[Solved] Problem with full encrypted root
AleksandrSS (n00b) -- Joined: 17 Jul 2015, Posts: 6
Posted: Thu Aug 06, 2015 7:39 pm    Post subject: [Solved] Problem with full encrypted root

Hi everybody.

I want to use a keyfile on an SD card to unlock my root partition in Gentoo. I followed a lot of tutorials, but most of them ask to modify something in /boot/grub/grub.conf, and grub2 has /boot/grub/grub.cfg.
Others ask me to use /etc/conf.d/dmcrypt, but that doesn't work with the root partition. Can someone help me? I'm currently unlocking the root with a password. For that, I added GRUB_CMDLINE_LINUX="real_root=/dev/mapper/root crypt_root=/dev/sda3" to /etc/default/grub, but I want the auto-unlock with a keyfile.

My partitions:
- /dev/sda1, 2MB, for grub2 requirements
- /dev/sda2, 128MB, for the /boot partition (unencrypted)
- /dev/sda3 for the encrypted root partition
- /dev/mmcblk0p2 for the unencrypted partition with the keyfile

The SD reader requires the module "rtsx_usb_sdmmc", which is installed in the system.

Last edited by AleksandrSS on Sat Aug 29, 2015 8:31 am; edited 1 time in total
msst (Apprentice) -- Joined: 07 Jun 2011, Posts: 216
Posted: Thu Aug 06, 2015 9:41 pm

I think you will need some kind of initrd that is able to mount your encrypted root with the help of the key on the SD card.

I am aware of better-initramfs and mkinitramfs-ll that should be able to do that. Setting it up can be nontrivial though.
Roman_Gruber (Advocate) -- Joined: 03 Oct 2006, Posts: 3806, Location: Austro Bavaria
Posted: Thu Aug 06, 2015 9:57 pm

Well, I use a genkernel initrd.
But for your purpose you need some sort of initrd and then hard-code where the key file is.

Seriously, when you put your unlock key on a memory card, you could boot from a USB stick too, and carry that USB stick with you always.

You need to check in the GRUB command line if you can access the SD card there. What the kernel sees is not relevant, because it is used later.
Only your boot loader matters, and the boot loader needs access to the SD card and needs to be able to read it.

So, as you already have written,

you need to specify the SD card location, if possible (technically, not sure, as every SD card reader is different ...)
and then point to that file on the SD card.

It is much easier and faster to use a USB stick, as I doubt you will leave the SD card in the laptop all the time, right?
So unplugging the SD card or a USB stick is just the same in the end, and you can remove it after your box has booted ...
AleksandrSS (n00b) -- Joined: 17 Jul 2015, Posts: 6
Posted: Fri Aug 07, 2015 10:27 am

I'm not able to find any tutorial on making an initramfs which decrypts the root.

The only solution I found is to write the init script myself. Must I do that, or is there some automatic tool?
Roman_Gruber (Advocate) -- Joined: 03 Oct 2006, Posts: 3806, Location: Austro Bavaria
Posted: Sat Aug 08, 2015 5:43 pm

USB key + initrd from genkernel, and the USB key holds all boot data.

Then hack it to your needs.

Well, Google is your friend; maybe someone did that before you.

It is a trade-off of time: searching for someone who did that already vs. doing it yourself vs. the easy way, as I told you already: a USB key with all the bootable stuff on the key, which you carry around!

And you probably need to learn the syntax and other background to get it right too, which is maybe time-consuming, for myself at least.

That's why I went with a 512 MB boot partition as ext2 + initrd from genkernel from the year 2012, with the modules inside, + manually entering the password on every boot of my box. I did not bother to checksum the /boot partition, but when you are paranoid you could checksum that and compare it automatically on every boot to see if someone did something to /boot... who cares ...
szatox (Veteran) -- Joined: 27 Aug 2013, Posts: 1746
Posted: Sat Aug 08, 2015 7:31 pm

Genkernel has a --luks option. Try enabling it.
After that, all that should be needed for decrypting root is the crypt_root option on the boot line, so the kernel knows what it's supposed to look for.
AleksandrSS (n00b) -- Joined: 17 Jul 2015, Posts: 6
Posted: Sat Aug 29, 2015 8:31 am

The --luks option of genkernel works for a password, not for key files. I finally programmed my own initramfs.
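The thread ends with a hand-written initramfs but does not show one. The following is an added example, not the poster's script or anything from genkernel: a minimal POSIX /init that loads the reader module, waits for the SD card, unlocks the LUKS root with the keyfile and falls back to the normal passphrase prompt when the card is absent. Device names come from the thread; the keyfile name, mount points and /newroot are assumptions.

```shell
#!/bin/sh
# Minimal initramfs /init: unlock the LUKS root with a keyfile read from an SD
# card and fall back to the passphrase prompt when the card or file is absent.
# Names follow the thread (root /dev/sda3, key partition /dev/mmcblk0p2, module
# rtsx_usb_sdmmc); KEYFILE, KEY_MNT and /newroot are assumptions.
CRYPT_ROOT=/dev/sda3
REAL_ROOT=/dev/mapper/root
MAPPER_NAME=root
KEY_DEV=/dev/mmcblk0p2
KEY_MNT=/mnt/key
KEYFILE=root.key
# Build the cryptsetup command; printing it keeps the decision logic testable.
# Without --key-file cryptsetup asks for the passphrase on the console.
unlock_cmd() {
    if [ -n "$1" ]; then
        echo "cryptsetup luksOpen --key-file $1 $CRYPT_ROOT $MAPPER_NAME"
    else
        echo "cryptsetup luksOpen $CRYPT_ROOT $MAPPER_NAME"
    fi
}
# cmdline_opt NAME "CMDLINE TEXT" DEFAULT: value of NAME=... or the default.
cmdline_opt() {
    for word in $2; do                     # unquoted on purpose: split on spaces
        case "$word" in "$1="*) echo "${word#*=}"; return 0 ;; esac
    done
    echo "$3"
}
# The card shows up some seconds after the module loads, so poll for it.
wait_for_dev() {
    i=0
    while [ ! -b "$1" ] && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
    [ -b "$1" ]
}
main() {
    mount -t proc proc /proc; mount -t sysfs sysfs /sys; mount -t devtmpfs devtmpfs /dev
    CRYPT_ROOT=$(cmdline_opt crypt_root "$(cat /proc/cmdline)" "$CRYPT_ROOT")
    REAL_ROOT=$(cmdline_opt real_root "$(cat /proc/cmdline)" "$REAL_ROOT")
    modprobe rtsx_usb_sdmmc
    key=
    if wait_for_dev "$KEY_DEV" && mkdir -p "$KEY_MNT" \
        && mount -o ro "$KEY_DEV" "$KEY_MNT" && [ -r "$KEY_MNT/$KEYFILE" ]; then
        key="$KEY_MNT/$KEYFILE"
    fi
    $(unlock_cmd "$key") || exec sh        # rescue shell if unlocking fails
    [ -n "$key" ] && umount "$KEY_MNT"     # do not leave the key mounted
    mkdir -p /newroot && mount -o ro "$REAL_ROOT" /newroot
    exec switch_root /newroot /sbin/init
}
if [ "$$" = 1 ]; then main; fi             # act only as PID 1 inside the initramfs
```

The kernel still needs the initramfs listed in grub.cfg (genkernel or a hand-built cpio with busybox, cryptsetup and the module inside); the keyfile partition being plain makes possession of the card the secret, which is why the passphrase slot stays as the fallback.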