Old 09-04-2012, 08:05 PM
"Roland Häder"
 
Default Aw: dm-crypt + ext4 = where will the journal go?

Okay, I have setup so far this:

/dev/sda1 - /boot (unencrypted)
/dev/sda2 - swap (not yet setup, will be encrypted)
/dev/sda3 - / (encrypted)

/dev/sda3 is the underlying drive, where I used gpg:

# gpg --decrypt key.gpg | cryptsetup --verbose luksFormat /dev/sda3
# gpg --decrypt key.gpg | cryptsetup --verbose luksOpen /dev/sda3 encVol
# dd if=/dev/zero of=/dev/mapper/encVol bs=100M (to avoid filesystem corruption)
# mkfs.ext4 -L root /dev/mapper/encVol

Now I continued as usual with the Gentoo handbook (mount all, copy things on it, etc.)

After I compiled the kernel, emerged cryptsetup on the new system, I edited /boot/grub/grub.conf:
-----------------------------------------------
default 0
timeout 30
splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title Gentoo Linux
root (hd0,0)
kernel /boot/kernel-genkernel-x86-3.3.8-gentoo root=/dev/ram0 crypt_root=/dev/sda3
initrd /boot/initramfs-genkernel-x86-3.3.8-gentoo
-----------------------------------------------
(I read not to use real_root, but crypt_root instead?)

Then I emerged grub as usual (also: # cat /proc/mounts > etc/mtab ) and did: # grub-install --no-floppy /dev/sda

Still as usual. Now it is downloading plymouth (to have some cool things) + dracut (easiest way as I read in wiki).

I also had to expand /etc/make.conf (not /etc/portage/make.conf ??? Is this a mistake in handbook?):

-----------------------------------------------
DRACUT_MODULES="crypt_gpg plymouth"
-----------------------------------------------

Now I really hope that, after I have installed dracut on it, I can boot it and the initrd will be updated. It needs at least some kernel modules (e.g. dm_crypt, ext4, sha512_generic, aes_generic) plus gpg and cryptsetup tools to actually decrypt the hard drive.

Regards,
Roland
 
Old 09-04-2012, 08:08 PM
Hinnerk van Bruinehsen
 
Default Aw: dm-crypt + ext4 = where will the journal go?

On 04.09.2012 20:48, Michael Hampicke wrote:
>> In theory grub2 is able to open a luks-encrypted volume though
>> it seems to have some disadvantages: you'll need to enter the
>> passphrase (or pass the keyfile) two times, because grub itself
>> needs to decrypt the volume to get the later stages from the
>> encrypted volume and afterwards the decryption in the bootprocess
>> itself takes place.
>>
>> I can't give any real advice about it though, because I use an
>> unencrypted boot partition. Depending on your needs it could be
>> an increase of security, because you can stop an attacker from
>> injecting malicious code into your kernel (or replace it
>> completely).
>
> I don't think so, I still can replace your bootloader and grab
> your password. If you really think you might need something like
> this, I suggest you put your kernel and bootloader on a USB stick
> and boot your machine from that. When not in use keep the stick on
> your person.
>
> That still does not protect you from physically tampering with your
> device.
>
> Anyway, what about one of those fancy tin foil hats to protect
> oneself against the government's mind control rays
>

Ah yes - the aluminium foil deflector beanie
(http://zapatopi.net/afdb/)...

I just use it, when going out of my house or when updating my
MindGuard (http://zapatopi.net/mindguard/)


Enough fun - I just wanted to name the possibility because it's there
and it wouldn't require you to repartition your drive.
I think it would be an increase in security nonetheless, though you're
correct: there are a lot more possible attack vectors with side
channel stuff getting very freaky indeed (i.e.: there is an
interesting paper about using the gyroscopes of a mobile telephone to
make a (>80%) correct guess about the pressed key)

 
Old 09-04-2012, 08:15 PM
Hinnerk van Bruinehsen
 
Default Aw: dm-crypt + ext4 = where will the journal go?

On 04.09.2012 22:05, "Roland Häder" wrote:
> Okay, I have setup so far this:
>
> /dev/sda1 - /boot (unencrypted) /dev/sda2 - swap (not yet setup,
> will be encrypted) /dev/sda3 - / (encrypted)
>
> /dev/sda3 is the underlying drive, where I used gpg:
>
> # gpg --decrypt key.gpg | cryptsetup --verbose luksFormat
> /dev/sda3 # gpg --decrypt key.gpg | cryptsetup --verbose luksOpen
> /dev/sda3 encVol # dd if=/dev/zero of=/dev/mapper/encVol bs=100M
> (to avoid filesystem corruption) # mkfs.ext4 -L root
> /dev/mapper/encVol
>
> Now I continued as usual with the Gentoo handbook (mount all, copy
> things on it, etc.)
>
> After I compiled the kernel, emerged cryptsetup on the new system,
> I edited /boot/grub/grub.conf:
> ----------------------------------------------- default 0 timeout
> 30 splashimage=(hd0,0)/boot/grub/splash.xpm.gz
>
> title Gentoo Linux root (hd0,0) kernel
> /boot/kernel-genkernel-x86-3.3.8-gentoo root=/dev/ram0
> crypt_root=/dev/sda3 initrd
> /boot/initramfs-genkernel-x86-3.3.8-gentoo
> ----------------------------------------------- (I read not to use
> real_root, but crypt_root instead?)
>
> Then I emerged grub as usual (also: # cat /proc/mounts > etc/mtab )
> and did: # grub-install --no-floppy /dev/sda
>
> Still as usual. Now it is downloading plymouth (to have some cool
> things) + dracut (easiest way as I read in wiki).
>
> I also had to expand /etc/make.conf (not /etc/portage/make.conf ???
> Is this a mistake in handbook?):
>
> -----------------------------------------------
> DRACUT_MODULES="crypt_gpg plymouth"
> -----------------------------------------------
>
> Now I really hope, that after I installed dracut on it, that I can
> boot it and the initrd will be updated. It needs at least some
> kernel modules (e.g. dm_crypt, ext4, sha512_generic, aes_generic)
> plus gpg and cryptsetup tools to actually decrypt the hard drive.
>
> Regards, Roland
>

I think you need to add crypt as a dracut module since crypt_gpg is
afaik just an extension to crypt.

The output from equery seems to support my assumption:

...
dracut_modules_crypt : Decrypt devices encrypted with
cryptsetup/LUKS
dracut_modules_crypt-gpg : Support for GPG-encrypted keys for
crypt module
...

WKR
Hinnerk
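Two checks a person in Roland's position could run before rebooting, covering both points raised in this thread: that crypt_gpg in DRACUT_MODULES is accompanied by crypt, and that the generated initramfs actually carries cryptsetup, gpg and the dm-crypt/ext4/cipher modules. This is an added POSIX sh example, not code from the thread; the file names expected inside the initramfs are assumptions and may differ between dracut versions (modules built into the kernel will not appear as .ko files at all).

```shell
#!/bin/sh
# Added example (not from the thread): pre-reboot sanity checks for a
# dracut initramfs that must open a LUKS root with a gpg-encrypted keyfile.

# Entries the initramfs listing should contain (assumed paths/names, taken
# from the requirements stated in the thread). Substring matches, so
# compressed modules such as dm-crypt.ko.gz are found too.
REQUIRED_INITRD_ENTRIES="sbin/cryptsetup bin/gpg dm-crypt.ko ext4.ko sha512_generic.ko aes_generic.ko"

# check_dracut_modules "VALUE"
# VALUE is the DRACUT_MODULES string from make.conf. Returns 1 and prints a
# hint when crypt_gpg (either spelling) is listed without the crypt module it
# extends; returns 0 otherwise.
check_dracut_modules() {
    mods=" $1 "
    case "$mods" in
        *" crypt_gpg "*|*" crypt-gpg "*)
            case "$mods" in
                *" crypt "*) return 0 ;;
                *) echo "crypt_gpg listed but crypt missing in DRACUT_MODULES"; return 1 ;;
            esac ;;
    esac
    return 0
}

# check_initrd_listing "LISTING"
# LISTING is the initramfs file list, e.g. the output of
#   lsinitrd /boot/initramfs-genkernel-x86-3.3.8-gentoo
# or  zcat <initramfs> | cpio -t
# Prints every required entry that is absent; the return value is the
# number of missing entries (0 means the initramfs looks complete).
check_initrd_listing() {
    missing=0
    for entry in $REQUIRED_INITRD_ENTRIES; do
        if ! printf '%s\n' "$1" | grep -qF -- "$entry"; then
            echo "missing from initramfs: $entry"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Demo on constructed input (the make.conf value from the thread and a
# listing that lacks the crypto modules):
check_dracut_modules "crypt_gpg plymouth" || echo "-> add crypt to DRACUT_MODULES"
SAMPLE_LISTING="sbin/cryptsetup
usr/bin/gpg
lib/modules/3.3.8-gentoo/kernel/drivers/md/dm-crypt.ko
lib/modules/3.3.8-gentoo/kernel/fs/ext4/ext4.ko"
check_initrd_listing "$SAMPLE_LISTING" || echo "-> rebuild the initramfs"
```

On a real system, feed `check_initrd_listing` the output of `lsinitrd` (or `cpio -t`) for the initramfs named in grub.conf, and `check_dracut_modules` the value set in make.conf.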
 
Old 09-05-2012, 04:04 PM
"Roland Häder"
 
Default Aw: dm-crypt + ext4 = where will the journal go?

> To add my 2¢:
> All you need is build initram and pass it as an argument to pre configured kernel (with needed encryption and hash algorithms built in)
>
> Initram scripts are on github here https://github.com/tokiclover/mkinitramfs-ll

Can I also use dracut? Or won't it set up initrd? I didn't set up LVM, just encryption: on top of it LUKS and then mkfs.ext4 /dev/mapper/envVol


Roland
 
Old 09-05-2012, 06:18 PM
"Roland Häder"
 
Default Aw: dm-crypt + ext4 = where will the journal go?

> dracut and genkernel will both set up initrd.
Okay, thank you.

Now I hang with this:

-------------------------------------------
>>> Emerging (1 of 203) dev-db/oracle-instantclient-basic-10.2.0.3-r1
* Fetching files in the background. To view fetch progress, run
* `tail -f /var/log/emerge-fetch.log` in another terminal.
-------------------------------------------
How can I disable it? I don't want to have an Oracle client or so. In my /etc/make.conf I already said "-oracle" but it still shows up. Can I somehow find out which package requires it?
 
Old 09-06-2012, 02:20 PM
"Roland Häder"
 
Default Aw: dm-crypt + ext4 = where will the journal go?

> Try `emerge -pvT $foo`. With whatever package $foo you are trying to
> install.
That is already solved (I had selected it somehow) by simply deselecting it.

But is now a little OT. I now try to compile x11-libs/libxcb, and dev-python/elementtree is not installed on my system.


> Regards,
> Florian Philipp
Regards,
Roland
 
Old 09-06-2012, 03:36 PM
"Roland Häder"
 
Default Aw: dm-crypt + ext4 = where will the journal go?

> That is already solved (I had selected it somehow) by simply deselecting it.
>
> But is now a little OT. I now try to compile x11-libs/libxcb, and dev-python/elementtree is not installed on my system.

There is hope for this matter, see my forum posting:
http://forums.gentoo.org/viewtopic-p-7133700.html#7133700

In short:
USE="*build* foo bar"
That >build< was wrong and has disabled a lot required python modules (including _elementtree, gdbm, curses, ...).

Roland
 