Author: robert Date: 2009-09-20 14:44:45 -0600 (Sun, 20 Sep 2009) New Revision: 1108
Modified: trunk/crypt-rootfs.txt Log: Updated crypt-rootfs.txt Modified: trunk/crypt-rootfs.txt =================================================================== --- trunk/crypt-rootfs.txt 2009-09-13 17:37:13 UTC (rev 1107) +++ trunk/crypt-rootfs.txt 2009-09-20 20:44:45 UTC (rev 1108) @@ -1,6 +1,6 @@ AUTHOR: Lars Bamberger <Lars.Bamberger at gmx dot de> -DATE: 2009-02-15 +DATE: 2009-11-20 LICENSE: GNU Free Documentation License Version 1.2 @@ -53,7 +53,7 @@ 2.2 cryptsetup with LUKS extension -Get it from http://luks.endorphin.org/dm-crypt +Get it from http://code.google.com/p/cryptsetup/ Compile and install it. Required to handle encrypted partitions. @@ -277,7 +277,7 @@ You'll need all the standard directories (bin, sbin, usr/{bin,sbin}, proc, sys, dev, lib). In bin we put our busybox-large (rename to busybox) and a softlink to busybox named hush. Copy cryptsetup to sbin. -In dev put some useful devices: console, null, sd?? and a directory +In dev put some useful devices: console, null, urandom, sd?? and a directory 'mapper' containing 'control'. Then make a copy of dev: cp -a dev init-dev In lib (and dev) put everything needed to run busybox and cryptsetup. @@ -323,6 +323,11 @@ mount -t $FSTYPE /dev/mapper/sd?? /new-root cp -a $BACKUPROOTFS /new-root +PITFALL: Since your old rootfs isn't mounted, you might not be able to to run + mkefs do to missing libraries. Either copy everything needed to where + the linker can find it, or use the mkefs from busybox. Be sure to + configure busybox accordingly. + Next, modify /etc/fstab (on /new-root) to reflect the new device for the rootfs. Also modify the cryptsetup script as described below (7. PITFALL). @@ -370,7 +375,7 @@ Once everything works as it should, remove the unencrypted backup of your rootfs. Protect your bootloader (and possibly the BIOS) with a password to -disable fiddling with the boot parameters. +disable unauthorized fiddling with the boot parameters. Create a bootscript (checkbootfs) that makes sure that the unencrypted partition we booted from was not compromised. Use something like: @@ -398,13 +403,18 @@ ACKNOWLEDGEMENTS: * Various for the wiki at http://de.gentoo-wiki.com/Cryptsetup-luks_initramfs - and + (not online anymore) and http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS * Clemens Fruhwirth (http://clemens.endorphin.org/) - for LUKS for dm-crypt: http://luks.endorphin.org/dm-crypt + for LUKS for dm-crypt: http://code.google.com/p/cryptsetup CHANGELOG: +[2009-11-20] + * cryptsetup needs /dev/urandom + * mkefs might not work from initramfs + * update some URLs + * some minor touchups [2009-02-15] * Basic rewrite. [2008-02-17] -- http://linuxfromscratch.org/mailman/listinfo/hints FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
