System encryption on Debian Etch

Posted by goeb on Mon 14 Aug 2006 at 06:21

In this article I will describe how to set up a nearly completely encrypted system using Debian Etch and cryptsetup with LUKS. The goal is to encrypt all partitions except /boot. The user should enter a password at boot time or provide a keyfile on a USB device to decrypt the root partition. Keyfiles for additional partitions are stored on the root partition, so the user does not need to enter a password for every partition.

Before we start...

Note that there is already some support for encrypted partitions in Etch, and if you choose to do a new installation you may download a daily build of the Etch CD image and encrypt your partitions during the installation process. Look at PartmanCrypto for some more details. However, partman-crypto is still pre-beta and I had some problems with it, so I decided to do it manually.

Update: On August 11th the Etch beta 3 installer was announced. It contains partman-crypto, so you do not need to use a daily-built image. I did not test the beta 3 installer; maybe it works a bit better than it did some weeks ago.

I will describe the necessary steps of the encryption based on a new minimal installation of Debian Etch, though you may also encrypt a working system.

Important: Before you begin, do yourself a favour and create a backup of your data. Though I tested this guide several times, I cannot guarantee that it works for you and that nothing will happen to your data or your system. Please read this guide to the end, and if you have any questions, ask before you start.

Some more things before we start...

What you will need during the process:

  • a partition big enough to back up the data of the partitions you want to encrypt (it is not possible to encrypt the data in place with LUKS)
  • a live CD that supports cryptsetup (I prefer a Kubuntu live CD; maybe Knoppix will do the job, too)
  • a separate partition for /boot
  • an internet connection
  • some experience with Linux in general; some experience with writing shell scripts could also be useful

During the installation I chose the following partitioning scheme:

/boot    /dev/hda1    (will not be encrypted)
/        /dev/hda5    (will be encrypted)
/home    /dev/hda6    (will be encrypted)
swap     /dev/hda7    (will be encrypted)

All partitions will get an ext3 file system. Of course, you may change this to whatever you want; just keep in mind that you need a separate boot partition and that you need to change some commands in this guide according to your settings. (Note: There is no extra partition for the backups available in my setup. Instead, I let the installer create an ext3 filesystem on /dev/hda7 and use my future swap partition for this task.)

Note: Since I have no experience using LVM or RAID, this guide will only explain how to achieve our goal with a normal partition setup. Also, suspend to disk will not work with this guide (though it should not be too difficult for you to implement if you want to).

Just one more note: I installed a 2.6.16-2-686 kernel using a daily-built installation image from this page; it may work with some older 2.6 kernels, too. But it will definitely not work with a 2.4 kernel!

Now let's begin with the real work!

First, you need to install cryptsetup:

root@test:~# apt-get install cryptsetup

Make sure you can load the modules that are required for the encryption:

root@test:~# modprobe dm_crypt
root@test:~# modprobe sha256
root@test:~# modprobe aes_i586

You should check if everything works as expected. First, there should be a /dev/mapper/control device:

root@test:~# ls -L /dev/mapper/control
/dev/mapper/control

Now check if aes and sha256 are available:

root@test:~# cat /proc/crypto
[...]
name          : sha256
driver        : sha256-generic
module        : sha256
[...]
name          : aes
driver        : aes-i586
module        : aes_i586
[...]

If everything is OK, you are ready to go on.

Preparing the initramfs...

In order to boot your system from an encrypted root partition, you need to create an initial RAM disk (initramfs) that contains all the information, programs and modules needed to decrypt your root partition at boot time. There are two tools to create the initramfs: initramfs-tools (the default tool in Debian) and yaird. I prefer yaird, so you need to install it for this guide:

root@test:~# apt-get install yaird

Now you need to configure yaird; you will find the configuration files in /etc/yaird/. These files are well documented, so take some time to read the comments; maybe your system needs more configuration than explained here. First, edit /etc/yaird/Default.cfg. The default settings should be fine, but you need to include the modules mentioned above in your initramfs, so add the following lines (there are already two MODULE lines, put yours below them):

MODULE    dm_crypt
MODULE    sha256
MODULE    aes-i586

Additionally, if you want to be able to decrypt your system with a keyfile on a USB stick, you need to include the modules that are required to access it. Plug in your USB stick and watch the kernel messages you get (in my case there is a line saying "new full speed USB device using uhci_hcd"), and check with lsmod which additional modules were loaded. You may, for example, need to include the following:

MODULE    uhci_hcd
MODULE    sd_mod
MODULE    usb_storage

Don't forget to add the vfat module if your stick's file system is FAT; you will also need the correct codepages to mount it (mount your stick and use lsmod to find out what you need):

MODULE    vfat
MODULE    nls_cp437
MODULE    nls_iso8859_1

Important: These are only examples that work for me, make sure you include the modules you need on your system if you want to use the key file on USB option!

Now /etc/yaird/Templates.cfg, there's a bit more to do. Let's start with the prologue template. In the first part of this template several files that should be included in the image and directories that should be created are listed. Add the following lines to that part of the configuration:

FILE "/sbin/cryptsetup"
FILE "/sbin/halt"
DIRECTORY "/tmp"
If you need to load a keymap for your keyboard to work properly, add:

FILE "/bin/gunzip"
FILE "/bin/loadkeys"

Now find out which keymap is required on your system. Look in the directory /usr/share/keymaps/[arch]/[layout], select the keymap you need, and include it in the configuration with

FILE "/usr/share/keymaps/[arch]/[layout]/[file]"

Now open the keymap to find out which other files it requires (in Midnight Commander you can simply press F3 to view it). There should be one or more include "[another_keymap]" lines. The files specified can be found in the /usr/share/keymaps/[arch]/include directory with the suffix .inc.gz. You need to include these in your initramfs, too. There may be even more include directives in the included files, so you need to get a bit recursive and include all of these files. I'm using a German keyboard layout; here's what I need to include:

FILE "/usr/share/keymaps/i386/qwertz/de-latin1.kmap.gz"
FILE "/usr/share/keymaps/i386/include/qwertz-layout.inc.gz"
FILE "/usr/share/keymaps/i386/include/linux-with-alt-and-altgr.inc.gz"
FILE "/usr/share/keymaps/i386/include/linux-keys-bare.inc.gz"

After that part of the template the first part of the init script is defined. This script is responsible for decrypting and mounting our root. First, look for the part that parses the kernel options. With our modifications it should look like this (the lines you need to insert are marked with "**", do not add that "**" to the configuration file!):

	!ro=-r
	!ip=
	!nfsroot=
	!noresume=
	!resume=
	!resume2=
	!init=/sbin/init
    **	!keyfile=root.key
    **	!waitusb=0
	!for i in $(cat /proc/cmdline)
	!do
	!	case "$i" in
	!	init=*)
	!		init=${i#init=}
	!		;;
	!	ro)
	!		ro=-r
	!		;;
	!	rw)
	!		ro=
	!		;;
	!	ip=*|nfsaddrs=*)
	!		ip="$ip $i"
	!		;;
	!	nfsroot=*)
	!		nfsroot="$i"
	!		;;
	!	noresume)
	!		noresume=1
	!		;;
	!	resume=*)
	!		resume=${i#resume=}
	!		;;
	!	resume2=*)
	!		resume2=${i#resume2=}
	!		;;
	!	ydebug)
	!		INIT_DEBUG=yes
    **	!		;;
    **	!	key=*)
    **	!		keyfile=${i#key=}
    **	!		;;
    **	!	waitusb=*)
    **	!		waitusb=${i#waitusb=}
    **	!		;;
	!	esac
	!done
The few added lines are responsible for reading the parameters key and waitusb from the kernel command line, both will be explained later on.

Now scroll down. Notice that there are two cryptsetup templates. yaird automatically detects if your root partition is encrypted and includes the appropriate template in your init script. However, currently we do not have an encrypted root, so yaird will only include the mount template. If you create a new initramfs later while your root is encrypted, yaird will include the cryptsetup_luks template, too. Since we do not need this with the modifications below, change the cryptsetup_luks template to:

TEMPLATE cryptsetup_luks
BEGIN
END TEMPLATE

Now scroll further down and replace the mount template with the following to decrypt and mount your root:

TEMPLATE mount
BEGIN
  SCRIPT "/init"
  BEGIN
    !ROOTDEV=/dev/hda5
    !/bin/loadkeys de-latin1.kmap.gz
    !if ( /sbin/cryptsetup isLuks $ROOTDEV 2>/dev/null ); then
    !  NOTOPEN=1
    !  echo "waiting $waitusb seconds for usb..."
    !  /bin/sleep $waitusb
    !  for DEV in a b c d; do
    !    if [ "$NOTOPEN" != "0" ]; then
    !      if [ -f /sys/block/sd${DEV}/sd${DEV}1/dev ]; then
    !        mkbdev /dev/sd${DEV} sd${DEV}
    !        mkbdev /dev/sd${DEV}1 sd${DEV}/sd${DEV}1
    !        mount -n /dev/sd${DEV}1 /tmp
    !        if [ -f /tmp/$keyfile ]; then
    !          /sbin/cryptsetup --key-file /tmp/$keyfile luksOpen $ROOTDEV root
    !          NOTOPEN=$?
    !        fi
    !        umount /tmp
    !      fi
    !    fi
    !  done
    !  if [ "$NOTOPEN" != "0" ]; then
    !    /sbin/cryptsetup luksOpen $ROOTDEV root
    !    NOTOPEN=$?
    !  fi
    !  if [ "$NOTOPEN" != "0" ]; then
    !    echo "FATAL: could not open root, shutting down..."
    !    /bin/sleep 5
    !    /sbin/halt -n -d -f -p
    !  else
    !    /bin/mount -n $ro -t ext3 -o 'errors=remount-ro' /dev/mapper/root /mnt
    !  fi
    !else
    !  /bin/mount -n $ro -t ext3 -o 'errors=remount-ro' $ROOTDEV /mnt
    !fi
  END SCRIPT
END TEMPLATE
Note: leave out the loadkeys line if you do not need to load another keymap, if you need to, insert your keymap's name. Also, replace /dev/hda5 with your root partition.

The code we just inserted does the following: check if root is encrypted; if not, just mount it and go on to the next part. If it is encrypted, wait as many seconds as given by the waitusb kernel parameter and then check if a USB device is present as sda, sdb, sdc or sdd (we do this since there may be more than one USB device attached and the correct device may not be known at boot time).

Important: This assumes that your USB devices can be accessed as /dev/sda, /dev/sdb etc. If this is not the case, you need to change the code.

If a USB device is available, mount its first partition on /tmp and check if the keyfile (root.key or the name given by the key kernel parameter) exists on that drive. If yes, try to decrypt root with that key. If not, or if it was not the correct keyfile, go on with the next device until the last one (sdd) has been checked.

If the partition was successfully decrypted, there is nothing more to do than mounting it. If not, give the user the chance to provide a password. cryptsetup will ask up to three times for the password; if the user does not enter a valid one, shut down.

Note: If you want to test your script you may add a /bin/dash line wherever you want, you will then get a shell at boot time, though some common commands like ls are not available (if you need some more commands you can include them with the FILE option, see above).

That's it, now create the initramfs in /boot:

root@test:~# yaird -o /boot/yaird.initramfs

Note: If you want to check the contents of the initramfs before you reboot, you can do so by executing

root@test:~# yaird -f directory -o ~/yaird

This will create a directory yaird in your home that contains all files that will be included in the initramfs. If you want to change something in this directory and want to build an initramfs with the modified contents of that folder, do the following:

root@test:~# cd ~/yaird
root@test:~# find . | cpio --quiet -o -H newc | gzip -9 > /boot/yaird.initramfs

Now you need to create a new entry in Grub's configuration to boot the system using your initramfs. Add an entry like this to your /boot/grub/menu.lst:

title        Debian GNU/Linux, kernel 2.6.16-2-686 ENCRYPTED
root         (hd0,0)
kernel       /vmlinuz-2.6.16-2-686 root=/dev/hda5 ro
initrd       /yaird.initramfs
savedefault
boot
Of course, change the settings according to your system.

Now it's time to do a little test, just reboot your system. As mentioned above, the init script will notice that your root is not encrypted and simply mount it. It's just a little test to see that there are no errors in the init script, though the important part will actually be skipped. (Change the test for the encryption to something like "if [ 1 ]; then" if you want to test it before you continue, this may be useful to see if your USB stick can be mounted.)

Now change the / entry in your /etc/fstab to:

/dev/mapper/root    /    ext3    defaults,errors=remount-ro    0    1

and create an entry in your /etc/crypttab:

root    /dev/hda5    none    luks

The encryption of /...

Now you are ready to encrypt your partition. Boot your Kubuntu Live CD and open a terminal. First, copy all data on your root partition (in my case hda5) to your backup partition (in my case hda7):

ubuntu@ubuntu:~# sudo mkdir /mnt/hda5 /mnt/hda7
ubuntu@ubuntu:~# sudo mount /dev/hda5 /mnt/hda5
ubuntu@ubuntu:~# sudo mount /dev/hda7 /mnt/hda7
ubuntu@ubuntu:~# cd /mnt/hda5
ubuntu@ubuntu:/mnt/hda5# sudo cp -ax . /mnt/hda7
ubuntu@ubuntu:/mnt/hda5# cd
ubuntu@ubuntu:~# sudo umount /dev/hda5

Since cryptsetup is not included, you need to install it (with the new Kubuntu Desktop CD you first need to enable the universe repository in /etc/apt/sources.list and update your package list):

ubuntu@ubuntu:~# sudo apt-get install cryptsetup

Load the modules:

ubuntu@ubuntu:~# sudo modprobe dm_crypt
ubuntu@ubuntu:~# sudo modprobe sha256
ubuntu@ubuntu:~# sudo modprobe aes_i586

If you want to be on the safe side, you can overwrite your root with random data before creating the encrypted partition. Note that this may take a long time, depending on the size of your partition:

ubuntu@ubuntu:~# sudo dd if=/dev/urandom of=/dev/hda5

Now all you need to do is format your partition using LUKS, create a new filesystem and copy back your data:

ubuntu@ubuntu:~# sudo cryptsetup -c aes-cbc-essiv:sha256 -y luksFormat /dev/hda5
ubuntu@ubuntu:~# sudo cryptsetup luksOpen /dev/hda5 root
ubuntu@ubuntu:~# sudo mke2fs -j /dev/mapper/root
ubuntu@ubuntu:~# sudo mount /dev/mapper/root /mnt/hda5
ubuntu@ubuntu:~# cd /mnt/hda7
ubuntu@ubuntu:/mnt/hda7# sudo cp -ax . /mnt/hda5

Now you should reboot and hope that everything works as expected. cryptsetup should ask you for the password you entered in the previous step to decrypt your root partition at boot time and then continue the boot process like before the encryption.

Get rid of that password query...

If you want to use the USB key file method, you may now create the key file and add it to the key store. I use the following commands to create a nice key file:

root@test:~# apt-get install sharutils
root@test:~# head -c 2880 /dev/urandom | uuencode -m - | head -n 65 | tail -n 64 > ~/root.key
root@test:~# cryptsetup luksAddKey /dev/hda5 ~/root.key
Now copy root.key to your USB stick. I do not need to say that you should never give away this key file, since any person with a copy of it can decrypt your data. However, if you should lose it, make sure to remove the key file from your key store; see man cryptsetup for this and some more options.

Now reboot with your USB stick plugged in. In Grub's boot menu press E and add the following to the kernel line:

waitusb=3
Press Enter and then B. Your system should now boot and wait 3 seconds before the script checks for the presence of USB devices. If your system needs more time for the USB device to become available, use a higher value for waitusb. You may also try a value of 2 or even 1; maybe it will work for you, but on my test systems 3 is the minimum. If waitusb is set to a high enough value, your system should boot with the USB stick plugged in without asking you for the password. You should now add the waitusb parameter to your /boot/grub/menu.lst file. If you do not have the key file with you, you will still be able to boot by providing a correct password.

Note: If you want to rename your key file you may provide the parameter key=[filename] at boot time or change the init script accordingly.

Some more partitions to encrypt...

Now all we need to do to finish the process is to encrypt the remaining partitions, in my case /home and swap. You may be able to do this from within your running system, but in general it is recommended that you boot your live disk again. Before you do this, do not forget to modify your /etc/fstab and /etc/crypttab files accordingly, e.g. fstab:

/dev/mapper/home    /home    ext3    defaults    0    2
/dev/mapper/swap    none     swap    sw          0    0

and crypttab:

home    /dev/hda6    none    luks
swap    /dev/hda7    none    luks

I did not include the swap option (luks,swap) since I could not get it to work with that, and it is not required to use the swap partition.

The encryption process is the same as for your root partition, just repeat the steps you did before for all of your remaining partitions (of course, except /boot).

After all your partitions are encrypted, boot your system. You will need to enter the password for each encrypted partition. To avoid this, create key files for every partition as described above, create a /etc/cryptkeys directory, put the files in there and chmod them to 600 so only root can read them. Add the key files to your partitions' key slots and change the key file field in your /etc/crypttab:

home    /dev/hda6    /etc/cryptkeys/home.key    luks
swap    /dev/hda7    /etc/cryptkeys/swap.key    luks
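As an added example (not code from the article), here is a POSIX shell script that audits the crypttab/fstab pairing this section ends with: every entry must carry luks or swap, a key file must exist and be mode 600 as required above, a /dev/random key only makes sense together with the swap option, and every mapped device needs an fstab line. The function names, the temporary directory and the sample entries it writes are assumptions constructed for the demonstration, not a real system.

```shell
#!/bin/sh
# Added example, not part of the article: audit /etc/crypttab against
# /etc/fstab. For each crypttab entry it checks that
#   - the options field contains luks or swap,
#   - a key file (any third field other than none, /dev/random or
#     /dev/urandom) exists and is mode 0600, as the guide requires for
#     /etc/cryptkeys,
#   - /dev/random is only used together with the swap option, since a
#     LUKS volume keyed from /dev/random is unreadable after a reboot,
#   - /dev/mapper/<name> is referenced somewhere in fstab.
# Findings are printed; the return value is the number of findings.

check_crypttab() {
    crypttab=$1
    fstab=$2
    findings=0
    while read -r name device keyfile options; do
        # skip blank lines and comments
        case "$name" in ''|'#'*) continue ;; esac
        case ",$options," in
            *,luks,*|*,swap,*) ;;
            *)  echo "$name: options '$options' contain neither luks nor swap"
                findings=$((findings + 1)) ;;
        esac
        case "$keyfile" in
            none)
                echo "$name: no key file, a passphrase will be asked for at boot" ;;
            /dev/random|/dev/urandom)
                case ",$options," in
                    *,swap,*) ;;
                    *)  echo "$name: random key on a non-swap volume, data is lost on reboot"
                        findings=$((findings + 1)) ;;
                esac ;;
            *)
                if [ ! -f "$keyfile" ]; then
                    echo "$name: key file $keyfile does not exist"
                    findings=$((findings + 1))
                else
                    # ls -ld instead of stat, so this also works in a busybox initramfs
                    mode=$(ls -ld "$keyfile" | cut -c2-10)
                    if [ "$mode" != "rw-------" ]; then
                        echo "$name: key file $keyfile has mode $mode, run chmod 600 on it"
                        findings=$((findings + 1))
                    fi
                fi ;;
        esac
        if ! grep -q "^/dev/mapper/$name[[:space:]]" "$fstab"; then
            echo "$name: /dev/mapper/$name is not listed in $fstab"
            findings=$((findings + 1))
        fi
    done < "$crypttab"
    return "$findings"
}

# Constructed sample configuration (hypothetical, not a real system): the
# article's partition layout plus a too-open key file, a LUKS volume keyed
# from /dev/random, and an entry with a missing key and no fstab line.
build_sample_config() {
    dir=$1
    mkdir -p "$dir/cryptkeys"
    printf 'constructed-sample-key\n' > "$dir/cryptkeys/home.key"
    chmod 600 "$dir/cryptkeys/home.key"
    printf 'constructed-sample-key\n' > "$dir/cryptkeys/swap.key"
    chmod 644 "$dir/cryptkeys/swap.key"     # deliberately too permissive
    cat > "$dir/crypttab" <<EOF
# constructed crypttab
root    /dev/hda5    none                      luks
home    /dev/hda6    $dir/cryptkeys/home.key   luks
swap    /dev/hda7    $dir/cryptkeys/swap.key   luks
tmp     /dev/hda8    /dev/random               luks
data    /dev/hda9    $dir/cryptkeys/data.key   luks
EOF
    cat > "$dir/fstab" <<EOF
/dev/hda1           /boot    ext3    defaults                      0    2
/dev/mapper/root    /        ext3    defaults,errors=remount-ro    0    1
/dev/mapper/home    /home    ext3    defaults                      0    2
/dev/mapper/swap    none     swap    sw                            0    0
/dev/mapper/tmp     /tmp     ext3    defaults                      0    2
EOF
}

sampledir=$(mktemp -d)
build_sample_config "$sampledir"
if check_crypttab "$sampledir/crypttab" "$sampledir/fstab"; then
    echo "crypttab and fstab look consistent"
else
    echo "findings: $?"
fi
rm -rf "$sampledir"
```

Run it as root against the real files with `check_crypttab /etc/crypttab /etc/fstab` once the key files are in place; a return value of 0 means every key file is present, root-only readable and every mapped device has its fstab line.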

That's it...

Now reboot again and enjoy your encrypted system.
Posted by wuzzeb (70.225.xx.xx) on Mon 14 Aug 2006 at 22:38
For swap partition, you are better off doing something like the following in /etc/crypttab
swap /dev/sda2 /dev/random swap

and then in /etc/fstab

/dev/mapper/swap none swap sw 0 0

This will use a random key for swap, which will be different every time you boot. This way, your swap space is just like real memory... once the system shuts down, the random key used for the swap partition is long gone, and no one (not even you) can recover any data. Because the key is completely random, a brute force of the key would also be infeasible.


Also, if you are interested in using LVM, after running cryptsetup

# sudo cryptsetup luksOpen /dev/hda5 root
# pvcreate /dev/mapper/root
# vgcreate vgroot /dev/mapper/root
# lvcreate -s 10G -n root vgroot
# mkfs.ext3 /dev/mapper/vgroot-root
# mount /dev/mapper/vgroot-root ...
# lvcreate -s 30G -n home vgroot
# mkfs.ext3 /dev/mapper/vgroot-home

Notice that the initramfs-tools version in unstable has support for crypt and LVM (and LVM over crypt) (actually, the cryptsetup package has the support files), and should automatically detect all your settings (if /etc/crypttab and /etc/fstab are set up correctly)


Posted by goeb (84.184.xx.xx) on Mon 14 Aug 2006 at 23:46
There are some reasons I did not use /dev/random as key for the swap partition, the main reason is that with a static key you may be able to use suspend to disk, which will obviously not work with a random key. I have not tested it but it should be possible (and maybe not even too difficult to implement). And as mentioned in the article using the swap option caused an error on two test systems (one was VMware, the other one my Laptop) and no swap partition at all was available. This could be an error in combination with the luks option, in fact, I used the /dev/random as key on an encrypted Sarge system and it worked (there's no luks in Sarge available).

Regarding LVM: I currently do not need it, but looking at what you wrote it seems to be easy to setup.

initramfs-tools should support encryption not only in unstable, also in testing, since partman-crypto is an official part of the Etch Beta 3 installer and allows you to encrypt your partitions during the installation. This should also work with LVM. yaird should support encrypted LVMs, too. But both require encrypted partitions/LVM before the initramfs is created. And with yaird it is not sufficient to create the entries in fstab and crypttab, the mapper devices actually must exist for yaird to configure it.

And, of course, isn't it much more fun to do this manually :-)


Posted by wuzzeb (70.225.xx.xx) on Tue 15 Aug 2006 at 02:21
I am currently using everything in my message... posting from a computer with everything except /boot encrypted.

The swap partition is set up with a random key. I am pretty sure the luks and swap options probably don't work together, but the swap by itself works fine.

As for initramfs-tools, to autoconfigure it also needs the partitions to be mounted. On the other hand, you can pass all the options on the kernel command line in grub.

root=/dev/mapper/zeuslvm-root
cryptops="target=cryptroot,source=/dev/sda4,lvm=zeuslvm-root "

then this is used instead of whatever the mkinitramfs script found, so could be used the first time you boot before mkinitramfs can run correctly.

The lvm option tells the initramfs script to test the partition created by the cryptmap for lvm, and if so configure it... the root= option then uses the lvm partition found. If you didn't have lvm, you could just use something like (I haven't tested this, but it should work)

root=/dev/mapper/cryptroot
cryptops="target=cryptroot,source=/dev/sda4"

As for the installer, what I did was create a 2G swap partition, and install debian (basic) into the swap partition. I then created the crypt partition and set up lvm and everything, and then used debootstrap to install. After it was installed and booting, I turned the swap partition back into a swap partition.


Posted by Anonymous (216.58.xx.xx) on Sat 26 Aug 2006 at 03:20
I'm trying to just encrypt my swap space. I was wondering if you might tell me the commands you used to format your swap space. Are they different from the commands used in the article because you're setting up your swap space so that it uses a random password each time rather than a pre-defined password? Thanks.


Posted by wuzzeb (72.1.xx.xx) on Sat 26 Aug 2006 at 05:50
Putting

swap /dev/sda2 /dev/random swap

into /etc/crypttab is enough. This is because the last field on that line is "swap", which tells the /etc/init.d/cryptdisks script (Really the /lib/cryptsetup/init_functions script) to format and set up the partition for use as swap space. It will do that every time it starts, so after cryptdisks is run the partition is always ready for use as swap space.

John


Posted by Anonymous (86.56.xx.xx) on Wed 28 Mar 2007 at 13:57
And of course you'll have to change the fstab entry to something like

/dev/mapper/swap none swap sw 0 0


Posted by Anonymous (82.51.xx.xx) on Sat 26 Aug 2006 at 13:18
What about the performance?
I will buy a new laptop and I'm interested in using this fs, but I'm worried about the performance issue.
I will use the laptop (intel duo, 1Gb ram) especially for system administration work.


Posted by goeb (84.184.xx.xx) on Wed 30 Aug 2006 at 14:24
I'm currently using it on a 2.4GHz Pentium 4 laptop, and I think all modern systems should be fast enough so you won't see a huge impact on performance. And if you use your laptop for system administration work I assume you should be fine with an encrypted setup.
Of course, every data that is read from or written to disk will need some processor time, which may be an issue if you plan to do something like audio/video-encoding or such things. But I have not made any benchmarks, maybe someone reading this can suggest some simple benchmark commands, I'm currently installing a new desktop system which is not yet encrypted, so I can do some before/after tests.

I don't know if it's a good test, but maybe it helps:

goeb@mobile:~$ time dd if=/dev/zero of=zeros bs=1024k count=1024

real    1m44.114s
user    0m0.038s
sys     0m12.278s


(This was done on a 5400rpm disk, dma enabled. My 2.4GHz CPU (it's no mobile, just a normal desktop Pentium 4) ran most of the test time with 0.9 GHz, some spikes at 2.4GHz (using the ondemand governor it's at 0.3 GHz with no load).)

Maybe this helps, too:

mobile:~# hdparm -tT /dev/hda

/dev/hda:
 Timing cached reads:    544 MB in  2.00 seconds = 271.60 MB/sec
 Timing buffered disk reads:    54 MB in 3.02 seconds =  17.86 MB/sec


So if anyone can tell me if these benchmarks are good enough for a conclusion I will run them on my desktop system to provide some before/after figures.

Well, if you are buying a new laptop you can just try it; if it doesn't work for you it's a simple task to do a reinstall or back up your data, run mke2fs or whatever to "unencrypt" the partitions and copy your data back (basically; there are some more things to do depending on your setup, kernel etc.).


Posted by mjh (169.200.xx.xx) on Mon 11 Dec 2006 at 21:53
maybe someone reading this can suggest some simple benchmark commands, I'm currently installing a new desktop system which is not yet encrypted, so I can do some before/after tests.
I did some tests of performance using bonnie++ (apt-get install bonnie++). Here's what I got on the same LV both with and without luks encryption:
Version  1.03      ------Sequential Output------ --Sequential Input- --Random-
                    -Per Chr- --Block-- -Rewrite- -Per Chr- --Block-- --Seeks--
Machine        Size K/sec %CP K/sec %CP K/sec %CP K/sec %CP K/sec %CP  /sec %CP
crypt devA       1G 10944  49 18673  12  9732   7 11181  62 18105   9 274.5   0
clear devA       1G 19369  92 56520  48 22559   5 19162  79 51171   3 287.4   0
                    ------Sequential Create------ --------Random Create--------
                    -Create-- --Read--- -Delete-- -Create-- --Read--- -Delete--
files:max:min        /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP  /sec %CP
crypt devA       16 30243  98 +++++ +++ +++++ +++ 30313  97 +++++ +++ +++++ +++
clear devA       16 29820  99 +++++ +++ +++++ +++ 30051  96 +++++ +++ 29238  87
It's a pretty big difference. Character reads/writes are about 2x faster when unencrypted. Block reads/writes are about 3x faster when unencrypted. Seeks and creates are roughly the same. 50% and 66% performance hits are nothing to sneeze at.

These tests were done on a pair of EIDE 100 drives, in a RAID1 mirror setup, with LVM and ext3 filesystem. Setup:

# lvcreate -n test --size 4G vg0
For Encryption test:
# cryptsetup luksFormat /dev/mapper/vg0-test
# cryptsetup luksOpen /dev/mapper/vg0-test test
# mkfs.ext3 /dev/mapper/test
# mount /dev/mapper/test /mnt
# cd /mnt
# chmod 777 .
# bonnie++ -u nobody
For Clear test:
# mkfs.ext3 /dev/mapper/vg0-test
# mount /dev/mapper/vg0-test /mnt
# cd /mnt
# chmod 777 .
# bonnie++ -u nobody


Posted by Anonymous (24.203.xx.xx) on Fri 19 Jan 2007 at 18:14
Has anyone seen a howto on how to add an ssh server to the boot process so the key could be remotely entered?
(A couple of friends did this a while back with a custom init replacement but ...)

This is very useful when you have a computer in a rack at your ISP but you still want this computer to be secure. Or when you laptop's screen dies ;-)


Posted by Anonymous (88.77.xx.xx) on Mon 9 Apr 2007 at 16:31
How can a crypted file-container be mounted automatically on login as $HOME ??? This also must work with ssh. THANKS!


Posted by Anonymous (62.94.xx.xx) on Mon 9 Apr 2007 at 16:49
consider the pam_mount module for PAM authentification...
(apt-get install libpam-mount) it allows you to mount (encrypted) filesystems automatically at user-login...


Posted by Anonymous (204.10.xx.xx) on Tue 17 Apr 2007 at 18:47
Can anyone modify some of this for initramfs? Debian etch works well but is missing the usb stuff which I would like. I've found the file and the place in the file on where to edit, but my scripting is lacking.


Posted by Anonymous (88.76.xx.xx) on Fri 20 Apr 2007 at 13:42
Well, I think it should be possible, but I can not find anything... how can one change the password of an encrypted device?

Otherwise a really neat Tutorial, thanks and please keep up the good work!


Posted by goeb (217.81.xx.xx) on Fri 20 Apr 2007 at 14:33
You need to create a new key first:
cryptsetup luksAddKey <device>
and then remove the old key:
cryptsetup luksDelKey <device> <key slot number>


Posted by Anonymous (62.163.xx.xx) on Sat 28 Apr 2007 at 16:50

A faster way to pre-fill your partition with random bits (which is only to hide the information of which sectors are encrypted and which are not; but it is generally advised to do so if you are serious about the encryption) is to create a temporary random key and then fill the resulting device with zeroes.

Also, passing a larger block size to dd helps a LOT :p

For example,

dd if=/dev/urandom of=/dev/hde10
gives me a speed of 1.5 MB/s (and 100% cpu usage).

While

head -c 64 /dev/urandom | cryptsetup create encrypted /dev/hde10
dd bs=4096 if=/dev/zero of=/dev/mapper/encrypted
writes with 20 MB/s.

Another tip, if your dd is running for a long time and you want to know what it is doing - send it a SIGUSR1 from another terminal and it will print how much it has written so far and at what speed.

Carlo Wood


Posted by Anonymous (88.134.xx.xx) on Wed 16 May 2007 at 15:42
Hello!

I tried your guide and it worked fine until I booted the new entry in the grub menu.

I got this error:
[1.450597]kernel panic - not syncing: no init found. try passing init= option to kernel.

Can you help me and tell me what I made wrong?


Posted by Anonymous (217.81.xx.xx) on Wed 16 May 2007 at 19:31
Maybe (or, most likely) your root filesystem can not be decrypted and/or mounted. Hard to say what went wrong without some more information, especially any cryptsetup messages would be useful.


Posted by Anonymous (88.134.xx.xx) on Wed 16 May 2007 at 21:56
Well,

first the system is not encrypted yet. I made the yaird.initramfs and the config in the grub menu.lst.

Both without errors.

Then I wanted to test it and tried to boot this, but I got that error.

Some more information about my system:
The harddrive is a sata drive and resides under /dev/sda
The partitions are:
/boot sda1
/ sda3
swap sda2

My usbstick is sdb

The grub menu.lst looks like this:

...
title crypto
root (hd0,0)
kernel /vmlinuz-2.6.20-15-server root=/dev/sda3 ro
initrd /yaird.initramfs
boot
...

And in the etc/yaird/Templates.cfg I entered as my harddrive /dev/sda3:
TEMPLATE mount
BEGIN
SCRIPT "/init"
BEGIN
!ROOTDEV=/dev/sda3
...


Do you have an idea why I get this error?

[ Parent | Reply to this comment ]

Posted by goeb (217.81.xx.xx) on Thu 17 May 2007 at 12:15
[ Send Message | View Weblogs ]

OK, there are some things to check:

  • The file system. The script in the article uses ext3, you need to change the mount command if you use another one.
  • The kernel. Check that all modules you need are available or included in the kernel.

And, quoting myself:

Note: If you want to test your script you may add a /bin/dash line wherever you want, you will then get a shell at boot time, though some common commands like ls are not available (if you need some more commands you can include them with the FILE option, see above).

I suggest you add /bin/dash in the mount template right before the mount command itself and try to mount your root partition by hand, maybe you get some useful information.

Also note that this guide was written several months ago, maybe something has changed since then, but I will reinstall my notebook within the next weeks and take a look at this.

I can't think of anything else that could cause the problems right now, but I'll keep it in mind.

PS: If it doesn't work for you, you may let the installer encrypt your partitions, only the USB key file feature will not be available then.

[ Parent | Reply to this comment ]

Posted by Anonymous (88.134.xx.xx) on Fri 18 May 2007 at 18:44
Well,

I checked the filesystem and it is ext3.
Now the kernel modules. I put a lot of modules from which I thought I could need them in the /etc/yaird/Default.cfg

But it still does not work. Is there a way I can determine which modules I will need?

And is it possible that it does not work because of my SATA drive? You used a PATA, right?

In addition, I added some echo lines at different positions in the script to see where an error occurs, but none of my lines was printed. So I believe that the error occurs before the /init script is processed.

And another question:
If I do not enter a quiet option in the menu.lst file from grub I get a lot of messages, but after I get the kernel panic, I can't scroll up to see all the messages. Is there a possibility to read the messages by doing a break or slowing the output?

Do you have an idea what could be wrong there?

[ Parent | Reply to this comment ]

Posted by Anonymous (88.134.xx.xx) on Mon 21 May 2007 at 15:42
Hi,

I found the error. It was really, really stupid :-)

I copied the /etc/yaird/Templates.cfg to my USB Stick to insert the long code snippets on my other computer (a Windows machine). On my linux there is no GUI and no browser.

And when I opened the file and saved it on Windows again to the USB stick, WordPad inserted some /r/n as newline.

On Linux, these newline chars panicked the kernel....
With my file editor (I use "ne") I did not see these chars. A friend tried to help me and opened the file in the Midnight Commander and there were these /r/n chars...

We used dos2unix to clean the file and voila... it worked.

So, now I can go on with your guide. And thx for your help.

I'm very happy, that it works now.

[ Parent | Reply to this comment ]
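The CRLF problem described in this post can be caught before the initramfs is built. The following is an added example, not part of the article or of this thread: it checks a script for carriage returns (a CR after `#!/bin/sh` makes the kernel look for an interpreter named `/bin/sh<CR>`, one way to end up with "no init found") and strips them the way dos2unix does. The sample file it builds is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the article): detect and remove DOS line endings
# in a script destined for the initramfs, e.g. one assembled from
# /etc/yaird/Templates.cfg after a round trip through a Windows editor.

# has_cr FILE: succeeds (exit 0) when FILE contains at least one carriage return.
has_cr() {
    [ "$(tr -dc '\r' < "$1" | wc -c | tr -d ' ')" -gt 0 ]
}

# shebang_has_cr FILE: succeeds when the interpreter line ends in CR, the
# case that prevents the kernel from exec'ing the script at all.
shebang_has_cr() {
    head -n 1 "$1" | grep -q "$(printf '\r')\$"
}

# strip_cr FILE: rewrite FILE in place without carriage returns (what dos2unix does).
strip_cr() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" && mv "$tmp" "$1"
}

# check_init FILE: print a verdict; returns 0 only when the file is clean.
check_init() {
    if shebang_has_cr "$1"; then
        echo "$1: interpreter line ends in CR, the kernel cannot exec it" >&2
        return 1
    fi
    if has_cr "$1"; then
        echo "$1: contains CR characters, run strip_cr (or dos2unix) first" >&2
        return 1
    fi
    echo "$1: line endings OK"
}

# make_dos_sample FILE: constructed sample, a tiny init-style script as saved
# by a Windows editor with CRLF line endings.
make_dos_sample() {
    printf '#!/bin/sh\r\necho "init: mounting root"\r\nexit 0\r\n' > "$1"
}
```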

Posted by goeb (217.81.xx.xx) on Fri 25 May 2007 at 15:31
[ Send Message | View Weblogs ]
I would have never thought of that :-) Anyway, watch out for the USB detection code, since you have SATA discs you may change the code
! for dev in a b c d; do
in something like
! for dev in b c d e; do
depending on the number of discs (it will still work without any changes if your USB stick is sd[bcd] at boot time, just a note).

[ Parent | Reply to this comment ]

Posted by Anonymous (62.206.xx.xx) on Wed 8 Aug 2007 at 23:40
Hello,

I tried to avoid typing my passphrase more than once by your suggestions with a keyfile above.
I have three encrypted partitions on my lenny system: root, swap and custom. Having created key-files for swap and custom, I added the keys to a slot of the according device and edited the /etc/crypttab.
After that I rebooted my computer and it asked for the passphrase of root as expected. Unfortunately another question for the swap passphrase appears after that, while later on the custom partition is mounted automatically using the slot with the keyfile.

Is there a special trick to get the keyfile working for swap? I used the Debian-Netinst-CD to create the encrypted devices so maybe there was something added that forces me to use the manual passphrase? Only to mention it: swap is a real partition, root and custom are encrypted partitions on top of lvm-partitions.
I already tried changing swap to a /dev/random keyfile with the same result, a question at boot time. Additionally I tried some permutations of crypttab options with "swap", "luks" or "luks,swap" with no other result.

It would be nice if someone could give me a clue what might have gone wrong. Please ask for additional information if I was too stupid to provide everything necessary. This is my first try with encrypted volumes. ;)

thanks, worb

[ Parent | Reply to this comment ]

Posted by Anonymous (71.201.xx.xx) on Thu 16 Aug 2007 at 19:09
Excellent tutorial! Thank you.

This is my first time attempting HDD encryption and I'm a Linux noob. Using Etch with KDE. Here's what I did.

1. Encrypted /root according to instructions... NO PROBLEM.
2. Continued tutorial and encrypted /home and /swap... NO PROBLEM.
3. Followed exact same instructions to encrypt /usr /var /tmp... PROBLEM!!!

On boot... After I enter the /root LUKS passphrase... then enter the /home LUKS passphrase... then swap mounts and I get to the /usr LUKS passphrase, I get the following error:

udevd-event[1349]: run_program: exec of program '/usr/lib/hal/hal-unmount.sh' failed

Then it goes on to ask for passphrases for /var and /tmp and does go through to the KDE login screen. I enter the user password and it recycles right back to the login screen. And it will just keep looping back. I've entered the user password 9 times and it just keeps coming back to the login screen.

Also got "Superblock last mount time is in the future: FIXED!" It did this every time for /usr /var /tmp... on every boot. But I changed partition name sequence in /etc/crypttab to be in same order partition numbers go (it was /root /home /swap /usr /var /tmp and I made it /root /usr /var /tmp /swap /home) and that eliminated the error. Hope that helps someone.

Anyone have any idea how to get my error from #3 above, resolved? I'd really appreciate the help. Thank you.

[ Parent | Reply to this comment ]

Posted by Anonymous (84.57.xx.xx) on Sun 2 Sep 2007 at 12:58
hello,
i'm using debian etch stable. now i'd like to upgrade from 2.6.18-4-686 to kernel 2.6.18-5-686. so i have to make a new initramfs with yaird. my problem is that yaird always puts the old 2.6.18-4-686 modules in the initramfs, and i cannot boot the new kernel and try to run yaird with the new kernel running due to the encryption.

adding the kernel version to the yaird command

yaird -o /boot/yaird.initramfs-2.6.18-5-686 2.6.18-5-686

also puts the 2.6.18-4-686 modules in the initramfs.

thanks for help.

[ Parent | Reply to this comment ]

Posted by Anonymous (85.207.xx.xx) on Sun 23 Sep 2007 at 14:06
I've created howto document explaining what steps you need to take to have this done via initramfs-tools (which is the default mkinitrd frontend on Debian).

You can find the howto here:

http://wejn.org/how-to-make-passwordless-cryptsetup.html

-- Michal S.

[ Parent | Reply to this comment ]

Posted by Anonymous (80.99.xx.xx) on Sun 23 Dec 2007 at 21:58
Hi all,

can someone just tell me why there are those heads and tails in the password generation line? (I guess the uuencode is to create an ascii password from binary, but the rest?).

[ Parent | Reply to this comment ]

Posted by goeb (77.185.xx.xx) on Mon 24 Dec 2007 at 00:00
[ Send Message | View Weblogs ]

The last head and tail is used to strip the header (begin-base64 644 -) and footer (====) from the base64 encoded (uuencode -m) output.

[ Parent | Reply to this comment ]
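As an added example (not from the article or from goeb's comment), here is what that stripping does: `uuencode -m` wraps the base64 output in a "begin-base64 644 -" header and a "====" footer, and `head -n 2 | tail -n 1` keeps only the line between them. It assumes the key fits on one base64 line, and when sharutils is not installed it emulates the uuencode framing with `base64` so the stripping can still be shown.

```shell
#!/bin/sh
# Added example (not from the article): show the uuencode -m framing around a
# generated key and why the head/tail pair removes exactly that framing.

# encode_like_uuencode: read raw bytes on stdin, print uuencode -m style output.
# Falls back to base64 plus the same header/footer when uuencode is missing
# (assumption: 76 characters per line, as uuencode -m emits).
encode_like_uuencode() {
    if command -v uuencode >/dev/null 2>&1; then
        uuencode -m -
    else
        echo "begin-base64 644 -"
        base64 | tr -d '\n' | fold -w 76
        echo
        echo "===="
    fi
}

# strip_framing: keep only the second line, i.e. the base64 key itself, as the
# "head -n 2 | tail -n 1" does. Only valid while the key fits on one base64 line
# (at most 57 raw bytes at 76 characters per line); longer keys need more lines.
strip_framing() {
    head -n 2 | tail -n 1
}

# make_key NBYTES: generate NBYTES of randomness and print the bare base64 key.
make_key() {
    head -c "$1" /dev/urandom | encode_like_uuencode | strip_framing
}

# key_bytes KEY: decode a base64 key and report how many raw bytes it holds,
# a quick check that the framing (and nothing else) was removed.
key_bytes() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}
```

A 32-byte key encodes to 44 base64 characters, so it stays on one line with either line width uuencode might use.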

Posted by Crazyguy (91.156.xx.xx) on Thu 15 May 2008 at 16:56
[ Send Message ]
I'm trying to modify this to be able to do some complicated mounting stuff...

What I need to do is open an ssh session FROM the initramfs (to get the keyfile from another computer) but it says "PRNG is not seeded" and /dev/random and /dev/urandom aren't there.

Do I have to load some kernel module or something to get /dev/random or is it something else?

[ Parent | Reply to this comment ]

Posted by goeb (77.185.xx.xx) on Thu 15 May 2008 at 17:11
[ Send Message | View Weblogs ]
No devices are present unless you create them. You could try to use the shell functions defined in the init script, add one of these lines (or both) before the line where the devices are required:
mkcdev /dev/random mem/random
mkcdev /dev/urandom mem/urandom
this is untested, if it doesn't work, use the mknod command directly:
/bin/mknod /dev/random c 1 8
/bin/mknod /dev/random c 1 9
Regards, gœb

[ Parent | Reply to this comment ]

Posted by goeb (77.185.xx.xx) on Thu 15 May 2008 at 17:14
[ Send Message | View Weblogs ]
Mh, this site apparently doesn't like unicode...

[ Parent | Reply to this comment ]

Posted by goeb (77.185.xx.xx) on Fri 16 May 2008 at 07:12
[ Send Message | View Weblogs ]
Damn, the last mknod command should be for /dev/urandom...

[ Parent | Reply to this comment ]
