[SOLVED] LUKS, crypt. root, dracut: wrong authentication.

[324874]

Hi!

Quick request:
Can anyone provide a tutorial explaining how to load a UEFI image that decrypts (LUKS) the root filesystem?

Introduction:
I tried to install Gentoo once again (note). I learn programming and I wish to build secure softwares so I installed an hardened system.

Context: (boot, root file system encrypted, UEFI without bootloader)

I encrypted the root filesystem using LUKS and I built an initramfs with dracut. I read wiki articles (cf. ref) and the dracut manual.
The dracut manual says using the shell (rd.shell) to decrypt needed partitions or make the glue (write a script).
I don't know how to write the script so I added the rd.shell in the dracut configuration file: /etc/dracut.conf.
Finally, I created the initramfs and I embeded this one in the kernel.

Issue: (password prompt instead of key file)

I encrypted the partitions (LUKS) using a key file. However, I have to enter a password to unlock the root file system (boot).
I tried to add a password to access the encrypted storage and I used this password but the password didn't work (luksAddKey).

I don't understand well the dracut parameters or the needed kernel parameters:

I added dm, crypt, base, rootfs, usrmount, bash, kernel-modules, udev-rules, etc. (conf. file), --hostonly --no-compress initramfs (cmd line).
I hadn't try add_device+="..." and /etc/crypttab -- I added rd.shell and I used /etc/conf.d/dmcrypt (although I don't know how to use it).

ref:

• Dracut
  
• Dm-crypt: full disk encryption
  
• Dm-crypt
  
• Sakaki EFI install guide

Location of the thread:
I posted this message in this forum because I have succeeded several times the Gentoo installation and because I have another unrelated question.
A part of the system is in the testing branch (musl: experimental). Is is better to switch the system to the testing branch (~amd64)?

Note: I installed Gentoo different ways (meta-distribution). I didn't know what I wanted first times or how to get what I wanted.

Best regards, feng.

[Roman_Gruber]

[324874]

Hi, Roman_Gruber! I thank you for the answer. I used a key file because the entropy is higher (random data). [1]
I don't use LVM with LUKS: "Be aware that if you add LVM into the mix, things can get very complicated." [2]

I found some errors/misunderstandings after I remembered the cryptsetup FAQ. I used the LUKS master key instead of the LUKS slot keys, in the dracut configuration file. [3]

Moreover, I remembered the shell (rd.shell) is launched when something goes wrong. However, I believe the process happened well.

I'm going to modify the configuration file to see if it works and I'm going to read again the cryptsetup FAQ because the presentation is clear.

Notes:
The first time, my purpose was to use plain dm-crypt. However, I haven't understood how to use it although I read the Arch Linux wiki articles about plain dm-crypt.
This method isn't promoted except for "security experts" (according to the maintainer(s) of the cryptsetup FAQ).

I find genkernel easier than dracut but I find that dracut is more suited for an advanced configuration.

[1] Source: https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions (section 5.9 Is LUKS secure with a low-entropy (bad) passphrase?)
[2] Source: idem. (section 2.2 LUKS on partitions or raw disks?)
[3] I sometimes "unmerge" dracut but the configuration file was protected so I kept the wrong configuration. I added luks.key... ="<LUKS master key>" instead of a LUKS slot key.

Best regards, feng.

[axl]

[axl]

[324874]

Hi axl!

Thank you for your explanation. I read again the cryptsetup FAQ and I learned that the encryption of the root is not what I want.

[irenicus09]

Hmm from what I see luks with lvm isn't that hard. I've a gentoo setup with luks + encryption and boot partition on USB.

Wasn't that hard to setup in my opinion, I did it the first time I installed Gentoo, but you just need to figure out the correct settings for grub config, update fstab with sdb1 (removable drive) and when installing grub use --removable flag.

What I'm more interested in is to try the patch for grub, that allows you to remove the luks header from your drive and migrate it to the boot partition on your USB drive. That way you would have plausible deniability in case someone seizes your laptop, and there would be no trace of encryption of any sort on the hard disk.

But I don't want to mess up my current install and I don't have much time these days, so I plan on experimenting with that at a later stage.

If anyone had success with that feel free to let me know

[finalturismo]

[Atha]

I just stumbled upon this thread.

What there is to say is that encryption is a very complicated thing. And, yes, a nice tutorial would certainly be very helpful.

GRUB2 just learned to open LUKS2 encrypted partitions. There has to be a way to use a) a keyfile from an USB pen drive, or b) a password, that will open an encrypted /boot directory in which GRUB will find a second grub.cfg file to load, along with all the linux kernels and initrds. This way there would be a grub.cfg on the ESP, in order to load an alternative operating system (Windows) and to decrypt the real_boot partition, and go along with a second stage grub.cfg from there. The keyfiles for / (root) and anything else would be stored encrypted on the /boot partition...

That's what I've been trying to get working for some time, but gave up. GRUB2 wouldn't let me decrypt /boot, and I was also unable to open two individual encrypted partitions holding a RAID0 (mirroring) btrfs as root (/), because GRUB2 with crypt_root= and root= would only allow for one such partition, leading to btrfs failing as well (the second partition is then missing)...

For now I'm using the Debian default LVM encrypted / with an unencrypted /boot partition. Not satisfactory, but at least it works.
_________________
Think for yourself and let others enjoy the privilege of doing so too. – Voltaire