Gentoo Forums
boot encrypted partition with luks key-file on usb?
Francois1
n00b

Joined: 26 Feb 2016
Posts: 12

Posted: Fri Feb 26, 2016 10:47 am    Post subject: boot encrypted partition with luks key-file on usb?

Hello
Some weeks ago I believed I would choose a standard approach to install Gentoo on my laptop. Since then I have read many documents, forum entries and websites. It is weird. The available information is more cryptic than the encryption itself.

I want to have full disc encryption (FDE) using luks/dmcrypt. A keyfile on an external usb stick should open the encrypted container at boot. I have set up all corresponding partitions, encryption, and keyfile and can open, mount and access them. But I did not find comprehensive instructions on how to boot such a system. grub2 should act as boot manager.
Here is some background information:
    partitions are: sdx1 = /boot (ef00); sdx2 = crypt container
    within the encrypted partition, lvm with lvs: vg-root and vg-home
    key-file is on usb-stick
    System is UEFI/GPT, the efi boot partition is mounted directly to /boot
    used genkernel --lvm --luks --menuconfig all to get the kernel, initramfs and System.map into /boot

I installed grub2 after having set the platform variable to efi-64. From then on I am lost. What are the correct command parameters for
Code:
grub2-mkconfig
grub2-install
About half a year ago the very same question here in the forum ended with the notion that the thread starter would program his own initramfs. I cannot believe this is necessary. Should I be wrong, I need help, since this is far beyond my knowledge.

Any advice?
Thanks,
Francois
Francois1
n00b

Joined: 26 Feb 2016
Posts: 12

Posted: Fri Feb 26, 2016 10:08 pm

Nobody? According to this thread there are some experts around here.

Hope it's not because the NSA objects :roll:
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 43221
Location: 56N 3W

Posted: Fri Feb 26, 2016 10:26 pm

Francois1,

The kernel plus the initrd needs to be able to read the key file from USB.
The key file can be called anything and can be anywhere in the USB directory structure.
The initrd needs to know all this.

I don't think you need to make your own initrd but it looks like you need to make your own initrd init script, or at least edit the one provided by genkernel, so it can find the key file.

There is a wrinkle or two due to the use of USB for the key file. USB is not normally started until root is mounted but you need USB to work to get the key to unlock the container before you can even see root.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
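As an added example (not code from the thread, from genkernel or from Gentoo), this is the shape of the init-script logic NeddySeagoon describes: bring the USB stack up inside the initramfs, wait for the stick to enumerate, mount it read-only, hand the key file to cryptsetup, and unmount again so the stick can be pulled after boot, falling back to a passphrase prompt if the stick or key is not usable. The filesystem label KEYSTICK, the path /keys/root.key, the mapper name root and the usual USB module names are assumptions; /dev/sdx2 is the container from the original post. Resolving the label through /dev/disk/by-label needs udev or mdev running in the initramfs, and the blkid -L fallback is util-linux's blkid, both also assumed.

```shell
#!/bin/sh
# Added example: locating a LUKS key file on a USB stick from an initramfs.
# Not genkernel's own linuxrc; the names below are assumptions.
KEY_LABEL="${KEY_LABEL:-KEYSTICK}"        # filesystem label of the stick (assumed)
KEY_FILE="${KEY_FILE:-/keys/root.key}"     # key path on that filesystem (assumed)
CRYPT_ROOT="${CRYPT_ROOT:-/dev/sdx2}"      # LUKS container from the original post
MAPPER_NAME="${MAPPER_NAME:-root}"         # /dev/mapper/<name> after luksOpen (assumed)
KEY_MNT="/mnt/keystick"

# Poll until a path exists or the timeout (seconds) expires.
# USB enumeration is asynchronous: the stick's node can appear seconds after
# usb-storage loads. Returning non-zero lets the caller fall back to a
# passphrase instead of hanging forever if the stick is not plugged in.
wait_for_path() {
    path="$1"; timeout="${2:-10}"; waited=0
    while [ ! -e "$path" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Bring up USB inside the initramfs. These modules must be in the image
# (genkernel's --all-modules, or listed in /etc/genkernel.conf); modprobe is
# a no-op for drivers built into the kernel.
load_usb_storage() {
    for m in usb_storage uas xhci_pci ehci_pci; do
        modprobe "$m" 2>/dev/null
    done
}

# Find the stick by label so the script does not care which /dev/sdX the
# kernel assigned it; print the device node on stdout.
find_key_device() {
    if wait_for_path "/dev/disk/by-label/$KEY_LABEL" 15; then
        echo "/dev/disk/by-label/$KEY_LABEL"
        return 0
    fi
    dev=$(blkid -L "$KEY_LABEL" 2>/dev/null) && [ -n "$dev" ] && { echo "$dev"; return 0; }
    return 1
}

# Open the container with the key file. The stick is mounted read-only and
# unmounted right after luksOpen, so it is only needed at boot.
unlock_root() {
    load_usb_storage
    if keydev=$(find_key_device); then
        mkdir -p "$KEY_MNT"
        mount -o ro "$keydev" "$KEY_MNT"
        if cryptsetup luksOpen --key-file "$KEY_MNT$KEY_FILE" "$CRYPT_ROOT" "$MAPPER_NAME"; then
            umount "$KEY_MNT"
            return 0
        fi
        umount "$KEY_MNT"
        echo "key file on $keydev rejected, falling back to passphrase" >&2
    else
        echo "no device labelled $KEY_LABEL found, falling back to passphrase" >&2
    fi
    cryptsetup luksOpen "$CRYPT_ROOT" "$MAPPER_NAME"
}

# Only act when run as the init script (INITRAMFS_UNLOCK=1); sourcing the
# file merely defines the functions. After unlocking, the LVM volumes inside
# the container still have to be activated before /dev/mapper/vg-root exists.
if [ "${INITRAMFS_UNLOCK:-0}" = "1" ]; then
    unlock_root && vgchange -ay
fi
```

The timeout in wait_for_path is the "wrinkle" in practice: without it a missing or slow stick leaves the machine stuck before the passphrase prompt ever appears.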
tdude
n00b

Joined: 26 Feb 2016
Posts: 9

Posted: Fri Feb 26, 2016 10:28 pm

Give this a try: http://gentoovps.net/encrypted-root-on-gentoo-usb-keyfile/
Francois1
n00b

Joined: 26 Feb 2016
Posts: 12

Posted: Sun Feb 28, 2016 9:30 am

tdude wrote:
Give this a try: http://gentoovps.net/encrypted-root-on-gentoo-usb-keyfile/

Link is broken, returns
Code:
Error establishing a database connection

Tried internet search with several hits, but none can access this site.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 43221
Location: 56N 3W

Posted: Sun Feb 28, 2016 9:50 am

Francois1,

This wiki page has /boot including the key file on USB.

After booting, you can remove the USB device, the down side is that it needs to be there to install kernel updates.
Francois1
n00b

Joined: 26 Feb 2016
Posts: 12

Posted: Sun Feb 28, 2016 10:02 am

NeddySeagoon wrote:
The kernel plus the initrd needs to be able to read the key file from USB.
The key file can be called anything and can be anywhere in the USB directory structure.
The initrd needs to know all this.

Ok, that's understood.
NeddySeagoon wrote:
I don't think you need to make your own initrd but it looks like you need to make your own initrd init script, or at least edit the one provided by genkernel, so it can find the key file.

Are there no instructions anywhere on how to do that? I have never edited a script; I am not familiar with scripting languages.
NeddySeagoon wrote:
There is a wrinkle or two due to the use of USB for the key file. USB is not normally started until root is mounted but you need USB to work to get the key to unlock the container before you can even see root.

I get more and more sceptical about dm-crypt based encryption. When a disc/partition is encrypted, the (top secret) procedure is within this encrypted container. However, to "launch" the decryption, i.e. to open it, a simple password (if it is not a key-file) is all that is needed? I would have assumed that the encryption key itself would be on a separate (removable) device. In the end, to break into a complicated encrypted system all that is needed is a simple password? This is not the topic of this thread, but I would love to discuss that further.

Francois
szatox
Veteran

Joined: 27 Aug 2013
Posts: 1747

Posted: Sun Feb 28, 2016 10:13 am

The init script within initramfs is usually just a shell script; if you're running Gentoo you should already be familiar enough with it to understand what's going on.
Scripts included by genkernel are pretty easy to follow, particularly considering you do not have to read all of them. They are written mostly in a functional manner, so you can search for the command line options related to encryption and you will narrow the interesting code down to a dozen or two lines.
Quote:
I would have assumed that the encryption key itself would be on a separate (removable) device. In the end, to break into a complicated encrypted system all that is needed is a simple password?
Well, it's the trade-off between security and convenience. If you want to store a key on a separate device, you might consider using LUKS with a detached header (and put the full header on a pendrive), or even skip LUKS and configure encryption manually, without any header at all.
However, if someone actually wanted to get access to your data, convincing you to share that password would be way easier than breaking it, so it hardly makes a difference. The best way to go depends on what you want to avoid.
NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 43221
Location: 56N 3W

Posted: Sun Feb 28, 2016 10:26 am

Francois1,

The 'simple password' can be as complex as you like. Vogon poetry might be a good source of pass phrases but for the fact that so little is known. :)

On a more serious note: the pass phrase is not stored anywhere. It's the pass phrase hash that is stored.
Look in /etc/shadow to see how your normal passwords appear.
Password cracking does not normally involve guessing a password, it's discovering a hash collision. That is, another pass phrase that has the same hash value. If you choose a poor pass phrase (people do), they tend to be too short and not very random, then you leave yourself open to brute forcing and/or dictionary attacks.

How good a password you need depends on how determined your perceived attackers are. If it's the American NSA, forget it. They will send the boys round to beat it out of you. If it's someone that finds/steals your laptop, they will likely install windows and sell it on. They won't try very hard to look at your data.
depontius
Advocate

Joined: 05 May 2004
Posts: 3383

Posted: Sun Feb 28, 2016 11:52 am

NeddySeagoon wrote:
They will send the boys round to beat it out of you.
AKA "Rubber hose cryptography", mentioned (coined?) on Bruce Schneier's website.
_________________
.sigs waste space and bandwidth
Francois1
n00b

Joined: 26 Feb 2016
Posts: 12

Posted: Sun Feb 28, 2016 6:20 pm

NeddySeagoon wrote:
This wiki page has /boot including the key file on USB.

After booting, you can remove the USB device, the down side is that it needs to be there to install kernel updates.

I had tried this (really well written) HowTo in the first place. And the second. In both cases the system boots but the encrypted container won't open any longer. Neither with a key-file, nor with an additionally set simple password. Even trying to access it from another Linux would not open it any longer. Probably my fault, I just don't know what went wrong twice.

The other point is that Sakaki has written some tools to create the initramfs, locate the key-file, etc. that need to be downloaded during the installation process. I would prefer, at least in the first instance, to do it manually or using standard tools.

Francois
Francois1
n00b

Joined: 26 Feb 2016
Posts: 12

Posted: Sun Feb 28, 2016 6:41 pm

szatox wrote:
The init script within initramfs is usually just a shell script, if you're running gentoo you should already be familiar enough with it to understand what's going on.

My last Gentoo installation dates back 10 years (and usually took about 1 full week including long nights, but it was fun!); after that my job kept me away from this type of thing. When I re-started again, I started with Arch Linux, which is very handy. But I kept on dreaming of using Gentoo one day again, and recently I purchased a nifty laptop....
szatox wrote:
Scripts included by genkernel are pretty easy to follow, particularly considering you do not have to read all of them. They are written mostly in a functional manner, so you can search for the command line options related to encryption and you will narrow the interesting code down to a dozen or two lines.
Stupid question: where do I get the genkernel scripts to look into?
szatox wrote:
Well, the trade-off between security and convenience. If you want to store a key on a separate device, you might consider using LUKS with detached header (and put the full header on a pendrive), or even skip LUKS and configure encryption manually, without any header at all.

The inconvenience to me is to torture my poor brain with an increasing number of passwords. It appears convenient to me to have a mini usb-stick or sd-card with it in my pocket (or on my real-life key-ring :wink: )
szatox wrote:
However, if someone actually wanted to get access to your data, convincing you to share that password would be way easier than breaking it, so it hardly makes a difference.
Agreed. I think encryption is primarily a protection in case the laptop gets lost/stolen. It's just a matter of personal preference how to keep the access key.
Francois1
n00b

Joined: 26 Feb 2016
Posts: 12

Posted: Sun Feb 28, 2016 6:49 pm

As mentioned above, the key question remains (whether with password or key-file)
Code:
grub2-mkconfig
grub2-install

The system is in place. The encryption as well, but I do not understand how to get it to boot.

I just would love to get a working and encrypted system. Once done, I can still carry on to change it to use a key-file. But this has been going on for weeks now and I am at my wits' end.

Thanks
Francois
ennui
n00b

Joined: 24 Apr 2003
Posts: 17
Location: Copenhagen, Denmark

Posted: Mon Feb 29, 2016 5:05 pm

Francois1 wrote:
Stupid question: where do I get the genkernel scripts to look into?


Hi Francois,

An ebuild for genkernel can be found in the portage tree at sys-kernel/genkernel. Looking in that ebuild, it looks like the main package files (genkernel-*.tar.xz) can be found in the distfiles on any Gentoo mirror.

Francois1 wrote:
The system is in place. The encryption as well, but I do not understand how to get it to boot.

I just would love to get a working and encrypted system. Once done, I can still carry on to change it to use a key-file. But this has been going on for weeks now and I am at my wits' end.


Could you describe your setup at present?

I'm afraid I'm not too familiar with genkernel myself as I boot using a custom initramfs, but if you want to get a good understanding of what's going on here, I'd suggest reading Robert Landley's excellent series of initramfs articles:
Elleni
l33t

Joined: 23 May 2006
Posts: 859

Posted: Tue Mar 01, 2016 12:12 am

Hi Francois,

I managed to get a fully encrypted system by reading lots of tutorials. But the one that helped me most to understand the key thing was the following.

http://blog.guya.de/linux-gentoo-encrypted-boot-partition/

Now I boot grub2, which asks me for a password. The initrd created by genkernel then mounts the encrypted rootfs and boots the system. I hope this helps.

As for the broken link, there is a cached version. See:

http://webcache.googleusercontent.com/search?q=cache:mwmbDA9yYCgJ:gentoovps.net/encrypted-root-on-gentoo-usb-keyfile/+&cd=11&hl=de&ct=clnk&gl=ch

Following are some resources that helped me when trying to find out how to set up an encrypted disk incl. boot. I have boot on the same partition as root, and no lvm though..

http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
http://www.funtoo.org/Rootfs_over_encrypted_lvm
http://www.0xrage.com/?p=129

Now I update my kernel using

Code:
emerge hardened-sources -v && eselect kernel set 2 && cd /usr/src/linux && make menuconfig && make && make install && genkernel --luks initramfs && grub2-mkconfig -o /boot/grub/grub.cfg

Good luck :D
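An added example (not the thread's, genkernel's or Gentoo's own code) of the boot-loader side of the layout in the original post: the kernel parameters genkernel's initramfs reads to find the LUKS container, the device holding the key file and the LVM volumes, written into /etc/default/grub, followed by the grub2-install and grub2-mkconfig calls for an x86_64 UEFI system whose ESP is mounted directly on /boot. crypt_root, root_key, root_keydev and dolvm are documented genkernel kernel parameters; the UUIDs, the key path and the bootloader id are constructed placeholders, and passing UUID= rather than a device node to crypt_root and root_keydev is assumed to be supported by the genkernel version in use (if it is not, substitute the /dev nodes).

```shell
#!/bin/sh
# Added example: grub2 configuration for a genkernel initramfs that unlocks
# a LUKS container with a key file on a USB stick, then activates LVM.
# All three values below are placeholders; read the real ones with blkid.
CRYPT_UUID="${CRYPT_UUID:-00000000-0000-0000-0000-00000000c0de}"  # blkid of sdx2 (the container)
KEYDEV_UUID="${KEYDEV_UUID:-1234-ABCD}"                            # blkid of the stick's filesystem
KEY_PATH="${KEY_PATH:-/keys/root.key}"                             # key file path on that filesystem

# Compose the kernel command line the genkernel initramfs parses:
#   crypt_root   the LUKS container to open
#   root_keydev  the device that carries the key file
#   root_key     the key file's path on that device
#   dolvm        activate LVM volume groups after unlocking
#   root         the real root filesystem inside the container
# Identifying devices by UUID avoids the /dev/sdX renumbering that a
# plugged-in stick causes between boots.
build_cmdline() {
    printf 'crypt_root=UUID=%s root_keydev=UUID=%s root_key=%s dolvm root=/dev/mapper/vg-root' \
        "$1" "$2" "$3"
}

# Put the command line into GRUB_CMDLINE_LINUX of the given defaults file
# (/etc/default/grub unless told otherwise, so it can be exercised on a
# scratch file first). Replaces an existing uncommented setting in place,
# otherwise appends one.
write_grub_default() {
    file="${1:-/etc/default/grub}"
    cmdline=$(build_cmdline "$CRYPT_UUID" "$KEYDEV_UUID" "$KEY_PATH")
    if grep -q '^GRUB_CMDLINE_LINUX=' "$file"; then
        sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$cmdline\"|" "$file"
    else
        printf 'GRUB_CMDLINE_LINUX="%s"\n' "$cmdline" >> "$file"
    fi
}

# Install grub2 for UEFI with the ESP mounted on /boot (GRUB_PLATFORMS="efi-64"
# must already have been set when grub was emerged, as the original post did),
# then generate grub.cfg, which picks up GRUB_CMDLINE_LINUX from the file above.
install_grub_uefi() {
    grub2-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=gentoo
    grub2-mkconfig -o /boot/grub/grub.cfg
}

# Only touch the real system when explicitly asked (DO_INSTALL=1).
if [ "${DO_INSTALL:-0}" = "1" ]; then
    write_grub_default /etc/default/grub
    install_grub_uefi
fi
```

Check the resulting /boot/grub/grub.cfg for the crypt_root/root_keydev line on the linux entry before rebooting; if it is missing, grub2-mkconfig read a different defaults file than the one written here.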
Francois1
n00b

Joined: 26 Feb 2016
Posts: 12

Posted: Tue Mar 01, 2016 11:26 am

Thanks for the links. I will work through them, let's see.

Isn't it surprising that what should be the standard for all laptops, data theft protection by encryption, is such a hassle? I mean, should it not be the default for an installation?

Francois
depontius
Advocate

Joined: 05 May 2004
Posts: 3383

Posted: Tue Mar 01, 2016 4:28 pm

Francois1 wrote:
Thanks for the links. I will work through them, let's see.

Isn't it surprising that what should be the standard for all laptops, data theft protection by encryption, is such a hassle? I mean, should it not be the default for an installation?

Francois


No, because many installations are not laptops.

However, enough installations are "secure" that it should be in the Gentoo handbook as a standard option. Many resources were listed, and there are minor differences between them that you have to pick and choose your way through.