[Support] System Encryption DM-Crypt with LUKS

[specmurt]

I more or less successfully setup Gentoo following the guide and would like to share my experience. Now I am able to boot system with USB stick containing GPG encrypted password, which is cool. I still have a couple of non-critical issue though.

Firstly, guide mentions uClibc as recommended C library for BusyBox. I'd like to notice that building BusyBox with uClibc is not an easy task or at least I couldn't figure out to do it the easy way. To use uClibc you need to emerge it first and then you need to build uClibc tool-chain to be able to cross-compile applications. It requires crossdev script:

Code: Select all

fortress ~ # emerge crossdev

Then create a tool-chain with:

Code: Select all

fortress ~ # crossdev --target i686-pc-linux-uclibc

This will cause a long, time consuming binutils and gcc compilation for the new target.

Too much hassle, I think. You'd better off with glibc unless you want to build tiny kernel to boot from floppy drive.

Secondly, the latest BusyBox 1.2.0, then compiled against glibc, segfaults then running dmesg from init script:

Code: Select all

fortress ~ # usb-boot/initramfs/bin/dmesg -n 1
Segmentation fault

The solution is simple - use BusyBox 1.1.3.

Now the issues. Here is my extlinux.conf:

Code: Select all

DEFAULT menu.c32
TIMEOUT 100
PROMPT 0

MENU TITLE Gentoo Linux

LABEL Gentoo
        MENU LABEL Gentoo ^Linux 2.6.14-hardened-r8
        MENU DEFAULT
        KERNEL vmlinuz
        APPEND root=/dev/hde2:ext3 gpg=root_key.gpg

LABEL GentooRescue
        MENU LABEL Gentoo Linux 2.6.14-hardened-r8 ^Rescue
        MENU DEFAULT
        KERNEL vmlinuz
        APPEND rescue

Everything works and system boots but I can see the

Code: Select all

[: -eq unkown operand

message on the screen just before it shows the ASCII banner. I couldn't figure out why. I'm sure it comes from init script.

Second, and more annoying issue is the error, reported by checkroot startup script then it tries to re-mount root file-system read-only.
This the output:

Code: Select all

Remounting root filesystem readonly
mount / not mounted already or bad option

And then it shows a message about dangers of checking r/w file-system so I have to answer "No" manually each time I boot a system. I don't
care too much because my Gentoo box supposed to be a 24/7 server, but still it's a bit annoying to have red [!!!] during the system startup.

Anyway, thank you for good guide!

Regards,
Egor.

[BarbedWire]

Hi there.

I just gave that tutorial a try and installed gentoo from the beginning following the tut. Now after I have finished it gentoo won`t boot up. Grub returns

Code: Select all

GRUB Loading stage1.5.


GRUB loading, please wait...
Error 21

I tried to use a usb-stick but without gpg yet since i couldnt find a usuable statically linked gpg binary for amd64. If i turn the machine on it reads something from the usb-stick and returns the error then.

I followed the tutorial as exactly as possible and don`t think there could be some major error but maybe i have to change some kind of config-file.
Any help would be very welcome since it took me almost three days to set my laptop up and I would not like to go through the whole process again without knowing wheather it will work next time or not.

btw. I know that my laptop is capable of booting from usb so thats not the problem.

[BarbedWire]

Thinking about it... where would i have to install grub if i want to boot from usb? I installed it with the line from the tutorial which was "grub-install /dev/hda" I believe on my harddrive, would I have to install it rather on my usb device (/dev/sda)?
Sorry for asking such noobish questions but I'd really like to get this working.

Thanks in advance for any replies.

[specmurt]

Thinking about it... where would i have to install grub if i want to boot from usb? I installed it with the line from the tutorial which was "grub-install /dev/hda" I believe on my harddrive, would I have to install it rather on my usb device (/dev/sda)?
Sorry for asking such noobish questions but I'd really like to get this working.

Thanks in advance for any replies.

This guide recommends EXTLINUX for UBS stick. You don't need GRUB at all. Just follow the guide. I reckon you can install GRUB on USB stick (/dev/sda in you case) but not 100% sure. I wouldn't bother actually. EXTLINUX works just fine for me.

[specmurt]

Hi there.
I tried to use a usb-stick but without gpg yet since i couldnt find a usuable statically linked gpg binary for amd64. If i turn the machine on it reads something from the usb-stick and returns the error then.

I just downloaded GPG sources from http://www.gnupg.org, and built static binary by myself.

Code: Select all

fortress ~/gpg-1.4.4 # ./configure --static
...
fortress ~/gpg-1.4.4 # make

Don't do make install. Then find the gpg executable inside gpg-1.4.4 directory and use it. It worked for me.

[BarbedWire]

Thanks for your quick reply specmurt. I solved the proplem with Grub giving me error 21 on boot by repeating the steps needed for installing extlinux. Now I get a menu on boot in which I can choose my kernel. So far so good. But sadly after loading the kernel from usb-stick my system dies. The hd-light flashes two times and the screen turns black. After that nothing happens, not even an error message occurs. I'll keep on trying.
You say Grub isn't needed at all? So where would I tell the system which drives to decrypt? In extlinux.conf?
An other thing I did not understand is why should I edit fstab two times according to the tutorial? One time we set up our mapped drives in fstab at the beginning of the tut then at the end again. Or did I get it wrong?

Thanks.

Edit:
Going after the tutorial I'm not telling extlinux in extlinux.conf which initramfs to use is that correct?

Edit:
I changed my extlinux.conf and now linux gives me lots of messages . Sadly it stops after a while telling me:

Code: Select all

...
Failed to execute /init
Kernel panic - not syncing: no init found. Try passing init= option to kernel.

The init-file is in the top directory of the usb-stick and executable&readable&writable for root. If it should be in the init-ramdisk is there a simple way to check my initrd-file from within the live-cd environment for it and mabe even copy it into it or changing permissions?

Edit:
Have found the init file also in my initrd-file in the top directory with rwx permissions for root. Don't know what to do anymore. Please help.

[Woldamer]

Hi!

I tried to setup your howto (thank for this great work!)... But I get trouble caused by RSBAC...

But perhaps you could help me out here?

On booting an own created initrd will be started to open luks encrypted
filesystem, so this last steps of linuxrc-script fails (on umount
command):

Code: Select all

pivot_root . initrd

# Start init and flush ram device exec
chroot . /bin/sh <<- EOF >/dev/console 2>&1
umount initrd
rm -rf initrd
blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF

So I get this error:

Code: Select all

EXT3 FS on dm-0, internal journal
EXT3-fs: dm-0: 1 orphan inode deleted
EXT3-fs: recovery complete.
EXT3-fs: mounted filesystem with journal data mode.
0000000037|rsbac_free_dat_dentry(): freeing dat dir dentries
0000000038|do_umount() [sys_umount()]: umount failed -> calling
rsbac_mount for Device 01:00

I've run the kernel with this options:

Code: Select all

Kernel command line: root=/dev/ram0 rw init=/linuxrc rsbac_softmode console=ttyS0,57600 console=tty0

Has somebody a suggestion for me to solve this problem?

Thanks a lot

[specmurt]

Has somebody a suggestion for me to solve this problem?

You followed the obsolete guide. New guide is at http://gentoo-wiki.com/SECURITY_System_ ... _with_LUKS. To my understanding initrd is deprecated now in favour of initramfs.

[Reikinio]

Hello people,

Firstly, guide mentions uClibc as recommended C library for BusyBox. I'd like to notice that building BusyBox with uClibc is not an easy task or at least I couldn't figure out to do it the easy way. To use uClibc you need to emerge it first and then you need to build uClibc tool-chain to be able to cross-compile applications. It requires crossdev script:

Code: Select all

fortress ~ # emerge crossdev

Then create a tool-chain with:

Code: Select all

fortress ~ # crossdev --target i686-pc-linux-uclibc

This will cause a long, time consuming binutils and gcc compilation for the new target.

Too much hassle, I think. You'd better off with glibc unless you want to build tiny kernel to boot from floppy drive.

Secondly, the latest BusyBox 1.2.0, then compiled against glibc, segfaults then running dmesg from init script:

Code: Select all

fortress ~ # usb-boot/initramfs/bin/dmesg -n 1
Segmentation fault

The solution is simple - use BusyBox 1.1.3.

Thanks, I'll keep it in mind the next time I edit the guide with new content.

Now the issues. Here is my extlinux.conf:
(...)

Everything works and system boots but I can see the

Code: Select all

[: -eq unkown operand

message on the screen just before it shows the ASCII banner. I couldn't figure out why. I'm sure it comes from init script.

Yes, most likely caused by the line in the init script that says"#fixme"(an if condition that test the root filesystem type is awfully wrong and doesn't make any sense).
You could try commenting out or even deleteing it entirely, that should get rid of the error.

Since I have a new laptop(yay!) and I want to be able to use hibernation(suspend-to-disk), I am "somewhat" working on a new init script(complete rewrite), which should support suspend2, it's not done yet and will need some testing since a stupid mistake could cause data loss.
Anyway, once it's done I'll replace the init script and update the guide with new instructions for it.

Second, and more annoying issue is the error, reported by checkroot startup script then it tries to re-mount root file-system read-only.
This the output:

Code: Select all

Remounting root filesystem readonly
mount / not mounted already or bad option

And then it shows a message about dangers of checking r/w file-system so I have to answer "No" manually each time I boot a system. I don't
care too much because my Gentoo box supposed to be a 24/7 server, but still it's a bit annoying to have red [!!!] during the system startup.

Mmm, Could you post your fstab ?

(...)
You say Grub isn't needed at all? So where would I tell the system which drives to decrypt? In extlinux.conf?
An other thing I did not understand is why should I edit fstab two times according to the tutorial? One time we set up our mapped drives in fstab at the beginning of the tut then at the end again. Or did I get it wrong?

Grub is not needed if you're going to boot from an usb-stick, we use extlinux as the bootloader instead.
You should edit extlinux.conf as recommended in the guide, it's the init-script's job to decrypt the root partition, you should set its arguments as if they where kernel parameters, the script will see them and will use them to get the job done.
The guide mentions how to edit fstab, it re-informs you of the importance of not using the devices directly, it tells you to use the mappings instead, and there is another example in "Decrypting/Encrypting partitions at startup".
That's pretty much it, nothing complicated at all, just remember that you should always use the mapping names(eg:/dev/mapper/root) instead of the real devices(eg:/dev/sda3).

Edit:
Going after the tutorial I'm not telling extlinux in extlinux.conf which initramfs to use is that correct?

Edit:
I changed my extlinux.conf and now linux gives me lots of messages . Sadly it stops after a while telling me:

Code: Select all

...
Failed to execute /init
Kernel panic - not syncing: no init found. Try passing init= option to kernel.

The init-file is in the top directory of the usb-stick and executable&readable&writable for root. If it should be in the init-ramdisk is there a simple way to check my initrd-file from within the live-cd environment for it and mabe even copy it into it or changing permissions?

The init script should exist inside the initramfs, once the kernel decompress the cpio archive, it will attempt to execute init, if it's not there you will get that kernel panic error.
Make sure you're building your initramfs correctly, if you have doubts feel free to ask, all the information you need is in the guide, plus you should read the posts in the previous page of this thread, there might be some answers there.
Also, could you post your extlinux.conf ?

Woldamer:
Hi, I am afraid I have no clue on your problem, I don't know RSBAC.
One question however, any reason why you're using an initrd instead of an initramfs ?
Perhaps you could try using an initramfs with busybox's switch_root and see what happens.

Besides that, all I could tell you is to google, I found this, maybe it will give you a hint or two, or maybe not..

Good luck,
ps: if you find an answer you should consider adding it to the FAQ section, I am sure others will find it useful.


Bye

[specmurt]

Thanks for your quick reply specmurt. I solved the proplem with Grub giving me error 21 on boot by repeating the steps needed for installing extlinux. Now I get a menu on boot in which I can choose my kernel. So far so good. But sadly after loading the kernel from usb-stick my system dies. The hd-light flashes two times and the screen turns black. After that nothing happens, not even an error message occurs. I'll keep on trying.
You say Grub isn't needed at all? So where would I tell the system which drives to decrypt? In extlinux.conf?
An other thing I did not understand is why should I edit fstab two times according to the tutorial? One time we set up our mapped drives in fstab at the beginning of the tut then at the end again. Or did I get it wrong?

Thanks.

Edit:
Going after the tutorial I'm not telling extlinux in extlinux.conf which initramfs to use is that correct?

Edit:
I changed my extlinux.conf and now linux gives me lots of messages . Sadly it stops after a while telling me:

Code: Select all

...
Failed to execute /init
Kernel panic - not syncing: no init found. Try passing init= option to kernel.

The init-file is in the top directory of the usb-stick and executable&readable&writable for root. If it should be in the init-ramdisk is there a simple way to check my initrd-file from within the live-cd environment for it and mabe even copy it into it or changing permissions?

Edit:
Have found the init file also in my initrd-file in the top directory with rwx permissions for root. Don't know what to do anymore. Please help.

The answers:
1) Yes, I didn't use GRUB.
2) init script does the decryption, you pass root=/dev/hdX:ext3 gpg=root_key.gpg parameters and script uses this data to decrypt.
3) You pass parameters to init in extlinux.conf

Code: Select all

APPEND root=/dev/sda3:ext3 gpg=root_key.gpg

4) I don't know what do you mean. You edit /etc/fstab once as described in Creating /etc/fstab section. You edit it again only if you have another partition encryped as well as /root.
5) The kernel creates initramfs using CONFIG_INITRAMFS_SOURCE parameter. Actually initramfs gets compiled into kernel, it becomes a part of kernel's bzImage.
6) Please post your BusyBox .config and /usr/src/linux/usr/initramfs_list for further investigation
7) You do not need initrd if you use initramfs. initrd is deprecated in favour of initramfs.

The guide is a bit ambiguos, I'll try to edit it if I have some time. Don't promise though.

[specmurt]

Second, and more annoying issue is the error, reported by checkroot startup script then it tries to re-mount root file-system read-only.
This the output:

Code: Select all

Remounting root filesystem readonly
mount / not mounted already or bad option

And then it shows a message about dangers of checking r/w file-system so I have to answer "No" manually each time I boot a system. I don't
care too much because my Gentoo box supposed to be a 24/7 server, but still it's a bit annoying to have red [!!!] during the system startup.

Mmm, Could you post your fstab ?

Here it is:

Code: Select all

/dev/mapper/swap        none            swap            sw              0 0
/dev/mapper/root        /               ext3            noatine         0 1
/dev/cdrom              /mnt/cdrom      auto            noauto,ro       0 0
/dev/fd0                /mnt/floppy     auto            noauto          0 0
proc                    /proc           proc            defaults        0 0
shm                     /dev/shm        tmpfs           nodev,nosuid,noexec    0 0

[Reikinio]

Here it is:

Code: Select all

/dev/mapper/swap        none            swap            sw              0 0
/dev/mapper/root        /               ext3            noatine         0 1
/dev/cdrom              /mnt/cdrom      auto            noauto,ro       0 0
/dev/fd0                /mnt/floppy     auto            noauto          0 0
proc                    /proc           proc            defaults        0 0
shm                     /dev/shm        tmpfs           nodev,nosuid,noexec    0 0

See the /dev/mapper/root line, s/noatine/noatime, that is, substitute it with "noatime".

[specmurt]

Here it is:

Code: Select all

/dev/mapper/swap        none            swap            sw              0 0
/dev/mapper/root        /               ext3            noatine         0 1
/dev/cdrom              /mnt/cdrom      auto            noauto,ro       0 0
/dev/fd0                /mnt/floppy     auto            noauto          0 0
proc                    /proc           proc            defaults        0 0
shm                     /dev/shm        tmpfs           nodev,nosuid,noexec    0 0

See the /dev/mapper/root line, s/noatine/noatime, that is, substitute it with "noatime".

Damn, I missed a typo

Edit: It works now!

[Woldamer]

Has somebody a suggestion for me to solve this problem?

You followed the obsolete guide. New guide is at http://gentoo-wiki.com/SECURITY_System_ ... _with_LUKS. To my understanding initrd is deprecated now in favour of initramfs.

Thanks for your response... I will read that...

[BarbedWire]

I repeated all the steps beginning with "Building BusyBox" again but it did not help. I'm still having the same problem. Concerning gpg I remember that I could not get it properly running to encrypt the partition passwords so I've let it be because it said in the tutorial or somewhere here in the forums (don't really remember where) that one can still encrypt the keys after one finished the tut. So now a statically linked version of gpg is in my ramdisk but I do not yet need it since I did not yet encrypt the passwords. I believe during boot the system should ask me for the passphrase (should it not?). Tried different options in /etc/conf.d/crypt.fs but that didn't help either. Tried the two different ways of creating the ramdisk which changed nothing also. I read somewhere on the web that my errormessage indicates that my root-fs cannot get properly mounted during boot which seems quite logical since its encrypted. So I'd guess now that my error is rather in some configuration file telling the kernel how to mount the partitions than in the kernel or ramdisk.

I don't know whether this is important but in my BusyBox-Menuconfig theres no option like:

Code: Select all

BusyBox Settings ---> General Configuration ---> Buffer allocation policy (Allocate with Malloc) --->
     (x) Allocate with Malloc

and it's also

Code: Select all

--- echo (basic SuSv3 version taking no options)

instead of

Code: Select all

(x) echo (basic SuSv3 version taking no options)

under Coreutils. The rest of configuring BusyBox with menuconfig was identical with the tutorial.

Here are the files you requested but I couldn't find initramfs_list. The directory '/usr/src/linux/usr/' does not even exist.

/etc/fstab

Code: Select all

# <fs>			<mountpoint>	<type>		<opts>		<dump/pass>

/dev/mapper/root        /                ext3	        noatime          0 1
/dev/mapper/swap      none           swap	   sw                  0 0
/dev/mapper/tmp	       /tmp           ext3            defaults          0 2
/dev/mapper/home     /home         ext3            defaults          0 2
/dev/cdroms/cdrom0   /mnt/cdrom iso9660       noauto,ro       0 0

###???
/dev/mapper/crypt-swap none        swap           sw                0 0
/dev/mapper/crypt-hda2 /              auto            noatime        0 1
/dev/mapper/crypt-hda3 /tmp         auto            noatime        0 0
/dev/mapper/crypt-hda4 /home      auto            noatime        0 0
###???

none			/proc		proc		defaults	0 0

none			/dev/shm	tmpfs		nodev,nosuid,noexec	0 0

extlinux.conf

Code: Select all

DEFAULT menu.c32
TIMEOUT 100
PROMPT 0

LABEL Gentoo
	MENU LABEL Gentoo 2.6.17 Twofish
	MENU DEFAULT
	KERNEL kernel-2.6.17-twofish
	APPEND root=/dev/hda2:ext3 loadkmap=de-latin1-nodeadkeys-amd64.bin loadramdisk=1 initrd=initramfs_data.cpio.gz

The result of the boot-process does not change if I delete everything out of the APPEND line exept : "APPEND root=/dev/hda2:ext3". It just tells me additionally that its loading the ramdisk.

BusyBox.config

Code: Select all

#
# Automatically generated make config: don't edit
#
HAVE_DOT_CONFIG=y

#
# Busybox Settings
#

#
# General Configuration
#
# CONFIG_NITPICK is not set
# CONFIG_FEATURE_BUFFERS_USE_MALLOC is not set
# CONFIG_FEATURE_BUFFERS_GO_ON_STACK is not set
# CONFIG_FEATURE_BUFFERS_GO_IN_BSS is not set
CONFIG_SHOW_USAGE=y
# CONFIG_FEATURE_VERBOSE_USAGE is not set
# CONFIG_FEATURE_COMPRESS_USAGE is not set
# CONFIG_FEATURE_INSTALLER is not set
# CONFIG_LOCALE_SUPPORT is not set
CONFIG_GETOPT_LONG=y
CONFIG_FEATURE_DEVPTS=y
# CONFIG_FEATURE_CLEAN_UP is not set
# CONFIG_FEATURE_SUID is not set
# CONFIG_FEATURE_SUID_CONFIG is not set
# CONFIG_FEATURE_SUID_CONFIG_QUIET is not set
# CONFIG_SELINUX is not set
CONFIG_BUSYBOX_EXEC_PATH="/proc/self/exe"

#
# Build Options
#
CONFIG_STATIC=y
# CONFIG_BUILD_LIBBUSYBOX is not set
# CONFIG_FEATURE_FULL_LIBBUSYBOX is not set
# CONFIG_FEATURE_SHARED_BUSYBOX is not set
CONFIG_LFS=y
# USING_CROSS_COMPILER is not set
CROSS_COMPILER_PREFIX=""
# CONFIG_BUILD_AT_ONCE is not set

#

# Debugging Options
#
# CONFIG_DEBUG is not set
# CONFIG_DEBUG_PESSIMIZE is not set
# CONFIG_NO_DEBUG_LIB is not set
# CONFIG_DMALLOC is not set
# CONFIG_EFENCE is not set
CONFIG_DEBUG_YANK_SUSv2=y

#
# Installation Options
#
CONFIG_INSTALL_NO_USR=y
CONFIG_INSTALL_APPLET_SYMLINKS=y
# CONFIG_INSTALL_APPLET_HARDLINKS is not set
# CONFIG_INSTALL_APPLET_DONT is not set
PREFIX="./_install"

#
# Busybox Library Tuning
#
CONFIG_MD5_SIZE_VS_SPEED=2

#
# Applets
#

#
# Archival Utilities
#
# CONFIG_AR is not set
# CONFIG_FEATURE_AR_LONG_FILENAMES is not set
# CONFIG_BUNZIP2 is not set
CONFIG_CPIO=y
# CONFIG_DPKG is not set
# CONFIG_DPKG_DEB is not set
# CONFIG_FEATURE_DPKG_DEB_EXTRACT_ONLY is not set
# CONFIG_GUNZIP is not set
# CONFIG_FEATURE_GUNZIP_UNCOMPRESS is not set
CONFIG_GZIP=y
# CONFIG_RPM2CPIO is not set
# CONFIG_RPM is not set
# CONFIG_TAR is not set
# CONFIG_FEATURE_TAR_CREATE is not set
# CONFIG_FEATURE_TAR_BZIP2 is not set
# CONFIG_FEATURE_TAR_LZMA is not set
# CONFIG_FEATURE_TAR_FROM is not set
# CONFIG_FEATURE_TAR_GZIP is not set
# CONFIG_FEATURE_TAR_COMPRESS is not set
# CONFIG_FEATURE_TAR_OLDGNU_COMPATIBILITY is not set
# CONFIG_FEATURE_TAR_GNU_EXTENSIONS is not set
# CONFIG_FEATURE_TAR_LONG_OPTIONS is not set
# CONFIG_UNCOMPRESS is not set
# CONFIG_UNLZMA is not set
# CONFIG_FEATURE_LZMA_FAST is not set
# CONFIG_UNZIP is not set

#
# Common options for cpio and tar
#
# CONFIG_FEATURE_UNARCHIVE_TAPE is not set
# CONFIG_FEATURE_DEB_TAR_GZ is not set
# CONFIG_FEATURE_DEB_TAR_BZ2 is not set
# CONFIG_FEATURE_DEB_TAR_LZMA is not set

#
# Coreutils
#
# CONFIG_BASENAME is not set
# CONFIG_CAL is not set
CONFIG_CAT=y
# CONFIG_CATV is not set
# CONFIG_CHGRP is not set
# CONFIG_CHMOD is not set
# CONFIG_CHOWN is not set
# CONFIG_CHROOT is not set
# CONFIG_CKSUM is not set
# CONFIG_CMP is not set
# CONFIG_COMM is not set
# CONFIG_CP is not set
CONFIG_CUT=y
# CONFIG_DATE is not set
# CONFIG_FEATURE_DATE_ISOFMT is not set
# CONFIG_DD is not set
# CONFIG_FEATURE_DD_SIGNAL_HANDLING is not set
# CONFIG_FEATURE_DD_IBS_OBS is not set
# CONFIG_DF is not set
# CONFIG_DIFF is not set
# CONFIG_FEATURE_DIFF_BINARY is not set
# CONFIG_FEATURE_DIFF_DIR is not set
# CONFIG_FEATURE_DIFF_MINIMAL is not set
# CONFIG_DIRNAME is not set
# CONFIG_DOS2UNIX is not set
# CONFIG_UNIX2DOS is not set
# CONFIG_DU is not set
# CONFIG_FEATURE_DU_DEFAULT_BLOCKSIZE_1K is not set
CONFIG_ECHO=y
CONFIG_FEATURE_FANCY_ECHO=y
# CONFIG_ENV is not set
# CONFIG_FEATURE_ENV_LONG_OPTIONS is not set
# CONFIG_EXPR is not set
# CONFIG_EXPR_MATH_SUPPORT_64 is not set
CONFIG_FALSE=y
# CONFIG_FOLD is not set
# CONFIG_HEAD is not set
# CONFIG_FEATURE_FANCY_HEAD is not set
# CONFIG_HOSTID is not set
# CONFIG_ID is not set
# CONFIG_INSTALL is not set
# CONFIG_FEATURE_INSTALL_LONG_OPTIONS is not set
# CONFIG_LENGTH is not set
# CONFIG_LN is not set
# CONFIG_LOGNAME is not set
CONFIG_LS=y
CONFIG_FEATURE_LS_FILETYPES=y
CONFIG_FEATURE_LS_FOLLOWLINKS=y
CONFIG_FEATURE_LS_RECURSIVE=y
CONFIG_FEATURE_LS_SORTFILES=y
CONFIG_FEATURE_LS_TIMESTAMPS=y
CONFIG_FEATURE_LS_USERNAME=y
CONFIG_FEATURE_LS_COLOR=y
CONFIG_FEATURE_LS_COLOR_IS_DEFAULT=y
# CONFIG_MD5SUM is not set
CONFIG_MKDIR=y
# CONFIG_FEATURE_MKDIR_LONG_OPTIONS is not set
# CONFIG_MKFIFO is not set
CONFIG_MKNOD=y
# CONFIG_MV is not set
# CONFIG_FEATURE_MV_LONG_OPTIONS is not set
# CONFIG_NICE is not set
# CONFIG_NOHUP is not set
# CONFIG_OD is not set
# CONFIG_PRINTENV is not set
# CONFIG_PRINTF is not set
# CONFIG_PWD is not set
# CONFIG_REALPATH is not set
# CONFIG_RM is not set
# CONFIG_RMDIR is not set
# CONFIG_SEQ is not set
# CONFIG_SHA1SUM is not set
# CONFIG_SLEEP is not set
# CONFIG_FEATURE_FANCY_SLEEP is not set
# CONFIG_SORT is not set
# CONFIG_FEATURE_SORT_BIG is not set
# CONFIG_STAT is not set
# CONFIG_FEATURE_STAT_FORMAT is not set
# CONFIG_STTY is not set
# CONFIG_SUM is not set
# CONFIG_SYNC is not set
# CONFIG_TAIL is not set
# CONFIG_FEATURE_FANCY_TAIL is not set
# CONFIG_TEE is not set
# CONFIG_FEATURE_TEE_USE_BLOCK_IO is not set
CONFIG_TEST=y
# CONFIG_FEATURE_TEST_64 is not set
# CONFIG_TOUCH is not set
# CONFIG_TR is not set
# CONFIG_FEATURE_TR_CLASSES is not set
# CONFIG_FEATURE_TR_EQUIV is not set
CONFIG_TRUE=y
# CONFIG_TTY is not set
# CONFIG_UNAME is not set
# CONFIG_UNIQ is not set
# CONFIG_USLEEP is not set
# CONFIG_UUDECODE is not set
# CONFIG_UUENCODE is not set
# CONFIG_WATCH is not set
# CONFIG_WC is not set
# CONFIG_WHO is not set
# CONFIG_WHOAMI is not set
# CONFIG_YES is not set
# CONFIG_FEATURE_PRESERVE_HARDLINKS is not set

#
# Common options for ls, more and telnet
#
CONFIG_FEATURE_AUTOWIDTH=y

#
# Common options for df, du, ls
#
# CONFIG_FEATURE_HUMAN_READABLE is not set
# CONFIG_FEATURE_MD5_SHA1_SUM_CHECK is not set

#
# Console Utilities
#
# CONFIG_CHVT is not set
CONFIG_CLEAR=y
# CONFIG_DEALLOCVT is not set
CONFIG_DUMPKMAP=y
CONFIG_LOADFONT=y
CONFIG_LOADKMAP=y
# CONFIG_OPENVT is not set
# CONFIG_RESET is not set
# CONFIG_SETCONSOLE is not set
# CONFIG_FEATURE_SETCONSOLE_LONG_OPTIONS is not set
# CONFIG_SETKEYCODES is not set
# CONFIG_SETLOGCONS is not set

#
# Debian Utilities
#
# CONFIG_MKTEMP is not set
# CONFIG_PIPE_PROGRESS is not set
# CONFIG_READLINK is not set
# CONFIG_FEATURE_READLINK_FOLLOW is not set
# CONFIG_RUN_PARTS is not set
# CONFIG_FEATURE_RUN_PARTS_LONG_OPTIONS is not set
CONFIG_START_STOP_DAEMON=y
CONFIG_FEATURE_START_STOP_DAEMON_FANCY=y
# CONFIG_FEATURE_START_STOP_DAEMON_LONG_OPTIONS is not set
# CONFIG_WHICH is not set

#
# Editors
#
# CONFIG_AWK is not set
# CONFIG_FEATURE_AWK_MATH is not set
# CONFIG_ED is not set
# CONFIG_PATCH is not set
# CONFIG_SED is not set
# CONFIG_VI is not set
# CONFIG_FEATURE_VI_COLON is not set
# CONFIG_FEATURE_VI_YANKMARK is not set
# CONFIG_FEATURE_VI_SEARCH is not set
# CONFIG_FEATURE_VI_USE_SIGNALS is not set
# CONFIG_FEATURE_VI_DOT_CMD is not set
# CONFIG_FEATURE_VI_READONLY is not set
# CONFIG_FEATURE_VI_SETOPTS is not set
# CONFIG_FEATURE_VI_SET is not set
# CONFIG_FEATURE_VI_WIN_RESIZE is not set
# CONFIG_FEATURE_VI_OPTIMIZE_CURSOR is not set

#
# Finding Utilities
#
# CONFIG_FIND is not set
# CONFIG_FEATURE_FIND_PRINT0 is not set
# CONFIG_FEATURE_FIND_MTIME is not set
# CONFIG_FEATURE_FIND_MMIN is not set
# CONFIG_FEATURE_FIND_PERM is not set
# CONFIG_FEATURE_FIND_TYPE is not set
# CONFIG_FEATURE_FIND_XDEV is not set
# CONFIG_FEATURE_FIND_NEWER is not set
# CONFIG_FEATURE_FIND_INUM is not set
# CONFIG_FEATURE_FIND_EXEC is not set
# CONFIG_GREP is not set
# CONFIG_FEATURE_GREP_EGREP_ALIAS is not set
# CONFIG_FEATURE_GREP_FGREP_ALIAS is not set
# CONFIG_FEATURE_GREP_CONTEXT is not set
# CONFIG_XARGS is not set
# CONFIG_FEATURE_XARGS_SUPPORT_CONFIRMATION is not set
# CONFIG_FEATURE_XARGS_SUPPORT_QUOTES is not set
# CONFIG_FEATURE_XARGS_SUPPORT_TERMOPT is not set
# CONFIG_FEATURE_XARGS_SUPPORT_ZERO_TERM is not set

#
# Init Utilities
#
CONFIG_INIT=y
# CONFIG_DEBUG_INIT is not set
CONFIG_FEATURE_USE_INITTAB=y
# CONFIG_FEATURE_INIT_SCTTY is not set
CONFIG_FEATURE_EXTRA_QUIET=y
# CONFIG_FEATURE_INIT_COREDUMPS is not set
CONFIG_FEATURE_INITRD=y
CONFIG_HALT=y
CONFIG_MESG=y

#
# Login/Password Management Utilities
#
# CONFIG_FEATURE_SHADOWPASSWDS is not set
# CONFIG_USE_BB_SHADOW is not set
# CONFIG_USE_BB_PWD_GRP is not set
# CONFIG_ADDGROUP is not set
# CONFIG_DELGROUP is not set
# CONFIG_ADDUSER is not set
# CONFIG_DELUSER is not set
# CONFIG_GETTY is not set
# CONFIG_FEATURE_UTMP is not set
# CONFIG_FEATURE_WTMP is not set
# CONFIG_LOGIN is not set
# CONFIG_FEATURE_SECURETTY is not set
# CONFIG_PASSWD is not set
# CONFIG_SU is not set
# CONFIG_SULOGIN is not set
# CONFIG_VLOCK is not set

#
# Linux Ext2 FS Progs
#
# CONFIG_CHATTR is not set
# CONFIG_E2FSCK is not set
# CONFIG_FSCK is not set
# CONFIG_LSATTR is not set
# CONFIG_MKE2FS is not set
# CONFIG_TUNE2FS is not set
# CONFIG_E2LABEL is not set
# CONFIG_FINDFS is not set

#
# Linux Module Utilities
#
CONFIG_INSMOD=y
# CONFIG_FEATURE_INSMOD_VERSION_CHECKING is not set
# CONFIG_FEATURE_INSMOD_KSYMOOPS_SYMBOLS is not set
# CONFIG_FEATURE_INSMOD_LOADINKMEM is not set
# CONFIG_FEATURE_INSMOD_LOAD_MAP is not set
# CONFIG_FEATURE_INSMOD_LOAD_MAP_FULL is not set
CONFIG_RMMOD=y
CONFIG_LSMOD=y
# CONFIG_FEATURE_LSMOD_PRETTY_2_6_OUTPUT is not set
CONFIG_MODPROBE=y
CONFIG_FEATURE_MODPROBE_MULTIPLE_OPTIONS=y

#
# Options common to multiple modutils
#
CONFIG_FEATURE_CHECK_TAINTED_MODULE=y
CONFIG_FEATURE_2_4_MODULES=y
CONFIG_FEATURE_2_6_MODULES=y
# CONFIG_FEATURE_QUERY_MODULE_INTERFACE is not set

#
# Linux System Utilities
#
CONFIG_DMESG=y
# CONFIG_FBSET is not set
# CONFIG_FEATURE_FBSET_FANCY is not set
# CONFIG_FEATURE_FBSET_READMODE is not set
# CONFIG_FDFLUSH is not set
# CONFIG_FDFORMAT is not set
# CONFIG_FDISK is not set
FDISK_SUPPORT_LARGE_DISKS=y
# CONFIG_FEATURE_FDISK_WRITABLE is not set
# CONFIG_FEATURE_AIX_LABEL is not set
# CONFIG_FEATURE_SGI_LABEL is not set

# CONFIG_FEATURE_SUN_LABEL is not set
# CONFIG_FEATURE_OSF_LABEL is not set
# CONFIG_FEATURE_FDISK_ADVANCED is not set
# CONFIG_FREERAMDISK is not set
# CONFIG_FSCK_MINIX is not set
# CONFIG_MKFS_MINIX is not set
# CONFIG_FEATURE_MINIX2 is not set
# CONFIG_GETOPT is not set
# CONFIG_HEXDUMP is not set
# CONFIG_HWCLOCK is not set
# CONFIG_FEATURE_HWCLOCK_LONG_OPTIONS is not set
# CONFIG_FEATURE_HWCLOCK_ADJTIME_FHS is not set
# CONFIG_IPCRM is not set
# CONFIG_IPCS is not set
# CONFIG_LOSETUP is not set
CONFIG_MDEV=y
# CONFIG_FEATURE_MDEV_CONF is not set

# CONFIG_FEATURE_MDEV_EXEC is not set
# CONFIG_MKSWAP is not set
# CONFIG_FEATURE_MKSWAP_V0 is not set
# CONFIG_MORE is not set
# CONFIG_FEATURE_USE_TERMIOS is not set
CONFIG_MOUNT=y
# CONFIG_FEATURE_MOUNT_NFS is not set
# CONFIG_PIVOT_ROOT is not set
# CONFIG_RDATE is not set
# CONFIG_READPROFILE is not set
# CONFIG_SETARCH is not set
# CONFIG_SWAPONOFF is not set
CONFIG_SWITCH_ROOT=y
CONFIG_UMOUNT=y
# CONFIG_FEATURE_UMOUNT_ALL is not set

#
# Common options for mount/umount
#
# CONFIG_FEATURE_MOUNT_LOOP is not set
# CONFIG_FEATURE_MTAB_SUPPORT is not set

#
# Miscellaneous Utilities
#
# CONFIG_ADJTIMEX is not set
# CONFIG_BBCONFIG is not set
# CONFIG_CROND is not set
# CONFIG_DEBUG_CROND_OPTION is not set
# CONFIG_FEATURE_CROND_CALL_SENDMAIL is not set
# CONFIG_CRONTAB is not set
# CONFIG_DC is not set

# CONFIG_DEVFSD is not set
# CONFIG_DEVFSD_MODLOAD is not set
# CONFIG_DEVFSD_FG_NP is not set
# CONFIG_DEVFSD_VERBOSE is not set
# CONFIG_FEATURE_DEVFS is not set
# CONFIG_EJECT is not set
# CONFIG_LAST is not set
# CONFIG_LESS is not set
# CONFIG_FEATURE_LESS_BRACKETS is not set
# CONFIG_FEATURE_LESS_FLAGS is not set
# CONFIG_FEATURE_LESS_FLAGCS is not set
# CONFIG_FEATURE_LESS_MARKS is not set
# CONFIG_FEATURE_LESS_REGEXP is not set
# CONFIG_HDPARM is not set
# CONFIG_FEATURE_HDPARM_GET_IDENTITY is not set
# CONFIG_FEATURE_HDPARM_HDIO_SCAN_HWIF is not set
# CONFIG_FEATURE_HDPARM_HDIO_UNREGISTER_HWIF is not set
# CONFIG_FEATURE_HDPARM_HDIO_DRIVE_RESET is not set
# CONFIG_FEATURE_HDPARM_HDIO_TRISTATE_HWIF is not set
# CONFIG_FEATURE_HDPARM_HDIO_GETSET_DMA is not set
# CONFIG_MAKEDEVS is not set
# CONFIG_FEATURE_MAKEDEVS_LEAF is not set
# CONFIG_FEATURE_MAKEDEVS_TABLE is not set
CONFIG_MOUNTPOINT=y
# CONFIG_MT is not set
# CONFIG_RUNLEVEL is not set
# CONFIG_RX is not set
# CONFIG_STRINGS is not set
# CONFIG_SETSID is not set
# CONFIG_TASKSET is not set
# CONFIG_TIME is not set
# CONFIG_WATCHDOG is not set

#
# Networking Utilities
#
# CONFIG_FEATURE_IPV6 is not set
# CONFIG_ARPING is not set
# CONFIG_DNSD is not set
# CONFIG_ETHER_WAKE is not set
# CONFIG_FAKEIDENTD is not set
# CONFIG_FTPGET is not set
# CONFIG_FTPPUT is not set

# CONFIG_FEATURE_FTPGETPUT_LONG_OPTIONS is not set
# CONFIG_HOSTNAME is not set
# CONFIG_HTTPD is not set
# CONFIG_FEATURE_HTTPD_WITHOUT_INETD is not set
# CONFIG_FEATURE_HTTPD_RELOAD_CONFIG_SIGHUP is not set
# CONFIG_FEATURE_HTTPD_SETUID is not set
# CONFIG_FEATURE_HTTPD_BASIC_AUTH is not set
# CONFIG_FEATURE_HTTPD_AUTH_MD5 is not set
# CONFIG_FEATURE_HTTPD_CONFIG_WITH_MIME_TYPES is not set
# CONFIG_FEATURE_HTTPD_CGI is not set
# CONFIG_FEATURE_HTTPD_CONFIG_WITH_SCRIPT_INTERPR is not set
# CONFIG_FEATURE_HTTPD_SET_REMOTE_PORT_TO_ENV is not set
# CONFIG_FEATURE_HTTPD_ENCODE_URL_STR is not set
# CONFIG_IFCONFIG is not set
# CONFIG_FEATURE_IFCONFIG_STATUS is not set
# CONFIG_FEATURE_IFCONFIG_SLIP is not set
# CONFIG_FEATURE_IFCONFIG_MEMSTART_IOADDR_IRQ is not set
# CONFIG_FEATURE_IFCONFIG_HW is not set
# CONFIG_FEATURE_IFCONFIG_BROADCAST_PLUS is not set
# CONFIG_IFUPDOWN is not set
# CONFIG_FEATURE_IFUPDOWN_IP is not set
# CONFIG_FEATURE_IFUPDOWN_IP_BUILTIN is not set
# CONFIG_FEATURE_IFUPDOWN_IPV4 is not set
# CONFIG_FEATURE_IFUPDOWN_IPV6 is not set
# CONFIG_FEATURE_IFUPDOWN_IPX is not set
# CONFIG_FEATURE_IFUPDOWN_MAPPING is not set
# CONFIG_INETD is not set
# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_ECHO is not set
# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DISCARD is not set
# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_TIME is not set
# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_DAYTIME is not set
# CONFIG_FEATURE_INETD_SUPPORT_BUILTIN_CHARGEN is not set
# CONFIG_FEATURE_INETD_RPC is not set
# CONFIG_IP is not set
# CONFIG_FEATURE_IP_ADDRESS is not set
# CONFIG_FEATURE_IP_LINK is not set
# CONFIG_FEATURE_IP_ROUTE is not set
# CONFIG_FEATURE_IP_TUNNEL is not set
# CONFIG_FEATURE_IP_SHORT_FORMS is not set
# CONFIG_IPADDR is not set
# CONFIG_IPLINK is not set
# CONFIG_IPROUTE is not set
# CONFIG_IPTUNNEL is not set
# CONFIG_IPCALC is not set
# CONFIG_FEATURE_IPCALC_FANCY is not set
# CONFIG_FEATURE_IPCALC_LONG_OPTIONS is not set
# CONFIG_NAMEIF is not set
# CONFIG_NC is not set
# CONFIG_NC_GAPING_SECURITY_HOLE is not set
# CONFIG_NETSTAT is not set
# CONFIG_NSLOOKUP is not set
# CONFIG_PING is not set
# CONFIG_FEATURE_FANCY_PING is not set
# CONFIG_PING6 is not set
# CONFIG_FEATURE_FANCY_PING6 is not set
# CONFIG_ROUTE is not set
# CONFIG_TELNET is not set
# CONFIG_FEATURE_TELNET_TTYPE is not set
# CONFIG_FEATURE_TELNET_AUTOLOGIN is not set
# CONFIG_TELNETD is not set
# CONFIG_FEATURE_TELNETD_INETD is not set
# CONFIG_TFTP is not set
# CONFIG_FEATURE_TFTP_GET is not set
# CONFIG_FEATURE_TFTP_PUT is not set
# CONFIG_FEATURE_TFTP_BLOCKSIZE is not set
# CONFIG_DEBUG_TFTP is not set
# CONFIG_TRACEROUTE is not set
# CONFIG_FEATURE_TRACEROUTE_VERBOSE is not set
# CONFIG_FEATURE_TRACEROUTE_SOURCE_ROUTE is not set
# CONFIG_FEATURE_TRACEROUTE_USE_ICMP is not set

#
# udhcp Server/Client
#
# CONFIG_APP_UDHCPD is not set
# CONFIG_APP_UDHCPC is not set
# CONFIG_APP_DUMPLEASES is not set
# CONFIG_FEATURE_UDHCP_SYSLOG is not set
# CONFIG_FEATURE_UDHCP_DEBUG is not set
# CONFIG_VCONFIG is not set
# CONFIG_WGET is not set
# CONFIG_FEATURE_WGET_STATUSBAR is not set
# CONFIG_FEATURE_WGET_AUTHENTICATION is not set
# CONFIG_FEATURE_WGET_IP6_LITERAL is not set
# CONFIG_FEATURE_WGET_LONG_OPTIONS is not set
# CONFIG_ZCIP is not set

#
# Process Utilities
#
# CONFIG_FREE is not set
# CONFIG_FUSER is not set
# CONFIG_KILL is not set
# CONFIG_KILLALL is not set
# CONFIG_PIDOF is not set

# CONFIG_FEATURE_PIDOF_SINGLE is not set
# CONFIG_FEATURE_PIDOF_OMIT is not set
# CONFIG_PS is not set
# CONFIG_FEATURE_PS_WIDE is not set
# CONFIG_RENICE is not set
# CONFIG_BB_SYSCTL is not set
# CONFIG_TOP is not set
# CONFIG_FEATURE_TOP_CPU_USAGE_PERCENTAGE is not set
# CONFIG_UPTIME is not set

#
# Shells
#
# CONFIG_FEATURE_SH_IS_ASH is not set
# CONFIG_FEATURE_SH_IS_HUSH is not set
# CONFIG_FEATURE_SH_IS_LASH is not set
# CONFIG_FEATURE_SH_IS_MSH is not set
CONFIG_FEATURE_SH_IS_NONE=y
CONFIG_ASH=y


#
# Ash Shell Options
#
CONFIG_ASH_JOB_CONTROL=y
CONFIG_ASH_READ_NCHARS=y
# CONFIG_ASH_READ_TIMEOUT is not set
CONFIG_ASH_ALIAS=y
CONFIG_ASH_MATH_SUPPORT=y
# CONFIG_ASH_MATH_SUPPORT_64 is not set
# CONFIG_ASH_GETOPTS is not set
CONFIG_ASH_BUILTIN_ECHO=y
CONFIG_ASH_BUILTIN_TEST=y
# CONFIG_ASH_CMDCMD is not set
CONFIG_ASH_MAIL=y
CONFIG_ASH_OPTIMIZE_FOR_SIZE=y
# CONFIG_ASH_RANDOM_SUPPORT is not set
# CONFIG_ASH_EXPAND_PRMT is not set
# CONFIG_HUSH is not set
# CONFIG_LASH is not set
# CONFIG_MSH is not set

#
# Bourne Shell Options
#
CONFIG_FEATURE_SH_EXTRA_QUIET=y
# CONFIG_FEATURE_SH_STANDALONE_SHELL is not set
# CONFIG_FEATURE_COMMAND_EDITING is not set
# CONFIG_FEATURE_COMMAND_EDITING_VI is not set
CONFIG_FEATURE_COMMAND_HISTORY=0
# CONFIG_FEATURE_COMMAND_SAVEHISTORY is not set
# CONFIG_FEATURE_COMMAND_TAB_COMPLETION is not set
# CONFIG_FEATURE_COMMAND_USERNAME_COMPLETION is not set
# CONFIG_FEATURE_SH_FANCY_PROMPT is not set

#
# System Logging Utilities
#
# CONFIG_SYSLOGD is not set
# CONFIG_FEATURE_ROTATE_LOGFILE is not set
# CONFIG_FEATURE_REMOTE_LOG is not set
# CONFIG_FEATURE_IPC_SYSLOG is not set
CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=0
# CONFIG_LOGREAD is not set
# CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING is not set
# CONFIG_KLOGD is not set
# CONFIG_LOGGER is not set

Sorry for making this post so long but I just can't find out how to make these text-boxes in which you can scroll up and down, there's no button here that produces it in the preview. Thanks for your help.

[Reikinio]

Hi,

I repeated all the steps beginning with "Building BusyBox" again but it did not help. I'm still having the same problem. Concerning gpg I remember that I could not get it properly running to encrypt the partition passwords so I've let it be because it said in the tutorial or somewhere here in the forums (don't really remember where) that one can still encrypt the keys after one finished the tut. So now a statically linked version of gpg is in my ramdisk but I do not yet need it since I did not yet encrypt the passwords. I believe during boot the system should ask me for the passphrase (should it not?). Tried different options in /etc/conf.d/crypt.fs but that didn't help either. Tried the two different ways of creating the ramdisk which changed nothing also. I read somewhere on the web that my errormessage indicates that my root-fs cannot get properly mounted during boot which seems quite logical since its encrypted. So I'd guess now that my error is rather in some configuration file telling the kernel how to mount the partitions than in the kernel or ramdisk.
(...)

Ok, take it one step at a time, otherwise you would end up doing stuff that is irrelevant to your problem, and in the end it will confuse you even more.

Reading the information you've provided, I don't know exactly which problem you have, and it gives me this feeling that you have no clue either.
For now, forget about booting with an usb-stick and encrypting your key with gnupg, you can do this later, after you have a working system.

Anyway, at boot-time, the kernel extracts the linked initramfs and executes its init script, if it cannot execute the initramfs's init script, or you failed to link the initramfs properly to the kernel image it will panic and fail.

I think this where you're having problems, re-read the "Building the initramfs image" section, create an initramfs as detailed in the "Using install.sh" sub-section, and after that, just follow the steps mentioned in the "Kernel Configuration" section.
The steps are fairly simple, just copy your initramfs_data.cpio.gz file to /usr/src/linux/usr/, touch it , configure and compile your kernel, but make sure you leave CONFIG_INITRAMFS_SOURCE empty.
After that, you have to configure grub properly(look at the example in the guide), and everything should work next time you boot into your system.

Once you have a working system you can start playing with booting from an usb-stick, etc...

If you have doubts or get into trouble with the initramfs, feel free to ask, but try reading the posts of the previous page first, there might be some answers to your questions there.

Tried different options in /etc/conf.d/crypt.fs but that didn't help either.

The /etc/conf.d/cryptfs has nothing to do with the init script, and it's not used nor needed by the initramfs's init.
the cryptfs configuration file belongs to Gentoo and it's used at the real boot-time(after the initramfs's init finishes) to start and setup dm-crypt mappings.

/etc/fstab

Code: Select all

# <fs>			<mountpoint>	<type>		<opts>		<dump/pass>

/dev/mapper/root        /                ext3	        noatime          0 1
/dev/mapper/swap      none           swap	   sw                  0 0
/dev/mapper/tmp	       /tmp           ext3            defaults          0 2
/dev/mapper/home     /home         ext3            defaults          0 2
/dev/cdroms/cdrom0   /mnt/cdrom iso9660       noauto,ro       0 0

###???
/dev/mapper/crypt-swap none        swap           sw                0 0
/dev/mapper/crypt-hda2 /              auto            noatime        0 1
/dev/mapper/crypt-hda3 /tmp         auto            noatime        0 0
/dev/mapper/crypt-hda4 /home      auto            noatime        0 0
###???

none			/proc		proc		defaults	0 0

none			/dev/shm	tmpfs		nodev,nosuid,noexec	0 0

I don't understand your partition scheme layout, what's all that crypt-* stuff ?

extlinux.conf

Code: Select all

DEFAULT menu.c32
TIMEOUT 100
PROMPT 0

LABEL Gentoo
	MENU LABEL Gentoo 2.6.17 Twofish
	MENU DEFAULT
	KERNEL kernel-2.6.17-twofish
	APPEND root=/dev/hda2:ext3 loadkmap=de-latin1-nodeadkeys-amd64.bin loadramdisk=1 initrd=initramfs_data.cpio.gz

What's "loadramdisk=1 " and "initrd=initramfs_data.cpio.gz" ?
Why did you diverted from the extlinux.conf shown in the guide ?
Anyway, worry about this stuff later, you should try to get a working system first.

Bye and good luck,

[BarbedWire]

You said:

For now, forget about booting with an usb-stick ...

The thing is that i dont have a boot partition since I planned to boot from usb from the beginning, does that matter or will grub run from a root partition too (I assume it will, if not I'll notice sooner or later)?

I rebuilded the initramfs image at least half a dozen times the last days but it didn't help. Thats why I startet some steps earlyier than building the ramdisk. But I'll try what you said.

About my partitioning sceme: I heard root partitions weren't too hard to crack since there would be a lot of known information (plaintext) so I thought I would put /tmp and /home on seperate partitions. All the crypt-* stuff I do not understand myself it is just written in the tutorial and I copied it. The loadramdisk stuff did I add because it didn't work from the beginning and so I played with options but as I sayed there's no difference in the end if I delete these options or not. It's pretty late here where I am and I could need some sleep. I'll try again tomorrow.

Thanks for your time.

[Reikinio]

You said:

For now, forget about booting with an usb-stick ...

The thing is that i dont have a boot partition since I planned to boot from usb from the beginning, does that matter or will grub run from a root partition too (I assume it will, if not I'll notice sooner or later)?
(...)

Ok, since you don't have a /boot partition, you'll have boot from an usb-stick, just pay attention to the guide and its examples and you should be ok.

About my partitioning sceme: I heard root partitions weren't too hard to crack since there would be a lot of known information (plaintext) so I thought I would put /tmp and /home on seperate partitions.

No, that's not what I meant, what I wrote in the guide is that your root partition contains a lot of well known plain-text data that it's present in most Linux systems, therefore if you're really _really_ paranoid you should consider storing your confidencial data on a separate partition.
_The above does not mean that the root partition's encryption is weak_.

All the crypt-* stuff I do not understand myself it is just written in the tutorial and I copied it.

?
You don't need those, perhaps you got confused by the example in "Decrypting/Encrypting partitions at startup".
Remember, it's just a normal fstab except that instead of using the real devices(eg:/dev/sda3) you use the mapping names(eg:/dev/mapper/root)

The loadramdisk stuff did I add because it didn't work from the beginning and so I played with options but as I sayed there's no difference in the end if I delete these options or not. It's pretty late here where I am and I could need some sleep. I'll try again tomorrow.

Thanks for your time.

I don't know what that does, but I don't see a reason for it either, just follow what is on the guide and you'll be ok.
Remember to take it one step at a time, try to understand why you have to do each step, otherwise you'll end up confusing yourself even more.

Sleep well and good luck,

[BarbedWire]

So far so good (or bad?).

I think I have found the error now. Seems like I have not compiled the c-library correctly since I did it again and had output I had not seen before. So it showed that uClibc is masked for my architecture and I had to use glibc wich didn't compile either at first because it needed some extra USE variables. After setting them correctly it compiled for some hours wich I cannot remember from the first time I did this. So I believe I must have typed 'emerge uclibc' or 'emerge glibc' left the room and having returned I just kept on following the guide missing that it did not compile correctly.

However with new compiled c-library, busybox, kernel and initramfs it starts to boot and gives me:

Code: Select all

...
VFS: Cannot open root device "hda2:ext3" or unknown-block(2,0)
Please append a correct "root=" boot option
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(2,0)

I saw that skceb had a similar problem postet in this forum so I changed the APPEND line in extlinux.conf to

Code: Select all

APPEND root=/dev/hda2:ext3 loadkmap=de-latin1-nodeadkeys-amd64.bin loadramdisk=1 initrd=initramfs_data.cpio.gz

again so it loads the image it should have included in the kernel from a file on the usb-stick and now it starts to boot and asks me for the LUKS passphrase. It unlocks my root partition and tells me

Code: Select all

...
* dm-crypt map crypt-swap ...
Command failed: Error opening device: No such file or directory
* failure running cryptsetup                                                         [!!]
...

Then it asks me for the passphrase for my root partition again and then for my other partitions and tells me they were all unlocked.
Then I get

Code: Select all

...
* Failed to setup dm-crypt devices                                    [!!]
* Checking all filesystems ...
/dev/sda1: clean, 74/62992 files, 41807/251688 blocks
fsck.ext3: No such file or directory while trying to open /dev/mapper/tmp
/dev/mapper/tmp:
The superblock could not be read or does not describe a correct ext2 
filesystem. If the device is valid and it really contains a ext2 
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
      e2fsck -b 8193 <device>

The same message I get for /dev/mapper/tmp I do also get for /dev/mapper/home and then

Code: Select all

* Fsck could not correct all errors, manual repair needed        [!!]

after which it asks me for the root password to throw me into a shell for repairing the filesystems.

As I said so far so good (?).

I think the thing with the initramfs inside the kernel will be easy to fix even for me (Especially since I became an expert in initramfs the last days ).
What I read out of the above lines is that my swap isn't encrypted and loaded correctly which is bad. I don't understand why I have to give the passphrase for root two times. Furtheron I don't know what to make of the systems complains about my other two partitions. Allthough / is decrypted and mounted correctly the other two partitions are not. Are they really corrupted like the system says or can the system not read them cause it can't find them or are they not decrypted properly so that the system does not know what to do with the data on them?

I'm happy I've made some progress and again thanks a lot for your help folks.

Edit:
As I said in one of my earlier posts:

I don't know whether this is important but in my BusyBox-Menuconfig theres no option like:
Code:
BusyBox Settings ---> General Configuration ---> Buffer allocation policy (Allocate with Malloc) --->
(x) Allocate with Malloc

This option does still not appear in my menuconfig for BusyBox so I edited it by hand in my BusyBox.config because it seems to be turned off as a standard. Maybe its worth mentioning in the tut if it *is* important. I'm on an amd64 if that matters.

[Reikinio]

So far so good (or bad?).

I think I have found the error now. Seems like I have not compiled the c-library correctly since I did it again and had output I had not seen before. So it showed that uClibc is masked for my architecture and I had to use glibc wich didn't compile either at first because it needed some extra USE variables. After setting them correctly it compiled for some hours wich I cannot remember from the first time I did this. So I believe I must have typed 'emerge uclibc' or 'emerge glibc' left the room and having returned I just kept on following the guide missing that it did not compile correctly.

Recompiling glibc is not needed, but anyway.. if uclibc is masked or if it gives you too much trouble just stick with glibc, besides all gets wiped from memory when it switches root.

However with new compiled c-library, busybox, kernel and initramfs it starts to boot and gives me:

Code: Select all

...
VFS: Cannot open root device "hda2:ext3" or unknown-block(2,0)
Please append a correct "root=" boot option
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(2,0)

This happens because your initramfs is not linked to the kernel image.

I saw that skceb had a similar problem postet in this forum so I changed the APPEND line in extlinux.conf to

Code: Select all

APPEND root=/dev/hda2:ext3 loadkmap=de-latin1-nodeadkeys-amd64.bin loadramdisk=1 initrd=initramfs_data.cpio.gz

again so it loads the image it should have included in the kernel from a file on the usb-stick and now it starts to boot and asks me for the LUKS passphrase. It unlocks my root partition and (....)

Now it works because you loaded your initramfs, you can also link it directly as it's shown in the guide, but it's really up to you.

(...) It unlocks my root partition and tells me

Code: Select all

...
* dm-crypt map crypt-swap ...
Command failed: Error opening device: No such file or directory
* failure running cryptsetup                                                         [!!]
...

Then it asks me for the passphrase for my root partition again and then for my other partitions and tells me they were all unlocked.
Then I get

Code: Select all

...
* Failed to setup dm-crypt devices                                    [!!]
* Checking all filesystems ...
/dev/sda1: clean, 74/62992 files, 41807/251688 blocks
fsck.ext3: No such file or directory while trying to open /dev/mapper/tmp
/dev/mapper/tmp:
The superblock could not be read or does not describe a correct ext2 
filesystem. If the device is valid and it really contains a ext2 
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
      e2fsck -b 8193 <device>

The same message I get for /dev/mapper/tmp I do also get for /dev/mapper/home and then

Code: Select all

* Fsck could not correct all errors, manual repair needed        [!!]

after which it asks me for the root password to throw me into a shell for repairing the filesystems.

Ok, first, you should know that this is not caused by the initramfs's init script, all this stuff gets executed once you're booting your Gentoo system, by the _real init_(/sbin/init, which exists on your now decrypted root partition).

What you're seeing here is caused by cryptfs implementation script, so what you need to do is fix your /etc/conf.d/cryptfs and /etc/fstab(take that crypt-* stuff out) files.
You should have a look at the section "Decrypting/Encrypting partitions at startup", plus the cryptfs.example file that ships with gentoo's cryptsetup-luks package.
If you still have problems, you can post your cryptfs file here, and I'll _try_ to help you out.

Btw, what do you mean it asks you for your root passphrase again ??
Your root partition is already decrypted, do not try to decrypt it with cryptfs, only use this conf file for other partitions beside root.

As I said so far so good (?).

I think the thing with the initramfs inside the kernel will be easy to fix even for me (Especially since I became an expert in initramfs the last days ).

Edit:
As I said in one of my earlier posts:

I don't know whether this is important but in my BusyBox-Menuconfig theres no option like:
Code:
BusyBox Settings ---> General Configuration ---> Buffer allocation policy (Allocate with Malloc) --->
(x) Allocate with Malloc

This option does still not appear in my menuconfig for BusyBox so I edited it by hand in my BusyBox.config because it seems to be turned off as a standard. Maybe its worth mentioning in the tut if it *is* important. I'm on an amd64 if that matters.

Don't worry about it.

[BarbedWire]

So everything works fine now, just had to adjust fstab and cryptfs as you said.

Only one more thing would be needed to make it perfect. I would like to read the keys from keyfiles on my usb-stick so that I do not have to type my password 4 times for every single partition and it would be great too if at boot my swap could be encrypted with a new randomly generated key everytime so there's no keyfile needed for it. So how can I change from manually entering the passphrase to automatically letting luks read it from the usb-stick? Could someone drop some lines about how to do this if it is not too much work?
I do not understand why I should not write my keys unencrypted to a disk (usb-stick). I mean the usb-stick is the key to the partitions anyway so if I give it away it doesn't matter if the keys are encrypted or not since my system will boot with it anyway.
Forgive me my ignorance and thanks for all your help.

[BarbedWire]

So here is how to get your system to encrypt its swap partition at every boot with a new random passphrase.

Open the file /etc/init.d/localmount and look for the line containing 'swapon -a'. Enter a new line before this command containing the following:

Code: Select all

cryptsetup -c twofish -s 256 -d /dev/urandom create swap /dev/hda1 
mkswap /dev/mapper/swap
swapon /dev/mapper/swap 

Of course change twofish with your algorithm and hda1 with your swap partition. This works for me. Now I do not have to type a password for swap at every boot or provide a keyfile. The password is random and new chosen on every boot.

C ya.

[Reikinio]

Hi

So here is how to get your system to encrypt its swap partition at every boot with a new random passphrase.

Open the file /etc/init.d/localmount and look for the line containing 'swapon -a'. Enter a new line before this command containing the following:

Code: Select all

cryptsetup -c twofish -s 256 -d /dev/urandom create swap /dev/hda1 
mkswap /dev/mapper/swap
swapon /dev/mapper/swap 

Of course change twofish with your algorithm and hda1 with your swap partition. This works for me. Now I do not have to type a password for swap at every boot or provide a keyfile. The password is random and new chosen on every boot.

C ya.

It's no longer needed to edit localmount by hand, besides, it's not a good solution because you'll have to take care of editing it again everytime a new localmount comes up.
Gentoo's cryptfs file can be used for encrypting swap, in fact there is an example for swap partitions in the cryptfs file.

Only one more thing would be needed to make it perfect. I would like to read the keys from keyfiles on my usb-stick so that I do not have to type my password 4 times for every single partition and it would be great too if at boot my swap could be encrypted with a new randomly generated key everytime so there's no keyfile needed for it. So how can I change from manually entering the passphrase to automatically letting luks read it from the usb-stick? Could someone drop some lines about how to do this if it is not too much work?
(...)

As you know, instructions for booting and reading the root key from an usb-stick at boot time are on the guide.
So, what to do with the other partitions ?
If you want a randomly generated key for swap each time you boot, it's easy, as I already told you, use the cryptfs file and read the key from /dev/urandom(you could read it from /dev/random instead, but it will annoy you if it hangs your boot sequence).

As for other partitions such as /home, if you don't want to be asked for the passphrase, you could use a key-file and store it on the root partition(since / is encrypted) which is safe enough for almost everybody.
Another approach is reading the key(s) directly from the usb-stick, this can be done, but you'll need to modify the cryptfs implementation(/lib/rcscripts/addons/dm-crypt-start.sh).
Don't know..., I think the people that would benefit from reading the partitions keys directly from a removable media devices(such as usb-sticks) would be mostly those who don't have their root partition encrypted.

(...)
I do not understand why I should not write my keys unencrypted to a disk (usb-stick). I mean the usb-stick is the key to the partitions anyway so if I give it away it doesn't matter if the keys are encrypted or not since my system will boot with it anyway.

No, if your root key is encrypted and someone tries to boot your system with it, he/she will be asked for the passphrase to decrypt the key, so no, it's not possible to boot your system just by having the usb-stick.

Having your key(s) encrypted or not is up to you, I wrote the reason for having them encrypted in the guide, what would happen if your attacker finds the usb-stick and the keys are not encrypted ?
Game over, he/she can now access your system.
But if they are encrypted, he/she would have to break the key's encryption first.
There could also be people paranoid enough to have the key hiden by using steganography so noone will even know that the key is there.

FWIW, I am neither an expert nor paranoid enough to do all that, I have a /boot partition(someone could even tamper with it and I wont probably notice it) plus a / partition, no /home, etc...

Hope this cleared some of your doubts, and btw congratulations for having an encrypted working system

Bye

[BarbedWire]

Changed my swap setting now in cryptfs as you proposed.
Also changed your init file so it loads the key for my root device from usb where it is unencrypted. So I do not have to type in a single password on boot just as with a normal installation. I'm not afraid of someone lurkin the keyfile from my usb device since it always is under my eyes. It would be my own fault if I let someone do that and it would be equal stupid as letting someone know the password you type in at boot.

[Taichan]

Hello,

i follow the HowTo Step for Step. But booting fails.

failed to setup dm-crypt mapping.
failed to read from key storage
Command failed: No key available with this passphrase.

In the "minimal shell" im also unable to decrypt the device. The same error occours.

I check the kernel config for dm-crypt and co. everything seems to be right.