On Sun, May 24, 2009 at 10:30:34AM -0400, Travis Beatty wrote:
> My season of lacrosse finally ended, so I'm hard back at work with
> learning more about GNU/Linux, UNIX, and computers in general!
>
> I've been meaning to learn more about full-partition-encryption [the
> most advanced prior I've used was truecrypt for MySQL database backups], so
> took to reading a few things on dm-crypt and LUKS for LVM2. This is all on
> a building-gentoo system.

Google gentoo + initramfs + cryptsetup, there are some good howtos.

> I have a question though, and hope someone out there can explain it a
> little better. I understand that I need an initramfs, initrd, or one of
> those [things? I'm not quite sure what to call them even!] since I have my
> root partition encrypted. I know busybox is used for this kind of thing,
> but how do I exactly go about it? I've found a few guides to it, but I'm
> not quite sure what ELSE I need to include other than the busybox binary,
> or even how to force grub to use it. I also have no idea how to have IT
> load my other partitions and use them as the primary [since I wanted my
> busybox compact, it holds very few tools that could actually help my
> full-blown-setup system]. Also, I've read about uClibc -- do I need a C
> library to be included with busybox? Is one already? If so, can I have it
> use uClibc while my real system still uses glibc?

You could, but there's really no reason. I use libc and standard gnu tools,
it was simpler that way.

Attached is my init script, which handles encrypted root, encrypted
suspend/resume on swap, and loads the drive crypt keys from an encrypted
disk image on /boot so it only prompts for the keydisk password. Also
attached is the list of files.

-m

--
Mike Kershaw/Dragorn <[email protected]>
GPG Fingerprint: 3546 89DF 3C9D ED80 3381 A661 D7B2 8822 738B BDB1

Life is just Nature's way of keeping meat fresh
-- The Doctor
#!/bin/sh
ROOTDEV=/dev/sda1
SWAPDEV=/dev/sda2
BOOTDEV=/dev/sda3
export PATH=/bin:/sbin
# Get the cmdline
mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
# Make nodes on udev
sh devmap_mknod.sh
sleep 1
# Mount the boot drive to get at the keychain drive
mount ${BOOTDEV} /tmp-boot -o ro
/sbin/losetup /dev/loop0 /tmp-boot/keydisk
# Unlock the keydrive
cryptsetup -y luksOpen /dev/loop0 keydrive
while test $? -ne 0; do
cryptsetup -y luksOpen /dev/loop0 keydrive
done
# Mount it
mount /dev/mapper/keydrive /key -o ro
# Map root and swap from the stored passwords
echo "Mapping root..."
cryptsetup -y luksOpen ${ROOTDEV} root --key-file=/key/root.pwd
while test $? -ne 0; do
echo "Mapping root from keyfile failed, supply pw?"
cryptsetup -y luksOpen ${ROOTDEV} root
done
echo "Mapping swap..."
cryptsetup -y luksOpen ${SWAPDEV} swap --key-file=/key/swap.pwd
# Unmount and unmap stuff
umount /key
cryptsetup -y luksClose keydrive
/sbin/losetup -d /dev/loop0
umount /tmp-boot
# Try to resume
/bin/resume
# Pivot
umount /proc
mount /dev/mapper/root /new
cd /new
mkdir initrd
pivot_root . initrd
# Start init and flush the ram device
exec chroot . /bin/sh <<- EOF >/dev/console 2>&1
umount initrd
rm -rf initrd
blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF
./
./lost+found
./bin
./bin/sh
./bin/cat
./bin/mount
./bin/umount
./bin/mkdir
./bin/chroot
./bin/sleep
./bin/mknod
./bin/sed
./bin/rm
./bin/cryptsetup
./bin/resume
./dev
./dev/console
./dev/null
./dev/sda1
./dev/tty
./dev/sda2
./dev/snapshot
./dev/sda3
./dev/loop0
./devmap_mknod.sh
./etc
./etc/fstab
./etc/mtab
./etc/suspend.conf
./lib
./lib/libblkid.so.1
./lib/libuuid.so.1
./lib/libc.so.6
./lib/ld-linux.so.2
./lib/libdl.so.2
./lib/libncurses.so.5
./linuxrc
./proc
./sbin
./sbin/pivot_root
./sbin/blockdev
./sbin/losetup
./tmp-boot
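The file list above answers the "what ELSE do I need besides the busybox binary" part of the question: every dynamically linked tool in the image drags in the shared libraries it was built against (libc.so.6, ld-linux.so.2, libblkid.so.1, libuuid.so.1 and so on for cryptsetup), and a library that is missing from the image fails only at boot, with no root filesystem to fall back on. The following build script is an added example, not Mike's or Travis's code and not part of the original mail. It stages a list of binaries into a directory, resolves each one's libraries with ldd, and packs the tree as a gzip-compressed newc cpio archive. It assumes the cpio initramfs mechanism (kernel entry point /init, handed to the boot loader with an "initrd" line); the attached script instead uses the older /linuxrc plus pivot_root style on /dev/ram0, so an /init written for this layout would use switch_root rather than pivot_root. The function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original mail): stage an initramfs from a list of
# binaries, pulling in each one's shared libraries the way the attached file list
# carries libc.so.6, ld-linux.so.2, libblkid.so.1 etc. next to the tools.
# Assumes a cpio-format initramfs with /init as the entry point.
set -eu

# Turn ldd output into one library path per line.  Matches
# "libc.so.6 => /lib/libc.so.6 (0x...)" and bare "/lib/ld-linux.so.2 (0x...)"
# lines; skips the vdso ("linux-vdso.so.1 =>  (0x...)", which has no file) and
# "statically linked".
ldd_paths() {
    sed -n \
        -e 's/^[[:space:]]*[^ ]* => \(\/[^ ]*\) (0x.*$/\1/p' \
        -e 's/^[[:space:]]*\(\/[^ ]*\) (0x.*$/\1/p'
}

# Copy one file into the staging tree at the same absolute path it has on the
# build host, creating parent directories.  $1 = source path, $2 = staging root.
stage_path() {
    src=$1; stage=$2
    [ -e "$src" ] || { echo "missing: $src" >&2; return 1; }
    mkdir -p "$stage$(dirname "$src")"
    cp -p "$src" "$stage$src"
}

# Stage a binary plus every shared library ldd reports for it.  A static
# binary makes ldd print "statically linked", which ldd_paths ignores.
stage_binary() {
    bin=$1; stage=$2
    stage_path "$bin" "$stage"
    for lib in $(ldd "$bin" 2>/dev/null | ldd_paths); do
        stage_path "$lib" "$stage"
    done
}

# Pack the staging tree into a gzip-compressed newc cpio archive, the format
# the kernel unpacks as an initramfs.  $1 = staging root, $2 = output file.
pack_initramfs() {
    ( cd "$1" && find . -print | cpio -o -H newc ) | gzip -9 > "$2"
}

# Usage: sh build-initramfs.sh build STAGEDIR OUTFILE BIN...
# e.g.   sh build-initramfs.sh build /tmp/stage /boot/initramfs.gz \
#            /bin/sh /bin/cryptsetup /sbin/losetup /sbin/blockdev
# Put /init, the /dev nodes and any config (etc/suspend.conf, etc/fstab) into
# STAGEDIR before packing, then add an "initrd" line for OUTFILE under the
# "kernel" line of the boot loader entry.
if [ "${1:-}" = build ]; then
    shift
    stage=$1; out=$2; shift 2
    mkdir -p "$stage/bin" "$stage/sbin" "$stage/lib" "$stage/dev" "$stage/proc"
    for b in "$@"; do stage_binary "$b" "$stage"; done
    pack_initramfs "$stage" "$out"
fi
```

Staging at the same absolute paths is what keeps the dynamic loader happy: ld-linux.so.2 looks for libc.so.6 where the link-time path says it is, so /lib on the host becomes /lib in the image, as in the attached list. Running `ldd` against every staged binary after the copy (with the staging root as the chroot) is the cheap way to confirm nothing is still missing before rebooting.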
_______________________________________________
Mid-Hudson Valley Linux Users Group
http://mhvlug.org
http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
Upcoming Meetings (6pm - 8pm) MHVLS Auditorium
Jun 3 - TBD
Jul 1 - TBD
Aug 5 - TBD
