[gentoo-user] Full disk encryption (41+ messages in thread)

From: czernitko
Date: 2011-11-30 15:19 UTC
To: gentoo-user
Subject: [gentoo-user] Full disk encryption

Hello!

I would like to set up an encrypted partition for my /home directories on Gentoo Hardened. Which approach do you recommend?

Thanks,
Peter
From: Neil Bothwick
Date: 2011-11-30 15:27 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Full disk encryption

On Wed, 30 Nov 2011 16:19:18 +0100, czernitko wrote:

> I would like to set up an encrypted partition for my /home directories
> on Gentoo Hardened. Which approach do you recommend?

Do you want a single encrypted filesystem, or separately encrypted home directories for each user? For the former, emerge cryptsetup, use it to create the encrypted block device and set it up in /etc/conf.d/dmcrypt.

For individually encrypted home directories, using ecryptfs on top of a standard filesystem, as used by Ubuntu, is probably the best way.

-- 
Neil Bothwick

"You want us to do WHAT?" - Ancient Chinese wall engineer.
From: czernitko
Date: 2011-11-30 15:40 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Full disk encryption

Hello, thanks for your response, Neil!

As for dmcrypt usage, what do you think about truecrypt or pgp whole disk encryption as alternatives to dmcrypt?

I would like to have only one partition with all home directories on it, and I would like to avoid usage of initrd as I don't use it now and I would like to keep it that way if possible.

Peter

2011/11/30 Neil Bothwick <neil@digimed.co.uk>

> On Wed, 30 Nov 2011 16:19:18 +0100, czernitko wrote:
>
> > I would like to set up an encrypted partition for my /home directories
> > on Gentoo Hardened. Which approach do you recommend?
>
> Do you want a single encrypted filesystem, or separately encrypted home
> directories for each user? For the former, emerge cryptsetup, use it to
> create the encrypted block device and set it up in /etc/conf.d/dmcrypt.
>
> For individually encrypted home directories, using ecryptfs on top of a
> standard filesystem, as used by Ubuntu, is probably the best way.
>
> --
> Neil Bothwick
>
> "You want us to do WHAT?" - Ancient Chinese wall engineer.
From: Felix Kuperjans
Date: 2011-11-30 15:48 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Full disk encryption

Hello Peter,

dmcrypt works perfectly without initrd as long as you do not encrypt the root filesystem.

So for encrypted home directories, you can just create and use a LUKS volume with dmcrypt (AFAIK the fastest and easiest-to-use way).

Regarding other techniques like gpg or truecrypt, you should keep in mind that dmcrypt works directly in kernel space, so it may be a lot faster with the same encryption strength (but I don't know of any benchmark on that).

Regards,
Felix

On 30.11.2011 16:40, czernitko wrote:
> Hello, thanks for your response, Neil!
> As for dmcrypt usage, what do you think about truecrypt or pgp whole
> disk encryption as alternatives to dmcrypt?
> I would like to have only one partition with all home directories on
> it, and I would like to avoid usage of initrd as I don't use it now
> and I would like to keep it that way if possible.
>
> Peter
>
> 2011/11/30 Neil Bothwick <neil@digimed.co.uk>
>
> > On Wed, 30 Nov 2011 16:19:18 +0100, czernitko wrote:
> >
> > > I would like to set up an encrypted partition for my /home directories
> > > on Gentoo Hardened. Which approach do you recommend?
> >
> > Do you want a single encrypted filesystem, or separately encrypted home
> > directories for each user? For the former, emerge cryptsetup, use it to
> > create the encrypted block device and set it up in /etc/conf.d/dmcrypt.
> >
> > For individually encrypted home directories, using ecryptfs on top of a
> > standard filesystem, as used by Ubuntu, is probably the best way.
> >
> > --
> > Neil Bothwick
> >
> > "You want us to do WHAT?" - Ancient Chinese wall engineer.
From: czernitko
Date: 2011-11-30 16:01 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Full disk encryption

Ok, it seems I'll stick with dmcrypt using http://en.gentoo-wiki.com/wiki/DM-Crypt. Thanks for your responses guys!

Peter

2011/11/30 Felix Kuperjans <felix@desaster-games.com>

> Hello Peter,
>
> dmcrypt works perfectly without initrd as long as you do not encrypt the
> root filesystem.
>
> So for encrypted home directories, you can just create and use a LUKS
> volume with dmcrypt (AFAIK the fastest and easiest-to-use way).
>
> Regarding other techniques like gpg or truecrypt, you should keep in mind
> that dmcrypt works directly in kernel space, so it may be a lot faster
> with the same encryption strength (but I don't know of any benchmark on
> that).
>
> Regards,
> Felix
>
> On 30.11.2011 16:40, czernitko wrote:
>
> > Hello, thanks for your response, Neil!
> > As for dmcrypt usage, what do you think about truecrypt or pgp whole disk
> > encryption as alternatives to dmcrypt?
> > I would like to have only one partition with all home directories on it,
> > and I would like to avoid usage of initrd as I don't use it now and I would
> > like to keep it that way if possible.
> >
> > Peter
> >
> > 2011/11/30 Neil Bothwick <neil@digimed.co.uk>
> >
> > > On Wed, 30 Nov 2011 16:19:18 +0100, czernitko wrote:
> > >
> > > > I would like to set up an encrypted partition for my /home directories
> > > > on Gentoo Hardened. Which approach do you recommend?
> > >
> > > Do you want a single encrypted filesystem, or separately encrypted home
> > > directories for each user? For the former, emerge cryptsetup, use it to
> > > create the encrypted block device and set it up in /etc/conf.d/dmcrypt.
> > >
> > > For individually encrypted home directories, using ecryptfs on top of a
> > > standard filesystem, as used by Ubuntu, is probably the best way.
> > >
> > > --
> > > Neil Bothwick
> > >
> > > "You want us to do WHAT?" - Ancient Chinese wall engineer.
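A worked version of the approach Neil and Felix describe above (cryptsetup creates the LUKS container, the dmcrypt OpenRC service opens it at boot, and no initramfs is needed because / stays unencrypted). This is an added example, not a script from the thread, the Gentoo wiki or the cryptsetup project; the partition /dev/sda3, the mapping name home, the explicit cipher choice, the header backup step and the LUKS_HOME_* environment variables are my assumptions, and the script refuses to touch any disk unless LUKS_HOME_DO_IT=yes is set.

```shell
#!/bin/sh
# Added example (not from the thread): set up a LUKS-encrypted /home on
# Gentoo without an initramfs.  Device path, mapping name and mount point
# are assumptions passed in or defaulted below; nothing is written unless
# LUKS_HOME_DO_IT=yes.
set -eu

# Screen the cipher spec before it reaches luksFormat.  ECB leaks block
# patterns outright and CBC with a plain (predictable) IV is open to
# watermarking; XTS or CBC with ESSIV are the sane dm-crypt choices.
check_cipher_spec() {   # $1 = cipher spec as given to --cipher
    case "$1" in
        *-ecb|*-ecb:*)               return 1 ;;
        *-cbc-plain|*-cbc-plain64)   return 1 ;;
        *-xts-plain64|*-cbc-essiv:*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Stanza for /etc/conf.d/dmcrypt: the dmcrypt service opens "source" as
# /dev/mapper/<target> at boot and asks for the passphrase on the console.
dmcrypt_stanza() {   # $1 = mapping name, $2 = container device
    printf 'target=%s\nsource=%s\n' "$1" "'$2'"
}

# fstab line for the opened mapping; localmount mounts it after dmcrypt ran.
fstab_line() {   # $1 = mapping name, $2 = mount point, $3 = filesystem type
    printf '/dev/mapper/%s\t%s\t%s\tnoatime\t0 2\n' "$1" "$2" "$3"
}

setup_home_luks() {   # $1 = raw partition, $2 = mapping name, $3 = mount point
    dev=$1; name=$2; mnt=$3
    cipher=aes-xts-plain64
    check_cipher_spec "$cipher" || { echo "refusing weak cipher $cipher" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }

    # luksFormat destroys whatever is on $dev; -y asks for the passphrase twice.
    cryptsetup luksFormat -y --cipher "$cipher" --key-size 512 --hash sha256 "$dev"
    cryptsetup luksOpen "$dev" "$name"
    mkfs.ext4 "/dev/mapper/$name"

    # A damaged LUKS header makes the data unrecoverable, so keep a copy of it
    # off this disk (the backup still needs the passphrase to be useful).
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "/root/luks-header-$name.img"
    chmod 600 "/root/luks-header-$name.img"

    # Refer to the container by its LUKS UUID rather than /dev/sdX so that a
    # renumbered disk cannot point the passphrase prompt at the wrong partition.
    uuid=$(cryptsetup luksUUID "$dev")
    dmcrypt_stanza "$name" "/dev/disk/by-uuid/$uuid" >> /etc/conf.d/dmcrypt
    fstab_line "$name" "$mnt" ext4 >> /etc/fstab
    rc-update add dmcrypt boot
    cryptsetup luksClose "$name"
}

# Only act when explicitly asked; running this file by accident must not touch disks.
if [ "${LUKS_HOME_DO_IT:-no}" = yes ]; then
    setup_home_luks "${LUKS_HOME_DEV:-/dev/sda3}" home /home
fi
```

Run it as root with LUKS_HOME_DO_IT=yes LUKS_HOME_DEV=/dev/sdXN after copying the existing /home somewhere else, then reboot (or rc-service dmcrypt start and mount /home) and move the data back. Stating the cipher explicitly is the point of check_cipher_spec: cryptsetup of that era defaulted to aes-cbc-essiv:sha256, which is acceptable, but anything in plain-IV CBC mode is not, and a typo in --cipher is otherwise accepted silently.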
From: Jack Byer
Date: 2011-11-30 18:04 UTC
To: gentoo-user
Subject: [gentoo-user] Re: Full disk encryption

czernitko wrote:

> I would like to have only one partition with all home directories on it,
> and I would like to avoid usage of initrd as I don't use it now and I
> would like to keep it that way if possible.

You don't need an initramfs but you might want to reconsider not using one at some point. I avoided them for a long time but when I wanted to do whole disk encryption I learned how to make my own (not particularly difficult) and later started using dracut which basically "just works".
From: Dale
Date: 2011-11-30 18:31 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

Jack Byer wrote:
> czernitko wrote:
>
> > I would like to have only one partition with all home directories on it,
> > and I would like to avoid usage of initrd as I don't use it now and I
> > would like to keep it that way if possible.
>
> You don't need an initramfs but you might want to reconsider not using one
> at some point. I avoided them for a long time but when I wanted to do whole
> disk encryption I learned how to make my own (not particularly difficult) and
> later started using dracut which basically "just works".

Did you use a howto for Dracut? If so, have a link you could post? I tried making a init thingy and after about 20 failed reboots, I scrapped the idea. I was trying to follow the howto on the Gentoo wiki I think. The unofficial wiki.

Thanks.

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
From: Neil Bothwick
Date: 2011-11-30 18:44 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

On Wed, 30 Nov 2011 12:31:00 -0600, Dale wrote:

> Did you use a howto for Dracut? If so, have a link you could post? I
> tried making a init thingy and after about 20 failed reboots, I scrapped
> the idea. I was trying to follow the howto on the Gentoo wiki I
> think.

That worked for me (dracut didn't). If it fails, make sure you have set it to drop you into a rescue shell as described on the wiki. Adding a few echo and ls commands to the init script helps too.

-- 
Neil Bothwick

Blessed be the pessimist for he hath made backups.
From: Dale
Date: 2011-11-30 19:50 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

Neil Bothwick wrote:
> On Wed, 30 Nov 2011 12:31:00 -0600, Dale wrote:
>
> > Did you use a howto for Dracut? If so, have a link you could post? I
> > tried making a init thingy and after about 20 failed reboots, I scrapped
> > the idea. I was trying to follow the howto on the Gentoo wiki I
> > think.
>
> That worked for me (dracut didn't). If it fails, make sure you have set
> it to drop you into a rescue shell as described on the wiki. Adding a
> few echo and ls commands to the init script helps too.

I did. It failed so badly even the rescue didn't work. I did get some flashing lights and introduced to the reset button tho. We all know what happened the last time I had to hit the reset button. :/

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
From: czernitko
Date: 2011-11-30 20:19 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

I wonder whether it is possible to simply resize the dm-crypt encrypted partition? Or do I have to create a new, bigger partition with the required size and move the data?

Peter
From: Neil Bothwick
Date: 2011-11-30 21:45 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

On Wed, 30 Nov 2011 21:19:51 +0100, czernitko wrote:

> I wonder whether it is possible to simply resize the dm-crypt encrypted
> partition? Or do I have to create a new, bigger partition with the required
> size and move the data?

Enlarge the partition then use cryptsetup resize to enlarge the encrypted device (man cryptsetup has the details). Then resize the filesystem to fit.

-- 
Neil Bothwick

Keyboard: (n.) a device used by programmers to write software for a mouse or joystick and by operators for playing games such as 'word processing.'
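Neil's three steps written out, with the check a practitioner wants between step two and step three: after cryptsetup resize the mapping must be exactly the partition size minus the LUKS payload offset, and a mismatch means the kernel has not yet seen the enlarged partition. This is an added example, not from the thread; the mapping name home, an ext2/3/4 filesystem inside the mapping and the LUKS_GROW_* variables are assumptions, and SAMPLE_STATUS is constructed cryptsetup status output (the real command prints the same fields) used only for the self-check. Nothing on a live system is touched unless LUKS_GROW_DO_IT=yes.

```shell
#!/bin/sh
# Added example (not from the thread): grow a LUKS mapping after its partition
# was enlarged, in Neil's order (partition, then cryptsetup resize, then the
# filesystem), with a size check in between.  Assumes ext2/3/4 in the mapping.
set -eu

# Pull one numeric field (offset or size, both in 512-byte sectors) out of
# "cryptsetup status <name>" output read from stdin.
status_field() {   # $1 = offset | size
    awk -v want="$1:" '$1 == want { print $2; exit }'
}

# After "cryptsetup resize" without --size the mapping covers the whole
# partition except the LUKS header, so this is the size it must report.
expected_mapping_sectors() {   # $1 = partition sectors, $2 = payload offset sectors
    echo $(( $1 - $2 ))
}

# Constructed sample of cryptsetup status output for the self-check: a 10 GiB
# partition (20971520 sectors) with 4096 sectors taken by the LUKS1 header.
SAMPLE_STATUS='/dev/mapper/home is active.
  type:    LUKS1
  cipher:  aes-xts-plain64
  keysize: 512 bits
  device:  /dev/sda3
  offset:  4096 sectors
  size:    20967424 sectors
  mode:    read/write'

grow_luks_mapping() {   # $1 = mapping name, e.g. home
    name=$1
    map=/dev/mapper/$name
    dev=$(cryptsetup status "$name" | awk '$1 == "device:" { print $2; exit }')
    [ -b "$dev" ] || { echo "no backing device found for $name" >&2; return 1; }

    # Step 1 was done by hand (fdisk/parted grew $dev in place and the kernel
    # re-read the partition table).  Step 2: extend the mapping to the new end.
    cryptsetup resize "$name"

    # Check that the mapping really reaches the end of the partition.
    part_sectors=$(( $(blockdev --getsize64 "$dev") / 512 ))
    offset=$(cryptsetup status "$name" | status_field offset)
    have=$(cryptsetup status "$name" | status_field size)
    want=$(expected_mapping_sectors "$part_sectors" "$offset")
    [ "$have" -eq "$want" ] || {
        echo "mapping is $have sectors but partition allows $want; has the kernel seen the new partition size?" >&2
        return 1
    }

    # Step 3: grow the filesystem.  ext3/ext4 can grow while mounted; an
    # unmounted filesystem must be checked first or resize2fs refuses to run.
    real=$(readlink -f "$map")
    if awk -v a="$map" -v b="$real" '$1 == a || $1 == b { found = 1 } END { exit !found }' /proc/mounts; then
        resize2fs "$map"
    else
        e2fsck -f -p "$map" || [ $? -le 1 ]   # 1 = errors corrected, still fine
        resize2fs "$map"
    fi
}

# Self-check: the sample's reported size must equal partition minus offset.
sample_check() {
    off=$(printf '%s\n' "$SAMPLE_STATUS" | status_field offset)
    size=$(printf '%s\n' "$SAMPLE_STATUS" | status_field size)
    [ "$(expected_mapping_sectors 20971520 "$off")" -eq "$size" ]
}

if [ "${LUKS_GROW_DO_IT:-no}" = yes ]; then
    grow_luks_mapping "${LUKS_GROW_NAME:-home}"
elif sample_check; then
    echo "sample status is self-consistent"
fi
```

Shrinking is the reverse order (filesystem first, then cryptsetup resize --size, then the partition) and is not what Peter asked about; the header backup from the setup step is worth having before either operation.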
From: Jack Byer
Date: 2011-11-30 19:38 UTC
To: gentoo-user
Subject: [gentoo-user] Re: Re: Full disk encryption

Dale wrote:

> Did you use a howto for Dracut? If so, have a link you could post? I
> tried making a init thingy and after about 20 failed reboots, I scrapped
> the idea. I was trying to follow the howto on the Gentoo wiki I think.
> The unofficial wiki.

I had some difficulties because the way I was doing things before with my homebrew solution was... non-standard.

The problem areas that I remember from the transition were: setting the USE flags correctly to build the modules I needed, initially confusing dracutmodules and add_dracutmodules in dracut.conf (actually you probably don't even need to edit that file at all), making sure to have a sane /etc/fstab line for the root file system and passing the right root= kernel command line. root=UUID=... works the best in my experience.
From: Dale
Date: 2011-12-01 04:21 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Re: Full disk encryption

Jack Byer wrote:
> Dale wrote:
>
> > Did you use a howto for Dracut? If so, have a link you could post? I
> > tried making a init thingy and after about 20 failed reboots, I scrapped
> > the idea. I was trying to follow the howto on the Gentoo wiki I think.
> > The unofficial wiki.
>
> I had some difficulties because the way I was doing things before with my
> homebrew solution was... non-standard.
>
> The problem areas that I remember from the transition were: setting the USE
> flags correctly to build the modules I needed, initially confusing
> dracutmodules and add_dracutmodules in dracut.conf (actually you probably
> don't even need to edit that file at all), making sure to have a sane
> /etc/fstab line for the root file system and passing the right root= kernel
> command line. root=UUID=... works the best in my experience.

I did change the USE flags for the packages it said to. I think some things have changed or something, maybe openrc?, and the script I was copying and working with just didn't work. Maybe it needs updating or something. I'm hoping to see an up-to-date howto or someone will post a good up-to-date howto for dracut. Something even an idiot could follow. I think it will work for me then. lol

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
From: Jack Byer
Date: 2011-12-01 05:07 UTC
To: gentoo-user
Subject: [gentoo-user] Re: Re: Re: Full disk encryption

Dale wrote:
> Jack Byer wrote:
> > Dale wrote:
> >
> > > Did you use a howto for Dracut? If so, have a link you could post? I
> > > tried making a init thingy and after about 20 failed reboots, I scrapped
> > > the idea. I was trying to follow the howto on the Gentoo wiki I think.
> > > The unofficial wiki.
> >
> > I had some difficulties because the way I was doing things before with my
> > homebrew solution was... non-standard.
> >
> > The problem areas that I remember from the transition were: setting the
> > USE flags correctly to build the modules I needed, initially confusing
> > dracutmodules and add_dracutmodules in dracut.conf (actually you probably
> > don't even need to edit that file at all), making sure to have a sane
> > /etc/fstab line for the root file system and passing the right root=
> > kernel command line. root=UUID=... works the best in my experience.
>
> I did change the USE flags for the packages it said to. I think some
> things have changed or something, maybe openrc?, and the script I was
> copying and working with just didn't work. Maybe it needs updating or
> something. I'm hoping to see an up-to-date howto or someone will post a
> good up-to-date howto for dracut. Something even an idiot could follow.
> I think it will work for me then. lol
>
> Dale
>
> :-) :-)

I can tell you how mine is set up.

    emerge -v dracut

    These are the packages that would be merged, in order:

    [ebuild   R   ~] sys-kernel/dracut-013-r2  USE="-debug (-selinux)"
    DRACUT_MODULES="btrfs crypt lvm -biosdevname -caps -crypt-gpg -dmraid
    -dmsquash-live -gensplash -iscsi -livenet -mdraid -multipath -nbd -nfs
    -plymouth -syslog -xen" 0 kB

I don't use any of the other modules so all I enable are btrfs, crypt and lvm.

/etc/dracut.conf has no changes from the default except for the line:

    add_dracutmodules+="crypt dm lvm"

but I'm about 80% sure even that isn't necessary and you could just leave the default values alone. One of these days I'll get around to testing that.

I make an initramfs with the following command:

    dracut --lzma <hostname>.dracut.lzma <kernel version>

(obviously change --lzma to whatever type of compression your kernel expects to use and name the file whatever you want. Make sure to include the kernel version just like it appears in your /lib/modules/ directory so that dracut includes the correct kernel modules)

Then I make grub.conf look something like this:

    root (hd0,0)
    kernel /<hostname> root=UUID=08b00d7f-b633-4c03-98fe-dd5942a8fb7e
    initrd /<hostname>.dracut.lzma

I like to name my kernels and initramfs files by the hostname of the computer since I have three that I manage but use whatever you want and just make sure you put the right filenames in grub.conf.

You can obtain the UUID of your root filesystem by a number of methods, but the easiest is to use

    ls -l /dev/disk/by-uuid/

That's really all there is to it. Dracut will boot up and load the modules it is compiled with and search through the disks, logical volumes, and dmcrypt containers until it finds a filesystem with the UUID you specify. Once it finds the root filesystem it mounts it with whatever options you've specified in /etc/fstab and then hands control over to OpenRC.

If it has the necessary modules (kernel and dracut) and you pass the right root= option then it Just Works.
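Jack's recipe turned into a script: build the initramfs for a named kernel version and print the grub.conf stanza with root= derived from the "/" line in /etc/fstab, so the two cannot disagree, which is the mismatch he names as the usual failure. This is an added example, not Jack's own script; the file naming follows his message, while the /boot paths, the DRACUT_* variables and FSTAB_SAMPLE (a constructed fstab for the self-check, reusing the UUID from his message) are mine. Nothing is built or written unless DRACUT_DO_IT=yes.

```shell
#!/bin/sh
# Added example (not Jack's script): build a dracut initramfs for a given
# kernel and emit the matching legacy grub.conf stanza, taking root= from the
# root entry in /etc/fstab so that fstab and the kernel command line agree.
set -eu

# Device spec of the "/" entry in fstab text on stdin (UUID=..., LABEL=... or
# a /dev path); comment lines are skipped.
fstab_root_spec() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }'
}

# Turn that spec into a root= argument.  UUID= and LABEL= pass through; a
# /dev path is resolved to its UUID with blkid, because /dev/sdX names can
# change between boots and dracut then never finds the root filesystem.
root_cmdline() {   # $1 = fstab spec
    case "$1" in
        UUID=*|LABEL=*) echo "root=$1" ;;
        /dev/*)         echo "root=UUID=$(blkid -s UUID -o value "$1")" ;;
        *)              echo "unrecognised root spec: $1" >&2; return 1 ;;
    esac
}

# Legacy grub.conf stanza in the shape Jack uses.
grub_stanza() {   # $1 = title, $2 = kernel file, $3 = root= argument, $4 = initramfs file
    printf 'title %s\nroot (hd0,0)\nkernel /%s %s\ninitrd /%s\n' "$1" "$2" "$3" "$4"
}

# Constructed fstab for the self-check (the UUID is the one from Jack's message).
FSTAB_SAMPLE='# <fs>                  <mountpoint>  <type>  <opts>          <dump/pass>
/dev/sda1               /boot         ext2    noauto,noatime  1 2
UUID=08b00d7f-b633-4c03-98fe-dd5942a8fb7e  /  ext4  noatime  0 1
/dev/mapper/home        /home         ext4    noatime         0 2'

build_initramfs() {   # $1 = host name used in file names, $2 = kernel version
    host=$1; kver=$2
    # dracut only packs modules for the version it is given, so insist that
    # /lib/modules/<version> exists instead of letting a typo slip through.
    [ -d "/lib/modules/$kver" ] || { echo "no /lib/modules/$kver" >&2; return 1; }
    out="/boot/$host.dracut.lzma"
    dracut --force --lzma "$out" "$kver"
    spec=$(fstab_root_spec < /etc/fstab)
    [ -n "$spec" ] || { echo "no root entry in /etc/fstab" >&2; return 1; }
    grub_stanza "$host" "$host" "$(root_cmdline "$spec")" "$host.dracut.lzma"
}

if [ "${DRACUT_DO_IT:-no}" = yes ]; then
    build_initramfs "$(hostname)" "${DRACUT_KVER:-$(uname -r)}"
fi
```

The --lzma here is Jack's choice; whatever compression is passed must match a decompressor built into the kernel, or the boot stops at the unpacking stage. For a root filesystem inside a LUKS container, the UUID that belongs on root= is the filesystem's (blkid on /dev/mapper/<name> once it is open), not the container's; the container is what dracut's crypt module opens on the way to that filesystem.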
From: Dale
Date: 2011-12-01 05:38 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Re: Re: Full disk encryption

Jack Byer wrote:
> I can tell you how mine is set up.
>
> emerge -v dracut
>
> These are the packages that would be merged, in order:
>
> [ebuild R ~] sys-kernel/dracut-013-r2 USE="-debug (-selinux)"
> DRACUT_MODULES="btrfs crypt lvm -biosdevname -caps -crypt-gpg -dmraid
> -dmsquash-live -gensplash -iscsi -livenet -mdraid -multipath -nbd -nfs
> -plymouth -syslog -xen" 0 kB
>
> I don't use any of the other modules so all I enable are btrfs, crypt and
> lvm.
>
> /etc/dracut.conf has no changes from the default except for the line:
>
> add_dracutmodules+="crypt dm lvm"
>
> but I'm about 80% sure even that isn't necessary and you could just leave
> the default values alone. One of these days I'll get around to testing that.
>
> I make an initramfs with the following command:
>
> dracut --lzma <hostname>.dracut.lzma <kernel version>
>
> (obviously change --lzma to whatever type of compression your kernel
> expects to use and name the file whatever you want. Make sure to include
> the kernel version just like it appears in your /lib/modules/ directory
> so that dracut includes the correct kernel modules)
>
> Then I make grub.conf look something like this:
>
> root (hd0,0)
> kernel /<hostname> root=UUID=08b00d7f-b633-4c03-98fe-dd5942a8fb7e
> initrd /<hostname>.dracut.lzma
>
> I like to name my kernels and initramfs files by the hostname of the
> computer since I have three that I manage but use whatever you want and
> just make sure you put the right filenames in grub.conf.
>
> You can obtain the UUID of your root filesystem by a number of methods, but
> the easiest is to use ls -l /dev/disk/by-uuid/
>
> That's really all there is to it. Dracut will boot up and load the modules
> it is compiled with and search through the disks, logical volumes, and
> dmcrypt containers until it finds a filesystem with the UUID you specify.
> Once it finds the root filesystem it mounts it with whatever options you've
> specified in /etc/fstab and then hands control over to OpenRC.
>
> If it has the necessary modules (kernel and dracut) and you pass the right
> root= option then it Just Works.

< Dale copies to his "Important" folder >

I'm going to give this way a shot next time. I'm downloading a lot of TV shows right now so can't reboot very often. Thanks much for posting this tho. This helps me a LOT.

With all the time I have on my hands, I really need to learn how to add things to all these wiki sites.

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
From: David W Noon
Date: 2011-11-30 20:28 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

On Wed, 30 Nov 2011 12:31:00 -0600, Dale wrote about Re: [gentoo-user] Re: Full disk encryption:

[snip]
> I tried making a init thingy and after about 20 failed reboots, I
> scrapped the idea. I was trying to follow the howto on the Gentoo
> wiki I think. The unofficial wiki.

I posted a couple of months ago that you should "watch this space" for a small and simple initramfs solution. That still applies.

I have a working initramfs layout, but currently it is too large (>32MiB) for my /boot partition. The problem package is e2fsprogs, as it requires dynamic linkage and, consequently, a full-sized glibc. This sucks, so I need to patch the Makefile(s) to build a more sensible set of executables for an initramfs.

All of the code I have written myself compiles and links statically, typically using klibc, so my finished code is tiny.

I haven't been working on this for a couple of months now, because the need for it is not really pressing. The assertion that udev would require /usr and /var (plus the kitchen sink) really soon is unfounded, at least for those of us who run more elderly hardware.

Anyhow, when I'm finished there will be a zsh script that will build an initramfs image, and even install it to /boot, with a single command.

-- 
Regards,

Dave [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
From: Neil Bothwick
Date: 2011-11-30 21:47 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

On Wed, 30 Nov 2011 20:28:28 +0000, David W Noon wrote:

> I have a working initramfs layout, but currently it is too large
> (>32MiB) for my /boot partition. The problem package is e2fsprogs, as
> it requires dynamic linkage and, consequently, a full-sized glibc.

Why do you need e2fsprogs on an initramfs?

-- 
Neil Bothwick

mpeg@11..
From: David W Noon
Date: 2011-11-30 22:07 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

On Wed, 30 Nov 2011 21:47:33 +0000, Neil Bothwick wrote about Re: [gentoo-user] Re: Full disk encryption:

> On Wed, 30 Nov 2011 20:28:28 +0000, David W Noon wrote:
>
> > I have a working initramfs layout, but currently it is too large
> > (>32MiB) for my /boot partition. The problem package is e2fsprogs,
> > as it requires dynamic linkage and, consequently, a full-sized
> > glibc.
>
> Why do you need e2fsprogs on an initramfs?

One needs e2fsck to do a "preen" prior to mounting the required volume(s).

-- 
Regards,

Dave [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
From: Neil Bothwick
Date: 2011-11-30 23:26 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

On Wed, 30 Nov 2011 22:07:35 +0000, David W Noon wrote:

> > Why do you need e2fsprogs on an initramfs?
>
> One needs e2fsck to do a "preen" prior to mounting the required
> volume(s).

Why not mount root read-only, just like in a non-initramfs system?

Any e2fsck commands will be run during the boot runlevel, before remounting root rw.

-- 
Neil Bothwick

Top Oxymorons Number 21: "Now, then ..."
From: David W Noon
Date: 2011-12-01 00:27 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

On Wed, 30 Nov 2011 23:26:56 +0000, Neil Bothwick wrote about Re: [gentoo-user] Re: Full disk encryption:

> On Wed, 30 Nov 2011 22:07:35 +0000, David W Noon wrote:
>
> > > Why do you need e2fsprogs on an initramfs?
> >
> > One needs e2fsck to do a "preen" prior to mounting the required
> > volume(s).
>
> Why not mount root read-only, just like in a non-initramfs system?
>
> Any e2fsck commands will be run during the boot runlevel, before
> remounting root rw.

Unfortunately, the system does not work that way. When running inside an initramfs, one cannot load executable content from mount points -- only from within the initramfs. So, while it is perfectly possible to do "ls /mnt/root/sbin/e2fsck" (assuming the root partition has been mounted ro as /mnt/root), it is not possible to load and execute that program. [And, yes, I have adjusted the PATH and LD_LIBRARY_PATH shell variables to address the program and library directories on the mounted root partition.] After performing a switch_root to the actual root partition, this restriction is lifted.

When running without (or with the default) initramfs, the root partition itself becomes the active filesystem, so loading programs from /sbin or /bin and libraries from /lib works as expected.

This might be one of Dale's problems, if he was trying to use commands from the root filesystem within the initramfs.

-- 
Regards,

Dave [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
From: Dale
Date: 2011-12-01 00:36 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

David W Noon wrote:
> This might be one of Dale's problems, if he was trying to use commands
> from the root filesystem within the initramfs.

I don't think that was the issue. I had nano, busybox and that was it. Basically, I just wanted it to be able to load enough that it could boot even if /usr and /var were on a separate partition. Nothing real fancy, just the basics. I was going to save the fancy stuff for later.

Still, it didn't work. I fixed one error only to have another. The last error, I couldn't find a fix for. I don't even recall what it was now.

Dale

:-) :-)

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
From: Michael Mol
Date: 2011-12-01 00:39 UTC
To: gentoo-user
Subject: Re: [gentoo-user] Re: Full disk encryption

Stupid question... Would using LZMA and a tarball reduce the size of your initramfs?

ZZ

On Nov 30, 2011 7:30 PM, "David W Noon" <dwnoon@ntlworld.com> wrote:

> On Wed, 30 Nov 2011 23:26:56 +0000, Neil Bothwick wrote about Re:
> [gentoo-user] Re: Full disk encryption:
>
> > On Wed, 30 Nov 2011 22:07:35 +0000, David W Noon wrote:
> >
> > > > Why do you need e2fsprogs on an initramfs?
> > >
> > > One needs e2fsck to do a "preen" prior to mounting the required
> > > volume(s).
> >
> > Why not mount root read-only, just like in a non-initramfs system?
> >
> > Any e2fsck commands will be run during the boot runlevel, before
> > remounting root rw.
>
> Unfortunately, the system does not work that way. When running inside
> an initramfs, one cannot load executable content from mount points --
> only from within the initramfs. So, while it is perfectly possible to
> do "ls /mnt/root/sbin/e2fsck" (assuming the root partition has been
> mounted ro as /mnt/root), it is not possible to load and execute that
> program. [And, yes, I have adjusted the PATH and LD_LIBRARY_PATH shell
> variables to address the program and library directories on the mounted
> root partition.] After performing a switch_root to the actual root
> partition, this restriction is lifted.
>
> When running without (or with the default) initramfs, the root
> partition itself becomes the active filesystem, so loading programs
> from /sbin or /bin and libraries from /lib works as expected.
>
> This might be one of Dale's problems, if he was trying to use commands
> from the root filesystem within the initramfs.
>
> --
> Regards,
>
> Dave [RLU #314465]
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
> dwnoon@ntlworld.com (David W Noon)
> *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
* Re: [gentoo-user] Re: Full disk encryption
From: David W Noon @ 2011-12-01 1:23 UTC
To: gentoo-user

On Wed, 30 Nov 2011 19:39:11 -0500, Michael Mol wrote about "Re: [gentoo-user] Re: Full disk encryption":

[snip]
>Stupid question...Would using LZMA and a tarball reduce the size of
>your initramfs?

Not really. I am already using gzip -9, and binaries don't compress especially well. Moreover, the archiver *must* be cpio, not tar.

--
Regards,

Dave [RLU #314465]
======================================================================
dwnoon@ntlworld.com (David W Noon)
======================================================================
* Re: [gentoo-user] Re: Full disk encryption
From: Michael Mol @ 2011-12-01 16:41 UTC
To: gentoo-user

On Wed, Nov 30, 2011 at 8:23 PM, David W Noon <dwnoon@ntlworld.com> wrote:
> On Wed, 30 Nov 2011 19:39:11 -0500, Michael Mol wrote about "Re:
> [gentoo-user] Re: Full disk encryption":
>
> [snip]
>>Stupid question...Would using LZMA and a tarball reduce the size of
>>your initramfs?
>
> Not really. I am already using gzip -9, and binaries don't compress
> especially well. Moreover, the archiver *must* be cpio, not tar.

I don't understand initrd that well, but I understand you run an init-type script inside it.

My thought was:
1) Include enough in your cpio blob to extract a .tar.xz file. Even better if you can use a self-extracting, statically-linked LZMAball.
2) Launch a second-stage init sequence from the subsequently-extracted data.

Large groups of binaries can compress pretty well, but, obviously, it depends greatly on the data in question.

Also, wasn't there an ELF-specific compressor making the rounds a few months ago? And I take it there are no existing tools to take a dynamically-linked binary, pack in all the pulled-in files, rewrite symbol tables to include only the symbols used, pull the thing all into a single now-statically-linked binary, and perform something like COMDAT folding to remove duplicate functions? It would seem possible, at least.

--
:wq
* Re: [gentoo-user] Re: Full disk encryption
From: David W Noon @ 2011-12-01 23:00 UTC
To: gentoo-user

On Thu, 1 Dec 2011 11:41:50 -0500, Michael Mol wrote about Re: [gentoo-user] Re: Full disk encryption:

> On Wed, Nov 30, 2011 at 8:23 PM, David W Noon <dwnoon@ntlworld.com>
> wrote:
> > On Wed, 30 Nov 2011 19:39:11 -0500, Michael Mol wrote about "Re:
> > [gentoo-user] Re: Full disk encryption":
> >
> > [snip]
> >>Stupid question...Would using LZMA and a tarball reduce the size of
> >>your initramfs?
> >
> > Not really. I am already using gzip -9, and binaries don't compress
> > especially well. Moreover, the archiver *must* be cpio, not tar.
>
> I don't understand initrd that well, but I understand you run an
> init-type script inside it.
>
> My thought was:
> 1) Include enough in your cpio blob to extract a .tar.xz file. Even
> better if you can use a self-extracting, statically-linked LZMAball.
> 2) launch a second-stage init sequence from the
> subsequently-extracted data.
>
> Large groups of binaries can compress pretty well, but, obviously, it
> depends greatly on the data in question.

The initramfs is already a compressed archive. It can be compressed using gzip, bzip2 or lzma/xz. All of these give only modest reduction in size.

> Also, wasn't there an ELF-specific compressor making the rounds a few
> months ago? And I take it there are no existing tools to take a
> dynamically-linked binary, pack in all the pulled-in files, rewrite
> symbol tables to include only the symbols used, pull the thing all
> into a single now-statically-linked binary, and perform something like
> COMDAT folding to remove duplicate functions? It would seem possible,
> at least.

The problem with that is that internal references within a .so library are somewhat ambiguous, because the address constants have already been partially relocated, eliminating symbol dictionary lookups (i.e. references that were originally external have been made internal by symbol dictionary lookup and then the symbol converted into an offset within the load library). In contrast, an ar-format library is simply a collection of object decks (old mainframe term) indexed by their external symbols. Thus the linker is forced to keep doing symbol dictionary lookups and object code extraction from libraries until all the external references have been resolved. There are no unresolved external references left in a correctly linked .so library, so this process cannot be repeated.

The only feasible option I can think of is to use a full delinker on the main program. [I wrote one of these delinkers for the IBM mainframe back in the 1980s, so it's a technology I understand fairly well.] This would reverse all the partially relocated addresses back to external references by a reverse lookup in the symbol dictionary and relocation dictionary. This could restore the original object deck(s) of the main program and it/they could be relinked using the static libraries (if they exist).

--
Regards,

Dave [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
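Two of David's points in this exchange, that the kernel accepts only a cpio archive as an initramfs (a tarball, however well compressed, is useless to it) and that the outer compression may be gzip, bzip2 or lzma/xz, can be turned into a quick check of an image before it is installed to /boot. The script below is an added example written for this page, not code from the thread, from David's zsh script or from any Gentoo tool. It identifies the outer compression from the file's magic bytes, decompresses with the matching tool (gzip, bzip2 or xz are assumed to be installed for the formats they cover), and reports whether the payload begins with the newc cpio magic `070701` (or the `070702` checksum variant), which the kernel's unpacker understands, or is a tar archive (`ustar` at offset 257), which it does not. The path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an initramfs image.
# Reports "<compression> <payload>" and succeeds only when the payload is
# a newc cpio archive, i.e. something the kernel can unpack at boot.

# Print the first N bytes of FILE as lowercase hex with no separators.
hexhead() {  # hexhead FILE NBYTES
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Identify the outer compression by magic bytes:
# gzip 1f 8b, bzip2 "BZh" (42 5a 68), xz fd 37 7a 58 5a 00, or none.
compression_of() {  # compression_of FILE
    h=$(hexhead "$1" 6)
    case "$h" in
        1f8b*)        echo gzip ;;
        425a68*)      echo bzip2 ;;
        fd377a585a00) echo xz ;;
        *)            echo none ;;
    esac
}

# Classify a (decompressed) payload read from stdin: cpio-newc, tar or unknown.
# The kernel's initramfs unpacker accepts only the 070701/070702 cpio headers.
payload_kind() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    if [ "$(hexhead "$tmp" 6)" = 303730373031 ] ||
       [ "$(hexhead "$tmp" 6)" = 303730373032 ]; then        # "070701" / "070702"
        kind=cpio-newc
    elif [ "$(od -An -tx1 -j 257 -N 5 "$tmp" | tr -d ' \n')" = 7573746172 ]; then  # "ustar"
        kind=tar
    else
        kind=unknown
    fi
    rm -f "$tmp"
    echo "$kind"
}

# Full check of one image file. Exit status 0 means "bootable archive format".
check_initramfs() {  # check_initramfs IMAGE
    comp=$(compression_of "$1")
    case "$comp" in
        gzip)  kind=$(gzip -dc "$1" | payload_kind) ;;
        bzip2) kind=$(bzip2 -dc "$1" | payload_kind) ;;
        xz)    kind=$(xz -dc "$1" | payload_kind) ;;
        none)  kind=$(payload_kind < "$1") ;;
    esac
    echo "$comp $kind"
    [ "$kind" = cpio-newc ]
}

# Usage: check-initramfs.sh /boot/initramfs.img   (placeholder path)
if [ "$#" -gt 0 ]; then
    check_initramfs "$1"
fi
```

The check deliberately says nothing about the archive's contents; it only catches the two packaging mistakes discussed here (wrong archiver, or a compression the image was not expected to have) before a reboot discovers them.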
* Re: [gentoo-user] Re: Full disk encryption
From: Neil Bothwick @ 2011-12-01 8:47 UTC
To: gentoo-user

On Thu, 1 Dec 2011 00:27:06 +0000, David W Noon wrote:

> > Why not mount root read-only, just like in a non-initramfs system?
> >
> > Any e2fsck commands will be run during the boot runlevel, before
> > remounting root rw.
>
> Unfortunately, the system does not work that way. When running inside
> an initramfs, one cannot load executable content from mount points --
> only from within the initramfs. So, while it is perfectly possible to
> do "ls /mnt/root/sbin/e2fsck" (assuming the root partition has been
> mounted ro as /mnt/root), it is not possible to load and execute that
> program. [And, yes, I have adjusted the PATH and LD_LIBRARY_PATH shell
> variables to address the program and library directories on the mounted
> root partition.] After performing a switch_root to the actual root
> partition, this restriction is lifted.

I understand that, but not why you need to run e2fsck before the switch_root. Is this to do with the way your system is set up? The object of the initramfs is only to get the system into a state where / can be mounted and switch_root run; I assume you are trying to do more than that with it.

--
Neil Bothwick

WORM: (n.) acronym for Write Once, Read Mangled. Used to describe a normally-functioning computer disk of the very latest design.
* Re: [gentoo-user] Re: Full disk encryption
From: David W Noon @ 2011-12-01 13:43 UTC
To: gentoo-user

On Thu, 1 Dec 2011 08:47:27 +0000, Neil Bothwick wrote about "Re: [gentoo-user] Re: Full disk encryption":

>On Thu, 1 Dec 2011 00:27:06 +0000, David W Noon wrote:
[snip]
>> Unfortunately, the system does not work that way. When running
>> inside an initramfs, one cannot load executable content from mount
>> points -- only from within the initramfs. So, while it is perfectly
>> possible to do "ls /mnt/root/sbin/e2fsck" (assuming the root
>> partition has been mounted ro as /mnt/root), it is not possible to
>> load and execute that program. [And, yes, I have adjusted the PATH
>> and LD_LIBRARY_PATH shell variables to address the program and
>> library directories on the mounted root partition.] After performing
>> a switch_root to the actual root partition, this restriction is
>> lifted.
>
>I understand that, but not why you need to run e2fsck before the
>switch_root. Is this to do with the way your system is set up? The
>object of the initramfs is only to get the system into a state where /
>can be mounted and switch_root run, I assume you are trying to do more
>than that with it.

The objective is to get /, /usr, /var and any other directory path the user feels is needed mounted before udev starts. This is a continuation of the "udev now sucks" thread from a few months ago.

I need to fsck / before I mount /usr, /var and everything else. This is because the mount point directories could be zombies that would be removed by fsck, thus invalidating the mount. We all hope that /usr and /var are not zombies, but fsck won't take my word for it.

--
Regards,

Dave [RLU #314465]
======================================================================
dwnoon@ntlworld.com (David W Noon)
======================================================================
* Re: [gentoo-user] Re: Full disk encryption
From: Neil Bothwick @ 2011-12-01 14:03 UTC
To: gentoo-user

On Thu, 1 Dec 2011 13:43:01 +0000, David W Noon wrote:

> >I understand that, but not why you need to run e2fsck before the
> >switch_root. Is this to do with the way your system is set up? The
> >object of the initramfs is only to get the system into a state where /
> >can be mounted and switch_root run, I assume you are trying to do more
> >than that with it.
>
> The objective is to get /, /usr, /var and any other directory path the
> user feels is needed mounted before udev starts. This is a
> continuation of the "udev now sucks" thread from a few months ago.
>
> I need to fsck / before I mount /usr, /var and everything else.

Now it makes sense, but can't you use busybox fsck?

--
Neil Bothwick

An expert is nothing more than an ordinary person away from home.
* Re: [gentoo-user] Re: Full disk encryption
From: Dale @ 2011-12-01 14:13 UTC
To: gentoo-user

Neil Bothwick wrote:
> On Thu, 1 Dec 2011 13:43:01 +0000, David W Noon wrote:
>
>>> I understand that, but not why you need to run e2fsck before the
>>> switch_root. Is this to do with the way your system is set up? The
>>> object of the initramfs is only to get the system into a state where /
>>> can be mounted and switch_root run, I assume you are trying to do more
>>> than that with it.
>> The objective is to get /, /usr, /var and any other directory path the
>> user feels is needed mounted before udev starts. This is a
>> continuation of the "udev now sucks" thread from a few months ago.
>>
>> I need to fsck / before I mount /usr, /var and everything else.
> Now it makes sense, but can't you use busybox fsck?
>
>

I thought the file system was mounted ro, then the file system checks done, then remounted rw and boot continues on? I see mine do this without the init thingy and from what I see as things zoom by, that is what it does. What am I missing here?

Just curious. No flaming please.

Dale

:-) :-)

--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
* Re: [gentoo-user] Re: Full disk encryption
From: Neil Bothwick @ 2011-12-01 15:02 UTC
To: gentoo-user

On Thu, 01 Dec 2011 08:13:24 -0600, Dale wrote:

> >> I need to fsck / before I mount /usr, /var and everything else.
> > Now it makes sense, but can't you use busybox fsck?
> >
> >
>
> I thought the file system was mounted ro, then the file system checks
> done, then remounted rw and boot continues on? I see mine do this
> without the init thingy and from what I see as things zoom by, that is
> what it does. What am I missing here?

That's how it normally happens, with or without an initramfs, but mounting /usr on / without checking / first could possibly be problematic if / turns out to be corrupt. That is the situation David is trying to guard against. I'm not sure it's a big deal, because if / is badly corrupt, the main init will bail out soon enough anyway.

--
Neil Bothwick

Love is grand. Divorce is a few grand more.
* Re: [gentoo-user] Re: Full disk encryption
From: David W Noon @ 2011-12-02 22:00 UTC
To: gentoo-user

On Thu, 1 Dec 2011 14:03:18 +0000, Neil Bothwick wrote about Re: [gentoo-user] Re: Full disk encryption:

> On Thu, 1 Dec 2011 13:43:01 +0000, David W Noon wrote:
[snip]
> > I need to fsck / before I mount /usr, /var and everything else.
>
> Now it makes sense, but can't you use busybox fsck?

AFAIAA, busybox does not have an fsck command. If it did, it would only be a transparent loader for filesystem-specific programs, such as e2fsck or reiserfsck; this is how the standard fsck program works too.

--
Regards,

Dave [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
* Re: [gentoo-user] Re: Full disk encryption
From: Neil Bothwick @ 2011-12-02 23:24 UTC
To: gentoo-user

On Fri, 2 Dec 2011 22:00:18 +0000, David W Noon wrote:

> > Now it makes sense, but can't you use busybox fsck?
>
> AFAIAA, busybox does not have an fsck command. If it did, it would
> only be a transparent loader for filesystem-specific programs, such as
> e2fsck or reiserfsck; this is how the standard fsck program works too.

Busybox does have an fsck; it doesn't recognise the filesystem type, you have to give it as an argument. A quick Google suggests that it does indeed pass the work on to e2fsck; however, I tried renaming /sbin/e2fsck and then running "busybox fsck -t ext2 /dev/summat" and it worked.

--
Neil Bothwick

Copy from another: plagiarism. Copy from many: research.
* Re: [gentoo-user] Re: Full disk encryption
From: David W Noon @ 2011-12-03 0:44 UTC
To: gentoo-user

On Fri, 2 Dec 2011 23:24:29 +0000, Neil Bothwick wrote about Re: [gentoo-user] Re: Full disk encryption:
[snip]
> Busybox does have an fsck, it doesn't recognise the filesystem type,
> you have to give it as an argument. A quick Google suggests that it
> does indeed pass the work on to e2fsck, however, I tried
> renaming /sbin/e2fsck and then running "busybox fsck -t
> ext2 /dev/summat" and it worked.

The reason for that working is that the fsck command loads fsck.ext2, not e2fsck. That used to be a symlink to e2fsck, but these days it is a separate copy (byte-for-byte identical).

--
Regards,

Dave [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
* Re: [gentoo-user] Re: Full disk encryption
From: Neil Bothwick @ 2011-12-03 8:41 UTC
To: gentoo-user

On Sat, 3 Dec 2011 00:44:18 +0000, David W Noon wrote:

> The reason for that working is that the fsck command loads fsck.ext2,
> not e2fsck. That used to be a symlink to e2fsck, but these days it is
> a separate copy (byte-for-byte identical).

Doh!

--
Neil Bothwick

Does fuzzy logic tickle?
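The ordering David argues for in this sub-thread (check / before anything is mounted on top of it, only then bring in /usr and /var, then switch_root), Neil's summary of why that guards against a corrupt /, and the detail the two of them settle on about busybox fsck dispatching to fsck.<type> all fit in a short /init. The script below is an added example written for this page; it is not David's zsh script, Jack's bash /init or any Gentoo tool. The device names are made up, the filesystem type and the use of busybox's mount, fsck and switch_root are assumptions, and the external commands are taken from variables purely so that the ordering logic can be exercised outside a real boot (a real /init would read root= from /proc/cmdline instead of hard-coding devices).

```shell
#!/bin/sh
# Added example (not from the thread): the core of a hand-written initramfs
# /init that checks the root filesystem before mounting anything under it.
# Device names are hypothetical; busybox mount/fsck/switch_root are assumed.
# Commands come from variables so the sequence can be tested with stubs.

ROOTDEV=${ROOTDEV:-/dev/sda2}      # hypothetical; read root= from /proc/cmdline in real use
USRDEV=${USRDEV:-/dev/sda3}        # hypothetical
VARDEV=${VARDEV:-/dev/sda4}        # hypothetical
FSTYPE=${FSTYPE:-ext4}
NEWROOT=${NEWROOT:-/mnt/root}
MOUNT=${MOUNT:-mount}
FSCK=${FSCK:-fsck}
SWITCH_ROOT=${SWITCH_ROOT:-switch_root}

# Kernel pseudo-filesystems: device nodes for fsck and mount to work on.
mount_pseudo() {
    "$MOUNT" -t proc     proc     /proc &&
    "$MOUNT" -t sysfs    sysfs    /sys  &&
    "$MOUNT" -t devtmpfs devtmpfs /dev
}

# Preen one unmounted block device. busybox fsck dispatches on -t to
# fsck.<type>, so fsck.ext4 (or whatever FSTYPE is) must live inside the
# initramfs; the copy on the root partition cannot be executed from here.
# Exit codes follow fsck(8): 0 clean and 1 errors corrected are fine,
# 2 means a reboot is wanted, 4 and above mean the filesystem is not safe.
check_fs() {  # check_fs DEVICE
    if "$FSCK" -t "$FSTYPE" -p "$1"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0|1) return 0 ;;
        2|3) echo "fsck of $1 requests a reboot" >&2; return 2 ;;
        *)   echo "fsck of $1 failed (exit $rc)" >&2; return 1 ;;
    esac
}

# The ordering that matters: / is checked before it is mounted and before
# /usr or /var are touched, so a repair that removes a damaged directory on /
# cannot pull a mount point out from under a filesystem already mounted there.
bring_up_root() {
    check_fs "$ROOTDEV" || return $?
    "$MOUNT" -t "$FSTYPE" -o ro "$ROOTDEV" "$NEWROOT" || return 1
    for pair in "$USRDEV:usr" "$VARDEV:var"; do
        dev=${pair%%:*}
        dir=${pair##*:}
        check_fs "$dev" || return $?
        # After the checks the mount point must still be a real directory.
        if [ ! -d "$NEWROOT/$dir" ]; then
            echo "$NEWROOT/$dir is not a directory after fsck; not mounting $dev" >&2
            return 1
        fi
        "$MOUNT" -t "$FSTYPE" -o ro "$dev" "$NEWROOT/$dir" || return 1
    done
    return 0
}

# Hand over to the real init only when everything above succeeded; otherwise
# leave the operator at a shell with the repair tools that are in the image.
main() {
    if mount_pseudo && bring_up_root; then
        exec "$SWITCH_ROOT" "$NEWROOT" /sbin/init
    fi
    echo "initramfs: could not bring up the root filesystem, dropping to a shell" >&2
    exec /bin/sh
}

# Only run the boot sequence when actually installed as /init.
case "$0" in
    /init|init) main ;;
esac
```

Everything mounted here is read-only; the regular boot scripts on the real root remount / read-write once they take over, which is the behaviour Dale describes seeing on a system without an initramfs.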
* [gentoo-user] Re: Re: Full disk encryption 2011-11-30 20:28 ` [gentoo-user] " David W Noon 2011-11-30 21:47 ` Neil Bothwick @ 2011-12-01 2:46 ` Jack Byer 2011-12-02 1:55 ` [gentoo-user] " Pandu Poluan 2 siblings, 0 replies; 41+ messages in thread From: Jack Byer @ 2011-12-01 2:46 UTC (permalink / raw To: gentoo-user David W Noon wrote: > I have a working initramfs layout, but currently it is too large > (>32MiB) for my /boot partition. The problem package is e2fsprogs, as > it requires dynamic linkage and, consequently, a full-sized glibc. > This sucks, so I need to patch the Makefile(s) to build a more sensible > set of executables for an initramfs. > > All of the code I have written myself compiles and links statically, > typically using klibc, so my finished code is tiny. > > I haven't been working on this for a couple of months now, because the > need for it is not really pressing. The assertion that udev would > require /usr and /var (plus the kitchen sink) really soon is unfounded, > at least for those of us who run more elderly hardware. > > Anyhow, when I'm finished there will be a zsh script that will build an > initramfs image, and even install it to /boot, with a single command. When I made my own initramfs I was operating under the "RAM and disk space are cheap" assumption and did it the easiest way possible: I included the *entirety* of /etc, /bin, /lib{32,64} and /sbin Then I wrote a small bash script for /init Throw the kernel and initramfs on a USB stick, install GRUB on said USB stick and call it a day. If anything breaks, well I've got all the command like repair tools included so it's no big deal to fix as long as the bash script sends me to a command line if it has any problems. ^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [gentoo-user] Re: Full disk encryption 2011-11-30 20:28 ` [gentoo-user] " David W Noon 2011-11-30 21:47 ` Neil Bothwick 2011-12-01 2:46 ` [gentoo-user] " Jack Byer @ 2011-12-02 1:55 ` Pandu Poluan 2011-12-02 18:58 ` David W Noon 2 siblings, 1 reply; 41+ messages in thread From: Pandu Poluan @ 2011-12-02 1:55 UTC (permalink / raw To: gentoo-user [-- Attachment #1: Type: text/plain, Size: 1128 bytes --] On Dec 1, 2011 3:32 AM, "David W Noon" <dwnoon@ntlworld.com> wrote: > ----- >8 snip > > I have a working initramfs layout, but currently it is too large > (>32MiB) for my /boot partition. The problem package is e2fsprogs, as > it requires dynamic linkage and, consequently, a full-sized glibc. > This sucks, so I need to patch the Makefile(s) to build a more sensible > set of executables for an initramfs. > > All of the code I have written myself compiles and links statically, > typically using klibc, so my finished code is tiny. > > I haven't been working on this for a couple of months now, because the > need for it is not really pressing. The assertion that udev would > require /usr and /var (plus the kitchen sink) really soon is unfounded, > at least for those of us who run more elderly hardware. > > Anyhow, when I'm finished there will be a zsh script that will build an > initramfs image, and even install it to /boot, with a single command. You know, Debian has an e2fsck-static package. Why don't Gentoo, I wonder... That said, you *can* have an "almost-static" e2fsck if you compile it yourself. Rgds, [-- Attachment #2: Type: text/html, Size: 1411 bytes --] ^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [gentoo-user] Re: Full disk encryption 2011-12-02 1:55 ` [gentoo-user] " Pandu Poluan @ 2011-12-02 18:58 ` David W Noon 2011-12-02 19:10 ` Michael Mol 0 siblings, 1 reply; 41+ messages in thread From: David W Noon @ 2011-12-02 18:58 UTC (permalink / raw To: gentoo-user [-- Attachment #1: Type: text/plain, Size: 1314 bytes --] On Fri, 2 Dec 2011 08:55:35 +0700, Pandu Poluan wrote about Re: [gentoo-user] Re: Full disk encryption: > On Dec 1, 2011 3:32 AM, "David W Noon" <dwnoon@ntlworld.com> wrote: > > I have a working initramfs layout, but currently it is too large > > (>32MiB) for my /boot partition. The problem package is e2fsprogs, > > as it requires dynamic linkage and, consequently, a full-sized > > glibc. This sucks, so I need to patch the Makefile(s) to build a > > more sensible set of executables for an initramfs. [snip] > You know, Debian has an e2fsck-static package. Why don't Gentoo, I > wonder... > > That said, you *can* have an "almost-static" e2fsck if you compile it > yourself. Clearly you have not tried this yourself. [I have.] The reason modern e2fsprogs no longer have the static option is that the Makefile logic has long been neglected for the static modules and they no longer build correctly to produce e2fsck.static. I am currently (on and off) building a patched Makefile to correct this, but the build is so convoluted that it is something of a chore. -- Regards, Dave [RLU #314465] *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* dwnoon@ntlworld.com (David W Noon) *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 198 bytes --] ^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [gentoo-user] Re: Full disk encryption
From: Michael Mol @ 2011-12-02 19:10 UTC
To: gentoo-user

On Fri, Dec 2, 2011 at 1:58 PM, David W Noon <dwnoon@ntlworld.com> wrote:
> On Fri, 2 Dec 2011 08:55:35 +0700, Pandu Poluan wrote about Re:
> [gentoo-user] Re: Full disk encryption:
>
>> On Dec 1, 2011 3:32 AM, "David W Noon" <dwnoon@ntlworld.com> wrote:
>> > I have a working initramfs layout, but currently it is too large
>> > (>32MiB) for my /boot partition. The problem package is e2fsprogs,
>> > as it requires dynamic linkage and, consequently, a full-sized
>> > glibc. This sucks, so I need to patch the Makefile(s) to build a
>> > more sensible set of executables for an initramfs.
> [snip]
>> You know, Debian has an e2fsck-static package. Why don't Gentoo, I
>> wonder...
>>
>> That said, you *can* have an "almost-static" e2fsck if you compile it
>> yourself.
>
> Clearly you have not tried this yourself. [I have.]
>
> The reason modern e2fsprogs no longer have the static option is that
> the Makefile logic has long been neglected for the static modules and
> they no longer build correctly to produce e2fsck.static. I am
> currently (on and off) building a patched Makefile to correct this, but
> the build is so convoluted that it is something of a chore.

I like Gentoo because I'm a perpetual edge case. This and mdev make two edge-case things you're tackling in your spare time that I know of...Drop me a line if you're ever in the vicinity of Grand Rapids, MI. I'll buy you a beer.

--
:wq
* [gentoo-user] Beers in Michigan (was: Full disk encryption)
From: David W Noon @ 2011-12-02 21:37 UTC
To: gentoo-user

On Fri, 2 Dec 2011 14:10:55 -0500, Michael Mol wrote about Re: [gentoo-user] Re: Full disk encryption:
[snip]
> I like Gentoo because I'm a perpetual edge case. This and mdev makes
> two edge-case things you're tackling in your spare time that I know
> of...Drop me a line if you're ever in the vicinity of Grand Rapids,
> MI. I'll buy you a beer.
>

:-)

The last time I was in Michigan (Auburn Heights) I took a wrong turn in downtown Detroit and ended up in Canada (Windsor). At the time I was living in Plano, TX, so I was somewhat off my patch. That was in 1988.

These days I live even further away than Texas, as I am in Luton, Bedfordshire, about 30 miles north of London.

--
Regards,

Dave [RLU #314465]
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
dwnoon@ntlworld.com (David W Noon)
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
* Re: [gentoo-user] Re: Full disk encryption 2011-11-30 18:04 ` [gentoo-user] " Jack Byer 2011-11-30 18:31 ` Dale @ 2011-11-30 18:32 ` czernitko 2011-11-30 18:50 ` Aljosha Papsch 1 sibling, 1 reply; 41+ messages in thread From: czernitko @ 2011-11-30 18:32 UTC (permalink / raw To: gentoo-user [-- Attachment #1: Type: text/plain, Size: 667 bytes --] Yup, establishing encrypted partition for /home was easy as a pie using cryptsetup. I was considering using truecrypt as it offers multiplatform support, so I could access encrypted partition even from my dualbooted windoze, but I didn't want to put effort into something not as well documented (how-toed) as dmcrypt. As for initrd, I believe it has a lot of advantages, but as long as I can avoid it, I don't see any reason why to spend time learning that stuff and making my kernel deployment more complicated. I know that one day I will have to learn that stuff. But as far as it is not today, it makes my day even better :) Thanks for all your responses! Peter [-- Attachment #2: Type: text/html, Size: 699 bytes --] ^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [gentoo-user] Re: Full disk encryption 2011-11-30 18:32 ` [gentoo-user] " czernitko @ 2011-11-30 18:50 ` Aljosha Papsch 0 siblings, 0 replies; 41+ messages in thread From: Aljosha Papsch @ 2011-11-30 18:50 UTC (permalink / raw To: gentoo-user Am Mittwoch, den 30.11.2011, 19:32 +0100 schrieb czernitko: > Yup, establishing encrypted partition for /home was easy as a pie > using cryptsetup. I was considering using truecrypt as it offers > multiplatform support, so I could access encrypted partition even from > my dualbooted windoze, but I didn't want to put effort into something > not as well documented (how-toed) as dmcrypt. You can use FreeOTFE[0] for that. I don't use Windows, so I can't tell whether you need to install the filesystem driver for Windows. [0] http://www.freeotfe.org/ ^ permalink raw reply [flat|nested] 41+ messages in thread