Gentoo Forums :: Installing Gentoo
Securely dual booting Gentoo and Windows

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Wed Sep 09, 2015 4:35 pm    Post subject: Securely dual booting Gentoo and Windows

I want to install Gentoo securely on an encrypted partition (not hard-drive, just a partition on the hard-drive). How do I do that?

I want to create a dual-boot system for the "paranoid" mode...

Here are my requirements and the rationale for them:

I want to install Gentoo with maximum security and privacy on an encrypted file system that only unlocks with a password. The drive has to be encrypted so that the Windows OS cannot access the unencrypted/plaintext data on that drive in any shape or form. I want my Gentoo installation to be safe from the preying eyes of Microsoft or any other 3rd party.

I want the linux partition to be fully encrypted even the filenames and directories... It is okay if the Windows OS can detect the existence of an encrypted partition as long as it has no access to its unencrypted contents. For example, it is okay if the Windows OS can detect the existence of a file system such as "eCryptfs" (just as an example), but no additional information beyond that.

Could someone advise me on a filesystem and other settings to choose to achieve this goal?

The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2574

PostPosted: Wed Sep 09, 2015 4:54 pm

Google "gentoo luks" without quotes.

But that is overkill as Windows can't read the ext2/3/4 partitions anyway.
_________________
First things first, but not necessarily in that order.

Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Wed Sep 09, 2015 6:22 pm

Thank you for the hint...

I am currently testing the setup process inside a VMware machine before deploying it on my machine.

I have decided to use the "hardened" system. I am not familiar with it, but based on a quick glance, it seems to be a more secure version of Gentoo. Is using a "hardened" setup necessary?! What are the advantages and disadvantages of it in terms of security and privacy? What about usability?

roki942
Apprentice
Joined: 18 Apr 2005
Posts: 284
Location: Seattle

PostPosted: Wed Sep 09, 2015 6:32 pm

The Doctor wrote:
Google "gentoo luks" without quotes.
But that is overkill as Windows can't read the ext2/3/4 partitions anyway.

It's easy to access extfs on Windows, http://www.ext2fsd.com/ for example.

doni88
n00b
Joined: 09 Sep 2015
Posts: 1

PostPosted: Wed Sep 09, 2015 6:54 pm

Install VMware and install Gentoo on VMware.

Mod Edit: This user posted with intention to spam and has been banned. Post kept here because it got a meaningful reply

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Wed Sep 09, 2015 7:02 pm

doni88 wrote:
Install VMware and install Gentoo on VMware.

Key loggers and screen capture technologies could easily circumvent this setup, IMO.

The reason I want this setup is that I installed Tor Browser on Windows for additional privacy; however, on second thought, I realized that this is not secure because there is plenty of closed-source software on Windows, which can easily make this a pointless exercise.

So I want to keep Windows for usability, and install Gentoo as a dual boot for when I want/need something more secure.

I want it to be kind of like using "Tails Live CD" which is used for secure computing, but having it as an installed OS rather than a live CD.

The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2574

PostPosted: Wed Sep 09, 2015 9:33 pm

Quote:
It's easy to access extfs on windows http://www.ext2fsd.com/ for example.
Yes, but that isn't the default behavior so it might be acceptable depending on the level of paranoia.

zaidgs wrote:
I have decided to use the "hardened" system. I am not familiar with it, but based on a quick glance, it seems to be a more secure version of Gentoo.
Indeed. The NSA wrote SELinux, so if you absolutely must use a policy, use grsecurity. At least, as long as you want to avoid the NSA software. In practice, the hardened sources and profile should give you a good level of protection by default. Again, Google has a few hundred pages on the subject. I found some software like LXDE wouldn't run on hardened, as pcmanfm was detected making a stack smashing attack. It was a bug, not an attack, and I don't know if it was ever fixed.

Logicien
Veteran
Joined: 16 Sep 2005
Posts: 1368
Location: Montréal

PostPosted: Wed Sep 09, 2015 9:47 pm

It's funny to see that someone wants to encrypt Gentoo alongside a Windows installation. Is it to prevent Gentoo from being corrupted by any Windows access?

A good practice in my opinion is NOT to use Windows. If one must use it, use it alone on a computer with no network access with Gentoo. Even if Windows cannot access Gentoo, when installed on the same machine it can change the Linux behavior after a restart. There is a significant security lift when using only free software.
_________________
Paul

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Wed Sep 09, 2015 10:10 pm

The NSA writing software is not a big deal if it is open source and open for review by the community. I would not trust a binary file from the NSA, but source code that is compiled on my PC (and reviewed by the community) should be safe. Although, I think it is reasonable to assume that publicly released software by the NSA has some weaknesses known to them.

I want to assume that binary files are not safe, and that Microsoft or some other 3rd party might include a backdoor/trojan in their software.

Since through windows all the hard disk data is accessible, then encryption seems necessary to me.

Logicien wrote:
It's funny to see that someone wants to encrypt Gentoo alongside a Windows installation. Is it to prevent Gentoo from being corrupted by any Windows access?

A good practice in my opinion is NOT to use Windows. If one must use it, use it alone on a computer with no network access with Gentoo. Even if Windows cannot access Gentoo, when installed on the same machine it can change the Linux behavior after a restart. There is a significant security lift when using only free software.

You make a valid point, since malicious software could be installed in the bootloader.

"Is it to prevent Gentoo from being corrupted by any Windows access?"

Yes, I am assuming that malicious software could modify a Gentoo installation (say, replace a binary system file), this is why I want to encrypt the whole linux partition (/).

Is there a way to protect against that? Or is it just better to stick to a Live CD setup?

PS: I am not an expert in security or anything (obviously)... I want to have something as secure as possible for my own peace of mind, nothing mission critical...

roki942
Apprentice
Joined: 18 Apr 2005
Posts: 284
Location: Seattle

PostPosted: Wed Sep 09, 2015 11:19 pm

Just a thought, as I don't know if the speed hit would trouble you. You could always have Gentoo on an external eSATA or USB 3 drive that's attached only when running Gentoo.

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Wed Sep 09, 2015 11:46 pm

roki942 wrote:
Just a thought, as I don't know if the speed hit would trouble you. You could always have Gentoo on an external eSATA or USB 3 drive that's attached only when running Gentoo.

That is a better alternative to a Live CD. But I am trying to make the dual boot setup work.

The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2574

PostPosted: Thu Sep 10, 2015 12:20 am

Another option. If you are only worried about Windows, don't bother installing it on hardware. VMware Player can be a fine container for it. That is where my copy of Windows lives. With a bit of power under the hood I can have a good gaming experience and get around Hulu doing stupid things with their Linux tech requirements.

schorsch_76
Guru
Joined: 19 Jun 2012
Posts: 450

PostPosted: Thu Sep 10, 2015 7:00 am

On my desktop I had such an installation:
/dev/sda1: winboot
/dev/sda2: Windows
/dev/sda3: boot (ext2)
/dev/sda4: extended
/dev/sda5: LUKS

Inside LUKS I had Gentoo installed.
* /boot contained the kernel and initrd and all the GRUB stuff
* GRUB booted my Windows via chainload
_________________
// valid again: I forgot about the git access. Now 1.2GB big. Start: 2015-06-25
git daily portage tree
Web: https://portage.schorsch-tech.de
git clone https://portage.schorsch-tech.de/portage.git

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Thu Sep 10, 2015 3:27 pm

I am facing a technical difficulty that I seem to not be able to solve...

I am currently still testing in a VM environment.

I have one HDD such that:
/dev/sda
/dev/sda1 (LVM on LUKS)

/dev/sda1 is offset by 2 MB, as usual, for GRUB to be installed.

My /boot is INSIDE the LUKS (/dev/sda1) partition.

The problem is that "grub2-install /dev/sda" fails with the following error message:
Quote:
grub2-install /dev/sda
Installing for i386-pc platform # I am using amd64, is this a problem?
File descriptor 3 (pipe:[XXXX]) leaked on vgs invocation.
Volume group "enc_sda1" not found
Skipping enc_sda1
File descriptor 3 (pipe:[XXXX]) leaked on vgs invocation.
Volume group "enc_sda1" not found
Skipping enc_sda1
grub2-install: error: disk 'lvm/lvm2-lvm2_root' not found


What gives?

Note: At first I used only LUKS *without* LVM. I got a similar message that looked like this:
Quote:
grub2-install /dev/sda
Installing for i386-pc platform
Volume group "enc_sda1" not found
Skipping enc_sda1
Volume group "enc_sda1" not found
Skipping enc_sda1
grub2-install: error: disk 'lvm/enc_sda1' not found

schorsch_76
Guru
Joined: 19 Jun 2012
Posts: 450

PostPosted: Fri Sep 11, 2015 6:33 am

You can't access /boot from the bootloader as it is still encrypted inside LUKS. You need the kernel and the initrd outside of LUKS.
Options are: boot from an external USB stick, or from a separate, unencrypted partition like in my solution.

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Fri Sep 11, 2015 1:39 pm

schorsch_76 wrote:
You can't access /boot from the bootloader as it is still encrypted inside LUKS. You need the kernel and the initrd outside of LUKS.
Options are: boot from an external USB stick, or from a separate, unencrypted partition like in my solution.

I am aware of that. But I found one article that claims that GRUB has the capability to mount encrypted devices.

http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Sat Sep 12, 2015 2:46 pm

Ok, I have it all figured out now...

I will share my results for anyone who may need it in the future.

1) To instruct grub to decrypt the drive before mounting it, you have to add the following to "/etc/default/grub":
Quote:
ENCR_DEVICE_ROOT="/dev/sda2"
DECR_ROOT="/dev/mapper/luks_decrypted" # LUKS *without* LVM
#DECR_ROOT="/dev/lvm_vg/lvm_root" # LVM over LUKS
GRUB_CMDLINE_LINUX="crypt_root=$ENCR_DEVICE_ROOT real_root=$DECR_ROOT"


2) It is optional to use LVM. This is not a requirement. However, if LVM is being used then add the following line in "/etc/default/grub":
Quote:
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX dolvm"


3) Make sure to compile the kernel with the needed modules built in. These include:
3a) Device mapper support (in: Multiple devices driver support)
3b) Crypt target support (in: Multiple devices driver support)
3c) Cryptographic APIs (these are well documented elsewhere; Google them.)

4) Make sure the initramfs has all necessary modules by using the following command for genkernel:
Quote:
genkernel --luks --lvm --gpg --busybox --menuconfig all


5) Make sure that your USE flags are properly set.
5a) Make sure that genkernel is built with the "cryptsetup" flag.
5b) Make sure that grub is built with the "device-mapper" flag.
It is better to simply add those two USE flags to the global "/etc/portage/make.conf" file.

6) Optionally, you can also encrypt the "/boot" partition. If "/boot" is inside an encrypted partition, add the following line to "/etc/default/grub":
Quote:
GRUB_ENABLE_CRYPTODISK=y


Note: The scenario of #6 where the boot partition is also encrypted has the annoyance of having to enter the password of the encrypted device twice. If I manage to fix this annoyance, I will share my results.

Note: This article should also be helpful for a more detailed guide: https://www.preney.ca/paul/archives/389
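An added example (my own, not code posted in the thread and not part of Gentoo or genkernel): a POSIX shell helper that builds the kernel command line genkernel's initramfs expects from steps 1, 2 and 6 above, checks an /etc/default/grub fragment for the three mistakes this thread ran into (missing crypt_root/real_root, LVM root without dolvm, /boot inside LUKS without GRUB_ENABLE_CRYPTODISK=y, which is what produced the "disk 'lvm/...' not found" error from grub2-install earlier), and prints a menu entry that chainloads a BIOS/MBR Windows partition as in schorsch_76's layout. Device paths, the sample config text and the Windows filesystem UUID are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for a LUKS (optionally LVM-on-LUKS)
# root that GRUB unlocks before loading the kernel, as set up in the post above.
# Assumes genkernel's initramfs, which reads crypt_root=, real_root= and dolvm
# from the kernel command line.  Paths and UUIDs below are placeholders.

# Build the kernel command line for genkernel's initramfs.
#   $1 = encrypted device (/dev/sdXN or UUID=...), $2 = decrypted root device,
#   $3 = "lvm" if the root LV sits on top of the LUKS container, else ""
render_cmdline() {
    enc=$1; root=$2; lvm=$3
    case "$enc" in
        UUID=*|/dev/*) ;;
        *) echo "render_cmdline: crypt_root must be /dev/... or UUID=..." >&2; return 1 ;;
    esac
    line="crypt_root=$enc real_root=$root"
    [ "$lvm" = lvm ] && line="$line dolvm"
    printf '%s\n' "$line"
}

# Check an /etc/default/grub file the way grub2-mkconfig sees it: the file is
# sourced as shell, which is why the $VAR and "$GRUB_CMDLINE_LINUX dolvm"
# idioms in the post work.  $1 = file, $2 = "encrypted-boot" or "plain-boot".
# Returns 0 when consistent; each problem is printed on stderr.
check_grub_defaults() {
    f=$1; bootmode=$2; rc=0
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    cmdline=$( . "$f" >/dev/null 2>&1; printf '%s' "$GRUB_CMDLINE_LINUX" )
    cryptodisk=$( . "$f" >/dev/null 2>&1; printf '%s' "$GRUB_ENABLE_CRYPTODISK" )
    crypt=""; real=""; dolvm=""
    for tok in $cmdline; do
        case "$tok" in
            crypt_root=*) crypt=${tok#crypt_root=} ;;
            real_root=*)  real=${tok#real_root=} ;;
            dolvm)        dolvm=1 ;;
        esac
    done
    [ -n "$crypt" ] || { echo "crypt_root= missing: initramfs will never ask for the passphrase" >&2; rc=1; }
    [ -n "$real" ]  || { echo "real_root= missing: nothing to mount after unlocking" >&2; rc=1; }
    # /dev/<vg>/<lv> (not /dev/mapper/..., not a raw partition) means LVM on LUKS:
    # without dolvm the VG is never activated and boot stops at the real_root prompt.
    case "$real" in
        /dev/mapper/*|/dev/sd*|/dev/vd*|/dev/nvme*|"") ;;
        /dev/*/*) [ -n "$dolvm" ] || { echo "real_root=$real looks like an LVM LV but dolvm is missing" >&2; rc=1; } ;;
    esac
    # /boot inside the LUKS container: grub2-install must build a core image that
    # can unlock it, otherwise it fails with "disk 'lvm/...' not found".
    if [ "$bootmode" = encrypted-boot ] && [ "$cryptodisk" != y ]; then
        echo "GRUB_ENABLE_CRYPTODISK=y is required when /boot is encrypted" >&2; rc=1
    fi
    return $rc
}

# Print a menu entry for /etc/grub.d/40_custom that chainloads a BIOS/MBR Windows
# install from the partition whose filesystem UUID is $1 (placeholder in the
# test).  GRUB never has to read the encrypted Gentoo side to do this.
windows_chainload_entry() {
    cat <<EOF
menuentry "Windows" {
    insmod part_msdos
    insmod ntfs
    search --no-floppy --fs-uuid --set=root $1
    chainloader +1
}
EOF
}
```

Run `check_grub_defaults /etc/default/grub encrypted-boot` before `grub2-mkconfig` and `grub2-install`; the checker only validates configuration. What it cannot cover is the trust boundary itself: with /boot inside LUKS the grub core image in the 2 MB gap before the first partition is still unencrypted, so another OS on the same disk can replace it, which is the threat Logicien described. Note also that GRUB's cryptodisk support of that era handled LUKS1 only; LUKS2 came with GRUB 2.06 and, for a long time, only with PBKDF2 rather than Argon2.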

schorsch_76
Guru
Joined: 19 Jun 2012
Posts: 450

PostPosted: Mon Sep 14, 2015 5:48 am

Thanks for that info! I didn't know that :)

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Wed Sep 16, 2015 7:25 pm

Ok, I have moved from installing the system on a VMware machine to installing it onto the physical computer. However, I have run into two nasty problems. It is worth noting that these problems were not faced while installing on a VM. Also, the physical installation boots fine when placed on an unencrypted partition, with both the USB stick and keyboard available...

The way I have setup the system is that the key for decrypting the HDD resides on a USB stick. The problems are as follows:
1- The USB is not seen by the kernel during the boot operation.
2- The keyboard is not seen by the kernel during the boot operation.

This means that I cannot enter a passphrase using the keyboard, nor can I load the key from the USB stick.

Here are two screenshots: 1- http://tinypic.com/r/a40t8n/8 2- http://tinypic.com/r/10eitn7/8

The device name is actually "/dev/sdc2", however I used UUID just to be sure it was not a naming issue.

Please note that the following kernel options have been turned on already as built-in modules (=y):
Code:
USB_OHCI_HCD USB_OHCI_HCD_PCI USB_UHCI_HCD USB_EHCI_HCD USB_EHCI_PCI USB_XHCI_HCD USB_XHCI_PCI USB_STORAGE USB_HID USB_HIDDEV HID_GENERIC


Last edited by zaidgs on Wed Sep 16, 2015 7:52 pm; edited 1 time in total

The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2574

PostPosted: Wed Sep 16, 2015 7:35 pm

Support must be in your kernel for usb devices, not as a module.

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Wed Sep 16, 2015 7:42 pm

The Doctor wrote:
Support must be in your kernel for usb devices, not as a module.

Yes, that is already taken care of... The modules mentioned above are all installed as built-in modules (=y). Still the problem exists... Unless there is a module that has not been included in the above list, this is not the issue at hand... Or at least not a complete solution.

dasPaul
Apprentice
Joined: 14 Feb 2012
Posts: 192
Location: Dresden

PostPosted: Thu Sep 17, 2015 3:11 pm

Some USB controllers need some time to get initialized. You can try adding a usb-wait option. I had USB controllers that needed a usb-wait of 5 to 15 seconds before they were recognized and mountable.

zaidgs
n00b
Joined: 08 Sep 2015
Posts: 16

PostPosted: Thu Sep 17, 2015 4:15 pm

I have fixed my issue... As it turns out, this was due to a misconfigured genkernel... It was not using my intended .config file, and so, the kernel was not compiled with the options I have chosen...

Thanks to the folks at the IRC channel who suggested I confirm my kernel configuration using "zcat /proc/config.gz".
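An added example, my own rather than anything posted in the thread, for the two checks this post and the USB option list above imply: confirm that the options an initramfs needs before the root filesystem is unlocked (USB host controllers, HID, USB storage, device mapper, dm-crypt) are built in as =y, not =m, in the kernel that actually booted, and diff the intended .config against the running one. The running kernel's configuration is readable as /proc/config.gz when CONFIG_IKCONFIG_PROC is set; the option list and the two sample config files in the test are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: check that the kernel options an
# early-boot LUKS setup depends on are built in (=y) in the kernel that
# actually booted.  Input is Kconfig-style text, e.g. the intended .config or
#   zcat /proc/config.gz > running.config     (needs CONFIG_IKCONFIG_PROC)
# The option list is constructed for this example; extend it for your hardware
# (e.g. a PS/2 keyboard needs the i8042/atkbd options instead of USB_HID).

REQUIRED_BUILTIN="USB_OHCI_HCD USB_UHCI_HCD USB_EHCI_HCD USB_XHCI_HCD USB_STORAGE USB_HID HID_GENERIC BLK_DEV_DM DM_CRYPT"

# Print the state of option $2 (without the CONFIG_ prefix) in config file $1:
# y, m, n (explicitly "is not set"), absent, or the literal value of a
# string/int option.
config_state() {
    [ -r "$1" ] || { echo absent; return; }
    line=$(grep -E "^(CONFIG_$2=|# CONFIG_$2 is not set)" "$1" | head -n 1)
    case "$line" in
        "CONFIG_$2=y")             echo y ;;
        "CONFIG_$2=m")             echo m ;;
        "# CONFIG_$2 is not set")  echo n ;;
        "")                        echo absent ;;
        *)                         echo "${line#CONFIG_$2=}" ;;
    esac
}

# Return 0 iff every option in REQUIRED_BUILTIN is =y in $1; offenders go to
# stderr.  =m is not enough: the initramfs needs the driver before the root
# filesystem (and therefore /lib/modules) has been unlocked and mounted.
check_builtin() {
    f=$1; rc=0
    for opt in $REQUIRED_BUILTIN; do
        s=$(config_state "$f" "$opt")
        [ "$s" = y ] || { echo "CONFIG_$opt=$s (need y)" >&2; rc=1; }
    done
    return $rc
}

# Print the required options whose state differs between the intended .config
# ($1) and the running kernel's config ($2): the mismatch behind "the options I
# chose are not in the kernel genkernel built".  Returns 0 when they agree.
config_drift() {
    intended=$1; running=$2; n=0
    for opt in $REQUIRED_BUILTIN; do
        a=$(config_state "$intended" "$opt"); b=$(config_state "$running" "$opt")
        [ "$a" = "$b" ] || { echo "CONFIG_$opt: intended=$a running=$b"; n=$((n + 1)); }
    done
    [ "$n" -eq 0 ]
}
```

Typical use after a boot that failed to see the keyboard or USB stick: `zcat /proc/config.gz > /tmp/running.config`, then `check_builtin /tmp/running.config` and `config_drift /usr/src/linux/.config /tmp/running.config`. If the drift report is non-empty, genkernel built from a different configuration than the one edited; pointing it at the right file explicitly with its --kernel-config option avoids the guesswork.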