_Poseidon_ n00b
Joined: 31 Aug 2006 Posts: 44
Posted: Tue Apr 15, 2008 1:13 pm Post subject: DM-Crypt: Loop Device encryption problem at startup with USB
Hi @ all!
I asked the same question in German a few days ago, but I still don't have an answer. So I hope other people can help me with my problem.
Well, about the topic. I have a problem with dm-crypt. I already have an encrypted loop device which works perfectly, but I want this device to be encrypted at startup. Ok, until now it works. Now the problem: the key for the encryption is located on a USB stick. In the dmcrypt.conf I have the possibility to tell dm-crypt where the key is located. As in the dmcrypt.conf example, I tried it out, but it didn't work. Every time the system is searching for the USB stick I get an error message like this: "Can't find the key file. Do you want to abort? (yes/no)". I think this failure occurs because the USB stick isn't mounted on the file system yet. The attempt to encrypt my loop device starts earlier than the USB stick is mounted.
How can I manage the boot process order? Is it possible to do that, so I can fix my problem?
Otherwise I have a bug in my config in the mount line. dm-crypt says that this line is invalid, but I don't know why. I have tried many notations without success. What is my mistake?
I hope I can get answers to my questions, and I hope that my English is not too bad.
Thank you very much!
Please see my config:
dmcrypt
Code:
## Loopback file example
target=media
source='/dev/loop0'
loop_file='/home/sven/crypt.raw'
key='/mnt/usb/key.loop0'
remdev='/dev/sdc1'
mount=/mnt/crypto
fstab
Code:
/dev/sdb3 /boot ext2 noauto,noatime,nouser 1 2
/dev/sdb4 / ext3 noatime 0 1
/dev/sdb1 none swap sw 0 0
/dev/hda /mnt/dvdrom iso9660 noauto,ro,user 0 0
/dev/hdb /mnt/dvdrw iso9660 noauto,rw,user 0 0
/dev/sdb2 /mnt/daten auto noatime,user,uid=sven 0 0
/dev/sdc1 /mnt/usb auto nodev,nosuid,noauto,user,uid=sven 0 0
/dev/sdc2 /mnt/usb2 auto nodev,nosuid,noauto,user,uid=sven 0 0
#/dev/fd0 /mnt/floppy auto noauto 0 0
/dev/mapper/media /mnt/crypto ext3 noatime,noexec,nodev,noauto,user 0 0
Cheers, Sven
Last edited by _Poseidon_ on Sun Apr 20, 2008 9:18 am; edited 1 time in total
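The ordering problem Sven describes (the key file is looked up before the USB stick is available) is a race between the dm-crypt setup and device enumeration. The following helper is an added example, not code from this thread or from Gentoo's dmcrypt init script: it waits for the removable device node to appear, mounts it read-only with nodev,nosuid,noexec, refuses to use a key file that is missing, empty or readable by anyone but its owner, and only then calls cryptsetup. The function names, the 15-second timeout, the use of GNU/busybox `stat -c '%a'`, and the plain-mode `cryptsetup create` call are assumptions; a LUKS volume would use `cryptsetup luksOpen` instead.

```shell
#!/bin/sh
# Added example: a boot-time helper for a dm-crypt volume whose key lives on a
# removable device. Not part of the thread or of Gentoo's dmcrypt script.

# wait_for_device PATH [TIMEOUT_SECONDS]
# Polls until PATH exists (udev creates /dev/sdc1 only after the USB stack
# has enumerated the stick). Returns 1 on timeout instead of hanging forever.
wait_for_device() {
    dev=$1
    timeout=${2:-10}
    i=0
    while [ ! -e "$dev" ]; do
        [ "$i" -lt "$timeout" ] || return 1
        i=$((i + 1))
        sleep 1
    done
    return 0
}

# check_key_file FILE
# Rejects a key file that is missing, empty, or has any group/other permission
# bits set (mode must end in 00: 400, 600, ...). Assumes stat -c '%a' (GNU or
# busybox coreutils).
check_key_file() {
    f=$1
    [ -f "$f" ] || { echo "key file $f not found" >&2; return 1; }
    [ -s "$f" ] || { echo "key file $f is empty" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   echo "key file $f has permissive mode $mode" >&2; return 1 ;;
    esac
}

# unlock_from_removable REMDEV MOUNTPOINT KEY_PATH_ON_DEVICE TARGET SOURCE
# Mounts the key device hardened and read-only, validates the key, creates
# the mapping, and unmounts the stick again whatever happened. Needs root.
unlock_from_removable() {
    remdev=$1; keymnt=$2; keypath=$3; target=$4; src=$5
    wait_for_device "$remdev" 15 || { echo "$remdev never appeared" >&2; return 1; }
    mount -o ro,nodev,nosuid,noexec "$remdev" "$keymnt" || return 1
    if check_key_file "$keymnt/$keypath"; then
        # plain-mode mapping (assumption); use luksOpen for a LUKS volume
        cryptsetup --key-file "$keymnt/$keypath" create "$target" "$src"
        rc=$?
    else
        rc=1
    fi
    umount "$keymnt"
    return $rc
}

# Usage (as root), matching the stanza in the first post:
#   sh unlock-keydev.sh /dev/sdc1 /mnt/usb key.loop0 media /dev/loop0
if [ "$#" -eq 5 ]; then
    unlock_from_removable "$@"
fi
```

The mount options matter even for a key stick: ro keeps the boot path from ever writing to the device, and nodev,nosuid,noexec mean a stick that has been tampered with cannot contribute device nodes or setuid binaries to the system while it is mounted. The permission check is deliberately strict; a key that is world-readable on the stick is no secret once the stick is mounted for a user.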
shinobi.jack n00b
Joined: 10 Apr 2008 Posts: 13 Location: Australia
Posted: Wed Apr 16, 2008 2:28 am
G'day Sven,
How are you booting at startup? Are you using an initrd? I am still in the process of setting up an encrypted hard drive so haven't dealt with a problem like this directly, but I did use an external flash drive to hold my OS for my eeepc. To do this I had to change the initrd so that all the usb and storage drivers were loaded before the drive looked for the root partition. Is it the root partition that is encrypted? If it is not a partition that is required to start your system then I imagine you would not want to decrypt it until the rest of the system is started.
G
_________________
I think I think therefore I possibly am.
gnub n00b
Joined: 12 Dec 2007 Posts: 4
Posted: Sun Apr 20, 2008 12:45 am
Hello
One thing that looks incorrect is the value for "key" in your dmcrypt[.conf] file. I've found that the init system mounts the usb device and only requires the path information within the usb device to find the file. i.e.: try key='/key.loop0'
My dmcrypt file is at /etc/conf.d/dmcrypt and doesn't contain '.conf'. That may be a problem as well.
_Poseidon_ n00b
Joined: 31 Aug 2006 Posts: 44
Posted: Sun Apr 20, 2008 10:03 am
shinobi.jack wrote:
> G'day Sven,
> How are you booting at startup? Are you using an initrd?

I know that I can configure initrd commands at startup, like framebuffer commands. I'm not sure what exactly you mean. I don't know what other commands I can configure in the initrd. I'm not so familiar with the initrd, only with the framebuffer command.

shinobi.jack wrote:
> To do this I had to change the initrd so that all the usb and storage drivers were loaded before the drive looked for the root partition.

Could you tell me how you did this?

shinobi.jack wrote:
> Is it the root partition that is encrypted?

No, it isn't the root partition, it is only a loop file/device.

gnub wrote:
> I've found that the init system mounts the usb device and only requires the path information within the usb device to find the file. i.e.: try key='/key.loop0'

Ok, I will try this out. But do you have any idea why the "mount line" was detected as an invalid line? What does your "mount line" look like?

gnub wrote:
> My dmcrypt file is at /etc/conf.d/dmcrypt and doesn't contain '.conf'. That may be a problem as well.

That was my fault. The .conf suffix doesn't exist.
Thanks for the answers, cheers Sven
_Poseidon_ n00b
Joined: 31 Aug 2006 Posts: 44
Posted: Sun Apr 20, 2008 9:11 pm
_Poseidon_ wrote:
> shinobi.jack wrote:
> > G'day Sven,
>
> gnub wrote:
> > I've found that the init system mounts the usb device and only requires the path information within the usb device to find the file. i.e.: try key='/key.loop0'
>
> Ok, I will try this out. But do you have any idea why the "mount line" was detected as an invalid line? What does your "mount line" look like?

That was my first fault, but the examples in the config tell you that you should use the full path to the key, like this line:
Code:
#key='/full/path/to/tmpkey'
But the mount line is still invalid, I don't know why. Could somebody help me?
Cheers
gnub n00b
Joined: 12 Dec 2007 Posts: 4
Posted: Mon Apr 21, 2008 5:57 am
_Poseidon_ wrote:
> _Poseidon_ wrote:
> > shinobi.jack wrote:
> > > G'day Sven,
> >
> > gnub wrote:
> > > I've found that the init system mounts the usb device and only requires the path information within the usb device to find the file. i.e.: try key='/key.loop0'
> >
> > Ok, I will try this out. But do you have any idea why the "mount line" was detected as an invalid line? What does your "mount line" look like?
>
> That was my first fault, but the examples in the config tell you that you should use the full path to the key, like this line:
> Code:
> #key='/full/path/to/tmpkey'

Based on my experience with dmcrypt, I have to say the #key='/full/path/to/tmpkey' example is simply wrong.
I don't know the answer to your mount line but here's a guess: comment that line out and specify the mount in your fstab file. You may find a file under /dev/mapper/ named 'media' that you can mount via fstab or manually.
The following is a working example that uses cryptsetup (not loopback).
/etc/conf.d/dmcrypt
Code:
swap=swap1
source='/dev/hde1'
swap=swap2
source='/dev/hdf1'
swap=swap3
source='/dev/hdg1'
swap=swap4
source='/dev/hdh1'
target=md2
source='/dev/md2'
key='/keys/aci_md2_key'
remdev='/dev/sda1'
target=md3
source='/dev/md3'
key='/keys/aci_md3_key'
remdev='/dev/sda1'
target=md4
source='/dev/md4'
key='/keys/aci_md4_key'
remdev='/dev/sda1'
/etc/fstab
Code:
/dev/mapper/swap1 none swap sw,pri=1 0 0
/dev/mapper/swap2 none swap sw,pri=1 0 0
/dev/mapper/swap3 none swap sw,pri=1 0 0
/dev/mapper/swap4 none swap sw,pri=1 0 0
/dev/mapper/md2 /mnt/md2 ext2 noatime 0 2
/dev/mapper/md3 /mnt/md3 ext2 noatime 0 2
/dev/mapper/md4 /mnt/md4 ext2 noatime 0 2
More info
Code:
> ls -l /dev/mapper/
total 0
lrwxrwxrwx 1 root root 16 Apr 20 20:57 control -> ../device-mapper
brw-rw---- 1 root disk 253, 4 Apr 20 21:01 md2
brw-rw---- 1 root disk 253, 5 Apr 20 21:03 md3
brw-rw---- 1 root disk 253, 6 Apr 20 21:05 md4
brw-rw---- 1 root disk 253, 0 Apr 20 20:57 swap1
brw-rw---- 1 root disk 253, 1 Apr 20 20:57 swap2
brw-rw---- 1 root disk 253, 2 Apr 20 20:57 swap3
brw-rw---- 1 root disk 253, 3 Apr 20 20:57 swap4
> df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/hda2 14882100 3033980 11848120 21% /
udev 10240 280 9960 3% /dev
/dev/mapper/md2 86503040 71032480 11076412 87% /mnt/md2
/dev/mapper/md3 86503232 13809264 68299808 17% /mnt/md3
/dev/mapper/md4 62996980 4119728 55677124 7% /mnt/md4
shm 512876 0 512876 0% /dev/shm
Maybe you want to do something like this instead?
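gnub's working file and Sven's failing one differ in two ways: the mount is left to fstab rather than put in the dmcrypt file, and the key= path is the path inside the removable device. The linter below is an added example, not code from this thread or from Gentoo; it reads an /etc/conf.d/dmcrypt-style file stanza by stanza, reports any option name it does not recognise as an invalid line (the kind of error Sven saw), checks that every stanza has a source= and that a loop_file= stanza points at a loop device, and prints where a key will actually be read from when remdev= is set (relative to the mounted device, as gnub reports). The accepted option names (target, swap, source, key, remdev, loop_file, options, pre_mount, post_mount) are my assumption about the 2008-era example file; the two sample configs are constructed from the stanzas in this thread.

```shell
#!/bin/sh
# Added example: linter for /etc/conf.d/dmcrypt-style files. Not part of the
# thread or of Gentoo's init script; accepted option names are an assumption.

problems=0; stanza=""; s_source=""; s_key=""; s_remdev=""; s_loop=""

# finish_stanza: per-stanza checks, run when the next stanza starts and at EOF.
finish_stanza() {
    [ -n "$stanza" ] || return 0
    if [ -z "$s_source" ]; then
        echo "$conf: stanza '$stanza' has no source="; problems=$((problems + 1))
    fi
    if [ -n "$s_loop" ]; then
        case "$s_source" in
            /dev/loop*) ;;
            *) echo "$conf: stanza '$stanza' sets loop_file but source is not a loop device"
               problems=$((problems + 1)) ;;
        esac
    fi
    if [ -n "$s_key" ] && [ -n "$s_remdev" ]; then
        # With remdev= the init script mounts the device itself and resolves
        # key= inside that mount (gnub's observation in this thread).
        echo "$conf: stanza '$stanza' will read the key from <$s_remdev mount>$s_key"
    fi
}

# lint_dmcrypt_conf FILE
# Prints one diagnostic per problem; returns 0 if the file is clean, 1 if not.
lint_dmcrypt_conf() {
    conf=$1; problems=0; lineno=0; stanza=""
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                                    # drop comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        case "$line" in
            *=*) ;;
            *) echo "$conf:$lineno: invalid line (no key=value): $line"
               problems=$((problems + 1)); continue ;;
        esac
        k=${line%%=*}; v=${line#*=}
        v=${v#\'}; v=${v%\'}                                # strip optional quotes
        case "$k" in
            target|swap) finish_stanza
                         stanza=$v; s_source=""; s_key=""; s_remdev=""; s_loop="" ;;
            source)      s_source=$v ;;
            key)         s_key=$v ;;
            remdev)      s_remdev=$v ;;
            loop_file)   s_loop=$v ;;
            options|pre_mount|post_mount) ;;                # accepted, not checked
            *) echo "$conf:$lineno: invalid line (unknown option '$k'): $line"
               problems=$((problems + 1)) ;;
        esac
    done < "$conf"
    finish_stanza
    echo "$conf: $problems problem(s)"
    [ "$problems" -eq 0 ]
}

# write_sample_conf FILE thread|fixed: constructed inputs taken from the thread.
write_sample_conf() {
    if [ "$2" = thread ]; then
        cat > "$1" <<'EOF'
## Loopback file example
target=media
source='/dev/loop0'
loop_file='/home/sven/crypt.raw'
key='/mnt/usb/key.loop0'
remdev='/dev/sdc1'
mount=/mnt/crypto
EOF
    else
        cat > "$1" <<'EOF'
target=media
source='/dev/loop0'
loop_file='/home/sven/crypt.raw'
key='/key.loop0'
remdev='/dev/sdc1'
EOF
    fi
}

# Usage: sh lint-dmcrypt.sh /etc/conf.d/dmcrypt
# With no argument, lint the stanza from the first post as a demonstration.
if [ "$#" -eq 1 ]; then
    lint_dmcrypt_conf "$1"
elif [ "$#" -eq 0 ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp" thread
    lint_dmcrypt_conf "$tmp" || true
    rm -f "$tmp"
fi
```

Run against Sven's stanza it reports line 7 (`mount=/mnt/crypto`) as an unknown option and shows that key='/mnt/usb/key.loop0' would be looked up as /mnt/usb/key.loop0 on the stick itself; the "fixed" sample, with the mount moved to fstab and key='/key.loop0', passes clean.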
shinobi.jack n00b
Joined: 10 Apr 2008 Posts: 13 Location: Australia
Posted: Tue Apr 22, 2008 12:43 am
I just had a quick look at the init file in an initrd that I created recently while attempting to make a livecd, so it is a bit hard to work out how much would be the same as a non-livecd init file. I don't actually use an initrd on my current gentoo installs. My previous messing with the initrd had been done on the eeepc xandros install, not gentoo. I am not sure yet if you actually need to load usb drivers... It seems the assumption is not. I haven't yet played with dmcrypt much beyond some of the initial setup, so I can't really comment on that side of the discussion. But if you want to have a look at your initrd and toy with that side of things, try the following:
Code:
mkdir temp
cd temp
gunzip < ../initramfs-eeepc.img | cpio -i
The file you are interested in is called init. The gentoo-livecd init file did actually have some crypt-related options, but I haven't yet looked at them too closely, and they seemed mostly related to encrypted root or swap partitions. The code you are interested in, for loading modules such as USB and storage drivers, will probably look something like this.
Code:
# Load modules listed in MY_HWOPTS if /lib/modules exists
if [ -d '/lib/modules' ]
then
    good_msg 'Loading modules'
    # Load appropriate kernel modules
    if [ "${NODETECT}" != '1' ]
    then
        for modules in $MY_HWOPTS
        do
            modules_scan $modules
            eval DO_`echo $modules | sed 's/-//'`=1
        done
    fi
    # Always eval doload=...
    modules_load $MDOLIST
else
    for modules in $MY_HWOPTS
    do
        eval DO_`echo $modules | sed 's/-//'`=1
    done
    good_msg 'Skipping module load; no modules in the initrd!'
fi
I hope to get a bit further with my own dmcrypt setup soon, so I will let you know if I figure anything out that may be helpful.
G
_________________
I think I think therefore I possibly am.