new blog 2.0

2008/04/20

Encrypted root & swap partitions on Gentoo with cryptsetup (LUKS) in less than an hour!

I was sick for two days last week, and not having gone to work I finally found some time to play with encrypting Linux partitions using cryptsetup-luks. There is a very good HOWTO on Gentoo-Wiki describing the entire process step by step. Manual installation takes a bit too long, and since I need an encrypted hard drive on every computer, especially a laptop, I wrote a set of scripts and got Gentoo to install on an encrypted root+swap in 10 quick steps. All you need is a Gentoo Minimal Installation CD version 2006.1 or 2007.0 and Internet access. Let's start!

The current version fully supports only the x86 architecture. If you have a 64-bit system, make sure you download the right stage3 in step 0x06!

The installation process:
0. Boot off a Gentoo Mini Install CD
1. Partition your hard drive, so that you have at least 3 partitions: boot, swap and root.
2. wget http://oozie.fm.interia.pl/src/gentoo-crypto.tar.bz2
3. tar xjf gentoo-crypto.tar.bz2
4. cd gentoo-crypto
5. cat README
6. run ./00config.sh and answer the questions
7. run the ./0?*.sh scripts one by one and look for errors.
8. You should finish by setting the root password.
9. Write a basic /boot/grub/menu.lst and install GRUB onto your hard drive from a chrooted environment in /mnt/gentoo.

That's it :)


0. 00config.sh - creates a basic config file :) Partitions on your disk should be laid out prior to this step!
1. 01modules.sh - loads the cryptographic modules that cryptsetup needs in order to proceed.
2. 02crypt_dwnld.sh - downloads the statically linked binary of cryptsetup.
3. 03cryptswap.sh - sets up and encrypts the swap space.
4. 04cryptroot.sh - does the same as the one above, but with the root partition.
5. 05filesystem.sh - creates the root filesystem and mounts it.
6. 06baseinstall.sh - downloads stage3 and portage, extracts them, makes you select a mirror and downloads the kernel source.
7. 07etcfiles.sh - edits /etc/fstab and points both root and swap to /dev/mapper/root and /dev/mapper/swap.
8. 08kernelchk.sh - checks your kernel config for all required options. This may not be reliable, as the option names may change from one kernel version to another. I attach a simple config for the 2.6.24 kernel.
9. 09initramfs.sh - creation of initramfs takes
10. 0Abasicsetup.sh - merges a couple of ebuilds: the ones that are crucial for the system to work and those specified in the config.crypto EBUILDS variable. Most importantly, it re-emerges udev to the newer version, thus letting you emerge device-mapper, which is necessary for the /dev/mapper/root device to be recognized in the system*.
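A small stand-in for the kernel-config check described in step 8, added here as an example; it is not the author's 08kernelchk.sh. The list of required options is my assumption for a 2.6.24-era dm-crypt root (option names do change between kernel versions, as noted above), and the sample .config it checks is constructed inline.

```shell
#!/bin/sh
# Added example, not the post's script: check a kernel .config for the
# options an encrypted dm-crypt/LUKS root needs. The option list below is
# an assumption for a 2.6.24-era kernel; names change between versions.

REQUIRED_OPTS="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES \
CONFIG_CRYPTO_CBC CONFIG_CRYPTO_SHA256 CONFIG_BLK_DEV_INITRD"

# kernelchk FILE
# Prints one line per option that is missing, disabled ("is not set") or
# built as a module (=m). A module is flagged too, because the initramfs
# would then have to carry and load it before the root can be opened.
# Exit status is the number of flagged options; 0 means the config is usable.
kernelchk() {
    problems=0
    for opt in $REQUIRED_OPTS; do
        # Extract the value after "OPTION=" (empty if the option is absent
        # or only present as a "# OPTION is not set" comment).
        val=$(sed -n "s/^$opt=//p" "$1")
        case "$val" in
            y) ;;
            m) echo "MODULE:  $opt (=m; initramfs must load it)"
               problems=$((problems + 1)) ;;
            *) echo "MISSING: $opt"
               problems=$((problems + 1)) ;;
        esac
    done
    return $problems
}

# write_sample_config FILE
# Constructed sample .config (not a real kernel file): dm-crypt is enabled,
# but AES is built as a module and SHA-256 is left unset.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_INITRD=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=m
CONFIG_CRYPTO_CBC=y
# CONFIG_CRYPTO_SHA256 is not set
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
kernelchk "$cfg" && echo "kernel config looks usable for an encrypted root"
rm -f "$cfg"
```

On a real system you would point kernelchk at /usr/src/linux/.config instead of the constructed sample.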
Enjoy.

http://luks.endorphin.org/dm-crypt
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS

* If you neglect re-emerging the udev and device-mapper ebuilds, you are very likely to see a message like this:
* Checking root filesystem ...
fsck.ext3: No such file or directory while trying to open /dev/mapper/root
/dev/mapper/root:
The superblock could not be read or does not describe a correct ext2
filesystem. If the device is valid and it really contains an ext2
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
e2fsck -b 8193

* Filesystem couldn't be fixed :(
Give root password for maintenance
(or type Control-D to continue):

The superblock cannot be read because the /dev/mapper/ directory is empty, non-existent, or contains only the special character device "control". You can otherwise get rid of this message by changing the last two fields of the root entry in /etc/fstab from "0 1" to "0 0", but it's not a real solution - you just prevent the partition from being checked.

2 comments:

shirwa said...

Nice tutorial, thanks a lot.

Anonymous said...

Hi, I just ran through this with the latest Gentoo minimal install boot CD.
The only issue was that cryptsetup-luks has gone from endorphins.org (in fact the whole luks stuff has gone), but the latest minimals have cryptsetup-luks in them.
They have however put it in /sbin instead of /bin, and it being a read-only fs at that point, I just edited the stage that checks for cryptsetup to look in sbin for the binary. Maybe you'd want to put that in your version too?
Great timesaver besides that. Thanks for taking the time to write it.