Encrypted Root File System, Swap, etc...

[easykill]

yeah, that's kinda what i was thinking...i just didn't get around to doing it, and instead just told devfs not to mount automatically at boot, since gentoo does it itself with devfsd

and i think i figured out how to encrypt the other drives with a fixed key...reading a bit past the encrypt root FS stuff in the loop-AES readme gives some examples (including the magic -p 0 for losetup)

so I'm gonna try that tomorow after some sleep

[chadders]

I think using a key gotten from /dev/random and then the key encrypted with GPG would be lots better than using a hashed key from a pass phrase. I know how to do this on partitions that aren't root. If anyone knows how to do it on a root filesystem please post!

Chad

[easykill]

the loop-AES faq pretty much sums it up, just substitute the steps. I recommend using one of those little USB hard drive thingies (the dongles) as they won't break on you.

[easykill]

the loop-AES faq pretty much sums it up, just substitute the steps. I recommend using one of those little USB hard drive thingies (the dongles) as they won't break on you.

[easykill]

gah, sorry for the double post...mozilla was acting up

here is a little summary for how I set up my /usr/local partition to be encrypted, and mounted without a password (this is unsecure if you don't have an encrypted root fs, since the password is stored in a file)

READ THIS THROUGH BEFORE TRYING IT IN CASE I FORGOT ANYTHING. BE SURE TO BACKUP YOUR DATA!!!

1.) Run the following twice to get your seed and password

Code: Select all

head -c 15 /dev/urandom | uuencode -m - | head -2 | tail -1

You will get 2 strings similar to the following
djYFGvsKuiMIJkerw3H8
zZEomoTvDgFTfRz+o7RN

copy them to a file, or write them down...the first one will be used as your random seed, the second will be used as your password.

2.) Make sure to backup all important data on the partition you are going to encrypt.

3.) Make the loop device. Assuming you want /dev/loop4 to be the device to use for your mounted device, and assuming /dev/hdb5 is the partition you want to encrypt, the following works. Substitute your random seeds and passwords for the ones i just made up....

Code: Select all

 echo "zZEomoTvDgFTfRz+o7RN" | /sbin/losetup -e AES256 -p 0 -S  djYFGvsKuiMIJkerw3H8 /dev/loop4 /dev/hdb5

This sets up a loop device that will use AES256 encryption....the password is read from the echo because of the -p 0 flag, and the -S sets the random seed (which was missing from the original howto in this thread, because it's not necessary, but does make it more secure. If you are going to do the -S for the encrypting root, READ THE LOOP-AES README!!! IT has very nice instructions!

4.) Encrypt the drive:

Code: Select all

dd if=/dev/hdb5 of=/dev/loop4 bs=64k conv=notrunc

This will take a while, and won't show anything, but your hard drive light should be flashing (if the light works, that is)
So be patient...read Calvin and Hobbes or play the new Zelda game.

5.) Your drive is now encrypted....you need to make an rc script with the following in it (or something similar)

Code: Select all

#!/sbin/runscript
 
 depend() {
     before modules
 }
      
start() {
  ebegin "Starting loop setup for /usr/local"
  echo "zZEomoTvDgFTfRz+o7RN" | /sbin/losetup -e AES256 -p 0 -S djYFGvsKuiMIJkerw3H8 /dev/loop4 /dev/hdb5
  eend $? "Failed to start loop setup!"
}
                   

again, substitute your seed and password and drive and loop device for my sample ones.

6.) Ack! can't have anyone find our our random seeds/passwords!

Code: Select all

chmod 700 /etc/init.d/loopsetup

Substitute whatever you named the rc script

7.) Put the script in your startup

Code: Select all

rc-update add loopsetup boot

This puts it in the boot runlevel (an early one) and should (for me it doesnt...???) have it run before your modules are loaded....it may work for you.

8.) Edit your fstab...change the line for /usr/local (or whatever) to read as so:

Code: Select all

/dev/loop4              /usr/local      ext3            noauto,noatime      0 0

I have the noauto in there because for whatever reason, the rc-update isn't running the loopsetup where it is supposed to, even with the depend statement...I'm not sure why. It's very annoying. If anyone can solve that, it would be nice. It (for me) ends up getting ran way later on. If that gets solved, make sure to change the last number in that fstab line to a 1, so the loop device gets fscked for errors.

9.) If you have gotten it working so that it will run the loopsetup before it tries to mount filesystems, then ignore this step. If you didn't get rc-update to work correctly, put the following in your /etc/conf.d/local.start or make a new init script, whatever...

Code: Select all

/bin/mount /usr/local

again, substitute...blah blah...

10.) Your partiton should be encrypted and should autoload without a password now. Make sure you keep the loopsetup file chmod 700 so that nobody else can read it, as it has your passwords in it. This is relatively secure since your root filesystem is encrypted so that anybody who would steal the drive and try to read it would first have to break the encryption for the root drive before they could get the password out of the file


I don't think I've forgotten anything, but let me know if I have.

[Woody2143]

Well Gentlemen, I have run in to a problem using this little trick... Now mind you it may not be a direct result of encrypting my root fs, but I can't say for sure that it isn't....

One day after work I came back to my apartment to find that my beloved computer had a little panic attack. Upon rebooting I came to the

Code: Select all

loop: loaded (max 8 devices)

Encrypted file system, please supply correct password to continue

Password:

I put in my password and this is what I got for my troubles...

Code: Select all

EXT3-fs: unsupported inode size: 14776
Looks like you didn't say the magic word. Mounting /dev/loop/5 failed

Encrypted file system, please supply the correct password to continue

Password:

I have tried to type in the WRONG password on purpose to see if I was getting that particular error msg, but indeed it wasn't....

Code: Select all

VFS: Can't find ext3 filesystem on dev loop(7,5).
Looks like you didn't say the magic word. Mounting /dev/loop/5 failed

Encrypted file system, please supply the correct password to continue

Password:

I'm currently looking around [think google] for an answer of how to repair my little unsupported inode size problem but I figured I'd drop a msg here as well....

After typing this out I realized what I should be doing... I broke out my Knoppix CD, unencrypted the partition, and ran e2fsck on it... I knew I kept that Knoppix CD around for some reason.

Oh well, I'll leave this just in case someone elses brain doesn't start up right away....

[chadders]

Probably would have been easier to:

1) Boot Knoppix
2) losetup -e whatever /dev/loop0 /dev/hdWhateverWasYourRoot
3) e2fsck /dev/dev/loop0
4) Reboot like normal

Chad

[Woody2143]

Yeah, that is what I ment by unencrypting the partition... My mistake.

It worked but man was my drive hosed up. I'm gonna have to recover some key files and reinstall I think... To many files are giving me errors like syslog and rsync... Oh well, stuff happens...

[revoohc]

Has anyone been able to do this root encryption storing part of the key/passphrase on removable media? This question is coming from example 4.

I have a 256MB USB key card that I would love to have incorporated in this so that you can't boot my laptop without it.

Any ideas/help would be appreciated.

BTW, my system is setup as follows:
/dev/hda1 1048MB (suspend to disk area)
/dev/hda2 ~50MB - boot
/dev/hda3 1024MB - swap
/dev/hda5 ~38GB /

thanks,

chris

[chadders]

I think it would be really great to have the whole /boot filesystem on a USB keychain drive. That way NOTHING would have to be on the /root or other filesystems thats not encrypted I don't have a USB keychain drive but i am going to get one and try it I think.

Does anyone know if a USB keychain disk drive is seen by the BIOS? Will it try to boot from it?

Btw the partition types don't have to be 82 or 83 on anything except the /boot. You can set them to DA = NON-FS DATA or anything else you want and it works. With /boot on a USB keychain noone would even know what operating system is on the hard disk!

Chad

[easykill]

ok, not having tried this, I'm just randomly guessing here....

If the USB dongles are anything like my digital camera, they will end up being /dev/sda or something along those lines.

Pretending you have your /dev/hda set up as following:
/dev/hda1 /
/dev/hda2 swap
/dev/hda3 /usr/local
or something like that
and you have your /boot on the keychain drive located at (find this out before you do this) /dev/sda1

I don't think it would be easy to have the BIOS boot from the keychain drive, unless the BIOS would see it as a SCSI device as well...?
however, you could use lilo (or grub) to accomplish this, I would imagine, by having lilo install itself in the MBR of /dev/hda but having the /boot in lilo point to /dev/sda1 or something

Thinking about this more, it might not work since the kernel hasn't loaded yet, and unless the BIOS assigns the keychain drive a value of sorts, it wouldn't be loaded yet as /dev/sda. I'm not sure.

In retrospect, this whole post is probably incorrect and pointless. Sorry, heh.

[ghetto]

Wow what an exciting idea! I mean to have the entire harddrive encrypted and the kernel on some sort of external media.
I agree that a usb keychain would be cool, but if its not possible then what about a floppy disk? or maybe a cdrom? Wouldnt one of those work? Or would the external media need to contain the entire /boot partition? a cdrom could hold that easily but i doubt a floppy could. meh..

[chadders]

Ive been trying to figure out how to make a little cdrom (one that will fit in my pocket) that contains just the /boot stuff. So far I dont know how to make it bootable. Once I can get it to load the kernel it should be ok to use the loop-AES initrd.gz and ramdisk and then prompt for the pass phrase and chroot/pivot to the real encrypted root.

Does anyone know how to make a bootable cdrom with grub? or where a HOWTO is? What I dont know how to do is tell grub to put its bootstrap stuff that normally goes in the mbr into something that the BIOS understands when it tries to boot the CDROM. Everything I found so far says it has to be a floppy or a disk image and I'm real confused about how to make that part.

Chad

[easykill]

you should be able to get around that, with lilo i would expect...probably not with grub, as grub will only let you specify hard drives as your devices.

in lilo, you would edit the /etc/lilo.conf file so that

Code: Select all

boot=/dev/hdc

or whatever the CD rom is....

but have lilo install itself onto /dev/hda (your hard drive) with

Code: Select all

lilo -b /dev/hda

i believe would work. otherwise, man lilo and find the right option.

Then, lilo will load off of the hard drive, but will scan /dev/hdc for the lilo mapping or whatever.

That may not work, but I would think that it would be worth a try, at least.

You would also have to modify /etc/fstab obviously

[ghetto]

The problem with lilo of course is that if you change kernels, or change configuration you have to re-run lilo.. so this may mean that you would have to burn a new disk everytime you needed to run lilo again (i think..)

[TinheadNed]

When I first read this, I was really tempted to wipe RedHat off my laptop (which I'm going to do soon anyway), and install an encrypted Gentoo. But, after thinking about it, I've seen two problems, and I just wanted to throw them out here to see what people think.

Encrypting a file is very secure, as you can't make many guesses as to what might be inside it, unless you know what you're looking for. It's only a small file after all, which makes it very difficult to crack. However, if you're encrypting an N Gb HD there's a lot more bytes to look for patterns in. Considering you know you're booting Gentoo (or at least some linux kernel) you can make a few guesses as to which filesystem you're installing. Surely then you can look for the thousands of empty inodes on the disc? They'll be in fairly predictable places. You also know the directory structure, and can guess at the contents of quite a few of the plaintext files. Wouldn't this make it far easier (though not actually EASY for non-governmental bodies) to break?

A second problem (if you live in the UK), is that encrypting your drive is completely pointless, unless it is hiding evidence of crimes that carry sentences of greater than 3 years in prison, as failing to hand over a password to encrypted data when instructed by a representative of the Home Office is itself now a crime, courtesy of the RIP Act. And you have to prove you don't have the key, innocence is not assumed (which controvenes other laws I hope). And it's illegal to tell anybody if they ask you for the key too, IIRC.

I'd be really happy to be proved wrong on either of these points though.

[karrots]

To boot off of a CD you could just use ISOLinux as your boot loader its part of the syslinux family. I use it to have multiple boot images on one CD.

Also to who ever was wondering how to boot Knoppix on their laptop that doesn't support BootCD's. There is a disk image you can write to a floppy that will allow you to boot the CD. Browse around the cd and you will find it.

Karrots

[barlad]

Well... looks like I messed up everything. I followed instructions step by step and ended up with a unreadable root partition .
There was a problem with devfs so I decided to decrypt the partition, and that's where shit hits the fan. When I tried to mount /dev/loop5 (under Knopix, after doing a losetup) it told me it could not recognize filesystem. Then after I did my decrypt (dd if=/dev/loop5 of=/dev/sdb3 bs=64k notrunc), sdb3 could not be read either.
It does not recognize the file system.

Any idea? if it's only some minor stuff that got damaged, I could maybe recover it.

[thehyperintelligentslug]

A second problem (if you live in the UK), is that encrypting your drive is completely pointless, unless it is hiding evidence of crimes that carry sentences of greater than 3 years in prison, as failing to hand over a password to encrypted data when instructed by a representative of the Home Office is itself now a crime, courtesy of the RIP Act. And you have to prove you don't have the key, innocence is not assumed (which controvenes other laws I hope). And it's illegal to tell anybody if they ask you for the key too, IIRC.

I don't know about anyone else but I encrypted my drive (laptop) so if it gets nicked, I know nobody will be able to see what I have on there* - eg my companies accounts!

(* without a lot of work anyway).

Besides, I store all information pertaining to my organised crime activities on my windows machine - thats secure right?

[barlad]

Well, I just crashed another patition by trying to encrypt the system, although that time I didn't lose anything since it was a stage1 install . Anyway I think I narrowed down a bit better the problem and I have a question everyone who made this working should be able to answer.

When you first use the losetup program, it asks you for a password. After that you encrypt the system with dd if/of.

Now when you use again losetup to mount your encrypted partition (be it to decrypt it or to mount it), it asks for a password. You MUST enter the password that you entered the FIRST TIME right? and if you enter something else... it fails, right? Seems quite logical... The problem is after I encrypt my partition, if I want to mount it using losetup, it asks again for a password. But I can enter whatever I want, like if it had not been encrypted the first time.
Basically, I think that the encryption process fucks up somewhere and that then the partition cannot be recognized, either as a reiserfs system or as a crypted system. Thus losetup always thinks it's a "decrypted" partition.

Any though please? and has anyone read/heard about a problem with encrypthing scsi disks? I started looking into mailing-list but haven't found anything yet.

Anyway... off to the reinstall again!

[ghetto]

man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man man oh man oh man oh man oh man oh man oh man oh man oh man oh man

OH MAN I WISH I HAD A SPARE SYSTEM SO I COULD TRY THIS!!

anyone got a spare they want to lend me?

[easykill]

Well, I just crashed another patition by trying to encrypt the system, although that time I didn't lose anything since it was a stage1 install . Anyway I think I narrowed down a bit better the problem and I have a question everyone who made this working should be able to answer.

When you first use the losetup program, it asks you for a password. After that you encrypt the system with dd if/of.

Now when you use again losetup to mount your encrypted partition (be it to decrypt it or to mount it), it asks for a password. You MUST enter the password that you entered the FIRST TIME right? and if you enter something else... it fails, right? Seems quite logical... The problem is after I encrypt my partition, if I want to mount it using losetup, it asks again for a password. But I can enter whatever I want, like if it had not been encrypted the first time.
Basically, I think that the encryption process fucks up somewhere and that then the partition cannot be recognized, either as a reiserfs system or as a crypted system. Thus losetup always thinks it's a "decrypted" partition.

Any though please? and has anyone read/heard about a problem with encrypthing scsi disks? I started looking into mailing-list but haven't found anything yet.

Anyway... off to the reinstall again!

Yeah, it will let you enter in anything when you losetup...but you should enter the password you used. If you don't enter that password, it won't decrypt correctly, and if you try to dd if=/dev/loop5 of=/dev/sda1 or whatever, it's gonna fuck up the system, and there's nothing you can do.

Make SURE you use the correct password...it does ask twice with the -t switch

[jlade]

I like the idea, great howto Chadders. Wish I was into this stuff when I was 13 and a half.

Anyway has anyone tried this on a laptop. Mine is still installing at the moment. Reason I am asking is I had to do a floppy boot disk then a network install using redhat. So booting from knoppix CD is not an option.

Anyway great stuff I am thinking on giving it a try

Jason

[mihochan]

Don't want to throw cold water on this idea, but why would you want to encrypt your ENTIRE filesystem?
Anybody can get a copy of 'ls', they don't have to steal one.
Which, leads to a second point. Probably, encrypting the entire filesystem is actually less secure than just encrypting you own personal data. After all, it is much easier to crack encryption if you have some idea of what is encrypted. A hacker would simply need to compare your encrypted copy of some common config file to their unencrypted one. This would give them a hand hold to break into the system.
Maybe I'm wrong. I don't actually know anything about the details of this but prima facie the point seems valid.

Tom

[thehyperintelligentslug]

Don't want to throw cold water on this idea, but why would you want to encrypt your ENTIRE filesystem?

Some may want to keep people off it (brothers, sisters, government!), personaly, I have my laptop encrypted as I do alot of my work on there. If somebody steals it, I can be as sure as I can be that they can't boot the system / view my files.

Anybody can get a copy of 'ls', they don't have to steal one.
Which, leads to a second point. Probably, encrypting the entire filesystem is actually less secure than just encrypting you own personal data. After all, it is much easier to crack encryption if you have some idea of what is encrypted. A hacker would simply need to compare your encrypted copy of some common config file to their unencrypted one. This would give them a hand hold to break into the system.

An intruder can't get a 'copy of ls' of an encrypted system / partition / file, you misunderstand how this encryption works. Check out Chadders first post or the loopAES README file for an overview.