Gentoo Forums
Setting Up a Laptop on Top of Pappys Seeds
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2365
Location: Kentucky

Posted: Sun Mar 07, 2010 10:35 pm

BAD NEWS! :evil:

From http://www.tuxonice.net/HOWTO-7.html#ss7.4 we find:
Quote:
7.4 Using an initrd/initramfs but TuxOnIce compiled in

If you are using an initrd, you MUST edit the linuxrc script to attempt to resume before filesystems are mounted. Do this by inserting the line:

echo 1 > /sys/power/tuxonice/do_resume

somewhere after mount /proc but before mounting filesystems in your linuxrc script.

If you are using an initramfs, you will need to do the same thing to your /sbin/init script, else you will never be able to resume.

But my init file in my initramfs looks like:
Code:
#!/bin/busybox sh

rescue_shell() {
    echo "Something went wrong. Dropping you to a shell."
    busybox --install -s
    exec /bin/sh
}

# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys

echo doing luksOpen
cryptsetup luksOpen /dev/sda cryptoroot

echo doing vgscan
lvm vgscan

echo doing vgchange
lvm vgchange -a y

echo mounting root
mount /dev/gentoo/rootfs /mnt/root

echo unmounting /proc and /sys
umount /proc
umount /sys

echo doing the pivot root
exec switch_root /mnt/root /sbin/init

# if we get here, it means trouble!  :-(
echo "starting emergency rescue shell..."
rescue_shell

So I *MUST* do the echo to do_resume before the LVM stuff gets initialized, but the swap partition, which would actually be an LVM logical device, will not be visible until after LVM gets going.

Bummer! :evil:
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
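A check for the ordering rule quoted from the TuxOnIce HOWTO in the post above, as an added example that is not part of the thread or of TuxOnIce: it reads an init script and reports whether the do_resume write falls after mount /proc and before the first real filesystem mount. The function names and the constructed variants are assumptions for illustration; pseudo-filesystem mounts and LVM activation are not counted as mounting a filesystem.

```shell
#!/bin/sh
# Added example (not from the thread): lint an initramfs init script against the
# quoted rule "after mount /proc but before mounting filesystems".
# Reads the script on stdin and prints: ok | missing | too-early | too-late
check_resume_order() {
    awk '
        /^[ \t]*#/ { next }                                      # ignore comments
        /mount[ \t]+-t[ \t]+(proc|sysfs|devtmpfs|tmpfs)[ \t]/ {  # pseudo filesystems
            if ($0 ~ /-t[ \t]+proc[ \t]/ && !proc) proc = NR
            next
        }
        /(^|[ \t;])mount[ \t]/ { if (!real) real = NR }          # first real mount
        /\/sys\/power\/tuxonice\/do_resume/ { if (!resume) resume = NR }
        END {
            if (!resume)                      print "missing"
            else if (!proc || resume < proc)  print "too-early"
            else if (real && resume > real)   print "too-late"
            else                              print "ok"
        }'
}

# The init from the post above, condensed (it has no resume line at all).
init_as_posted() {
    cat <<'EOF'
mount -t proc none /proc
mount -t sysfs none /sys
cryptsetup luksOpen /dev/sda cryptoroot
lvm vgscan
lvm vgchange -a y
mount /dev/gentoo/rootfs /mnt/root
umount /proc
umount /sys
exec switch_root /mnt/root /sbin/init
EOF
}

# Constructed variant: $1 is the line number after which the resume write is inserted.
init_with_resume_after() {
    init_as_posted | awk -v n="$1" '
        { print }
        NR == n { print "echo 1 > /sys/power/tuxonice/do_resume" }'
}

init_as_posted | check_resume_order              # the script as posted
init_with_resume_after 5 | check_resume_order    # after vgchange, before mount root
init_with_resume_after 6 | check_resume_order    # after root is already mounted
```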
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5999
Location: Pomona, California.

Posted: Mon Mar 08, 2010 8:29 am

There are releases to 2.6.32-tuxonice-5, so you don't really have to give up much. As far as the need for a swap partition, that's definitely a sticky wicket. I'm not sure how that could be accomplished.

Cheers,
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2365
Location: Kentucky

Posted: Mon Mar 08, 2010 2:07 pm

The problem seems to be that it needs to know where to read its saved hibernation data before it mounts /sys, and with lvm, you need /sys mounted to do the vgscan and vgchange operations that make the logical volumes and logical devices visible, and these are the lvm equivalent of partitions. It's truly a catch-22 situation as far as I can see. I guess I will have to be content to use sleep for short term idle periods and total shutdown when security is important, such as when I will not be within arm's reach of the machine. Maybe I will go to the tuxonice web site and see if anyone there has come up against this before, and if there is a solution. :?
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2365
Location: Kentucky

Posted: Fri Mar 12, 2010 3:55 am

Hot off the presses from the
SANS @RISK: The Consensus Security Vulnerability Alert

______________________________________________________________________

10.11.13 CVE: Not Available
Platform: Linux
Title: Linux Kernel Video Output Status Local Denial of Service
Description: The Linux kernel is exposed to a local denial of service
issue. The issue stems from an error while reading the status of video
output devices on certain ThinkPad platforms and can be triggered by
reading "/proc/acpi/ibm/video". Linux kernel versions prior to
2.6.34-rc1 on certain ThinkPad platforms are affected.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=565790
______________________________________________________________________

This looks like it could very well be related to my boot time video initialization race condition that still occurs about 1/4 of the time.

Very interesting... :|
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
pappy_mcfae
Watchman

Joined: 27 Dec 2007
Posts: 5999
Location: Pomona, California.

Posted: Fri Mar 12, 2010 6:02 am

Most definitely. It's worth following until they figure it out, and see if it then fixes your issues.

Cheers,
Pappy
_________________
This space left intentionally blank, except for these ASCII symbols.
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2365
Location: Kentucky

Posted: Thu Mar 18, 2010 2:48 am

As noted earlier in this thread, the laptop that is the experimental guinea pig subject of this thread boots from a usb stick to a fully encrypted disk, using LUKS. The disk also is under LVM2 control, and has no partition table on it whatsoever. LVM provides the virtual partitions directly on the unencrypted pseudo-device that LUKS creates from the fully encrypted disk.

At boot time, the operator must insert the USB boot key into a bootable USB socket. Part way into the boot sequence, he must enter his pass phrase thru the keyboard. With the pass phrase, LUKS is able to unencrypt a view of the disk to the aforementioned pseudo-device. Here is where LVM takes over, making the volume groups, whose logical devices amount to virtual partitions, on the drive visible. At this point, the initramfs is about finished; it does the pivot-root and voila! The system finishes booting from the encrypted solid state disk, and the operator may now remove the USB boot key.

This USB boot key is nothing more than a 1 GB USB flash drive that has grub and a kernel suitable for running the laptop. LUKS keeps all the key management stuff on the encrypted drive; the pass phrase allows LUKS to access the key table, and the key table contains the actual key to unencrypt the drive itself.

Since the usb boot key is a "key", I wanted to carry it on my keychain. 8)
I also wanted to carry a liveusb on my keychain, just in case... :?

I had been using a couple of el cheapo usb drives, but the plastic hole where the keyring went thru broke, and the cap broke so it wouldn't stay on. :evil:

I wanted something better, especially now that I knew everything was working well. I searched the web and found a very nicely packaged 1 GB USB flash drive from Imation. It even has a write protect switch! :D

It also has a rubber carrier equipped with one of those keyring snap-clip things. Other than the write protect switch, it is a pretty generic usb drive, but the case is very well designed to go on a real key-ring and be thrown into your pocket, banged around as keys do, etc.

It's a bit expensive, but for this application, it's ideal. I wrote the boot key code onto one of them, and the liveusb code onto another one. I then set the write-protect switch and verified that it was indeed hardware write-protected. Finally I made a nice laminated label for each drive on my Brother label maker. I wrapped the label around the drive so it could not come off, and also so it covered the write-protect switch, keeping it from being tampered with.

These 2 drives are now on my key-ring.

If you are interested, I bought them thru amazon.com and they are called "Imation Clip Flash Drive". The packing slip says they are "IMN 18404", and the UPC bar code number is 51122 18404. I bought mine at "Shoplet.com" thru the amazon.com web site. The pair of them, with shipping, was $38.20, and they arrived in 6 days using the cheap freight. The url for the drives is:

http://www.amazon.com/gp/product/B0012E58NC/ref=oss_product

I give this detail not as a commercial, but because such a drive is hard to find, and this one is perfect for a crypto-boot usb key.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2365
Location: Kentucky

Posted: Thu Apr 01, 2010 3:52 am

Given that I now have a laptop that runs a fully encrypted disk drive, I need some way to back it up.

On my home network, I have a network backup server that runs an encrypted raid-1 mirror to hold the backups, but when I am on the road, I can only backup to usb shirt pocket sized disk drives.

I also make an image backup to a second 256 GB SSD using the Lenovo ThinkPad ultrabay adapter for a hard disk. This gives me full SATA-2 speed, so I can make a full image backup of the laptop's main drive to the second SSD in about 30 minutes.

But for nightly incremental backups, I still needed a solution. The answer was to use basically the same rsync approach I am using on my network backup server, only all running on a single computer to a locally attached usb disk drive. I run 2 backup scripts: one to backup the gentoo linux system, excluding the vmware disk image files used by the windows xp system, and a second script running in the windows environment under cygwin to back up the windows side.

Now it doesn't do much good to have a fully encrypted disk on the laptop and then keep the backups in an unencrypted form, so I encrypted the backup usb disk using luks and then put lvm on top of that, then xfs on top of that, and wrote a couple of little scripts to mount and dismount the usb backup drive. Now I can make incremental backups in a format similar to my big backup server back home, even when I am on the road. :D
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
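The mount and dismount steps for the LUKS, then LVM, then XFS stack described in the post above, as an added example; these are not the poster's scripts, and the device path, mapping name, volume group, logical volume and mount point are placeholder assumptions. Setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the poster's scripts). Every name below is a placeholder.
BACKUP_DEV=/dev/sdX        # hypothetical: the whole USB backup disk
LUKS_NAME=cryptbackup      # hypothetical: device-mapper name for the opened disk
VG=backupvg                # hypothetical: volume group inside the LUKS container
LV=backup                  # hypothetical: logical volume carrying the XFS filesystem
MNT=/mnt/backup            # hypothetical: mount point

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# True when no decrypted mapping for the backup disk is left behind.
mapping_closed() {
    [ ! -e "${MAPPER_DIR:-/dev/mapper}/$LUKS_NAME" ]
}

# Tear down top-down. Every step is attempted even if an earlier one fails,
# and the result is non-zero unless the plaintext mapping is really gone.
backup_umount() {
    rc=0
    run umount "$MNT" || rc=1
    run vgchange -a n "$VG" || rc=1
    run cryptsetup luksClose "$LUKS_NAME" || rc=1
    mapping_closed || rc=1
    return $rc
}

# Build bottom-up: decrypt, activate the volume group, mount the filesystem.
# A failure part-way unwinds, so the disk is never left half open.
backup_mount() {
    run cryptsetup luksOpen "$BACKUP_DEV" "$LUKS_NAME" || return 1
    run vgchange -a y "$VG" || { backup_umount; return 1; }
    run mount -t xfs "/dev/$VG/$LV" "$MNT" || { backup_umount; return 1; }
}
```

Checking the exit status of backup_umount before unplugging the drive confirms that the decrypted view of the backups is no longer reachable on the laptop.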
Moriah
Advocate

Joined: 27 Mar 2004
Posts: 2365
Location: Kentucky

Posted: Wed Jun 09, 2010 1:49 pm

Well, it's been a little over 2 months since I posted here. The laptop is still going strong. I've changed my backup technique slightly: I now backup to a regular 500 GB SATA2 drive in the ultra-bay adapter, since it is *MUCH* faster than USB. I hardly ever use USB drives on this machine anymore, as the bare laptop SATA drives are faster and cheaper, and with the ultra-bay adapter, I can switch them as easily as a USB drive. Besides, a USB drive dangles on a cable, while the ultra-bay is internal to the laptop when it is snapped in, making it more portable when a second drive is attached.

Still have a few little rough edges:

1. The video still has that race condition when I boot up, in that about 1/4 the time it doesn't switch into hi-res mode, but a reboot always fixes it.

2. I have had a few (very few) hangs when running lots of vmware vm's -- probably running out of ram. I do not have swap enabled since I have 8 gb of ram, but vmware hogs a lot of ram, and with the other linux stuff running along with it, I could be pushing the edge, or over the edge.

3. Bluetooth mouse is still not completely right. If it sits until the mouse times out, I have to re-pair it; it will not just reconnect like it should. I've fiddled and tinkered with the bluetooth config files until I just burned out on it. The docs for bluetooth are terrible, and out of date.

4. No hibernation, due to the catch-22 of needing to read the swap file before enabling LVM, but my fully encrypted drive is LVM on bare metal, with no partitions, so the swap file would be an LVM logical volume, hence must enable LVM to use it.

Sleep works great though, but the drive encryption is still decrypted when sleeping, so the machine is not really secure against theft of data if it gets stolen when it is sleeping. Hibernation would solve this.

Overall, I love the system, and it works well for me. It would just be nice to fix these few nits. :D
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.