Mr.Pink n00b
Joined: 02 Mar 2004 Posts: 2
|
Posted: Fri Oct 14, 2005 8:50 am Post subject: |
|
|
Hi all,
sorry swit for interrupting you and posting a new question without yours being answered...
I read the HOWTO and the posts in here and now I'd like to try to set up an encrypted system. The problem thereby is that I'd like to use LVM to create individual resizable partitions for not only root but also /home, /usr etc.
Am I right when I say that in this case it would be necessary to encrypt the whole hard disk at once using /dev/hda for instance and then setting up the LVM partitions to use with LVM or will I have to encrypt every LVM partition itself with a different key/passphrase?
Or is it even impossible to use LVM and encryption at the same time?
Regards
Mr.Pink |
|
|
|
unixtroll n00b
Joined: 19 Aug 2003 Posts: 41
|
Posted: Tue Oct 25, 2005 7:49 pm Post subject: |
|
|
Quote: | but, I've a problem: I tried starting the system with a USB device, but when starting the system syslinux prints out a message that says "the sysstem is not avabile for this device, inserit the corret device" |
I have no idea how to fix the syslinux issue, but if it does not work I would recommend keeping a boot partition with the kernel image etc. unencrypted on your hard disk. Since this partition doesn't contain any sensitive data, there's no need for it to be encrypted. You can then modify the linuxrc file in the initrd image to mount a USB stick with your keyfiles stored on it and after that mount your encrypted partitions. |
|
|
|
alecpap n00b
Joined: 12 Oct 2005 Posts: 11
|
Posted: Sat Nov 05, 2005 4:39 am Post subject: |
|
|
I don't mean to beat a dead horse, but I'm also getting the failed to setup dm-crypt mapping error message. I have all of the kernel additions compiled into the kernel, as well as all of the crypto options, as in the howto. Here are some excerpts from my config file: Code: |
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_BLK_DEV_RAM=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_SERPENT=y
|
I'm pretty lost with this. When I boot off of the live cd and download the precompiled binary, everything goes smoothly. I can decrypt the partition and chroot into it fine, but when I boot off of the hard disk, I get that message. Any ideas? |
|
|
|
rr n00b
Joined: 22 Feb 2005 Posts: 35
|
Posted: Mon Nov 07, 2005 6:47 pm Post subject: |
|
|
Great article on file encryption. I'm trying to set it up now, but have run into a problem. You say to download the
precompiled cryptsetup-luks binary from http://luks.endorphin.org/dm-crypt, but you don't say how. My Gentoo 2005.1 install does not have FTP or Lynx. How do you download? |
|
|
|
rr n00b
Joined: 22 Feb 2005 Posts: 35
|
Posted: Mon Nov 07, 2005 11:27 pm Post subject: |
|
|
Answered my own question. It's called links2. |
|
|
|
rainbow flag n00b
Joined: 03 Jul 2005 Posts: 33
|
Posted: Tue Nov 15, 2005 4:29 pm Post subject: |
|
|
alecpap wrote: | I don't mean to beat a dead horse, but I'm also getting the failed to setup dm-crypt mapping error message. |
it seems that this is a question for me, isn't it?
i'm sorry to answer very late - the last time i wasn't here very often..
my mistake, that resulted in this error message, had been not to compile dm-mod (CONFIG_BLK_DEV_DM), dm_crypt (CONFIG_DM_CRYPT) and my cipher into the kernel but as modules and to forget to insmod them, later to insmod them accidentally in the wrong order. the error might occur if you try to use any other cipher than sha256, blowfish and serpent (which are included in your kernel) - but that doesn't seem to be the case, does it?
since you have built everything into the kernel your problem seems to be another one - something that is included in either the livecd or the binary but not in your initrd. i have no idea. but - if you did not just solve it during the last 10 days - maybe, you want to include dmesg into the initrd-image and call it somewhere in the linuxrc-script (just to see if it provides some more information). |
|
|
|
alecpap n00b
Joined: 12 Oct 2005 Posts: 11
|
Posted: Thu Nov 17, 2005 10:16 pm Post subject: |
|
|
rainbow flag-
thanks for your reply. I did solve it, I think. I was using the 2.6.13 kernel, and when I tried it with 2.6.12, it worked perfectly! Maybe I changed something else that I didn't know about, but, it works now.
Now I have another question, though. I'd like to be able to use a key on a usb stick to decrypt it (actually, I'd like to encrypt the key on the usb stick, decrypt that, and then use that key to decrypt the hdd). So, I put in the linuxrc and re-do the initrd process, and reboot. I get the shell, like I should, and I plug in the usb stick. dmesg reports:
Code: | usb 2-1: new full speed USB device using ohci_hcd and address 2
ub(2.2): GetMaxLUN returned 0, using 1 LUNs
uba: uba1 < uba5 >
|
So, I do:
Code: |
mkdir /mnt
mkdir /mnt/usbkey
mount -t ext2 /dev/uba5 /mnt/usbkey
|
But it tells me that device /dev/uba5 does not exist.
I had already formatted that partition with ext2, and it works fine. If I boot up normally, I can mount the drive and use it normally.
Any ideas? |
|
|
|
rainbow flag n00b
Joined: 03 Jul 2005 Posts: 33
|
Posted: Fri Nov 18, 2005 2:28 am Post subject: |
|
|
hi again.
i'm just not sure if my proposals are very useful (as you can see, i'm a newbie like you)
but maybe, the device node /dev/uba5 does not exist and you have to create it (by something like "mknod /dev/uba5 b <major> <minor>") ... |
|
|
|
alecpap n00b
Joined: 12 Oct 2005 Posts: 11
|
Posted: Fri Nov 18, 2005 8:09 am Post subject: |
|
|
rainbow flag-
Thanks for the help! That sure did the trick, I can't believe I forgot that part - I was going crazy! Everything is working very smoothly now, thanks again!
I just had to make the nodes /dev/uba and /dev/uba5
And thanks for the great How-To Reikinio! |
|
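Added example, not part of any post in this thread: in an initrd without udev, the nodes that had to be created by hand above can be derived from /proc/partitions, which lists the major and minor numbers the kernel assigned. The function names `sample_partitions` and `plan_nodes`, the sample listing and the usage shown in the closing comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: plan the device nodes a udev-less initrd is missing.

# Constructed sample in the format of /proc/partitions (not taken from the thread).
sample_partitions() {
    cat <<'EOF'
major minor  #blocks  name

   3        0   78150744 hda
   3        3   77000000 hda3
 180        0     253952 uba
 180        5     253920 uba5
EOF
}

# plan_nodes PARTITIONS_FILE DEV_DIR
# Prints one "mknod" command for every listed block device that has no
# block special file under DEV_DIR. Nothing is created; review, then pipe to sh.
plan_nodes() {
    parts=$1
    devdir=$2
    while read -r major minor blocks name; do
        case $major in
            ''|*[!0-9]*) continue ;;          # header line or blank line
        esac
        case $minor in
            ''|*[!0-9]*) continue ;;          # malformed row
        esac
        case $name in
            ''|*[!A-Za-z0-9_-]*) continue ;;  # only plain names are emitted
        esac
        if [ -b "$devdir/$name" ]; then       # node already present
            continue
        fi
        echo "mknod $devdir/$name b $major $minor"
    done < "$parts"
}

# Assumed usage in linuxrc, after /proc is mounted:
#   plan_nodes /proc/partitions /dev | sh
#   mount -t ext2 -o ro /dev/uba5 /mnt/usbkey
```

Mounting the key partition read-only, as in the usage comment, keeps the boot script from modifying the stick that holds the key material.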
|
|
jester42 n00b
Joined: 10 Dec 2005 Posts: 1
|
Posted: Sat Dec 10, 2005 5:17 pm Post subject: ascii-skull available? |
|
|
I just read the Wiki and used some information from there to encrypt a single hdd... Around X-Mas I will try the whole encryption of my system, impressions will follow.
I have got one question right now: is the skull-ascii-art shown in the article available for download somewhere? i quite like it
Well... more in two weeks then.
jester |
|
|
|
Armageddon n00b
Joined: 29 Dec 2004 Posts: 39
|
Posted: Sat Jan 28, 2006 7:51 pm Post subject: |
|
|
hello,
first of all thank you for this really great howto
i installed an encrypted system and all works fine.
The only thing not working correctly is the encrypting of swap at boot.
It needs more than 15 mins to make the swap, is that normal? |
|
|
|
GenKreton l33t
Joined: 20 Sep 2003 Posts: 828 Location: Cambridge, MA
|
Posted: Sun Jan 29, 2006 5:50 am Post subject: |
|
|
Armageddon wrote: | It needs more than 15 mins to make the swap, is that normal? |
Nope. If it weren't for the script telling me I was making an encrypted swap, I wouldn't even know it happened. |
|
|
|
daff Apprentice
Joined: 02 Jul 2003 Posts: 232 Location: Vienna, Austria
|
Posted: Thu Feb 02, 2006 7:44 pm Post subject: |
|
|
Could it be that there are no CONFIG_BLK_DEV_DM or CONFIG_DM_CRYPT options in gentoo-sources-2.6.15-r1? I can't seem to find them.
EDIT: Feeling stupid right now. These options are available only if you enable Multiple devices driver support (RAID and LVM) under Device Drivers. _________________ Instead of asking why a piece of software is using 1970s technology,
start asking why software is ignoring 30 years of accumulated wisdom. |
|
|
|
fuzebest n00b
Joined: 19 Jan 2006 Posts: 5
|
Posted: Fri Feb 24, 2006 10:22 am Post subject: |
|
|
Sorry for the little offtopic.
Is there any guide on how to create encrypted CD/DVD images using LUKS?
thank you!
sorry again |
|
|
|
b0rsten n00b
Joined: 08 Mar 2006 Posts: 1
|
Posted: Wed Mar 08, 2006 11:18 pm Post subject: |
|
|
i've tried this howto, but after reboot i get this error:
Code: | unable to mount root fs on unknown-block{1,0) |
but i had nowhere typed (1,0) in... I'm using hda1 for boot, 2 for swap and 3 for root...
any idea what i have done wrong?
my menu.lst Code: | default 0
timeout 5
splashimage=(hd0,0)/grub/splash.xpm.gz
title=Gentoo
root(hd0,0)
kernel /kernel-2.6.15-gentoo-r1 root=/dev/ram0 rw init=/linuxrc vga=0x318 video=vedafb:mtrr,ywrap
initid (hd0,0)/initrd
|
|
|
|
|
mephist0 Tux's lil' helper
Joined: 19 Sep 2005 Posts: 94 Location: Germany, Frankfurt/Main
|
Posted: Tue Mar 14, 2006 6:46 pm Post subject: |
|
|
Very good HOWTO !
works perfectly !
Thanks very much !
Is it possible to install windows xp afterwards ? is it safe ?
I mean, I don't want to lose my data
EDIT : As I installed Gentoo I left 50GB free space for windows for gaming ... someone got a tip ?
Thanks _________________ There is only one God, and his name is Death. And there is only one thing we say to Death: 'Not today!'
Photography portfolio |
|
|
|
mephist0 Tux's lil' helper
Joined: 19 Sep 2005 Posts: 94 Location: Germany, Frankfurt/Main
|
Posted: Fri Mar 17, 2006 7:14 am Post subject: |
|
|
*push* _________________ There is only one God, and his name is Death. And there is only one thing we say to Death: 'Not today!'
Photography portfolio |
|
|
|
GenKreton l33t
Joined: 20 Sep 2003 Posts: 828 Location: Cambridge, MA
|
Posted: Tue Mar 21, 2006 1:30 am Post subject: |
|
|
mephist0 wrote: |
Is it possible to install windows xp afterwards ? is it safe ?
I mean, I don't want to lose my data
EDIT : As I installed Gentoo I left 50GB free space for windows for gaming ... someone got a tip ?
Thanks |
luks encryption is done to the partition, not the disk. It is safe to install windows IF you left free space for it. Be aware that windows will overwrite your MBR though. |
|
|
|
mephist0 Tux's lil' helper
Joined: 19 Sep 2005 Posts: 94 Location: Germany, Frankfurt/Main
|
Posted: Tue Mar 21, 2006 10:47 pm Post subject: |
|
|
GenKreton wrote: | mephist0 wrote: |
Is it possible to install windows xp afterwards ? is it safe ?
I mean, I don't want to lose my data
EDIT : As I installed Gentoo I left 50GB free space for windows for gaming ... someone got a tip ?
Thanks |
luks encryption is done to the partition, not the disk. It is safe to install windows IF you left free space for it. Be aware that windows will overwrite your MBR though. |
Thanks for the info !
After installing Windows, I think I can boot from the Gentoo installCD and launch grub-install again ?
so, time to go to bed ...
gn8 all _________________ There is only one God, and his name is Death. And there is only one thing we say to Death: 'Not today!'
Photography portfolio |
|
|
|
GenKreton l33t
Joined: 20 Sep 2003 Posts: 828 Location: Cambridge, MA
|
Posted: Thu Mar 23, 2006 4:54 am Post subject: |
|
|
mephist0 wrote: |
Thanks for the info !
After installing Windows, I think I can boot from the Gentoo installCD and launch grub-install again ?
so, time to go to bed ...
gn8 all |
That should be sufficient. You just need to add it to the grub menu as well. It's actually easier to get grub to boot windows than it is Linux ironically... |
|
|
|
anuron n00b
Joined: 01 Feb 2005 Posts: 4
|
Posted: Thu Apr 13, 2006 11:38 am Post subject: |
|
|
nice work.
just for the record and for people experiencing the same problem as I. sys-fs/cryptsetup-luks-1.0.1-r1 is somehow broken (see https://bugs.gentoo.org/show_bug.cgi?id=128925) and produces regardless of what you try the error "invalid argument".
anuron |
|
|
|
Reikinio Apprentice
Joined: 14 Aug 2005 Posts: 203 Location: Uruguay
|
Posted: Thu May 11, 2006 8:39 pm Post subject: |
|
|
Hello,
I forgot about this thread, I am sorry
The email notifications for this thread stopped, I didn't know that you had to be logged in for the email notification system to log that you have followed the link sent by email, it won't happen again.
Anyway, I have rewritten the guide, many things have been added, I spent a _lot_ of time on it so you better like it.
ChangeLog:
* Added initramfs support, initrd is gone.
* Using BusyBox for the initramfs image.
* Added a bash script to handle initramfs images.
* Added steps for booting from a USB stick.
* Added steps for gpg protected keys (randomly generated).
* Removed all the childish comments and excessive smileys that made the guide look like it was written by a five year old kid.
* Guide wikified(using wiki code, should look better now)
* And more...
What do you guys think of the new guide ?
Bye. |
|
|
|
Reikinio Apprentice
Joined: 14 Aug 2005 Posts: 203 Location: Uruguay
|
Posted: Thu May 11, 2006 9:03 pm Post subject: |
|
|
fuzebest wrote: | Sorry for the little offtopic.
Is there any guide on how to create encrypted CD/DVD images using LUKS?
thank you!
sorry again |
Yes, read the last entry of the FAQ section.
Those of you who wanted to boot from a USB stick but couldn't, should read the new guide, I did it using extlinux (a syslinux derivative) and it works fine.
Those of you having problems with the linuxrc and the initrd, should read the new guide, the new initramfs method should work without problems.
Armageddon wrote: |
hello,
first of all thank you for this really great howto
i installed an encrypted system and all works fine.
The only thing not working correctly is the encrypting of swap at boot.
It needs more than 15 mins to make the swap, is that normal?
|
No, it's not, make sure you're not reading the passphrase from /dev/random.
Anyway, the old method (the one you used) is now deprecated, so check the new guide, it'll tell you to use the cryptfs file from the Gentoo cryptsetup-luks package.
jester42 wrote: |
I have got one question right now: is the skull-ascii-art shown in the article available for download somewhere? i quite like it
|
here
Mr.Pink wrote: |
Hi all,
sorry swit for interrupting you and posting a new question without yours being answered...
I read the HOWTO and the posts in here and now I'd like to try to set up an encrypted system. The problem thereby is that I'd like to use LVM to create individual resizable partitions for not only root but also /home, /usr etc.
Am I right when I say that in this case it would be necessary to encrypt the whole hard disk at once using /dev/hda for instance and then setting up the LVM partitions to use with LVM or will I have to encrypt every LVM partition itself with a different key/passphrase?
Or is it even impossible to use LVM and encryption at the same time?
Regards
Mr.Pink
|
I have no idea, I think I remember seeing something about this on some mailing lists, but I don't have the links to it, sorry.
Regards, |
|
|
|
andersenep n00b
Joined: 31 Dec 2004 Posts: 20 Location: Everett, Washington
|
Posted: Mon May 15, 2006 4:34 am Post subject: having problems with initramfs |
|
|
Hi, I've been trying to get this working all day with no luck. I've stuck to the howto as closely as possible and I think my main problem is with initramfs. I'm using gentoo-sources-2.6.16-r7 and for starters there is no default initramfs_data.cpio.gz in /usr/src/linux/usr. I've tried adding the gzip'd cpio I created following the howto (in /output) and touching it but when I build the kernel it is overwritten. I gunzip'd the cpio to / and set CONFIG_INITRAMFS_SOURCE="/initramfs_data.cpio" and rebuilt and this generates what seems to be the right image in /usr/src/linux/usr (zcat initramfs_data.cpio.gz | cpio -t spits out the files/dirs in my testimage dir) but I still can't seem to get a working kernel. It will boot and go through everything until it tries to init (I forget the actual error) and then the kernel panics and I have to reboot.
I'm not sure if I have something wrong in my kernel config or in the init script in my initramfs_data.cpio.gz. I set the line:
Code: | root=*) # get root and fs type |
to:
Code: | root=/dev/sda2:ext3) # get root and fs type |
which is my encrypted root partition.
This is my grub.conf
Code: | default 0
timeout 90
splashimage=(hd0,0)/grub/splash.xpm.gz
title=Gentoo Linux 2.6.16
root (hd0,0)
kernel /kernel-2.6.16-gentoo-r7 root=/dev/sda2:ext3 vga=0x31B video=vesafb:ywrap,mtrr:3 |
Any ideas what I'm doing wrong?
thanks |
|
|
|
|