I thought the following may interest the list ...
I was recently inspired by an article in Linux Journal to set up a gentoo system in which the root filesystem is encrypted. I have successfully done so by hacking up the initrd generated by genkernel. Basically, the changes needed are:
1. Compile the kernel with dm-crypt plus the appropriate crypto modules
2. I had to populate /dev with hda* on which the encrypted filesystem lives
3. Busybox wasn't enough so I had to add statically linked versions of blockdev, dmsetup, e2fsck, hashalot.
My next step will be to hack up /usr/share/genkernel/gen_initrd.sh so this is automated when genkernel is run, and then a line in grub.conf like
kernel /kernel-<version> ... doencrypt
will load the appropriate modules, something like doscsi.
Here's a stripped down version of linuxrc which gives you an idea of how it works...
<begin linuxrc>
#!/bin/sh
mount -o remount,rw /
mount -t proc proc /proc
# cipher module for the dm-crypt target, then a keymap so the passphrase is typed correctly
insmod /lib/modules/2.6.7-hardened-r17/kernel/crypto/blowfish.ko
loadkmap < /lib/keymaps/us.map
# device size in 512-byte sectors; hashalot prompts for the passphrase and prints a 32-byte hex key
DEVICE=/dev/hda2
BDEVSIZE=$(blockdev.static --getsize $DEVICE)
KEY=$(hashalot.static -x -n 32 rmd160)
# dm-crypt table: <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
LINE="0 $BDEVSIZE crypt blowfish-plain $KEY 0 $DEVICE 0"
echo $LINE | dmsetup.static create root
/bin/e2fsck.static /dev/mapper/root
mkdir /newroot
mount -t ext2 -o rw /dev/mapper/root /newroot
# clears any leftover mappings; the root mapping just mounted is busy and stays
dmsetup.static remove_all
cd /newroot
touch fastboot
pivot_root . tmp/.initrd
umount tmp/.initrd/proc
exec <dev/console >dev/console 2>&1
exec chroot . /bin/sh <<- EOF
umount /tmp/.initrd || echo "*: Failed to unmount the initrd!"
/sbin/blockdev --flushbufs /dev/ram0 >/dev/null 2>&1
exec /sbin/init
EOF
<end linuxrc>
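As an added example (not part of the original post or of genkernel), here is a small POSIX sh helper that builds the dm-crypt table line linuxrc pipes into dmsetup and sanity-checks it before the mapping is created; the device name, sector count and all-zero key are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example: build and check the dm-crypt table line handed to "dmsetup create".
# Table format: <start> <length> crypt <cipher> <hexkey> <iv_offset> <device> <offset>

# key_hex_ok CIPHER HEXKEY -> 0 if HEXKEY is hex and a legal size for CIPHER.
# blowfish takes 32..448-bit keys; "hashalot -n 32" yields 256 bits = 64 hex digits.
key_hex_ok() {
    cipher=$1 key=$2
    len=${#key}
    case $key in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    case $cipher in
        blowfish-*) [ "$len" -ge 8 ] && [ "$len" -le 112 ] && [ $((len % 2)) -eq 0 ] ;;
        aes-*)      [ "$len" -eq 32 ] || [ "$len" -eq 48 ] || [ "$len" -eq 64 ] ;;
        *)          return 1 ;;
    esac
}

# crypt_table DEVICE SIZE_SECTORS HEXKEY CIPHER -> prints a whole-device table line, or fails.
crypt_table() {
    dev=$1 size=$2 key=$3 cipher=$4
    case $size in ''|*[!0-9]*) return 1 ;; esac
    [ "$size" -gt 0 ] || return 1
    key_hex_ok "$cipher" "$key" || return 1
    # whole-device mapping: start 0, iv_offset 0, device offset 0
    printf '0 %s crypt %s %s 0 %s 0\n' "$size" "$cipher" "$key" "$dev"
}

# check_table LINE -> 0 if LINE is a well-formed whole-device dm-crypt table.
check_table() {
    set -- $1
    [ $# -eq 8 ] || return 1
    [ "$1" = 0 ] && [ "$3" = crypt ] && [ "$6" = 0 ] && [ "$8" = 0 ] || return 1
    key_hex_ok "$4" "$5"
}

# Demo on a constructed 4096-sector device with a placeholder all-zero key (not a real key).
LINE=$(crypt_table /dev/hda2 4096 "$(printf '%064d' 0)" blowfish-plain) &&
    check_table "$LINE" && echo "ok: $LINE"
```

In linuxrc the same check would sit between building $LINE and the dmsetup call, so a bad device size or a malformed key aborts before an unusable mapping is created.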
-------------------------------------------------------------------
Anthony G. Basile, Ph.D. Director of Information Technology, D'Youville College, 320 Porter Ave. Buffalo NY, 14201
Work: (716) 829-8197 (voicemail)
