Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Encrypted Root File System, Swap, etc...
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3 ... 5, 6, 7 ... 11, 12, 13  Next  
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks
View previous topic :: View next topic  
Author Message
Ian
l33t
l33t


Joined: 28 Oct 2002
Posts: 834
Location: Somerville, MA

PostPosted: Sat Jun 07, 2003 9:33 pm    Post subject: Re: usb dirve? Reply with quote

watersb wrote:

Your system needs to support bootable USB devices from the BIOS...


would most modern motherboards, both desktop and laptop, support this? the only reason i ask is because over the next year, i'll be getting new of both things, so i could theoretically have one /boot for both computers, if i get a big enough keychain, set up the different kernels, and be too lazy to use two :p.
Back to top
View user's profile Send private message
watersb
Apprentice
Apprentice


Joined: 04 Sep 2002
Posts: 297
Location: where the hell is Tesuque, New Mexico?

PostPosted: Wed Jun 11, 2003 1:32 am    Post subject: Re: usb dirve? Reply with quote

Ian wrote:


would most modern motherboards, both desktop and laptop, support this?


Well, mine does not... :roll:
old Dell Inspiron 8000

Google is your friend. Make certain it can to what you want before you purchase a new system!
Back to top
View user's profile Send private message
watersb
Apprentice
Apprentice


Joined: 04 Sep 2002
Posts: 297
Location: where the hell is Tesuque, New Mexico?

PostPosted: Wed Jun 11, 2003 2:02 am    Post subject: Reply with quote

from the cryptoapi-devel mailing list:

jari ruusu wrote:

Attached is third version of unified util-linux crypto patch. This version
has been tested with loop-AES on 2.0, 2.2, 2.4 and 2.5 kernels, and with
cryptoapi+cryptoloop on 2.4 and 2.5 kernels.

Changes since version 2:
- Blockmode is now passed to cryptoloop on 2.5 kernels. Previous version
didn't pass that because it was unclear whether cryptoloop on 2.5 kernels
would handle that correctly. Now tested - works ok.
- Removed unused code from 'losetup -C' processing so that losetup and mount
programs are now little bit smaller.
- Changed one losetup error message to be understandable for non-geeks.
- Cosmetic fixes to losetup man page.


Get the patch here

Please Test!
Back to top
View user's profile Send private message
Wilhelm
Tux's lil' helper
Tux's lil' helper


Joined: 27 May 2003
Posts: 149

PostPosted: Thu Jun 12, 2003 12:26 pm    Post subject: Reply with quote

Hi everybody

I'm a n00b too :] but i gave it a go and i worked through both your comments and those on the loop-AES site.

Some things i'd like to add are the following

# Test if your loop.o works before getting screwed
make tests

# AES256 has a minimal 20 character password

# Do read loop-AES readme file to atleast understand what loop-AES does on your system

I must comment that it was easy to do however i haven't encrypted my root partition yet because i haven't backed up for the Worst-Case-Scenario.... A fully encrypted domain which is unreadable and theoretically uncrackable with todays hardware (unless you have a few million years to spare) :twisted:

Also remembering a 20-alfa counting password is hard, so i'm thinking of buying a chipcard reader and somehow putting the password on it. (Ofcourse removing the chipcard after reboot).

EDIT: On second thoughts i'm gonna stick it on a mini-CD :)

I have however tested the install on a file holding an ext3 partition and that worked A-OK.
Back to top
View user's profile Send private message
Wilhelm
Tux's lil' helper
Tux's lil' helper


Joined: 27 May 2003
Posts: 149

PostPosted: Thu Jun 12, 2003 12:51 pm    Post subject: Reply with quote

Stupid idea but looping through loop to loop8 giving you 9-fold encyption :P

Great for system admins who don't trust each other each can have there own key.
Back to top
View user's profile Send private message
Wilhelm
Tux's lil' helper
Tux's lil' helper


Joined: 27 May 2003
Posts: 149

PostPosted: Thu Jun 12, 2003 7:02 pm    Post subject: Reply with quote

Chadders i read some more info in this thread and i found you to have the same mini-cd idea already.

I've found a possible way to use a mini-cd as a keycard based om some educated guessing.

If i'm not mistaken a mini-cd in the drive would be available as /dev/hdd at boot time right?.

Also the build-initrd.sh discloses a nice feature whch is mentioned nowhere.
USEROOTSETUP=1
LOSETUPPROG="someproginyourbootdir"

I'm currently building a tool (not too good with C++) which passes the password from the mini-CD to the losetup tool.

This should hopefully give me a system which will boot with my keycard-CD.

Note: Try building an iso somehow with a boot partition if you want a boot-cd.
Back to top
View user's profile Send private message
discomfitor
l33t
l33t


Joined: 21 Feb 2003
Posts: 927
Location: None

PostPosted: Thu Jun 12, 2003 9:19 pm    Post subject: Reply with quote

I followed the directions, but now it gives me this error:
Warning: unable to open an initial console.
flushing ide devices: hda hdc
System halted.
_________________
There is no substitute for experience.
Imperfection indicates a lack of effort.
Back to top
View user's profile Send private message
usingloser
Apprentice
Apprentice


Joined: 18 May 2003
Posts: 297
Location: ->Here<-

PostPosted: Thu Jun 12, 2003 10:50 pm    Post subject: Reply with quote

i am using the gaming sources and loop.o does not exist in /lib/modules/"kernel name"/block/loop.o

it doesnt even have a /block/ directory, what is the deal?
Back to top
View user's profile Send private message
Wilhelm
Tux's lil' helper
Tux's lil' helper


Joined: 27 May 2003
Posts: 149

PostPosted: Thu Jun 12, 2003 10:52 pm    Post subject: Reply with quote

Darckness wrote:
I followed the directions, but now it gives me this error:
Warning: unable to open an initial console.
flushing ide devices: hda hdc
System halted.


Which instructions did you follow and what did you try to do?? I'm still not confident enough to risk my root partition until i've tested it multiple times on files etc.

Also i've got gpg working :].

here's how i did it

1. Create a dir for your key and cd to it
2. gpg --gen-key (I made a 2048 bit gpg key for myself) [Follow interactive questionaire]
3. run the instruction in loop-AES example 4 to create the keyfile (the line head...> keyfile.gpg) using the name filled in at step 2
4. You now have the kyfile to stick on your media
4a. public and secure key are stuck on the key-CD too according to example 4.
5. now add the fstab line (see Example 4)

# my test fstab line (1 line)
/test /xxx ext3 defaults,noauto,loop=/dev/loop2,encryption=AES256,gpgkey=/root/passwords/gpg/keyfile.gpg,gpghome=/root/.gnupg 0 0

6. When mounting use losetup -F /dev/loop2 and enter the phrase entered at 2

Following things i'm gonna try
- Put my keys (pub,sec,keyf) on the boot partition and see if it works.
- Then make one (empty partition) with a test file and encrypt it using dd
- Then see if it will mount using my mini-CD holding the key
- Then figure out if i can use the mini-CD key to mount my root partition
- Then make damn well sure i don't fuck up
- Backup
- dd my root partition.
- Pray :)

VOILA A GPGKEY SECURITY!!!!
Back to top
View user's profile Send private message
usingloser
Apprentice
Apprentice


Joined: 18 May 2003
Posts: 297
Location: ->Here<-

PostPosted: Fri Jun 13, 2003 2:01 am    Post subject: Reply with quote

where does the loop.o get saved too??? i have looked all over but cant find it, and yes i have looked at the readme, but it just states the obvious

also, ./configre says i need "-lcrypt" is this important
Back to top
View user's profile Send private message
riggagoogoo
Tux's lil' helper
Tux's lil' helper


Joined: 06 Apr 2003
Posts: 108

PostPosted: Fri Jun 13, 2003 7:28 am    Post subject: Reply with quote

I have my xbox link in to my linux server using ccxstream for playing movies/mp3's and displaying pictures I have on my servers hard drives, if I encrypted the filesystem that the files where held on would the xbox still be able to read them??

Cheers

Rigga

P.s great post Chadders
Back to top
View user's profile Send private message
Wilhelm
Tux's lil' helper
Tux's lil' helper


Joined: 27 May 2003
Posts: 149

PostPosted: Fri Jun 13, 2003 2:20 pm    Post subject: Reply with quote

usingloser wrote:
where does the loop.o get saved too??? i have looked all over but cant find it, and yes i have looked at the readme, but it just states the obvious

also, ./configre says i need "-lcrypt" is this important


No -lcrypt is not important i got the error too. loop.o get's saved in the current dir atleast for me /usr/src/myloopdir/ after correct compilation.

For compiling got to your /usr/src/myloopdir/ directory and run these commands (as stated in the loop-AES readme)

Quote:

To compile and install loop.o driver, as root, use commands:

make clean
make


run 'make tests' too, to check if it works
Back to top
View user's profile Send private message
discomfitor
l33t
l33t


Joined: 21 Feb 2003
Posts: 927
Location: None

PostPosted: Fri Jun 13, 2003 7:15 pm    Post subject: Reply with quote

update:
it still gives me the 'unable to open initial console' error message, but I am now able to mount the partition inside my other gentoo. I'm using the devfs support (enabled pivot also) in the build.sh script, and changed my grub line accordingly.

fstab line:
/dev/hda3 / xfs noatime,loop=/dev/loop5,encryption=AES256 0 0

grub line:
root (hd0,1)
kernel /bzImage root=/dev/ram0 hdc=ide-scsi video=vesa:mtrr,ywrap vga=791 init=/linuxrc
initrd=/initrd.gz

hopefully someone can help me get this to boot
_________________
There is no substitute for experience.
Imperfection indicates a lack of effort.
Back to top
View user's profile Send private message
usingloser
Apprentice
Apprentice


Joined: 18 May 2003
Posts: 297
Location: ->Here<-

PostPosted: Fri Jun 13, 2003 9:34 pm    Post subject: Re: This sounds great, but . . . Reply with quote

TinheadNed wrote:
When I first read this, I was really tempted to wipe RedHat off my laptop (which I'm going to do soon anyway), and install an encrypted Gentoo. But, after thinking about it, I've seen two problems, and I just wanted to throw them out here to see what people think.

Encrypting a file is very secure, as you can't make many guesses as to what might be inside it, unless you know what you're looking for. It's only a small file after all, which makes it very difficult to crack. However, if you're encrypting an N Gb HD there's a lot more bytes to look for patterns in. Considering you know you're booting Gentoo (or at least some linux kernel) you can make a few guesses as to which filesystem you're installing. Surely then you can look for the thousands of empty inodes on the disc? They'll be in fairly predictable places. You also know the directory structure, and can guess at the contents of quite a few of the plaintext files. Wouldn't this make it far easier (though not actually EASY for non-governmental bodies) to break?

A second problem (if you live in the UK), is that encrypting your drive is completely pointless, unless it is hiding evidence of crimes that carry sentences of greater than 3 years in prison, as failing to hand over a password to encrypted data when instructed by a representative of the Home Office is itself now a crime, courtesy of the RIP Act. And you have to prove you don't have the key, innocence is not assumed (which controvenes other laws I hope). And it's illegal to tell anybody if they ask you for the key too, IIRC.

I'd be really happy to be proved wrong on either of these points though.


use higher encryption, maybe two pass

tell them that the password auto scrambles if you dont do something in a certain amount of time, or you forgot, heh, what are they going to do, no way to prove the lie
Back to top
View user's profile Send private message
usingloser
Apprentice
Apprentice


Joined: 18 May 2003
Posts: 297
Location: ->Here<-

PostPosted: Fri Jun 13, 2003 10:24 pm    Post subject: Reply with quote

okay, i got everything working, as far as i can tell, except when it goes to bring up the password prompt, it tries a insmod on on the loop driver which it believes it to be in /lib/ so rebooted with knoppix and saved a copy there. It stills says it cannot find it which makes sense since it still should be encrypted, so why isnt it searching in the boot directory?

i think this stems from it thinking it is using a different kernel than it is, due to an aborted compile. How do i tell gentoo that it is using the current kernel and not the different version one I aborted.
Back to top
View user's profile Send private message
Wilhelm
Tux's lil' helper
Tux's lil' helper


Joined: 27 May 2003
Posts: 149

PostPosted: Sat Jun 14, 2003 12:15 pm    Post subject: Reply with quote

Could someone tell me why this happened during encrypion of a partition holding some (luckily not so important data it only held a few dirs i believe).
And what i did wrong??

Quote:

echo mypasswordwhichissecret | losetup -p 0 -F /dev/loop5
dd if=/dev/hdb1 of=/dev/loop5 bs=64k conv=notrunc
dd: reading `/dev/hdb1': Input/output error
1373305+1 records in
1373305+1 records out


my fstab line

The partition is 80Gb give or take which is 64k * 1373305.

The drive WAS unmounted when i did this.
The process took a good hour or 2 to complete on my AMD700
The partition DOES mount but no data was in it

I'm gonna retry it WITH data in the partition too see what happens. Also i'm going to use the AESPipe to make sure i do it BY THE MANUAL.
Back to top
View user's profile Send private message
hackerError
Guru
Guru


Joined: 14 Mar 2003
Posts: 341
Location: Reston, VA, USA

PostPosted: Wed Jun 18, 2003 5:48 am    Post subject: Reply with quote

heh, okay I would love to do this, (mainly so the guys at lan parties cant mount with knoppix or a gentoo boot disk on me again... but thats a long story)

but I am sorta dumb (er lazy same thing) and got stuck on the first step of recompiling my kernel, i managed to guess at one or two things, but, I use make menuconfig to set up my kernel, any chance of someone posting what i should check yes/no/module to, i couldnt find some stuff (albeit didnt look very hard) like where you set the ram thing to 4086
I appreciate it.
Back to top
View user's profile Send private message
rhodyne
n00b
n00b


Joined: 25 Oct 2002
Posts: 16
Location: Granger TX

PostPosted: Wed Jun 18, 2003 11:52 am    Post subject: Reply with quote

Well I looked thru the entire thread and didn't find anyone else asking this so I'll step off the paranoid precipice.

Is there a way to make this setup a little more "hyper secure"?

Say I have data on a mobile system that is a security risk. If the system is taken, using some of the ideas related before about unused space/inodes having possible patterns to be located by intensive cracking, that data could still be in trouble.

What if on a specified number of wrong password attempts the file system scrambles (random format)? Or you have one correct password to access and one password that starts a wipe? This for the, UK gentleman discussing their law structure, would leave you in the boat of "you had something encrypted but no one can prove what it was" not even the originator. You might still be in trouble, but possibly not as much trouble as whatever was there could have put you, if they managed to crack it.

Could something like this, in any capacity, be done? Would this be handled by the loop-AES developer(s) maybe?
_________________
./done
Back to top
View user's profile Send private message
esapersona
n00b
n00b


Joined: 17 May 2003
Posts: 16
Location: Perth, Western Australia

PostPosted: Wed Jun 18, 2003 1:25 pm    Post subject: Reply with quote

rhodyne wrote:
Could something like this, in any capacity, be done? Would this be handled by the loop-AES developer(s) maybe?


Hmm...Well, if you read the build-initrd.sh script, then you can see the source code for the password entering phase of the start up...You could slap a test in there that increments a counter, so when that counter == 3 it starts a dd if=/dev/zero of=/dev/whatever...All you'd have to do is include a copy of dd in the /boot directory (as you do with losetup).

The problem with that is that it takes ages for the dd to actually wipe stuff, as can be expected. I suppose that you could probably do something similar that wipes, say, every even byte, and then every odd instead, but time is still an issue. It's not enough to simply wipe the filesystem information because anyone cool enough to break your encrypted file data (which would still be there) could easily work out what the files are.

Perhaps you should stick with the electromagnets in the door trick :wink:

As for the unused inode and space problem, generally this is not touched (the 'data' space, at least) until it's needed...So, if you dd if=/dev/urandom of=/dev/WHATEVER before you encrypt, then the free space will cause alot of confusion (because random data is being encrypted) when someone tryed to look for patterns in the 'free space'
Back to top
View user's profile Send private message
rhodyne
n00b
n00b


Joined: 25 Oct 2002
Posts: 16
Location: Granger TX

PostPosted: Thu Jun 19, 2003 1:22 am    Post subject: Reply with quote

Thanks esapersona, your last comment on the realities of randominzing formats I had forgotten about.

But I wasn't considering "wiping" every bit on disk. With your script idea, have it pick a number between 3 and 22 (x), then a number between 112 and 435 (y), have it skip 'x' blocks, and format (with /dev/urandom :oops: ) @ block size 'y', continue til end of disk or maybe even loop. All it would have to do is a few sectors this way before the data is completely unrecoverable. And if the format is with random data, like you said, it would be easy to confuse with real data or blank space.

Yes those numbers where just picked out of thin air :)

The idea here though is for a soft solution (if there is one) instead of a hard solution. Hard solutions are obvious and have to be implemented with your presence. Soft solutions could, theoretically, be done without your knowledge, and most of the time destroy them selves during implementation.

Like I said before, my paranoia knows no bounds 8O
_________________
./done
Back to top
View user's profile Send private message
echto
Tux's lil' helper
Tux's lil' helper


Joined: 30 Jun 2002
Posts: 107

PostPosted: Thu Jun 19, 2003 9:46 pm    Post subject: Reply with quote

Done. / is encrypted and now onto encrypting swap. This thread is a great start!

Btw, I'm still in the mothers womb.
Back to top
View user's profile Send private message
esapersona
n00b
n00b


Joined: 17 May 2003
Posts: 16
Location: Perth, Western Australia

PostPosted: Fri Jun 20, 2003 6:57 am    Post subject: Reply with quote

Alright - I'm benchmarking these filesystems to see what the overhead is and which performs best when encrypted.

I'm using time <command> in a script..One question - Should I record the real, user and system times, or just the user and the system? I'm in single user mode.
Back to top
View user's profile Send private message
viperlin
Veteran
Veteran


Joined: 15 Apr 2003
Posts: 1317
Location: UK

PostPosted: Fri Jun 20, 2003 5:36 pm    Post subject: Reply with quote

so has anybody managed to either boot 2 initrd's at once

or merge 2 initrd's together?

what would really be kool is having the silent bootsplash with the progress bar and then a box appears for your password...... sadly i have no idea how this would be done and can't work in it myself.

the initrd's are a bit risky but i'll be giving it a go, please give me any tips on merging or booting with 2 initrd files.
Back to top
View user's profile Send private message
echto
Tux's lil' helper
Tux's lil' helper


Joined: 30 Jun 2002
Posts: 107

PostPosted: Fri Jun 20, 2003 7:10 pm    Post subject: Reply with quote

This is wrong.

Darckness wrote:
update:

fstab line:
/dev/hda3 / xfs noatime,loop=/dev/loop5,encryption=AES256 0 0



It should read

/dev/loop5 / xfs noatime 0 1
Back to top
View user's profile Send private message
bryon
Apprentice
Apprentice


Joined: 14 Feb 2003
Posts: 163

PostPosted: Sat Jun 21, 2003 12:00 pm    Post subject: it just hangs Reply with quote

I dont know what I am doing wrong but once i get to the

Code:

patch -p1 <../util-linux-2.11y.diff

It just sits there and does nothing
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Documentation, Tips & Tricks All times are GMT
Goto page Previous  1, 2, 3 ... 5, 6, 7 ... 11, 12, 13  Next
Page 6 of 13

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum