* [gentoo-user] Encrypting everything
From: Alex Schuster @ 2009-07-01 10:40 UTC
To: gentoo-user
Hi there!
The last two PCs (A and B) I installed are fully encrypted. I used
different methods. I used genkernel --luks --lvm --install all to create
kernel and initramfs. I like to have everything as kernel modules, but the
crypto stuff has to be directly in the kernel, unless I put these modules
into the initramfs by hand.
A: LVM -> LUKS
Many partitions make two volume groups with many LVMs. Each LVM is LUKS-
encrypted. This gives me maximum flexibility, who knows what other OSes I
might need to install on that drive. The boot partition is on a USB stick
and also holds the key.
This did not work out of the box, I had to modify
/lib/rcscripts/addons/dm-crypt-start.sh in order to open the partitions
other than swap and root. I need to add something to close them when
shutting down, but it seems to work fine without this for the moment. Do
you know if there already is a solution for this?
B: LUKS -> LVM
A simpler approach. sda1 is a small boot partition, sda2 (the rest of the
drive) is a LUKS-formatted LVM physical volume with volume group 'pvcrypt'
on it. This does not work yet, the initramfs does not find the LVM.
I looked into the init script. It wants to do a cryptsetup luksOpen
$LUKS_DEVICE $LUKS_NAME with $LUKS_NAME=root, which is not the name I use.
But changing this does not help anyway. I get /dev/mapper/pvcrypt created,
but pvscan does not find it. At this point I thought I'd ask here, do you
have ideas what's wrong?
Using a live CD I can easily access my data:
cryptsetup luksOpen /dev/sda2 pvcrypt
pvscan
vgchange -a y
mount /dev/vgcrypt/root /gentoo
Wonko
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [gentoo-user] Encrypting everything
From: Alex Schuster @ 2009-07-02 0:24 UTC
To: gentoo-user
I wrote:
> B: LUKS -> LVM
> A simpler approach. sda1 is a small boot partition, sda2 (the rest of the
> drive) is a LUKS-formatted LVM physical volume with volume group
> 'pvcrypt' on it. This does not work yet, the initramfs does not find the
> LVM.
>
> I looked into the init script. It wants to do a cryptsetup luksOpen
> $LUKS_DEVICE $LUKS_NAME with $LUKS_NAME=root, which is not the name I
> use. But changing this does not help anyway. I get /dev/mapper/pvcrypt
> created, but pvscan does not find it. At this point I thought I'd ask
> here, do you have ideas what's wrong?
BTW, I have another drive in the PC, with LVMs on it. pvscan / vgscan do
not find them either. So it's probably not a problem with the encryption
itself.
But why does this work on my other system? I don't get it.
Wonko
* Re: [gentoo-user] Encrypting everything
From: Dirk Heinrichs @ 2009-07-02 17:04 UTC
To: gentoo-user
On Wednesday 01 July 2009 12:40:20, Alex Schuster wrote:
> The last two PCs (A and B) I installed are fully encrypted. I used
> different methods. I used genkernel --luks --lvm --install all to create
> kernel and initramfs.
First, see one of my replies to David Shen's thread "Self created initramfs
cannot work" from last Saturday. It has my init(ram)fs creation scripts
attached.
> I like to have everything as kernel modules, but the
> crypto stuff has to be directly in the kernel, unless I put these modules
> into the initramfs by hand.
It doesn't make much sense to compile things as modules which are needed right
after (or even for) booting. The reason distributions do this is to give the
most possible flexibility and usability on as many different systems as
possible. Having said that, you can even do w/o initramfs, just put everything
into /boot (which should be a separate partition, then). Again, see my reply
to David for the details.
> A: LVM -> LUKS
> Many partitions make two volume groups with many LVMs. Each LVM is LUKS-
> encrypted. This gives me maximum flexibility, who knows what other OSes I
> might need to install on that drive. The boot partition is on a USB stick
> and also holds the key.
Why? LUKS means Linux Unified Key Storage. No need to store the key elsewhere.
Put a password based key on the root LV and encrypt everything else with a
random key you put somewhere into /etc (I use /etc/crypt/keyfile).
> This did not work out of the box, I had to modify
> /lib/rcscripts/addons/dm-crypt-start.sh in order to open the other
> partitions than swap and root.
Then you did something wrong. It works out of the box.
> I need to add something to close them when
> shutting down, but it seems to work fine without this for the moment. Do
> you know if there already is a solution for this?
Well, it works fine here, so yes, there is.
> B: LUKS -> LVM
> A simpler approach. sda1 is a small boot partition, sda2 (the rest of the
> drive) is a LUKS-formatted LVM physical volume with volume group 'pvcrypt'
> on it. This does not work yet, the initramfs does not find the LVM.
Because in Gentoo, only A is implemented/supported.
HTH...
Dirk
* Re: [gentoo-user] Encrypting everything
From: Alex Schuster @ 2009-07-04 12:51 UTC
To: gentoo-user
Dirk Heinrichs writes:
> On Wednesday 01 July 2009 12:40:20, Alex Schuster wrote:
> > The last two PCs (A and B) I installed are fully encrypted. I used
> > different methods. I used genkernel --luks --lvm --install all to
> > create kernel and initramfs.
>
> First, see one of my replies to David Shen's thread "Self created
> initramfs cannot work" from last saturday. It has my init(ram)fs
> creation scripts attached.
Thanks, I will have a look. Although I'd like to use Gentoo's tool for
that purpose, genkernel, which I used for the first time now. And it
worked fine, except that it did not know how to activate the other
partitions (/usr, /var and many more) besides root and swap.
> > I like to have everything as kernel modules, but the
> > crypto stuff has to be directly in the kernel, unless I put these
> > modules into the initramfs by hand.
>
> It doesn't make much sense to compile things as modules which are needed
> right after (or even for) booting. The reason distributions do this is
> to give the most possible flexibility and usability on as many
> different systems as possible.
I know. I did it anyway, just out of curiosity if this would work, and
which things could in principle be modules. No problem with building this
stuff directly into the kernel.
> Having said that, you can even do w/o
> initramfs, just put everything into /boot (which should be a separate
> partition, then). Again, see my reply to David for the details.
Interesting. Getting rid of initramfs looks like a simpler approach, no
need to fiddle with cpio in order to change things.
> > A: LVM -> LUKS
> > Many partitions make two volume groups with many LVMs. Each LVM is
> > LUKS-encrypted. This gives me maximum flexibility, who knows what
> > other OSes I might need to install on that drive. The boot partition
> > is on a USB stick and also holds the key.
>
> Why? LUKS means Linux Unified Key Storage. No need to store the key
> elsewhere. Put a password based key on the root LV and encrypt
> everything else with a random key you put somewhere into /etc (I use
> /etc/crypt/keyfile).
I do not want to have to enter a password every time my machine boots, so
I put the key onto a stick. And simply made it the same for all
partitions. And while I was at it, for maximum security, I also put /boot
onto the stick. Sure, who would ever break into my house and modify my
boot partition, replacing the kernel with kernel+keylogger or such... but
then, I would probably also not need to encrypt my stuff at all.
> > This did not work out of the box, I had to modify
> > /lib/rcscripts/addons/dm-crypt-start.sh in order to open the other
> > partitions than swap and root.
>
> Then you did something wrong. It works out of the box.
Really? I know it does for root and swap (it works here), but how do I
tell the system to also luksOpen all my other LVM volumes?
> > B: LUKS -> LVM
> > A simpler approach. sda1 is a small boot partition, sda2 (the rest of
> > the drive) is a LUKS-formatted LVM physical volume with volume group
> > 'pvcrypt' on it. This does not work yet, the initramfs does not find
> > the LVM.
>
> Because in Gentoo, only A is implemented/supported.
Oh. I thought this would be even easier than approach A. And looking at
the /init code it seems to me it should just work. There's a call to
startVolumes after the root partition is unlocked by cryptsetup, which I
think should activate the LVM, but it does nothing, it does not even find
regular physical LVM volumes that are not on top of a crypt setup.
I'll have a look at my .config again. This may take a while, I only have
remote access to that PC at the moment.
> HTH...
A little :)
Thanks,
Wonko
* Re: [gentoo-user] Encrypting everything
From: Dirk Heinrichs @ 2009-07-04 15:11 UTC
To: gentoo-user
On Saturday 04 July 2009 14:51:54, Alex Schuster wrote:
> Dirk Heinrichs writes:
> >
> > having said that, you can even do w/o
> > initramfs, just put everything into /boot (which should be a separate
> > partition, then). Again, see my reply to David for the details.
>
> Interesting. Getting rid of initramfs looks like a simpler approach, no
> need to fiddle with cpio in order to change things.
Also with initramfs, you don't need to fiddle with cpio. The kernel build
system does this for you.
> I do not want to have to enter a password every time my machine boots, so
> I put the key onto a stick.
And how do you protect the key on the stick? What if you lose it?
> And simply made it the same for all
> partitions. And while I was at it, for maximum security, I also put /boot
> onto the stick. Sure, who would ever break into my house and modify my
> boot partition, replacing the kernel with kernel+keylogger or such... but
> then, I would probably also not need to encrypt my stuff at all.
Encryption doesn't protect a _running_ system, because then, all needed LVs
are readable. It only protects the system while switched off (so that an
attacker cannot access your data after stealing the entire system, or after
you sold your harddisk).
> > Then you did something wrong. It works out of the box.
>
> Really? I know it does for root and swap (it works here), but how do I
> tell the system to also luksOpen all my other LVM volumes?
By listing them in /etc/conf.d/dmcrypt.
* Re: [gentoo-user] Encrypting everything
From: Alex Schuster @ 2009-07-05 14:28 UTC
To: gentoo-user
Dirk Heinrichs writes:
> On Saturday 04 July 2009 14:51:54, Alex Schuster wrote:
> > Dirk Heinrichs writes:
> > > having said that, you can even do w/o
> > > initramfs, just put everything into /boot (which should be a separate
> > > partition, then). Again, see my reply to David for the details.
> >
> > Interesting. Getting rid of initramfs looks like a simpler approach, no
> > need to fiddle with cpio in order to change things.
>
> Also with initramfs, you don't need to fiddle with cpio. The kernel build
> system does this for you.
Right. But at my first attempts I had some problems, and investigated them
by looking into /init in the initramfs. In order to understand this stuff, I
need to see it :)
> > I do not want to have to enter a password every time my machine boots,
> > so I put the key onto a stick.
>
> And how do you protect the key on the stick? What if you lose it?
It's a long sentence from The Hitchhiker's Guide To The Galaxy I can find
again. And meanwhile I also have a gpg-encrypted backup of the stick's
partition somewhere.
> > And simply made it the same for all
> > partitions. And while I was at it, for maximum security, I also put
> > /boot onto the stick. Sure, who would ever break into my house and
> > modify my boot partition, replacing the kernel with kernel+keylogger or
> > such... but then, I would probably also not need to encrypt my stuff at
> > all.
>
> Encryption doesn't protect a _running_ system, because then, all needed
> LVs are readable.
By me only. And when I leave, the screensaver kicks in and asks for a
password.
> It only protects the system while switched off (so that
> an attacker cannot access your data after stealing the entire system, or
> after you sold your harddisk).
Right.
> > > Then you did something wrong. It works out of the box.
> >
> > Really? I know it does for root and swap (it works here), but how do I
> > tell the system to also luksOpen all my other LVM volumes?
>
> By listing them in /etc/conf.d/dmcrypt.
Oh, thanks. I overlooked this. Did not find this mentioned in any of the
guides I read, and I thought it only belonged to /etc/init.d/dm-crypt, which
is for baselayout 2. But I should have found it being used while editing
/lib/rcscripts/addons/dm-crypt-start.sh.
I think I will try that, then. With a little modification, I will try to add
a & after dm_crypt_execute_${SVCNAME}, so all LVMs will be opened in
parallel. Otherwise it takes a second for each LVM, and I have 12 of them.
Wonko
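The parallel opening Alex proposes, as an added example in POSIX sh that is neither from the thread nor from Gentoo's dm-crypt-start.sh: each luksOpen runs in the background, but every target's exit status is recorded, so a volume that fails to open is still reported instead of being lost behind a bare `&`. The OPENER variable, the NAME=DEVICE argument form and the device paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo's dm-crypt-start.sh:
# open several dm-crypt targets concurrently while keeping each one's
# exit status. A plain "cmd &" in an init script discards that status, so a
# volume that failed to open would go unnoticed until the mount fails.
set -u

# Open one target. Real use runs cryptsetup; OPENER is an assumption so the
# function can be exercised without root or real block devices.
open_one() {
    # $1 target name, $2 source device, $3 keyfile
    "${OPENER:-cryptsetup}" luksOpen --key-file "$3" "$2" "$1"
}

# open_parallel KEYFILE NAME=DEVICE [NAME=DEVICE ...]
# Starts every luksOpen in the background, waits for all of them and
# returns non-zero if any failed; the names of failed targets go to stderr.
open_parallel() {
    kf=$1; shift
    status_dir=$(mktemp -d) || return 1
    for spec in "$@"; do
        name=${spec%%=*}; dev=${spec#*=}
        # Each subshell records its own failure as a marker file, because a
        # bare "wait" without PIDs only ever returns 0.
        ( open_one "$name" "$dev" "$kf" >/dev/null 2>&1 \
            || : > "$status_dir/$name.failed" ) &
    done
    wait
    rc=0
    for f in "$status_dir"/*.failed; do
        [ -e "$f" ] || break           # glob matched nothing: all succeeded
        n=${f##*/}; n=${n%.failed}
        echo "failed to open $n" >&2
        rc=1
    done
    rm -rf "$status_dir"
    return $rc
}

# Usage (needs root, cryptsetup and the devices; constructed names):
#   open_parallel /etc/crypt/keyfile crypt-home=/dev/vg0/home crypt-var=/dev/vg0/var \
#       || echo "some volumes did not open" >&2
```

Each background luksOpen still runs the LUKS key derivation on its own, so the saving is wall-clock time on a multi-core box; the marker files are what make the combined result usable as a single exit status for whatever script calls this.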
* Re: [gentoo-user] Encrypting everything
From: Dirk Heinrichs @ 2009-07-05 14:48 UTC
To: gentoo-user
On Sunday 05 July 2009 16:28:22, Alex Schuster wrote:
> Dirk Heinrichs writes:
> >
> > And how do you protect the key on the stick? What if you lose it?
>
> It's a long sentence from The Hitchhiker's Guide To The Galaxy I can find
> again. And meanwhile I also have a gpg-encrypted backup of the stick's
> partition somewhere.
I'm a bit confused now. So that means the key is protected by some passphrase?
That would mean you need a key to get at the key, right?
Bye...
Dirk
* Re: [gentoo-user] Encrypting everything
From: Alex Schuster @ 2009-07-05 17:53 UTC
To: gentoo-user
Dirk Heinrichs writes:
> On Sunday 05 July 2009 16:28:22, Alex Schuster wrote:
> > Dirk Heinrichs writes:
> > > And how do you protect the key on the stick? What if you lose it?
> >
> > It's a long sentence from The Hitchhiker's Guide To The Galaxy I can
> > find again. And meanwhile I also have a gpg-encrypted backup of the
> > stick's partition somewhere.
>
> I'm a bit confused now. So that means the key is protected by some
> passphrase? That would mean you need a key to get at the key, right?
Right :) I didn't want my LUKS key to be in clear-text, even if it's in a
binary file on some server which probably no one will ever see and identify
as a boot partition. I have my GPG secret key in different locations, not
only on the encrypted PC we are talking about.
I only did backup the boot partition because I use the XTS cipher and did
not have a live CD which knew about it. But now the new GRML 2009.05
supports it.
Wonko
* Re: [gentoo-user] Encrypting everything
From: Dirk Heinrichs @ 2009-07-05 18:09 UTC
To: gentoo-user
On Sunday 05 July 2009 19:53:20, Alex Schuster wrote:
> Right :) I didn't want my LUKS key to be in clear-text
The LUKS key isn't stored as cleartext, it's encrypted.
> even if it's in a
> binary file on some server which probably no one will ever see and identify
> as a boot partition. I have my GPG secret key in different locations, not
> only on the encrypted PC we are talking about.
With LUKS, there is no need for GPG. I always wonder why people do that GPG
stuff when using LUKS.
Bye...
Dirk
* Re: [gentoo-user] Encrypting everything
From: Alex Schuster @ 2009-07-05 18:26 UTC
To: gentoo-user
Dirk Heinrichs writes:
> On Sunday 05 July 2009 19:53:20, Alex Schuster wrote:
> > Right :) I didn't want my LUKS key to be in clear-text
>
> The LUKS key isn't stored as cleartext, it's encrypted.
Um, I mean the passphrase I specify with --key-file to cryptsetup. Or which
would be asked at the prompt if I would not give it.
> > even if it's in a
> > binary file on some server which probably no one will ever see and
> > identify as a boot partition. I have my GPG secret key in different
> > locations, not only on the encrypted PC we are talking about.
>
> With LUKS, there is no need for GPG. I always wonder why people do that
> GPG stuff when using LUKS.
No, my LUKS setup does not make use of GPG. But the backup of my boot
partition, residing on a server somewhere, is encrypted with GPG.
Wonko
* Re: [gentoo-user] Encrypting everything
From: Dirk Heinrichs @ 2009-07-05 18:36 UTC
To: gentoo-user
On Sunday 05 July 2009 20:26:23, Alex Schuster wrote:
> > The LUKS key isn't stored as cleartext, it's encrypted.
>
> Um, I mean the passphrase I specify with --key-file to cryptsetup. Or which
> would be asked at the prompt if I would not give it.
OK, now I get it. But those are two different beasts. The keyfile is usually one
that consists of random data (created by reading from /dev/urandom). If you
don't protect that by some means, you don't gain any security.
The one you're asked for at the prompt is more like a password/passphrase.
So here's what I do, as an example:
I've got a small unencrypted /boot which holds the kernel and enough Linux to
open the LUKS encrypted root LV. So I'm prompted for the passphrase to unlock
it. Once unlocked and mounted, I get access to the random data keyfile stored
in /etc which is used to unlock all other LVs automatically.
Bye...
Dirk
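Dirk's layout (a passphrase for the root LV, a random keyfile in /etc for everything else, each extra volume listed in /etc/conf.d/dmcrypt), written out as an added example script; it is not code from the thread or from Gentoo. /etc/crypt/keyfile is the path Dirk names; the volume group and target names and the 4096-byte key size are assumptions. The target, source and key settings are the ones the commented examples in /etc/conf.d/dmcrypt itself use.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo's own scripts): set up
# the layout Dirk describes. Root LV unlocked by passphrase from the
# initramfs; every other LV unlocked from a random keyfile kept on the
# (already decrypted) root filesystem and listed in /etc/conf.d/dmcrypt.
# /etc/crypt/keyfile is the path Dirk names; the other paths are assumptions.
set -eu

KEYFILE=${KEYFILE:-/etc/crypt/keyfile}
DMCRYPT_CONF=${DMCRYPT_CONF:-/etc/conf.d/dmcrypt}

# Create a 4096-byte random keyfile readable by root only. Because it lives
# on the encrypted root LV it is only reachable once root has been unlocked
# with the passphrase, which is what makes an unprotected keyfile acceptable.
make_keyfile() {
    kf=$1
    [ -e "$kf" ] && { echo "refusing to overwrite $kf" >&2; return 1; }
    mkdir -p "$(dirname "$kf")"
    ( umask 077; dd if=/dev/urandom of="$kf" bs=512 count=8 2>/dev/null )
    chmod 400 "$kf"
}

# True when the keyfile is a regular file of 4096 bytes with mode 0400.
keyfile_ok() {
    kf=$1
    [ -f "$kf" ] || return 1
    [ "$(wc -c < "$kf")" -eq 4096 ] || return 1
    [ "$(ls -ld "$kf" | cut -c1-10)" = "-r--------" ]
}

# Enrol the keyfile into a free LUKS key slot of a volume. cryptsetup asks
# for an existing passphrase first, so the volume stays openable both ways.
enroll_keyfile() {
    dev=$1; kf=$2
    cryptsetup luksAddKey "$dev" "$kf"
}

# Emit the /etc/conf.d/dmcrypt stanza that makes the dm-crypt init script
# open this volume at boot from the keyfile instead of prompting.
dmcrypt_stanza() {
    target=$1; src=$2; kf=$3
    printf '\ntarget=%s\nsource=%s\nkey=%s\n' "$target" "$src" "$kf"
}

# Usage (needs root and cryptsetup; not run by the self-test; vg0 and the
# LV names are constructed):
#   make_keyfile "$KEYFILE"
#   for lv in home var; do
#       enroll_keyfile "/dev/vg0/$lv" "$KEYFILE"
#       dmcrypt_stanza "crypt-$lv" "/dev/vg0/$lv" "$KEYFILE" >> "$DMCRYPT_CONF"
#   done
```

The root LV keeps its passphrase slot and the other LVs get the keyfile as an additional slot, so the only secret a user ever types is the root passphrase; backing up the keyfile elsewhere in the clear would undo that, which is the point Dirk makes about unprotected keyfiles.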