Gentoo Forums
What's the best way to do system encryption with 4 partitions
bman66
n00b

Joined: 02 Jun 2015
Posts: 8

PostPosted: Tue Jun 02, 2015 3:55 pm    Post subject: What's the best way to do system encryption with 4 partitions

Hello,

I'm going to make another Gentoo setup for my laptop, this time with Gentoo Hardened + Systemd + Gnome 3 w/ encryption and secure UEFI. I am planning on setting up 4 partitions. /dev/sda1 is /boot (vfat). /dev/sda2 is / (luks/dm-crypt xfs). /dev/sda3 is swap (luks/dm-crypt, random password each bootup) and /dev/sda4 is /mnt/data (luks/dm-crypt xfs). I'm hoping that I can start up the system while only typing one password in, and being asked if I want to unlock /dev/sda4 on bootup (this means if my laptop's stolen while on, there is still a chance my other data is safe. Also it means I don't need to type in my password in userspace and can instead type it inside a signed initramfs). If that's not possible, then automounting both partitions is also acceptable.

My plan is to use a custom initramfs with an /init like so (I'm more of a perl guy, so there could be mistakes):
Code:

#!/bin/busybox ash

error() {
        echo "An error has occurred in initramfs."
        # Stop here instead of dropping to a shell, which would hand out a
        # root prompt on a failed boot.
        while true
        do
                sleep 1d
        done
}

mount -t proc none /proc || error
mount -t sysfs none /sys || error

# Quiet the kernel while prompting (needs /proc mounted first)
echo 0 > /proc/sys/kernel/printk

while true
do
        echo -n "Password: "
        read -s password
        echo
        # Feed the passphrase on stdin; -T 1 = one attempt per prompt
        echo "$password" | cryptsetup -T 1 luksOpen /dev/sda2 root || continue
        mount /dev/mapper/root /mnt || error
        break
done

read -p "Mount /mnt/data? (Y/N)  " -n 1 -r REPLY
echo
# ash has no [[ =~ ]]; use case for the pattern match
case "$REPLY" in
        [Yy])
                echo "$password" | cryptsetup -T 1 luksOpen /dev/sda4 data || error
                # Root is mounted at /mnt here, so its /mnt/data is /mnt/mnt/data
                mount /dev/mapper/data /mnt/mnt/data || error
                ;;
esac

# Don't carry the passphrase into the environment of the real init
unset password

echo 1 > /proc/sys/kernel/printk

umount /proc || error
umount /sys || error

exec switch_root /mnt /usr/lib/systemd/systemd


And then in /etc/crypttab. I don't think I need to include /dev/sda4 or /dev/sda2 here, right?
Code:

swap         /dev/sda3        /dev/random            swap,cipher=aes-xts-plain64:whirlpool,size=512


And fstab. Again, I don't think I need to include /dev/sda4?
Code:

/dev/sda1           /boot        vfat   defaults,noatime   0 2
/dev/mapper/root    /            xfs    defaults,noatime   0 1
/dev/mapper/swap    none         swap   sw                 0 0
/dev/cdrom          /mnt/cdrom   auto   noauto,ro          0 0


Any advice would be helpful! Thanks.
bman66
n00b

Joined: 02 Jun 2015
Posts: 8

PostPosted: Wed Jun 03, 2015 7:59 am

I tried this out... The problem is that the ramfs's /dev/mapper/* can't be transferred over. Also I learned that there's a (seemingly undocumented in the wiki) flag for systemd to enable crypttab (use="cryptsetup").

If I want to encrypt multiple partitions with a single password, it looks like the easier method is to use lvm. I'll give it a shot.
Roman_Gruber
Advocate

Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria

PostPosted: Wed Jun 03, 2015 4:56 pm

my setup is

grub2 / linux mint in 512mb ext2 /boot partition.

initramfs => genkernel generated (lvm, luks ....)
kernel compiled by myself
luks / lvm / ext4 => lvm container which has a luks container which has ext4.

I am not a friend of several partitions anymore. I made several 100gb chunks which I then re-added in lvm and then luks + ext4.

Works, and I gave this advice several times here; it should work quite easily.
bman66
n00b

Joined: 02 Jun 2015
Posts: 8

PostPosted: Thu Jun 04, 2015 5:11 pm

Hey, thanks for the reply!

First I have a question about your setup (more of curiosity).
> luks / lvm / ext4 => lvm container which has a luks container which has ext4.
If your LVM is just used for storing the ext4 partition, then can't you forgo the LVM? Or is there an advantage to this setup (I've seen RAID -> LVM -> Single partition before and I'm not sure what the idea behind that is vs RAID -> Single partition). Also, isn't it usually easier to have LUKS -> LVM -> Partitions so you're getting the advantage of LVM after decryption?

> I am not a friend of several partitions anymore.
Yeah, your setup would "just work" and be easier. But at the very least I would like to have an encrypted swap because swap (I guess I could use a swapfile). Ideally I'll be able to suspend to disk. Then I usually like to have an extra data partition, just so I can re-install the OS while not losing any of my stuff (and not relying solely on my backup). I guess I can just keep it in a directory and "not touch it", but I'm not 100% sure how that would work if I decided I wanted to install Fedora/Ubuntu etc (black magic gui installer).

Anyways, I've set this up and I've run into a problem. First, here's what my setup looks like:
Code:

Top row    = where it's mounted/mapped to
Middle row = volume type
Bottom row = where it's mounted/mapped from
$dm = /dev/mapper
            +------------+--------------+--------------+
            | none       | /            | /mnt/data    |
            | swap       | xfs          | xfs          |
            | $dm/lvm-sw | $dm/lvm-root | $dm/lvm-data |
+-----------+------------+--------------+--------------+
| /boot     | $dm/lvm                                  |
| vfat      | luks                                     |
| /dev/sda1 | /dev/sda2                                |
+-----------+------------------------------------------+

$ cat /etc/fstab
/dev/sda1         /boot      vfat   defaults,noatime   0 2
/dev/mapper/lvm-sw      none      swap   sw         0 0
/dev/mapper/lvm-root      /      xfs   noatime         0 1
/dev/mapper/lvm-data      /mnt/data   xfs   noatime         0 1
/dev/cdrom         /mnt/cdrom   auto    noauto,user      0 0

BOOTX64.EFI is just a copy of vmlinuz.
$ ls -R /boot
config-3.18.9-hardened                      System.map-3.18.9-hardened
EFI                                         vmlinuz-3.18.9-hardened
initramfs-genkernel-x86_64-3.18.9-hardened

./EFI:
BOOT

./EFI/BOOT:
BOOTX64.EFI

Command to create initramfs (genkernel-next)
$ genkernel --luks --udev --lvm initramfs

Kernel command line (build into kernel)
initrd=/initramfs-genkernel-x86_64-3.18.9-hardened crypt_root=/dev/sda2 root=/dev/mapper/lvm-root init=/usr/lib/systemd/systemd dolvms


When I boot up I'm getting this error:
(Screenshot of the error: http://s23.postimg.org/6tpbrg39z/IMG_20150604_114220.jpg)

I *think* (but could be completely wrong) initramfs is being loaded and executed correctly, but initramfs isn't running cryptsetup before attempting to mount lvm or root. I would modify initramfs directly, but they're doing some crazy stuff with symlinks (presumably to busybox) which I don't feel like doing over again. If possible, I would like to try to get genkernel to work. If a setup like this is too much for genkernel, then should I try the Dracut thing, or should I just screw it and write my own hardcoded one (should be a lot easier now with lvm hopefully)?

EDIT (for forum/google/text only browsers): The error is "[ end Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)"


Last edited by bman66 on Thu Jun 04, 2015 5:22 pm; edited 3 times in total
frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2970
Location: Germany

PostPosted: Thu Jun 04, 2015 5:17 pm

My initramfs opens several LUKS containers with a single password (the password being for a LUKS container that holds the keys for all other LUKS containers).

Code:

# Unlock Key
cryptsetup luksOpen --header /root/key.luks /root/key KEY
...
# Unlock HDD
for i in 1 2 3 4 5 6 7 8
do
    cryptsetup luksOpen --key-file=/dev/mapper/KEY --keyfile-offset=$(($i*512)) --keyfile-size=512 /dev/md"$i" luksHDD"$i" &
done


See here:
https://wiki.gentoo.org/wiki/Custom_Initramfs#Encrypted_keyfile
https://wiki.gentoo.org/wiki/Custom_Initramfs/Examples#Multiple_RAID.2C_LUKS_containers.2C_Encrypted_Keyfiles.2C_LVM

I'm not sure what you meant by your statement """The problem is that the ramfs's /dev/mapper/* can't be transferred over.""" - of course it transfers over, if it didn't then the root partition wouldn't work either. Or more precisely, the mappings transfer over so as long as you mount your stuff by UUID or similar, you don't need /dev/mapper/*, it's sufficient to have /dev/dm-42.
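An added example (editor's, not frostschutz's script and not the wiki's code) that puts the two points of this post together: one master key blob, a fixed-size slice per container selected with --keyfile-offset/--keyfile-size, and each target resolved by UUID rather than by /dev/sdX or /dev/mapper name. CRYPTSETUP, SAMPLE_UUID_TABLE and the UUIDs in it are hypothetical: the table stands in for /dev/disk/by-uuid when udev has not populated it, and CRYPTSETUP can be pointed at a dry-run command.

```shell
#!/bin/sh
# Added example, not code from the thread or the Gentoo wiki: unlock several
# LUKS containers from one master key blob, one KEY_SLICE-byte slice per
# container, resolving each container by UUID.
# Hypothetical bits: CRYPTSETUP override and the constructed SAMPLE_UUID_TABLE.

CRYPTSETUP=${CRYPTSETUP:-cryptsetup}
KEY_SLICE=512          # bytes of key material handed to each container

# Constructed fallback table of "UUID device" pairs (invented UUIDs).
SAMPLE_UUID_TABLE='
1111aaaa-0000-4000-8000-000000000001 /dev/sda2
2222bbbb-0000-4000-8000-000000000002 /dev/sda4
'

# dev_for_uuid UUID -> prints the block device, or returns 1 if unknown.
# In a real initramfs /dev/disk/by-uuid exists once udev (or mdev) has run.
dev_for_uuid() {
    if [ -e "/dev/disk/by-uuid/$1" ]; then
        readlink -f "/dev/disk/by-uuid/$1"
        return 0
    fi
    printf '%s\n' "$SAMPLE_UUID_TABLE" |
        awk -v u="$1" '$1 == u { print $2; found = 1 } END { exit !found }'
}

# key_slice KEYFILE INDEX -> writes slice INDEX (KEY_SLICE bytes) to stdout,
# the same bytes --keyfile-offset=INDEX*KEY_SLICE --keyfile-size=KEY_SLICE selects.
key_slice() {
    dd if="$1" bs="$KEY_SLICE" skip="$2" count=1 2>/dev/null
}

# unlock_all KEYFILE TABLE -> TABLE holds "UUID NAME INDEX" lines; opens each
# container as /dev/mapper/NAME and prints how many were opened.
# Refuses a slice that lies past the end of the key blob: a short read would
# otherwise hand cryptsetup a truncated key without any error.
unlock_all() {
    keyfile=$1
    n=0
    while read -r uuid name idx; do
        [ -n "$uuid" ] || continue
        dev=$(dev_for_uuid "$uuid") || { echo "no device with UUID $uuid" >&2; return 1; }
        got=$(key_slice "$keyfile" "$idx" | wc -c | tr -d ' ')
        got=${got:-0}
        [ "$got" -eq "$KEY_SLICE" ] || { echo "key slice $idx is out of range" >&2; return 1; }
        "$CRYPTSETUP" luksOpen --key-file="$keyfile" \
            --keyfile-offset=$((idx * KEY_SLICE)) --keyfile-size="$KEY_SLICE" \
            "$dev" "$name" || return 1
        n=$((n + 1))
    done <<EOF
$2
EOF
    echo "$n"
}

# Stand-alone use: unlock_all /dev/mapper/KEY "$(cat containers.txt)"
if [ $# -ge 2 ]; then
    unlock_all "$1" "$2"
fi
```

The size check is the part worth keeping in a real initramfs: cryptsetup reads the slice from the opened KEY mapping, so if the container is smaller than (INDEX+1)*512 bytes the script should stop rather than try a short key.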
bman66
n00b

Joined: 02 Jun 2015
Posts: 8

PostPosted: Thu Jun 04, 2015 5:59 pm

frostschutz wrote:
Or more precisely, the mappings transfer over so as long as you mount your stuff by UUID or similar, you don't need /dev/mapper/*, it's sufficient to have /dev/dm-42.


Is there a difference between "/dev/mapper/*" and "/dev/dm-*"? Or is it just always more portable to use UUID? Or should they be equivalent?
frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2970
Location: Germany

PostPosted: Thu Jun 04, 2015 6:11 pm

They're different names for the same device, with the exception of /dev/mapper/control which is special.

Code:

$ ls -l /dev/mapper/luksSSD1 /dev/dm-9
brw-rw---- 1 root disk 253, 9 Jun  4 10:03 /dev/dm-9
brw------- 1 root root 253, 9 Jun  4 10:03 /dev/mapper/luksSSD1


(Curious difference in the permissions, but no matter...)

If you're not sure about the device name, it's better to use UUID.
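An added check (editor's example, not from this post) for the "same device, different names" point: the kernel exposes every device-mapper node under /sys/block/dm-N with its mapping name in dm/name and its major:minor in dev, so a name can be resolved to its dm-N node and the two compared by major:minor rather than by path. The SYSFS override and the make_fake_sysfs tree are hypothetical additions so the functions can be run against constructed data.

```shell
#!/bin/sh
# Added example, not from the thread: map a device-mapper name (what
# /dev/mapper/NAME points at) to its dm-N node via sysfs, and compare the
# two by major:minor. SYSFS is a hypothetical override for offline runs.

SYSFS=${SYSFS:-/sys}

# dm_node_for_name NAME -> prints "dm-N", or returns 1 if no such mapping.
dm_node_for_name() {
    for d in "$SYSFS"/block/dm-*; do
        [ -r "$d/dm/name" ] || continue
        if [ "$(cat "$d/dm/name")" = "$1" ]; then
            basename "$d"
            return 0
        fi
    done
    return 1
}

# dm_majmin NODE -> prints the "MAJOR:MINOR" pair from /sys/block/NODE/dev.
dm_majmin() {
    cat "$SYSFS/block/$1/dev"
}

# same_device NAME NODE -> succeeds when /dev/mapper/NAME and /dev/NODE are
# one device, judged by major:minor rather than by path.
same_device() {
    node=$(dm_node_for_name "$1") || return 1
    [ "$node" = "$2" ] && [ "$(dm_majmin "$node")" = "$(dm_majmin "$2")" ]
}

# make_fake_sysfs DIR -> constructed tree mirroring the listing above
# (luksSSD1 is dm-9, 253:9); a second mapping is added for contrast.
make_fake_sysfs() {
    root=$1
    for pair in "9 luksSSD1" "10 lvm-root"; do
        minor=${pair%% *}
        name=${pair#* }
        mkdir -p "$root/block/dm-$minor/dm"
        echo "$name" > "$root/block/dm-$minor/dm/name"
        echo "253:$minor" > "$root/block/dm-$minor/dev"
    done
}

# Stand-alone use on a live system: dm_node_for_name luksSSD1
if [ $# -ge 1 ]; then
    dm_node_for_name "$1"
fi
```

On a live system the dm-N number is assigned in creation order and is not stable across boots, which is the practical reason to prefer UUID in fstab and crypttab; the name under /dev/mapper is stable but, as the post says, only exists where the udev rules or the initramfs created it.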
Roman_Gruber
Advocate

Joined: 03 Oct 2006
Posts: 3806
Location: Austro Bavaria

PostPosted: Sat Jun 06, 2015 8:44 am

bman66 wrote:
Hey, thanks for the reply!

First I have a question about your setup (more of curiosity).
> luks / lvm / ext4 => lvm container which has a luks container which has ext4.
If your LVM is just used for storing the ext4 partition, then can't you forgo the LVM? Or is there an advantage to this setup (I've seen RAID -> LVM -> Single partition before and I'm not sure what the idea behind that is vs RAID -> Single partition). Also, isn't it usually easier to have LUKS -> LVM -> Partitions so you're getting the advantage of LVM after decryption?


first lvm container
then luks container
then ext4 container

lvm for moving those chunks from one disk to the other when I change hardware
luks for privacy
ext4 because it was the most mature fs, though it had issues as I started to use it (still issues with ext4 and kernel 4.0.x, from what I read here ...)

the advantage is that I can move my fs in use because I move the physical extents, as they are called in lvm. I am independent of the hardware below... personally I will never use anything except lvm anymore because the additional layer gives more benefits than drawbacks. drawback is a complicated initramfs and kernel parameters (but whatever)

Quote:
> I am not a friend of several partitions anymore.
Yeah, your setup would "just work" and be easier. But at the very least I would like to have an encrypted swap because swap (I guess I could use a swapfile). Ideally I'll be able to suspend to disk. Then I usually like to have an extra data partition, just so I can re-install the OS while not loosing any of my stuff (and not relying solely on my backup). I guess I can just keep it in a directory and "not touch it", but I'm not 100% sure how that would work if I decided I wanted to install Fedora/Ubuntu etc (black magic gui installer).


lvm is sufficient with ext4, luks is transparent and you do not really see it when in use.
I really disliked those smaller many-partition layouts, and then you had free disk space everywhere which was wasted.

separate data partition => usually /home which is on a separate partition
on paper Ubuntu works with encryption, what I saw a year ago using the linux mint installer.

you can always grow/shrink your data when you rely on a "mature proven fs" like ext4

just checked: root was just moved and the user data resides in 7x 100gb chunks which sums up to 700gb. (just made many 100gb chunks and added them. hardly in use these days)

Code:
lvdisplay
  /dev/cdrom: open failed: No medium found
  --- Logical volume ---
  LV Path                /dev/vg_user_data/lv_user_data
  LV Name                lv_user_data
  VG Name                vg_user_data
  LV UUID               
  LV Write Access        read/write
  LV Creation host, time localhost, 2013-03-12 11:45:54 +0100
  LV Status              available
  # open                 0
  LV Size                699,97 GiB
  Current LE             179193
  Segments               7
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0
   
  --- Logical volume ---
  LV Path                /dev/vg_root_volume/lv_real_root
  LV Name                lv_real_root
  VG Name                vg_root_volume
  LV UUID               
  LV Write Access        read/write
  LV Creation host, time ,
  LV Status              available
  # open                 1
  LV Size                102,00 GiB
  Current LE             26112
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:1


Quote:

Kernel command line (build into kernel)
initrd=/initramfs-genkernel-x86_64-3.18.9-hardened crypt_root=/dev/sda2 root=/dev/mapper/lvm-root init=/usr/lib/systemd/systemd dolvms


usually you need dolvm and some others. self-written grub2 entry. as you can see the initramfs is very very old lol
check your bootloader which entry you need to boot your setup. /boot is 512 mb ext2 unencrypted here. grub2 from linux mint, ~3 years old ...

Code:

menuentry ' 3.10.73-gentoo_2015_04_01' --class gento --class gnu-linux --class gnu --class os {
 linux /3.10.79-gentoo_2015_05_30 init=linuxrc ramdisk=8192 crypt_root=dev/mapper/vg_root_volume-lv_real_root realroot=/dev/mapper/lv_real_root dolvm net.ifnames=0
 initrd /initramfs-genkernel-x86_64-3.5.3-gentoo_Sept_2012
}


edit: I highly recommend that you stick to a kernel.org stable release long term kernel, like 3.10 or 3.18. That's more a personal opinion but worth mentioning. you do not want to screw up your filesystem / encryption because you run "unstable / too new" kernels.

3.10.x is mature, though the support ends in august or so => Then I will switch to the 3.18.x branch
I heard 4.x.x sometimes has ext4 issues. Since I used that 3.10 branch I hardly had any major kernel-related issues.
bman66
n00b

Joined: 02 Jun 2015
Posts: 8

PostPosted: Sun Jun 07, 2015 1:35 am

Quote:
lvm for moving those chunks from one disk to the other when i change hardware
luks for privacy
ext4 because it was the most mature fs, though it had issues as i started to use it (still issues with ext4 and kernel 4.0.x what i readhere ...)


Oh, that makes a lot of sense! I never thought about it that way. Though I'm not sure if the order is that important: luks -> lvm would require you to luksFormat the second hard disk, but then the lvm should still be portable between the two encrypted devices, whereas lvm -> luks would require you to pvcreate the second hard disk, but then the luks should be portable between the two (which might have an advantage because you're not re-encrypting it). I think I might stick with luks -> lvm so I don't need to worry about setting up keyfiles.

Quote:
you can always grow shrink your data when you rely on a "mature proven fs" like ext4


I'm using xfs because it's old, robust and fast (I'd say more mature than ext4). It was developed in 1993, and ported to linux in 2001 (actively developed). It seems to perform consistently well under lots of hdd workloads (not to mention RHEL/Fedora/CentOS use it by default). The drawback is it can't be re-sized. But my data is backed up & compressed incrementally (evens out read/writes on the disk maximizing life, easy compression, gives me a way to "reverse" non-revisioned files). My OS partition is usually small (<=100GB), and I usually make a point of making it easily reproducible, so I'm not expecting re-sizing to come up as an issue for my personal setup. In scaled setups, you can "resize" by creating a smaller xfs with the same uuid and smaller size on another disk, and sync the files over.

`/boot` is vfat because UEFI (and I'd like to take advantage of secure boot with a re-keyed bios).

Quote:
separate data partiton => usually /home which is on a separate partition

Yep. I find /home can get messy sometimes with all the .XXX files though, not to mention my own configurations, so I use it more of as a "temporary workbench" and use /media/data as my permanent storage. Some people say I over organize my stuff. :P

Quote:
just checked root was just moved and the user data resides in 7x 100gb junks which sums up to 700gb. (just made many 100gb junks and added them. hardly in use these days)

Ouch. Was the thought to break it up into parts so that you can move individual partitions around your systems? I keep my permanent data on one large fs (separate from my os), and organize it on a simple hierarchy. If I was in the situation of needing individual sections moved, I would just rsync the sections of the needed hierarchy with the main server that is incrementally backed up. In the case that I need to scale to lots of systems, I would use torrents to sync everything because of the auto-balancing (most businesses find it surprising that torrents are "the" canonical way of load balancing static files).

Quote:
I highly recommend that you stick to a kernel.org stable release long term kernel, like 3.10 or 3.18.

True, I usually stick to the distro's "stable" kernel. Though there's nothing wrong with using newer kernels on personal systems since it's trivial to restart with another one. When hacking the kernel, I use linus's trunk.

EDIT: Marking this as solved, since I think I know how I should set up my partitions.
EDIT2: Never mind, I don't see a button to mark it as solved.
frostschutz
Advocate

Joined: 22 Feb 2005
Posts: 2970
Location: Germany

PostPosted: Sun Jun 07, 2015 12:33 pm

bman66 wrote:
The drawback is it can't be re-sized.


You can grow it; only shrinking requires some more work (indirectly through xfs dump/restore).

I'm quite happy with XFS myself. On ext* I tend to run out of inodes [of which Gentoo in particular needs loads] and those you can't grow either.
steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

PostPosted: Mon Jun 08, 2015 2:33 pm

bman66 wrote:
EDIT2: Never mind, I don't see a button to mark it as solved.

Hit the "edit" button on the original post (OP), and modify the subject line.