Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Howto gpg encrypt your root using udev,cryptsetup,dm-crypt
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
dreamshadow
n00b
n00b


Joined: 15 Nov 2004
Posts: 18
Location: Reno, NV

PostPosted: Mon Nov 15, 2004 7:23 am    Post subject: Howto gpg encrypt your root using udev,cryptsetup,dm-crypt Reply with quote

Howto gpg encrypt your root using udev,cryptsetup,dm-crypt

Theres lots of documents on using dm-crypt to encrypt your root partition but i couldn't find any using gpg. So heres how I did it. Please be gentle, this is my first gentoo howto post.

Thanks to hulk2nd for this post https://forums.gentoo.org/viewtopic.php?t=108162&highlight=encrypted+root
Thanks to veezi for this post https://forums.gentoo.org/viewtopic.php?t=191052&highlight=dmcrypt
Both of these were a great help!

Things to Note:
This is all explain in regards to my setup, yours will differ.
This was all done immediately after a fresh install!
I use lilo instead of grub, so things are explained with lilo
I have done this and it is currently working on my laptop for 3 days now.
Very Important:
You will need a spare partition that can hold the entire contents of your / directory.
All commands were done with regards to MY setup.

My Setup:
This was done on a Toshiba Tecra 8000, PentiumII, 256M ram, 10G HD. Heres how i partitioned, yours will be
different. Note: Im using hda3 as my / and ill be using hda7 as the backup /

Code:

        hda1    /boot           ext2    25
        hda2    swap            sw      128
        hda3    /               ext3    2G                                                                     
        hda5    /usr            ext3    4G
        hda6    /usr/portage    ext3    2G
        hda7                    ext3    900M                                               
        hda8    /var            ext3    800M

Requirements
You must be using udev!
You will need a LiveCD disk, I'm using Knoppix but the gentoo install disk will work.
I'm using development sources 2.6.10-rc1, You need the following in your kernel config:
Code:

             Device Drivers -->
                        Block Devices -->
                                <*> Loopback device support
                                <*>    Cryptoloop Support
                                <*> RAM disk support
                                (8192) Default RAM disk size (kbytes)
                                [*] Initial RAM disk (initrd) support
                                [*] Support for Large Block Devices
                        Multi-device support (RAID and LVM) -->
                                [*] Multiple devices driver support (RAID and LVM)
                                <*> Device mapper support
                                <*>   Crypt target support
                        File systems -->
                                Pseudo filesystems -->
                                        [ ] /dev file system support
                        Cryptographic options -->
                                <*> SHA256 digest algorithm
                                <*> SHA384 and SHA512 digest algorithms
                                <*> AES cypher algorithms (i586)

Im using a 8M initrd cause 4M isnt quite enough.
You need the following programs emerged:
  • udev
  • hotplug
  • coldplug
  • device-mapper
  • cryptsetup
  • gnupg
  • sharutils (needed for uuencode)

and on last thing:
Code:

nano /etc/conf.d/rc
  set RC_DEVICE_TARBALL = no

Step 1
Boot from your Live CD. Were going to make a mirror of your / directory then another backup.
Code:

        mkdir /{gentoo,newroot}
        mount /dev/hda3 /gentoo
        mke2fs -j /dev/hda7
        mount /dev/hda7 /newroot
        cp -r -p -v /gentoo/* /newroot/
        tar -cjvvf /newroot/root.tar.bz2 /gentoo/*
        mount /dev/hda1 /newroot/boot
        mount /dev/hda5 /newroot/usr
        mount /dev/hda6 /newroot/usr/portage
        mount /dev/hda8 /newroot/var
        mount -o bind /proc /newroot/proc
        chroot /newroot /bin/bash
        env-update
        source /etc/profile
        nano /etc/lilo.conf
Heres my new lilo.conf file:
Code:

        image=/boot/vmlinuz-2.6.10.0
        root=/dev/hda7            (NOT /dev/hda3 LIKE THE ORIGINAL)
        label=wonderland

after your done editing lilo.conf run lilo
Code:

        lilo
        nano /etc/fstab
                change the root=/dev/hda3 to root=/dev/hda7
        exit
        umount /newroot/{boot,usr/portage,usr,var,proc}
        umount /newroot
        umount /gentoo
        reboot

If things went as planned your new root should be /dev/hda7 and everything else worked ok.

Step 2
Now were on our new / (/dev/hda7) lets get some stuff installed
Code:

        mkdir /{rabbithole.rd,rabbithole,root/.gnupg}
        mount /boot
        cd /boot

Lets create our gpg key
Code:

        head -c 2880 /dev/urandom | uuencode -m - | head -n 65 | \
tail -n 64 |  gpg -ac >/boot/rabbithole.key

Lets check the key to make sure it works ok:
Code:

        gpg --quiet -d /boot/rabbithole.key

that should give you a big screen of characters =)
now lets create our RAM disk
Code:

        cd /root
        touch rabbithole.rd
        dd if=/dev/zero of=/root/rabbithole.rd bs=1024k count=8
        losetup /dev/loop0 /root/rabbithole.rd
        mke2fs /dev/loop0
        mount /dev/loop0 /rabbithole.rd
        cd /rabbithole.rd
        mkdir {bin,boot,dev,etc,lib,proc,rabbithole,root,root/.gnupg,.gnupg}
        cp /boot/rabbithole.key /rabbithole.rd/boot/
        cp /root/.gnupg/* /rabbithole.rd/root/.gnupg/
        cp /root/.gnupg/* /rabbithole.rd/.gnupg/
        touch linuxrc
        chmod +x linuxrc

Step 3
Lets populate the rabbithole.rd
Code:

        cp /bin/{sh,cat,mount,umount,mkdir,chroot,cryptsetup} /rabbithole.rd/bin/
        cp /sbin/{pivot_root,blockdev} /rabbithole.rd/bin/
        cp /usr/bin/gpg /rabbithole.rd/bin/

Now to copy the libraries over. For each file in /rabbithole.rd/bin find its
needed libraries by typing ldd filename, heres and example:
Code:

        ldd /rabbithole.rd/blockdev
                linux-gate.so.1 => (0xffffe000)
                libc.so.6 => /lib/libc.so.6 (0xb7ece000)
                /lib/ld-linux.so.2 (0xb7f3b000)

So blockdev requires libc.so.6, ld-linux.so.2 so copy these over:
Code:

        cp /lib/libc.so.6 /rabbithole.rd/lib/
        cp /lib/ld-linux.so.2 /rabbithole.rd/lib/

Now do this for all the other programs in /rabbithole.rd/bin and copy
there needed libraries over.

Step 4
Now lets create the devices on the RAM disk
Code:

        mknod /rabbithole.rd/dev/console c 5 1
        mknod /rabbithole.rd/dev/null c 1 3
        mknod /rabbithole.rd/dev/hda3 b 3 3
        mknod /rabbithole.rd/dev/tty c 4 0
        mkdir /rabbithole.rd/dev/mapper
        mknod /rabbithole.rd/dev/mapper/control c 10 63
        mknod /rabbithole.rd/dev/random c 1 8
        mknod /rabbithole.rd/dev/urandom c 1 9

Step 5
Now lets create the linuxrc (thanks veezi)
Code:

        nano /rabbithole.rd/linuxrc

The following is what needs to be in the linuxrc
Code:

#!/bin/sh
export PATH=/bin

#grab the command line:
mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
umount /proc

#mount the rabbithole and fall through it:
gpg --quiet -d /boot/rabbithole.key | cryptsetup -h plain -c aes \
-s 256 create rabbithole /dev/hda3
mount /dev/mapper/rabbithole /rabbithole
cd /rabbithole
mkdir potion
pivot_root . potion

#drink the potion and away we go
exec chroot . /bin/sh <<- EOF >dev/console 2>&1
umount potion
rm -rf potion
/sbin/blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF

Step 6
Lets check the RAM disk to make sure it works properly
Code:

        cd /
        chroot /rabbithole.rd /bin/sh
        /bin/blockdev --help
        /bin/cat --help
        /bin/chroot --help
        /bin/cryptsetup --help
        /bin/gpg --help
        /bin/mkdir --help
        /bin/mount --help
        /bin/pivot_root --help
        /bin/sh  --help
        /bin/umount --help
        /bin/gpg --quiet -d /boot/rabbithole.key
        exit

If all went good you should see a help screen for each program and your
gpg should decrypt the key. If theres missing library's, exit,
copy them over and try again. when all is good:
Code:

        umount /rabbithole.rd
        mount /boot
        cp /root/rabbithole.rd /boot


Step 7
Now lets prepare our encrypted root
Code:

dd if=/dev/zero of=/dev/hda3
gpg --quiet -d /boot/rabbithole.key | cryptsetup -h plain -c aes \
-s 256 create rabbithole /dev/hda3
mke2fs -j /dev/mappper/rabbithole
mount /dev/mapper/rabbithole /rabbithole
cd /rabbithole
tar jxvf /root.tar.bz2
mv gentoo/* ./
rmdir gentoo/lost*
rm gentoo/.bash*
rmdir gentoo
cd /rabbithole/etc/
nano fstab

Change the /dev/hda3 to /dev/mapper/rabbithole so the line will look like this:
Code:

/dev/mapper/rabbithole  /       ext3    noatime 0 1

Now lets prepare lilo:
Code:
nano /etc/lilo.conf

heres what my new lilo looks like (im leaving the old root in there in case
things dont go so well)
Code:

        image=/boot/vmlinuz-2.6.10.0
                root=/dev/hda7
                read-only
                label=wonderland-bak

        image=/boot/vmlinuz-2.6.10.0
                label=wonderland
                root=/dev/ram0
                read-write
                initrd=/boot/rabbithole.rd
                append="init=linuxrc"

and then run lilo:
Code:
lilo

You may get the following error:
Code:

        Warning: '/proc/partitions' does not match '/dev' directory structure.
                Name change: '/dev/dm-0' -> '/dev/mapper/rabbithole'

but thats ok, dont worry about it.
now lets finish things up
Code:

        cp /etc/lilo.conf /rabbithole/etc/lilo.conf
        losetup -d /dev/loop0
        umount /rabbithole
        umount /boot
        cryptsetup remove rabbithole


Thats it, reboot. You may get an error on shutdown saying theres a
file system error, enter root password. I just ignored this and it restarted as normal. If things went ok you'll be a happy camper. I have been running this for a while now and it works pretty good. Havent had any problems.
_________________
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

Life is but a dream, reality is but a shadow

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+


Last edited by dreamshadow on Sat Dec 18, 2004 11:25 pm; edited 3 times in total
Back to top
View user's profile Send private message
S_aIN_t
Guru
Guru


Joined: 11 May 2002
Posts: 488
Location: Ottawa

PostPosted: Mon Nov 15, 2004 8:48 pm    Post subject: Reply with quote

Sounds like fun. When I get more time to play with Linux I will be sure to try this.

Looks like excellent work. Thanks.
_________________
"That which is overdesigned, too highly
specific, anticipates outcome; the anicipation of
outcome guatantees, if not failure, the
absence of grace."
- William Gibson, "All Tomorrow's Parties"
----
http://petro.tanreisoftware.com
Back to top
View user's profile Send private message
ali3nx
l33t
l33t


Joined: 21 Sep 2003
Posts: 612
Location: Winnipeg, Canada

PostPosted: Wed Jan 19, 2005 11:11 pm    Post subject: Reply with quote

Just wanted to say thanks! very nice tutorial. I made a few adjustments to my setup to suit my requirements but all is working nicely 8) Good job.
_________________
Compiling Gentoo since version 1.4
Thousands of Gentoo Installs Completed
Emerged on every continent but Antarctica
Compile long and Prosper!
Back to top
View user's profile Send private message
mcpi
n00b
n00b


Joined: 04 Jun 2003
Posts: 39

PostPosted: Tue Mar 29, 2005 2:49 pm    Post subject: it works Reply with quote

yep thanx thanx thanx, it works for me.

ok I found some "errors", but I fixed them all and now it works. great.

my changes:

important: if you create a hda device which is not hda3 you must modify the device number!
for me: hda6 is my rootpartion, so the command is: mknod /rabbithole.rd/dev/hda6 b 3 6 <------ that was my mistake (i wrote here 3 and that was wrong!)

and there is a mistake in your linuxrc:
exec chroot . /bin/sh <<- EOF > dev/console 2>&1

you should change it to
exec chroot . /bin/sh <<- EOF > /dev/console 2>&1 (missing a slash "/" at the beginning)

do you know a good way to mount an usb stick or cdrom device into a initrd? background: I just want to put the gpg key to an external device.

thanx for help
Back to top
View user's profile Send private message
cheops05
n00b
n00b


Joined: 03 Jan 2005
Posts: 62

PostPosted: Wed Mar 30, 2005 11:23 am    Post subject: Reply with quote

Hi, I want to implement this method of encrytion but with a few modifications.

(1). How would you modify this to also encrypt the swap partition and my home partition.

(2).Would it be possible to story the key file on a usb stick?

maybe a better method would be to get the USB stick to boot gentoo i.e boot partion on the SDA stick?

Thanks

cheops.
Back to top
View user's profile Send private message
dreamshadow
n00b
n00b


Joined: 15 Nov 2004
Posts: 18
Location: Reno, NV

PostPosted: Fri Apr 01, 2005 3:36 am    Post subject: Reply with quote

ok a few things,
to do the swap and /tmp directories look at /etc/conf.d/cryptfs, heres how mine looks:

Code:
swap=swamp
source='/dev/hda2'

mount=wasteland
source='/dev/hda8'
options='-d /dev/urandom'
pre_mount='/sbin/mke2fs /dev/mapper/wasteland'
post_mount='chown root:root /tmp; chmod 1777 /tmp'


and my /etc/fstab for those looks like:
Code:

/dev/mapper/swamp       none            swap            sw                      0 0  #/dev/hda2
/dev/mapper/wasteland   /tmp            ext2            defaults,noexec         0 0  #/dev/hda


that will give you an encrypted swap and and encrypted /tmp directory.

as for other partitions, heres how i did that:
i create a key directory in my /root directory
something like /root/.keys/
i made a key for all other partitions
/root/.keys/usr.key
/root/.keys/var.key
etc etc for each partition.
the command i used was:
Code:

head -n 10 /dev/urandom | uuencode -m - | head -n 6 | tail -n 5 > usr.key

this makes a pretty decent random key, and come on, im PaRanOiD, but some one trying to decrypt a gpg key on a gpg encrypted root partition, its going to take a long time. they have to decrypt the root partition to even get these keys.

then i would encrypt those partitions by backing them up, and device mapping encrypting them like in the howto except this time it would be /usr or /home or whatever partition your working on instead of the root partition.

then all you need to do is write an init script that has the following lines:

Code:
       
ebegin "Setting up userland..."
cat /root/.keys/usr.key | cryptsetup -h plain -c anubis -s 320 create userland /dev/hda5
eend $?

ebegin "Setting up var..."
cat /root/.keys/var.key | cryptsetup -h plain -c anubis -s 320 create var /dev/hda7
eend $?


NOTE: this MUST be run right after /etc/init.d/modules, if you dont know how to do this, just add the above lines at the end or /etc/init.d/modules !!!!

also those files should be chmod 0400 read only by root, same with the directory /root/.keys

ok, i hope that makes sense, if not ask and ill g/et you an answer as soon as possible.
as for putting the key on a usb stick. i havent had time to actually do it yet, but ill give you a couple things that should set you one the right path:

the kernel must be built with usb support and everything needed to normally read a usb key.
in your initrd, you will need to add the mount point to where the usb key mounts to and the device nodes for the usb device
example, mine usually is /dev/sda and mounts to /usb so you would need devices for sda, sda1, etc etc depending on how
your usb key is partitioned. and a mount point ( /usb) make sure they have the right mknod settingds like mine mounts to /dev/sda
its a block device with 8, 0 so i woulnd create the following devices in my initrd:
Code:

mknod /dev/sda b 8 0
mknod /dev/sda1 b 8 1
mknod /dev/sda2 b 8 2


you will need to write some code that automatically mounts the usb device or sits and waits for the usb key to be inserted
then change the linuxrc to cat the gpg key off the usb instead of from /boot.

kinda the same if you want to use a cdrom to store the key
anyways if someone actually gets time and makes this work, please post how you did it, and ill help anyone that needs help, just gotta
give me some time to respond, its final month of my senior year =|

quick bonus: encrypted /home directoy
heres how i do mine
each user has a usb key with there encrypted home parition on it.
i have edited udev to do custom dev mapping depending on the serial number of the usb key
for example, johndoe has his usb key. when its put in udev make a link to /dev/johndoe
so then i have a init script that does the mounting of the home partition

NOTE: the following script will delete your initrd file if you fail it 3 times, to prevent this please read over it carefully and if testing
comment out the rm /boot/rabbithole.rd and shutdown -h 0 lines, YOU HAVE BEEN WARNED


now heres the code for /etc/init.d/crypt-home
Code:

#!/sbin/runscript
#coded by dreamshadow@futilesystems.net
#

depend() {
 after vixie-cron
}

check_vault() {
 thecheck="no"
 if [ -e /dev/johndoe ]; then
  thecheck="johndoe"
 fi
}

check_user() {
 case $thecheck in
  "johndoe")
   einfo "     Found user vault"
   cryptsetup -h sha1 -c anubis -s 320 create vault /dev/johndoe
   e2fsck /dev/mapper/vault
   mount /dev/mapper/vault /home/johndoe
   echo "0" > /etc/conf.d/homecount
   einfo "     Vault Opened"
   ;;
  "no")
   if [ "$keyerror" = "yes" ]; then
    key_wait
   else
    do_error
   fi
   ;;
 esac
}

do_error() {
 eerror "     No Vaults Found"
 let homecount=$homecount+1
 echo "$homecount" > /etc/conf.d/homecount
 if [ $homecount -eq 2 ]; then
  ewarn "     Unauthorized Access Attempt Detected"
  ewarn "     System will auto-erase on one more failure"     
  sleep 5
  shutdown -h 0
 elif [ $homecount -ge 3 ]; then
  mount /boot
  rm /boot/rabbithole.rd
  ewarn "     Unauthorized Access Detected........."
  ewarn "     Destroying the filesystem....YOU *&^(^&*!!!!!!!"
  shutdown -h 0
 else
  key_wait
 fi
}

key_wait() {
 let keycount=$keycount+1
 if [ $keycount -eq 1 ]; then
  eerror "     Please insert User Vault"
  sleep 10
  keyerror="yes"
  check_vault
  check_user
 elif [ $keycount -eq 2 ]; then
  eerror "          20 seconds remaining."
  sleep 10
  keyerror="yes"
  check_vault
  check_user
 elif [ $keycount -eq 3 ]; then
  eerror "          10 seconds remaining."
  sleep 10
  check_vault
  check_user
  shutdown -h 0
 fi
}

start() {
 ebegin "Checking for Vaults"
  if [ -e /etc/conf.d/homecount ]; then
   homecount="$(cat /etc/conf.d/homecount)"
  else
   homecount=0
  fi
  keyerror="no"
  keycount=0
  check_vault
  check_user
 eend $?
}

stop() {
 ebegin "Closing the vault"
  if [ -e /dev/johndoe ]; then
   umount /home/johndoe >/dev/null 2>&1
  fi
  einfo "     The vault is closed"
  cryptsetup remove vault
 eend $?
}


ok, so with the above script a user just plugs there usb key during the boot and the script will run, ask for a password, mount the users
directory and walla, everythings encrypted on a portable usb key. and yes it does work, ive been using it for over a couple months now.
_________________
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

Life is but a dream, reality is but a shadow

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
Back to top
View user's profile Send private message
cheops05
n00b
n00b


Joined: 03 Jan 2005
Posts: 62

PostPosted: Fri Apr 01, 2005 10:16 am    Post subject: Reply with quote

Thanks for all the new info it is just what I was looking for.

I will be trying all this new stuff soon as I sort out a problem with the encrypting root howto maybe you can help?



I have a problem with the boot up sequence everything works I can mount the encryted partition manually and see all my encryted partition when using the backup image but soon as I try and boot the encrypted partition

I get this error

Code:

Remounting  root filesystem read-only (if necessary)...
Checking root filesystem.

Failed to open the device '/dev/mapper/rabbithole': No Such file or directory.


My initrd is working fine it loads up with no errors I did have a few problems but managed to sort them out, I have read somewhere that people were having to put /bin/sleep 5 to wait for udev to catch up in the /etc/init.d/check* startup scripts which I have tried but it doesnt seem to make a difference.

I am at a total loss with what else to try if anyone can think of anything that could be causing this then it would be greatly appreciated. I know it can't be far off working now. :-|


Thanks

Cheops
Back to top
View user's profile Send private message
dreamshadow
n00b
n00b


Joined: 15 Nov 2004
Posts: 18
Location: Reno, NV

PostPosted: Fri Apr 01, 2005 5:01 pm    Post subject: Reply with quote

couple things to check just off the top of my head

if you using lilo, you must have read-write in there instead of read-only.

Code:

image=/boot/vmlinuz-2.6.10.0
        label=nowhere
        read-write


same thing for grub.

is your initrd an ext2 filesystem, ext3 or others wont work, i dont know why
but thats all i can give you for now, ill check my notes when i make it home later today.
_________________
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

Life is but a dream, reality is but a shadow

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
Back to top
View user's profile Send private message
cheops05
n00b
n00b


Joined: 03 Jan 2005
Posts: 62

PostPosted: Tue Apr 05, 2005 6:25 am    Post subject: Reply with quote

Thanks

I finally got it working i needed to emerge the latest baselayout?

you might want to add it to your howto

Cheops
Back to top
View user's profile Send private message
dreamshadow
n00b
n00b


Joined: 15 Nov 2004
Posts: 18
Location: Reno, NV

PostPosted: Thu Apr 07, 2005 2:38 am    Post subject: Reply with quote

cool, wonder why putting in the latest baselayout worked. hmmm anyways now that you have it running, can you think of anything to make it a little more secure other than moving the gpg key to like a cd or usb disk. i mean the encryption (depending on what you used) is pretty good, ive tried to think of different ways that it could be bypassed, but it all boils down to the gpg key to decrypt the root parition. which reminds me, this encryption method does do filechecking, so ive found that every 15-20th boot, its always nice to do a
Code:

touch /forcefsck


this way it keeps the filesystem clean and the encryption doesnt get screwed. i have killed my system a time or two from forgetting the password, and believe me, if you dont have a copy of that gpg key, your hard drive is screwed. but if you have ideas of improvements and stuff please let me know.
_________________
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

Life is but a dream, reality is but a shadow

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
Back to top
View user's profile Send private message
ProtectionFault
Apprentice
Apprentice


Joined: 14 Nov 2003
Posts: 170
Location: /dev/zero

PostPosted: Sat Apr 09, 2005 2:11 pm    Post subject: Reply with quote

Great howto... :)
There was only a problem with the device numbers for the /dev/mapper/control device (had to use 10 61 instead of 10 63)
You may look up your device number with a
Code:
cat /proc/devices

for the major number and a
Code:
cat /proc/misc

for the minor number.

If you want your filesystem to be automatically checked and you're using ext2/3, you may have a look at
Code:
man tune2fs

_________________
ASUS Z87-PLUS, i7-4770, 2x8GB DDR3-1600, 700W OCZ Power Supply, EVGA GTX760 4GB, 3TB HDD, Gentoo ~amd64 (3.10.10, dm-crypt full disk, awesome)
Back to top
View user's profile Send private message
cheops05
n00b
n00b


Joined: 03 Jan 2005
Posts: 62

PostPosted: Sat Apr 09, 2005 3:10 pm    Post subject: Reply with quote

Yeah I forgot to mention mknod thing.

Anyway I now have this booting from my USB Flash Drive My \boot partition now resides on the drive an when I stick it in it boots to gentoo otherwise cr**py windows...so my drive probably looks like junk

Cheops
Back to top
View user's profile Send private message
Base
n00b
n00b


Joined: 22 Apr 2005
Posts: 17

PostPosted: Wed Apr 27, 2005 8:36 pm    Post subject: Reply with quote

Hmm dm-crypt was patched with ESSIV for security increase earlier. does this guide make essiv unneccesary? since u dont seem to use it i mean
Back to top
View user's profile Send private message
smv
n00b
n00b


Joined: 11 Oct 2004
Posts: 3

PostPosted: Mon May 23, 2005 3:21 am    Post subject: Reply with quote

This is a great tutorial! I'm trying this out using VMWare on a fresh install.

The section for creating the devices has an incorrect major number for the tty device:
Code:
mknod /rabbithole.rd/dev/tty c 4 0
should be:
Code:
mknod /rabbithole.rd/dev/tty c 5 0
This results in having gpg sit there with no prompt for the passphrase.
Back to top
View user's profile Send private message
pulzed
n00b
n00b


Joined: 19 May 2005
Posts: 20

PostPosted: Mon Jun 27, 2005 8:35 pm    Post subject: Reply with quote

Nice tutorial! I'm trying to get this to work on my laptop...

lilo.conf
Code:
boot=/dev/hda
   default=gentoo
   prompt

   image=/boot/kernel-gentoo-sources-2.6.11-r11_050626
      label=gentoo
      root=/dev/ram0
      read-write
      initrd=/boot/rabbithole.rd
      append="init=linuxrc"

   image=/boot/kernel-gentoo-sources-2.6.11-r11_050626
      label=gentoo-bak
      read-only
      root=/dev/hda1


Running 'lilo' gives this output:
Code:
Warning: The initial RAM disk is too big to fit between the kernel and
   the 15M-16M memory hole. It will be loaded in the highest memory as
   though the configuration file specified "large-memory" and it will
   be assumed that the BIOS supports memory moves above 16M.
Added gentoo ? *
Added gentoo-bak


Boot hangs on this error:
Code:
...
...
...
RAMDISK: ext2 filesystem found at block 0
RAMDISK: Loading 8192KiB [1 disk] into ram disk... done.
VFS: Mounted root (ext2 filesystem)
Freeing unused kernel memory: 252k freed
Kernel panic - not syncing: No init found.   Try passing init= option to kernel.


Any ideas howto fix this? Thanks!

Edit: I made a few errors and corrected them, and now it works like a charm :D
Back to top
View user's profile Send private message
dreamshadow
n00b
n00b


Joined: 15 Nov 2004
Posts: 18
Location: Reno, NV

PostPosted: Sat Jul 02, 2005 1:58 am    Post subject: Reply with quote

um, i had that same memory thing too when i first experimenting with this
my solution, although it may not work for you
in my bios i have the ability to turn off that memory hole so its not there.
if your bios allows this id get rid of it, i mean, do you really need that memory
hole there on your laptop?

but thats just a suggestion, if that doesnt work i dont know what to tell you.
its been a while since ive gone through this doc and added improvements and
stuff ive made to it.

anyone else that has this working have any ideas?
_________________
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

Life is but a dream, reality is but a shadow

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
Back to top
View user's profile Send private message
escitalopram
n00b
n00b


Joined: 05 Feb 2004
Posts: 60

PostPosted: Sun Jul 10, 2005 4:12 pm    Post subject: Reply with quote

Moving from linux-2.6.10 to linux-2.6.12.2 breaks my encrypted root fs ;(

I have compiled in dm-crypt as well as every cypher coming with linux-2.6.12.2; I even tried to recompile cryptsetup, but it doesn't work.
I can't cite the exact error message, but when I run cryptsetup with -v it says something like that:

"ioctl 0 is invalid for /dev/mapper/control"

and it doesn't even ask for a password
_________________
http://www.blasphemie.at/


Last edited by escitalopram on Thu Aug 04, 2005 2:59 pm; edited 1 time in total
Back to top
View user's profile Send private message
rajl
Apprentice
Apprentice


Joined: 25 Sep 2002
Posts: 287

PostPosted: Sun Jul 10, 2005 4:43 pm    Post subject: Reply with quote

I had a similar problem upgrading from 2.6.8 to 2.6.9 kernel awhile ago. Once I can figure out how to upgrade kernel's without seeing my encrypted partitions get nuked, I'll try doing it again.
_________________
-Rajl

-----------------------------------------------------------
It's easy to be brave once you consider the alternatives.
Back to top
View user's profile Send private message
pulzed
n00b
n00b


Joined: 19 May 2005
Posts: 20

PostPosted: Fri Jul 15, 2005 4:50 am    Post subject: Reply with quote

Is it possible to store the kernel and ramdisk on a bootable cdrom instead of boot partition? Anyone tried something like this?
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2115
Location: Kentucky

PostPosted: Sat Oct 01, 2005 6:55 am    Post subject: I submitted a bug report on a similar problem Reply with quote

Regarding:
Code:
I can't cite the exact error message, but when I run cryptsetup with -v it says something like that:

"ioctl 0 is invalid for /dev/mapper/control"

and it doesn't even ask for a password
Please see the bugzilla bug report I just submitted today on a very similar problem: Bug 107680

The solution is not yet forthcoming, but the workaround I used is described in the bug report. :D
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum