Antone,

check out
http://loop-aes.sourceforge.net/

IMHO it's a better solution than dm-crypt.

Tested it myself; works on a totally encrypted system (apart from boot).

kos


--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
        http://www.wi-foo.com
e-mail: [EMAIL PROTECTED]

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com


[EMAIL PROTECTED] wrote:

I thought the following may interest the list ...

I was recently inspired by an article in Linux Journal to set up a gentoo system in which the root filesystem is encrypted. I have successfully done so by hacking up the initrd generated by genkernel. Basically, the changes needed are:

1. Compile the kernel with dm-crypt plus the appropriate crypto modules
2. I had to populate /dev with hda* on which the encrypted filesystem lives
3. Busybox wasn't enough so I had to add statically linked versions of blockdev, dmsetup, e2fsck, hashalot.


My next step will be to hack up /usr/share/genkernel/gen_initrd.sh so this is automated when genkernel is run, and then a line in grub.conf like

    kernel /kernel-<version> ... doencrypt

will load the appropriate modules, something like doscsi.

Here's a stripped down version of linuxrc which gives you an idea of how it works...

<begin linuxrc>

#!/bin/sh

# Make the initrd writable and bring up /proc.
mount -o remount,rw /
mount -t proc proc /proc

# Load the cipher module, then the keymap, so the passphrase is typed
# under the right layout before hashalot asks for it.
insmod /lib/modules/2.6.7-hardened-r17/kernel/crypto/blowfish.ko
loadkmap < /lib/keymaps/us.map

# Derive a 32-byte key (hex output) from the passphrase and build the
# dm-crypt table line: "start size crypt cipher key iv_offset device offset".
DEVICE=/dev/hda2
BDEVSIZE=$(blockdev.static --getsize $DEVICE)
KEY=$(hashalot.static -x -n 32 rmd160)
LINE="0 $BDEVSIZE crypt blowfish-plain $KEY 0 $DEVICE 0"

# Create the mapping and check the filesystem on it before mounting.
echo $LINE | dmsetup.static create root
/bin/e2fsck.static /dev/mapper/root

mkdir /newroot
mount -t ext2 -o rw /dev/mapper/root /newroot
# remove_all tears down any unused mappings; the mounted root mapping is
# in use and is left in place.
dmsetup.static remove_all

# Switch the root filesystem to the decrypted device.
cd /newroot
touch fastboot
pivot_root . tmp/.initrd

umount tmp/.initrd/proc

# Reattach the console and hand over to init inside the new root.
exec <dev/console >dev/console 2>&1
exec chroot . /bin/sh <<- EOF
        umount /tmp/.initrd || echo "*: Failed to unmount the initrd!"
        /sbin/blockdev --flushbufs /dev/ram0 >/dev/null 2>&1
        exec /sbin/init
EOF

<end linuxrc>


-------------------------------------------------------------------

Anthony G. Basile, Ph.D.
Director of Information Technology,
D'Youville College,
320 Porter Ave.
Buffalo NY, 14201

Work: (716) 829-8197 (voicemail)


-- [email protected] mailing list
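As an added illustration (not code from the original post or from genkernel), here are shell helpers for two pieces of the plan described above: detecting the doencrypt kernel parameter and building the dm-crypt table line with a key-length check before it is handed to dmsetup. The aes-plain entry and the sample command line are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: helpers for the
# 'doencrypt' kernel flag and the dm-crypt table line used in linuxrc.

# Constructed sample standing in for $(cat /proc/cmdline).
SAMPLE_CMDLINE="root=/dev/ram0 init=/linuxrc real_root=/dev/hda2 doencrypt"

# Return 0 when the command line (arg 1) carries the word 'doencrypt';
# whole-word match so e.g. 'nodoencrypt' is not taken as a yes.
has_doencrypt() {
    for word in $1; do
        [ "$word" = "doencrypt" ] && return 0
    done
    return 1
}

# Key length in hex digits expected for a cipher spec. blowfish-plain with
# a 32-byte key, as in the post (hashalot -n 32), needs 64 hex digits; the
# aes-plain entry is an assumed extra, also at 32 bytes (AES-256).
key_hex_len() {
    case "$1" in
        blowfish-plain) echo 64 ;;
        aes-plain)      echo 64 ;;
        *)              return 1 ;;
    esac
}

# Build the dm-crypt table line "start size crypt cipher key iv_off dev off"
# only after checking the key is hex of the right length, so a mistyped or
# empty hashalot result never reaches dmsetup. Prints the line and returns 0,
# or prints nothing and returns 1.
build_crypt_table() {
    size=$1; cipher=$2; key=$3; dev=$4
    want=$(key_hex_len "$cipher") || return 1
    case "$key" in ""|*[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#key}" -eq "$want" ] || return 1
    echo "0 $size crypt $cipher $key 0 $dev 0"
}

# Demo on the constructed sample; on a real initrd this would read
# /proc/cmdline and pipe the table into 'dmsetup create root'.
if has_doencrypt "$SAMPLE_CMDLINE"; then
    echo "doencrypt set: would map the encrypted root before pivot_root"
fi
```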