* [gentoo-user] dm-crypt + ext4 = where will the journal go?
@ 2012-09-03 20:20 "Roland Häder"
2012-09-03 20:36 ` Aw: " "Roland Häder"
` (2 more replies)
0 siblings, 3 replies; 40+ messages in thread
From: "Roland Häder" @ 2012-09-03 20:20 UTC (permalink / raw
To: gentoo-user
Hi all,
I'm currently testing dm-crypt to encrypt my whole hard drive. So far I have followed this [1] guide and have to wait for the randomization part of the hard drive.
In the wiki, ext4 is being used. Since ext3 a journal has been added. From my times with loop-aes I know that I have to store the journal through an encrypted loop device, or else it might be written to the hard drive.
As I'm new to dm-crypt and Gentoo, where will that journal go now?
Any help is welcome. :)
Regards,
Roland
* Aw: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 20:20 [gentoo-user] dm-crypt + ext4 = where will the journal go? "Roland Häder"
@ 2012-09-03 20:36 ` "Roland Häder"
2012-09-03 20:52 ` Florian Philipp
2012-09-03 20:40 ` Florian Philipp
2012-09-03 20:51 ` Steve Buzonas
2 siblings, 1 reply; 40+ messages in thread
From: "Roland Häder" @ 2012-09-03 20:36 UTC (permalink / raw
To: gentoo-user
Oops, here is the missing link:
http://wiki.gentoo.org/wiki/DM-Crypt
(I don't think it is a good idea to store the key file somewhere in plain; [2] says that there is support for crypt-gnupg, but it doesn't show any help on how to set it up.)
[2]: http://wiki.gentoo.org/wiki/Dracut
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 20:20 [gentoo-user] dm-crypt + ext4 = where will the journal go? "Roland Häder"
2012-09-03 20:36 ` Aw: " "Roland Häder"
@ 2012-09-03 20:40 ` Florian Philipp
2012-09-03 20:52 ` Aw: " "Roland Häder"
2012-09-03 20:51 ` Steve Buzonas
2 siblings, 1 reply; 40+ messages in thread
From: Florian Philipp @ 2012-09-03 20:40 UTC (permalink / raw
To: gentoo-user
On 03.09.2012 22:20, "Roland Häder" wrote:
> Hi all,
>
> I'm currently testing dm-crypt to encrypt my whole hard drive. So far
> I followed this [1] guide and have to wait for the randomization part
> of the hard drive.
>
You forgot the link to [1].
> In the wiki, ext4 is being used. Since ext3 a journal has been added.
> From my times with loop-aes I know that I have to store the journal
> through an encrypted loop device else it might be written on the hard
> drive.
>
Never used loop-aes myself. Sorry if I miss the reason for your
confusion because of it.
> As of I'm new to dm-crypt and Gentoo, where will that journal now
> go?
>
Opening a dmcrypt volume creates a mapped block device in /dev/mapper.
You treat it like a partition and format it with ext4. Unless you use
some exotic flags for mke2fs, the journal will be put on the same block
device and is encrypted along with the rest of it.
So: No need to worry about it.
Hope this helps,
Florian Philipp
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 20:20 [gentoo-user] dm-crypt + ext4 = where will the journal go? "Roland Häder"
2012-09-03 20:36 ` Aw: " "Roland Häder"
2012-09-03 20:40 ` Florian Philipp
@ 2012-09-03 20:51 ` Steve Buzonas
2 siblings, 0 replies; 40+ messages in thread
From: Steve Buzonas @ 2012-09-03 20:51 UTC (permalink / raw
To: gentoo-user
The journal is generally located on the partition in question. If the
partition is encrypted the journal should also be encrypted. You can use
`tune2fs -l` to list the contents of the partition's superblock which will
have details on the partition such as journal location, etc...
On Mon, Sep 3, 2012 at 4:20 PM, "Roland Häder" <r.haeder@web.de> wrote:
> Hi all,
>
> I'm currently testing dm-crypt to encrypt my whole hard drive. So far I
> followed this [1] guide and have to wait for the randomization part of the
> hard drive.
>
> In the wiki, ext4 is being used. Since ext3 a journal has been added. From
> my times with loop-aes I know that I have to store the journal through an
> encrypted loop device else it might be written on the hard drive.
>
> As of I'm new to dm-crypt and Gentoo, where will that journal now go?
>
> Any help is welcomed. :)
>
> Regards,
> Roland
>
>
--
Sincerely,
Steve Buzonas Jr.
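The two answers above make the same point: with default mke2fs options the ext4 journal is an inode inside the mapped device, so it is encrypted with everything else, and `tune2fs -l` shows where it lives. As an added example (not code from the thread or from e2fsprogs), here is a small parser that reads `tune2fs -l` output and classifies the journal as internal, external or absent; the superblock dumps are constructed samples that copy the field names tune2fs prints, not captures from a real device.

```python
"""Check where an ext4 journal lives by reading `tune2fs -l` output.

Added example, not from the thread. The superblock dumps below are
constructed samples that copy the field names tune2fs prints; they were
not captured from a real device. On a dm-crypt setup the question is
whether the journal is an inode inside the mapped device (then it is
encrypted with everything else) or an external journal on some other
device (then it is only as protected as that other device).
"""
import re

# Constructed sample: ext4 made on a dm-crypt mapping with default mke2fs
# options, so the journal is inode 8 inside the same block device.
INTERNAL_JOURNAL = """\
tune2fs 1.42 (29-Nov-2011)
Filesystem volume name:   <none>
Filesystem UUID:          00000000-0000-4000-8000-000000000001
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem state:         clean
Last mount time:          Mon Sep  3 22:20:00 2012
Block count:              2621440
Journal inode:            8
Journal backup:           inode blocks
"""

# Constructed sample: filesystem created with `mke2fs -J device=...`, so
# the journal sits on a separate block device that may not be encrypted.
EXTERNAL_JOURNAL = """\
tune2fs 1.42 (29-Nov-2011)
Filesystem volume name:   <none>
Filesystem UUID:          00000000-0000-4000-8000-000000000002
Filesystem features:      has_journal ext_attr resize_inode dir_index filetype extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem state:         clean
Block count:              2621440
Journal UUID:             00000000-0000-4000-8000-0000000000aa
Journal device:           0x0811
"""

# Constructed sample: an ext2-style filesystem without any journal.
NO_JOURNAL = """\
tune2fs 1.42 (29-Nov-2011)
Filesystem volume name:   <none>
Filesystem features:      ext_attr resize_inode dir_index filetype sparse_super large_file
Filesystem state:         clean
Block count:              262144
"""

# "Key:   value" lines; the value may itself contain colons (timestamps).
FIELD = re.compile(r"^([A-Za-z][^:]*):\s*(.*)$")


def parse_superblock(text: str) -> dict:
    """Turn `tune2fs -l` lines such as 'Journal inode:   8' into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def journal_location(text: str) -> str:
    """Return 'internal', 'external', 'none' or 'unknown' for a superblock dump."""
    sb = parse_superblock(text)
    features = sb.get("Filesystem features", "").split()
    if "has_journal" not in features:
        return "none"
    if "Journal inode" in sb:
        return "internal"
    if "Journal device" in sb or "Journal UUID" in sb:
        return "external"
    return "unknown"  # has_journal set but no location field: malformed dump


def journal_covered_by_mapping(text: str, fs_device: str) -> bool:
    """True only when the journal is internal and the filesystem sits on a
    device-mapper node (e.g. /dev/mapper/crypt-root), i.e. the journal is
    written through the same dm-crypt mapping as the data. An external
    journal must be checked separately against its own device."""
    return (journal_location(text) == "internal"
            and fs_device.startswith("/dev/mapper/"))


if __name__ == "__main__":
    # In practice: text = subprocess.check_output(["tune2fs", "-l", dev], text=True)
    for name, dump in (("internal", INTERNAL_JOURNAL),
                       ("external", EXTERNAL_JOURNAL),
                       ("none", NO_JOURNAL)):
        print(name, "->", journal_location(dump))
    print(journal_covered_by_mapping(INTERNAL_JOURNAL, "/dev/mapper/crypt-root"))
```

On a live system the dump comes from `tune2fs -l /dev/mapper/crypt-root`; an internal journal on a `/dev/mapper` node is the expected, fully encrypted case, while an external journal is only as protected as the device named in `Journal device`.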
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 20:36 ` Aw: " "Roland Häder"
@ 2012-09-03 20:52 ` Florian Philipp
2012-09-03 21:23 ` Aw: " "Roland Häder"
0 siblings, 1 reply; 40+ messages in thread
From: Florian Philipp @ 2012-09-03 20:52 UTC (permalink / raw
To: gentoo-user
On 03.09.2012 22:36, "Roland Häder" wrote:
> Opps, here is the missing link: http://wiki.gentoo.org/wiki/DM-Crypt
>
> (I don't think it is a good idea to store the keyFile somewhere
> plain, [2] tells that there is support for crypt-gnupg, but it
> doesn't show any help how to setup it.
>
> [2]: http://wiki.gentoo.org/wiki/Dracut
>
No comment on dracut as I have no experience with it.
However, as I see it, you need no key file if you just use a pass
phrase. In my opinion, a key file is only necessary for two improvements:
1. Two-factor authentication (read: encrypted key file)
2. Avoiding re-typing the pass phrase for multiple dmcrypt partitions
You can easily achieve the second point by putting an unencrypted key
file on the first partition which you encrypt with a pass phrase. You
don't even need dracut for this, /etc/conf.d/dmcrypt lets you configure
it easily (as long as it doesn't affect /usr).
However, I personally find it easier to put LVM on a single dmcrypt
volume and be done with this. All you need for this to work are two lines in
/etc/rc.conf:
rc_dmcrypt_before="lvm"
rc_dmcrypt_after="udev"
Regards,
Florian Philipp
* Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 20:40 ` Florian Philipp
@ 2012-09-03 20:52 ` "Roland Häder"
0 siblings, 0 replies; 40+ messages in thread
From: "Roland Häder" @ 2012-09-03 20:52 UTC (permalink / raw
To: gentoo-user
> You forgot the link to [1].
Already mailed but here again:
http://wiki.gentoo.org/wiki/DM-Crypt
> Never used loop-aes myself. Sorry if I miss the reason for your
> confusion because of it.
http://loop-aes.sourceforge.net
There is the source code. It needs a patched util-linux(-ng) package to get working. Also you should not use (crypt-)loop because it conflicts with it (see README inside the tarball). It also provides a really simple swap encryption:
- /etc/fstab -
/dev/blaX none swap sw,loop=/dev/loop0,encryption=AES256,itercountk=100 0 0
This will make sure that every time you boot up your system a new encryption is set up with an iteration of 100 (still performant enough for most things).
> Opening a dmcrypt volume creates a mapped block device in /dev/mapper.
> You treat it like a partition and format it with ext4. Unless you use
> some exotic flags for mke2fs, the journal will be put on the same block
> device and is encrypted along with the rest of it.
>
> So: No need to worry about it.
Thank you for the explanation. Maybe it should be added to the wiki?
>
> Hope this helps,
> Florian Philipp
Sure it does. :)
Roland
* Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 20:52 ` Florian Philipp
@ 2012-09-03 21:23 ` "Roland Häder"
2012-09-03 22:12 ` "Roland Häder"
2012-09-04 18:59 ` Florian Philipp
0 siblings, 2 replies; 40+ messages in thread
From: "Roland Häder" @ 2012-09-03 21:23 UTC (permalink / raw
To: gentoo-user
> No comment on dracut as I have no experience with it.
Okay, so I have to try it out myself. When I find something out, I will expand the wiki with it.
>
> However, as I see it, you need no key file if you just use a pass
> phrase. In my opinion, a key file is only necessary for two improvements:
Entering just a pass phrase means that this pass phrase will be used to decrypt the device. If you decrypt a key first and then decrypt all your volumes with that key, you have much better security, because that key will then be used as the 'pass phrase', which is *way* stronger (4096+ chars + ~10-20 chars you can remember).
>
> 1. Two-factor authentication (read: encrypted key file)
>
> 2. Avoiding re-typing the pass phrase for multiple dmcrypt partitions
See above. :)
> You can easily achieve the second point by putting an unencrypted key
> file on the first partition which you encrypt with a pass phrase. You
> don't even need dracut for this, /etc/conf.d/dmcrypt lets you configure
> it easily (as long as it doesn't affect /usr).
Okay, I'll look into this.
>
> However, I personally find it easier to put LVM on a single dmcrypt
> volume and be done this. All you need for this to work are two lines in
> /etc/rc.conf:
> rc_dmcrypt_before="lvm"
> rc_dmcrypt_after="udev"
I'm new to LVM; does it set up key-based encryption (best is to put that key on a USB stick, so the attacker needs my stick)?
Regards,
Roland
* Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 21:23 ` Aw: " "Roland Häder"
@ 2012-09-03 22:12 ` "Roland Häder"
2012-09-04 13:48 ` "Roland Häder"
2012-09-04 18:33 ` Florian Philipp
2012-09-04 18:59 ` Florian Philipp
1 sibling, 2 replies; 40+ messages in thread
From: "Roland Häder" @ 2012-09-03 22:12 UTC (permalink / raw
To: gentoo-user
Okay, I have made a little progress. I have generated my private key using some random data + gpg:
# head -c 3705 /dev/urandom | head -n 66 | tail -n 65 > key.out
# gpg --symmetric -a --s2k-count 8388608 key.out
<Enter your password twice>
# mv key.out.asc key.gpg
# rm -f key.out
Now I have to copy that file onto my stick and set up /etc/conf.d/dmcrypt:
# whole root system encrypted with gpg key from removeable media
target=crypt-root
source='/dev/hdaX'
key='/key:gpg'
# This is your stick
remdev='/dev/sda1'
But what next? The example at [1] is based on a key-only file (no passphrase). I know that later on /etc/conf.d/dmcrypt must be placed on the new root fs, but what now? I still have to set it up. cryptsetup doesn't do anything with gpg. So I have to set up a pipeline?
* Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 22:12 ` "Roland Häder"
@ 2012-09-04 13:48 ` "Roland Häder"
2012-09-04 14:15 ` Dale
2012-09-04 17:37 ` Aw: " Hinnerk van Bruinehsen
2012-09-04 18:33 ` Florian Philipp
1 sibling, 2 replies; 40+ messages in thread
From: "Roland Häder" @ 2012-09-04 13:48 UTC (permalink / raw
To: gentoo-user
I think I made a (tolerable) mistake:
My hard drive has two partitions:
- sda1 - encrypted swap
- sda2 - encrypted root
How should it boot? One way could be from external media (e.g. a stick), the other is from the hard drive. But that is encrypted. So I must leave a small area for kernel, initrd, System.map and maybe config.
So the page at [1] is a little wrong because it misses the boot partition, so the new layout should be:
- sda1 - unencrypted boot (/boot) partition
- sda2 - encrypted swap (at least double your RAM) (crypt-swap)
- sda3 - encrypted root (crypt-root)
Can someone update this?
Regards,
Roland
[1]: http://wiki.gentoo.org/wiki/DM-Crypt
* Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 13:48 ` "Roland Häder"
@ 2012-09-04 14:15 ` Dale
2012-09-04 15:14 ` Alan McKinnon
2012-09-04 15:59 ` Aw: Re: " "Roland Häder"
2012-09-04 17:37 ` Aw: " Hinnerk van Bruinehsen
1 sibling, 2 replies; 40+ messages in thread
From: Dale @ 2012-09-04 14:15 UTC (permalink / raw
To: gentoo-user
"Roland Häder" wrote:
> - sda2 - encrypted swap (at least as double as your RAM) (crypt-swap)
>
> Regards,
> Roland
>
> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
>
>
I don't think this is true anymore. It was back when machines had small
amounts of RAM. Case in point, I have 16 GB of RAM. If I have a
program that needs more than that, I need a bigger machine anyway.
Since RAM has got so large, and cheap, I always make my swap around 1 GB
or so. If something does run away and eats up RAM, I have enough swap
that I have time to kill it. I would not make a 32 GB swap partition
though. That would slow about any machine to a crawl if it starts using
that much.
I think the new method for determining swap is to use what makes sense
and not the old rule of 'twice the ram'.
Hope that helps.
Dale
:-) :-)
--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 14:15 ` Dale
@ 2012-09-04 15:14 ` Alan McKinnon
2012-09-04 15:53 ` Dale
2012-09-04 15:59 ` Aw: Re: " "Roland Häder"
1 sibling, 1 reply; 40+ messages in thread
From: Alan McKinnon @ 2012-09-04 15:14 UTC (permalink / raw
To: gentoo-user
On Tue, 04 Sep 2012 09:15:31 -0500
Dale <rdalek1967@gmail.com> wrote:
> I think the new method for determining swap is to use what makes sense
> and not the old rule of 'twice the ram'.
Alan's new rule of swap is:
If you ever use swap as swap at all, find out how your machine is
misconfigured. When my 16G is "not enough" anymore, something is badly
wrong, and it isn't "not enough RAM and I need swap to wiggle around
in" :-)
I think the 2 x RAM rule stopped being applicable when the average
machine got to more than 16M. Some old memes are like zombies - very
hard to kill.
This laptop has a "swap" partition, but it's not for swap, it's for
hibernate. And I never use it, it takes longer to come out of hibernate
than to just boot up from cold! These days I just suspend.
None of this changes the fact that the kernel still does get upset when
it has no swap at all (even just a little bit). But that doesn't mean
we should still be using it as full-blown swap.
--
Alan McKinnon
alan.mckinnon@gmail.com
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 15:14 ` Alan McKinnon
@ 2012-09-04 15:53 ` Dale
2012-09-04 16:10 ` Michael Mol
2012-09-04 20:09 ` Neil Bothwick
0 siblings, 2 replies; 40+ messages in thread
From: Dale @ 2012-09-04 15:53 UTC (permalink / raw
To: gentoo-user
Alan McKinnon wrote:
> On Tue, 04 Sep 2012 09:15:31 -0500
> Dale <rdalek1967@gmail.com> wrote:
>
>> I think the new method for determining swap is to use what makes sense
>> and not the old rule of 'twice the ram'.
> Alan's new rule of swap is:
>
> If you ever use swap as swap at all, find out how your machine is
> misconfigured. When my 16G is "not enough" anymore, something is badly
> wrong and it isn't not enough RAM and I need swap to wiggle around
> in :-)
>
> I think the 2 x RAM rule stopped being applicable when the average
> machine got to more than 16M. Some old memes are like zombies - very
> hard to kill.
>
> This laptop has a "swap" partition, but it's not for swap, it's for
> hibernate. And I never use it, it takes longer to come out of hibernate
> than to just boot up from cold! These days I just suspend.
>
> None of this changes the fact that the kernel still does get upset when
> it has no swap at all (even just a little bit). But that doesn't mean
> we should still be using it as full-blown swap.
>
>
>
Yup. I have swap but I have it set to where it won't use it unless it
is REALLY bad. I have swappiness set to like 20 or something. It will
fill up my RAM with cache and such but it rarely uses more than a few
hundred kilobytes of swap. When I see it using that, I usually kill
swap and add it back. I just don't like a machine with 16 GB of RAM
using swap at all. I have thought about setting it to 10. Maybe then
it will leave it alone until it really hits the fan. ;-)
That said, I did roll over one night and notice that the CPU was going
ape. I got up and into my chair to notice it was using almost all the
ram and was starting to use a bit of swap. I switched to a console, ran
htop and noticed that some KDE process was using about 15.5 GB of RAM.
It was crazy to see. I couldn't get it to die with kill -15 so I did a
kill -9. I guess it had to know I really wanted it dead. It has not
happened since so no clue on why it did that. Heck, it ran the same
version of KDE for a good while and still didn't do it. Cosmic rays
from Mars I guess.
I would recommend at least 500 MB or so of swap regardless of RAM though.
Some swap is a good idea. Just try not to use it since it is dog slow.
If you are using hibernate/suspend thingys then that is different.
Isn't that when it has to be at least as much swap as you have ram?
Dale
:-) :-)
--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
* Aw: Re: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 14:15 ` Dale
2012-09-04 15:14 ` Alan McKinnon
@ 2012-09-04 15:59 ` "Roland Häder"
1 sibling, 0 replies; 40+ messages in thread
From: "Roland Häder" @ 2012-09-04 15:59 UTC (permalink / raw
To: gentoo-user
> I think the new method for determining swap is to use what makes sense
> and not the old rule of 'twice the ram'.
Okay, agreed.
Roland
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 15:53 ` Dale
@ 2012-09-04 16:10 ` Michael Mol
2012-09-04 20:09 ` Neil Bothwick
1 sibling, 0 replies; 40+ messages in thread
From: Michael Mol @ 2012-09-04 16:10 UTC (permalink / raw
To: gentoo-user
On Tue, Sep 4, 2012 at 11:53 AM, Dale <rdalek1967@gmail.com> wrote:
> Alan McKinnon wrote:
>> On Tue, 04 Sep 2012 09:15:31 -0500
>> Dale <rdalek1967@gmail.com> wrote:
>>
>>> I think the new method for determining swap is to use what makes sense
>>> and not the old rule of 'twice the ram'.
>> Alan's new rule of swap is:
>>
>> If you ever use swap as swap at all, find out how your machine is
>> misconfigured. When my 16G is "not enough" anymore, something is badly
>> wrong and it isn't not enough RAM and I need swap to wiggle around
>> in :-)
>>
>> I think the 2 x RAM rule stopped being applicable when the average
>> machine got to more than 16M. Some old memes are like zombies - very
>> hard to kill.
>>
>> This laptop has a "swap" partition, but it's not for swap, it's for
>> hibernate. And I never use it, it takes longer to come out of hibernate
>> than to just boot up from cold! These days I just suspend.
>>
>> None of this changes the fact that the kernel still does get upset when
>> it has no swap at all (even just a little bit). But that doesn't mean
>> we should still be using it as full-blown swap.
>>
>>
>>
>
>
> Yup. I have swap but I have it set to where it won't use it unless it
> is REALLY bad. I have swappiness set to like 20 or something. It will
> fill up my ram with cache and such but it rarely uses more than a few
> hundred kilobytes of swap. When I see it using that, I usually kill
> swap and add it back. I just don't like a machine with 16 GB of RAM
> using swap at all. I have thought about setting it to 10. Maybe then
> it will leave it alone until it really hits the fan. ;-)
Set swappiness to 0. Swap will be used if and only if absolutely necessary.
Also, you're unlikely to notice a performance hit if the amount of
data in swap is only a few tens of megabytes; the seek-and-read rate
of even spinning platter disks should tend to cause that bit of
latency to get lost in the normal noise of library linkage, data file
loading, etc. (heck, it might even still be in the drive cache). The
performance hit is there, but probably not subjectively noticeable.
>
> That said, I did roll over one night and notice that the CPU was going
> ape. I got up and into my chair to notice it was using almost all the
> ram and was starting to use a bit of swap. I switched to a console, ran
> htop and noticed that some KDE process was using about 15.5 GB of RAM.
> It was crazy to see. I couldn't get it to die with kill -15 so I did a
> kill -9. I guess it had to know I really wanted it dead. It has not
> happened since so no clue on why it did that. Heck, it ran the same
> version of KDE for a good while and still didn't do it. Cosmic rays
> from Mars I guess.
>
> I would recommend at least 500 MB or so of swap regardless of RAM though.
> Some swap is a good idea. Just try not to use it since it is dog slow.
Indeed.
> If you are using hibernate/suspend thingys then that is different.
> Isn't that when it has to be at least as much swap as you have ram?
Yes.
--
:wq
* Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 13:48 ` "Roland Häder"
2012-09-04 14:15 ` Dale
@ 2012-09-04 17:37 ` Hinnerk van Bruinehsen
2012-09-04 18:18 ` Florian Philipp
` (2 more replies)
1 sibling, 3 replies; 40+ messages in thread
From: Hinnerk van Bruinehsen @ 2012-09-04 17:37 UTC (permalink / raw
To: gentoo-user
On 04.09.2012 15:48, "Roland Häder" wrote:
> I think I made a (tolerable) mistake:
>
> My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
> encrypted root
>
> How should it boot? One way could be by external media (e.g.
> stick), other is from hard drive. But that is encrypted. So I must
> leave a small area left for kernel, initrd, System.map and maybe
> config.
>
> So the page at [1] is a little wrong because it misses the boot
> partition, so the new layout should be: - sda1 - unencrypted boot
> (/boot) partition - sda2 - encrypted swap (at least double
> your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)
>
> Can someone update this?
>
> Regards, Roland
>
> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
>
In theory grub2 is able to open a LUKS-encrypted volume, though it
seems to have some disadvantages: you'll need to enter the passphrase
(or pass the keyfile) two times, because grub itself needs to decrypt
the volume to get the later stages from the encrypted volume and
afterwards the decryption in the boot process itself takes place.
I can't give any real advice about it though, because I use an
unencrypted boot partition. Depending on your needs it could be an
increase in security, because you can stop an attacker from injecting
malicious code into your kernel (or replacing it completely).
WKR
Hinnerk
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 17:37 ` Aw: " Hinnerk van Bruinehsen
@ 2012-09-04 18:18 ` Florian Philipp
2012-09-04 18:27 ` Michael Mol
2012-09-04 18:48 ` Michael Hampicke
2012-09-04 20:15 ` Neil Bothwick
2 siblings, 1 reply; 40+ messages in thread
From: Florian Philipp @ 2012-09-04 18:18 UTC (permalink / raw
To: gentoo-user
On 04.09.2012 19:37, Hinnerk van Bruinehsen wrote:
> On 04.09.2012 15:48, "Roland Häder" wrote:
>> I think I made a (tolerable) mistake:
>
>> My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
>> encrypted root
>
>> How should it boot? One way could be by external media (e.g.
>> stick), other is from hard drive. But that is encrypted. So I must
>> leave a small area left for kernel, initrd, System.map and maybe
>> config.
>
>> So the page at [1] is a little wrong because it misses the boot
>> partition, so the new layout should be: - sda1 - unencrypted boot
>> (/boot) partition - sda2 - encrypted swap (at least double
>> your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)
>
>> Can someone update this?
>
>> Regards, Roland
>
>> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
>
>
> In theory grub2 is able to open a LUKS-encrypted volume, though it
> seems to have some disadvantages: you'll need to enter the passphrase
> (or pass the keyfile) two times, because grub itself needs to decrypt
> the volume to get the later stages from the encrypted volume and
> afterwards the decryption in the boot process itself takes place.
>
> I can't give any real advice about it though, because I use an
> unencrypted boot partition. Depending on your needs it could be an
> increase in security, because you can stop an attacker from injecting
> malicious code into your kernel (or replacing it completely).
>
> WKR
> Hinnerk
For personal use, I see no point in using an encrypted boot partition.
An attacker needs physical or root access to change the kernel or initrd
in order to get to your encrypted data. In both cases, you are hosed
anyway (keyloggers, etc.).
Encrypting everything except the boot partition still protects you
against theft, seizure and so on (as long as you sanitize the device
when you get it back). Secure Boot would help further but let's not
re-iterate that particular flame/FUD war.
Regards,
Florian Philipp
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 18:18 ` Florian Philipp
@ 2012-09-04 18:27 ` Michael Mol
2012-09-04 19:09 ` Florian Philipp
0 siblings, 1 reply; 40+ messages in thread
From: Michael Mol @ 2012-09-04 18:27 UTC (permalink / raw
To: gentoo-user
On Tue, Sep 4, 2012 at 2:18 PM, Florian Philipp <lists@binarywings.net> wrote:
> On 04.09.2012 19:37, Hinnerk van Bruinehsen wrote:
>> On 04.09.2012 15:48, "Roland Häder" wrote:
>>> I think I made a (tolerable) mistake:
>>
>>> My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
>>> encrypted root
>>
>>> How should it boot? One way could be by external media (e.g.
>>> stick), other is from hard drive. But that is encrypted. So I must
>>> leave a small area left for kernel, initrd, System.map and maybe
>>> config.
>>
>>> So the page at [1] is a little wrong because it misses the boot
>>> partition, so the new layout should be: - sda1 - unencrypted boot
>>> (/boot) partition - sda2 - encrypted swap (at least double
>>> your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)
>>
>>> Can someone update this?
>>
>>> Regards, Roland
>>
>>> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
>>
>>
>> In theory grub2 is able to open a LUKS-encrypted volume, though it
>> seems to have some disadvantages: you'll need to enter the passphrase
>> (or pass the keyfile) two times, because grub itself needs to decrypt
>> the volume to get the later stages from the encrypted volume and
>> afterwards the decryption in the boot process itself takes place.
>>
>> I can't give any real advice about it though, because I use an
>> unencrypted boot partition. Depending on your needs it could be an
>> increase in security, because you can stop an attacker from injecting
>> malicious code into your kernel (or replacing it completely).
>>
>> WKR
>> Hinnerk
>
>
> For personal use, I see no point in using an encrypted boot partition.
> An attacker needs physical or root access to change the kernel or initrd
> in order to get to your encrypted data. In both cases, you are hosed
> anyway (keyloggers, etc.).
Now you've got me pondering cryptographically-verified input devices.
But perhaps a paired USB key fob with a challenge/response setup would
be reasonable.
--
:wq
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 22:12 ` "Roland Häder"
2012-09-04 13:48 ` "Roland Häder"
@ 2012-09-04 18:33 ` Florian Philipp
2012-09-04 19:40 ` Aw: " "Roland Häder"
1 sibling, 1 reply; 40+ messages in thread
From: Florian Philipp @ 2012-09-04 18:33 UTC (permalink / raw
To: gentoo-user
On 04.09.2012 00:12, "Roland Häder" wrote:
> Okay, I have made a little progress. I have generated my private key
> using some random data + gpg:
>
> # head -c 3705 /dev/urandom | head -n 66 | tail -n 65 > key.out # gpg
> --symmetric -a --s2k-count 8388608 key.out <Enter your password
> twice> # mv key.out.asc key.gpg # rm -f key.out
>
Two minor suggestions:
1. Maybe it would be a good idea to use an ASCII-only random string, for
example by piping it through `base64 -w 0`. That way you don't lose any
entropy (the key just gets longer) but it is easier to type the keyfile
manually, in case you ever need to. You also don't have to worry about
odd behavior of password prompts anymore.
2. You should `shred` key.out instead of `rm`.
> Now I have to copy that file on my stick and setup
> /etc/conf.d/dmcrypt:
>
> # whole root system encrypted with gpg key from removeable media
> target=crypt-root source='/dev/hdaX' key='/key:gpg' # This is your
> stick remdev='/dev/sda1'
>
> But what next? The example at [1] is based on key-only file (no
> passphrase). I know, later on /etc/conf.d/dmcrypt must be placed on
> the new root-fs but what now? I still have to setup it. cryptsetup
> doesn't do anything with gpg. So I have setup a pipeline?
>
I'm not entirely sure I understand what you mean, therefore I just start
babbling. ;-)
The dmcrypt init script cannot be used for encrypting the root fs, a
separate /usr or /etc. At least, I don't see a way to do it and I don't
see it in the examples in my /etc/conf.d/dmcrypt.
However, you can use it for all other directories containing sensitive
data (/home, /srv, /var, /tmp). You might still need a skeleton
directory structure of /var for the early boot stages but that's about it.
Getting root encrypted is the sole responsibility of your initrd.
Regards,
Florian Philipp
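Two threads of the discussion above fit one worked example: Florian's suggestions to keep the key file ASCII-only via base64 and to overwrite the plaintext copy instead of just `rm`-ing it, and the earlier question of whether a long key file makes the volume stronger than a pass phrase. The Python below is an added example, not code from the thread, the Gentoo wiki or cryptsetup. It generates a base64 key file, scrubs the plaintext, and runs both a short pass phrase and the long key file through PBKDF2-HMAC-SHA1 (the LUKS1 key-slot KDF) to show that both collapse to the same fixed key size; the salt, iteration count and the 3705-byte size are assumed values chosen to mirror the thread, not values read from any real LUKS header.

```python
"""Key file hygiene and key derivation for a dm-crypt/LUKS volume.

Added example; not code from the thread, the Gentoo wiki or cryptsetup.
Salt, iteration count and the 3705-byte size are assumed values picked to
mirror the discussion, not values read from any real LUKS header.
"""
import base64
import hashlib
import math
import os
import tempfile


def make_ascii_keyfile(nbytes: int = 3705) -> bytes:
    """Random key material as one base64 line (what `base64 -w 0` gives you).

    Encoding neither adds nor removes entropy: the output is longer, but it
    maps one-to-one onto the random bytes, so it still carries 8*nbytes bits.
    """
    return base64.b64encode(os.urandom(nbytes))


def derive_key(secret: bytes, salt: bytes, iterations: int,
               key_len: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1, the LUKS1 default key-slot KDF.

    The output length is fixed by key_len (the cipher key size chosen at
    luksFormat) no matter how long `secret` is. In LUKS this derived key
    does not encrypt the data itself; it unwraps the random master key
    stored in the key slot.
    """
    return hashlib.pbkdf2_hmac("sha1", secret, salt, iterations, dklen=key_len)


def effective_guess_bits(keyfile_bits: float, passphrase_bits: float) -> float:
    """Attacker work when the key file is itself protected by a pass phrase.

    They may guess the key file directly (keyfile_bits) or guess the pass
    phrase that decrypts it (passphrase_bits); the cheaper route bounds
    the real strength, so a huge key file does not raise it by itself.
    """
    return min(keyfile_bits, passphrase_bits)


def overwrite_and_unlink(path: str, passes: int = 3) -> None:
    """Overwrite a plaintext key file in place, then delete it.

    Same caveat as shred(1): on journaling, copy-on-write or SSD-backed
    storage old blocks may survive the overwrite, so keep the plaintext on
    tmpfs in the first place if you can.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(os.urandom(size))
            fh.flush()
            os.fsync(fh.fileno())
    os.unlink(path)


def demo_derivation() -> dict:
    """Short pass phrase vs. long key file: same derived key length."""
    salt = bytes(range(32))      # constructed; LUKS stores a random salt
    iterations = 100_000         # constructed; cryptsetup benchmarks this
    keyfile = make_ascii_keyfile()
    passphrase = b"correct horse battery staple"   # 28 printable chars
    return {
        "keyfile_chars": len(keyfile),
        "short_key_len": len(derive_key(passphrase, salt, iterations)),
        "long_key_len": len(derive_key(keyfile, salt, iterations)),
        # 3705 random bytes are 29640 bits; a 28-char printable-ASCII phrase
        # is at most 28*log2(95), about 184 bits, and that is what bounds the
        # attacker if the phrase is all that guards the key file.
        "bottleneck_bits": effective_guess_bits(8 * 3705, 28 * math.log2(95)),
    }


def demo_overwrite() -> bool:
    """Write a throwaway key.out, scrub it, report whether it is gone."""
    fd, path = tempfile.mkstemp(prefix="key.out.")
    with os.fdopen(fd, "wb") as fh:
        fh.write(make_ascii_keyfile(64))
    overwrite_and_unlink(path)
    return not os.path.exists(path)


if __name__ == "__main__":
    print(demo_derivation())
    print("plaintext scrubbed:", demo_overwrite())
```

The practical reading: a 4940-character key file and a 28-character pass phrase both end up as a 32-byte key-slot key, so what the key file buys you is not a longer key but a second factor (the stick) and freedom from typing; if that key file is only guarded by a gpg pass phrase, guessing that pass phrase is the attacker's cheapest path.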
* Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 17:37 ` Aw: " Hinnerk van Bruinehsen
2012-09-04 18:18 ` Florian Philipp
@ 2012-09-04 18:48 ` Michael Hampicke
2012-09-04 20:08 ` Hinnerk van Bruinehsen
2012-09-04 20:15 ` Neil Bothwick
2 siblings, 1 reply; 40+ messages in thread
From: Michael Hampicke @ 2012-09-04 18:48 UTC (permalink / raw
To: gentoo-user
> In theory grub2 is able to open a LUKS-encrypted volume, though it
> seems to have some disadvantages: you'll need to enter the passphrase
> (or pass the keyfile) two times, because grub itself needs to decrypt
> the volume to get the later stages from the encrypted volume and
> afterwards the decryption in the boot process itself takes place.
>
> I can't give any real advice about it though, because I use an
> unencrypted boot partition. Depending on your needs it could be an
> increase in security, because you can stop an attacker from injecting
> malicious code into your kernel (or replacing it completely).
I don't think so, I still can replace your bootloader and grab your
password. If you really think you might need something like this, I
suggest you put your kernel and bootloader on a USB stick and boot your
machine from that. When not in use keep the stick on your person.
That still does not protect you from physical tampering with your device.
Anyway, what about one of those fancy tin foil hats to protect oneself
against the government's mind control rays :)
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-03 21:23 ` Aw: " "Roland Häder"
2012-09-03 22:12 ` "Roland Häder"
@ 2012-09-04 18:59 ` Florian Philipp
2012-09-04 20:14 ` Neil Bothwick
1 sibling, 1 reply; 40+ messages in thread
From: Florian Philipp @ 2012-09-04 18:59 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 3743 bytes --]
Am 03.09.2012 23:23, schrieb "Roland Häder":
>
>> No comment on dracut as I have no experience with it.
> Okay, so I have to try it out myself. When I found something out, I
> expand the wiki with it.
>
>>
>> However, as I see it, you need no key file if you just use a pass
>> phrase. In my opinion, a key file is only necessary for two
>> improvements:
> Entering just a pass phrase means that this pass phrase will be used
> to decrypt the device, if you decrypt a key before and then with that
> key decrypt all your volumes you have a much better security because
> that key will then be used as 'pass phrase' which is *way* much
> stronger (4096+ chars + ~10-20 chars you can remember).
>
That's not exactly how it works.
1. An attacker could still simply break the pass phrase used to encrypt
the key file.
2. You don't actually weaken the encryption of your disk if you use a
small key (besides the obviously easier guessing of the key). The actual
encryption key is generated from the pass phrase (or key file) by a hash
function (default: SHA-1). This always expands or compresses your key to
the key size defined when issuing `cryptsetup luksFormat`.
>>
>> 1. Two-factor authentication (read: encrypted key file)
>>
This is what makes a key file better and more secure. The attacker not
only needs a pass phrase /or/ a memory stick; he needs both.
>> 2. Avoiding re-typing the pass phrase for multiple dmcrypt
>> partitions
> See above. :)
>
>> You can easily achieve the second point by putting an unencrypted
>> key file on the first partition which you encrypt with a pass
>> phrase. You don't even need dracut for this, /etc/conf.d/dmcrypt
>> lets you configure it easily (as long as it doesn't affect /usr).
> Okay, I look into this.
>
>>
>> However, I personally find it easier to put LVM on a single
>> dmcrypt volume and be done with this. All you need for this to work are
>> two lines in /etc/rc.conf: rc_dmcrypt_before="lvm"
>> rc_dmcrypt_after="udev"
> I'm new to LVM, does it set up key-based encryption (best is to put
> that key on a USB stick, so the attacker needs my stick).
>
> Regards, Roland
>
I guess I didn't make myself clear. Mostly because I didn't want to
write a whole article on it before someone actually showed interest in
this. Anyway:
LVM has nothing to do with the encryption. It is just a way to partition
a single dmcrypt partition into more devices. Maybe it gets clearer if I
show my partitioning scheme (shortened a bit and with some artistic
liberties):
/dev/sda1 # /boot
/dev/sda2 # root + /usr + /etc
/dev/sda3 -> /dev/mapper/crypt # dmcrypt partition
/dev/mapper/crypt -> vg_notebook # LVM volume group on dmcrypt
vg_notebook -> /dev/mapper/vg_notebook-var # /var
vg_notebook -> /dev/mapper/vg_notebook-home # /home
vg_notebook -> /dev/mapper/vg_notebook-swap # swap
vg_notebook -> /dev/mapper/vg_notebook-opt # /opt
vg_notebook -> /dev/mapper/vg_notebook-usr-local # /usr/local
You see, it is just an alternative to different approaches on getting
several parts of your file system encrypted without having to enter pass
phrases for several dmcrypt partitions. Alternatives are
1. Put an unencrypted key file on the first encrypted partition.
2. Use a single file system on a single dmcrypt partition and then
`mount --bind` or `ln -s` parts of it in different places.
For me personally, it is a nice compromise as it allows me to work
without an initrd while still keeping most of my file systems encrypted.
I just have to make sure to leave nothing private on root, /usr or /etc.
Regards,
Florian Philipp
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 18:27 ` Michael Mol
@ 2012-09-04 19:09 ` Florian Philipp
2012-09-04 20:05 ` Aw: " "Roland Häder"
0 siblings, 1 reply; 40+ messages in thread
From: Florian Philipp @ 2012-09-04 19:09 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 2627 bytes --]
Am 04.09.2012 20:27, schrieb Michael Mol:
> On Tue, Sep 4, 2012 at 2:18 PM, Florian Philipp <lists@binarywings.net> wrote:
>> Am 04.09.2012 19:37, schrieb Hinnerk van Bruinehsen:
>>> On 04.09.2012 15:48, "Roland Häder" wrote:
>>>> I think I made a (tolerable) mistake:
>>>
>>>> My hard drive has two partitions: - sda1 - encrypted swap - sda2 -
>>>> encrypted root
>>>
>>>> How should it boot? One way could be by external media (e.g.
>>>> stick), other is from hard drive. But that is encrypted. So I must
>>>> leave a small area left for kernel, initrd, System.map and maybe
>>>> config.
>>>
>>>> So the page at [1] is a little wrong because it misses the boot
>>>> partition, so the new layout should be: - sda1 - unencrypted boot
>>>> (/boot) partition - sda2 - encrypted swap (at least as double as
>>>> your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root)
>>>
>>>> Can someone update this?
>>>
>>>> Regards, Roland
>>>
>>>> [1]: http://wiki.gentoo.org/wiki/DM-Crypt
>>>
>>>
>>> In theory grub2 is able to open a luks-encrypted volume though it
>>> seems to have some disadvantages: you'll need to enter the passphrase
>>> (or pass the keyfile) two times, because grub itself needs to decrypt
>>> the volume to get the later stages from the encrypted volume and
>>> afterwards the decryption in the bootprocess itself takes place.
>>>
>>> I can't give any real advice about it though, because I use an
>>> unencrypted boot partition. Depending on your needs it could be an
>>> increase of security, because you can stop an attacker from injecting
>>> malicious code into your kernel (or replace it completely).
>>>
>>> WKR
>>> Hinnerk
>>
>>
>> For personal use, I see no point in using an encrypted boot partition.
>> An attacker needs physical or root access to change the kernel or initrd
>> in order to get to your encrypted data. In both cases, you are hosed
>> anyway (keyloggers, etc.).
>
> Now you've got me pondering cryptographically-verified input devices.
> But perhaps a paired USB key fob with a challenge/response setup would
> be reasonable.
>
>
Don't forget to look for hidden cameras or telescopes pointed at nearby
windows. You also have to worry about the characteristic electromagnetic
interference caused by your input devices (you don't need to wear a
tinfoil hat but maybe your keyboard should ;-) ).
Once you start to worry, there is no end.
This seems to be of interest:
http://news.cnet.com/8301-10784_3-9741357-7.html
But this should not be forgotten, either:
http://xkcd.com/538/
Regards,
Florian Philipp
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
* Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 18:33 ` Florian Philipp
@ 2012-09-04 19:40 ` "Roland Häder"
2012-09-04 19:47 ` Michael Mol
2012-09-04 20:36 ` Florian Philipp
0 siblings, 2 replies; 40+ messages in thread
From: "Roland Häder" @ 2012-09-04 19:40 UTC (permalink / raw
To: gentoo-user
> 1. Maybe it would be a good idea to use an ASCII-only random string, for
> example by piping it through `base64 -w 0`. That way you don't lose any
> entropy (the key just gets longer) but it is easier to type the keyfile
> manually, in case you ever need to. You also don't have to worry about
> odd behavior of password prompts anymore.
I think it is too late for that now? I have already formatted it, added ext4 on it and installed some packages already (was a long way).
>
> 2. You should `shred` key.out instead of `rm`.
That key file was on a RAM disk, not on a real one. ;)
Roland
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 19:40 ` Aw: " "Roland Häder"
@ 2012-09-04 19:47 ` Michael Mol
2012-09-04 20:36 ` Florian Philipp
1 sibling, 0 replies; 40+ messages in thread
From: Michael Mol @ 2012-09-04 19:47 UTC (permalink / raw
To: gentoo-user
On Tue, Sep 4, 2012 at 3:40 PM, "Roland Häder" <r.haeder@web.de> wrote:
>> 1. Maybe it would be a good idea to use an ASCII-only random string, for
>> example by piping it through `base64 -w 0`. That way you don't lose any
>> entropy (the key just gets longer) but it is easier to type the keyfile
>> manually, in case you ever need to. You also don't have to worry about
>> odd behavior of password prompts anymore.
> I think it is too late for that now? I have already formatted it, added ext4 on it and installed some packages already (was a long way).
>
>>
>> 2. You should `shred` key.out instead of `rm`.
> That key file was on a RAM disk, not on a real one. ;)
So shred your swap partition. :P
--
:wq
^ permalink raw reply [flat|nested] 40+ messages in thread
* Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 19:09 ` Florian Philipp
@ 2012-09-04 20:05 ` "Roland Häder"
2012-09-04 20:15 ` Hinnerk van Bruinehsen
0 siblings, 1 reply; 40+ messages in thread
From: "Roland Häder" @ 2012-09-04 20:05 UTC (permalink / raw
To: gentoo-user
Okay, I have setup so far this:
/dev/sda1 - /boot (unencrypted)
/dev/sda2 - swap (not yet set up, will be encrypted)
/dev/sda3 - / (encrypted)
/dev/sda3 is the underlying drive, where I used gpg:
# gpg --decrypt key.gpg | cryptsetup --verbose luksFormat /dev/sda3
# gpg --decrypt key.gpg | cryptsetup --verbose luksOpen /dev/sda3 encVol
# dd if=/dev/zero of=/dev/mapper/encVol bs=100M (to avoid filesystem corruption)
# mkfs.ext4 -L root /dev/mapper/encVol
Now I continued as usual with the Gentoo handbook (mount all, copy things on it, etc.)
After I compiled the kernel and emerged cryptsetup on the new system, I edited /boot/grub/grub.conf:
-----------------------------------------------
default 0
timeout 30
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
title Gentoo Linux
root (hd0,0)
kernel /boot/kernel-genkernel-x86-3.3.8-gentoo root=/dev/ram0 crypt_root=/dev/sda3
initrd /boot/initramfs-genkernel-x86-3.3.8-gentoo
-----------------------------------------------
(I read not to use real_root, but crypt_root instead?)
Then I emerged grub as usual (also: # cat /proc/mounts > etc/mtab ) and did: # grub-install --no-floppy /dev/sda
Still as usual. Now it is downloading plymouth (to have some cool things) + dracut (easiest way as I read in wiki).
I also had to expand /etc/make.conf (not /etc/portage/make.conf ??? Is this a mistake in handbook?):
-----------------------------------------------
DRACUT_MODULES="crypt_gpg plymouth"
-----------------------------------------------
Now I really hope that, after I have installed dracut on it, I can boot it and the initrd will be updated. It needs at least some kernel modules (e.g. dm_crypt, ext4, sha512_generic, aes_generic) plus the gpg and cryptsetup tools to actually decrypt the hard drive.
Regards,
Roland
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 18:48 ` Michael Hampicke
@ 2012-09-04 20:08 ` Hinnerk van Bruinehsen
0 siblings, 0 replies; 40+ messages in thread
From: Hinnerk van Bruinehsen @ 2012-09-04 20:08 UTC (permalink / raw
To: gentoo-user
On 04.09.2012 20:48, Michael Hampicke wrote:
>> In theory grub2 is able to open a luks-encrypted volume though
>> it seems to have some disadvantages: you'll need to enter the
>> passphrase (or pass the keyfile) two times, because grub itself
>> needs to decrypt the volume to get the later stages from the
>> encrypted volume and afterwards the decryption in the bootprocess
>> itself takes place.
>>
>> I can't give any real advice about it though, because I use an
>> unencrypted boot partition. Depending on your needs it could be
>> an increase of security, because you can stop an attacker from
>> injecting malicious code into your kernel (or replace it
>> completely).
>
> I don't think so, I still can replace your bootloader and grab
> your password. If you really think you might need something like
> this, I suggest you put your kernel and bootloader on a USB stick
> and boot your machine from that. When not in use keep the stick on
> your person.
>
> That still does not protect you from physical tampering with your
> device.
>
> Anyway, what about one of those fancy tin foil hats to protect
> oneself against the government's mind control rays :)
>
Ah yes - the aluminium foil deflector beanie
(http://zapatopi.net/afdb/)...
I just use it, when going out of my house or when updating my
MindGuard (http://zapatopi.net/mindguard/)
Enough fun - I just wanted to name the possibility because it's there
and it wouldn't require you to repartition your drive.
I think it would be an increase in security nonetheless, though you're
correct: there are a lot more possible attack vectors, with side
channel stuff getting very freaky indeed (e.g. there is an
interesting paper about using the gyroscopes of a mobile telephone to
make a (>80%) correct guess about the pressed key).
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 15:53 ` Dale
2012-09-04 16:10 ` Michael Mol
@ 2012-09-04 20:09 ` Neil Bothwick
2012-09-04 20:51 ` Florian Philipp
1 sibling, 1 reply; 40+ messages in thread
From: Neil Bothwick @ 2012-09-04 20:09 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 738 bytes --]
On Tue, 04 Sep 2012 10:53:38 -0500, Dale wrote:
> If you are using hibernate/suspend thingys then that is different.
> Isn't that when it has to be at least as much swap as you have ram?
Not necessarily because the data is compressed before saving, but you
can't know how much it is going to compress, so only if your RAM is all
used up with incompressible data (an unlikely scenario) will you need
that much.
Not that hibernating a system with 16GB is ever going to be fast enough
to be worth bothering with. As Alan has discovered, it can take longer
than a cold boot.
--
Neil Bothwick
"Be strict when sending and tolerant when receiving."
RFC 1958 - Architectural Principles of the Internet - section 3.9
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 18:59 ` Florian Philipp
@ 2012-09-04 20:14 ` Neil Bothwick
2012-09-04 20:45 ` Florian Philipp
0 siblings, 1 reply; 40+ messages in thread
From: Neil Bothwick @ 2012-09-04 20:14 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 260 bytes --]
On Tue, 04 Sep 2012 20:59:34 +0200, Florian Philipp wrote:
> I just have to make sure to leave nothing private on root, /usr or /etc.
Like your passwd and shadow files?
--
Neil Bothwick
Ifyoucanreadthis,youspendtoomuchtimefiguringouttaglines.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 20:05 ` Aw: " "Roland Häder"
@ 2012-09-04 20:15 ` Hinnerk van Bruinehsen
0 siblings, 0 replies; 40+ messages in thread
From: Hinnerk van Bruinehsen @ 2012-09-04 20:15 UTC (permalink / raw
To: gentoo-user
On 04.09.2012 22:05, "Roland Häder" wrote:
> Okay, I have setup so far this:
>
> /dev/sda1 - /boot (unencrypted)
> /dev/sda2 - swap (not yet set up, will be encrypted)
> /dev/sda3 - / (encrypted)
>
> /dev/sda3 is the underlying drive, where I used gpg:
>
> # gpg --decrypt key.gpg | cryptsetup --verbose luksFormat /dev/sda3
> # gpg --decrypt key.gpg | cryptsetup --verbose luksOpen /dev/sda3 encVol
> # dd if=/dev/zero of=/dev/mapper/encVol bs=100M (to avoid filesystem corruption)
> # mkfs.ext4 -L root /dev/mapper/encVol
>
> Now I continued as usual with the Gentoo handbook (mount all, copy
> things on it, etc.)
>
> After I compiled the kernel and emerged cryptsetup on the new system,
> I edited /boot/grub/grub.conf:
> -----------------------------------------------
> default 0
> timeout 30
> splashimage=(hd0,0)/boot/grub/splash.xpm.gz
>
> title Gentoo Linux
> root (hd0,0)
> kernel /boot/kernel-genkernel-x86-3.3.8-gentoo root=/dev/ram0 crypt_root=/dev/sda3
> initrd /boot/initramfs-genkernel-x86-3.3.8-gentoo
> -----------------------------------------------
> (I read not to use real_root, but crypt_root instead?)
>
> Then I emerged grub as usual (also: # cat /proc/mounts > etc/mtab )
> and did: # grub-install --no-floppy /dev/sda
>
> Still as usual. Now it is downloading plymouth (to have some cool
> things) + dracut (easiest way as I read in wiki).
>
> I also had to expand /etc/make.conf (not /etc/portage/make.conf ???
> Is this a mistake in handbook?):
>
> -----------------------------------------------
> DRACUT_MODULES="crypt_gpg plymouth"
> -----------------------------------------------
>
> Now I really hope, that after I installed dracut on it, that I can
> boot it and the initrd will be updated. It needs at least some
> kernel modules (e.g. dm_crypt, ext4, sha512_generic, aes_generic)
> plus gpg and cryptsetup tools to actually decrypt the hard drive.
>
> Regards, Roland
>
I think you need to add crypt as a dracut module since crypt_gpg is
afaik just an extension to crypt.
The output from equery seems to support my assumption:
...
dracut_modules_crypt : Decrypt devices encrypted with
cryptsetup/LUKS
dracut_modules_crypt-gpg : Support for GPG-encrypted keys for
crypt module
...
WKR
Hinnerk
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 17:37 ` Aw: " Hinnerk van Bruinehsen
2012-09-04 18:18 ` Florian Philipp
2012-09-04 18:48 ` Michael Hampicke
@ 2012-09-04 20:15 ` Neil Bothwick
2 siblings, 0 replies; 40+ messages in thread
From: Neil Bothwick @ 2012-09-04 20:15 UTC (permalink / raw
To: gentoo-user
On Tue, 04 Sep 2012 19:37:16 +0200, Hinnerk van Bruinehsen wrote:
> In theory grub2 is able to open a luks-encrypted volume though it
> seems to have some disadvantages: you'll need to enter the passphrase
> (or pass the keyfile) two times, because grub itself needs to decrypt
> the volume to get the later stages from the encrypted volume and
> afterwards the decryption in the bootprocess itself takes place.
You don't need to mount /boot as part of the boot process, only when you
want to install a new kernel or reconfigure the bootloader.
--
Neil Bothwick
What do you call a dead bee? - A was.
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 19:40 ` Aw: " "Roland Häder"
2012-09-04 19:47 ` Michael Mol
@ 2012-09-04 20:36 ` Florian Philipp
1 sibling, 0 replies; 40+ messages in thread
From: Florian Philipp @ 2012-09-04 20:36 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 740 bytes --]
Am 04.09.2012 21:40, schrieb "Roland Häder":
>> 1. Maybe it would be a good idea to use an ASCII-only random string, for
>> example by piping it through `base64 -w 0`. That way you don't lose any
>> entropy (the key just gets longer) but it is easier to type the keyfile
>> manually, in case you ever need to. You also don't have to worry about
>> odd behavior of password prompts anymore.
> I think that is now to late for? I have already formated it and added ext4 on it plus installed some packages already (was a long way).
>
Well, if you want, you can just change the pass phrase. Or even create
another one. LUKS supports multiple "key slots". Use `cryptsetup
luksAddKey` and friends.
Regards,
Florian Philipp
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
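Three points in this thread fit one worked model: Florian's earlier explanation that the pass phrase or key file is run through a key-derivation step that always yields a key of the size fixed at `cryptsetup luksFormat` time, his suggestion to store the key file as `base64 -w 0` output, and his reply above that a pass phrase can be changed or added later with `cryptsetup luksAddKey` because LUKS has several key slots. The following is an added illustration written for this page, not code from cryptsetup or the Gentoo wiki. It models LUKS1 key slots: a random master key is generated once at format time, and each slot stores a salt plus a copy of that master key wrapped under a key derived from the slot's secret with PBKDF2 (the iterated hash Florian refers to). Labelled assumptions: real cryptsetup AF-splits the master key and encrypts it with the volume cipher, and benchmarks a far higher iteration count; here the wrap is an HMAC-authenticated XOR with a small iteration count so the file runs on the standard library alone. The names `ToyLuksHeader`, `luks_format` and `ascii_keyfile` are made up.

```python
"""Toy model of LUKS1 key slots. Added example for this thread, not cryptsetup code.

Kept from LUKS1: fixed-size master key chosen at format time; per-slot salt;
PBKDF2 from the slot secret; several slots unlocking the same master key.
Simplified (assumption, see lead-in): HMAC-authenticated XOR instead of
AF-split plus cipher wrap, and a small PBKDF2 iteration count."""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MASTER_KEY_BYTES = 32       # fixed by `luksFormat -s 256`, not by the pass phrase length
PBKDF2_ITERATIONS = 50_000  # toy value; cryptsetup derives its count from a benchmark
KEY_SLOTS = 8               # LUKS1 has eight slots

Slot = Tuple[bytes, bytes, bytes]  # (salt, wrapped master key, tag)


def _slot_key(secret: bytes, salt: bytes) -> bytes:
    """Derive the per-slot wrapping key. A 12-character pass phrase, a 4096-byte
    key file and its base64 form all yield exactly MASTER_KEY_BYTES."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, MASTER_KEY_BYTES)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyLuksHeader:
    def __init__(self) -> None:
        self.master_key = os.urandom(MASTER_KEY_BYTES)  # the key that really encrypts sectors
        self.slots: List[Optional[Slot]] = [None] * KEY_SLOTS

    def add_key(self, secret: bytes) -> int:
        """luksAddKey: wrap the *same* master key under a new secret in a free slot."""
        slot = self.slots.index(None)  # ValueError once all eight slots are used
        salt = os.urandom(32)
        k = _slot_key(secret, salt)
        wrapped = _xor(self.master_key, k)
        tag = hmac.new(k, wrapped, "sha256").digest()
        self.slots[slot] = (salt, wrapped, tag)
        return slot

    def open(self, secret: bytes) -> Optional[bytes]:
        """luksOpen: try every occupied slot; the first whose tag verifies under the
        derived key yields the master key. None if no slot matches."""
        for entry in self.slots:
            if entry is None:
                continue
            salt, wrapped, tag = entry
            k = _slot_key(secret, salt)
            if hmac.compare_digest(tag, hmac.new(k, wrapped, "sha256").digest()):
                return _xor(wrapped, k)
        return None

    def kill_slot(self, slot: int) -> None:
        """luksKillSlot: that secret stops working; the master key itself is untouched."""
        self.slots[slot] = None

    def occupied_slots(self) -> List[int]:
        return [i for i, s in enumerate(self.slots) if s is not None]


def luks_format(secret: bytes) -> ToyLuksHeader:
    """luksFormat: new header, fresh random master key, the secret goes into slot 0."""
    header = ToyLuksHeader()
    header.add_key(secret)
    return header


def ascii_keyfile(raw_keyfile: bytes) -> bytes:
    """What `base64 -w 0 key.out` produces: same entropy, longer, no NUL or newline bytes.
    To cryptsetup it is a *different* secret, so it needs its own slot."""
    return base64.b64encode(raw_keyfile)


def demo() -> dict:
    """Format with a binary key file, then migrate to its base64 form without
    reformatting the volume: luksAddKey the new form, luksKillSlot the old one."""
    raw = os.urandom(4096)  # stands in for `dd if=/dev/urandom of=key.out bs=4096 count=1`
    header = luks_format(raw)
    master = header.open(raw)
    new_slot = header.add_key(ascii_keyfile(raw))
    header.kill_slot(0)
    return {
        "master_key_len": len(master) if master else None,
        "raw_still_opens": header.open(raw) is not None,
        "ascii_opens_same_key": header.open(ascii_keyfile(raw)) == master,
        "slots_in_use": header.occupied_slots(),
        "new_slot": new_slot,
    }


if __name__ == "__main__":
    print(demo())
```

The migration in `demo()` is the procedure behind Florian's reply: the volume keeps its master key and its file system, only the slot contents change, so "too late" does not apply. The caveat this model makes visible is that the brute-force cost of a slot is set by the entropy of the secret behind it, not by the 256-bit master key: a weak pass phrase in any slot is the weakest link of the whole volume, which is why a dead slot should be killed rather than left in place.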
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 20:14 ` Neil Bothwick
@ 2012-09-04 20:45 ` Florian Philipp
2012-09-04 21:10 ` Neil Bothwick
0 siblings, 1 reply; 40+ messages in thread
From: Florian Philipp @ 2012-09-04 20:45 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 719 bytes --]
Am 04.09.2012 22:14, schrieb Neil Bothwick:
> On Tue, 04 Sep 2012 20:59:34 +0200, Florian Philipp wrote:
>
>> I just have to make sure to leave nothing private on root, /usr or /etc.
>
> Like your passwd and shadow files?
>
>
*g*, good point. However, I'm willing to take the risk on just these
two: passwd doesn't contain anything of considerable interest. shadow
contains exactly two passwords, both as sha256-sums (or similar, did not
really check). The passwords themselves are in excess of 90 bit entropy,
depending on how you estimate it.
Most of the rest which might be of interest and is usually in /etc can
be symlinked there from a safe location in /var.
Regards,
Florian Philipp
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
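Florian accepts the risk of leaving /etc/shadow on the unencrypted root because the two hashes are "sha256-sums (or similar, did not really check)" and the passwords have over 90 bits of entropy. The check a practitioner would actually run before accepting that is to read the crypt(5) `$id$` prefix and round count of each entry, flag entries that are cheap to attack offline (empty fields, md5crypt, DES, default round counts), and work out what password length reaches the claimed entropy. The following is an added example written for this page, not code from the thread or any project. The shadow lines embedded in it are constructed (fake salts and hash bodies), the names `parse_shadow_line`, `audit` and `entropy_bits` are made up, and reading the real file requires root (it is mode 0640 on a normal system).

```python
"""Audit what an unencrypted /etc/shadow exposes. Added example; sample lines are
constructed, not from a real system."""
import math
import re
from typing import Dict, List

# crypt(5) identifiers; a hash without a $id$ prefix is traditional DES.
CRYPT_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
}
SHA_CRYPT_DEFAULT_ROUNDS = 5000          # glibc default when no rounds= field is present
WEAK_ALGORITHMS = {"md5crypt", "descrypt"}  # fast, GPU-friendly, no cost parameter

SAMPLE_SHADOW = [  # constructed entries
    "root:$6$rounds=656000$C0nstructedSalt$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:15587:0:99999:7:::",
    "florian:$5$C0nstructd$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:15587:0:99999:7:::",
    "legacy:$1$C0nstruc$XXXXXXXXXXXXXXXXXXXXXX:15587:0:99999:7:::",
    "svc:!:15587:0:99999:7:::",
    "guest::15587:0:99999:7:::",
]


def parse_shadow_line(line: str) -> Dict[str, object]:
    """User, account state and hash parameters for one shadow(5) line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow line: %r" % line)
    user, field = fields[0], fields[1]
    info: Dict[str, object] = {"user": user, "algorithm": None, "rounds": None}
    if field == "":
        info["state"] = "empty"          # no password needed at all
        return info
    if field.startswith(("!", "*")):
        info["state"] = "locked"         # no password hash to crack
        return info
    info["state"] = "active"
    m = re.match(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?", field)
    if m is None:
        info["algorithm"] = "descrypt"   # 13-character traditional hash, 8-char limit
        return info
    ident, rounds = m.group(1), m.group(2)
    algo = CRYPT_IDS.get(ident, "unknown(" + ident + ")")
    info["algorithm"] = algo
    if algo in ("sha256crypt", "sha512crypt"):
        info["rounds"] = int(rounds) if rounds else SHA_CRYPT_DEFAULT_ROUNDS
    elif algo == "bcrypt":
        info["rounds"] = 2 ** int(field.split("$")[2])  # $2b$NN$ means 2**NN rounds
    return info


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset size)."""
    return length * math.log2(charset_size)


def length_for_bits(bits: float, charset_size: int) -> int:
    """Shortest random password over the charset that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(charset_size))


def audit(lines: List[str]) -> List[str]:
    """Findings an attacker holding the raw disk would exploit first."""
    findings: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_shadow_line(line)
        user, algo, rounds = e["user"], e["algorithm"], e["rounds"]
        if e["state"] == "empty":
            findings.append("%s: empty password field, login needs no password" % user)
        elif e["state"] != "active":
            continue
        elif algo in WEAK_ALGORITHMS:
            findings.append("%s: %s is fast to crack offline" % (user, algo))
        elif algo in ("sha256crypt", "sha512crypt") and rounds == SHA_CRYPT_DEFAULT_ROUNDS:
            findings.append("%s: %s at the glibc default of %d rounds" % (user, algo, rounds))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW):
        print(finding)
    print("90 bits over printable ASCII needs", length_for_bits(90, 94), "random characters")
```

Run as root against the real file with `audit(open("/etc/shadow").read().splitlines())`. The entropy helpers put a number on the "90 bit" claim: over the 94 printable ASCII characters that is a 14-character uniformly random password, and a sha512crypt entry with a raised `rounds=` value is what keeps an offline attack on such a password expensive once the hash is in the attacker's hands.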
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 20:09 ` Neil Bothwick
@ 2012-09-04 20:51 ` Florian Philipp
0 siblings, 0 replies; 40+ messages in thread
From: Florian Philipp @ 2012-09-04 20:51 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 1074 bytes --]
Am 04.09.2012 22:09, schrieb Neil Bothwick:
> On Tue, 04 Sep 2012 10:53:38 -0500, Dale wrote:
>
>> If you are using hibernate/suspend thingys then that is different.
>> Isn't that when it has to be at least as much swap as you have ram?
>
> Not necessarily because the data is compressed before saving, but you
> can't know how much it is going to compress, so only if your RAM is all
> used up with incompressible data (an unlikely scenario) will you need
> that much.
>
I think the capability of compressing hibernate images is still limited
to sys-kernel/tuxonice-sources.
> Not that hibernating a system with 16GB is ever going to be fast enough
> to be worth bothering with. As Alan has discovered, it can take longer
> than a cold boot.
>
Yes but (at least with tuxonice) you don't need to repopulate your
in-memory disk cache which might again save you time. However, I find it
easier to just suspend. In my experience it is more stable and many
modern laptops can easily survive a week in suspension.
Regards,
Florian Philipp
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 20:45 ` Florian Philipp
@ 2012-09-04 21:10 ` Neil Bothwick
2012-09-04 22:03 ` Samurai
0 siblings, 1 reply; 40+ messages in thread
From: Neil Bothwick @ 2012-09-04 21:10 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 982 bytes --]
On Tue, 04 Sep 2012 22:45:07 +0200, Florian Philipp wrote:
> >> I just have to make sure to leave nothing private on root, /usr
> >> or /etc.
> >
> > Like your passwd and shadow files?
> *g*, good point. However, I'm willing to take the risk on just these
> two: passwd doesn't contain anything of considerable interest. shadow
> contains exactly two passwords, both as sha256-sums (or similar, did not
> really check). The passwords themselves are in excess of 90 bit entropy,
> depending on how you estimate it.
>
> Most of the rest which might be of interest and is usually in /etc can
> be symlinked there from a safe location in /var.
I used to do that, but as the number of sensitive directories grew -
samba, wicd, etc. - I decided it was less hassle to set up an encrypted /
and forget about it.
--
Neil Bothwick
When you go to court you are putting yourself in the hands of 12 people
that were not smart enough to get out of jury duty.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 21:10 ` Neil Bothwick
@ 2012-09-04 22:03 ` Samurai
2012-09-05 16:04 ` Aw: " "Roland Häder"
0 siblings, 1 reply; 40+ messages in thread
From: Samurai @ 2012-09-04 22:03 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 1804 bytes --]
To add my 2¢:
I have 3 working setups, almost all done following this http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS guide, which results in either an unencrypted /boot on the drive or booting from a stick. The resulting layout is the following:
/dev/sda1 /boot
/dev/sda2 dm-crypt container with lvm vg atop of it
In vg is: vg-root vg-swap vg-home
All you need is to build an initramfs and pass it as an argument to a preconfigured kernel (with the needed encryption and hash algorithms built in).
Initram scripts are on github here https://github.com/tokiclover/mkinitramfs-ll
Hope it helps; if not, contact me (the first time I needed to reinstall the system three times before a successful boot, but at that time I was a complete noob in Gentoo).
S
Neil Bothwick <neil@digimed.co.uk> wrote:
>On Tue, 04 Sep 2012 22:45:07 +0200, Florian Philipp wrote:
>
>> >> I just have to make sure to leave nothing private on root, /usr
>> >> or /etc.
>> >
>> > Like your passwd and shadow files?
>
>> *g*, good point. However, I'm willing to take the risk on just these
>> two: passwd doesn't contain anything of considerable interest. shadow
>> contains exactly two passwords, both as sha256-sums (or similar, did
>not
>> really check). The passwords themselves are in excess of 90 bit
>entropy,
>> depending on how you estimate it.
>>
>> Most of the rest which might be of interest and is usually in /etc
>can
>> be symlinked there from a safe location in /var.
>
>I used to do that, but as the number of sensitive directories grew -
>samba, wicd, etc. - I decided it was less hassle to set up an encrypted
>/
>and forget about it.
>
>
>--
>Neil Bothwick
>
>When you go to court you are putting yourself in the hands of 12 people
>that were not smart enough to get out of jury duty.
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
[-- Attachment #2: Type: text/html, Size: 2610 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
* Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-04 22:03 ` Samurai
@ 2012-09-05 16:04 ` "Roland Häder"
2012-09-05 16:12 ` Michael Mol
0 siblings, 1 reply; 40+ messages in thread
From: "Roland Häder" @ 2012-09-05 16:04 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/html, Size: 901 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-05 16:04 ` Aw: " "Roland Häder"
@ 2012-09-05 16:12 ` Michael Mol
2012-09-05 18:18 ` Aw: " "Roland Häder"
0 siblings, 1 reply; 40+ messages in thread
From: Michael Mol @ 2012-09-05 16:12 UTC (permalink / raw
To: gentoo-user
On Wed, Sep 5, 2012 at 12:04 PM, "Roland Häder" <r.haeder@web.de> wrote:
> To add my 2¢:
> All you need is build initram and pass it as a argument to pre configured
> kernel (with needed encryption and hash algorithms built in)
>
> Initram scripts are on github here
> https://github.com/tokiclover/mkinitramfs-ll
> Can I also use dracut? Or won't it set up the initrd? I didn't set up LVM, just
> encryption, on top of it LUKS and then mkfs.ext4 /dev/mapper/envVol
dracut and genkernel will both set up initrd.
--
:wq
^ permalink raw reply [flat|nested] 40+ messages in thread
* Aw: Re: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-05 16:12 ` Michael Mol
@ 2012-09-05 18:18 ` "Roland Häder"
2012-09-05 22:10 ` Florian Philipp
0 siblings, 1 reply; 40+ messages in thread
From: "Roland Häder" @ 2012-09-05 18:18 UTC (permalink / raw
To: gentoo-user
> dracut and genkernel will both set up initrd.
Okay, thank you. :)
Now I hang with this:
-------------------------------------------
>>> Emerging (1 of 203) dev-db/oracle-instantclient-basic-10.2.0.3-r1
* Fetching files in the background. To view fetch progress, run
* `tail -f /var/log/emerge-fetch.log` in another terminal.
-------------------------------------------
How can I disable it? I don't want to have an Oracle client or so. In my /etc/make.conf I already said "-oracle" but it still shows up. Can I somehow find out which package requires it?
^ permalink raw reply [flat|nested] 40+ messages in thread
* Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
2012-09-05 18:18 ` Aw: " "Roland Häder"
@ 2012-09-05 22:10 ` Florian Philipp
2012-09-06 14:20 ` Aw: " "Roland Häder"
0 siblings, 1 reply; 40+ messages in thread
From: Florian Philipp @ 2012-09-05 22:10 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 775 bytes --]
Am 05.09.2012 20:18, schrieb "Roland Häder":
>> dracut and genkernel will both set up initrd.
> Okay, thank you. :)
>
> Now I hang with this:
>
> -------------------------------------------
>>>> Emerging (1 of 203)
>>>> dev-db/oracle-instantclient-basic-10.2.0.3-r1
> * Fetching files in the background. To view fetch progress, run *
> `tail -f /var/log/emerge-fetch.log` in another terminal.
> -------------------------------------------
>
> How can I disable it? I don't want to have an Oracle client or so. In
> my /etc/make.conf I already said "-oracle" but it still shows up. Can
> I somehow find out which package requires it?
>
Try `emerge -pvT $foo`. With whatever package $foo you are trying to
install.
Regards,
Florian Philipp
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 262 bytes --]
^ permalink raw reply [flat|nested] 40+ messages in thread
* Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
From: "Roland Häder" @ 2012-09-06 14:20 UTC (permalink / raw
To: gentoo-user
> Try `emerge -pvT $foo`. With whatever package $foo you are trying to
> install.
That is already solved (I had selected it somehow) by simply deselecting it.
But this is now a little OT. I am now trying to compile x11-libs/libxcb, and dev-python/elementtree is not installed on my system.
> Regards,
> Florian Philipp
Regards,
Roland
* Aw: Re: [gentoo-user] dm-crypt + ext4 = where will the journal go?
From: "Roland Häder" @ 2012-09-06 15:36 UTC (permalink / raw
To: gentoo-user
> That is already solved (I had selected it somehow) by simply deselecting it.
>
> But is now a little OT. I now try to compile x11-libs/libxcb, and dev-python/elementtree is not installed on my system.
There is hope for this matter, see my forum posting:
http://forums.gentoo.org/viewtopic-p-7133700.html#7133700
In short:
USE="*build* foo bar"
That >build< was wrong and has disabled a lot of required Python modules (including _elementtree, gdbm, curses, ...).
Roland