Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-06 Thread Roland Häder
 Try `emerge -pvT $foo`. With whatever package $foo you are trying to
 install.
That is already solved (I had selected it somehow) by simply deselecting it.

But this is now a little OT. I am now trying to compile x11-libs/libxcb, and 
dev-python/elementtree is not installed on my system.

 
 Regards,
 Florian Philipp
Regards,
  Roland



Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-06 Thread Roland Häder
 That is already solved (I had selected it somehow) by simply deselecting it.
 
 But this is now a little OT. I am now trying to compile x11-libs/libxcb, and 
 dev-python/elementtree is not installed on my system.

There is hope for this matter, see my forum posting:
http://forums.gentoo.org/viewtopic-p-7133700.html#7133700

In short:
USE=*build* foo bar
That build was wrong and has disabled a lot of required python modules 
(including _elementtree, gdbm, curses, ...).

Roland



Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-05 Thread Roland Häder
To add my 2¢:
All you need is to build an initram and pass it as an argument to a pre-configured kernel (with the needed encryption and hash algorithms built in).

Initram scripts are on GitHub here: https://github.com/tokiclover/mkinitramfs-ll
Can I also use dracut? Or won't it set up an initrd? I didn't set up LVM, just encryption, on top of it LUKS and then mkfs.ext4 /dev/mapper/envVol

Roland

Re: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-05 Thread Michael Mol
On Wed, Sep 5, 2012 at 12:04 PM, Roland Häder r.hae...@web.de wrote:
 To add my 2¢:
 All you need is to build an initram and pass it as an argument to a pre-configured
 kernel (with the needed encryption and hash algorithms built in)

 Initram scripts are on github here
 https://github.com/tokiclover/mkinitramfs-ll
 Can I also use dracut? Or won't it set up an initrd? I didn't set up LVM, just
 encryption, on top of it LUKS and then mkfs.ext4 /dev/mapper/envVol

dracut and genkernel will both set up initrd.


-- 
:wq



Aw: Re: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-05 Thread Roland Häder
 dracut and genkernel will both set up initrd.
Okay, thank you. :)

Now I hang with this:

---
 Emerging (1 of 203) dev-db/oracle-instantclient-basic-10.2.0.3-r1
 * Fetching files in the background. To view fetch progress, run
 * `tail -f /var/log/emerge-fetch.log` in another terminal.
---
How can I disable it? I don't want to have an Oracle client or so. In my 
/etc/make.conf I already said -oracle but it still shows up. Can I somehow 
find out which package requires it?



Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-05 Thread Florian Philipp
On 05.09.2012 20:18, Roland Häder wrote:
 dracut and genkernel will both set up initrd.
 Okay, thank you. :)
 
 Now I hang with this:
 
 ---
 Emerging (1 of 203) 
 dev-db/oracle-instantclient-basic-10.2.0.3-r1
 * Fetching files in the background. To view fetch progress, run * 
 `tail -f /var/log/emerge-fetch.log` in another terminal. 
 ---
 
 How can I disable it? I don't want to have an Oracle client or so. In
 my /etc/make.conf I already said -oracle but it still shows up. Can
 I somehow find out which package requires it?
 


Try `emerge -pvT $foo`. With whatever package $foo you are trying to
install.

Regards,
Florian Philipp





Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Roland Häder
I think I made a (tolerable) mistake:

My hard drive has two partitions:
- sda1 - encrypted swap
- sda2 - encrypted root

How should it boot? One way could be by external media (e.g. a stick), the other is 
from the hard drive. But that is encrypted. So I must leave a small area for the 
kernel, initrd, System.map and maybe the config.

So the page at [1] is a little wrong because it misses the boot partition, so 
the new layout should be:
- sda1 - unencrypted boot (/boot) partition
- sda2 - encrypted swap (at least double your RAM) (crypt-swap)
- sda3 - encrypted root (crypt-root)

Can someone update this?

Regards,
Roland

[1]: http://wiki.gentoo.org/wiki/DM-Crypt



Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Dale
Roland Häder wrote:
 - sda2 - encrypted swap (at least double your RAM) (crypt-swap)

 Regards,
 Roland

 [1]: http://wiki.gentoo.org/wiki/DM-Crypt



I don't think this is true anymore.  It was back when machines had small
amounts of ram.  Case in point, I have 16Gbs of ram.  If I have a
program that needs more than that, I need a bigger machine anyway. 
Since ram has got so large, and cheap, I always make my swap around 1Gb
or so.  If something does run away and eat up ram, I got enough swap
that I have time to kill it.  I would not make a 32Gb swap partition
tho.  That would slow about any machine to a crawl if it starts using
that much.  

I think the new method for determining swap is to use what makes sense
and not the old rule of 'twice the ram'. 

Hope that helps.

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Alan McKinnon
On Tue, 04 Sep 2012 09:15:31 -0500
Dale rdalek1...@gmail.com wrote:

 I think the new method for determining swap is to use what makes sense
 and not the old rule of 'twice the ram'. 

Alan's new rule of swap is:

If you ever use swap as swap at all, find out how your machine is
misconfigured. When my 16G is not enough anymore, something is badly
wrong and it isn't not enough RAM and I need swap to wiggle around
in :-)

I think the 2 x RAM rule stopped being applicable when the average
machine got to more than 16M. Some old memes are like zombies - very
hard to kill.

This laptop has a swap partition, but it's not for swap, it's for
hibernate. And I never use it, it takes longer to come out of hibernate
than to just boot up from cold! These days I just suspend.

None of this changes the fact that the kernel still does get upset when
it has no swap at all (even just a little bit). But that doesn't mean
we should still be using it as full-blown swap.



-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Dale
Alan McKinnon wrote:
 On Tue, 04 Sep 2012 09:15:31 -0500
 Dale rdalek1...@gmail.com wrote:

 I think the new method for determining swap is to use what makes sense
 and not the old rule of 'twice the ram'. 
 Alan's new rule of swap is:

 If you ever use swap as swap at all, find out how your machine is
 misconfigured. When my 16G is not enough anymore, something is badly
 wrong and it isn't not enough RAM and I need swap to wiggle around
 in :-)

 I think the 2 x RAM rule stopped being applicable when the average
 machine got to more than 16M. Some old memes are like zombies - very
 hard to kill.

 This laptop has a swap partition, but it's not for swap, it's for
 hibernate. And I never use it, it takes longer to come out of hibernate
 than to just boot up from cold! These days I just suspend.

 None of this changes the fact that the kernel still does get upset when
 it has no swap at all (even just a little bit). But that doesn't mean
 we should still be using it as full-blown swap.





Yup.  I have swap but I have it set to where it won't use it unless it
is REALLY bad.  I have swappiness set to like 20 or something.  It will
fill up my ram with cache and such but it rarely uses more than a few
hundred kilobytes of swap.  When I see it using that, I usually kill
swap and add it back.  I just don't like a machine with 16Gbs of ram
using swap at all.  I have thought about setting it to 10.  Maybe then
it will leave it alone until it really hits the fan.  ;-)

That said, I did roll over one night and notice that the CPU was going
ape.  I got up and into my chair to notice it was using almost all the
ram and was starting to use a bit of swap.  I switched to a console, ran
htop and noticed that some KDE process was using about ~15.5Gbs of ram. 
It was crazy to see.  I couldn't get it to die with kill -15 so I did a
kill -9.  I guess it had to know I really wanted it dead.  It has not
happened since so no clue on why it did that.  Heck, it ran the same
version of KDE for a good while and still didn't do it.  Cosmic rays
from Mars I guess. 

I would recommend at least 500Mbs or so of swap regardless of ram tho. 
Some swap is a good idea.  Just try not to use it since it is dog slow. 
If you are using hibernate/suspend thingys then that is different. 
Isn't that when it has to be at least as much swap as you have ram? 

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Aw: Re: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Roland Häder
 I think the new method for determining swap is to use what makes sense
 and not the old rule of 'twice the ram'. 
Okay, agreed.

Roland



Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Michael Mol
On Tue, Sep 4, 2012 at 11:53 AM, Dale rdalek1...@gmail.com wrote:
 Alan McKinnon wrote:
 On Tue, 04 Sep 2012 09:15:31 -0500
 Dale rdalek1...@gmail.com wrote:

 I think the new method for determining swap is to use what makes sense
 and not the old rule of 'twice the ram'.
 Alan's new rule of swap is:

 If you ever use swap as swap at all, find out how your machine is
 misconfigured. When my 16G is not enough anymore, something is badly
 wrong and it isn't not enough RAM and I need swap to wiggle around
 in :-)

 I think the 2 x RAM rule stopped being applicable when the average
 machine got to more than 16M. Some old memes are like zombies - very
 hard to kill.

 This laptop has a swap partition, but it's not for swap, it's for
 hibernate. And I never use it, it takes longer to come out of hibernate
 than to just boot up from cold! These days I just suspend.

 None of this changes the fact that the kernel still does get upset when
 it has no swap at all (even just a little bit). But that doesn't mean
 we should still be using it as full-blown swap.





 Yup.  I have swap but I have it set to where it won't use it unless it
 is REALLY bad.  I have swappiness set to like 20 or something.  It will
 fill up my ram with cache and such but it rarely uses more than a few
 hundred kilobytes of swap.  When I see it using that, I usually kill
 swap and add it back.  I just don't like a machine with 16Gbs of ram
 using swap at all.  I have thought about setting it to 10.  Maybe then
 it will leave it alone until it really hits the fan.  ;-)

Set swappiness to 0. Swap will be used if and only if absolutely necessary.

Also, you're unlikely to notice a performance hit if the amount of
data in swap is only a few tens of megabytes; the seek-and-read rate
of even spinning platter disks should tend to cause that bit of
latency to get lost in the normal noise of library linkage, data file
loading, etc. (heck, it might even still be in the drive cache) The
performance hit is there, but probably not subjectively noticeable.


 That said, I did roll over one night and notice that the CPU was going
 ape.  I got up and into my chair to notice it was using almost all the
 ram and was starting to use a bit of swap.  I switched to a console, ran
 htop and noticed that some KDE process was using about ~15.5Gbs of ram.
 It was crazy to see.  I couldn't get it to die with kill -15 so I did a
 kill -9.  I guess it had to know I really wanted it dead.  It has not
 happened since so no clue on why it did that.  Heck, it ran the same
 version of KDE for a good while and still didn't do it.  Cosmic rays
 from Mars I guess.

 I would recommend at least 500Mbs or so of swap regardless of ram tho.
 Some swap is a good idea.  Just try not to use it since it is dog slow.

Indeed.

 If you are using hibernate/suspend thingys then that is different.
 Isn't that when it has to be at least as much swap as you have ram?

Yes.

-- 
:wq



Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Hinnerk van Bruinehsen

On 04.09.2012 15:48, Roland Häder wrote:
 I think I made a (tolerable) mistake:
 
 My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
 encrypted root
 
 How should it boot? One way could be by external media (e.g. a
 stick), the other is from the hard drive. But that is encrypted. So I must
 leave a small area for the kernel, initrd, System.map and maybe the
 config.
 
 So the page at [1] is a little wrong because it misses the boot
 partition, so the new layout should be: - sda1 - unencrypted boot
 (/boot) partition - sda2 - encrypted swap (at least double
 your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)
 
 Can someone update this?
 
 Regards, Roland
 
 [1]: http://wiki.gentoo.org/wiki/DM-Crypt
 

In theory grub2 is able to open a LUKS-encrypted volume, though it
seems to have some disadvantages: you'll need to enter the passphrase
(or pass the keyfile) two times, because grub itself needs to decrypt
the volume to get the later stages from the encrypted volume and
afterwards the decryption in the boot process itself takes place.

I can't give any real advice about it though, because I use an
unencrypted boot partition. Depending on your needs it could be an
increase of security, because you can stop an attacker from injecting
malicious code into your kernel (or replace it completely).

WKR
Hinnerk



Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Florian Philipp
On 04.09.2012 19:37, Hinnerk van Bruinehsen wrote:
 On 04.09.2012 15:48, Roland Häder wrote:
 I think I made a (tolerable) mistake:
 
 My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
 encrypted root
 
 How should it boot? One way could be by external media (e.g. a
 stick), the other is from the hard drive. But that is encrypted. So I must
 leave a small area for the kernel, initrd, System.map and maybe the
 config.
 
 So the page at [1] is a little wrong because it misses the boot
 partition, so the new layout should be: - sda1 - unencrypted boot
 (/boot) partition - sda2 - encrypted swap (at least double
 your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)
 
 Can someone update this?
 
 Regards, Roland
 
 [1]: http://wiki.gentoo.org/wiki/DM-Crypt
 
 
 In theory grub2 is able to open a luks-encrypted volume though it
 seems to have some disadvantages: you'll need to enter the passphrase
 (or pass the keyfile) two times, because grub itself needs to decrypt
 the volume to get the later stages from the encrypted volume and
 afterwards the decryption in the boot process itself takes place.
 
 I can't give any real advice about it though, because I use an
 unencrypted boot partition. Depending on your needs it could be an
 increase of security, because you can stop an attacker from injecting
 malicious code into your kernel (or replace it completely).
 
 WKR
 Hinnerk


For personal use, I see no point in using an encrypted boot partition.
An attacker needs physical or root access to change the kernel or initrd
in order to get to your encrypted data. In both cases, you are hosed
anyway (keyloggers, etc.).

Encrypting everything except the boot partition still protects you
against theft, seizure and so on (as long as you sanitize the device
when you get it back). Secure Boot would help further but let's not
re-iterate that particular flame/FUD war.

Regards,
Florian Philipp





Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Michael Mol
On Tue, Sep 4, 2012 at 2:18 PM, Florian Philipp li...@binarywings.net wrote:
 On 04.09.2012 19:37, Hinnerk van Bruinehsen wrote:
 On 04.09.2012 15:48, Roland Häder wrote:
 I think I made a (tolerable) mistake:

 My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
 encrypted root

 How should it boot? One way could be by external media (e.g. a
 stick), the other is from the hard drive. But that is encrypted. So I must
 leave a small area for the kernel, initrd, System.map and maybe the
 config.

 So the page at [1] is a little wrong because it misses the boot
 partition, so the new layout should be: - sda1 - unencrypted boot
 (/boot) partition - sda2 - encrypted swap (at least double
 your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)

 Can someone update this?

 Regards, Roland

 [1]: http://wiki.gentoo.org/wiki/DM-Crypt


 In theory grub2 is able to open a luks-encrypted volume though it
 seems to have some disadvantages: you'll need to enter the passphrase
 (or pass the keyfile) two times, because grub itself needs to decrypt
 the volume to get the later stages from the encrypted volume and
 afterwards the decryption in the boot process itself takes place.

 I can't give any real advice about it though, because I use an
 unencrypted boot partition. Depending on your needs it could be an
 increase of security, because you can stop an attacker from injecting
 malicious code into your kernel (or replace it completely).

 WKR
 Hinnerk


 For personal use, I see no point in using an encrypted boot partition.
 An attacker needs physical or root access to change the kernel or initrd
 in order to get to your encrypted data. In both cases, you are hosed
 anyway (keyloggers, etc.).

Now you've got me pondering cryptographically-verified input devices.
But perhaps a paired USB key fob with a challenge/response setup would
be reasonable.


-- 
:wq



Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Florian Philipp
On 04.09.2012 00:12, Roland Häder wrote:
 Okay, I have made a little progress. I have generated my private key
 using some random data + gpg:
 
 # head -c 3705 /dev/urandom | head -n 66 | tail -n 65 > key.out
 # gpg --symmetric -a --s2k-count 8388608 key.out
 Enter your password twice
 # mv key.out.asc key.gpg
 # rm -f key.out
 

Two minor suggestions:

1. Maybe it would be a good idea to use an ASCII-only random string, for
example by piping it through `base64 -w 0`. That way you don't lose any
entropy (the key just gets longer) but it is easier to type the keyfile
manually, in case you ever need to. You also don't have to worry about
odd behavior of password prompts anymore.

2. You should `shred` key.out instead of `rm`.

 Now I have to copy that file on my stick and setup
 /etc/conf.d/dmcrypt:
 
 # whole root system encrypted with gpg key from removable media
 target=crypt-root
 source='/dev/hdaX'
 key='/key:gpg'
 # This is your stick
 remdev='/dev/sda1'
 
 But what next? The example at [1] is based on a key-only file (no
 passphrase). I know, later on /etc/conf.d/dmcrypt must be placed on
 the new root-fs but what now? I still have to set it up. cryptsetup
 doesn't do anything with gpg. So do I have to set up a pipeline?
 

I'm not entirely sure I understand what you mean, therefore I just start
babbling. ;-)

The dmcrypt init script cannot be used for encrypting the root fs, a
separate /usr or /etc. At least, I don't see a way to do it and I don't
see it in the examples in my /etc/conf.d/dmcrypt.

However, you can use it for all other directories containing sensitive
data (/home, /srv, /var, /tmp). You might still need a skeleton
directory structure of /var for the early boot stages but that's about it.

Getting root encrypted is the sole responsibility of your initrd.

Regards,
Florian Philipp





Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Florian Philipp
On 04.09.2012 20:27, Michael Mol wrote:
 On Tue, Sep 4, 2012 at 2:18 PM, Florian Philipp li...@binarywings.net wrote:
 On 04.09.2012 19:37, Hinnerk van Bruinehsen wrote:
 On 04.09.2012 15:48, Roland Häder wrote:
 I think I made a (tolerable) mistake:

 My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
 encrypted root

 How should it boot? One way could be by external media (e.g. a
 stick), the other is from the hard drive. But that is encrypted. So I must
 leave a small area for the kernel, initrd, System.map and maybe the
 config.

 So the page at [1] is a little wrong because it misses the boot
 partition, so the new layout should be: - sda1 - unencrypted boot
 (/boot) partition - sda2 - encrypted swap (at least double
 your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)

 Can someone update this?

 Regards, Roland

 [1]: http://wiki.gentoo.org/wiki/DM-Crypt


 In theory grub2 is able to open a luks-encrypted volume though it
 seems to have some disadvantages: you'll need to enter the passphrase
 (or pass the keyfile) two times, because grub itself needs to decrypt
 the volume to get the later stages from the encrypted volume and
 afterwards the decryption in the boot process itself takes place.

 I can't give any real advice about it though, because I use an
 unencrypted boot partition. Depending on your needs it could be an
 increase of security, because you can stop an attacker from injecting
 malicious code into your kernel (or replace it completely).

 WKR
 Hinnerk


 For personal use, I see no point in using an encrypted boot partition.
 An attacker needs physical or root access to change the kernel or initrd
 in order to get to your encrypted data. In both cases, you are hosed
 anyway (keyloggers, etc.).
 
 Now you've got me pondering cryptographically-verified input devices.
 But perhaps a paired USB key fob with a challenge/response setup would
 be reasonable.
 
 

Don't forget to look for hidden cameras or telescopes pointed at nearby
windows. You also have to worry about the characteristic electromagnetic
interference caused by your input devices (you don't need to wear a
tinfoil hat but maybe your keyboard should ;-) ).

Once you start to worry, there is no end.

This seems to be of interest:
http://news.cnet.com/8301-10784_3-9741357-7.html

But this should not be forgotten, either:
http://xkcd.com/538/

Regards,
Florian Philipp





Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Michael Hampicke
 In theory grub2 is able to open a luks-encrypted volume though it
 seems to have some disadvantages: you'll need to enter the passphrase
 (or pass the keyfile) two times, because grub itself needs to decrypt
 the volume to get the later stages from the encrypted volume and
 afterwards the decryption in the boot process itself takes place.
 
 I can't give any real advice about it though, because I use an
 unencrypted boot partition. Depending on your needs it could be an
 increase of security, because you can stop an attacker from injecting
 malicious code into your kernel (or replace it completely).

I don't think so, I still can replace your bootloader and grab your
password. If you really think you might need something like this, I
suggest you put your kernel and bootloader on a USB stick and boot your
machine from that. When not in use keep the stick on your person.

That still does not protect you from physical tampering with your device.

Anyway, what about one of those fancy tin foil hats to protect oneself
against the government's mind control rays :)



Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Florian Philipp
On 03.09.2012 23:23, Roland Häder wrote:
 
 No comment on dracut as I have no experience with it.
 Okay, so I have to try it out myself. When I found something out, I
 expand the wiki with it.
 
 
 However, as I see it, you need no key file if you just use a pass 
 phrase. In my opinion, a key file is only necessary for two
 improvements:
 Entering just a pass phrase means that this pass phrase will be used
 to decrypt the device, if you decrypt a key before and then with that
 key decrypt all your volumes you have a much better security because
 that key will then be used as 'pass phrase' which is *way* much
 stronger (4096+ chars + ~10-20 chars you can remember).
 

That's not exactly how it works.

1. An attacker could still simply break the pass phrase used to encrypt
the key file.

2. You don't actually weaken the encryption of your disk if you use a
small key (besides the obviously easier guessing of the key). The actual
encryption key is generated from the pass phrase (or key file) by a hash
function (default: SHA-1). This always expands or compresses your key to
the key size defined when issuing `cryptsetup luksFormat`.

 
 1. Two-factor authentication (read: encrypted key file)
 

This is what makes a key file better and more secure. The attacker not
only needs a pass phrase /or/ a memory stick; he needs both.

 2. Avoiding re-typing the pass phrase for multiple dmcrypt
 partitions
 See above. :)
 
 You can easily achieve the second point by putting an unencrypted
 key file on the first partition which you encrypt with a pass
 phrase. You don't even need dracut for this, /etc/conf.d/dmcrypt
 lets you configure it easily (as long as it doesn't affect /usr).
 Okay, I look into this.
 
 
 However, I personally find it easier to put LVM on a single
 dmcrypt volume and be done with it. All you need for this to work are
 two lines in /etc/rc.conf: rc_dmcrypt_before=lvm 
 rc_dmcrypt_after=udev
 I'm new to LVM, does it set up key-based encryption (best is to put
 that key on a USB stick, so the attacker needs my stick)?
 
 Regards, Roland
 


I guess I didn't make myself clear. Mostly because I didn't want to
write a whole article on it before someone actually showed interest in
this. Anyway:

LVM has nothing to do with the encryption. It is just a way to partition
a single dmcrypt partition into more devices. Maybe it gets clearer if I
show my partitioning scheme (shortened a bit and with some artistic
liberties):

/dev/sda1                                        # /boot
/dev/sda2                                        # root + /usr + /etc
/dev/sda3 -> /dev/mapper/crypt                   # dmcrypt partition
/dev/mapper/crypt -> vg_notebook                 # LVM volume group on dmcrypt
vg_notebook -> /dev/mapper/vg_notebook-var       # /var
vg_notebook -> /dev/mapper/vg_notebook-home      # /home
vg_notebook -> /dev/mapper/vg_notebook-swap      # swap
vg_notebook -> /dev/mapper/vg_notebook-opt       # /opt
vg_notebook -> /dev/mapper/vg_notebook-usr-local # /usr/local


You see, it is just an alternative to different approaches on getting
several parts of your file system encrypted without having to enter pass
phrases for several dmcrypt partitions. Alternatives are

1. Put an unencrypted key file on the first encrypted partition.
2. Use a single file system on a single dmcrypt partition and then
`mount --bind` or `ln -s` parts of it in different places.

For me personally, it is a nice compromise as it allows me to work
without an initrd while still keeping most of my file systems encrypted.
I just have to make sure to leave nothing private on root, /usr or /etc.

Regards,
Florian Philipp





Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Roland Häder
 1. Maybe it would be a good idea to use an ASCII-only random string, for
 example by piping it through `base64 -w 0`. That way you don't lose any
 entropy (the key just gets longer) but it is easier to type the keyfile
 manually, in case you ever need to. You also don't have to worry about
 odd behavior of password prompts anymore.
I think that is now too late? I have already formatted it and added ext4 on 
it, plus installed some packages already (it was a long way).

 
 2. You should `shred` key.out instead of `rm`.
That key file was on a RAM disk, not on a real one. ;)

Roland



Re: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Michael Mol
On Tue, Sep 4, 2012 at 3:40 PM, Roland Häder r.hae...@web.de wrote:
 1. Maybe it would be a good idea to use an ASCII-only random string, for
 example by piping it through `base64 -w 0`. That way you don't lose any
 entropy (the key just gets longer) but it is easier to type the keyfile
 manually, in case you ever need to. You also don't have to worry about
 odd behavior of password prompts anymore.
 I think that is now too late? I have already formatted it and added ext4 on 
 it, plus installed some packages already (it was a long way).


 2. You should `shred` key.out instead of `rm`.
 That key file was on a RAM disk, not on a real one. ;)

So shred your swap partition. :P


-- 
:wq
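Michael's "shred your swap partition" points at the real risk behind a key file on a RAM disk: memory can be paged out, so on a dm-crypt system every swap area should itself be a dm-crypt mapping (the crypt-swap layout discussed earlier in the thread). The following is an added example, my own script rather than anything posted in the thread, that checks this from `/proc/swaps` format; the sample input is constructed so it runs without root, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: list active swap areas that are not
# dm-crypt mappings. Anything held in RAM (Roland's key file on a RAM disk, a
# decrypted key flowing through a pipeline) can be paged out, so on a dm-crypt
# system all swap should appear under /dev/mapper. Input is /proc/swaps format;
# the sample below is constructed so the script runs without root.

# Print swap areas (devices or files) from $1 that are not under /dev/mapper.
# $1 defaults to the live /proc/swaps.
unencrypted_swaps() {
    awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { print $1 }' "${1:-/proc/swaps}"
}

# Number of such swap areas; 0 is what an all-encrypted-swap setup should give.
unencrypted_swap_count() {
    unencrypted_swaps "$1" | wc -l | tr -d ' '
}

# Current vm.swappiness (Dale runs 20, Michael suggests 0); prints nothing on
# hosts without the sysctl.
swappiness() {
    cat /proc/sys/vm/swappiness 2>/dev/null
}

# Constructed sample: one encrypted swap mapping, one plain partition, one swap file.
SAMPLE_SWAPS=$(mktemp)
cat > "$SAMPLE_SWAPS" <<'EOF'
Filename                                Type            Size    Used    Priority
/dev/mapper/crypt-swap                  partition       4194300 0       -2
/dev/sda2                               partition       2097148 0       -3
/var/swapfile                           file            1048572 0       -4
EOF

echo "swap areas outside dm-crypt ($(unencrypted_swap_count "$SAMPLE_SWAPS")):"
unencrypted_swaps "$SAMPLE_SWAPS"
```

Run against the real `/proc/swaps` by calling `unencrypted_swaps` with no argument; a swap file on an unencrypted file system is flagged too, which is intended, since it leaks just as readily as a plain partition.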



Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Roland Häder
Okay, I have setup so far this:

/dev/sda1 - /boot (unencrypted)
/dev/sda2 - swap (not yet setup, will be encrypted)
/dev/sda3 - / (encrypted)

/dev/sda3 is the underlying drive, where I used gpg:

# gpg --decrypt key.gpg | cryptsetup --verbose luksFormat /dev/sda3
# gpg --decrypt key.gpg | cryptsetup --verbose luksOpen /dev/sda3 encVol
# dd if=/dev/zero of=/dev/mapper/encVol bs=100M (to avoid filesystem corruption)
# mkfs.ext4 -L root /dev/mapper/encVol

Now I continued as usual with the Gentoo handbook (mount all, copy things on 
it, etc.)

After I compiled the kernel and emerged cryptsetup on the new system, I edited 
/boot/grub/grub.conf:
---
default 0
timeout 30
splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title Gentoo Linux
root (hd0,0)
kernel /boot/kernel-genkernel-x86-3.3.8-gentoo root=/dev/ram0 crypt_root=/dev/sda3
initrd /boot/initramfs-genkernel-x86-3.3.8-gentoo
---
(I read not to use real_root, but crypt_root instead?)

Then I emerged grub as usual (also: # cat /proc/mounts > etc/mtab) and did:
# grub-install --no-floppy /dev/sda

Still as usual. Now it is downloading plymouth (to have some cool things) + 
dracut (easiest way as I read in wiki).

I also had to expand /etc/make.conf (not /etc/portage/make.conf ??? Is this a 
mistake in handbook?):

---
DRACUT_MODULES="crypt_gpg plymouth"
---

Now I really hope that, after I have installed dracut on it, I can boot it and 
the initrd will be updated. It needs at least some kernel modules (e.g. 
dm_crypt, ext4, sha512_generic, aes_generic) plus the gpg and cryptsetup tools to 
actually decrypt the hard drive.

Regards,
  Roland



Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Hinnerk van Bruinehsen

On 04.09.2012 20:48, Michael Hampicke wrote:
 In theory grub2 is able to open a luks-encrypted volume though
 it seems to have some disadvantages: you'll need to enter the
 passphrase (or pass the keyfile) two times, because grub itself
 needs to decrypt the volume to get the later stages from the
 encrypted volume and afterwards the decryption in the boot process
 itself takes place.
 
 I can't give any real advice about it though, because I use an 
 unencrypted boot partition. Depending on your needs it could be
 an increase of security, because you can stop an attacker from
 injecting malicious code into your kernel (or replace it
 completely).
 
 I don't think so, I still can replace your bootloader and grab
 your password. If you really think you might need something like
 this, I suggest you put your kernel and bootloader on a USB stick
 and boot your machine from that. When not in use keep the stick on
 your person.
 
 That still does not protect you from physically tempering with your
 device.
 
 Anyway, what about one those fancy tin foil hats to protect
 oneself against the governments mind control rays :)
 

Ah yes - the aluminium foil deflector beanie
(http://zapatopi.net/afdb/)...

I just use it, when going out of my house or when updating my
MindGuard (http://zapatopi.net/mindguard/)


Enough fun - I just wanted to name the possibility because it's there
and it wouldn't require you to repartition your drive.
I think it would be an increase in security nonetheless, though you're
correct: there are a lot more possible attack vectors with side
channel stuff getting very freaky indeed (i.e.: there is an
interesting paper about using the gyroscopes of a mobile telephone to
make a (80%) correct guess about the pressed key)




Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Neil Bothwick
On Tue, 04 Sep 2012 10:53:38 -0500, Dale wrote:

 If you are using hibernate/suspend thingys then that is different. 
 Isn't that when it has to be at least as much swap as you have ram? 

Not necessarily because the data is compressed before saving, but you
can't know how much it is going to compress, so only if your RAM is all
used up with incompressible data (an unlikely scenario) will you need
that much.

Not that hibernating a system with 16GB is ever going to be fast enough
to be worth bothering with. As Alan has discovered, it can take longer
than a cold boot.


-- 
Neil Bothwick

Be strict when sending and tolerant when receiving.
 RFC 1958 - Architectural Principles of the Internet - section 3.9




Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Neil Bothwick
On Tue, 04 Sep 2012 20:59:34 +0200, Florian Philipp wrote:

 I just have to make sure to leave nothing private on root, /usr or /etc.

Like your passwd and shadow files?


-- 
Neil Bothwick

Ifyoucanreadthis,youspendtoomuchtimefiguringouttaglines.




Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Hinnerk van Bruinehsen
On 04.09.2012 22:05, Roland Häder wrote:
 Okay, I have set up so far this:
 
 /dev/sda1 - /boot (unencrypted)
 /dev/sda2 - swap (not yet set up, will be encrypted)
 /dev/sda3 - / (encrypted)
 
 /dev/sda3 is the underlying drive, where I used gpg:
 
 # gpg --decrypt key.gpg | cryptsetup --verbose luksFormat /dev/sda3
 # gpg --decrypt key.gpg | cryptsetup --verbose luksOpen /dev/sda3 encVol
 # dd if=/dev/zero of=/dev/mapper/encVol bs=100M (to avoid filesystem corruption)
 # mkfs.ext4 -L root /dev/mapper/encVol
 
 Now I continued as usual with the Gentoo handbook (mount all, copy
 things on it, etc.)
 
 After I compiled the kernel, emerged cryptsetup on the new system,
 I edited /boot/grub/grub.conf:
 ---
 default 0
 timeout 30
 splashimage=(hd0,0)/boot/grub/splash.xpm.gz
 
 title Gentoo Linux
 root (hd0,0)
 kernel /boot/kernel-genkernel-x86-3.3.8-gentoo root=/dev/ram0 crypt_root=/dev/sda3
 initrd /boot/initramfs-genkernel-x86-3.3.8-gentoo
 ---
 (I read not to use real_root, but crypt_root instead?)
 
 Then I emerged grub as usual (also: # cat /proc/mounts > etc/mtab )
 and did: # grub-install --no-floppy /dev/sda
 
 Still as usual. Now it is downloading plymouth (to have some cool
 things) + dracut (easiest way as I read in wiki).
 
 I also had to expand /etc/make.conf (not /etc/portage/make.conf ???
 Is this a mistake in the handbook?):
 
 ---
 DRACUT_MODULES="crypt_gpg plymouth"
 ---
 
 Now I really hope that, after I have installed dracut on it, I can
 boot it and the initrd will be updated. It needs at least some
 kernel modules (e.g. dm_crypt, ext4, sha512_generic, aes_generic)
 plus the gpg and cryptsetup tools to actually decrypt the hard drive.
 
 Regards, Roland
 

I think you need to add crypt as a dracut module, since crypt_gpg is
afaik just an extension to crypt.

The output from equery seems to support my assumption:

...
dracut_modules_crypt : Decrypt devices encrypted with
cryptsetup/LUKS
dracut_modules_crypt-gpg : Support for GPG-encrypted keys for
crypt module
...

WKR
Hinnerk



Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Neil Bothwick
On Tue, 04 Sep 2012 19:37:16 +0200, Hinnerk van Bruinehsen wrote:

 In theory grub2 is able to open a luks-encrypted volume though it
 seems to have some disadvantages: you'll need to enter the passphrase
 (or pass the keyfile) two times, because grub itself needs to decrypt
 the volume to get the later stages from the encrypted volume and
 afterwards the decryption in the bootprocess itself takes place.

You don't need to mount /boot as part of the boot process, only when you
want to install a new kernel or reconfigure the bootloader.


-- 
Neil Bothwick

What do you call a dead bee? - A was.


Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Florian Philipp
Am 04.09.2012 21:40, schrieb Roland Häder:
 1. Maybe it would be a good idea to use an ASCII-only random string, for
 example by piping it through `base64 -w 0`. That way you don't loose any
 entropy (the key just gets longer) but it is easier to type the keyfile
 manually, in case you ever need to. You also don't have to worry about
 odd behavior of password prompts anymore.
 I think it is now too late for that? I have already formatted it and added ext4 on 
 it plus installed some packages already (was a long way).
 

Well, if you want, you can just change the pass phrase. Or even create
another one. LUKS supports multiple key slots. Use `cryptsetup
luksAddKey` and friends.

Regards,
Florian Philipp






Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Florian Philipp
Am 04.09.2012 22:14, schrieb Neil Bothwick:
 On Tue, 04 Sep 2012 20:59:34 +0200, Florian Philipp wrote:
 
 I just have to make sure to leave nothing private on root, /usr or /etc.
 
 Like your passwd and shadow files?
 
 

*g*, good point. However, I'm willing to take the risk on just these
two: passwd doesn't contain anything of considerable interest. shadow
contains exactly two passwords, both as sha256-sums (or similar, did not
really check). The passwords themselves are in excess of 90 bit entropy,
depending on how you estimate it.

Most of the rest which might be of interest and is usually in /etc can
be symlinked there from a safe location in /var.

Regards,
Florian Philipp





Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Florian Philipp
Am 04.09.2012 22:09, schrieb Neil Bothwick:
 On Tue, 04 Sep 2012 10:53:38 -0500, Dale wrote:
 
 If you are using hibernate/suspend thingys then that is different. 
 Isn't that when it has to be at least as much swap as you have ram? 
 
 Not necessarily because the data is compressed before saving, but you
 can't know how much it is going to compress, so only if your RAM is all
 used up with incompressible data (an unlikely scenario) will you need
 that much.


I think the capability of compressing hibernate images is still limited
to sys-kernel/tuxonice-sources.

 Not that hibernating a system with 16GB is ever going to be fast enough
 to be worth bothering with. As Alan has discovered, it can take longer
 than a cold boot.
 

Yes but (at least with tuxonice) you don't need to repopulate your
in-memory disk cache which might again save you time. However, I find it
easier to just suspend. In my experience it is more stable and many
modern laptops can easily survive a week in suspension.

Regards,
Florian Philipp






Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Neil Bothwick
On Tue, 04 Sep 2012 22:45:07 +0200, Florian Philipp wrote:

  I just have to make sure to leave nothing private on root, /usr
  or /etc.  
  
  Like your passwd and shadow files?

 *g*, good point. However, I'm willing to take the risk on just these
 two: passwd doesn't contain anything of considerable interest. shadow
 contains exactly two passwords, both as sha256-sums (or similar, did not
 really check). The passwords themselves are in excess of 90 bit entropy,
 depending on how you estimate it.
 
 Most of the rest which might be of interest and is usually in /etc can
 be symlinked there from a safe location in /var.

I used to do that, but as the number of sensitive directories grew -
samba, wicd, etc. - I decided it was less hassle to set up an encrypted /
and forget about it.


-- 
Neil Bothwick

When you go to court you are putting yourself in the hands of 12 people
that were not smart enough to get out of jury duty.




Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-04 Thread Samurai
To add my 2¢:
I have 3 working setups, almost all done by this 
http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS guide, which result in either 
an unencrypted /boot on the drive or booting from a stick. The resulting layout is the following:
/dev/sda1 /boot
/dev/sda2 dm-crypt container with lvm vg atop of it
In vg is: vg-root vg-swap vg-home

All you need is to build an initramfs and pass it as an argument to a pre-configured 
kernel (with the needed encryption and hash algorithms built in).

Initram scripts are on github here https://github.com/tokiclover/mkinitramfs-ll 


Hope it helps; if not, contact me (the first time I needed to reinstall the system 
three times before a successful boot, but at that time I was a complete noob in Gentoo).
S

Neil Bothwick n...@digimed.co.uk wrote:

On Tue, 04 Sep 2012 22:45:07 +0200, Florian Philipp wrote:

  I just have to make sure to leave nothing private on root, /usr
  or /etc.  
  
  Like your passwd and shadow files?

 *g*, good point. However, I'm willing to take the risk on just these
 two: passwd doesn't contain anything of considerable interest. shadow
 contains exactly two passwords, both as sha256-sums (or similar, did
not
 really check). The passwords themselves are in excess of 90 bit
entropy,
 depending on how you estimate it.
 
 Most of the rest which might be of interest and is usually in /etc
can
 be symlinked there from a safe location in /var.

I used to do that, but as the number of sensitive directories grew -
samba, wicd, etc. - I decided it was less hassle to set up an encrypted
/
and forget about it.


-- 
Neil Bothwick

When you go to court you are putting yourself in the hands of 12 people
that were not smart enough to get out of jury duty.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

[gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-03 Thread Roland Häder
Hi all,

I'm currently testing dm-crypt to encrypt my whole hard drive. So far I 
followed this [1] guide and have to wait for the randomization part of the hard 
drive.

In the wiki, ext4 is being used. Since ext3 a journal has been added. From my 
times with loop-aes I know that I have to store the journal through an 
encrypted loop device else it might be written on the hard drive.

As I'm new to dm-crypt and Gentoo, where will that journal now go?

Any help is welcomed. :)

Regards,
  Roland



Aw: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-03 Thread Roland Häder
Oops, here is the missing link:
http://wiki.gentoo.org/wiki/DM-Crypt

(I don't think it is a good idea to store the keyFile somewhere plain. [2] 
tells that there is support for crypt-gnupg, but it doesn't show any help on how 
to set it up.)

[2]: http://wiki.gentoo.org/wiki/Dracut



Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-03 Thread Florian Philipp
Am 03.09.2012 22:20, schrieb Roland Häder:
 Hi all,
 
 I'm currently testing dm-crypt to encrypt my whole hard drive. So far
 I followed this [1] guide and have to wait for the randomization part
 of the hard drive.
 

You forgot the link to [1].

 In the wiki, ext4 is being used. Since ext3 a journal has been added.
 From my times with loop-aes I know that I have to store the journal
 through an encrypted loop device else it might be written on the hard
 drive.
 

Never used loop-aes myself. Sorry if I miss the reason for your
confusion because of it.

 As of I'm new to dm-crypt and Gentoo, where will that journal now
 go?
 

Opening a dmcrypt volume creates a mapped block device in /dev/mapper.
You treat it like a partition and format it with ext4. Unless you use
some exotic flags for mke2fs, the journal will be put on the same block
device and is encrypted along with the rest of it.

So: No need to worry about it.

Hope this helps,
Florian Philipp





Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-03 Thread Steve Buzonas
The journal is generally located on the partition in question.  If the
partition is encrypted the journal should also be encrypted.  You can use
`tune2fs -l` to list the contents of the partition's superblock which will
have details on the partition such as journal location, etc...

On Mon, Sep 3, 2012 at 4:20 PM, Roland Häder r.hae...@web.de wrote:

 Hi all,

 I'm currently testing dm-crypt to encrypt my whole hard drive. So far I
 followed this [1] guide and have to wait for the randomization part of the
 hard drive.

 In the wiki, ext4 is being used. Since ext3 a journal has been added. From
 my times with loop-aes I know that I have to store the journal through an
 encrypted loop device else it might be written on the hard drive.

 As of I'm new to dm-crypt and Gentoo, where will that journal now go?

 Any help is welcomed. :)

 Regards,
   Roland




-- 
Sincerely,

Steve Buzonas Jr.
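
Florian's and Steve's answers above come down to the same check, so here is one added example (mine, not code from either poster) that serves both: it classifies the journal from `tune2fs -l` output and tests whether the device underneath is really a dm-crypt mapping. The `tune2fs` field names and the `dmsetup table` layout are the real ones; the sample output is constructed and abridged, and the device names are assumptions. An internal journal is an ordinary inode inside the filesystem, so it is encrypted with everything else; an external journal (the "exotic flag", `mke2fs -J device=...` against a device made with `-O journal_dev`) lives on another block device and is only as protected as that device is.

```shell
#!/bin/sh
# Added example, not from the thread: where does the ext4 journal live?

# journal_kind <file holding `tune2fs -l` output>: prints none|internal|external.
# tune2fs prints "Journal inode:" for an internal journal and
# "Journal UUID:" / "Journal device:" for an external one.
journal_kind() {
    if ! grep -q '^Filesystem features:.*has_journal' "$1"; then
        echo none
    elif grep -q '^Journal inode:' "$1"; then
        echo internal
    elif grep -q '^Journal UUID:' "$1"; then
        echo external
    else
        echo unknown
    fi
}

# journal_check <device>: the same check on a real filesystem (needs root),
# e.g. journal_check /dev/mapper/encVol
journal_check() {
    tmp=$(mktemp) || return 1
    tune2fs -l "$1" > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    journal_kind "$tmp"
    rm -f "$tmp"
}

# is_dmcrypt <mapping name or /dev/mapper path>: 0 if the device-mapper
# target type (third field of `dmsetup table`) is "crypt". Checking the
# target type is more reliable than trusting the mapping's name.
is_dmcrypt() {
    dmsetup table "$1" 2>/dev/null | awk '{ print $3 }' | grep -qx crypt
}

# Constructed sample output (abridged, not captured from a real machine)
# for a filesystem with the default internal journal.
sample_internal() {
    printf '%s\n' \
        'Filesystem volume name:   root' \
        'Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent flex_bg sparse_super large_file huge_file dir_nlink extra_isize' \
        'Journal inode:            8' \
        'Journal backup:           inode blocks'
}

# Constructed sample for a filesystem whose journal sits on another device.
sample_external() {
    printf '%s\n' \
        'Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent' \
        'Journal UUID:             7c7b2d6e-3e0a-4f40-9a1c-2f8e1b9d4c55' \
        'Journal device:           0x0811'
}
```

On a live system the two checks together answer the original question: `is_dmcrypt encVol && [ "$(journal_check /dev/mapper/encVol)" = internal ]` means the journal is written through the crypt target and never reaches the disk in the clear.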


Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-03 Thread Roland Häder
 You forgot the link to [1].
Already mailed but here again:
http://wiki.gentoo.org/wiki/DM-Crypt

 Never used loop-aes myself. Sorry if I miss the reason for your
 confusion because of it.
http://loop-aes.sourceforge.net

There is the source code. It needs a patched util-linux(-ng) package to get 
working. Also you should not use (crypt-)loop because it conflicts with it (see 
README inside the tar ball). It also provides a really simple swap encryption:

- /etc/fstab -
/dev/blaX   none   swap   sw,loop=/dev/loop0,encryption=AES256,itercountk=100   0   0

This will make sure that every time you boot up your system a new encryption is 
set up with an iteration of 100 (still performant enough for most things).

 Opening a dmcrypt volume creates a mapped block device in /dev/mapper.
 You treat it like a partition and format it with ext4. Unless you use
 some exotic flags for mke2fs, the journal will be put on the same block
 device and is encrypted along with the rest of it.
 
 So: No need to worry about it.
Thank you for the explanation. Maybe it should be added to the wiki?

 
 Hope this helps,
 Florian Philipp
Sure it does. :)

Roland



Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-03 Thread Florian Philipp
Am 03.09.2012 22:36, schrieb Roland Häder:
 Opps, here is the missing link: http://wiki.gentoo.org/wiki/DM-Crypt
 
 (I don't think it is a good idea to store the keyFile somewhere
 plain, [2] tells that there is support for crypt-gnupg, but it
 doesn't show any help how to setup it.
 
 [2]: http://wiki.gentoo.org/wiki/Dracut
 

No comment on dracut as I have no experience with it.

However, as I see it, you need no key file if you just use a pass
phrase. In my opinion, a key file is only necessary for two improvements:

1. Two-factor authentication (read: encrypted key file)

2. Avoiding re-typing the pass phrase for multiple dmcrypt partitions

You can easily achieve the second point by putting an unencrypted key
file on the first partition which you encrypt with a pass phrase. You
don't even need dracut for this, /etc/conf.d/dmcrypt lets you configure
it easily (as long as it doesn't affect /usr).

However, I personally find it easier to put LVM on a single dmcrypt
volume and be done with this. All you need for this to work are two lines in
/etc/rc.conf:
rc_dmcrypt_before="lvm"
rc_dmcrypt_after="udev"

Regards,
Florian Philipp



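
Florian's two uses for a key file map directly onto /etc/conf.d/dmcrypt, the file the OpenRC dmcrypt service reads. What follows is an added example of that file (mine, not Florian's or Roland's configuration) for the layout discussed in this thread plus an assumed /dev/sda4 for /home; /dev/sda3 (root) is opened by the initramfs and therefore does not appear here. The `swap=`, `target=`, `source=`, `key=`, `remdev=` keys and the `:gpg` suffix are the ones the Gentoo dmcrypt script understands; all device names and key paths are assumptions.

```shell
# Added example (not from the thread): /etc/conf.d/dmcrypt

## Swap first, with a throw-away random key: the dmcrypt script runs
## mkswap on it at every boot, so nothing written to swap survives a
## reboot and no key material can leak into unencrypted swap later on.
swap=crypt-swap
source='/dev/sda2'

## /home unlocked with a plain key file that lives on the already-decrypted
## root filesystem: Florian's second improvement (one passphrase at boot,
## several volumes). Keep the file mode 0400 and owned by root.
target=crypt-home
source='/dev/sda4'
key='/etc/keys/home.key'

## Alternative for two-factor unlocking: the same key, gpg-encrypted, on a
## USB stick. The script mounts remdev only long enough to read the key,
## and the ':gpg' suffix makes it pipe the file through gpg, prompting for
## the gpg passphrase. Uncomment this and drop the block above to use it.
#target=crypt-home
#source='/dev/sda4'
#key='/home.key:gpg'
#remdev='/dev/sdb1'
```

With LVM on top of a single LUKS volume instead, this file only needs the swap entry, and the ordering Florian gives in /etc/rc.conf (dmcrypt before lvm, after udev) makes sure the container is open before the volume group is scanned.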


Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-03 Thread Roland Häder

 No comment on dracut as I have no experience with it.
Okay, so I have to try it out myself. When I find something out, I will expand the 
wiki with it.

 
 However, as I see it, you need no key file if you just use a pass
 phrase. In my opinion, a key file is only necessary for two improvements:
Entering just a pass phrase means that this pass phrase will be used to decrypt 
the device; if you decrypt a key before and then with that key decrypt all your 
volumes you have much better security because that key will then be used as 
'pass phrase', which is *way* stronger (4096+ chars + ~10-20 chars you can 
remember).

 
 1. Two-factor authentication (read: encrypted key file)
 
 2. Avoiding re-typing the pass phrase for multiple dmcrypt partitions
See above. :)

 You can easily achieve the second point by putting an unencrypted key
 file on the first partition which you encrypt with a pass phrase. You
 don't even need dracut for this, /etc/conf.d/dmcrypt lets you configure
 it easily (as long as it doesn't affect /usr).
Okay, I look into this.

 
 However, I personally find it easier to put LVM on a single dmcrypt
 volume and be done this. All you need for this to work are two lines in
 /etc/rc.conf:
 rc_dmcrypt_before="lvm"
 rc_dmcrypt_after="udev"
I'm new to LVM, does it set up key-based encryption (best is to put that key on 
a USB stick, so the attacker needs my stick)?

Regards,
  Roland



Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?

2012-09-03 Thread Roland Häder
Okay, I have made a little progress. I have generated my private key using some 
random data + gpg:

# head -c 3705 /dev/urandom | head -n 66 | tail -n 65 > key.out
# gpg --symmetric -a --s2k-count 8388608 key.out
Enter your password twice
# mv key.out.asc key.gpg
# rm -f key.out

Now I have to copy that file onto my stick and set up /etc/conf.d/dmcrypt:

# whole root system encrypted with gpg key from removeable media
target=crypt-root
source='/dev/hdaX'
key='/key:gpg'
# This is your stick
remdev='/dev/sda1'

But what next? The example at [1] is based on a key-only file (no passphrase). I 
know, later on /etc/conf.d/dmcrypt must be placed on the new root-fs, but what 
now? I still have to set it up. cryptsetup doesn't do anything with gpg. So I 
have to set up a pipeline?