Gentoo Forums
[Support] System Encryption DM-Crypt with LUKS
Unsupported Software

Hypnos
Advocate
Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent
Posted: Sun Dec 28, 2008 2:48 pm

Did you change your Gentoo setup from 32-bit to 64-bit? That could do it.

If all you did was change your hardware, then hmmm... maybe ask on the LUKS mailing list.
_________________
Personal overlay | Simple backup scheme

Robert Dongers
n00b
Joined: 28 Dec 2008
Posts: 7
Posted: Mon Dec 29, 2008 7:10 am

Well, while the bit capability of the processor has changed, I'm not sure if it'd have any effect - I haven't been able to boot to change anything.

Hypnos
Advocate
Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent
Posted: Mon Dec 29, 2008 7:42 am

If you didn't change any software, only the CPU, then I am stumped -- which is why I suggested the mailing list.

Have you tried putting back in the old CPU?

Robert Dongers
n00b
Joined: 28 Dec 2008
Posts: 7
Posted: Mon Dec 29, 2008 4:48 pm

I haven't - Intel HSFs are a real pain to get on and off. I don't suppose my kernel could be somehow "attached" to my old CPU (it was compiled with P4 processor family)?

Hypnos
Advocate
Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent
Posted: Tue Dec 30, 2008 4:27 am

Robert Dongers wrote:
I haven't - Intel HSFs are a real pain to get on and off. I don't suppose my kernel could be somehow "attached" to my old CPU (it was compiled with P4 processor family)?

That's a good point -- more than the general kernel optimization (which you should indeed change), are you using optimized encryption modules? Those are dependent on 32- and 64-bit.

So right now you are using a rescue CD? These changes should be easy to implement; also, you can change the rest of your system easily using chroot (as in the installation handbook).

Good luck!

Robert Dongers
n00b
Joined: 28 Dec 2008
Posts: 7
Posted: Tue Dec 30, 2008 5:28 am

Hypnos wrote:
Robert Dongers wrote:
I haven't - Intel HSFs are a real pain to get on and off. I don't suppose my kernel could be somehow "attached" to my old CPU (it was compiled with P4 processor family)?

That's a good point -- more than the general kernel optimization (which you should indeed change), are you using optimized encryption modules? Those are dependent on 32- and 64-bit.

So right now you are using a rescue CD? These changes should be easy to implement; also, you can change the rest of your system easily using chroot (as in the installation handbook).

Good luck!

My encryption modules are the default ones (which I assumed were devoid of processor-specific optimisations), and I'm using serpent for the actual disk encryption.
I'm currently posting from another computer - I did indeed try the rescue CD; however, I did not include the serpent module, so I was unable to decrypt and chroot. I'm guessing perhaps the full LiveCD may be of more help here, but I am unsure as to which architecture I should download - must I use x86 as that's what my existing system is, or will amd64 work, allowing forward compatibility?

Hypnos
Advocate
Joined: 18 Jul 2002
Posts: 2889
Location: Omnipresent
Posted: Tue Dec 30, 2008 6:09 am

SysRescueCD may work for you better -- it has the kitchen sink in it, including dm-crypt.

As for which CD architecture to use, your 64-bit machine should boot a 32-bit CD. Then if you want to modify your software to try to get it to boot off of hard disk, you won't have to worry about any environment incompatibilities.

(In your situation, I would just do a fresh install since I would want to move my system from 32-bit to 64-bit anyway. "emerge -e world" doesn't work in this situation. Then, copy over my personal data from my physically secured, unencrypted backups.)

Robert Dongers
n00b
Joined: 28 Dec 2008
Posts: 7
Posted: Tue Dec 30, 2008 7:42 am

I'll try that, thanks for all your assistance. :)

jordanwb
l33t
Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 1:34 am    Post subject: Encrypting two partitions with one password

What I'd like to do is encrypt /home and swap with LUKS so at boot time I have to type in only one password. Is this possible? If so how?

I know I could use LVM but I want to keep my new setup as simple as possible.

I'm not even sure if I need swap though. My laptop has 256MB of RAM, but I never see more than 5 Megs of swap used.

Sadako
Advocate
Joined: 05 Aug 2004
Posts: 3792
Location: sleeping in the bathtub
Posted: Sat Jan 24, 2009 7:51 am

You don't need a password for encrypted swap (nor luks), just specify /dev/urandom as the keyfile.
_________________
"You have to invite me in"

nixnut
Bodhisattva
Joined: 09 Apr 2004
Posts: 10974
Location: the dutch mountains
Posted: Sat Jan 24, 2009 3:50 pm

merged above two posts here
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered

talk is cheap. supply exceeds demand

jordanwb
l33t
Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 5:01 pm

Hopeless wrote:
You don't need a password for encrypted swap (nor luks), just specify /dev/urandom as the keyfile.


Cool. I'll look at cryptsetup's man page.

[Edit] Wait, I understand why that would work but not how. How would the swap "file" system work? Would a new swap fs be created every boot?

Sadako
Advocate
Joined: 05 Aug 2004
Posts: 3792
Location: sleeping in the bathtub
Posted: Sat Jan 24, 2009 9:15 pm

jordanwb wrote:
Hopeless wrote:
You don't need a password for encrypted swap (nor luks), just specify /dev/urandom as the keyfile.


Cool. I'll look at cryptsetup's man page.

[Edit] Wait, I understand why that would work but not how. How would the swap "file" system work? Would a new swap fs be created every boot?
Yes, if you look at the init scripts provided with sys-fs/cryptsetup you'll see it runs mkswap on the mapping for swap.

jordanwb
l33t
Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 9:41 pm

Hopeless wrote:
Yes, if you look at the init scripts provided with sys-fs/cryptsetup you'll see it runs mkswap on the mapping for swap.


Okay cool. And I assume that it knows what's swap by the /etc/crypttab file? I emerged cryptsetup but I don't see a cryptsetup file in /etc/init.d

When I try to format a partition using /dev/urandom as a keyfile:

Code:
cryptsetup luksFormat /dev/sda6 -c aes -s 128 -d /dev/urandom


It still asks me for a password.

I suppose I could create a keyfile, and store it on my /home partition which would be easier, not sure about safer. I'm not trying to make my laptop super crazy safe though.

Unrelated: if I had a partition which was encrypted and held a keyfile, could I use that keyfile to encrypt multiple partitions (i.e. for LVM)?


Last edited by jordanwb on Sat Jan 24, 2009 10:01 pm; edited 2 times in total

Sadako
Advocate
Joined: 05 Aug 2004
Posts: 3792
Location: sleeping in the bathtub
Posted: Sat Jan 24, 2009 10:00 pm

jordanwb wrote:
Hopeless wrote:
Yes, if you look at the init scripts provided with sys-fs/cryptsetup you'll see it runs mkswap on the mapping for swap.


Okay cool. And I assume that it knows what's swap by the /etc/crypttab file? I emerged cryptsetup but I don't see a cryptsetup file in /etc/init.d
You set the options in /etc/conf.d/dmcrypt, which is pretty well documented.

Quote:
When I try to format a partition using /dev/urandom as a keyfile:

Code:
cryptsetup luksFormat /dev/sda6 -c aes -s 128 -d /dev/urandom


It still asks me for a password.

I suppose I could create a keyfile, and store it on my /home partition which would be easier, not sure about safer. I'm not trying to make my laptop super crazy safe though.
You shouldn't use luks for this, just run `cryptsetup -c aes -s 128 -d /dev/urandom create swap /dev/sda6`

Quote:
Unrelated, If I had a partition which was encrypted which held a keyfile, could I use that keyfile to encrypt multiple partitions (i.e. for LVM)?
I don't see any reason why not, but again this isn't really where you should use luks.

luks stores the actual key used to en/decrypt the data in the luks header on the partition (it's encrypted and safer than it sounds); however, this makes luks unsuitable for cases where you want to use your own key data or want more automation or flexibility.
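Sadako's advice, put into the form the Gentoo dmcrypt init script reads, as an added example that is not from the thread: a fragment of /etc/conf.d/dmcrypt that defines a plain-mode (non-LUKS) swap mapping keyed from /dev/urandom next to a LUKS-protected /home opened with a passphrase. The device paths /dev/sda6 and /dev/sda7 and the mapping names are assumptions for a laptop layout; the variable names swap=, target=, source= and options= are the ones documented in that file.

```shell
# /etc/conf.d/dmcrypt fragment -- added example, not from the thread.
# Device paths and mapping names below are assumptions; adjust to your disks.

# Swap comes first, so that nothing that is later read into memory (the /home
# key material included) can be paged out to unencrypted swap. This is plain
# dm-crypt, not LUKS: the 128-bit key is read from /dev/urandom at every boot,
# so the old contents are unreadable after a reboot and the init script runs
# mkswap on /dev/mapper/crypt-swap before swapon. No passphrase, no LUKS header.
swap=crypt-swap
source='/dev/sda6'
options='-c aes -s 128 -d /dev/urandom'

# /home: LUKS is the right tool here, because a passphrase is typed at boot and
# the key slots live in the LUKS header on the partition itself. With no key=
# line, the init script prompts for the passphrase when it opens the mapping.
target=crypt-home
source='/dev/sda7'
```

/etc/fstab then refers to the mapped devices (/dev/mapper/crypt-swap as swap, /dev/mapper/crypt-home on /home), never to /dev/sda6 or /dev/sda7 directly. One caveat a random-key swap brings: suspend-to-disk cannot resume, because the key that encrypted the hibernation image is gone after power-off; if you need hibernation, the swap must be keyed the same way across boots (LUKS with a passphrase, for instance).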
jordanwb
l33t
Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 10:34 pm

Hopeless wrote:
You shouldn't use luks for this


I want to encrypt /home as well, is it all right to use luks there?

Sadako
Advocate
Joined: 05 Aug 2004
Posts: 3792
Location: sleeping in the bathtub
Posted: Sat Jan 24, 2009 10:50 pm

jordanwb wrote:
Hopeless wrote:
You shouldn't use luks for this


I want to encrypt /home as well, is it all right to use luks there?
If you want to just protect it with a password rather than a keyfile or similar external method, then yes, it'd probably be the best choice.

jordanwb
l33t
Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 10:55 pm

Okee dokee. I'll give it a try tomorrow afternoon. Thanks.

teddks
n00b
Joined: 26 Jan 2009
Posts: 1
Posted: Mon Jan 26, 2009 6:25 am

Right, so I'm not using the guide this thread is about, but this relatively similar one: http://www.gentoo-wiki.info/Booting_encrypted_system_from_USB_stick

Things were pretty rocky from the get-go, since the system I'm using doesn't actually boot off of USB, and I've been using a CD with grub on it to bootstrap the system. Also, I had to rig up something with stty to get the passphrase for my keyfile into gpg, because my initramfs doesn't have /dev/tty (any suggestions as to that would be welcome).

My real problem, however, is that LVM will simply not recognize my volume group. I can unlock the drive, but running lvm vgscan tells me I have no logical volumes. I copied over lvm.conf from the liveCD, and don't really know where else to go from here (I have an encrypted gentoo system on another box, but not using LVM). Any suggestions?

jordanwb
l33t
Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada
Posted: Wed Jan 28, 2009 8:49 pm

Let's say I wanted to partition my drives like this:

/dev/sda1, 32MB, ext3, /boot
/dev/sda2, 8MB, ext3, partition is encrypted with password, contains keyfile
/dev/sda3, ~320GB, LVM volume, encrypted with keyfile in /dev/sda2

/dev/sdb1, 160GB, LVM volume, encrypted with keyfile in /dev/sda2

Startup:

1: Ask for password to unlock /dev/sda2 and map to /dev/mapper/crypt-keyfile
2: Mount /dev/mapper/crypt-keyfile to /keyfile
3: Unlock LVM physical volumes with keyfile stored in /keyfile

Is this possible? I suppose it is, but can genkernel do this?

This theoretical setup could allow one to use multiple drives in LVM while having to use only one password.

Paczesiowa
Guru
Joined: 06 Mar 2006
Posts: 593
Location: Oborniki Śląskie, Poland
Posted: Wed Jan 28, 2009 11:34 pm

It is possible (don't know about genkernel, but you can do everything with a custom initramfs), but why not just use the same password for everything? The same security (e.g. if you break the password, you can decrypt everything), but no need for a custom initramfs.

jordanwb
l33t
Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada
Posted: Thu Jan 29, 2009 12:07 am

Paczesiowa wrote:
but why not just use the same password for everything?


You'd still need to type in each individual password.

Paczesiowa
Guru
Joined: 06 Mar 2006
Posts: 593
Location: Oborniki Śląskie, Poland
Posted: Thu Jan 29, 2009 9:59 am

No.
Code:
# read the passphrase once, without echoing it to the terminal
read -r -s PASSWORD
# cryptsetup takes the passphrase on stdin, so the same value opens both volumes
echo "$PASSWORD" | cryptsetup luksOpen /dev/sda1 sda1
echo "$PASSWORD" | cryptsetup luksOpen /dev/sda2 sda2
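A fuller version of Paczesiowa's three-line snippet, which also covers the layout jordanwb sketched a few posts up (several LVM physical volumes unlocked from one prompt, optionally via a key file kept on a small, separately unlocked partition). This is an added example, not code from the thread, from genkernel or from Gentoo's init scripts. It assumes a busybox-style /bin/sh in the initramfs, the device paths and mapping names used below, and the same behaviour the original snippet relies on: cryptsetup luksOpen reads the passphrase from stdin when stdin is not a terminal.

```shell
#!/bin/sh
# Added example (not from the thread or from genkernel): open several LUKS
# volumes from a single passphrase prompt inside an initramfs /init, then
# activate LVM. Device paths and mapping names are assumptions.

# Open one LUKS device. The passphrase arrives on stdin, which keeps it off
# the command line (arguments would be visible to anyone running ps).
open_luks() {                     # $1 = backing device, $2 = mapper name
    cryptsetup luksOpen "$1" "$2"
}

# Variant for the key-file layout: a key file on a small, already-unlocked
# partition opens the big LVM physical volumes without a second prompt.
open_luks_keyfile() {             # $1 = device, $2 = mapper name, $3 = key file
    cryptsetup luksOpen --key-file "$3" "$1" "$2"
}

# Feed the passphrase in $1 to every "device:name" pair that follows.
# Mappings that already exist are skipped, so a retry after a partial failure
# does not reopen the volumes that succeeded. Returns 0 only when every
# volume is open, so a typo fails closed instead of booting half-unlocked.
unlock_all() {
    pass=$1; shift
    for pair in "$@"; do
        dev=${pair%%:*}
        name=${pair#*:}
        if [ -e "/dev/mapper/$name" ]; then
            continue
        fi
        # printf, not echo: echo may mangle backslashes or a leading '-'.
        printf '%s\n' "$pass" | open_luks "$dev" "$name" || return 1
    done
    return 0
}

# Ask up to $1 times, without echoing (stty rather than read -s, which is not
# POSIX), and clear the variable afterwards so the passphrase does not linger
# in the shell environment longer than it is needed.
prompt_and_unlock() {
    tries=$1; shift
    while [ "$tries" -gt 0 ]; do
        printf 'Enter passphrase: ' >&2
        stty -echo 2>/dev/null
        read -r PASSWORD
        stty echo 2>/dev/null
        echo >&2
        if unlock_all "$PASSWORD" "$@"; then
            unset PASSWORD
            return 0
        fi
        tries=$((tries - 1))
        echo "Unlock failed, $tries attempt(s) left" >&2
    done
    unset PASSWORD
    return 1
}

# Typical /init usage; only runs when this file is executed as /init.
if [ "$0" = "/init" ]; then
    prompt_and_unlock 3 /dev/sda3:crypt-pv0 /dev/sdb1:crypt-pv1 || {
        echo "Could not unlock the LVM physical volumes, dropping to a shell" >&2
        exec /bin/sh
    }
    lvm vgscan --mknodes && lvm vgchange -ay
fi
```

Compared with the original snippet, the differences that matter are the quoting ("$PASSWORD" unquoted is word-split and glob-expanded, so a passphrase containing spaces or a `*` would be altered before it reached cryptsetup), printf instead of echo, the retry loop, and the all-or-nothing result. For jordanwb's layout, unlock_all would be called once with the small key partition only, the key file mounted, and then open_luks_keyfile used for each physical volume.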
jordanwb
l33t
Joined: 10 Jul 2008
Posts: 642
Location: Ottawa, Canada
Posted: Thu Jan 29, 2009 4:12 pm

Oh. So what exactly is doing that? The init script?

Paczesiowa
Guru
Joined: 06 Mar 2006
Posts: 593
Location: Oborniki Śląskie, Poland
Posted: Thu Jan 29, 2009 4:16 pm

Yes. See http://en.gentoo-wiki.com/wiki/Initramfs - writing your own init script is very easy (easier than creating the initramfs archive).

Page 18 of 20
All times are GMT