| View previous topic :: View next topic |
| Author |
Message |
opentaka
l33t
Joined: 18 Feb 2005
Posts: 840
Location: Japan
|
 Posted: Mon Jan 02, 2006 10:54 am Post subject: |
 |
|
pretty cool howto,
just don't forget to autoload it duh 
cheers,
_________________
"Being defeated is often a temporary condition. Giving up is what makes it permanent" - Marilyn vos Savant
|
|
| Back to top |
|
 |
friendsfan
n00b
Joined: 29 Apr 2006
Posts: 1
|
| Posted: Sat Apr 29, 2006 11:57 am Post subject: |
|
|
i am using your excellent script now for 195 days without problems. But by now it was time to do a restart of it. But as it seems, during the time, some things got a little borked. Thats what i get when i try restart it:
| Code: | /etc/init.d/swap-encryption restart
* Restarting swap encryption ...
* Restoring encrypted swap devices ... [ ok ]
* Restoring /dev/mapper/swapdev-hda2040(deleted) as /dev/hda2040(deleted)
swapoff: /dev/mapper/swapdev-hda2040(deleted): No such file or directory
dm_task_set_name: Device /dev/mapper/swapdev-hda2040(deleted) not found
Command failed
/dev/hda2040(deleted): No such file or directory
swapon: cannot stat /dev/hda2040(deleted): No such file or directory [ !! ]
* WARNING: "swap-encryption" has already been started. [ ok ] |
A look at the swap itself gives me that:
| Code: | cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/swapdev-hda2\040(deleted) partition 1052248 1052248 0 |
I tried to zap the script and start it again. That works without an error when starting up. I still end up with the same error when i do a restart again though. Also i seem to have a "new" hda20 partion due to that now:
| Code: | mount /dev/hda2
hda2 hda20 |
I cannot really access it of course, as its not really there i guess. I also tried to create a "normal" swap space on my swap partition (hda2), which only gave me a "device busy" due to the fact, that swap-encryption still has control about it.
So i'm kinda clueless on how to restart the swap script without actually restarting my box (which isn't really an option  ) and would appreciate some good ideas...
friendsfan |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Thu May 25, 2006 5:48 pm Post subject: |
|
|
| friendsfan wrote: | i am using your excellent script now for 195 days without problems. But by now it was time to do a restart of it. But as it seems, during the time, some things got a little borked. Thats what i get when i try restart it:
| Code: | /etc/init.d/swap-encryption restart
* Restarting swap encryption ...
* Restoring encrypted swap devices ... [ ok ]
* Restoring /dev/mapper/swapdev-hda2040(deleted) as /dev/hda2040(deleted)
swapoff: /dev/mapper/swapdev-hda2040(deleted): No such file or directory
dm_task_set_name: Device /dev/mapper/swapdev-hda2040(deleted) not found
Command failed
/dev/hda2040(deleted): No such file or directory
swapon: cannot stat /dev/hda2040(deleted): No such file or directory [ !! ]
* WARNING: "swap-encryption" has already been started. [ ok ] |
A look at the swap itself gives me that:
| Code: | cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/swapdev-hda2\040(deleted) partition 1052248 1052248 0 |
I tried to zap the script and start it again. That works without an error when starting up. I still end up with the same error when i do a restart again though. Also i seem to have a "new" hda20 partion due to that now:
| Code: | mount /dev/hda2
hda2 hda20 |
I cannot really access it of course, as its not really there i guess. I also tried to create a "normal" swap space on my swap partition (hda2), which only gave me a "device busy" due to the fact, that swap-encryption still has control about it.
So i'm kinda clueless on how to restart the swap script without actually restarting my box (which isn't really an option ) and would appreciate some good ideas...
friendsfan |
A bit late, but you could always remove the device mapper map with "dmsetup remove /dev/mapper/swapdev-hda2".
The problem most likely started with the new cryptsetup-luks. I'll take a look at it...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
|
| Back to top |
|
|
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece
|
| Posted: Tue Jun 13, 2006 4:48 pm Post subject: |
|
|
Hallo!
I am using your nice script for at least one year now. The last time I downloaded the file was called
swap-encryption-latest.tar.bz2 and it was a couple of months ago. Works great.
Now I have downloaded swap-encryption-r14 for a fresh gentoo box and I receive the following error:
| Code: |
* Enabling swap encryption... [ok]
* Found swap device
* Generating key [ok]
* Encrypting device as
usage: swapoff [-hV]
swapoff -a [-v]
swapoff [-v] special...
Command failed: Block device required
/dev/mapper/swap: No such file or directory
swapon: cannot stat /dev/mapper/swap: No such file or directory [!!] |
After rebooting having deactivated the encryption, I receive:
| Code: | * Activating (possibly) more swap... [!!]
swapon: /dev/hda6: Invalid argument |
Which disappears if I mkswap again...
What seems to be wrong?
kind_regards,
orange_juice |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Tue Jun 13, 2006 10:30 pm Post subject: |
|
|
| orange_juice wrote: | Hallo!
I am using your nice script for at least one year now. The last time I downloaded the file was called
swap-encryption-latest.tar.bz2 and it was a couple of months ago. Works great.
Now I have downloaded swap-encryption-r14 for a fresh gentoo box and I receive the following error:
| Code: |
* Enabling swap encryption... [ok]
* Found swap device
* Generating key [ok]
* Encrypting device as
usage: swapoff [-hV]
swapoff -a [-v]
swapoff [-v] special...
Command failed: Block device required
/dev/mapper/swap: No such file or directory
swapon: cannot stat /dev/mapper/swap: No such file or directory [!!] |
After rebooting having deactivated the encryption, I receive:
| Code: | * Activating (possibly) more swap... [!!]
swapon: /dev/hda6: Invalid argument |
Which disappears if I mkswap again...
What seems to be wrong?
kind_regards,
orange_juice |
Oh, sorry, I missed that thing. But I've fixed it now:
http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r15.tgz
http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r15.tgz.md5
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
|
| Back to top |
|
|
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece
|
| Posted: Wed Jun 14, 2006 11:00 am Post subject: |
|
|
Howdy my friend!
Thank you very much! It works great.
Kind regards,
orange_juice |
|
| Back to top |
|
|
slick
Bodhisattva
Joined: 20 Apr 2003
Posts: 3495
|
| Posted: Tue Jun 20, 2006 12:06 pm Post subject: |
|
|
I simply use this out of the box:
/etc/fstab
| Code: | | /dev/hda1 none swap sw,loop=/dev/loop7,encryption=AES128 0 0 |
I think its enough for the swap. |
|
| Back to top |
|
|
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece
|
| Posted: Tue Jun 20, 2006 4:48 pm Post subject: |
|
|
Sounds interesting.
Although you need to enable Cryptoloop support in the kernel as /var/log/genkernel.log reads:
| Code: | | Cryptoloop Support (BLK_DEV_CRYPTOLOOP) [N/m/y/?] n |
However, I have created a new post called Swap encryption with cryptoloop? [solved] because I think it would probably be out of subject to discuss this issue at this post.
Kind regards,
orange_juice
Last edited by orange_juice on Thu Jun 22, 2006 9:19 pm; edited 1 time in total |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Tue Jun 20, 2006 7:29 pm Post subject: |
|
|
| slick wrote: | I simply use this out of the box:
/etc/fstab
| Code: | | /dev/hda1 none swap sw,loop=/dev/loop7,encryption=AES128 0 0 |
I think its enough for the swap. |
That is pretty cool and almost makes my script obsolete. Unfortunatly, that method is not safe, unless you know you're never going to remove/add/change partitions, or connect the HD to another cable. It'll simply overwrite anything that might exist on the partition, even if it contained a perfectly legit Ext3 FS. Don't get me wrong, I'm not against what you suggested, it's just that it only works on purely "static" systems, where one doesn't fiddle around too much with the partitions (one might forget to change fstab when partitioning).
But I'll add it to the main post of this thread. Most will probably prefer that simple solution.
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece
|
| Posted: Mon Jun 26, 2006 1:51 pm Post subject: |
|
|
I am affraid that cryptoloop is much inferior to dmcrypt as an encrypting method. This is known from 2004...
Kind regards,
orange_juice |
|
| Back to top |
|
|
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece
|
| Posted: Fri Jul 07, 2006 11:26 am Post subject: |
|
|
Hallo!
Do you think it is possible to setup swap-encryption to work with
| Code: | | sys-fs/cryptsetup-luks |
Actually, I am trying to install ivman for automounting my dvs and this application uses cryptsetup-luks which is being blocked by cryptsetup.
Just a question!
Kind regards,
orange_juice |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Fri Jul 07, 2006 2:22 pm Post subject: |
|
|
| orange_juice wrote: | Hallo!
Do you think it is possible to setup swap-encryption to work with
| Code: | | sys-fs/cryptsetup-luks |
Actually, I am trying to install ivman for automounting my dvs and this application uses cryptsetup-luks which is being blocked by cryptsetup.
Just a question!
Kind regards,
orange_juice |
Yep. Just uninstall cryptsetup and install cryptsetup-luks. It works just fine...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece
|
| Posted: Fri Jul 07, 2006 7:57 pm Post subject: |
|
|
I just did it and while everything worked fine previously, now I receive the following error:
| Code: | * Caching service dependencies ... [ ok ]
* Enabling swap encryption ... [ ok ]
* Found swap device /dev/hda6
* Encrypting device as dev-hda6, priority -5
Command failed: Invalid argument
/dev/mapper/swapdev-hda6: No such file or directory
swapon: cannot stat /dev/mapper/swapdev-hda6: No such file or directory [ ok ]
|
I have the latest version installed: swap-encryption-r16.
Although the encryption is initialized, I have no swap memory...
Kind regards,
orange_juice |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Sat Jul 08, 2006 8:16 am Post subject: |
|
|
Which version of cryptsetup-luks do you have? I'm currently using 1.0.1-r1, but I'll try out the latest one now...
Edit: Well it worked with 1.0.3-r2 for me. I'll continue working on the issue.
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Sat Jul 08, 2006 8:29 am Post subject: |
|
|
Could you do me a favor and add the following to line 127, just before cryptsetup is run? | Code: | | echo \"$CIPHER\" \"$DM_NAME$2\" \"$1\" |
And please reply to this post with the output you get...
It should look something like this: | Code: | * Enabling swap encryption ... [ ok ]
* Found swap device /dev/hda2
* Encrypting device as dev-hda2, priority -8
"aes" "swapdev-hda2" "/dev/hda2" [ ok ] |
You could also make sure that aes is available by doing the following: Which should output something like this: | Code: | name : aes
driver : aes-generic
module : aes
priority : 100
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
|
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Sun Jul 09, 2006 10:42 am Post subject: |
|
|
Hmm... Still haven't been able to replicate the problem. Please try the latest version and see if it works for you.
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
orange_juice
Guru
Joined: 16 Feb 2006
Posts: 588
Location: Athens - Greece
|
| Posted: Sun Jul 09, 2006 12:47 pm Post subject: |
|
|
Hallo!
I apologise for the delay, I had to be out (of the computer...) for a while.
New release seems to be working great, thank you!!!
| Code: | # /etc/init.d/swap-encryption start
* Caching service dependencies ... [ ok ]
* Enabling swap encryption ... [ ok ]
* Found swap device /dev/hda6
* Encrypting device as dev-hda6, priority -1 [ ok ] |
A couple of info I should have answered earlier...
My cryptsetup-luks version is the latest:
| Code: | | sys-fs/cryptsetup-luks-1.0.3-r2 |
| Code: |
cat /proc/crypto
name : aes
driver : aes-i586
module : kernel
priority : 200
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : md5
driver : md5-generic
module : kernel
priority : 0
type : digest
blocksize : 64
digestsize : 16
name : twofish
driver : twofish-generic
module : kernel
priority : 0
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
|
Just an observation:
At the beggining of the howto...
| Sachankara wrote: |
$ tar xvfj swap-encryption-r17.tgz |
Should be changed to | Code: | | tar xvfz swap-encryption-r17.tgz |
Thank you for your help and your valuable support.
Kind regards,
orange_juice |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Sun Jul 09, 2006 2:21 pm Post subject: |
|
|
| orange_juice wrote: | Hallo!
I apologise for the delay, I had to be out (of the computer...) for a while.
New release seems to be working great, thank you!!!
| Code: | # /etc/init.d/swap-encryption start
* Caching service dependencies ... [ ok ]
* Enabling swap encryption ... [ ok ]
* Found swap device /dev/hda6
* Encrypting device as dev-hda6, priority -1 [ ok ] |
A couple of info I should have answered earlier...
My cryptsetup-luks version is the latest:
| Code: | | sys-fs/cryptsetup-luks-1.0.3-r2 |
| Code: |
cat /proc/crypto
name : aes
driver : aes-i586
module : kernel
priority : 200
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
name : md5
driver : md5-generic
module : kernel
priority : 0
type : digest
blocksize : 64
digestsize : 16
name : twofish
driver : twofish-generic
module : kernel
priority : 0
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
|
Just an observation:
At the beggining of the howto...
| Sachankara wrote: |
$ tar xvfj swap-encryption-r17.tgz |
Should be changed to | Code: | | tar xvfz swap-encryption-r17.tgz |
Thank you for your help and your valuable support.
Kind regards,
orange_juice |
Well, thank you (and everyone else), for helping me making the script better. And thanks for the heads up on the mistake in the guide/instructions. I hope the script will continue to work for a long time.
I'm going to add more functionality in the comming days. I think it could be some pretty useful things, but I don't want to say what it is, just in case I'm unsuccessful at implementing it... 
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Sun Jul 09, 2006 3:32 pm Post subject: |
|
|
New version released:
http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r18.tgz
http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r18.tgz.md5
A very short description of the new functionality:
| Quote: | # This feature has been made so that encrypted swap parti-
# tions are created dynamically when the script starts. It
# requires that one uses LVM2 and that there already are one
# or more valid volume groups. Example:
#
# DYNAMIC_VG="volumegroup1 volumegroup2"
# DYNAMIC_SIZE="1G"
#
# This would dynamically create two encrypted swap parti-
# tions, one in each of the listed volume groups, at a size
# of 1G (1024M). Both will be removed and recreated when
# restarting the script.
# Default: DYNAMIC_VG=""
# DYNAMIC_SIZE=""
DYNAMIC_VG=""
DYNAMIC_SIZE="" |
I think there is more than enough functionality for now. I don't want it to become too complex. Instead I'll concentrate on fixing small problems and clean up the script a bit.
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
Last edited by Sachankara on Sun Jul 09, 2006 3:54 pm; edited 1 time in total |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
|
| Back to top |
|
|
WildChild
Apprentice
Joined: 14 Sep 2003
Posts: 171
|
| Posted: Wed Jul 19, 2006 4:14 pm Post subject: |
|
|
A much easier way is to use /etc/conf.d/cryptfs and /etc/fstab. Here is my configuration:
In /etc/conf.d/cryptfs:
swap=crypt-swap
source='/dev/hda2'
In /etc/fstab:
/dev/mapper/crypt-swap none swap sw 0 0
Gentoo then mount the swap very early in the boot process!
_________________
Codito, Ergo Sum |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Fri Jul 21, 2006 1:06 am Post subject: |
|
|
| WildChild wrote: | A much easier way is to use /etc/conf.d/cryptfs and /etc/fstab. Here is my configuration:
In /etc/conf.d/cryptfs:
swap=crypt-swap
source='/dev/hda2'
In /etc/fstab:
/dev/mapper/crypt-swap none swap sw 0 0
Gentoo then mount the swap very early in the boot process! |
Well, that method is unfortunatly not safe. It'll not care if the device is a valid swap device or not. So pretend for a while that you keep your swap on another harddrive and then swap it with another without thinking about removing the line in /etc/conf.d/cryptfs - it'll destroy any content that might exist on the other drive. The swap-encryption script will not encrypt devices unless they're valid swap devices, or unless it told to do static encryptions. So you can use that method if you are always sure that you won't change the drive layout or similar, but if you're not, then better be safe than sorry, as they say... 
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
|
Documentation, Tips & Tricks
