the kernel (you can build them as modules, but it is simpler and better not to).

Could you post here the diff between your linuxrc script and the one posted in the wiki ? together with the ciphers you used and the relative kernel configuration.

Oh, and congratulations for successfully encrypting your / partition 8)

Regards,
mprange
n00b


Joined: 31 Aug 2005
Posts: 2

PostPosted: Wed Aug 31, 2005 11:12 am    Post subject: Reply with quote

Hello,

ok I write the message fast and when you tried so long to get it work you miss some "little" details.

I am trying to say

cp linuxrc linuxrc_backup

and changing linuxrc to the following code

Code:

#!/bin/sh
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
# Filter kernel messages on boot
dmesg -n 1
haltme() {
b=0
while [ "$b" = 0 ]
 do
 sleep 60
done
}
mount -t proc none /proc
CMDLINE=`cat /proc/cmdline`
exec /bin/sh


because I want to proof /dev for the right nodes and /proc for the right cipher

The problem with the sha256 was, that I do copy and paste from your Wiki, so I do not see

cryptsetup --verbose -y luksFormat --cipher serpent-cbc-essiv:sha256 --key-size 256 /dev/sda3

and tried first a kernel only with the serpent cipher.

Now I use the serpent, blowfish for swap and the sha256 cipher compiled in the kernel.

And I changed the linuxrc like this

Code:


#!/bin/sh
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
# Filter kernel messages on boot
dmesg -n 1
haltme() {
b=0
while [ "$b" = 0 ]
 do
 sleep 60
done
}
mount -t proc none /proc
CMDLINE=`cat /proc/cmdline`
## Create /dev/mapper/control nod for udev systems     # Only if you choosed
#sh devmap_mknod.sh                                  # to use devmap_mknod

#umount -n /proc  =========>>>add  #

## loadkeys                    # Only for international users,
#loadkeys ./es-cp850.map.gz
# correct password while loop
c=0
while [ "$c" != 5 ]
 do
 cryptsetup luksOpen /dev/sda3 root
 mount -t ext3 /dev/mapper/root /root
 rc=$?            # save mount's status; the umount below would overwrite $?

 umount -n /proc  # ========>>>>> newline

 if [ "$rc" = 0 ]; then
  echo "Root Decrypted"
  break
 else
  umount /root
  cryptsetup luksClose root
  let c=$c+1
  if [ "$c" = 5 ]; then
   echo "Illegal Trasspassing attempted"
   echo "Halting..."
   haltme
  fi
 fi
--snapp


That's right, the FAQ says that all used ciphers have to be compiled into the kernel, but I didn't read the sha256 after serpent. :oops:

Hope I could answer your questions.

Next time I read the complete Wiki :D .

So the only change I made, was to umount /proc after I mounted root. Is the /proc needed by cryptsetup for the ciphers ??? This would explain it.

After trying for one year, first with crypto-loop, then with dm-crypt to crypt my hdd's and now I finished.

So thank you for the wiki.

Regards,
Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

PostPosted: Thu Sep 01, 2005 11:43 pm    Post subject: Reply with quote

Quote:
So the only change I made, was to umount /proc after I mounted root. Is the /proc needed by cryptsetup for the ciphers ??? This would explain it.

No, I don't think /proc needs to be mounted for cryptsetup execution, your problem was the ciphers, you didn't have sha256 built into the kernel, yet you used it when you created the mapping, therefore it failed when you tried to decrypt it. That's why it all worked fine when you recompiled your kernel with sha256 built in.
Unmounting /proc after executing cryptsetup is not needed, but it doesn't hurt either, so there is no need to change your linuxrc script.

Regards,
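
The failure discussed in the posts above (a cipher or ESSIV hash chosen at luksFormat time that the booting kernel does not provide) can be checked for before luksOpen runs. This is an added example, not part of any post or of the wiki's linuxrc: it splits a cipher spec such as serpent-cbc-essiv:sha256 into the algorithms it needs and looks them up in /proc/crypto. The function names and the sample /proc/crypto text are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the kernel crypto algorithms a dm-crypt cipher spec
# needs but that the kernel does not currently list in /proc/crypto.
# Reading the live list requires /proc to be mounted, and algorithms built
# as modules only appear after the module has been loaded.

# Constructed sample of /proc/crypto from a kernel with serpent but no sha256
SAMPLE_CRYPTO='name         : serpent
module       : kernel
type         : cipher
blocksize    : 16

name         : md5
module       : kernel
type         : digest
'

# required_algs SPEC -> one algorithm name per line.
# SPEC has the form cipher[-chainmode[-ivmode[:ivopts]]],
# for example serpent-cbc-essiv:sha256 (the spec used in the thread).
required_algs() {
    spec=$1
    echo "${spec%%-*}"                     # the block cipher itself
    case $spec in
        *-essiv:*) echo "${spec##*:}" ;;   # ESSIV also needs this digest
    esac
}

# missing_algs SPEC [CRYPTO_TEXT] -> space-separated missing names, or nothing.
# CRYPTO_TEXT defaults to the contents of /proc/crypto.
missing_algs() {
    spec=$1
    crypto=${2-$(cat /proc/crypto 2>/dev/null)}
    missing=
    for alg in $(required_algs "$spec"); do
        if ! printf '%s\n' "$crypto" |
             grep -Eq "^name[[:space:]]*:[[:space:]]*$alg\$"; then
            missing="${missing:+$missing }$alg"
        fi
    done
    printf '%s' "$missing"
}

# Stand-alone use: sh check_algs.sh serpent-cbc-essiv:sha256
if [ "$#" -gt 0 ]; then
    m=$(missing_algs "$1")
    if [ -n "$m" ]; then
        echo "kernel does not provide: $m" >&2
        exit 1
    fi
    echo "all algorithms for $1 are available"
fi
```

Called from linuxrc before the passphrase loop, a non-empty result points at the kernel configuration rather than at the passphrase.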
Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

PostPosted: Wed Sep 07, 2005 7:46 pm    Post subject: Security Alert Reply with quote

Security Alert:
From the dm-crypt mailing list:
Quote:

....
http://eprint.iacr.org/2005/271

This paper implements a side-channel attack on the AES implementation of
the Linux kernel via dm-crypt. That is, the encryption key is revealed to
any legal user of the system by probing the processor's cache after
about 800 read/write requests.

These kinds of attacks are quite new, and there is no clear answer how to
deal with them. I presume it will take a while before we see this gap
closed. For the moment: Don't use dm-crypt on systems where users can
write to disks for that they are not authorized to know the encryption
key.
....
unixtroll
n00b


Joined: 19 Aug 2003
Posts: 41

PostPosted: Thu Sep 08, 2005 2:46 am    Post subject: Reply with quote

Quote:
The attacks allow an unprivileged process to attack other processes running in parallel on the same processor, despite partitioning methods such as memory protection, sandboxing and virtualization

If I understand that sentence right, you would need access to the system via a user account for executing such unprivileged processes & exploiting the weakness.
Since this Thread is about System Encryption, meaning the whole disk (except /boot) is encrypted, there is no such way to exploit it, since the attacker doesn't even have a user account in the first place. If for example local agencies do a house search because you downloaded too many linux ISOs and find your pc shut down (i.e. not running with a user logged in) they will not be able to attack the encryption since they're also not able to gain user access.
Even if the PC is running at the time of a house search with a user logged in, the pigs will surely not start hacking for the decryption key right away, but instead shut it down, and try gaining access in their IT department later on, which I with these assumptions?
I hope I'm right with these assumptions?
Reikinio
Apprentice


Joined: 14 Aug 2005
Posts: 203
Location: Uruguay

PostPosted: Thu Sep 08, 2005 3:21 am    Post subject: Reply with quote

Yes, I think you're right, at least I came to the same conclusion after reading it, so most of us don't have to worry about it.
I just posted it because it's interesting and to let others (that didn't know about it) know about this.

Regards,
rainbow flag
n00b


Joined: 03 Jul 2005
Posts: 33

PostPosted: Fri Sep 09, 2005 2:28 pm    Post subject: Reply with quote

Quote:
Since this Thread is about System Encryption, meaning the whole disk (except /boot) is encrypted,


Sorry, i do not really understand which difference that makes. if i understood correctly, this kind of attack is possible, if the encrypted disk is opened and the attacker owns a process on the local machine - no matter if there are unencrypted disks/partitions as well. or did i understand something wrong?

Quote:
We discuss in detail several such attacks on AES, and experimentally demonstrate their applicability to real systems, such as OpenSSL and Linux's dm-crypt encrypted partitions


The problem seems not to be luks- (but AES-) specific. Does that mean that any currently used partition encryption-methods are affected (since they are all AES-based, aren't they?)? Or are there any elliptic-curve-cryptographic-methods yet?
unixtroll
n00b


Joined: 19 Aug 2003
Posts: 41

PostPosted: Sat Sep 10, 2005 9:49 am    Post subject: Reply with quote

Quote:
if i understood correctly, this kind of attack is possible, if the encrypted disk is opened and the attacker owns a process on the local machine - no matter if there are unencrypted disks/partitions as well. or did i understand something wrong?


But how is the attacker supposed to open the disk in the first place, if it is encrypted? IMO the only way to exploit this weakness is if you give an attacker a user account on your machine or if he gets physical access to it while it is still running - if the PC is powered off, he'll need to encrypt the disk first.

Now here's my problem:
Everything is working fine basically, except that i don't like to type passwords every time at boot, but instead I'd like to store a keyfile on my USB-Stick (but don't want to boot completely from the USB-Stick).
So I make some device nodes in the initrd for my USB-stick which is on /dev/sdb1 (sda is my harddisk):
Code:

ls -l /dev/sdb /dev/sdb1
brw-rw----  1 root disk 8, 16 Sep 10 11:25 /dev/sdb
brw-rw----  1 root disk 8, 17 Sep 10 11:25 /dev/sdb1
losetup /dev/loop0 myinitrd
mount /dev/loop0 /mnt/initrd/
cd /mnt/initrd/
mkdir mnt/usbstick
cd /mnt/initrd/dev
mknod sdb b 8 16
mknod sdb1 b 8 17


and modify the linuxrc to this:

Code:

#!/bin/sh
export PATH=/bin:/sbin

# Get cmdline from proc
mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
umount /proc
loadkeys de-latin1

# Mount real root and change to it
sleep 1
mount -t vfat /dev/sdb1 /mnt/usbstick
cat /mnt/usbstick/root.key | cryptsetup luksOpen /dev/sda5 root
mount -t reiserfs /dev/mapper/root /root
cd /root
mkdir initrd
pivot_root . initrd

# Start init and flush ram device
exec chroot . /bin/sh <<- EOF >/dev/console 2>&1
umount initrd
rm -rf initrd
blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF


Problem is that i get a boot message saying that /dev/sdb1 is not a valid block device, so right now I've gone back to storing that key file inside the initrd, so I can at least boot.
I have USB Support, FAT & Codepage support compiled into the kernel (not as modules), and
i see some kernel messages prior to the error telling me a low speed USB device is found.

EDIT: After 12932 reboots i finally fixed the problem myself. I had to put a "sleep 12" instead of just "sleep 1" in the linuxrc file because the USB-Stick takes very long to be fully recognized by the kernel. I also added a "sfdisk -R /dev/sdb" after that, but I don't really know if that is necessary. Anyway it's all working fine now.

Btw. the syslinux approach from the Howto didn't work for me because syslinux has incompatibilities with certain kinds of Promise ATA controllers (which I unfortunately have).
Aszrael
Tux's lil' helper


Joined: 15 Feb 2005
Posts: 101
Location: Hannover/Germany

PostPosted: Wed Oct 05, 2005 6:39 am    Post subject: Reply with quote

Thanks for this very nice guide.
Unfortunately I couldn't get my USB-Stick to boot (probably due to the funny BIOS on my old laptop).
Also I had problems making the device-node manually - so I used devmap_mknod

I decided to combine the scripts provided by Reikinio and unixtroll.

If no USB-Stick plugged, you get the chance to enter your password manually.
If you provide a keyfile on USB-Stick, the script will use it.
Wrong password/keyfile? No cookies!
Code:

#!/bin/sh
############################################
#script by Aszrael
#based on scripts by Reikinio and unixtroll
#feel free to copy/modify/whatever you like
############################################
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
dmesg -n 1

#function to halt the system
stop()
{
b=0
while [ "$b" = 0 ]
do
echo ""
echo "you are out"
sleep 60
## if you work with 2 luks-passwords (eg slot0: very long pw from usb-key and
## slot1: rather weak pw to be entered without usb-key) you might want to add
## some extra security against bruteforcing by replacing "sleep 60" with something like
## cryptsetup -q luksDelKey root 1
## this will delete the key for your root-device in slot1
## BE CAREFUL - "-q" overrides any confirmation!!! - be SURE to have your
## masterkey in slot0 (and don't lose it :-)

done
}

#function to probe for USB-Stick
#calls all other functions
test()
{
if ! mount /dev/sda1 /mnt/keydisk>/dev/null 2>/dev/null
then
echo ""
echo "no usb-key present"
input
else
keydisk
fi
}

#function to enter pwd manually
#3 tries
input() #
{
c=3
z=" ..."
while [ "$c" != 0 ]
do
   if ! cryptsetup luksOpen /dev/hda4 root 2>/dev/null # <- remove "2>/dev/null" for visible prompt for your password
   then
   let c=$c-1
   echo ""
   echo $c $z
      if [ "$c" = 0 ]
      then
      echo "... wrong pw"
      stop
      fi
else
mount /dev/mapper/root /root 2>/dev/null
break
fi
done
}

#function that reads keyfile from USB-Stick
keydisk()
{
if ! cryptsetup luksOpen --key-file=/mnt/keydisk/laptux.key /dev/hda4 root 2>/dev/null # <- change to match your USB-Device and keyfile
then
stop
else
mount /dev/mapper/root /root 2>/dev/null
umount /mnt/keydisk>/dev/null
fi
}

mount -t proc none /proc
CMDLINE=`cat /proc/cmdline`

sh devmap_mknod #<- call devmap_mknod-script - remove if not needed

umount -n /proc

loadkeys ./de.map.gz #<- german keymap (see howto)
cat ./ascii-skull #<- ascii-greeter

sleep 5 # <- wait for slow USB-Stick

test #<- start function test()

echo ""
echo "you are allowed in"

cd /root
mkdir initrd
pivot_root . initrd
# start init and flush ram device
exec chroot . /bin/sh <<- EOF >dev/console 2>&1
umount initrd
rm -rf initrd
blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF



maybe I'll modify this script to use gpg-encrypted passwords some day...


Last edited by Aszrael on Fri Aug 18, 2006 11:18 am; edited 1 time in total
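
Both linuxrc scripts above wait for the USB stick with a fixed delay ("sleep 12" in unixtroll's post, "sleep 5" in Aszrael's). The following is an added example, not code from either poster or from the wiki: it polls until the key device can actually be read, up to a timeout, and falls back to the passphrase prompt otherwise. The function names are hypothetical; device and key-file names are passed in as arguments.

```shell
#!/bin/sh
# Added example: wait for a slow USB key device instead of a fixed sleep.

# wait_for_readable PATH TIMEOUT_SECONDS
# Returns 0 as soon as one 512-byte block can be read from PATH, 1 on timeout.
# A read is used instead of [ -b PATH ] because a node created with mknod
# inside the initrd exists whether or not the kernel has found the device.
wait_for_readable() {
    path=$1
    timeout=$2
    waited=0
    while ! dd if="$path" of=/dev/null bs=512 count=1 2>/dev/null; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# open_root KEYDEV KEYFILE LUKSDEV
# Uses the key file when the stick shows up within 30 seconds and mounts,
# otherwise asks for the passphrase. /mnt/usbstick must exist in the initrd.
open_root() {
    keydev=$1
    keyfile=$2
    luksdev=$3
    if wait_for_readable "$keydev" 30 &&
       mount -t vfat -o ro "$keydev" /mnt/usbstick; then
        cryptsetup luksOpen --key-file="/mnt/usbstick/$keyfile" "$luksdev" root
        rc=$?
        umount /mnt/usbstick      # do not leave the key mounted after use
        return $rc
    fi
    cryptsetup luksOpen "$luksdev" root
}

# In linuxrc, with the names from unixtroll's post:
#   open_root /dev/sdb1 root.key /dev/sda5 || exec /bin/sh
```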
xanthax
Tux's lil' helper


Joined: 16 Apr 2004
Posts: 91
Location: Bi Nary State

PostPosted: Sun Oct 09, 2005 9:17 am    Post subject: Reply with quote

Oki i did the "dd if=/dev/urandom of=/dev/hdc" to set random data all over the disk...
but i have now waited for more than 11½ hours and it's still not done.... :|

I have a P3 600Mhz with 768 MB Ram and the disk is 250 GB...
How long do you think it will take :?:
How long did it take for you guys and what kind of computers did you have.. :?:

//Xanthax
_________________
God is only an imaginary friend for adults...
Aszrael
Tux's lil' helper


Joined: 15 Feb 2005
Posts: 101
Location: Hannover/Germany

PostPosted: Sun Oct 09, 2005 10:53 am    Post subject: Reply with quote

Hi,
to answer in short: it took ages! 8O
On my laptop I created a 50GB-partition and dd finished in >8 hours time, but it has a damn slow HDD.
So don't expect miracles...
I was shocked too, but fortunately it was my testing system, so I just had another coffee (and quite a few more after that one)
xanthax
Tux's lil' helper


Joined: 16 Apr 2004
Posts: 91
Location: Bi Nary State

PostPosted: Sun Oct 09, 2005 11:07 am    Post subject: Reply with quote

Oki, Thanks for the info....
It's just an extra drive in my server so i don't really have to use it anyway...
just wanted to continue with fixing the drive.... but then i know i'm not fixing it today :roll:

EDIT: oki im up in 39h but still not finished....
_________________
God is only an imaginary friend for adults...
xanthax
Tux's lil' helper


Joined: 16 Apr 2004
Posts: 91
Location: Bi Nary State

PostPosted: Tue Oct 11, 2005 2:31 pm    Post subject: Reply with quote

I'm up to 59h, still not complete; the process is working, it's just not finished....

Is there a possible way to see how much is done ???
_________________
God is only an imaginary friend for adults...
unixtroll
n00b


Joined: 19 Aug 2003
Posts: 41

PostPosted: Wed Oct 12, 2005 5:16 pm    Post subject: Reply with quote

I would suggest not to use /dev/urandom to delete your harddisk. Shred is much faster, and 3 passes are usually more than enough. Took about a few hours on my system (160gb, 7.200 RPM).
I know there's some US official paper for secure harddisk erasure suggesting 16 (IIRC) passes, but that is just totally undue. Even professional data recovery firms are usually not able to recover anything after 3 times of overwriting.
It may not be as secure as overwriting with random data, depending on the filesystem used etc. the attacker will probably recognize where the encrypted disk is filled with data, and where it's just free space. However I wasn't able to find any document backing up that this enables the attacker to decrypt more easily. A certain amount of caution & paranoia is alright, but one shouldn't blow it outta proportion.


Last edited by unixtroll on Wed Oct 12, 2005 5:48 pm; edited 1 time in total
niuck
n00b


Joined: 16 Mar 2005
Posts: 59

PostPosted: Wed Oct 12, 2005 5:41 pm    Post subject: Reply with quote

Hi, i have a problem =)

I have encrypted my /home, which is /dev/hdb1, with aes256 + luks. I could mount it and format it and copy files etc. to it at first; the problem is that after the first reboot dmesg says "unknown partition table". /dev/hdb1 doesn't exist, only /dev/hdb. So I can't mount it with cryptsetup luksOpen /dev/hdb1 hdb1.

The disk is found and responds to hdparm etc. Any ideas what could be wrong and how to fix it?

Thanks
niuck
n00b


Joined: 16 Mar 2005
Posts: 59

PostPosted: Thu Oct 13, 2005 8:22 am    Post subject: Reply with quote

Hmm. guess i fixed it. I added a partition in fdisk wrote it to disk then just tried to mount it and it worked?!
swit
Tux's lil' helper


Joined: 22 Nov 2004
Posts: 87
Location: /Europe/Italy/Toscany/Lucca

PostPosted: Thu Oct 13, 2005 8:37 am    Post subject: Reply with quote

hi, great guide ;)

but, i've a problem: i tried to start the system with an usb-device, but when starting the system syslinux prints out a message that says "the system is not available for this device, insert the correct device"

i'm sure that i used the commands from the guide step by step for creating the syslinux; another spy is that the usb-memory is readable on a Windows system

i used this command for formatting usb-memory:
Quote:
dd if=/dev/zero of=/dev/sdb bs=1024k count=5 conv=notrunc
mkfs -t vfat -I /dev/sdb
mount -t vfat /dev/sdb /mnt/usb
#copying vmlinux
#copying System.map
#copying initrd
syslinux /dev/sdb
sync


can anyone help me?