Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
Posted: Sun Dec 28, 2008 2:48 pm Post subject:
did you change your Gentoo setup from 32-bit to 64-bit? That could do it.
If all you did was change your hardware, then hmmm ... maybe ask on the LUKS mailing list. _________________ Personal overlay | Simple backup scheme
Robert Dongers n00b
Joined: 28 Dec 2008 Posts: 7
Posted: Mon Dec 29, 2008 7:10 am Post subject:
Well, while the bit capability of the processor has changed, I'm not sure if it'd have any effect - I haven't been able to boot to change anything.
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
Posted: Mon Dec 29, 2008 7:42 am Post subject:
If you didn't change any software, only the CPU, then I am stumped -- which is why I suggested the mailing list.
Have you tried putting back in the old CPU?
Robert Dongers n00b
Joined: 28 Dec 2008 Posts: 7
Posted: Mon Dec 29, 2008 4:48 pm Post subject:
I haven't - Intel HSFs are a real pain to get on and off. I don't suppose my kernel could be somehow "attached" to my old CPU (it was compiled with P4 processor family)?
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
Posted: Tue Dec 30, 2008 4:27 am Post subject:
Robert Dongers wrote: | I haven't - Intel HSFs are a real pain to get on and off. I don't suppose my kernel could be somehow "attached" to my old CPU (it was compiled with P4 processor family)? |
That's a good point -- more than the general kernel optimization (which you should indeed change), are you using optimized encryption modules? Those are dependent on 32- and 64-bit.
So right now you are using a rescue CD? These changes should be easy to implement; also, you can change the rest of your system easily using chroot (as in the installation handbook).
Good luck!
Robert Dongers n00b
Joined: 28 Dec 2008 Posts: 7
Posted: Tue Dec 30, 2008 5:28 am Post subject:
Hypnos wrote: | Robert Dongers wrote: | I haven't - Intel HSFs are a real pain to get on and off. I don't suppose my kernel could be somehow "attached" to my old CPU (it was compiled with P4 processor family)? |
That's a good point -- more than the general kernel optimization (which you should indeed change), are you using optimized encryption modules? Those are dependent on 32- and 64-bit.
So right now you are using a rescue CD? These changes should be easy to implement; also, you can change the rest of your system easily using chroot (as in the installation handbook).
Good luck! |
My encryption modules are the default ones (which I assumed were devoid of processor-specific optimisations), and I'm using serpent for the actual disk encryption.
I'm currently posting from another computer - I did indeed try the rescue CD, however I did not include the serpent module so I was unable to decrypt and chroot. I'm guessing perhaps the full LiveCD may be of more help here, but I am unsure as to which architecture I should download - must I use x86 as that's what my existing system is, or will amd64 work, allowing forwards compatibility?
Hypnos Advocate
Joined: 18 Jul 2002 Posts: 2889 Location: Omnipresent
Posted: Tue Dec 30, 2008 6:09 am Post subject:
SysRescueCD may work for you better -- it has the kitchen sink in it, including dm-crypt.
As for which CD architecture to use, your 64-bit machine should boot a 32-bit CD. Then if you want to modify your software to try to get it to boot off of hard disk, you won't have to worry about any environment incompatibilities.
(In your situation, I would just do a fresh install since I would want to move my system from 32-bit to 64-bit anyway. "emerge -e world" doesn't work in this situation. Then, copy over my personal data from my physically secured, unencrypted backups ...)
Robert Dongers n00b
Joined: 28 Dec 2008 Posts: 7
Posted: Tue Dec 30, 2008 7:42 am Post subject:
I'll try that, thanks for all your assistance.
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 1:34 am Post subject: Encrypting two partitions with one password
What I'd like to do is encrypt /home and swap with LUKS so at boot time I have to type in only one password. Is this possible? If so how?
I know I could use LVM but I want to keep my new setup as simple as possible.
I'm not even sure if I need swap though. My laptop has 256MB of RAM, but I never see more than 5 Megs of swap used.
Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
Posted: Sat Jan 24, 2009 7:51 am Post subject:
You don't need a password for encrypted swap (nor luks), just specify /dev/urandom as the keyfile. _________________ "You have to invite me in"
nixnut Bodhisattva
Joined: 09 Apr 2004 Posts: 10974 Location: the dutch mountains
Posted: Sat Jan 24, 2009 3:50 pm Post subject:
merged above two posts here _________________ Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
talk is cheap. supply exceeds demand
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 5:01 pm Post subject:
Hopeless wrote: | You don't need a password for encrypted swap (nor luks), just specify /dev/urandom as the keyfile. |
Cool. I'll look at cryptsetup's man page.
[Edit] Wait, I understand why that would work but not how. How would the swap "file" system work? Would a new swap fs be created every boot?
Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
Posted: Sat Jan 24, 2009 9:15 pm Post subject:
jordanwb wrote: | Hopeless wrote: | You don't need a password for encrypted swap (nor luks), just specify /dev/urandom as the keyfile. |
Cool. I'll look at cryptsetup's man page.
[Edit] Wait, I understand why that would work but not how. How would the swap "file" system work? Would a new swap fs be created every boot? |
Yes, if you look at the init scripts provided with sys-fs/cryptsetup you'll see it runs mkswap on the mapping for swap.
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 9:41 pm Post subject:
Hopeless wrote: | Yes, if you look at the init scripts provided with sys-fs/cryptsetup you'll see it runs mkswap on the mapping for swap. |
Okay cool. And I assume that it knows what's swap by the /etc/crypttab file? I emerged cryptsetup but I don't see a cryptsetup file in /etc/init.d
When I try to format a partition using /dev/urandom as a keyfile:
Code: | cryptsetup luksFormat /dev/sda6 -c aes -s 128 -d /dev/urandom |
It still asks me for a password.
I suppose I could create a keyfile, and store it on my /home partition which would be easier, not sure about safer. I'm not trying to make my laptop super crazy safe though.
Unrelated, if I had a partition which was encrypted which held a keyfile, could I use that keyfile to encrypt multiple partitions (i.e. for LVM)?
Last edited by jordanwb on Sat Jan 24, 2009 10:01 pm; edited 2 times in total
Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
Posted: Sat Jan 24, 2009 10:00 pm Post subject:
jordanwb wrote: | Hopeless wrote: | Yes, if you look at the init scripts provided with sys-fs/cryptsetup you'll see it runs mkswap on the mapping for swap. |
Okay cool. And I assume that it knows what's swap by the /etc/crypttab file? I emerged cryptsetup but I don't see a cryptsetup file in /etc/init.d |
You set the options in /etc/conf.d/dmcrypt, which is pretty well documented.
Quote: | When I try to format a partition using /dev/urandom as a keyfile:
Code: | cryptsetup luksFormat /dev/sda6 -c aes -s 128 -d /dev/urandom |
It still asks me for a password.
I suppose I could create a keyfile, and store it on my /home partition which would be easier, not sure about safer. I'm not trying to make my laptop super crazy safe though. |
You shouldn't use luks for this, just run `cryptsetup -c aes -s 128 -d /dev/urandom create swap /dev/sda6`
Quote: | Unrelated, if I had a partition which was encrypted which held a keyfile, could I use that keyfile to encrypt multiple partitions (i.e. for LVM)? |
I don't see any reason why not, but again this isn't really where you should use luks.
luks stores the actual key used to en/decrypt the data in the luks header on the partition (it's encrypted and safer than it sounds); however, that makes luks unsuitable for cases where you want to use your own key data or want more automation or flexibility.
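Sadako's answer above keys swap from /dev/urandom on a plain dm-crypt mapping (no LUKS header), and the init script then runs mkswap on that mapping at every boot. The script below is an added example, not the sys-fs/cryptsetup init script and not code from anyone in the thread: it carries out those three steps (create the mapping, mkswap, swapon) and, because the device is wiped and re-formatted on every boot, first refuses to proceed if the named device is currently mounted, which is the failure mode a typo in the device name would otherwise cause. The device path and mapping name are placeholders; the tool names and the mounts table path are overridable variables so the logic can be exercised with stubs and without root.

```shell
#!/bin/sh
# Added example, not from the thread or from sys-fs/cryptsetup: encrypted swap
# on a plain dm-crypt mapping keyed from /dev/urandom. The device and mapping
# name given on the command line are placeholders.
set -eu

# Overridable so the logic can be exercised with stubs and a fake mounts table.
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"
MKSWAP="${MKSWAP:-mkswap}"
SWAPON="${SWAPON:-swapon}"
MOUNTS="${MOUNTS:-/proc/mounts}"

# is_mounted DEV: succeeds if DEV is the source of any mount listed in $MOUNTS.
is_mounted() {
    while read -r src _rest; do
        [ "$src" = "$1" ] && return 0
    done < "$MOUNTS"
    return 1
}

# setup_random_swap DEV NAME
# Guard, then map DEV as /dev/mapper/NAME with a fresh random key, write a swap
# signature on the mapping and enable it. The key exists only in kernel memory,
# so after a reboot the previous contents are unrecoverable; for the same reason
# the mapping is blank at every boot and must go through mkswap again.
setup_random_swap() {
    dev=$1
    name=$2
    if is_mounted "$dev"; then
        echo "refusing: $dev is mounted, mkswap would destroy its filesystem" >&2
        return 1
    fi
    # Plain dm-crypt, not LUKS: no header, no key slot, no passphrase prompt.
    "$CRYPTSETUP" -c aes -s 128 -d /dev/urandom create "$name" "$dev" || return 1
    "$MKSWAP" "/dev/mapper/$name" >/dev/null || return 1
    "$SWAPON" "/dev/mapper/$name" || return 1
    return 0
}

# Run as root, e.g.:  sh crypt-swap.sh /dev/sda6 swap
if [ $# -eq 2 ]; then
    setup_random_swap "$1" "$2"
fi
```

The cipher options match the command in the thread; with plain dm-crypt nothing on disk records them, so they have to be given identically at every boot, which is what the /etc/conf.d/dmcrypt entry does for you. Two consequences of the random key worth knowing before choosing this layout: suspend-to-disk cannot resume from such a swap, since the key that encrypted the image is gone after reboot, and the guard here only looks at the mounts table, so a device that is already active as swap or holds an unmounted filesystem is not protected by it.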
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 10:34 pm Post subject:
Hopeless wrote: | You shouldn't use luks for this |
I want to encrypt /home as well, is it all right to use luks there?
Sadako Advocate
Joined: 05 Aug 2004 Posts: 3792 Location: sleeping in the bathtub
Posted: Sat Jan 24, 2009 10:50 pm Post subject:
jordanwb wrote: | Hopeless wrote: | You shouldn't use luks for this |
I want to encrypt /home as well, is it all right to use luks there? |
If you want to just protect it with a password rather than a keyfile or similar external method, then yes, it'd probably be the best choice.
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Sat Jan 24, 2009 10:55 pm Post subject:
Okee dokee. I'll give it a try tomorrow afternoon. Thanks.
teddks n00b
Joined: 26 Jan 2009 Posts: 1
Posted: Mon Jan 26, 2009 6:25 am Post subject:
Right, so I'm not using the guide this thread is about, but this relatively similar one: http://www.gentoo-wiki.info/Booting_encrypted_system_from_USB_stick
Things were pretty rocky from the get-go, since the system I'm using doesn't actually boot off of USB, and I've been using a CD with grub on it to bootstrap the system. Also, I had to rig up something with stty to get the passphrase for my keyfile into gpg, because my initramfs doesn't have /dev/tty (any suggestions as to that would be welcome).
My real problem, however, is that LVM will simply not recognize my volume group. I can unlock the drive, but running lvm vgscan tells me I have no logical volumes. I copied over lvm.conf from the liveCD, and don't really know where else to go from here (I have an encrypted gentoo system on another box, but not using LVM). Any suggestions?
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Wed Jan 28, 2009 8:49 pm Post subject:
Let's say I wanted to partition my drives like this:
/dev/sda1, 32MB, ext3, /boot
/dev/sda2, 8MB, ext3, partition is encrypted with password, contains keyfile
/dev/sda3, ~320GB, LVM volume, encrypted with keyfile in /dev/sda2
/dev/sdb1, 160GB, LVM volume, encrypted with keyfile in /dev/sda2
Startup:
1: Ask for password to unlock /dev/sda2 and map to /dev/mapper/crypt-keyfile
2: Mount /dev/mapper/crypt-keyfile to /keyfile
3: Unlock LVM physical volumes with keyfile stored in /keyfile
Is this possible? I suppose it is possible but can genkernel do this?
This theoretical setup could allow one to use multiple drives in LVM while having to use only one password.
Paczesiowa Guru
Joined: 06 Mar 2006 Posts: 593 Location: Oborniki Śląskie, Poland
Posted: Wed Jan 28, 2009 11:34 pm Post subject:
it is possible (don't know about genkernel, but you can do everything with custom initramfs), but why not just use the same password for everything? the same security (e.g. you break the password, you can decrypt everything), but no need for custom initramfs.
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Thu Jan 29, 2009 12:07 am Post subject:
Paczesiowa wrote: | but why not just use the same password for everything? |
You'd still need to type in each individual password.
Paczesiowa Guru
Joined: 06 Mar 2006 Posts: 593 Location: Oborniki Śląskie, Poland
Posted: Thu Jan 29, 2009 9:59 am Post subject:
no.
Code: | # prompt once, with terminal echo off (bash's read -s)
read -s PASSWORD
# feed the same passphrase to each luksOpen over stdin; keep it quoted so spaces survive
printf '%s\n' "$PASSWORD" | cryptsetup luksOpen /dev/sda1 sda1
printf '%s\n' "$PASSWORD" | cryptsetup luksOpen /dev/sda2 sda2 |
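Paczesiowa's snippet above reads the passphrase once and pipes it to each luksOpen, which is what makes jordanwb's "one password for several LVM physical volumes" layout work without a keyfile partition. The script below is an added example, not code from either of them or from genkernel: it does the same for any number of DEV:NAME pairs, reads the passphrase with echo off using stty (so it also works under busybox ash in an initramfs, where bash's read -s is not available), passes it over stdin rather than as an argument so it never shows up in ps output, and fails closed at the first volume that does not open. Device paths and mapping names are placeholders; CRYPTSETUP is an overridable variable so the logic can be tested with a stub instead of the real binary.

```shell
#!/bin/sh
# Added example, not code from the thread: open several LUKS volumes with a
# passphrase typed once. Device paths and mapping names are placeholders.
set -eu

# Override with a wrapper (e.g. a logging stub) to exercise this without root.
CRYPTSETUP="${CRYPTSETUP:-cryptsetup}"

# Read the passphrase into $PASSPHRASE without echoing it. Uses stty rather
# than bash's 'read -s' so it also works under busybox ash in an initramfs.
read_passphrase() {
    if [ -t 0 ]; then
        printf 'Passphrase: ' >&2
        stty -echo
        read -r PASSPHRASE
        stty echo
        printf '\n' >&2
    else
        read -r PASSPHRASE      # stdin is not a terminal, e.g. a here-document
    fi
}

# unlock_all DEV:NAME [DEV:NAME ...]
# Opens each LUKS device as /dev/mapper/NAME. Sets $opened to the number of
# volumes opened so far and returns 1 (fail closed) at the first one that
# refuses the passphrase, leaving the ones already opened in place.
unlock_all() {
    opened=0
    for pair in "$@"; do
        dev=${pair%%:*}
        name=${pair#*:}
        # The passphrase travels over stdin, never as an argument, so it does
        # not appear in 'ps' output or in the shell history.
        if printf '%s\n' "$PASSPHRASE" | "$CRYPTSETUP" luksOpen "$dev" "$name"; then
            opened=$((opened + 1))
        else
            echo "unlock_all: could not open $dev as $name" >&2
            return 1
        fi
    done
    return 0
}

# Run as root, e.g.:  sh unlock.sh /dev/sda3:crypt-sda3 /dev/sdb1:crypt-sdb1
if [ $# -gt 0 ]; then
    read_passphrase
    unlock_all "$@"
    unset PASSPHRASE            # drop the secret from the shell once done
fi
```

As Paczesiowa says, this gives the same security as separate prompts: one passphrase opens everything, so it only buys convenience, not isolation. Because (per Sadako's earlier post) the data key of each volume lives only in its LUKS header, a damaged header means the volume is gone regardless of the passphrase; keep a `cryptsetup luksHeaderBackup` of each volume somewhere that is not the volume itself.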
jordanwb l33t
Joined: 10 Jul 2008 Posts: 642 Location: Ottawa, Canada
Posted: Thu Jan 29, 2009 4:12 pm Post subject:
Oh. So what exactly is doing that? The init script?
Paczesiowa Guru
Joined: 06 Mar 2006 Posts: 593 Location: Oborniki Śląskie, Poland