[Support] System Encryption DM-Crypt with LUKS

[Mr.Pink]

Hi all,

sorry swit for interrupting you and posting a new question without yours being answered...

I read the HOWTO and the posts in here and now I'd like to try to setup an encrypted system. The problem thereby is that I'd like to use LVM to create individual resizable partitions for not only root but also /home, /usr etc.
Am I right when I say that in this case it would be necessary to encrypt the whole harddisc at once using /dev/hda for instance and then setting up the LVM partitions to use with LVM or will I have to encrypt every LVM partition itself with a different key/passphrase?
Or is it even impossible to use LVM and encryption at the same time?

Regards
Mr.Pink

[unixtroll]

but, i've a problem: i tried to starting the system with an usb-device, but when starting the system syslinux print out a message that say "the sysstem is not avabile for this device, inserit the corret device"

I have no idea how to fix the syslinux issue, but if it does not work I would recommend to keep a boot partition with the kernel image etc. unencrypted on your harddisk. Since this partition doesn't contain any sensitive data, there's no need for it to be encrypted. You can then modify the linuxrc file in the initrd image to mount a usb-stick with your keyfiles stored on and after that mount your encrypted partitions.

[alecpap]

I don't mean to beat a dead horse, but I'm also getting the failed to setup dm-crypt mapping error message. I have all of the kernel additions compiled into the kernel, as well as all of the crypto options, as in the howto. Here are some exerpts form my config file:

Code: Select all

CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_BLK_DEV_RAM=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_SERPENT=y

I'm pretty lost with this. When I boot off of the live cd and download the precompiled binary, everything goes smoothly. I can decrypt the partition and chroot into it fine, but when I boot off of the hard disk, I get that message. Any ideas?

[rr]

Great article on file encryption. I'm trying to set it up now, but have run into a problem. You say to download the
precompiled cryptsetup-luks binary from http://luks.endorphin.org/dm-crypt, but you don't say how. My Gentoo 2005.1 install does not have FTP or Lynx. How do you download?

[rr]

Answered my own question. It's called links2.

[rainbow flag]

I don't mean to beat a dead horse, but I'm also getting the failed to setup dm-crypt mapping error message.

it seems that this is a question for me, isn't it?
i'm sorry to answer very late - the last time i wasn't here very often..

my mistake, that resulted in this error message, had been not to compile dm-mod (CONFIG_BLK_DEV_DM), dm_crypt (CONFIG_DM_CRYPT) and my cipher into the kernel but as modules and to forget to insmod them, later to insmod them accidently in the wrong order. the error might occure if you try to use any other cipher than sha256, blowfish and serpent (wich are included in your kernel) - but that doesn't seem to be the case, does it?

since you have built everything into the kernel your problem seems to be another one - something that is icluded in either the lifecd or the binary but not in your initrd. i have no idea . but - if you did not just solve it during the last 10 days - maybe, you want to include dmesg into the initrd-image and call it somewhere in the linuxrc-script (just to see if it provides some more information).

[alecpap]

rainbow flag-
thanks for your reply. I did solve it, I think. I was using the 2.6.13 kernel, and when I tried it with 2.6.12, it worked perfectly! Maybe I changed something else that I didn't know about, but, it works now.

Now I have another question, though. I'd like to be able to use a key on a usb stick to decrypt it (actually, I'd like to encrypt the key on the usb stick, decrypt that, and then use that key to decrypt the hdd). So, I put

Code: Select all

 exec /bin/sh 

in the linuxrc and re-do the initrd process, and reboot. I get the shell, like I should, and I plug in the usb stick. dmesg reports:

Code: Select all

usb 2-1: new full speed USB device using ohci_hcd and address 2
ub(2.2): GetMaxLUN returned 0, using 1 LUNs
 uba: uba1 < uba5 >

So, I do:

Code: Select all

mkdir /mnt
mkdir /mnt/usbkey
mount -t ext2 /dev/uba5 /mnt/usbkey

But it tells me that device /dev/uba5 does not exist.

I had already formatted that partition with ext2, and it works fine. If I boot up normally, I can mount the drive and use it normally.

Any ideas?

[rainbow flag]

hi again.

i'm just not sure if my proposals are very useful (as you can see, i'm a newbie like you)

but maybe, the device node /dev/uba5 does not exist and you have to create it (by something like "mknod /dev/uba5 b <major> <minor>") ...

[alecpap]

rainbow flag-
Thanks for the help! That sure did the trick, I can't believe I forgot that part - I was going crazy! Everything is working very smoothly now, thanks again!

I just had to make the nod /dev/uba and /dev/uba5

And thanks for the great How-To Reikinio!

[jester42]

I just read the Wiki and used some information from there to encrypt a single hdd... Around X-Mas I will try the whole encryption of my system, impressions will follow.

I have got one question right now: is the skull-ascii-art shown in the article available for download somewhere? i quite like it

Well... more in two weeks then.
jester

[Armageddon]

hello,

first of all thank you for this really great howto

i installed a encryptet system and all works fine.

The only thing not working correctly is the Encypting swap at boot.

It needs more then 15 mins to make the swap is that normal?

[GenKreton]

It needs more then 15 mins to make the swap is that normal?

Nope. If it weren't for the script telling me I was making an encrypted swap, I wouldn't even know it happened.

[daff]

Could it be that there are no CONFIG_BLK_DEV_DM or CONFIG_DM_CRYPT options in gentoo-sources-2.6.15-r1? I can't seem to find them.

EDIT: Feeling stupid right now. These options are available only if you enable Multiple devices driver support (RAID and LVM) under Device Drivers.

[fuzebest]

Sorry, for little offtopic.
Are there any guide how to create encrypted CD/DVD images using LUKS?

thank you!
sorry again

[b0rsten]

i've tried this howto, but after reboot i get this error:

Code: Select all

unable to mount root fs on unknown-block{1,0)

but i had nowhere typed (1,0) in... im using hda1 for boot, 2 for swap and 3 for root...
any idea what i have done wrong?


my menu.lst

Code: Select all

default 0
timeout 5
splashimage=(hd0,0)/grub/splash.xpm.gz

title=Gentoo
root(hd0,0)
kernel /kernel-2.6.15-gentoo-r1 root=/dev/ram0 rw init=/linuxrc vga=0x318 video=vedafb:mtrr,ywrap
initid (hd0,0)/initrd

[mephist0]

Very good HOWTO !

works perfectly !

Thanks very much !

Is it possible to install windows xp afterwards ? is it safe ?

I mean, I dont want to loose my data

EDIT : As I installed Gentoo I left 50GB free space for windows for gaming ... someone got a tip ?

Thanks

[mephist0]

*push*

[GenKreton]

Is it possible to install windows xp afterwards ? is it safe ?

I mean, I dont want to loose my data

EDIT : As I installed Gentoo I left 50GB free space for windows for gaming ... someone got a tip ?

Thanks

luks encryption is done to the partition, not the disk. It is safe to install windows IF you left free space for it. Be aware that windows will overwrite your MBR though.

[mephist0]

Is it possible to install windows xp afterwards ? is it safe ?

I mean, I dont want to loose my data

EDIT : As I installed Gentoo I left 50GB free space for windows for gaming ... someone got a tip ?

Thanks

luks encryption is done to the partition, not the disk. It is safe to install windows IF you left free space for it. Be aware that windows will overwrite your MBR though.

Thanks for the info !

After installing Windows, I think I can boot from the Gentoo installCD and launch grub-install again ?

so, time to go to bed ...

gn8 all

[GenKreton]

Thanks for the info !

After installing Windows, I think I can boot from the Gentoo installCD and launch grub-install again ?

so, time to go to bed ...

gn8 all

That should be sufficient. You just need to add it to the grub menu as well. It's actually easier to get grub to boot windows than it is Linux ironically...

[anuron]

nice work.

just for the record and for people expieriencing the same problem as I. sys-fs/cryptsetup-luks-1.0.1-r1 is somehow broken (see http://bugs.gentoo.org/show_bug.cgi?id=128925) and produces regardless of what you try the error "invalid argument".

anuron

[Reikinio]

Hello,
I forgot about this thread, I am sorry
The email notifications for this thread stopped, I didn't knew that you had to be logged in for the email notification system log that you have followed the link sent by email, it won't happen again.

Anyway, I have rewrited the guide, many things have been added, I spent a _lot_ of time on it so you better like it.

ChangeLog:
* Added initramfs support, initrd is gone.
* Using BusyBox for the initramfs image.
* Added a bash script to handle initramfs images.
* Added steps for booting from an USB-stick.
* Added steps for gpg protected keys(randomly generated).
* Removed all the childish comments and excessive smileys that made the guide look it was written by a five year old kid.
* Guide wikified(using wiki code, should look better now)
* And more...

What do you guys think of the new guide ?

Bye.

[Reikinio]

I am looking for people interested in helping to mantain and improve the guide, also there is another guide on gentoo-wiki which has the same goal of this guide, so I proposed merging the two guides into one.
This is the other guide: http://gentoo-wiki.com/SECURITY_Encrypt ... _with_LUKS

What do you think?

[Reikinio]

Sorry, for little offtopic.
Are there any guide how to create encrypted CD/DVD images using LUKS?

thank you!
sorry again

Yes, read the last entry of the FAQ section.

Those of you who wanted to boot from an USB-stick but couldn't, should read the new guide, I did it using extlinux(a syslinux derivative) and it works fine.

Those of you having problems with the linuxrc and the initrd, should read the new guide, the new initramfs method should work without problems.

hello,

first of all thank you for this really great howto

i installed a encryptet system and all works fine.

The only thing not working correctly is the Encypting swap at boot.

It needs more then 15 mins to make the swap is that normal?

No, it's not, make sure you're not reading the passphrase from /dev/random.
Anyway, the old method(the one you used) is now deprecated. so check the new guide, it'll tell you to use the cryptfs file from the Gentoo cryptsetup-luks package.

I have got one question right now: is the skull-ascii-art shown in the article available for download somewhere? i quite like it

here

Hi all,

sorry swit for interrupting you and posting a new question without yours being answered...

I read the HOWTO and the posts in here and now I'd like to try to setup an encrypted system. The problem thereby is that I'd like to use LVM to create individual resizable partitions for not only root but also /home, /usr etc.
Am I right when I say that in this case it would be necessary to encrypt the whole harddisc at once using /dev/hda for instance and then setting up the LVM partitions to use with LVM or will I have to encrypt every LVM partition itself with a different key/passphrase?
Or is it even impossible to use LVM and encryption at the same time?

Regards
Mr.Pink

I have no idea, I think i remember seeing something about this in on some Mailing lists, but I dont have the links to it, sorry.


Regards,

[andersenep]

Hi, I've been trying to get this working all day with no luck. I've stuck to the howto as closely as possible and I think my main problem is with initramfs. I'm using gentoo-sources-2.6.16-r7 and for starters there is no default initramfs_date.cpio.gz in /usr/src/linux/usr. I've tried adding the gzip'd cpio I created following the howto (in /output) and touching it but when I build the kernel it is overwritten. I gunzip'd the cpio to / and set CONFIG_INITRAMFS_SOURCE="/initramfs_data.cpio" and rebuilt and this generates what seems to be the right image in /usr/src/linux/usr (zcat initramfs_date.cpio.gz | cpio -t spits out the files/dirs in my testimage dir) but I still can seem to get a working kernel. It will boot and go through everything until it tries to init (I forget the actual error) and then the kernel panics and I have to reboot.
I'm not sure if I have something wrong in my kernel config or in the init script in my initramfs_data.cpio.gz. I set set the line:

Code: Select all

root=*) # get root and fs type

to:

Code: Select all

root=/dev/sda2:ext3) # get root and fs type

which is my encrypted root partition.

This is my grub.conf

Code: Select all

default 0
timeout 90
splashimage=(hd0,0)/grub/splash.xpm.gz

title=Gentoo Linux 2.6.16
root (hd0,0)
kernel /kernel-2.6.16-gentoo-r7 root=/dev/sda2:ext3 vga=0x31B video=vesafb:ywrap,mtrr:3

Any ideas what I'm doing wrong?

thanks