Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Want to use encrypted root without luks but need UUID?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
tholin
Apprentice
Apprentice


Joined: 04 Oct 2008
Posts: 184

PostPosted: Wed Sep 14, 2011 9:17 pm    Post subject: Want to use encrypted root without luks but need UUID? Reply with quote

I've started thinking about finally encrypting my system. I have 7 data disks and one root ssd.

I've decided that luks is not for me. It's stores the keys in a small header before the data and if there is a bad block in that header all data is lost. That is not acceptable. The header can be backed up but I still think it's a bad idea. Too much things that can go wrong. I value data security much more than cryptographic security. But not using luks leads to another problem. Raw dmcrypt partitions don't have any uuid so I have no good way of uniquely identifying the disks. Going by /dev/sd** device is not possible because they change around too often. So how should I identify the partitions in the init script?

I have two ideas and they both sux. I could create a filesystem header with an uuid at the beginning of the partition and encrypt the data after the header. A swap partition header is 4096B so I could call cryptsetup with --offset 8 too make it ignore the swap header. This is a bad idea because the kernel, livecds and everything else will assume they are real swap partitions and might try to use them as such.
The second idea is to use some complicated grep in hdparm for serial number and match that with a list of serial numbers and partitions.
Anyone have any better idea?

I don't want to enter 8 passwords at boot so I need some way go get around that. I could use the same password on all disks and use pam_mount to mount then automatically on boot with the login password. By doing so I would have to enter two passwords at boot. It's acceptable but I've used pam_mount before and I often had problems with it. Another way would be to mount everything in the initramfs and then use autologin. That way I would only have to enter a single password. I could read in the password with read and then do something like echo $password | cryptsetup -d - create root $dev or maybe echo $password | hashalot ripemd160 | cryptsetup -d - create root $dev. I haven't tested that yet.
Other ideas?
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 16008

PostPosted: Wed Sep 14, 2011 11:31 pm    Post subject: Reply with quote

Use LUKS and archive the relevant header blocks. Usually, if you get to the point of disk blocks being so corrupt as to be unreadable, you are in big trouble and need to go to your backups anyway. You could just as easily have the dentries for / get corrupted and then you would not be able to find any files on the filesystem.
Back to top
View user's profile Send private message
tholin
Apprentice
Apprentice


Joined: 04 Oct 2008
Posts: 184

PostPosted: Thu Sep 15, 2011 9:19 am    Post subject: Reply with quote

Hu wrote:
Use LUKS and archive the relevant header blocks.
Not good enough.
Quote:
Usually, if you get to the point of disk blocks being so corrupt as to be unreadable, you are in big trouble and need to go to your backups anyway.
Not every file is backed up, only the ones I can't afford to loose. The other files are expendable but I would prefer to keep them safe if possible.
Quote:
You could just as easily have the dentries for / get corrupted and then you would not be able to find any files on the filesystem.
Then the orphaned inodes that used to reside in / would be placed into lost+found folder on the next fsck. They would loose their filenames but all subfolders and data would be intact. Modern filesystems are designed to avoid single points of failure like that.
Back to top
View user's profile Send private message
mp342
Apprentice
Apprentice


Joined: 03 Aug 2010
Posts: 165
Location: France

PostPosted: Thu Sep 15, 2011 11:31 am    Post subject: Re: Want to use encrypted root without luks but need UUID? Reply with quote

tholin wrote:
Anyone have any better idea?

You can use fake raid (a raid 0 with 1 partition or disk) and use uuid of the raid.
Quote:
I don't want to enter 8 passwords at boot so I need some way go get around that. I could use the same password on all disks and use pam_mount to mount then automatically on boot with the login password. By doing so I would have to enter two passwords at boot. It's acceptable but I've used pam_mount before and I often had problems with it. Another way would be to mount everything in the initramfs and then use autologin. That way I would only have to enter a single password. I could read in the password with read and then do something like echo $password | cryptsetup -d - create root $dev or maybe echo $password | hashalot ripemd160 | cryptsetup -d - create root $dev. I haven't tested that yet.
Other ideas?

I use a script in initrd to mount an encrypted partition (could be on an external device if needed) witch contain all other keys and unmount it when all the partitions/disks are unencrypted.
Back to top
View user's profile Send private message
tholin
Apprentice
Apprentice


Joined: 04 Oct 2008
Posts: 184

PostPosted: Thu Sep 15, 2011 1:27 pm    Post subject: Re: Want to use encrypted root without luks but need UUID? Reply with quote

I found the /dev/disk/by-id folder and it contains WWN ids for the disks (MAC for hard drives). I can use them instead of UUID. Just hope busybox's udev replacement create those files.

mp342 wrote:
I use a script in initrd to mount an encrypted partition (could be on an external device if needed) witch contain all other keys and unmount it when all the partitions/disks are unencrypted.

That is a good idea. Simple and clean.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum