Re: [gentoo-user] Encrypting everything
Dirk Heinrichs writes: Am Samstag 04 Juli 2009 14:51:54 schrieb Alex Schuster: Dirk Heinrichs writes: having said that, you can even do w/o initramfs, just put everything into /boot (which should be a separate partition, then). Again, see my reply to David for the details. Interesting. Getting rid of initramfs looks like a simpler approach, no need to fiddle with cpio in order to change things. Also with initramfs, you don't need to fiddle with cpio. The kernel build system does this for you. Right. But at my first attempts I had some problems, and investigated them by looking into /init in the initramfs. In order to understand this stuff, I need to see it :) I do not want to have to enter a password every time my machine boots, so I put the key onto a stick. And how do you protect the key on the stick? What if you loose it? It's a long sentence from The Hichhiker's Guide To The Galaxy I can find again. And meanwhile I also have a gpg-encrypted backup of the stick's partition somewhere. And simply made it the same for all partitions. And while I was at it, for maximum security, I also put /boot onto the stick. Sure, who would ever break into my house and modify my boot partition, replacing the kernel with kernel+keylogger or such... but then, I would probably also not need to encrypt my stuff at all. Encryption doesn't protect a _running_ system, because then, all needed LVs are readable. By me only. And when I leave, the screensaver kicks in and asks for a password. It only protects the system while switched of (so that an attacker can not acces your data after stealing the entire system, or after you sold your harddisk). Right. Then you did something wrong. It works out of the box. Really? I know it does for root and swap (it works here), but how do I tell the system to also luskOpen all my other LVM volumes? By listing them in /etc/conf.d/dmcrypt. Oh, thanks. I overlooked this. Did not find this mentioned in any of the guides I read, and I thought it only belonged to /etc/nit.d/dm-crypt, which is for baselayout 2. But I should have found it being used while editing /lib/rcscripts/addons/dm-crypt-start.sh. I think I will try that, then. With a little modification, I will try to add a after dm_crypt_execute_${SVCNAME}, so all LVMs will be opened in parallel. Otherwise it takes a second for each LVM, and I have 12 of them. Wonko
Re: [gentoo-user] Encrypting everything
Am Sonntag 05 Juli 2009 16:28:22 schrieb Alex Schuster: Dirk Heinrichs writes: And how do you protect the key on the stick? What if you loose it? It's a long sentence from The Hichhiker's Guide To The Galaxy I can find again. And meanwhile I also have a gpg-encrypted backup of the stick's partition somewhere. I'm a bit confused now. So that means the key is protected by some passphrase? That would mean you need a key to get at the key, right? Bye... Dirk signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Encrypting everything
Dirk Heinrichs writes: Am Sonntag 05 Juli 2009 16:28:22 schrieb Alex Schuster: Dirk Heinrichs writes: And how do you protect the key on the stick? What if you loose it? It's a long sentence from The Hichhiker's Guide To The Galaxy I can find again. And meanwhile I also have a gpg-encrypted backup of the stick's partition somewhere. I'm a bit confused now. So that means the key is protected by some passphrase? That would mean you need a key to get at the key, right? Right :) I didn't want my LUKS key to be in clear-text, even if it's in a binary file on some server which probably no one will ever see and identify as a boot partition. I have my GPG secret key in different locations, not only on the encrypted PC we are talking about. I only did backup the boot partition because I use the XTS cipher and did not have a live cd which knew about it. But now the new GRML 2009.05 supports it. Wonko
Re: [gentoo-user] Encrypting everything
Am Sonntag 05 Juli 2009 19:53:20 schrieb Alex Schuster: Right :) I didn't want my LUKS key to be in clear-text The LUKS key isn't stored as cleartext, it's encrypted. even if it's in a binary file on some server which probably no one will ever see and identify as a boot partition. I have my GPG secret key in different locations, not only on the encrypted PC we are talking about. With LUKS, there is no need for GPG. I always wonder why people do that GPG stuff when using LUKS. Bye... Dirk signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Encrypting everything
Dirk Heinrichs writes: Am Sonntag 05 Juli 2009 19:53:20 schrieb Alex Schuster: Right :) I didn't want my LUKS key to be in clear-text The LUKS key isn't stored as cleartext, it's encrypted. Um, I mean the passphrase I specify with --key-file to cryptsetup. Or which would be asked at the prompt if I would not give it. even if it's in a binary file on some server which probably no one will ever see and identify as a boot partition. I have my GPG secret key in different locations, not only on the encrypted PC we are talking about. With LUKS, there is no need for GPG. I always wonder why people do that GPG stuff when using LUKS. No, my LUKS setup does not make use of GPG. But the backup of my boot partition, residing on a server somewhere, is encrypted with GPG. Wonko
Re: [gentoo-user] Encrypting everything
Am Sonntag 05 Juli 2009 20:26:23 schrieb Alex Schuster: The LUKS key isn't stored as cleartext, it's encrypted. Um, I mean the passphrase I specify with --key-file to cryptsetup. Or which would be asked at the prompt if I would not give it. OK, now I get it. But those are two different beasts. The keyfile is usually one that consists of random data (created by reading from /dev/urandom). If you don't protect that by some means, you don't gain any security. The one you're asked for at the prompt is more like a password/-phrase. So here's what I do, as an example: I've got a small unencrypted /boot which holds the kernel and enough Linux to open the LUKS encrypted root LV. So I'm prompted for the passphrase to unlock it. Once unlocked and mounted, I get access to the random data keyfile stored in /etc which is used to unlock all other LVs automatically. Bye... Dirk signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Encrypting everything
Dirk Heinrichs writes: Am Mittwoch 01 Juli 2009 12:40:20 schrieb Alex Schuster: The last two PCs (A and B) I installed are fully encrypted. I used different methods. I used genkernel --luks --lvm --install all to create kernel and initramfs. First, see one of my replies to David Shen's thread Self created initramfs cannot work from last saturday. It has my init(ram)fs creation scripts attached. Thanks, I will have a look. Although I'd like to use Gentoo's tool for that purpose, genkernel, which I used for the first time now. And it worked fine, except that it did not know I how to activate the other partitons (/usr, /var and many more) besides root and swap. I like to have everything as kernel modules, but the crypto stuff has to be directly in the kernel, unless I put these modules into the initramfs by hand. It doesn't make much sense to compile things as module which are needed right after (or even for) booting. The reason distributions do this is to give the most possible flexibility and useability on as much different systems as possible. I know. I did it anyway, just out of curiosity if this would work, and which things could in principle be modules. No problem with building this stuff directly into the kernel. having said that, you can even do w/o initramfs, just put everything into /boot (which should be a separate partition, then). Again, see my reply to David for the details. Interesting. Getting rid of initramfs looks like a simpler approach, no need to fiddle with cpio in order to change things. A: LVM - LUKS Many partitions make two volume groups with many LVMs. Each LVM is LUKS- encrypted. This gives me maximum flexibility, who knows what other OSes I might need to install on that drive. The boot partition is on a USB stick and also holds the key. Why? LUKS means Linux Unified Key Storage. No need to store the key elsewhere. Put a password based key on the root LV and encrypt everything else with a random key you put somewhere into /etc (I use /etc/crypt/keyfile). I do not want to have to enter a password every time my machine boots, so I put the key onto a stick. And simply made it the same for all partitions. And while I was at it, for maximum security, I also put /boot onto the stick. Sure, who would ever break into my house and modify my boot partition, replacing the kernel with kernel+keylogger or such... but then, I would probably also not need to encrypt my stuff at all. This did not work out of the box, I had to modify /lib/rcscripts/addons/dm-crypt-start.sh in order to open the other partitions than swap and root. Then you did something wrong. It works out of the box. Really? I know it does for root and swap (it works here), but how do I tell the system to also luskOpen all my other LVM volumes? B: LUKS - LVM A simpler approach. sda1 is a small boot partition, sda2 (the rest of the drive) is a LUKS-formatted LVM physical volume with volume group 'pvcrypt' on it. This does not work yet, the initramfs does not find the LVM. Because in Gentoo, only A is implemented/supported. Oh. I thought this would be even easier than approach A. And looking at the /init code it seems to me it should just work. There's a call to startVolumes after the root partition is unlocked by cryptsetup, which I think should activate the LVM, but it does nothing, it does not even find regular physical LVM volumes that are not on top of a crypt setup. I'll have a look at my .config again. This may take a while, I only have remote access to that PC at the moment. HTH... A little :) Thanks, Wonko
Re: [gentoo-user] Encrypting everything
Am Samstag 04 Juli 2009 14:51:54 schrieb Alex Schuster: Dirk Heinrichs writes: having said that, you can even do w/o initramfs, just put everything into /boot (which should be a separate partition, then). Again, see my reply to David for the details. Interesting. Getting rid of initramfs looks like a simpler approach, no need to fiddle with cpio in order to change things. Also with initramfs, you don't need to fiddle with cpio. The kernel build system does this for you. I do not want to have to enter a password every time my machine boots, so I put the key onto a stick. And how do you protect the key on the stick? What if you loose it? And simply made it the same for all partitions. And while I was at it, for maximum security, I also put /boot onto the stick. Sure, who would ever break into my house and modify my boot partition, replacing the kernel with kernel+keylogger or such... but then, I would probably also not need to encrypt my stuff at all. Encryption doesn't protect a _running_ system, because then, all needed LVs are readable. It only protects the system while switched of (so that an attacker can not acces your data after stealing the entire system, or after you sold your harddisk). Then you did something wrong. It works out of the box. Really? I know it does for root and swap (it works here), but how do I tell the system to also luskOpen all my other LVM volumes? By listing them in /etc/conf.d/dmcrypt. signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Encrypting everything
Am Mittwoch 01 Juli 2009 12:40:20 schrieb Alex Schuster: The last two PCs (A and B) I installed are fully encrypted. I used different methods. I used genkernel --luks --lvm --install all to create kernel and initramfs. First, see one of my replies to David Shen's thread Self created initramfs cannot work from last saturday. It has my init(ram)fs creation scripts attached. I like to have everything as kernel modules, but the crypto stuff has to be directly in the kernel, unless I put these modules into the initramfs by hand. It doesn't make much sense to compile things as module which are needed right after (or even for) booting. The reason distributions do this is to give the most possible flexibility and useability on as much different systems as possible. having said that, you can even do w/o initramfs, just put everything into /boot (which should be a separate partition, then). Again, see my reply to David for the details. A: LVM - LUKS Many partitions make two volume groups with many LVMs. Each LVM is LUKS- encrypted. This gives me maximum flexibility, who knows what other OSes I might need to install on that drive. The boot partition is on a USB stick and also holds the key. Why? LUKS means Linux Unified Key Storage. No need to store the key elsewhere. Put a password based key on the root LV and encrypt everything else with a random key you put somewhere into /etc (I use /etc/crypt/keyfile). This did not work out of the box, I had to modify /lib/rcscripts/addons/dm-crypt-start.sh in order to open the other partitions than swap and root. Then you did something wrong. It works out of the box. I need to add something to close them when shutting down, but it seems to work fine without this for the moment. Do you know if there already is a solution for this? Well, it works fine here, so yes, there is. B: LUKS - LVM A simpler approach. sda1 is a small boot partition, sda2 (the rest of the drive) is a LUKS-formatted LVM physical volume with volume group 'pvcrypt' on it. This does not work yet, the initramfs does not find the LVM. Because in Gentoo, only A is implemented/supported. HTH... Dirk signature.asc Description: This is a digitally signed message part.
Re: [gentoo-user] Encrypting everything
I wrote: B: LUKS - LVM A simpler approach. sda1 is a small boot partition, sda2 (the rest of the drive) is a LUKS-formatted LVM physical volume with volume group 'pvcrypt' on it. This does not work yet, the initramfs does not find the LVM. I looked into the init script. I wants to do a cryptsetup luksOpen $LUKS_DEVICE $LUKS_NAME with $LUKS_NAME=root, which is not the name I use. But changing this does not help anyway. I get /dev/mapper/pvcrypt created, but pvscan does not find it. At this point I thought I'd ask here, do you have ideas what's wrong? BTW, I have another drive in the PC, with LVMs on it. pvscan / vgscan does not find them either. So it's probably not a problem with the encryption itself. But why does this work on my other system? I don't get it. Wonko