# [HOWTO] root, swap filesystem encryption for 2.4 and 2.6

## hulk2nd

Latest Additions:

- added 2.6 support

- added swap encryption

- added bootsplash+loop ramdisk support

- added udev support

- added gpg encrypted key support (by Lord Tocharian)

Introduction

hi there,

First, my thanks go out to chadders, Lord Tocharian, BlackBart, turbobri and everyone I forgot from the original "Encrypted Root File System, Swap, etc..." thread. They did most of the work I describe here; I only ran into a few problems and had to make several changes. That thread is now 12 pages long, so it is hard to pick out everything in it, and I wanted to summarize on one page what they wrote across several.

My experience was that the old tutorial was not Gentoo-specific enough: it did not work with Gentoo-specific settings such as the kernel option to mount devfs at boot (correct me if I'm wrong). Ok, enough introduction!

If you have /dev file system support in your kernel and enabled the option to mount it at boot (as the Gentoo installation doc suggests), continue here; otherwise have a look at the old tutorial.

Note: since udev requires disabling devfs in the kernel, I updated the tutorial so that it now works with or without devfs. The settings should be the same for 2.4 and 2.6 kernels.

Another good 2.4 document is the Linux Disk Encryption HOWTO by David Braun: very detailed, but also very complicated, I think.

It is never wrong to have a look at the loop-AES.README, where you can find a lot of useful information.

The tutorial is divided in two: one part if you want to encrypt a clean install and one if you want to encrypt your current root partition. The requirements apply to both!

The steps

1. Requirements

2. Encrypt your current root partition

3. Encrypt your current root partition using a gpg encrypted key

4. Encrypt a clean root partition while installing gentoo

5. Setting up an encrypted swap partition

6. How to merge the bootsplash initrd and the loop-AES initrd into one

7. If something has gone wrong

1. Requirements

- Get the latest loop-AES from sourceforge.net. At the moment it is loop-AES-v2.0d. Have a look at the Sourceforge.net loop-AES project page if the link is broken or to see whether a newer version exists.

- Get the latest util-linux (at the moment util-linux-2.12) from a Gentoo mirror or from kernel.org.

util-linux is also in the portage tree, but it has to be patched with the loop-AES patch and I don't know whether the ebuild applies that patch. I haven't tried it yet, but you can.

- Get a Knoppix (KDE) .iso from one of the mirrors and burn it. I think you can also use Gnoppix (GNOME).

Note: I found that at least the latest Gnoppix version does not work, so for now you have to use Knoppix!

- Decide whether you want to build loop-AES as a module or patch it directly into the kernel. I would suggest not using the module, for example because you then have to disable the loopback device completely in your kernel config. If you want to encrypt your root partition with a 2.6 kernel, there is no need to patch the kernel or build modules, because 2.6 already has built-in cryptoloop support. Keep in mind that cryptoloop and loop-AES are two different drivers: the CD you encrypt from and the initrd that later boots the system must agree on driver and cipher name, so test that the rescue procedure in section 7 can open the partition before you rely on it.

2. Encrypt your current root partition

2a) (re)compile your kernel as follows:

If you have a 2.4 kernel, choose either to patch the kernel with loop-AES [2a1)] or to use the module [2a2)]!

If you have a 2.6 kernel, continue with 2a3), because 2.6 already has built-in cryptoloop support!

Extract the loop-AES archive into a temporary folder, for example /tmp/enc.

2a1) patching your current 2.4 kernel and rebuilding it

Go to the kernel directory, patch the kernel, then rebuild and install it.

```
cd /usr/src/linux
patch -p1 < /tmp/enc/loop-AES-v2.0d/kernel-2.4.22.diff
make menuconfig
```

Block devices --->

     <*> Loopback device support

      [*]  AES encrypted loop device support

     <*> RAM disk support

     (4096) Default RAM disk size

      [*]  Initial RAM disk (initrd) support

File systems --->

     <*> Minix fs support

      [*]  /proc file system support

      [*]  /dev file system support (EXPERIMENTAL)

      [*]  Automatically mount at boot          

and whatever file systems you want to be supported.

```
mount /boot
make dep && make clean bzImage modules modules_install
cp arch/i386/boot/bzImage /boot
```

You can either reboot now to make sure your kernel works, or continue directly if you are sure the new kernel DOES work!!! The Knoppix CD is not needed until step 2f). Continue with step 2b).

2a2) rebuilding your 2.4 kernel by using the loop.o module 

```
cd /usr/src/linux
make menuconfig
```

Block devices --->

     < > Loopback device support        <---- Note: this HAS to be disabled. M or Y WON'T work here!

     <*> RAM disk support

     (4096) Default RAM disk size

      [*]  Initial RAM disk (initrd) support

File systems --->

     <*> Minix fs support

      [*]  /proc file system support

      [*]  /dev file system support (EXPERIMENTAL)

      [*]  Automatically mount at boot

and whatever file systems you want to be supported.

```
mount /boot
make dep && make clean bzImage modules modules_install
cp arch/i386/boot/bzImage /boot
```

You can either reboot now to make sure your kernel works, or continue directly if you are sure the new kernel DOES work!!! Continue with step 2b).

2a3) kernel 2.6 instructions with devfs or udev 

```
cd /usr/src/linux
make menuconfig
```

Device Drivers ---> Block devices --->

     <*> Loopback device support

     <*>    Cryptoloop Support

     <*> RAM disk support

     (4096) Default RAM disk size

      [*]  Initial RAM disk (initrd) support

      [*]  Support for Large Block Devices

File systems --->

     <*> Minix fs support

Pseudo filesystems --->

      [*]  /proc file system support

      [*]  /dev file system support (OBSOLETE)        <---- Note: as far as I know, you have to disable this to use the new udev system. You can do that, but then build the ramdisk with step 2c2) instead of 2c1)! I have NOT tested this for success myself, so I suggest building two kernels and two ramdisks (one with devfs and one without) so that you can at least boot your system with devfs enabled. I am fairly sure both methods work, because the difference between the two options is obvious.

      [*]  Automatically mount at boot          

and whatever file systems you want to be supported.

Cryptographic options --->

     <*> AES cipher algorithms

and whatever encryption algorithms you want to be supported.

```
mount /boot
make clean && make && make modules_install
cp arch/i386/boot/bzImage /boot
```

You can either reboot now to make sure your kernel works, or continue directly if you are sure the new kernel DOES work!!! The Knoppix CD is not needed until step 2f). Continue with step 2b).

2b) install util-linux

You can try to emerge util-linux, but as I said at the beginning there is no guarantee that it will work, because I don't know whether the ebuild applies the loop-AES patch. Here is the manual method:

Note: I found that the util-linux from the portage tree doesn't work. You have to install it manually, because the one from the portage tree does not contain the loop-AES patches.

If you rebooted earlier, mount /boot again.

- Extract the util-linux archive into the /tmp/enc/loop-AES-v2.0d/ directory and cd into it (cd /tmp/enc/loop-AES-v2.0d/util-linux-2.12/).

- then type the following commands:

```
patch -p1 <../util-linux-2.12.diff   # loop-AES patch for mount, losetup and swapon
export CFLAGS=-O2
export LDFLAGS='-static -s'          # static binaries, so they also work inside the initrd
./configure
make SUBDIRS="lib mount"
cd mount
install -m 4755 -o root mount umount /bin
install -m 755 losetup swapon /sbin
rm -f /sbin/swapoff && ( cd /sbin && ln -s swapon swapoff )
rm -f /usr/share/man/man8/{mount,umount,losetup,swapon,swapoff}.8.gz
install -m 644 mount.8 umount.8 losetup.8 /usr/share/man/man8
install -m 644 swapon.8 swapoff.8 /usr/share/man/man8
rm -f /usr/share/man/man5/fstab.5.gz
install -m 644 fstab.5 /usr/share/man/man5
```

2c) create the ramdisk (and optionally the loop module)

cd .. to the loop-AES directory.

If you chose to use the module [step 2a2)], do the following two steps; otherwise skip them and continue with editing build-initrd.sh [2c1) OR 2c2)]:

```
make LINUX_SOURCE=/usr/src/linux-2.4.22-ac4
cp -p /lib/modules/2.4.22-ac4/block/loop.o /boot/loop-2.4.22-ac4.o
```

Replace 2.4.22-ac4 with the kernel version you have.

2c1) creating the ramdisk with devfs enabled in the kernel

- Edit build-initrd.sh:

- Replace BOOTDEV, BOOTTYPE, CRYPTOROOT, ROOTTYPE and CYPHERTYPE with the values you want. I suggest AES128 instead of AES256: a 128-bit key is already out of reach of brute force, so AES256 adds little in practice, and it is about 25% slower according to some tutorials and other people. Note that in this single-key mode the key is derived from your passphrase, so the passphrase, not the key length, is the weak spot: the patched losetup refuses passphrases shorter than 20 characters, and you should pick one well above that minimum. The gpg multi-key setup in section 3 is the stronger variant described in the loop-AES.README.

Do NOT use the normal disk/partition names (/dev/hda1 ...) in BOOTDEV and CRYPTOROOT! The initrd only has the devfs names, so if /dev/hda1 is your /boot partition, write BOOTDEV=/dev/discs/disc0/part1 etc.

- Change USEMODULE to 0 if you chose to patch the kernel or if you encrypt a 2.6 system. Leave it at 1 if you chose to use the module instead of patching.

- Change USEPIVOT to 1.

- Change USEDEVFS to 1.

- Save the file.

- Type sh build-initrd.sh

This builds the ramdisk and copies it (including some tools) to /boot. Again, be sure /boot is mounted!!

2c2) creating the ramdisk with devfs disabled in the kernel

- Edit build-initrd.sh:

- Replace BOOTDEV, BOOTTYPE, CRYPTOROOT, ROOTTYPE and CYPHERTYPE with the values you want (see 2c1) for the AES128/AES256 and passphrase remarks).

In this case you can use the normal disk/partition names (/dev/hda1 ...) in BOOTDEV and CRYPTOROOT.

- Change USEMODULE to 0 if you chose to patch the kernel or if you encrypt a 2.4 or 2.6 system with the kernel's own loop device. Leave it at 1 if you chose to use the module.

- Change USEPIVOT to 1.

- Change USEDEVFS to 0.

- Save the file.

- Type sh build-initrd.sh

This builds the ramdisk and copies it (including some tools) to /boot. Again, be sure /boot is mounted!!
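As an added example (not part of this HOWTO or of loop-AES itself), here is a small sh script that checks the build-initrd.sh settings from 2c1) and 2c2) before you run the script: the cipher name, USEPIVOT, USEMODULE, USEDEVFS, and whether BOOTDEV/CRYPTOROOT use the device naming that matches USEDEVFS. The variable names are the ones in build-initrd.sh; the accepted cipher names and the devfs path prefixes are assumptions taken from the names used in this thread.

```sh
#!/bin/sh
# Added example, not part of the HOWTO or of loop-AES: check the values
# you edited in build-initrd.sh against the rules in 2c1)/2c2) before
# running "sh build-initrd.sh". Variable names are the ones in that
# script; the cipher list and devfs prefixes are assumptions from the
# names used in this thread.

# cfg_get FILE VAR: print the value of VAR=... (optional quotes stripped)
cfg_get() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# check_initrd_cfg FILE: print one line per problem, return 1 if any
check_initrd_cfg() {
    cfg=$1; rc=0
    usedevfs=$(cfg_get "$cfg" USEDEVFS)
    usepivot=$(cfg_get "$cfg" USEPIVOT)
    usemodule=$(cfg_get "$cfg" USEMODULE)
    cipher=$(cfg_get "$cfg" CYPHERTYPE)
    bootdev=$(cfg_get "$cfg" BOOTDEV)
    cryptoroot=$(cfg_get "$cfg" CRYPTOROOT)

    case $cipher in
        AES128|AES192|AES256) ;;
        *) echo "CYPHERTYPE='$cipher': expected AES128, AES192 or AES256"; rc=1 ;;
    esac
    [ "$usepivot" = 1 ] || { echo "USEPIVOT='$usepivot': the HOWTO needs 1"; rc=1; }
    case $usemodule in
        0|1) ;;
        *) echo "USEMODULE='$usemodule': must be 0 (patched/built-in loop) or 1 (loop module)"; rc=1 ;;
    esac
    case $usedevfs in
        0|1) ;;
        *) echo "USEDEVFS='$usedevfs': must be 0 or 1"; rc=1 ;;
    esac

    # The devfs initrd runs no devfsd, so only the real devfs names exist
    # there; without devfs only the classic names exist.
    for dev in "$bootdev" "$cryptoroot"; do
        case $usedevfs:$dev in
            1:/dev/hd*|1:/dev/sd*)
                echo "$dev: with USEDEVFS=1 use devfs names, e.g. /dev/discs/disc0/part1"; rc=1 ;;
            0:/dev/discs/*|0:/dev/ide/*|0:/dev/scsi/*)
                echo "$dev: with USEDEVFS=0 use plain names, e.g. /dev/hda1"; rc=1 ;;
            *:/dev/*) ;;
            *) echo "'$dev': not a device path"; rc=1 ;;
        esac
    done
    [ "$bootdev" != "$cryptoroot" ] || { echo "BOOTDEV and CRYPTOROOT are the same partition"; rc=1; }
    return $rc
}
```

Source the file and run `check_initrd_cfg /tmp/enc/loop-AES-v2.0d/build-initrd.sh` from the loop-AES directory; an empty output and exit status 0 means the settings are consistent with the HOWTO, anything else is printed one problem per line.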

2d) modifying /etc/fstab

- Replace your root partition with /dev/loop5: for example, if /dev/hda3 is your root, replace it with /dev/loop5 (the ramdisk sets the encrypted root up on /dev/loop5).

2e) modifying your grub.conf

```
title=Gentoo/GNU Linux 1.4 Encrypted ROOT
root (hd0,0)
kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz
```

Of course, leave other options you need as they are. For example, if you have hdc=ide-scsi etc. on your kernel line, leave it there.

Only one thing: if you have bootsplash enabled at boot, and therefore already have an initrd on your boot partition and an initrd line in grub.conf, you have to remove that line.

Until now I didn't know how to load two ramdisks at the same time or how to merge them into one; see section 6 for the solution.

2f) encrypting your root partition with the help of Knoppix

- Reboot now with the Knoppix CD you burned earlier. You can type knoppix 2 at the boot prompt so that X is not loaded and you only get a shell. It is a little faster, but in fact it doesn't matter. Booting from the CD ensures the root partition is not mounted while you convert it; nothing may write to it during the conversion.

- Make sure you have a current backup: the conversion below overwrites the partition in place, so an interruption (power loss, wrong device name) leaves it unreadable.

- Type the following:

```
losetup -e AES128 -T /dev/loop0 /dev/hda2
```

- Replace 128 with the encryption you chose earlier in build-initrd.sh and hda2 with your root partition. -T makes losetup ask for the passphrase twice, and the passphrase must be at least 20 characters long.

- Enter the passphrase you want to use.

- Then convert your root partition:

```
dd if=/dev/hda2 of=/dev/loop0 bs=64k conv=notrunc
```

This reads each block of the unencrypted partition and writes it back through the loop device, which encrypts it in place. Don't worry, this can take a few hours if your root partition is big; as long as your hdd light flashes, everything is fine.

2g) rebooting and starting with your new encrypted root partition

- When the conversion process is finished, type reboot, remove the Knoppix CD and start with the new encrypted root partition. If everything went well, it will ask you for the passphrase during the boot process.

3.  Encrypt your current root partition using a gpg encrypted key.

 *Lord Tocharian wrote:*   

> I have been playing around with encryption and by using hulk2nd's great guide along with the loop-AES.README I have setup an encrypted root partition using a gpg encrypted key.  I thought I would add on to his guide with how I setup my system.
> 
> All I basically did is put the loop-AES.README into an easier to read format.  I would highly suggest reading the entire thing before attempting to encrypt your hard drive.  Also a current backup of your hard drive definitely helps.   

 

3a) Requirements: 

-loop-AES-v2.0d (same as in 1.  Requirements)

-latest loop-AES patch (loop-AES-v2.0d-20031226.diff.bz2)

-util-linux-2.12 (same as in 1.  Requirements)

-Knoppix / Gentoo LiveCD (same as in 1.  Requirements)

-gnupg-1.2.3

-aespipe-v2.2a

3b)  Recompile Kernel (2.6.x Instructions Only):

```
cd /usr/src/linux
make menuconfig
```

Follow Section 2a3 with the following exceptions:

Extra things to set:

```
CONFIG_MODULES=y
CONFIG_KMOD=y       (recommended but not required)
CONFIG_CRAMFS=n     (or CONFIG_CRAMFS=m)
```

Differences:

```
CONFIG_BLK_DEV_LOOP=n
```

This step is VERY important! As opposed to the other guide, loop support cannot be in your kernel at all, not even as a module (therefore Cryptoloop Support will not be built into your kernel either), because the loop module built in 3c) replaces the kernel's own loop driver!

From the loop-AES.README:

 *Quote:*   

> After building and installing your new kernel, do not attempt to clean kernel tree, or rename path to kernel sources.

 

Follow the end of 2a3 to recompile your kernel and then optionally reboot into your new kernel (if you want to make sure it is working).

3c) Compile loop.o module for your kernel:

```
mkdir /tmp/enc
cd /tmp/enc
tar jxvf loop-AES-v2.0d.tar.bz2
bunzip2 loop-AES-v2.0d-20031226.diff.bz2
patch -p0 <./loop-AES-v2.0d-20031226.diff
cd loop-AES-v2.0d          # the Makefile lives in the extracted directory
make clean
make LINUX_SOURCE=/usr/src/linux-2.6.0-gentoo
```

Replace 2.6.0-gentoo with the kernel version you have.

3d) Install util-linux:

Use the instructions in 2b) install util-linux

3e) Setup GPG:

```
cd /tmp/enc/loop-AES-v2.0d
tar zxvf gnupg-1.2.3.tar.gz
cd gnupg-1.2.3
patch -p1 <../gnupg-1.2.3.diff
CFLAGS="-O2" LDFLAGS="-static -s" ./configure --prefix=/usr --enable-static-rnd=linux
make
rm -f /usr/share/man/man1/{gpg,gpgv}.1.gz
make install
chown root:root /usr/bin/gpg
chmod 4755 /usr/bin/gpg
```

The setuid bit lets gpg mlock() the memory holding the decrypted keys when an unprivileged user runs it; gpg drops root again right after that. If only root and the initrd ever run it, mode 755 is sufficient.

3f) Test loop-AES:

```
cd /tmp/enc/loop-AES-v2.0d
make tests
```

From the loop-AES.README:

 *Quote:*   

> Makefile will display "*** Test results ok ***" message if tests are
> 
> completed successfully. If tests fail, do not use the driver as it is
> 
> broken.
> ...

 

3g) Build aespipe program:

```
cd /tmp/enc
tar jxvf aespipe-v2.2a.tar.bz2     # the aespipe archive from the requirements (name assumes the same .tar.bz2 naming as loop-AES)
cd aespipe-v2.2a
CFLAGS="-O2" LDFLAGS="-static -s" ./configure
make
make tests
cp -p aespipe /boot
```

3h) Copy the kernel-version-specific loop.o or loop.ko (depends on your kernel version) to /boot/modules-KERNELRELEASE/

```
mkdir /boot/modules-2.6.0-gentoo
cp -p /lib/modules/2.6.0-gentoo/block/loop.*o /boot/modules-2.6.0-gentoo/
```

Replace 2.6.0-gentoo with the kernel version you have.

3i) Create 64 random encryption keys and encrypt them with gpg.

This is loop-AES's multi-key mode: 64 independent keys, one per 60-character base64 line, with the driver selecting a key by sector number. 2880 random bytes give exactly 64 such lines; the head/tail pair strips the uuencode header and trailer lines. /dev/random may block for a while until enough entropy has been gathered.

```
umask 077
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a >/boot/rootkey.gpg
```
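As an added example (not part of this HOWTO or of loop-AES), the following sh functions generate the same 64-line key file without uuencode and validate an existing one before it goes into gpg: 64 distinct lines of exactly 60 base64 characters. The line format is the one loop-AES multi-key mode expects per the README; reading /dev/urandom by default is an assumption made so the example runs anywhere, pass /dev/random to match the original command.

```sh
#!/bin/sh
# Added example, not part of the HOWTO or of loop-AES: generate and
# validate the 64-key file that 3i) pipes into gpg. loop-AES multi-key
# mode wants 64 lines of 60 base64 characters (45 key bytes each), so
# 2880 random bytes give exactly 64 lines. The original uses uuencode -m
# and trims its header/trailer lines; this uses base64 and reformats to
# 60 columns, which yields the same layout. Assumption: /dev/urandom is
# the default so the example runs anywhere; pass /dev/random to match
# the README's command.

# make_keys [RANDOMDEV]: print 64 base64 lines of 60 characters
make_keys() {
    head -c 2880 "${1:-/dev/urandom}" | base64 | tr -d '\n' |
        awk '{ for (i = 1; i <= length($0); i += 60) print substr($0, i, 60) }'
}

# check_keys: read a key file on stdin; exit 0 if it is 64 distinct
# 60-character base64 lines, otherwise print what is wrong and exit 1
check_keys() {
    awk '
    length($0) != 60 || $0 !~ /^[A-Za-z0-9+\/]*$/ {
        print "line " NR ": not 60 base64 characters"; bad = 1
    }
    seen[$0]++ { print "line " NR ": duplicate key"; bad = 1 }
    END {
        if (NR != 64) { print "expected 64 lines, got " NR; bad = 1 }
        exit bad
    }'
}
```

Used for real: `umask 077; make_keys /dev/random | gpg --symmetric -a >/boot/rootkey.gpg`, and to check a key file you already have, `gpg --decrypt /boot/rootkey.gpg | check_keys`. A truncated or hand-edited key file is the kind of mistake that only shows up as an unbootable system, so the check is cheap insurance before 3m) overwrites the partition.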

3j) Build /boot/initrd.gz

Follow the bottom part of 2c) create the ramdisk to set up and execute your build-initrd.sh, with the following changes:

-change USEGPGKEY to 1

-leave USEMODULE set to 1

I would note that I have used both AES128 and AES256 on the same system at different times and in my desktop usage I noticed no difference between the two as far as slow down.

3k) Modify /etc/fstab

Use the same procedure as in 2d) modifying /etc/fstab

3l) Edit grub.conf / lilo.conf

Use the same procedure as in 2e) modifying your grub.conf

NOTE: if you use lilo read the top of build-initrd.sh for instructions on how to setup lilo

3m) Do the actual encryption using some sort of bootable CD:

First reboot onto Knoppix/Gentoo LiveCD or some other form of bootable CD so your root partition will not be mounted. Then do the following steps:

```
mkdir /mnt/tempboot
mount -r -t ext2 /dev/hda1 /mnt/tempboot
```

Replace /dev/hda1 with whatever your boot partition is, and change the type as well.

Finally encrypt your hard drive; this may take several hours depending on the size of your hard drive. aespipe and the key file are taken from the boot partition mounted above, and the -e cipher must match the CYPHERTYPE you set in build-initrd.sh:

```
dd if=/dev/hda2 bs=64k \
    | /mnt/tempboot/aespipe -e AES128 -K /mnt/tempboot/rootkey.gpg -G / \
    | dd of=/dev/hda2 bs=64k conv=notrunc
```

Replace /dev/hda2 with whatever your root partition is.

Unmount and reboot onto the new encrypted partition!

```
umount /mnt/tempboot
sync
reboot
```

Note: I have not tested the whole of step 3 myself, but since Lord Tocharian used this method successfully before writing this update, there is no doubt that it works this way! Thanks to Lord Tocharian for writing this addon.

4. Encrypt a clean root partition while installing gentoo

Installing Gentoo and encrypting root from the Knoppix CD

- Boot your PC with the Knoppix CD (type knoppix 2 at the boot prompt to get a console only).

- Bring up your network and enable hdparm (optional) as described in the installation doc.

- Create your boot, swap and root partitions (do not put a filesystem on the root partition yet; it gets formatted through the loop device below).

- Type the following:

```
losetup -e AES128 -T /dev/loop0 /dev/hda3
```

- Replace 128 with the encryption you want to use and hda3 with your root partition, then enter the passphrase you want to use (at least 20 characters).

- Format your root partition through the loop device with the filesystem you want to use:

```
mkfs /dev/loop0
```

- Format your boot and swap partition.

- swapon /dev/hda2 (if you chose to create a swap partition, this is the point to enable it; replace hda2 with your actual swap partition).

- mkdir /mnt/gentoo

- mount /dev/loop0 /mnt/gentoo

- mkdir /mnt/gentoo/boot

- mount /dev/hda1 /mnt/gentoo/boot (replace hda1 with your actual boot partition)

- Continue with step "8. Stage tarballs and chroot" from the Gentoo installation doc.

- When you get to "15. Modifying /etc/fstab for your machine" in the Gentoo install doc, be sure to add the changes mentioned in:

2d) modifying /etc/fstab

- When you get to "16. Installing the kernel and system logger", be sure to add the modifications described in:

2a) (re)compile your kernel

- After you have done the whole "16. Installing the kernel and system logger" step, do the following steps from this doc:

2b) install util-linux

2c) create the ramdisk (and optionally the loop module)

- After that, continue with step "17. Installing miscellaneous necessary packages" from the Gentoo doc until you get to step "23. Configure a Bootloader".

- Follow the instructions from the Gentoo doc and add the changes from

2e) modifying your grub.conf

- Finish the rest of the Gentoo installation doc and everything should work after you reboot.

5. Setting up an encrypted swap partition

- First you need to swapoff your current swap partition. I will always write /dev/hda3 for the swap partition, so replace hda3 with your actual partition, as usual.

```
swapoff /dev/hda3
```

- Now add "loop=/dev/loop6" and "encryption=AES128" to the swap line in your /etc/fstab. For example:

```
/dev/hda3   none   swap   sw,loop=/dev/loop6,encryption=AES128   0 0
```

The patched swapon sets the loop device up with a fresh random key at every boot, so nothing written to swap survives a reboot; this also means suspend-to-disk (resume from swap) cannot work with this setup.

- If there is old unencrypted data on the swap partition, overwrite it first:

```
dd if=/dev/zero of=/dev/hda3 bs=64k conv=notrunc
mkswap /dev/hda3
```

That should be it. If everything went right, you should now be able to reboot and enjoy your newly encrypted root and swap partitions!!!
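As an added example (not part of this HOWTO or of loop-AES), the sh functions below apply both fstab edits, the root change from 2d) and the swap change from section 5, to an fstab read on standard input, and check the result. The loop numbers (loop5 for root, loop6 for swap) and the AES128 cipher name are those used in the HOWTO; the sample fstab in the usage below is constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the HOWTO or of loop-AES: apply the fstab
# changes from 2d) (root on /dev/loop5) and 5) (swap through /dev/loop6
# with a random key) to an fstab read on stdin, and check the result.
# Loop numbers and the AES128 cipher name are the ones used in the HOWTO.

# rewrite_fstab ROOTDEV SWAPDEV [CIPHER]: rewritten fstab on stdout
rewrite_fstab() {
    awk -v root="$1" -v swap="$2" -v cipher="${3:-AES128}" '
    BEGIN { OFS = "\t" }
    /^[[:space:]]*#/ || NF < 4 { print; next }      # comments and blank lines untouched
    $1 == root && $2 == "/" { $1 = "/dev/loop5" }   # 2d): the initrd puts root on loop5
    $1 == swap && $3 == "swap" && $4 !~ /loop=/ {   # 5): encrypted swap with a random key
        $4 = $4 ",loop=/dev/loop6,encryption=" cipher
    }
    { print }'
}

# check_fstab: read an fstab on stdin; exit 0 if root is on /dev/loop5 and
# no swap entry is left without an encryption= option, 1 otherwise
check_fstab() {
    awk '
    /^[[:space:]]*#/ || NF < 4 { next }
    $2 == "/" { root_ok = ($1 == "/dev/loop5") }
    $3 == "swap" && $4 !~ /encryption=/ { plain_swap = 1 }
    END { exit !(root_ok && !plain_swap) }'
}
```

Typical use on the real file: `rewrite_fstab /dev/hda3 /dev/hda2 AES128 </etc/fstab >/etc/fstab.new`, look at the diff, then `check_fstab </etc/fstab.new && mv /etc/fstab.new /etc/fstab`. Running it twice is harmless: a line that already points at loop5 or already carries loop= is left alone.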

6. How to merge the bootsplash initrd and the loop-AES initrd into one

I finally got it working to use both the bootsplash AND the loop-AES ramdisk.

- First, mount /boot and create the bootsplash ramdisk as explained in the bootsplash howto.

- I suggest backing up both ramdisks so that you can go back to the old state if something goes wrong.

- cd /boot and type ls to double-check that the initrd-1280x1024 (bootsplash) and the initrd.gz (loop-AES) ramdisks exist.

- Extract the loop-AES ramdisk and append the bootsplash ramdisk to it (the kernel uses the ramdisk image at the start of the file, and bootsplash searches the initrd for its picture, so it can sit behind the loop-AES image):

```
gunzip initrd.gz
cat initrd-1280x1024 >>/boot/initrd
rm initrd-1280x1024
```

- Edit your grub.conf and change initrd=/initrd.gz to initrd=/initrd, so that it points to your newly created ramdisk.

- umount /boot and reboot to see the wonder of the new ramdisk :Very Happy:

7. If something has gone wrong

You always have the possibility to access your (already encrypted) root drive:

- Boot the Knoppix CD.

- Type

```
losetup -e AES128 /dev/loop0 /dev/hda2
```

- As always, replace AES128 with the encryption you chose and hda2 with your root partition. If you used the gpg-encrypted key from section 3, losetup needs the key file instead of a passphrase prompt (the -K and -G options, the same as for aespipe in 3m), so mount the boot partition first.

- Enter the passphrase you chose the first time.

- mkdir /mnt/gentoo and mount /dev/loop0 /mnt/gentoo (if mount complains about a bad superblock, the passphrase or cipher was wrong: losetup -d /dev/loop0 and try again).

- mount /dev/hda1 /mnt/gentoo/boot (or whatever your boot partition is)

- chroot /mnt/gentoo /bin/bash

Now you can check all the steps you've done again if something has gone wrong, because you have access to your boot and your root partition.

I hope I did not forget anything and that you understand what I wrote. Again, thanks to the guys from the other encryption thread. Suggestions, comments, criticism etc. are welcome!

greets,

hulk

----------

## Boris27

Great guide! Don't have the guts to try it out though.

----------

## hulk2nd

added 2.6 kernel support, swap partition encryption support and bootsplash-ramdisk+loop-AES-ramdisk support.

greets,

hulk

----------

## Sh4d0w

I'm almost certain I got all the steps correct, but on bootup I now get:

```
RAMDISK: Compressed image found at block 0
Freeing initrd memory: 2k freed
VFS: Mount root (minix filesystem) readonly
Freeing unused kernel memory: 112k freed
Warning: unable to open an initial console.
flushing ide devices: hda hdc
System halted.
```

Any ideas?

----------

## hulk2nd

Did you do a clean install or did you encrypt your partition afterwards? And which kernel are you using?

greets,

hulk

----------

## Sh4d0w

 *hulk2nd wrote:*   

> did you made a clean install or did you encrypt your part. afterwards? and which kernel are you using?
> 
> greets,
> 
> hulk

 

That was a quick response  :Razz:  Want to log onto msn maybe?

few days old install, 2.4.23 kernel compiled in, not as a module.

----------

## hulk2nd

sure, why not!

two things:

Did you do the bootsplash/loop ramdisk merging thing? And double-check your grub.conf, especially the init parts:

```
kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz
```

If that does not help, check that you included support for every filesystem you use in your kernel. Also look for devfs and "mount devfs at boot".

greets,

hulk

----------

## Sh4d0w

No, I didn't do the merging part.

This is my grub.conf:

```
default 0
timeout 5

title=Linux
root (hd0,0)
kernel (hd0,0)/boot/bzImage root=/dev/hda3

title=Linux
root (hd0,0)
kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz
```

----------

## Sh4d0w

Just rebooted and couldn't see anything about devfs, a lot of it went by far too quickly to see. Gotta run for a bit, back in 45.

----------

## hulk2nd

be sure to add these options to your kernel:

[*] /dev file system support (EXPERIMENTAL)

[*]   Automatically mount at boot

----------

## Sh4d0w

 *hulk2nd wrote:*   

> be sure to add these options to your kernel:
> 
> [*] /dev file system support (EXPERIMENTAL)
> 
> [*]   Automatically mount at boot

 

Whoops, after enabling that everything seems to be working great. Good tutorial  :Smile: 

----------

## BarryJ

Great tutorial!  Gonna try this when I get the nerve.

P.S. Richard Dean Anderson is awesome!  Did you know about Young Macgyver?  Unfortunately the WB didn't pick it up   :Crying or Very sad:  .

----------

## hulk2nd

 *BarryJ wrote:*   

> P.S. Richard Dean Anderson is awesome!  Did you know about Young Macgyver?  Unfortunately the WB didn't pick it up   .

 

hi there,

no, I've actually never heard of the young MacGyver. I would really like to see a picture, but I can hardly believe that he is able to invent as many incredible machines as "the old MacGyver", and that he can beat every enemy while staying THAT polite!!!!   :Very Happy: 

greets,

hulk

----------

## Qweasda

I'm probably going to try this on my new computer when all it's parts arrive.

A question though. I read a bit about encryption and apparently it keeps everything in RAM encrypted, and decrypts it in RAM as it's being used. Does this process take up memory? How much, roughly? Does it slow things down, or will it not be noticeable?

----------

## hulk2nd

I bet it does slow things down, but until now I haven't experienced speed differences between before and after encryption. As far as I know, only the ramdisk is in RAM, but that is only a few KB. It really doesn't matter. But I'm not 100% sure about that.

greets,

hulk

----------

## femtotech

AFAIK, the data in RAM is not encrypted.  Data on the hard drive and data written to swap is encrypted but the RAM access is handled normally.  This is not much of a problem though since the RAM is cleared at power off and old data isn't recoverable.

As far as the speed goes, my system is basically as fast as before encryption.  Programs load as fast, games run the same.  The only time you notice the encryption is in transferring large files between drives -- there is about a 25% processor usage (2GHz Athlon, transferring between u160 SCSI drives).

A cool thing to do if you have a USB bootable motherboard is have your /boot partition on a USB pen drive, then everything on your hard disks would be encrypted (as opposed to an unencrypted boot on the drive).  Unfortunately, my nForce 2 board does not have this feature.

----------

## Qweasda

Sorry, made a typo, meant to say that everything on the hard drive (not RAM) is encrypted and it decrypts it in RAM.

If I do this, it will be for a home server (web, ftp, file and other) that will be up 24/7. Will the RAM get more clogged as time goes on or does it compensate? It will only have 256mb of pc100 RAM per node, which brings me to another question. It's a 4u setup with 4 SBC motherboards with 733mhz P3's. 3 of these will be diskless thin clients to one fat client with a 180gb HD. These clients won't have any troubles will they? (btw, I'm going to use openMosix clustering also, if that matters)

Thanks.

----------

## femtotech

I haven't read the code to figure out exactly what the encryption utilities are doing, but it's probably using a minimal amount of RAM to decrypt your data which is then stored (decrypted) in memory as normal.  

On my personal box I've had no noticable differences in memory usage when using loopback 256bit AES as compared to no encryption(uptimes up to a month, 512MB).  My IDS box running snort, ACID, apache, and ssh had a  163 day uptime until I rebooted for a kernel upgrade yesterday, and it was still running as quick as ever (1GB).  

I doubt you'd see any real memory usage increases on your cluster.  The only thing to keep in mind is the increased processor usage when transferring large files across a fast link, but even this is fine for the added security.

----------

## deadaim

Pardon me for asking the "noob" question, but what are the benefits of encrypting your swap filesystem?  Is it recommended to do this?

Thanks in advance.

----------

## hulk2nd

As you know, even if you can't boot a computer because you don't have the root or the user password, you can connect the hard drive to another computer and read the data from there. With an encrypted filesystem this is impossible unless you know the encryption password etc ...

And if the encryption is strong and/or secure enough, you can't crack it by brute force or other methods.

Of course, the way I describe it here is not the safest possible one. But there is a point where you have to think about whether more security steps are really needed.

I personally own a laptop, and that's the reason why I encrypted my partitions: I don't want other people to be able to read my data if I lose my laptop or if it gets stolen.

greets,

hulk

----------

## deadaim

 *hulk2nd wrote:*   

> as you know, even if cou can't boot a computer cause you don't have the root or the user password, you can connect the hard drive to another computer and read the data from there. with an encrypted filesystem this is impossible unless you know the encryption password etc ...
> 
> and if the encryption is high or/and secure enough, you can't hack it by bruteforce or other methods.
> 
> of course, the way i describe it here is not the safest possible one. but there is a point where you have to think if more security steps are really needed.
> ...

 

Sweet, I'm going to buy a laptop soon...now I know to encrypt the partitions.  Thanks!

----------

## S_aIN_t

an interesting topic came up on the linux-crypto mailing list.

 *Quote:*   

> 
> 
> > Is there a point to using loop-AES with kernel-2.6? CryptoAPI is in the kernel.
> 
> > Why not just use it?
> ...

 

So, this means that even if you're running kernel  2.6 you still should patch it with loop-AES. I haven't tried patching 2.6 with the new loop-AES. But it is possible. This is the announcement from the linux-crypto mailing list:

 *Quote:*   

> 
> 
> loop-AES changes since previous release:
> 
> - Fixed util-linux patch so it compiles on boxes where C library is compiled
> ...

 

----------

## hulk2nd

this sounds very interesting. i will try that and update the tutorial. big thanks for that information!

btw, I dunno why, but they removed version c. There is only b and d in http://loop-aes.sourceforge.net/ciphers/ and in http://loop-aes.sourceforge.net/loop-AES/

greets,

hulk

----------

## hulk2nd

ahh, there is no need to patch the kernel. first, the archive isn't a patch anyway, it just builds the module. and second, this only updates serpent, twofish and blowfish encryption, i think. cause it builds only loop_twofish.o, loop_blowfish.o and loop_serpent.o. and since we use aes, i don't think we need to build these modules.

greets,

hulk

----------

## Death Valley Pete

Holy wow.

I tried it (with 256-bit encryption because I'm a tad OCD) with kernel 2.6.0 final. It works. I've been waiting for a guide to come out for a couple of months now, and hulk2nd, thank you very much.

I've already upgraded loop-aes (basically, repeat steps 2b and 2c) from 2.0c to 2.0d.

I'm thinking that when I upgrade my kernel (down the road) it will just be a matter of replacing the bzImage and that's it. Does that sound right?

Now I just need to figure out how to make this work with a gpg key on a usb stick... when and if I get the money for that I'll probably give it a shot. If anybody wanted to write a howto for that that would be even cooler.

I'm not sure I have the expertise to write an ebuild for the modified util-linux, but if I (or somebody) did would it be an appropriate thing to put into portage?

Perhaps you should submit the whole clean install onto an encrypted partition procedure to the alternative install guide.

Anyway, good work!

----------

## discomfitor

Have you tested it with udev?

----------

## hulk2nd

 *Death Valley Pete wrote:*   

> Holy wow.
> 
> I tried it (with 256-bit encryption because I'm a tad OCD) with kernel 2.6.0 final. It works. I've been waiting for a guide to come out for a couple of months now, and hulk2nd, thank you very much.
> 
> I've already upgraded loop-aes (basically, repeat steps 2b and 2c) from 2.0c to 2.0d.
> ...

 maybe i will add gpg and the usb stick thing to the howto. i already have some experience with that.

greets,

hulk

----------

## Gentoo Server

this is the power of gentoo 

one helps the other 

 :Razz: 

----------

## Lord Tocharian

First thanks a lot for your guide, it was very helpful.  I have all of my partitions encrypted with the exception of /boot and I really don't notice any slowdown at all.  

I know I would also greatly appreciate it if you added some information about working with gpg/a usb stick.  I don't think there is as much information about that on the internet and I am trying to figure out what is the correct way to do it.  Thanks   :Very Happy: 

----------

## hulk2nd

you are welcome!

yesterday i ordered a sony memory stick on ebay (cause my vaio has a memory stick reader). and guess why i bought it  :Razz:  as soon as it will arrive and as i got it working, i will give a message here. it is not hard at all, i think!

greets,

hulk

----------

## Lord Tocharian

I have been playing around with encryption and by using hulk2nd's great guide along with the loop-AES.README I have setup an encrypted root partition using a gpg encrypted key.  I thought I would add on to his guide with how I setup my system.

All I basically did is put the loop-AES.README into an easier to read format.  I would highly suggest reading the entire thing before attempting to encrypt your hard drive.  Also a current backup of your hard drive definitely helps.   :Very Happy:  

7.  Encrypt your current root partition using a gpg encrypted key.

7a) Requirements: 

- loop-AES-v2.0d (same as in 1. Requirements)

- latest loop-AES patch (loop-AES-v2.0d-20031226.diff.bz2)

- util-linux-2.12 (same as in 1. Requirements)

- Knoppix / Gentoo LiveCD (same as in 1. Requirements)

- gnupg-1.2.3

- aespipe-v2.2a

7b)  Recompile Kernel (2.6.x Instructions Only):

```
cd /usr/src/linux

make menuconfig
```

Follow Section 2a3 with the following exceptions:

Extra things to set:

```
CONFIG_MODULES=y
CONFIG_KMOD=y       (recommended but not required)
CONFIG_CRAMFS=n     (or CONFIG_CRAMFS=m)
```

Differences:

```
CONFIG_BLK_DEV_LOOP=n
```

This step is VERY important!  As opposed to the other guide, loop support cannot be in your kernel at all, not even as a module (therefore Cryptoloop support will not be built into your kernel)!

From the loop-AES.README:

 *Quote:*   

> After building and installing your new kernel, do not attempt to clean kernel tree, or rename path to kernel sources.

 

Follow the end of 2a3 to recompile your kernel and then optionally reboot into your new kernel (if you want to make sure it is working).

7c) Compile loop.o module for your kernel:

```
mkdir /tmp/enc
cd /tmp/enc
tar jxvf loop-AES-v2.0d.tar.bz2
bunzip2 loop-AES-v2.0d-20031226.diff.bz2
patch -p0 <./loop-AES-v2.0d-20031226.diff
cd loop-AES-v2.0d      # the Makefile is in the unpacked source tree, not in /tmp/enc
make clean
make LINUX_SOURCE=/usr/src/linux-2.6.0-gentoo
```

replace 2.6.0-gentoo with the kernel version you have.

7d) Install util-linux:

Use the instructions in 2b) install util-linux

7e) Setup GPG:

```
cd /tmp/enc/loop-AES-v2.0d

tar zxvf gnupg-1.2.3.tar.gz

cd gnupg-1.2.3

patch -p1 <../gnupg-1.2.3.diff

CFLAGS="-O2" LDFLAGS="-static -s" ./configure --prefix=/usr --enable-static-rnd=linux

make

rm -f /usr/share/man/man1/{gpg,gpgv}.1.gz

make install

chown root:root /usr/bin/gpg

chmod 4755 /usr/bin/gpg
```

7f) Test loop-AES:

```
cd /tmp/enc/loop-AES-v2.0d

make tests
```

From the loop-AES.README:

 *Quote:*   

> Makefile will display "*** Test results ok ***" message if tests are completed successfully. If tests fail, do not use the driver as it is broken.
> ...

 

7g) Build aespipe program:

```
cd /tmp/enc
tar jxvf aespipe-v2.2a.tar.bz2    # archive name assumed from the requirements list in 7a
cd aespipe-v2.2a
CFLAGS="-O2" LDFLAGS="-static -s" ./configure
make
make tests
cp -p aespipe /boot
```

7h) Copy kernel version specific loop.o to /boot/modules-KERNELRELEASE/

```
mkdir /boot/modules-2.6.0-gentoo

cp -p /lib/modules/2.6.0-gentoo/block/loop.*o /boot/modules-2.6.0-gentoo/loop.o
```

replace 2.6.0-gentoo with the kernel version you have.

7i) Create 64 random encryption keys and encrypt those keys using gpg.

```
umask 077

head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a >/boot/rootkey.gpg
```

7j) Build /boot/initrd.gz

Follow the bottom part of 2c) create the ramdisk to setup and execute your build-initrd.sh with the following changes:

- change USEGPGKEY to 1

- leave USEMODULE set to 1

I would note that I have used both AES128 and AES256 on the same system at different times and in my desktop usage I noticed no difference between the two as far as slow down.

7k) Modify /etc/fstab

Use the same procedure as in 2d) modifying /etc/fstab

7l) Edit grub.conf / lilo.conf

Use the same procedure as in 2e) modifying your grub.conf

NOTE: if you use lilo read the top of build-initrd.sh for instructions on how to setup lilo

7m) Do the actual encryption using some sort of bootable CD:

First reboot onto Knoppix/Gentoo LiveCD or some other form of bootable CD so your root partition will not be mounted.  Then do the following steps:

```
mkdir /mnt/tempboot

mount -r -t ext2 /dev/hda1 /mnt/tempboot
```

Replace /dev/hda1 with whatever your boot partition is, and change the type as well.

Finally encrypt your hard drive, this may take several hours depending on the size of your hard drive:

```
# aespipe and rootkey.gpg were copied to /boot, which is now mounted on /mnt/tempboot
dd if=/dev/hda2 bs=64k \
    | /mnt/tempboot/aespipe -e AES128 -K /mnt/tempboot/rootkey.gpg -G / \
    | dd of=/dev/hda2 bs=64k conv=notrunc
```

Replace /dev/hda2 with whatever your root partition is.

Unmount and reboot onto new encrypted partition!

```
umount /mnt/tempboot

sync

reboot
```
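A small shell helper, added here as an example (it is not code from the loop-AES project or from this HOWTO), that builds the 64-key file of step 7i and checks its shape before it is handed to gpg. It assumes GNU `base64 -w 60` in place of `uuencode -m` (both wrap the body at 60 columns, so the header/trailer stripping with `head`/`tail` is not needed) and reads `/dev/urandom` instead of `/dev/random` so it does not block; `make_keyfile`, `check_keyfile` and `encrypt_keyfile` are names chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the loop-AES project or the HOWTO.
# Step 7i's pipeline produces a loop-AES multi-key file: 2880 random bytes
# are 64 keys of 45 bytes, and each 45-byte key encodes to exactly one
# 60-character base64 line (no '=' padding, no partial line). The
# "head -n 65 | tail -n 64" in the original only strips the uuencode header
# and trailer; base64 -w 60 emits the same 64 body lines directly.

# Write the 64 key lines to the file named in $1. Keep that file on a
# RAM-backed filesystem: it is plaintext until encrypt_keyfile has run.
make_keyfile() {
    umask 077
    # /dev/urandom is assumed here; the HOWTO reads /dev/random.
    head -c 2880 /dev/urandom | base64 -w 60 > "$1"
}

# Verify a key file: exactly 64 lines, each exactly 60 base64 characters,
# no line repeated. Prints each problem found; returns non-zero on any.
check_keyfile() {
    awk '
        length($0) != 60 || $0 !~ /^[A-Za-z0-9+\/]+$/ {
            print "line " NR ": not a 60-character base64 key"; bad = 1
        }
        seen[$0]++ { print "line " NR ": duplicate key"; bad = 1 }
        END {
            if (NR != 64) { print "expected 64 key lines, found " NR; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Encrypt a verified key file symmetrically, as step 7i does, and remove
# the plaintext. gpg prompts for the passphrase, so this part is interactive.
encrypt_keyfile() {
    check_keyfile "$1" || return 1
    gpg --symmetric -a < "$1" > "$2" && rm -f "$1"
}
```

Run `make_keyfile /dev/shm/rootkey && encrypt_keyfile /dev/shm/rootkey /boot/rootkey.gpg` to reproduce step 7i with the check in between.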

----------

## hulk2nd

wow, this is awesome!

thanks for these additions! of course i will update the howto with this information (btw, thank you for keeping the same "layout" as the original howto, this makes it much easier).  i'm sure several people are very interested in this!

so big thanks again for the great work you have done here!!

greets,

hulk

----------

## innocentbeats

Hi, thank you for this interesting guide.

I have another question, I just want to encrypt one partition or filesystem, where I can "host" the home directory for example. 

I used the search function, but I did not find good results for the 2.6. kernel. I have the cryptoloop function compiled in. What steps do I have to take?

CU

Chris

----------

## hulk2nd

as far as i know you can even encrypt only one directory. but i haven't done this yet. have a look at the loop-aes readme or try to google.

greets,

hulk

----------

## innocentbeats

Searching google, it found this little how to:

http://www.ece.cmu.edu/~rholzer/cryptoloop_mini_howto.html

which is exactly what I was looking for, but when I typ this command

losetup -e aes-256 /dev/loop0 /dev/sda1

I get the error that the cipher is unknown, although it is definitely compiled into the kernel and it can be seen in /proc/crypto as well.

CU

Chris

----------

## hulk2nd

either boot with knoppix or do step 2b). the util-linux from the portage tree does not work with aes until you have patched it.

greets,

hulk

----------

## Lord Tocharian

I wanted to post an update regarding encryption using a gpg encrypted key.  After some reading I have not found a way to use the key to encrypt swap with.  Therefore it seems that swap is encrypted the same way as normal (step 4) in hulk2nd's guide, which works fine.

----------

## hulk2nd

have a look at this: http://www.sdc.org/~leila/usb-dongle/readme.html#doc_chap8. i actually could not figure out what it does. maybe you can see it. the guide seems to be incomplete but at least the swap encryption part looks complete.

greets,

hulk

----------

## ZaCi

Is it possible to easily encrypt other non-root or boot partitions? How?

----------

## hulk2nd

sure, have a look at the link innocentbeats posted before.

http://www.ece.cmu.edu/~rholzer/cryptoloop_mini_howto.html

this should suit your needs.

greets,

hulk

----------

## hulk2nd

so i'm right back from holidays and finally got my memory stick, but unfortunately i can't boot from it. obviously i can't boot from any external device like a usb stick. that is really bad but that's how it is, so no update for the howto in this case, at least from my side.

greets,

hulk

----------

## TPC

I messed it up  :Sad: 

I must have made the same typo twice while entering the pass-phrase because it doesn't work. I tried all common typos of that password that I can think of. I just can't get access to the root partition.

I probably have to re-install... but I'm just making sure that there isn't something I can do.

----------

## hulk2nd

hmm, that is strange cause you have to type the passphrase twice if you used the parameter 'T' in the losetup command. what error do you get? does it also not work with the knoppix cd? (maybe there is another keyboard layout)

maybe you had caps lock or num enabled?

----------

## TPC

oh, you're right! a different keyboard layout! why didn't I think of that? thanks!

----------

## hulk2nd

no problem!

have a look at the build-initrd.sh. you can enable the option to use another keyboard layout. it's not hard at all. just enable that option and copy the layout over to your /boot partition and you are done.

greets,

hulk

----------

## phlef

 *Lord Tocharian wrote:*   

> I have been playing around with encryption and by using hulk2nd's great guide along with the loop-AES.README I have setup an encrypted root partition using a gpg encrypted key.  I thought I would add on to his guide with how I setup my system.
> 
> All I basically did is put the loop-AES.README into an easier to read format.  I would highly suggest reading the entire thing before attempting to encrypt your hard drive.  Also a current backup of your hard drive definitely helps.   
> 
> 7.  Encrypt your current root partition using a gpg encrypted key.
> ...

 

Is there a way that the encrypted Root FS does not need a password?  For instance, I already have my gpg Private Key on floppy,  is there a way that the boot process verifies that the floppy in the drive has the proper gpg key and decrypts the FS w/o user intervention enabling me to unlock the FS by inserting the floppy before PowerOn? Thus allowing me to restart the Server remotely as long as the floppy is in the Server's Drive?

----------

## braindead0

You'll find that the gpg key on your floppy is your private key and encrypted using your passphrase.

otherwise, anybody that has the floppy could access your system.. not good security.

----------

## viperlin

i've got cryptoloop set up  :Smile: 

but when mounting my backup DVD's (yes correct password, i have correct cipher set  :Smile: )

```
$ mount /mnt/ecd
Password: 
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
       or too many mounted file systems
       (could this be the IDE device where you in fact use
       ide-scsi so that sr0 or sda or so is needed?)
$
```

sadly the "auto" filesystem type does not seem to work with cryptoloop anymore.

fstab entry:

```
/dev/sr0                /mnt/ecd        udf            defaults,user,noauto,encryption=aes-256,itercountk=100 0 0
```

EDIT:

latest fstab entry:

```
/dev/sr0                /mnt/ecd        auto            defaults,user,noauto,encryption=aes-256          0 0
```

seems better but now i get:

```
mount: /dev/loop0: can't read superblock
```

----------

## braindead0

I followed the instructions and double checked everything, after the ramdisk loads I get an error that VFS can't open /dev/ram0

```
RAMDISK: Compressed image found at block 0
VFS: Cannot open root device "ram0" or ram0
Please append a correct "root=" boot option
```

I tried without the root=/dev/ram0 option, and with root=/dev/loop5, with no luck on that front.  I double checked my kernel config (2.6.1) and I've got all the options specified, triple checked ram disk support and initrd support, both are as they should (with automount option).

Could this have anything to do with that I'm running SCSI drives?

Any suggestions?  Luckily I'm going this on my laptop

**** Scratch all that above, found the problem.  In my grub.conf I had incorrectly specified minux filesystem, instead of minix!   :Wink: .

typed linux way too many times I think...  Booting up like a champ now.  Perhaps this message will help somebody else..

----------

## braindead0

Which leads to another question, how come /dev/loop/5 is shown twice when running mount (or df for that matter)?

I've only got one line in fstab mounting it... should that be removed because the initrd does the mount?

----------

## hulk2nd

hi there,

i'm terribly sorry, but my gentoo is broken atm, so i can't answer some questions. you know, almost always you have to sit in front of your computer to understand a problem and that is sadly impossible for me atm. hopefully there's somebody else out there who can help you.

@viperlin

for me this looks as if you forgot to include either the filesystem of your root partition or devfs support. i would check the kernel config and the build-initrd.sh again. which method did you choose?

greets,

hulk

----------

## viperlin

erm, none, if you read the post you would know i'm trying to read an encrypted DVD, i can read other DVD's so i have filesystem support.

i have no initrd as i don't use encrypted filesystems for harddrives on this PC, only my old backups.

trying not to sound insulting but, well.   :Rolling Eyes: 

----------

## hulk2nd

oh indeed, sorry about that!

ok then did you have a look at this tutorial? i saw it once so maybe this could help you!

greets,

hulk

----------

## viperlin

 *hulk2nd wrote:*   

> oh indeed, sorry about that!
> 
> ok then did you have a look at this tutorial? i saw it once so maybe this could help you!
> 
> greets,
> ...

 

yep it gave me the original idea , but thanks  :Smile:  i'll keep experimenting

----------

## revoohc

I need some help.  I followed the instructions for building a clean encrypted system.  I have used a 2.6 kernel (gentoo-dev-sources) and everything seemed to go well.  However, when I try to boot into gentoo, it does not accept my password.  Any ideas what might be going on?  I can boot back into Knoppix and am able to load the encrypted root file system w/o a problem.

Any advice would be appreciated.

Thanks,

revoohc

----------

## hulk2nd

maybe you used another keyboard layout in knoppix than the default one that is chosen when booting into gentoo?

what is the exact error message you get?

greets,

hulk

----------

## kritip

The latest util-linux in portage, util-linux-2.12-r4.ebuild, has the following references:

```
IUSE="crypt nls static pam selinux"
```

```
CRYPT_PATCH_P="${P}-cryptoapi-losetup"
SELINUX_PATCH="util-linux-2.12-selinux.diff.bz2"

DESCRIPTION="Various useful Linux utilities"
SRC_URI="mirror://kernel/linux/utils/${PN}/${P}.tar.gz
        ftp://ftp.cwi.nl/pub/aeb/${PN}/${P}.tar.gz
        crypt? ( mirror://gentoo/${CRYPT_PATCH_P}.patch.bz2 )"
HOMEPAGE="http://www.kernel.org/pub/linux/utils/util-linux/"
```

If i have crypt in my global use flags, then will the encryption patch be applied to the install, or is this something different?? 

I may be starting to encrypt my PC, so i may give the standard portage util-linux a go unless anyone corrects me, and this is to do with something completly different??!!

Cheers,

Kristian


----------

## hulk2nd

i'm nearly sure that is not the needed patch. you can try that easily: emerge util-linux and then type losetup. keep the output in your mind or on another console and then install util-linux after the tutorial (by hand) and type losetup. if the one installed by hand gives you another output (a few more options and a few more lines) then it is still needed to install it by hand. otherwise use the one from the portage tree.

greets,

hulk

----------

## kritip

 *hulk2nd wrote:*   

> i'm nearly sure that is not the needed patch. you can try that easily: emerge util-linux and then type losetup. keep the output in your mind or on another console and then install util-linux after the tutorial (by hand) and type losetup. if the one installed by hand gives you another output (a few more options and a few more lines) then it is still needed to install it by hand. otherwise use the one from the portage tree.
> 
> greets,
> 
> hulk

 

Yep, i think you are correct, so i have gone ahead and manually patched and installed it.  Got a quick question though, at present i have the following entry in grub.conf:

```
title Gentoo Testing (2.6.1-mm5)
root    (hd0,0)
kernel  (hd0,0)/boot/2.6.1-mm5 root=/dev/hde3 vga=792
```

and the guide states to change it to:

```
title=Gentoo/GNU Linux 1.4 Encrypted ROOT
root (hd0,0)
kernel (hd0,0)/bzImage root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz
```

so do i omit the /boot/2.6.1-mm5 and just change it to /bzImage??

I presume the kernel is the one i have built but will not be mounted under /boot so should i have /2.6.1-mm5 ??

IE. To this: 

```
title Gentoo Testing Encrypted (2.6.1-mm5)
root    (hd0,0)
kernel  (hd0,0)/2.6.1-mm5 root=/dev/ram0 init=/linuxrc rootfstype=minix
initrd=/initrd.gz
```

Cheers for your help, and please forgive my lack of knowledge, i just want to check that im gonna do this right!!  :Wink: 

Cheers,

Kristian

----------

## hulk2nd

i think you can leave the kernel part as it is. i assume you use genkernel? i have no experience with that, but if you compile your kernel on your own, it is always kernel (hd0,0)/bzImage or kernel (hd0,0)/boot/bzImage. it does not make any difference if you have the /boot in the line or not.

so, i think it is ok the way it is already. changes according to the place of your kernel are not needed for the whole encryption thing.

greets,

hulk

----------

## kritip

 *hulk2nd wrote:*   

> i think you can leave the kernel part as it is. i assume you use genkernel? i have no experience with that, but if you compile your kernel on your own, it is always kernel (hd0,0)/bzImage or kernel (hd0,0)/boot/bzImage. it does not make any difference if you have the /boot in the line or not.
> 
> so, i think it is ok the way it is already. changes according to the place of your kernel are not needed for the whole encryption thing.
> 
> greets,
> ...

 

Ok, cheers. I don't use genkernel but i manually compile it, and then rename it to the kernel version and patch level, hence the name of it. I think i have it sorted, i shall probably know by tomorrow.

As another question, when you use knoppix, the only special program is losetup, so could you not just boot off any rescue cd, mount /boot which is home to the losetup that was compiled and copied during the install, and just use that instead??

Kristian

----------

## hulk2nd

yes, it should be possible to use the losetup binary in combination with every other rescue cd, but i have not tested it.

greets,

hulk

----------

## kritip

Well, i found a Knoppix CD lying about, v3.3, so i used that in the end. After running the dd command, it stated:

```
I/O error
30623+1 records in
30623+1 records out...
```

it listed the duration (about 30 mins) and it then said it was successful or something along those lines, great i thought.

Upon rebooting, the kernel begins to load, loads my drivers, mounts /dev, then says freeing space from kernel (157K) or something like that, and hangs.

It does state it found a ram disk and a compressed image at 0 and seems to uncompress it. I get no prompt for a password as it hangs though  :Sad: 

Now i'm not sure if it's something i've done or to do with the error that was listed when i ran dd ......

I guess i will have to fiddle tomorrow to try and fix it. Any ideas would be more than welcome though   :Smile: 

Cheers,

Kristian

----------

## lghman

Just wanted to say thanks hulk2nd.  Freakin excellent job on the howto, worked like a damn charm for me!   :Wink: 

--sonik

----------

## hulk2nd

 *kritip wrote:*   

> 
> 
> ```
> I/O error
> 
> ...

 

i don't remember that i/o error ...

in fact it doesn't look very well. i'm very sorry about that, i have no idea what to do ...

hope you backed up the important data ...

sorry

@sonikntails

glad to hear that. you're welcome   :Very Happy: 

----------

## franklin

Have you looked at the file /etc/conf.d/crypto-loop?

Could I have more info about it, since the link to it is down.

And, where can I find build-initrd.sh?

----------

## kritip

 *hulk2nd wrote:*   

>  *kritip wrote:*   
> 
> ```
> I/O error
> 
> ...

 

Very odd, i posted a big reply yesterday and it is nowhere to be seen!! Perhaps i hit preview and then closed the browser!!???

Anyway, the I/O error seemed to be no problem as i am now running unencrypted again after not being able to successfully boot. I tried rebuilding my kernel twice, checking all the options, rebuilding losetup with the aes patch twice, messing around with boot commands in grub, all to no avail!!! I even read in build-initrd.sh that i shouldn't use the root= line in grub as i use devfs and 2.6 kernel, so i ran rdev /kernel-version /dev/ram0 and removed the root= line, but it did exactly the same!

It just hung on freeing kernel memory!

I have given up for now, the only thing i think it could be is the HPT374 controller my drives sit on, although it is compiled into my kernel, or that in build-initrd.sh i specified /dev/discs/disc0/part3 whereas my mount command gives me /dev/ide/host2/bus0/target0/lun0/part3, both exist though!!??

Cheers anyway for the great guide, it was an experience, and i will try again in a few weeks,

Kristian

----------

## kritip

 *franklin wrote:*   

> Have you look the file /etc/conf.d/crypto-loop?
> 
> Could I have more info about it, since the link to it is down.
> 
> And, where can I find build-initrd.sh?

 

build-initrd.sh will be in your /tmp/enc/loop-AES-v2.0d/ directory, or wherever you extracted it.

Kristian

----------

## TheCoop

so does the current util-linux-2.12-r4 work properly so you can run an encrypted root, or do you still need to install your own version? why doesn't util-linux just include the patch you patch yourself?

----------

## franklin

Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.

----------

## kritip

 *franklin wrote:*   

> Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition.

 

I believe it is not any type of journalled file system, just certain ones, depending on how they write data to the disk. I believe that Reiserfs and XFS are OK in the way they order the data in their default configuration, but i do not have any references to hand, so don't solely rely on my information. I personally tried it with Reiserfs 3.6 and successfully encrypted, used, and then decrypted my root partition.

Kristian

----------

## franklin

 *kritip wrote:*   

>  *franklin wrote:*   Since it is not recommended to use a journaling filesystem, I would like to know what type of filesystem you use on your encrypted root partition. 
> 
> I believe it is not any type of journalled file system, just certain ones, depending on how they write data to the disk. I believe that Reiserfs and XFS are OK in the way they order the data in their default configuration, but i do not have any references to hand, so don't solely rely on my information. I personally tried it with Reiserfs 3.6 and successfully encrypted, used, and then decrypted my root partition.
> 
> Kristian

 

Thx for the info, I will try it with Reiserfs

----------

## nx12

One question: somebody have working software suspend on encrypted swap?

I'm going to try it out, but can't find any materials about that. On swsusp.sourceforge.net they write that it's supported but I could not find anything neither in google nor in their mailing archives.   :Crying or Very sad: 

So it could be great if someone posted his experiences with encrypted swsusp.  :Rolling Eyes: 

----------

## gmoney

Just a word of advice, if you're doing this with the 2.6 kernel and your modules end with .ko instead of .o, you need to change the build-initrd.sh script so that it will look for loop.ko instead of loop.o (if you're using the loop module and not the in-kernel crypto).  I've been stumped on this for an hour but it's working fine now.  I was using the loop-aes 2.0d so maybe they've fixed this in the latest version but if not, just change line 389.  Other than that, fantastic guide and great work to the loop-aes guys.  I owe you a beer if you're ever in Santa Barbara, CA, USA.

----------

## sciwhiz007

Two things, a question and a word of advice.

Where does it say that journalling file systems are not recommended for our purposes? If you read through the loop-AES readme, it specifically states this:

 *Quote:*   

> 2.2. Use of journaling file systems on loop device
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Don't use a journaling file system on top of file backed loop device, unless
> ...

 

What this means is that you can have a journalling file system on a loop device that's backed by a device, such as /dev/hda1 or /dev/sda1, but it is not recommended to have a journalling file system on a file backed loop device, such as one you create by typing this in.

```
dd if=/dev/zero of=loop.img bs=1k count=65536
losetup -e AES128 -S XXXXXX -T /dev/loop1 loop.img
mke2fs /dev/loop1
mount -t ext2 /dev/loop1 /mnt/loop
```

Now for my tip, which may not be useful to most people. But just in case you've been trying to patch the hardened-sources kernel with the loop-AES patch and haven't had much success, you could try what I did. Essentially what I'm doing is removing the cryptoloop patch applied to the hardened-sources kernel and then patching it with loop-AES.

```
cd /usr/src
cp /usr/portage/distfiles/patches-2.4.22-hardened.tar.bz2 ./
tar -xjvpf patches*.bz2
wget http://aleron.dl.sourceforge.net/sourceforge/loop-aes/loop-AES-v2.0e.tar.bz2
tar -xjvpf loop-A*.bz2
cd linux
patch -Rp1 -i ../2.4.22-hardened/70_crypto*.patch      # Remove the patch
patch -Np1 -i ../loop-A*/kernel-2.4.24.diff            # Apply the new patch
rm -rf ../*.bz2 ../2.4.22-hardened ../loop*
make menuconfig
```

Of course, I make a number of assumptions in the above code. I assume that you're patching hardened-sources-2.4.22 (any release), that your /usr/src/linux symlink correctly points to /usr/src/linux-2.4.22-hardened and that your portage distfiles are located at /usr/portage/distfiles. If any of this doesn't apply to you, you'll obviously have to change the code to suit your needs. Also, if you want to see whether a patch applies successfully, you can use the --dry-run switch with patch.

Hope that helps!

----------

## nx12

Hi there.

I still dream about suspend to loop device. But the only thing I've found is a patch for the 2.6.0 kernel supposed to work only with the built-in swsusp, not the one from swsusp.sourceforge.net.

You can try it out there.

But even so it doesn't compile with kernel-2.6.1. It exits with error.  :Sad: 

May be someone has any ideas how to encrypt swsusp?  :Rolling Eyes: 

Currently I'm using encrypted root filesystem with absolutely unencrypted suspend to disk. And it's really a stupid thing...  :Twisted Evil:   :Twisted Evil: 

----------

## Phrenic

first of all, thanks hulk2nd, great guide.  Very simple to use.  I have one question that I'm still a little confused about.  I already encrypted my root and swap, but I was wondering if I could encrypt another hard drive as well.  I read the http://www.ece.cmu.edu/~rholzer/cryptoloop_mini_howto.html

 but am still confused.  Do I have to use a different loop device from my root partition, or can I just run a command to convert it to the same cryptography as the root drive?  It'd be nice if my root encryption password would unlock everything.  Do I do it more like the swap space where you don't have to run losetup?  Thanks.

----------

## sciwhiz007

I recently decided to put a system of mine that was lying around to some good use and hence decided to set up Gentoo on it as well, but with an encrypted root partition and read-only boot partition on CD-ROM. Using hulk2nd's amazing guide, I got through it quite successfully. Well, almost. The problem arises when I boot the system. Essentially what happens is when it displays the message "Encrypted root filesystem...", it encounters an error and prints 

```
Command "/lib/losetup -e AES128 -S XXXXX /dev/loop/0 /dev/discs/disc0/part1" returned error.
```

It then continues to do this 5 times and then halts the system. Now, I've checked and rechecked the seed, so there's nothing wrong there. I'm also positive about the /dev/discs.. entry, because my root partition is /dev/hda1. I realize this information is a bit vague, so I'll try to give more information. I'm running kernel 2.4.22-hardened and util-linux 2.12 with loop-AES 2.0e. Running file on losetup returns 

```
file losetup
losetup: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.4.1, statically linked, stripped
```

My isolinux.cfg is as follows: 

```
DEFAULT vmlinuz initrd=initrd.gz root=/dev/ram0 rootfstype=minix init=/linuxrc 
```

The relevant options in build-initrd.sh are as follows: 

```
BOOTDEV=/dev/cdroms/cdrom0
BOOTTYPE=iso9660
CRYPTROOT=/dev/discs/disc0/part1
ROOTTYPE=reiserfs
CIPHERTYPE=AES128
PSEED="-S XXXXXX"
USEMODULE=0
USEPIVOT=1
INITRDONLY=0
ROOTLOOPINDEX=0
TEMPLOOPINDEX=7
USEDEVFS=1
USEROOTSETUP=0
```

For obvious reasons, I replaced the real seed with XXXXXX for displaying purposes. If there's any other information you would like me to provide, please feel free to ask. Note that I can freely access the partition as normal when I use Knoppix. My system has been unbootable (if there is such a word) for the past few days and this really is very frustrating. Thanks in advance for any help or insight you can provide!

----------

## gmoney

A new version of loop-aes will be out soon to address the problems of having a loop.ko instead of a loop.o like build-initrd.sh expects.  One other problem I ran across is that on my highly tweaked ~x86 system, any initrd I built would fail.  I tried a few different things and it turns out that enabling dietlibc support (DIETLIBC=1) in build-initrd fixed my problems.  Just make sure to emerge dietlibc first or you'll get some complaints.  This works for both devfs and udev enabled kernels.

One problem I haven't fixed yet is having / mounted twice.  I haven't dug around too much yet but if anyone else gets something similar to 

```
/dev/loop/5 on / type ext3 (rw,noatime)
/dev/loop5 on / type ext3 (rw,noatime)
```

and they have a fix, I would love to hear it.

----------

## braindead0

I think there's something missing in:

"4. Encrypt a clean root partition while installing gentoo"

The first step is to boot with knoppix cd, then several steps later ' continue with Step "8. Stage tarballs and chroot" from the Gentoo Installation doc.'

How can you install stage tarballs and stuff, when booted up on the knoppix cd???

----------

## hulk2nd

you can install gentoo with mostly every linux live cd. there is no need to use the gentoo cds. 

of course, the stage tarballs are not included in a knoppix iso, so you have to get it from somewhere else (from the net, from your lan, or from any other storage device) but since you need internet access to install gentoo at all, i can't see any differences.

greets,

hulk

----------

## braindead0

Yeah, I suppose once you've got a stage tarball you're good to go.. I usually use the one on the CD as I want to rebuild everything....

Just seems that there could be some mention of this  :Wink: 

----------

## Gentoo Server

this howto has some bugs with 2.6 so i post the right stuff to save somebody else time

all part i payback to gentoo community

1) add as usual cryptoloop, cipher etc to your kernel

check cipher with

```
cat /proc/crypto
name         : blowfish
module       : blowfish
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56
```

if you can't losetup with cipher not found or something like that emerge losetup new (emerge linux-util) 2.12 then losetup works

new losetup has new syntax

```
losetup -e blowfish-128  /dev/loop0 /dev/md0
```

you have to add the keysize after the cipher

so to make an encrypted drive

1) start drive e.g. raidstart /dev/md0

2) add crypt losetup -e blowfish-128  /dev/loop0 /dev/md0 (you can enter the password only one time)

3) make filesystem mkreiserfs /dev/loop0

4) add fstab

```
/dev/md0                /mnt/crypt      reiserfs        noauto,noatime,loop,encryption=blowfish-128     0 0
```

now you can mount your crypt drive with mount /mnt/crypt

each start you need to start raid in my example

```
raidstart /dev/md0
```

then mount your crypt with mount /mnt/crypt

enter pass

if your pass is ok you can use your crypt drive

use blowfish-128 which is 100% secure and less cpu demand than other ciphers

please add that stuff to this howto to save time for other people!
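As an added example that is not from Gentoo Server's post, from loop-AES or from util-linux: a POSIX shell script that checks a "cipher-bits" spec the way the post checks `cat /proc/crypto` by hand (key sizes there are in bytes, the losetup/fstab suffix is in bits) before the spec goes into `losetup -e` or an fstab `encryption=` option, and prints the fstab line the post uses. The /proc/crypto sample is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from loop-AES/util-linux: validate a
# cryptoloop cipher spec ("cipher-bits", e.g. blowfish-128) against the kernel's
# /proc/crypto before putting it into "losetup -e" or an fstab encryption= option.
# /proc/crypto reports key sizes in BYTES, the losetup/fstab suffix is in BITS.

# Constructed sample of /proc/crypto (one record per registered algorithm,
# records separated by a blank line); a real box reads the live file instead.
SAMPLE_CRYPTO='name         : blowfish
module       : blowfish
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56

name         : aes
module       : aes
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : sha256
module       : sha256
type         : digest
blocksize    : 64
digestsize   : 32
'

# cipher_keysize_range NAME [FILE]
# Prints "MIN MAX" (bytes) for the cipher record NAME in FILE (default
# /proc/crypto, "-" for stdin). Returns 1 if no such cipher is registered,
# which is the "cipher not found" case: module not loaded or not built in.
cipher_keysize_range() {
    awk -v want="$1" '
        function flush() {
            if (rec["name"] == want && rec["type"] == "cipher") {
                print rec["min keysize"], rec["max keysize"]
                found = 1
            }
            for (k in rec) delete rec[k]
        }
        /^[ \t]*$/ { flush(); next }          # blank line ends a record
        {
            i = index($0, ":")
            key = substr($0, 1, i - 1); sub(/[ \t]+$/, "", key)
            val = substr($0, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            rec[key] = val
        }
        END { flush(); exit (found ? 0 : 1) }
    ' "${2:-/proc/crypto}"
}

# check_cipher_spec SPEC [FILE]
# Returns 0 when SPEC names a registered cipher and its bit count, divided by
# 8, lies within that cipher's min..max key size; otherwise prints why and
# returns 1 (the same mistakes that make losetup or mount fail at setup time).
check_cipher_spec() {
    spec=$1
    file=${2:-/proc/crypto}
    cipher=${spec%-*}
    bits=${spec##*-}
    case $bits in
        ''|*[!0-9]*)
            echo "$spec: no key size in bits; new losetup needs e.g. ${cipher}-128"
            return 1 ;;
    esac
    range=$(cipher_keysize_range "$cipher" "$file") || {
        echo "$spec: cipher '$cipher' not registered (load the module or build it in)"
        return 1
    }
    min=${range% *}
    max=${range#* }
    bytes=$((bits / 8))
    if [ $((bits % 8)) -ne 0 ] || [ "$bytes" -lt "$min" ] || [ "$bytes" -gt "$max" ]; then
        echo "$spec: $bits bits = $bytes bytes, but $cipher takes $min..$max bytes"
        return 1
    fi
    echo "$spec: ok ($bytes-byte key, $cipher takes $min..$max bytes)"
}

# fstab_line DEV MOUNTPOINT FSTYPE SPEC
# The fstab form used in the post: mount(8) attaches the loop device itself,
# so the entry (and the mount command) names the real device, not /dev/loopN.
fstab_line() {
    printf '%s\t%s\t%s\tnoauto,noatime,loop,encryption=%s\t0 0\n' "$1" "$2" "$3" "$4"
}

# Demo against the constructed sample; drop the "-" argument on a real system.
for spec in blowfish-128 aes-256 blowfish-512 aes-64 blowfish twofish-256 sha256-256; do
    printf '%s' "$SAMPLE_CRYPTO" | check_cipher_spec "$spec" - || true
done
fstab_line /dev/md0 /mnt/crypt reiserfs blowfish-128
```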

----------

## echo6

 *Gentoo Server wrote:*   

> if you cant losetup with cipher not found or something like that emerge losetup new (emerge linux-util)

 Shouldn't that be emerge util-linux ?

----------

## Gentoo Server

 *echo6 wrote:*   

>  *Gentoo Server wrote:*   
> > if you cant losetup with cipher not found or something like that emerge losetup new (emerge linux-util)
>
> Shouldn't that be emerge util-linux ?

 

yes

typo

----------

## TheCoop

I'm thinking about an encrypted raid setup with reiser4 as the fs, am i just taking my life into my own hands here?

----------

## compuboy86

I'm certainly not an authority on this but it seems to me that encrypting a raid array wouldn't allow for rebuilding the array (should a drive go down)  Software raid might work.  Any thoughts?

----------

## Gentoo Server

 *TheCoop wrote:*   

> I'm thinking about an encrypted raid setup with reiser4 as the fs, am i just taking my life into my own hands here?

 

when you are using encryption anyway your performance is low

use reiser3 then

when your files are cached you will have good speed

----------

## bluephile

I'm having trouble getting this to work. I'm trying to use method number 6 (with a GPG key). When I run "make tests," I get this about 15 seconds into the test:

```
md5sum test-file1 >test-file2
echo "cb38b603f96f0deac1891d423983d69c  test-file1" | cmp test-file2 -
cmp test-file3 test-file4
make[1]: Leaving directory `/tmp/enc/loop-AES-v2.0e'
make test-part2 CT=AES128 ITER=0 HF=sha256 GK="-K gpgkey2.asc -G test-dir1" MD=f9825b79873f5c439ae9371c1a929a6c TF=test-file1 PSW=12345678901234567890
make[1]: Entering directory `/tmp/enc/loop-AES-v2.0e'
echo 12345678901234567890 | /sbin/losetup -p 0 -e AES128 -H sha256 -C 0 -K gpgkey2.asc -G test-dir1 /dev/loop7 test-file1
ioctl: LOOP_MULTI_KEY_SETUP: Invalid argument
make[1]: *** [test-part2] Error 1
make[1]: Leaving directory `/tmp/enc/loop-AES-v2.0e'
make: *** [tests] Error 2
```

I'm not sure what other info you might need. I am doing this with loop-AES-v2.0e, but I had identical problems with f. I'm hesitant to go back too many versions for fear of what other bugs might be in them.

Thank you very much for all the time and effort you've put into this tutorial!

Cheers,

Bluephile

----------

## yottabit

Can't seem to figure out how to setup swap part with GPG key. I've done this:

```
losetup -e AES256 -K /mnt/floppy/rootkey.gpg /dev/loop6 /dev/hda2
```

I guess this encrypts /dev/loop6 -> /dev/hda2 to my GPG key. It asks for my password, so I guess it worked.

And then I've made the guide-recommended changes to my /etc/fstab, but when I mount /dev/hda2 I get this:

```
# mount /dev/hda2
Password:
ioctl: LOOP_SET_FD: Device or resource busy
```

Any ideas?

Cheers,

J

----------

## yottabit

Okay, it works... I did what I said in the previous post and then just rebooted...

Still not sure why I had to reboot though...

J

----------

## Gentoo Server

as cryptapi seems to be buggy and broken and is replaced with dm-crypt i suggest rebuilding this howto with dm-crypt, it's pretty easy

cryptapi is dead and will be deleted soon from kernel!

----------

## MrPrez

I tried to encrypt my root partition. But after rebooting and typing in my password the computer reboots again  :Sad:  There are no entries in /var/log/messages or /var/log/kern.log

My Configuration:

build-initrd.sh

```
BOOTDEV=/dev/hda8
BOOTTYPE=ext2
CRYPTROOT=/dev/hda6
ROOTTYPE=ext3
CIPHERTYPE=AES128
LOINIT="-I 0"
USEGPGKEY=0
GPGKEYFILE=rootkey.gpg
EXTERNALGPGFILES=0
EXTERNALGPGDEV=/dev/fd0
EXTERNALGPGTYPE=ext2
USEMODULE=0
USEPIVOT=1
INITRDONLY=0
SOURCEROOT=
DESTINATIONROOT=
DESTINATIONPREFIX=/boot
INITRDGZNAME=initrd.gz
ROOTLOOPINDEX=5
TEMPLOOPINDEX=7
LOOPMODPARAMS=""
USEDEVFS=0
LOADNATIANALKEYB=0
INITIALDELAY=0
TOOLSPROMPT=0
USEROOTSETUP=0
USEDIETLIBC=1
```

lilo.conf:

```
menu-scheme=Wb
boot = /dev/hda
disk=/dev/hda
  bios=0x80
  cylinders=15017
  heads=255
  sectors=63
prompt
append="apm=on,power_off"
map = /boot/System.map
lba32
timeout=200
delay = 50
vga = 791
image = /boot/bzImage-2.6.4
append = "init=/linuxrc rootfstype=minix"
initrd = /boot/initrd.gz
root = /dev/ram0
label = crypted
read-only
```

fstab:

```
/dev/hda1               /win            ntfs            defaults                                                 0 0
/dev/loop5              /               ext3            defaults                                                 0 0
/dev/hda4               /data           ext3            defaults,loop=/dev/loop2,encryption=aes-128              0 0
/dev/hda8               /boot           ext2            defaults                                                 0 0
/root/.crypto           /root/crypted   ext2            defaults,noauto,loop=/dev/loop3,encryption=aes-256       0 0
#Swap
/dev/hda7               none            swap            sw,loop=/dev/loop4,encryption=aes-128                    0 0
```

I can't find any fault, I don't know why it doesn't work  :Sad: 

----------

## MrPrez

I tried it with "/dev file system support" and it works. But this configuration isn't what I want. Any idea why it won't work without?

----------

## Mr Evil

many thanks to hulk2nd and Lord Tocharian ! this guide definitely rocks !

as i am in the process of installing a new system which i want fully encrypted, i got to the following question: how useful (or counterproductive) is it to use losetup seeding together with gpg keys?

couldn't find any documentation on that.

as i understand it, the key passed to losetup is passed on to gpg, which will use the key to decrypt the real keys which are used for the multikey hd encryption?

adding seed to losetup would then

a) change (salt/seed) the key passed on to gpg? OR:

b) change (salt/seed) the key(s) from gpg used for en/decryption?

so in my opinion adding seed would not really have any effect, since the keys given back by gpg should already be dictionary attack safe? (in both cases) (given that the gpg keys were generated randomly, as described in the tutorial)

sorry for so many questions  :Wink: 

----------

## MrPrez

 *MrPrez wrote:*   

> I tried it with "/dev file system support" and it works. But this configuration isn't what I want. Any idea why it won't work without?

 

I forgot to create the necessary device node files on the new file system:

```
# mknod -m 660 /dev/console c 5 1
# mknod -m 660 /dev/null c 1 3
```

----------

## GentooBox

I just followed this guide, and now i can't start my system normally.

I have a 2.6 kernel and i installed linux-utils with the patch from loop-AES.

When i startup my kernel then it shows kernel messages (it boots), but then a error comes up:

 *Quote:*   

> 
> 
> Unable to mount hda1 on /lib
> 
> system halted
> ...

 

:S i don't know what to do, i can't figure out WHY it wants to mount my boot partition at /lib.

in build-initrd.sh from loop-AES it also mounts my boot partition at /lib - its in the script.

help me getting my system back.   :Rolling Eyes: 

----------

## Takker

Hi!

For weeks I've been reading this guide now, trying things out, and today I've found the time to finish it.

Well, I'd like one special partition (which is SATA -> sda6 over here) encrypted. The key should be entered once after a reboot, no USB key stick or that stuff.

Thx to Gentoo Server post above it worked for me with the 2.6:

 *Quote:*   

> 
> 
> this howto has some bugs with 2.6 so i post the right stuff to save somebody else time 
> 
>  all part i payback to gentoo community 
> ...

 

I just followed the steps ... changed them a bit for my system here. So I did something like this (I don't remember exactly, but it should be all right in general)

Remember to enable the cipher you like and cryptoloop in the kernel  :Smile: 

1) add crypt losetup -e blowfish-128 /dev/loop0 /dev/sda6 (you can enter the password only one time) 

2) make filesystem mkreiserfs /dev/loop0 

3) I added the following line to fstab

```
/dev/sda6 /opt/glftpd/site/crypt reiserfs noauto,users,noatime,loop,encryption=blowfish-128 0 0
```

Well, encryption works as I have to enter a password when I mount the drive (wrong pw -> error with filesystem).

However, mounting /dev/sda6 is confusing me a bit; don't I have to mount /dev/loop0 (which actually doesn't work)?

Has somebody a small explanation or maybe anybody has some more tips etc?

----------

## tracker

In no particular order:

 *TheCoop wrote:*   

> I'm thinking about an encrypted raid setup with reiser4 as the fs, am i just taking my life into my own hands here?

 

Let us all know how that goes/went.  Be sure to throw some LVM in as well for good measure.  Oh, and do it on an Opteron box.

 *compuboy86 wrote:*   

> I'm certainly not an authority on this but it seems to me that encrypting a raid array wouldn't allow for rebuilding the array (should a drive go down)  Software raid might work.  Any thoughts?

 

RAID (1,3,4,5) bases its parity data on the low-level contents of the partition, rather than the actual high-level contents (files and folders) of your filesystem, so encrypting the blocks your filesystem sits on really doesn't matter one way or the other to a RAID controller (it will calculate the parity for the encrypted data instead).  On top of that, you COULD run a software RAID on some cypher-loops, and then run the resulting /dev/md* through a cypher-loop, but .... don't do that.

 *Gentoo Server wrote:*   

> when you are using encryption anyway your performance is low 
> 
> use reiser3 then 
> 
> when your files are cached you will have good speed

 

Reading from the HD is several orders of magnitude more time consuming than manipulating data in RAM and usually when intense filesystem activity is going on, the CPU and RAM aren't being utilized fully (they're waiting on the FS operation to complete).  It's been a while since my last thesis on this, but as I remember, block cipher operations are pretty much O(n) (as compared to block compression operations, thank you NTFS), so you can sneak an encryption/decryption operation into a block device without too much of a hit to your CPU/RAM (which is fine, since they're usually not the bottleneck anyways).

According to Hans Reiser, v4 is "the fastest filesystem".  http://www.namesys.com/benchmarks.html

File caching is nice if you have the RAM, but usually people have more space on disk than they do RAM.

/replies

I'm deploying a server into a hostile physical environment.  It's all old hardware, so I'm really not too worried about someone hitting it with a truck or otherwise lighting it on fire, but to facilitate several key functions of this server, it has passwordless SSH keys that handle unmanned logins to some fairly important servers, keys I don't want falling into the wrong hands, like those of a kid with a Knoppix CD for example.

I've been looking into encryption of the root partition (the only partition besides boot and swap, is 2G in size and currently has ~600M used with a full portage tree and kernel sources sitting in /usr/src.  Filesystem is ReiserFS btw).  Due to the possibility for abuse, the node will be headless (possibly even hidden in a ceiling); and it's fairly hard to enter a password when there's no keyboard attached.

I decided to follow Option 3 of the howto, encryption with a gpg key.  The following are my setup notes.

Hardware:

AMD-K6, 400mhz processor (64K cache)

64M,16M RAM

WDC AC22500L 2.5G running in udma2 mode

Kernel: Linux 2.6.5-love4

In 3i

```
umask 077
head -c 2880 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg --symmetric -a >/boot/rootkey.gpg
```

Changed --symmetric to --store.  I don't want a password on this encryption key.

In 3j -> 2c2

```
*****************************************************************
***  This script was configured to build linuxrc using        ***
***  dietlibc, but it appears that dietlibc is unavailable.   ***
***  Script aborted.                                          ***
*****************************************************************
```

Apparently dietlibc should be in the requirements as well, I emerged it and continued on.

In 3m

```
dd if=/dev/hda2 bs=64k \
            | /mnt/aespipe -e AES128 -K /mnt/rootkey.gpg -G / \
            | dd of=/dev/hda2 bs=64k conv=notrunc
```

Shouldn't /mnt/aespipe be /mnt/tempboot/aespipe?  same for /mnt/rootkey.gpg.

Note: The current version of Loop-AES (v2.0g) recognizes "ko" as being the proper kernel module extension for the 2.6 series.  Had to change "loop.o" to "loop.ko".

After several runs through Knoppix, I got it working.  On to performance testing.

```
# hdparm -tT /dev/hda

/dev/hda:
 Timing buffer-cache reads:   124 MB in  2.04 seconds =  60.78 MB/sec
 Timing buffered disk reads:   26 MB in  3.01 seconds =   8.64 MB/sec
```

The performance hit for running "cat /dev/loop/5 > /dev/null" was CPU usage ranging from 50% to 75% by the "loop5" kernel process, and a pretty much solid 99% overall system CPU usage.  So decrypting data coming from the drive at 8.64M/s was at par or too much for a 400mhz K6 processor.  Interestingly enough, while running "updatedb" the loop5 process stayed around 5-15% proc usage.

```
# time dd if=/dev/zero of=./testfile bs=1024k count=100 ; time sync
100+0 records in
100+0 records out

real    0m13.770s
user    0m0.000s
sys     0m3.880s

real    0m11.033s
user    0m0.000s
sys     0m0.240s
```

Time required to create a 100M file, and flush all data to the drives.  I suppose I should have done a control test with ReiserFS on an unencrypted partition.... oh well.

So far so good, one thing I am eyeing pretty carefully is:

```
# dmesg
....
is_leaf: free space seems wrong: level=1, nr_items=21, free_space=0 rdkey
vs-5150: search_by_key: invalid format found in block 97760. Fsck?
vs-13070: reiserfs_read_locked_inode: i/o failure occurred trying to find stat data of [34361 35781 0x0 SD]
....
```

I'm not sure what that's all about, but if it keeps working through multiple reboots, I'll try not to worry about it.

One other thing I'm going to continue looking into is losing the password prompt from the initrd.  It would be nice if loop-aes could detect if the gpg key presented is in fact password protected before asking for one.  After reading through the loop-AES readme file though, it would seem that the gpg key is never examined by losetup or mount (just passed along to gpg) so I suppose I'll have to look into using the -p option in losetup, and piping /dev/null or something into it.

Final note, I've been having random seg faults coming from emerge and runscript (possibly other apps) while running an encrypted root partition.  I'm going to compile a stock 2.6 kernel to rule out love-sources as being the cause.  I'll post again assuming I succeed in getting it stable.

----------

## Gruffi

What happens if the filesystem gets corrupted?  What happens if the system goes down unexpectedly?  As far as i know when you encrypt something all it takes is 1 damaged bit to lose everything...  Will only open files be lost or the entire partition?

----------

## Guest

I am using the following versions:

linux-2.6.5-mm6

loop-AES-v2.0g

util-linux-2.12a

I am unable to compile as usual and have gone back to a 2.6.3 kernel.  What precisely does one have to edit in order to get the above to work?

----------

## twiggy

I'm wondering if i can change the encryption after i already have encrypted it with aes128? (without any loss)

And is aes the best way to go? And thanks for the docs   :Cool: 

I was a bit afraid in the beginning but it went just fine.

----------

## hulk2nd

hmm, i haven't tested it yet but theoretically it should be possible to pipe the already encrypted files through another loop device with another cipher enabled ...

maybe you can test this with a file or some removable storage devices first?

greets,

hulk

----------

## twiggy

Thanks for the answer but i think i'll just stay with aes128 for now.

Anyway you wouldn't have anything else as cool as this to play around with on a saturday would ya?   :Laughing: 

----------

## d4h0od

i tried doing "3. Encrypt your current root partition using a gpg encrypted key" and everything worked great (i think, no errors or such) until i rebooted and then i got error msg with something like 

```
insmod /lib/modules-2.6.5-gentoo-r1/loop.ko no such file or device
```

i guess i have done something wrong... maybe missed or did something wrong when i edited build-initrd.sh cuz its not finding the module...

then i turned to step "7. If something has gone wrong", i booted up knoppix cd and tried mounting the encrypted filesystem to go through the steps i did previously but i cant mount it ;(

first i just tried following the instructions exactly but after thinking a bit i thought about that those steps didn't say anything about decrypting my filesystem using the gpg-key i used to encrypt it

so i mounted the boot partition containing my gpg-key and added the option -K to the losetup command. (is that correct ?)

```
losetup -e AES256 -K /mnt/tempboot/rootkey.gpg /dev/loop0 /dev/hda3
```

and then supplied the password i wrote earlier when i encrypted the partition with gpg (it seems to work cuz if i supply a wrong password it says "Error: gpg key file decryption failed")

but when im doing

```
mount /dev/loop0 /mnt/gentoo
```

i get error msg that it cant mount it ;(

```
FAT: bogus logical sector size 40229
VFS: Can't find a valid FAT filesystem on dev 07:00.
mount: you must specify the filesystem type
```

so then i of course try adding -t ext3 to the mount command (cuz that's the fs of the root partition  :Wink: 

but get another error msg then

```
VFS: Can't find ext3 filesystem on dev loop(7,0).
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
or too many mounted file systems
```

think i have messed something up really bad and think im gonna try starting over but wanted to hear first if someone else maybe knows what i did wrong and/or how i can fix it.

another question regarding "4. Encrypt a clean root partition while installing gentoo" cuz if im gonna start all over i will try to encrypt etc before i install gentoo but i still wanna use gpg but there isnt any info regarding gpg in step 4. (guessing cuz there isnt any place to store gpg-keys when encrypting filesystem cuz the filesystem isnt there yet)

is it hard to add the extra layer of security with gpg afterwards or must i follow and make step 3 work if i want to use gpg+encryption ?

----------

## hulk2nd

this looks for me as if you forgot kernel support for something. could be several things. but i think it should be possible to do that right from the beginning of an installation. tomorrow i'll have a look at it, cause it's 1:30am and i hardly can keep my eyes open   :Shocked: 

so g'nite everyone,

greets,

hulk

----------

## hulk2nd

hmm i am not sure on how to encrypt a clean partition with gpg but maybe you should have a look at point 7.5 on http://loop-aes.sourceforge.net/loop-AES.README and compare it with this cause they also described it with gpg and maybe there is something wrong (or outdated) with the method described here.

thanks in advance for feedback!

greets,

hulk

----------

## revoohc

I need some help.

I followed the instructions last night to encrypt my root partition with AES128.  However, when I reboot my system with the new encrypted partition I get:

```
VFS: Mounted root (minix filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 152k freed
Mounting /dev/hda1 as /lib failed
System halted.
```

What did I do wrong?  I'm running 2.6.5-gentoo-r1 and followed the steps for encrypting a pre-existing root partition using 2.6 with devfs.

thanks for any help,

Chris

----------

## Jayh

Hi Guys,

I was wondering if anyone would know how to encrypt a second hard disk (or even a third)...

Can I just take (for example) /dev/loop1 and encrypt the disk and use /dev/loop1 in /etc/fstab and so on using the root partition method to encrypt the disks?

Sorry for being a little vague but it's 3:22AM and i'm kinda tired   :Cool: 

(p.s. wonderful faq Hulk! thanks  :Smile: 

----------

## hulk2nd

have a look at this:

http://tldp.org/HOWTO/Cryptoloop-HOWTO/index.html

greets,

hulk

----------

## RinkyDinks_RJ

You should add the shred command to your guide. It is used to overwrite anything previously on the drive (data can remain on the drive even if you reformat), (use for clean install/swap drives only)

```
shred /dev/hdaX
```

the default number of overwrites shred uses is 25. you can use -n X to specify a different number, though default is good enough.

Using shred -z /dev/hdaX will overwrite everything with zeroes.

Obviously, you only need to use this if you are concerned that previously unencrypted data on your hard disk may remain available to attack even after a format. (Yes, sometimes data can still hang on)

----------

## Jayh

Alright, I've managed to use the loop devices to encrypt a whole new hd.

For those interested, read this little howto:

First if you don't have enough /dev/loop devices, the best way to increase it is just to recompile your kernel.

Look up /usr/src/linux-2.4.25/drivers/block/loop.c and obviously replace linux-2.4.25 with your kernel version.

Edit it in your favourite editor and change the following:

```
static int max_loop = 16;
```

change the 16 into how many loop devices you want.

After reboot, check /dev/loop/ to see if the loop devices are there. If they're not, use the mknod utility to create them. Read the man-page about that because I don't know how to make them via mknod  :Wink: 

Now you can use the same setup as with encrypting the root partition.

```
/sbin/losetup -e AES256 /dev/loopX /dev/hdX
dd if=/dev/hdX of=/dev/loopX bs=64k conv=notrunc
```

mount it and you're off!

you can use any loop device you want though I recommend you start with loop device 7 or 8 (you can make up to 64 loop devices anyway).

Now my question   :Cool: 

I want to create a LVM using the loop devices in order to encrypt it.

Ok, followed the howto's, install/readme files etc and it was no problem setting it up using the /dev/loop devices. Kernel LVM driver was up to date so no recompiling was necessary.

Now the problem, I needed to make a filesystem on the LVM. I created reiserFS on it and also no problems (though I was a little uncomfortable to create a new filesystem on my already encrypted disks).

when I checked df -h, my mounted loop devices were 16T (Yea, 16 Terabytes) so I thought to unmount them and remount to see if they were still working. Then I got a Segmentation fault while trying to unmount the loop device (How nice) but the LVM was still active.

So I deactivated it and tried to remove the encryption on the loop device using losetup but the following error keeps coming back:

```
ioctl: LOOP_CLR_FD: Device or resource busy
```

Anyone an idea to kill the loop device or to disconnect it properly?

Only this is mounted:

```
Filesystem            Size  Used Avail Use% Mounted on
/dev/loop/5            37G  891M   36G   3% /
/dev/root              11K  8.0K  3.0K  73% /initrd
/dev/ide/host0/bus0/target0/lun0/part1
                       48M   36M   12M  75% /boot
none                  126M     0  126M   0% /dev/shm
```

LVM has been shut down and I can't see any more links to an active session with the loop devices.

Hope u guys have an answer!

See Ya,

Jayh

----------

## hulk2nd

@RinkyDinks_RJ

cool, thank you for that. of course i will add that! you can never be secure enough can't you  :Wink: 

but why do you mean this should be used for swap partitions only and why only when installing on a clean drive?

@Jayh

losetup -d /dev/loopX ?

greets,

hulk

----------

## Jayh

hulk2nd,

That's the command I used to remove the loop devices and got the error

```
ioctl: LOOP_CLR_FD: Device or resource busy
```

while I couldn't see any reason why the loop devices would be in use.

I've now realized after a reboot that the encrypted partition has been destroyed after the repartitioning the LVM.

So I'm thinking of trying to make the LVM and after the partitioning to create a loop device in order to encrypt the lvm  :Smile: 

----------

## d4h0od

Not sure if this is really worth mentioning and i don't want to complain about the guide cuz i think it's really nice.

But one thing that caused problems for me the first time i tried the guide following step 3 was that I couldnt boot my system.

I got an error that it couldn't find /lib/modules-2.6.5-gentoo-r1/loop.ko (at least I think that was the error msg). Then I remembered that in step 3h) in the guide i copy the module loop.ko to /boot and name it loop.o. I tried renaming it back to loop.ko and the next time i rebooted i didn't get the error msg  :Wink: 

is there anyone else that has had the same problem and maybe did the same thing as me? maybe its just a typo in the guide?

----------

## hulk2nd

 *d4h0od wrote:*   

> Not sure if this is really worth mentioning and i don't want to complain about the guide cuz i think it's really nice.
> 
> But one thing that caused problems for me the first time i tried the guide following step 3 was that I couldn't boot my system.
> 
> I got an error that it couldn't find /lib/modules-2.6.5-gentoo-r1/loop.ko (at least I think that was the error msg). Then I remembered that in step 3h) in the guide i copy the module loop.ko to /boot and name it loop.o. I tried renaming it back to loop.ko and the next time i rebooted i didn't get the error msg 
> ...

  yes, thank you for that, could be indeed problematic. changed it   :Smile: 

greets,

hulk

----------

## d4h0od

got my system up and running with encrypted root fs now  :Wink: 

thanx a lot for this excellent guide... without it i dont think i ever would have had the time/energy to try to do it

now i only need to encrypt the swap partition as well but that seems to be quite easy... is it really just to change the line in fstab and then all data written to the swap partition is encrypted  :Wink: ?

----------

## RinkyDinks_RJ

Typing shred /dev/hdax will clean everything off the part. Also, there is a way to make it just wipe the clear areas on the part; I believe it uses /dev/zero. not sure, so I go check it out...

----------

## abeowitz

Question.  

Right now, I'm just doing an encrypted swap partition...

But loop.ko, if setup in /etc/modules.autoload.d/kernel-2.6 tends to load AFTER the swap partition is mounted.

How do I load this module BEFORE swap gets loaded?

BTW, it does work if I do a

```
swapoff -a
swapon -a
losetup -a
/dev/loop/7: [000c]:1812 (/dev/hda3) offset=4096 encryption=AES128 multi-key
```

Thanks

----------

## CB2206

hi,

i'm using a 2.6 kernel with cryptoloop support and i'm just wondering whether it would be possible to get back to bootsplash silent mode after typing in the password for my encrypted home partition.

does anyone know a solution for this?

----------

## jeffrice

I'm having some trouble getting this to work from my USB drive.  I put the pause in the build-initrd.sh script so that the USB hub and drive have a chance to initialize.  But right after, I get the error

```
/dev/sda1 failed to mount as /lib
```

So... what do I do?  The message from the USB modules says it found my USB drive at sda1 and of course it is working because I boot from the USB up to that point.  Am I specifying the device that should be mounted as /lib wrongly?  There isn't a great deal of error message to work with!

Jeff

----------

## markymarc

I'm trying to install util-linux in 2b. But when I come to make SUBDIRS="lib mount", I get a lot of errors, the same if I just do a make in mount. Which results in no new mount, umount etc etc.

I don't know if it's related but when I applied the fix util-linux-2.12.diff it can't find the loop.h file. Is this normal?

Is im missing something or ?????

----------

## jeffrice

 *jeffrice wrote:*   

> I'm having some trouble getting this to work from my USB drive.  

 

Alternatively, has anyone gotten this to work using an unencrypted boot with the gpg key on usb?  It seems to work fine if my key is on CD, but that isn't quite what I want.

It still says it can't mount my usb... all the drivers are compiled into the kernel, so the problem isn't clear to me.

Jeff

----------

## markymarc

By the way, this is what I get when I run the fix:

```
Perhaps you used the wrong -p or --strip option?
Skip this patch? [y]
The text leading up to this was:
--------------------------
|diff -urN util-linux-2.12a/mount/loop.h util-linux-2.12a-AES/mount/loop.h
Hunk #3 FAILED at 128.
|--- util-linux-2.12a/mount/loop.h      Wed Jul 16 23:06:02 2003
|+++ util-linux-2.12a-AES/mount/loop.h  Fri Mar  5 18:48:49 2004
--------------------------
File to patch:
Skip this patch? [y]
Skipping patch.
3 out of 3 hunks ignored
patching file mount/losetup.8
Hunk #1 FAILED at 1.
Hunk #2 FAILED at 30.
Hunk #3 FAILED at 128.
3 out of 3 hunks FAILED -- saving rejects to file mount/losetup.8.rej
patching file mount/loumount.c
patching file mount/mount.8
Hunk #2 succeeded at 270 (offset -1 lines).
Hunk #3 FAILED at 321.
Hunk #4 succeeded at 1686 (offset -29 lines).
1 out of 4 hunks FAILED -- saving rejects to file mount/mount.8.rej
patching file mount/mount.c
Hunk #2 FAILED at 114.
Hunk #3 succeeded at 189 (offset -3 lines).
Hunk #4 succeeded at 199 (offset -3 lines).
Hunk #5 succeeded at 563 (offset -3 lines).
Hunk #6 succeeded at 588 (offset -3 lines).
Hunk #7 FAILED at 605.
Hunk #8 FAILED at 664.
Hunk #9 FAILED at 1478.
4 out of 9 hunks FAILED -- saving rejects to file mount/mount.c.rej
patching file mount/rmd160.c
patching file mount/rmd160.h
patching file mount/sha512.c
patching file mount/sha512.h
patching file mount/swapon.8
patching file mount/swapon.c
```

And this is what I get when I run "make SUBDIRS="lib mount""

```
mount.c:213: error: initializer element is not constant
mount.c:213: error: (near initialization for `string_opt_map[10]')
mount.c:214: error: initializer element is not constant
mount.c:214: error: (near initialization for `string_opt_map[11]')
mount.c:215: error: initializer element is not constant
mount.c:215: error: (near initialization for `string_opt_map[12]')
mount.c: In function `loop_check':
mount.c:594: error: `loopOffsetBytes' undeclared (first use in this function)
mount.c:594: error: (Each undeclared identifier is reported only once
mount.c:594: error: for each function it appears in.)
mount.c:594: error: `loopSizeBytes' undeclared (first use in this function)
mount.c:594: error: `loopEncryptionType' undeclared (first use in this function)
mount.c:611: error: `offset' undeclared (first use in this function)
mount.c:611: error: `opt_offset' undeclared (first use in this function)
mount.c:612: error: `opt_encryption' undeclared (first use in this function)
make[1]: *** [mount.o] Error 1
make[1]: Leaving directory `/tmp/env/loop-AES-v2.1a/util-linux-2.12pre/mount'
make: *** [all] Error 1
```

----------

## markymarc

Solved with some great help from hulk2nd. Instead of using the util-linux package from kernel.org, he pointed me at this one:

http://gentoo.oregonstate.edu/distfiles/util-linux-2.12.tar.gz

And It just works like a charm. 

 :Very Happy: 

----------

## hulk2nd

 *jeffrice wrote:*   

> I'm having some trouble getting this to work from my USB drive.  I put the pause in the build-initrd.sh script so that the USB hub and drive have a chance to initialize.  But right after, I get the error
> 
> ```
> /dev/sda1 failed to mount as /lib
> ```
> ...

maybe a little bit too late but I'm sure I know what your problem is/was:

you typed /dev/sda1 in the build-initrd.sh, right? it should have been /dev/discs/disc0/part1 if you have devfs enabled.

(replace disc0 with the actual disk. dunno which one sda is ...)

greets,

hulk

----------

## jeffrice

 *Quote:*   

> maybe a little bit too late but im sure i know what your problem is/was:
> 
> you typed /dev/sda1 in the build-initrd.sh, right? it should have been /dev/discs/disc0/part1 if you have devfs enabled.
> 
> 

 

Thanks, but my system is pure udev so I don't think that is the problem.  (good thought though)

But now I'm on to a new problem.  I put my key on a CD (/dev/hdd works in the build_initrd, so I assume /dev/sda1 should have.) and went from there.  But now I end up with pivot_root failing.  The error says something about older kernels not including pivot, but that seems to be a default error.  I'm using 2.6.4-ck2, which should be fine.

Very glad I copied my root to another HD!  

Jeff

----------

## jeffrice

 *Quote:*   

> I'm using 2.6.4-ck2, which should be fine.
> 
> 

 

Hmm, I'm baffled.  If I boot from my backup root, I can decrypt and manually pivot to the new root.  So the problem is neither a corrupted partition nor a kernel that can't pivot.  So... I'm not sure what to try next.  build_initrd.sh doesn't copy /sbin/pivot_root to /boot but it looks like it makes its own version against dietlibc.

Doh.  I wish I got a little more useful error messages on boot.

Jeff

----------

## hulk2nd

must have something to do with the ramdisk.

the error sounds familiar to me but atm I don't remember what it was

----------

## kswtch

I followed your instructions to encrypt my existing root partition with devfs. After rebooting I get this message:

```
RAMDISK: Compressed image found at block 0
VFS: Mounted root (minix filesystem) readonly.
Mounted devfs on /dev
.
.
EXT3-fs: mounted filesystem with ordered data mode.
insmod: can't read '/lib/modules-2.6.6-mm5/loop.ko': No such file or directory
Command "/lib/insmod /lib/modules-2.6.6-mm5/loop.ko " returned error
Shutdown: hda
System halted.
```

edit:

I had a typo in build_initrd.sh.

Now I get an error after entering my passphrase.

```
VFS: Can't find ext3 filesystem on dev loop5.
Looks like you didn't say the magic word. Mounting /dev/loop/5 failed
```

edit:

i had to load a special keymap file to make my passphrase work. 

This is how to load the default keymap you are using.

make sure /boot is mounted

```
mount /boot
```

open your build_initrd.sh script and set LOADNATIONALKEYB=1

you have to copy an uncompressed keyboard layout file to /boot/default.kmap

you can use dumpkeys to do so. (This will copy the current keyboard layout to /boot/default.kmap)

```
dumpkeys >/boot/default.kmap
```

build a new initrd file

```
sh /tmp/enc/loop-AES-<version>/build_initrd.sh
```

reboot.

----------

## jeffrice

 *hulk2nd wrote:*   

> must have something to do with the ramdisk.
> 
> the error sounds familiar to me but atm i dont remeber what it was

 

Aha!  Got it... because I was running build-initrd from a root other than the one I was trying to pivot to, an empty but crucial directory was missing.  Pivot_root takes 2 arguments:  the new root to mount, and the mount point for the old root, relative to the new root.  There was no place to mount my old root, so it failed.

Mounting the new root and creating /initrd was all it took.

(edit)

That, and changing my /sbin/rc to mount /dev/ram1 on /mnt/.init.d rather than /dev/ram0, since that was already in use.  RC really should make sure the ramdisk isn't already in use before it tries to use it.

Now to get it to read my key off the USB drive...

(/edit)

----------

## jeffrice

 *jeffrice wrote:*   

> 
> 
> Now to get it to read my key off the USB drive...
> 
> 

 

Figured this out finally... my USB drive is vfat, and I had that fs as a module so the kernel was failing to load it.  Putting it right in the kernel solved it.

J

----------

## Gruffi

Thanks for your guide!!  :Very Happy: 

in step "2c1)creating the ramdisk with devfs enabled in the kernel" I also had to tell the config file not to use GPG or I couldn't boot. (USEGPGKEY=0)

I suppose there is no way to load the keyboard driver before asking for the password? I don't have a qwerty keyboard.

I had a really, really, really hard time entering my password phrase!!   :Laughing: 

----------

## jeffrice

 *Baron FrostFire wrote:*   

> Thanks for your guide!! 
> 
> in step "2c1)creating the ramdisk with devfs enabled in the kernel" I also had to tell the config file not to use GPG or I couldn't boot. (USEGPGKEY=0)
> 
> I suppose there is no way to load the keyboard driver before asking for the password? I don't have a qwerty keyboard.
> ...

 

There is certainly a way!  I use a dvorak keyboard and it takes me a long time to get my passphrase entered using qwerty!

In build_initrd.sh, set the option

```
LOADNATIONALKEYB=1
```

Then copy your keymap to /boot/default.kmap.  Note that this file must not be zipped!  So if you use the one in /usr/share/keymaps, unzip it!  An easy way to get around this is to use dumpkeys after your layout is loaded.

```
dumpkeys > /boot/default.kmap
```

 In fairness, I should point out that kswtch already said this, which I just noticed.  Not trying to steal his/her thunder!   :Wink:  
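
The keymap steps kswtch and jeffrice describe above (make sure /boot is mounted, dump the active console keymap uncompressed to /boot/default.kmap, set LOADNATIONALKEYB=1, rebuild the initrd), collected into one shell script with the checks a hurried run tends to skip. This is an added example, not code from the thread or from loop-AES; it assumes the build_initrd.sh layout the thread uses (a `LOADNATIONALKEYB=...` line, keymap read from /boot/default.kmap), and the helper names (`is_gzip_file`, `get_initrd_option`, `set_initrd_option`, `install_keymap_and_rebuild`) are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread or from loop-AES): the keymap procedure
# from the posts above as one checked script. Assumed layout, as in the thread:
# build_initrd.sh contains a LOADNATIONALKEYB=... line and the initrd reads the
# keymap from /boot/default.kmap.

# True when FILE starts with the gzip magic bytes 1f 8b. The maps under
# /usr/share/keymaps are gzipped; the initrd needs a plain, uncompressed map.
is_gzip_file() {
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "1f8b" ]
}

# Print the current value of OPTION in SCRIPT (empty when the line is absent).
get_initrd_option() {
    sed -n "s|^$2=||p" "$1" | head -n 1
}

# Rewrite the OPTION=... line in SCRIPT to OPTION=VALUE. Returns 1 when the
# script has no such line, so a typo in the option name is reported instead of
# silently leaving the initrd without the keymap.
set_initrd_option() {
    script=$1; opt=$2; val=$3
    grep -q "^$opt=" "$script" || return 1
    sed "s|^$opt=.*|$opt=$val|" "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# The whole procedure: make sure BOOTDIR is mounted, dump the active console
# keymap there uncompressed, enable LOADNATIONALKEYB in SCRIPT, rebuild the initrd.
install_keymap_and_rebuild() {
    bootdir=$1; script=$2
    mountpoint -q "$bootdir" || mount "$bootdir" || return 1
    dumpkeys > "$bootdir/default.kmap" || return 1
    if is_gzip_file "$bootdir/default.kmap"; then
        echo "$bootdir/default.kmap is gzip-compressed; the initrd needs a plain keymap" >&2
        return 1
    fi
    set_initrd_option "$script" LOADNATIONALKEYB 1 || return 1
    sh "$script"
}

# Usage: sh keymap-initrd.sh /boot /tmp/enc/loop-AES-<version>/build_initrd.sh
if [ "$#" -eq 2 ]; then
    install_keymap_and_rebuild "$1" "$2"
fi
```

The gzip check exists because a map copied straight from /usr/share/keymaps is usually compressed, which is exactly the mistake jeffrice warns about; catching it before the initrd is rebuilt saves a reboot into a passphrase prompt that cannot be typed on.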

----------

## eigen

Sorry to bog down this thread with a probably trivial question. But I have encountered the following problem. When I attempt to run sh build-initrd.sh (last step in 2c2) I receive one of the two following errors.

1.

```
tmp-c-4118.c: In function `main':
tmp-c-4118.c:331: warning: label `fail5' defined but not used
15+0 records in
15+0 records out
ioctl: LOOP_SET_FD: Device or resource busy
```

and the script fails. I am at a total loss as to how to work around this. //edit: figured it out.

2. Or sometimes the script returns "makefs.minix  no such file or directory".

I understand (from the loop-aes readme) that there is a mkminix directory in util-linux but the included documentation did not help me with how to install it or whatever needed to be done. This is now where I am stuck.

Any help would be appreciated (try to be explicit, linux user for approx. 3 days : ] )

I am using the following kernel: 2.6.5, with devfs not enabled

 :Question: 

----------

## Gruffi

 *Baron FrostFire wrote:*   

> What happens if the filesystem gets corrupted?  What happens if the system goes down unexpectedly?  As far as i know when you encrypt something all it takes is 1 damaged bit to lose everything...  Will only open files be lost or the entire partition?

 

Just for your information, this is what some1 called "spider" replied to me on the security mailinglist:

 *Quote:*   

> To note here is that when you talk about encrypted filesystems, You are in fact talking about encrypted block devices. The filesystem resides inside the encrypted block, so any damage on the filesystem level, will only damage files in the filesystem, it will not auto-corrupt the whole filesystem. (unless you get severe damage to the filesystem, and that'd be just as bad with as without the encryption)
> 
> True, encrypted devices are more sensitive to hardware errors, things like a loose cable, a faulty sector, will corrupt a block (Most encryptions are block ciphers based on 512 or larger blocks of data) which will then corrupt a bit more data than otherwise.
> 
> However, in practice this is less likely to be an issue, since if you care enough to encrypt your partitions, You already care enough to make regular backups in encrypted format, right? 

 

----------

## Gruffi

Is there a way to mount different partitions with the same password without having to type the password multiple times?

----------

## jeffrice

 *eigen wrote:*   

> 
> 
> 2.Or sometimes the script returns  "makefs.minix  no such file or directory".
> 
> 

 

Did you remember to enable minix filesystems in your kernel?  It may be complaining it can't find makefs.minix in /sbin.

 *Quote:*   

> 
> 
> Any help would be appreciiated (try to be explicit ,linux user for approx. 3 days : ] )
> 
> 

 

Wow, you really like to hit the ground running, don't you!

J

----------

## eigen

^^ jeffrice

You were right about mkfs.minix not being in /sbin, however I do have Minix fs support enabled. Could I get around this by using the included src code in util-linux,

specifically in either ../util-linux/disk-utils or ../util-linux/mk-minix-0.1?

The loop-aes readme alludes to this, stating:

> build-initrd.sh script depends on having minix file
> system support in the kernel and working mkfs.minix program binary.
> Util-linux includes source for mkfs.minix if you don't have it and need to
> build it yourself.

The included docs just don't seem to help me with installation. Any help would be appreciated

----------

## jeffrice

Ah.  Okay, first  emerge util-linux.  Then follow the instructions for patching and installing the components that loop-aes needs.  Most of the components in the ebuild don't need patching, so I found it easier to emerge it and then download the source and patch mount and the couple other proggies that needed it.

J

----------

## jeffrice

In case anyone is looking for a good encryption system for Windows, Cross-Crypt is an open-source AES and Twofish-enabled system that will also easily use your GPG keys if GPG is installed.  Encrypted containers are mounted as drives.  A GUI is also available, although I don't think it supports GPG keys.

Jeff

----------

## gaboonal

Is it possible to encrypt the /tmp partition in a similar way to the swap partition - a new random key is generated each time you boot?

My fstab entry for the swap partition is: 

```
/dev/hda2               none            swap            sw,loop=/dev/loop7,encryption=AES256    0 0
```

Simply adding "loop=/dev/loop7,encryption=AES256" to my /tmp options doesn't work. It asks me for a password at start-up.

I do not have an encrypted root file system so encrypting it with a non-random key and then piping the password to losetup at start-up is not an option because the password file would not be encrypted. I already have an encrypted /home partition so typing two different very long passwords in would be annoying.

I suppose it would be possible to create a small encrypted partition with the passwords to my /home and /tmp partition on and then pipe the passwords to losetup from there. This seems like a good idea, especially since I am thinking of encrypting /var as well but I am not sure if this will work with the /etc/init.d/localmount script. Would I have to remove /home and /tmp from fstab, then change localmount to something like:

```
# Mount local file systems in /etc/fstab.
        ebegin "Mounting local filesystems"
        mount -at nocoda,nonfs,noproc,noncpfs,nosmbfs,noshm >/dev/null
        eend $? "Some local filesystem failed to mount"
        cat /encryption/password-tmp.txt | losetup -p 0 -e AES256 -K /encryption/keyfile-tmp.gpg /dev/loop6 /dev/hda10
        mount -o noatime,notail /dev/loop6 /tmp
        cat /encryption/password-home.txt | losetup -p 0 -e AES256 -K /encryption/keyfile-home.gpg /dev/loop5 /dev/hda8
        mount -o noatime,notail /dev/loop5 /home
```

Also is there a way to make it so you are asked for your password again if you type it in wrong instead of carrying on with the boot process? Asking for it again a maximum of 3 times would be useful.

Finally, for anyone who uses a multi-key gpg key file you will not be able to access your data from a KNOPPIX CD because it uses an older version of losetup. According to the loop-aes readme file, "Setting up multi-key gpg key-file and using that key-file with old single-key only aware losetup/mount programs is *dangerous*."
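
gaboonal asks for the passphrase prompt to be repeated, up to three times, instead of the boot carrying on after a wrong entry. The script below shows one way to do that around loop-AES's losetup and mount. It is an added example, not code from the thread or from loop-AES. The command variables (`LOSETUP_CMD`, `MOUNT_CMD`, `ASK_PASS_CMD`) and the function names are this example's own; the `-p 0` and `-e AES256` options are the ones used in the fstab and losetup lines quoted in this thread. The point it handles: losetup accepts any passphrase, and a wrong one only surfaces when mount finds no filesystem on the loop device (the "Looks like you didn't say the magic word" message kswtch hit above), so the retry has to wrap both steps and detach the loop device between attempts.

```shell
#!/bin/sh
# Added example (not code from the thread or from loop-AES): attach a loop-AES
# loop device and mount it, re-asking for the passphrase a limited number of
# times. A wrong passphrase is only detected when mount fails, so each failed
# attempt detaches the loop device before asking again.
# The three *_CMD names are this example's own; they exist so the logic can be
# exercised with stand-in commands instead of real block devices.

LOSETUP_CMD="${LOSETUP_CMD:-losetup}"
MOUNT_CMD="${MOUNT_CMD:-mount}"
ASK_PASS_CMD="${ASK_PASS_CMD:-ask_passphrase_tty}"

# Read one passphrase from the terminal with echo turned off; print it on stdout
# (with a trailing newline, which is what losetup -p 0 expects from the pipe).
ask_passphrase_tty() {
    printf 'Passphrase for %s: ' "$1" >&2
    stty -echo 2>/dev/null
    read -r pass
    stty echo 2>/dev/null
    printf '\n' >&2
    printf '%s\n' "$pass"
}

# attach_and_mount DEVICE LOOPDEV MOUNTPOINT [MAXTRIES] [FSTYPE]
# Returns 0 once the filesystem is mounted, 1 after MAXTRIES failed attempts.
attach_and_mount() {
    dev=$1; loop=$2; mnt=$3; max=${4:-3}; fstype=${5:-ext3}
    n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        # -p 0 makes losetup read the passphrase from fd 0, i.e. from the pipe.
        if "$ASK_PASS_CMD" "$dev" | "$LOSETUP_CMD" -p 0 -e AES256 "$loop" "$dev"; then
            if "$MOUNT_CMD" -t "$fstype" "$loop" "$mnt"; then
                return 0
            fi
            # No filesystem found: almost always a wrong passphrase. Free the loop
            # device so the next attempt can set it up again with a fresh key.
            "$LOSETUP_CMD" -d "$loop"
        fi
        echo "attempt $n of $max failed for $dev" >&2
    done
    return 1
}

# Usage: sh mount-retry.sh /dev/hda8 /dev/loop5 /home 3 reiserfs
if [ "$#" -ge 3 ]; then
    attach_and_mount "$@" || exit 1
fi
```

Dropped into an init script in place of the plain `losetup ... ; mount ...` pair, a non-zero return from `attach_and_mount` is the signal to stop (or fall through to a rescue shell) rather than continue booting with /home or /tmp unmounted.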

----------

## Gruffi

 *gaboonal wrote:*   

> Is it possible to encrypt the /tmp partition in a similar way to the swap partition - a new random key is generated each time you boot?
> 
> 

 

I guess you would have to create a new filesystem on the /tmp device each time.

----------

## Gruffi

How do I UNencrypt the filesystem?

Set up the loop device with the right password

```
losetup -e AES256 /dev/loop0 /dev/hda3
```

And then what "dd" command do I use?

----------

## gaboonal

I just thought I would mention that in the UK, "It remains a criminal offence under the Act (s.53), punishable with up to two years imprisonment, to fail to surrender an encryption key. The Act places the onus on the recipient of the notice to show why any encryption key cannot be surrendered." -http://hamiltons-solicitors.co.uk/archive-docs/combat-cybercrime2.htm

This is quite frightening because you are guilty until proven innocent. If you can't prove that you have genuinely lost your key then you are in trouble. IANAL but I think that if you were to encrypt your /tmp partition with a random key at each boot and your init scripts reflected this you would be OK.

Steganography seems the only viable solution to making sure that no one else will be able to read your data. StegFS is a steganographic file system for Linux - http://stegfs.sourceforge.net/ Unfortunately it does not have support for 2.4/2.6 kernels at this point in time. StegHide (in portage) is good for hiding individual files, especially for sending them over the internet.

----------

## angelacb

Hi,

I'm experiencing a very weird problem. I've successfully encrypted my root, swap, etc...

I've been running this machine for 3 months already. I haven't experienced any problems. However, today I tried to extract a very large tar file. There are twelve 50 MB rar files within this huge tar file. There's also a checksum file that comes with the tar file which validates all 12 of these large 50 MB rar files.

I've tried to extract these files many different times. Every time after I extract these rar files from the huge tar file, I check them with the checksum file. And every single time, it gives errors, but on different rar files.

The odd thing is, every time I extract from the tar file, different rar files get corrupted. Therefore, I want to know if this has anything to do with the encrypted file system, or if there is something I might have done that may cause this error.

Just for the record, I run reiserfs on the loopback device backed by /dev/sdaX.

Best Regards,

----------

## markymarc

 *jeffrice wrote:*   

> I'm having some trouble getting this to work from my USB drive.  I put the pause in the build-initrd.sh script so that the USB hub and drive have a chance to initialize.  But right after, I get the error
> 
> ```
> /dev/sda1 failed to mount as /lib
> ```
> ...

 

I get the same error when I try to boot from USB. I followed the guide about gpg encryption. And it works fine when BOOTDEV in build-initrd.sh is /dev/discs/disc0/part1 and boot is on the harddrive. But when I put my boot partition on my USB, and set the BOOTDEV to /dev/discs/disc1/part1 I get the same error as Jeff. Have tried the same as Jeff with pause, no help.

PLS HELP

----------

## hulk2nd

 *jeffrice wrote:*   

>  *jeffrice wrote:*   
> 
> Now to get it to read my key off the USB drive...
> 
>  
> ...

 

u have the fs of your usb drive in kernel?

----------

## markymarc

I have made my usb drive ext2. So yes there is support for it in the kernel. Also before I encrypted the root partition, I mounted the usb drive fine.

----------

## jeffrice

 *markymarc wrote:*   

> 
> 
> I get the same error when I try to boot from USB. I followed the guide about gpg encryption. And it works fine when BOOTDEV in build-initrd.sh is /dev/discs/disc0/part1 and boot is on the harddrive. But when I put my boot partition on my USB, and set the BOOTDEV to /dev/discs/disc1/part1 I get the same error as Jeff. Have tried the same as Jeff with pause, no help.
> 
> 

 

Hmm, well my situation was a little different.  First, I use Udev so the drive IDs are different.  But my problem mostly was the fact that I had a fat32 USB drive but compiled vfat as a module.  Once I put it in the kernel, everything was fine.

J

----------

## angelacb

 *angelacb wrote:*   

> Hi,
> 
> I'm experiencing a very weird problem. I've successfully encrypted my root, swap, etc...
> 
> I've been running this machine for 3 months already. I haven't experienced any problems. However, today i try to extract a very large tar file. There's twelve 50 MB rar files within this huge tar file. There's also a checksum file that comes with the tar file in which it will validates all 12 of these large 50 MB rar files.
> ...

 

I've tested it with other compression utils and compressing the same set of files and decompressing them on the encrypted file system:

ZIP/UNZIP: no corruptions

RAR/UNRAR: no corruptions

GZIP/UNGZIP: no corruptions

TAR/UNTAR: random corruptions on uncompressed files

TAR+BZIP2/UNTAR+UNBZIP2: random corruptions

I'm wondering if there's something special about tar/untar i have to worry about when i'm working with loop-AES encrypted file systems. Maybe someone experiences similar issues?  :Question: 

Best Regards,

----------

## markymarc

 *markymarc wrote:*   

> 
> 
> ```
> /dev/sda1 failed to mount as /lib
> ```
> ...

 

Fixed the first problem now. Just put bootdev to /dev/discs/disc0/part1.

Now I got a new error, this is the output when I boot on my new initrd:

```
VFS: Mounted root (minix filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 220k freed
Command "/lib/insmod /lib/modules-2.6.5-gentoo-r1/loop.ko" returned error
System halted
```

Why is this?

I have tried all the steps from the gpg howto, and got it to work when I put boot on hda1.

Do I have to put some special thing in the /boot/ partition or in the build-initrd??

SORRY, it was not a loop-AES error. Just me being stupid, forgot to compile all the right stuff in the kernel for initrd to read from the USB drive  :Embarassed: 

----------

## Sh4d0w

I followed this guide back with 2.4 and now I'm trying to upgrade my kernel to 2.6.

I've compiled in all the modules listed, but when I try to boot with my 2.6 kernel I get:

 *Quote:*   

> 
> 
> Mounted devfs on /dev
> 
> Freeing unused kernel memory: 104k freed
> ...

 

Any suggestions on what I may need to do?

----------

## Duty

Someone in Gentoo Chat tipped me off to this warning in the help blurb for the 'cryptoloop' module:

 *Quote:*   

> WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device.

 

Is this something to worry about?

----------

## jeffrice

 *Duty wrote:*   

> Someone in Gentoo Chat tipped me off to this warning in the help blurb for the 'cryptoloop' module:
> 
>  *Quote:*   WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device. 
> 
> Is this something to worry about?

 

I dunno... AESLoop on Reiser4 has been working flawlessly.

Jeff

----------

## hulk2nd

 *Duty wrote:*   

> Someone in Gentoo Chat tipped me off to this warning in the help blurb for the 'cryptoloop' module:
> 
>  *Quote:*   WARNING: This device is not safe for journaled file systems like ext3 or Reiserfs. Please use the Device Mapper crypto module instead, which can be configured to be on-disk compatible with the cryptoloop device. 
> 
> Is this something to worry about?

 

also reiserfs hasn't made any probs (at least in my case)

----------

## QuizMasta

I think it's been mentioned before, but to quote the loop-AES.README:

 *Quote:*   

> Don't use a journaling file system on top of file backed loop device. Device
> 
> backed loop device can be used with journaling file systems as device backed
> 
> loops guarantee that writes reach disk platters in order required by
> ...

 

In short: If you're encrypting an entire device (/dev/hda3 for instance) it's safe to use journaled filesystems (ReiserFS, ext3 and so on).

----------

## QuizMasta

Will the instructions on the first page cover the newer loop-AES (v2.1c)?

Specifically: Do I need the newest patch for loop-AES in step 3c?

----------

## chadders

Um, as the creator of one of the first "How to encrypt root, etc" Howto's in these forums, and spending a LOT of time messing around with the loop device driver, loopAES, the cryptoAPI yada yada...

I recommend that people think about using the new device mapper based stuff instead and NOT loop device based stuff.  Why? Because it is more righteous, because it works better, because it has a future, and MOSTLY because the whole loop device implementation is one huge ugly kernel hack.  There are some dm-crypt how-to's in the Gentoo forums that tell you how to do it.  TRY IT YOU WILL BE GLAD YOU DID. 

The device manager is a layer of code in 2.6 kernels that lets virtual layers of block devices be created on top of real devices.  It is used by stuff like the logical volume managers (LVM and EVMS).  It is the RIGHT place to put filesystem encryption.

SOOOOO.... flame away, but that's what *I* think.

Chadders   :Very Happy: 

----------

## hulk2nd

well hello chadders, chief encrypter!

that sounds quite interesting, besides I've never heard of it. maybe you can describe the whole thing in more detail or provide some links or even write a tutorial since you know best what you are talking about.

as I wrote at the beginning of the tutorial, this is mainly the same as your old guide, it's just more detailed and from time to time I added some extras but the core consists of your guide so it would be really nice if we could keep this up to date.

greets,

hulk

----------

## chadders

Hi Hulk2nd!

I really liked your howto and this thread.  I kind of lurk around sometimes and see what people are doing.  You and watersb and steeledan and some other guys make this stuff cool and really make me think, so THANKS! 

It is pretty trivial to make dm-crypt work on an encrypted root.  Basically the idea is about the same as what Jari Ruusu did with loop-AES.  That is to get a kernel loaded, put some stuff in an initrd that makes the real root file system mountable, mount it, and then chroot or pivot root to it.  You can put the setup stuff in a program or a script and on a ram device or on the boot partition (I like boot partition scripts better because it is lots more flexible and I can fix it easier when I mess up, which I do a lot).

There is a pretty close Gentoo dm-crypt howto that steeledan did here.

I used it as the starting point on my stuff.  I haven't written everything down because usually I just keep hacking away until I understand it and then when I understand it I remember it, then I forget to write it down.  I know that doesn't make too much sense but hey, that's me!  I will make another encrypted root system from the beginning sometime and will take good notes then and put it on here if anyone wants it.  

The only tricky part is to make sure you have the libraries on the boot partition that are needed to run whatever is going to get the passphrase, cryptsetup, and mount to run (I put other stuff there too like libraries needed for vi so that I can fix stuff without having to boot up all of knoppix, heh).

Also, there is some good stuff on dm-crypt that Christophe Saout did here.  

The thing about dm-crypt that's so good is that it runs as part of the device mapper layer.  So it doesn't have to do weird stuff that fakes out VFS or has to worry about what order blocks are written to the disk (like if you are using an encrypted filesystem backed by a journalled file system), and doesn't get real messy with a bunch of kernel patches. 

Chadders  :Very Happy: 

----------

## dh003i2

Err... first, do the new util-linux ebuilds have the loop-aes patches? I looked through the ebuild, and it mentions stuff about a losetup patch. 

Also, I'm having problems compiling the loop.ko module for the kernel. I downloaded loop-AES-v2.2b.tar.bz2 into /tmp/enc and then did the following:

```
cd /tmp/enc
tar jxvf loop-AES-v2.2b.tar.bz2
patch -p0 ./loop-AES-v2.2b/loop.c.-2.2.diff
```

After I try that, it says

```
can't find file to patch at input line 3
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------------
|--- loop.c-2.2.original        Mon Sep 16 21:50:11 2002
|+++ patched-loop.c        Thu Jan 8 17:49:11 2004
--------------------------------
```

Err, what's going on here?

----------

## echto

/dev/loop6 was still active - from when you used it to encrypt the partition - and you probably tried to use the same loop device in your /etc/fstab to mount the newly encrypted partition.   I bet if you had done a 

```
ps aux | grep loop
```

before rebooting you would have seen [loop6] in the output.

Next time try

```
losetup -d /dev/loop6
```

to release the loop device before mounting.   :Smile: 

echto

 *yottabit wrote:*   

> Can't seem to figure out how to setup swap part with GPG key. I've done this:
> 
> ```
> losetup -e AES256 -K /mnt/floppy/rootkey.gpg /dev/loop6 /dev/hda2
> ```
> ...

 

----------

## echto

```
dd if=/dev/loop0 of=/dev/hda3 bs=64k conv=notrunc
```

 *Gruffi wrote:*   

> How do i UNencrypt the filesytem?
> 
> Set up the loop device with the right password
> 
> ```
> ...

 

----------

## schachti

Hi.

 *hulk2nd wrote:*   

> 
> 
> - get the latest loop-AES from sourceforge.net. at the moment it is 
> 
> loop-AES-v2.0d. have a look at the Sourceforge.net loop-AES Project if the link is broken or to see if a newer version exists.
> ...

 

After doing this, I wasn't able to mount my existing encrypted partitions any more (which were created by using the unpatched version of util-linux), I get the error

```
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
       or too many mounted file systems
```

After doing

```
emerge util-linux
```

everything works fine again. I use the following code to mount the partitions:

```
losetup -e aes-256 /dev/loop0 /dev/hda4
losetup -e aes-256 /dev/loop1 /dev/hdc1
losetup -e aes-256 /dev/loop2 /dev/hdd1
mount -t ext2 /dev/loop0 /mnt/storage0
mount -t ext2 /dev/loop1 /mnt/storage1
mount -t ext2 /dev/loop2 /mnt/storage2
```

Any idea what might be wrong? I even tried with -e aes256 and so on, but it didn't work...

----------

## echo6

Has anyone got any observations relating to vulnerabilities with cryptoloop ?

http://lwn.net/Articles/67216 Andrew Morton will soon be deprecating this in favour of dm-crypt,  device mapper http://www.saout.de/misc/dm-crypt/

----------

## trent casternovas

ok, I followed part 3, encrypting your root with gpg, right to the tee. but after I've encrypted the root partition and reboot I'm getting the following error:

```
Command "/lib/insmod /lib/modules/2.6.7/loop.ko" returned errors
```

anyone know how this is fixed?

I've tried creating a /lib directory on the /boot partition and copying insmod to that location but that didn't work.  any ideas would be very appreciated.

----------

## Warped_Dragon

EDIT: Deleted post, was my own stupid mistake...

----------

## alexander-m

Hi

I have some problems with the step where one should use a knoppix cd to boot and then encrypt its partitions. 

Shouldn't this boot cd have loopaes support included, or how is it possible to encrypt with a "knoppix cd"?

Do I have to use a special version of the knoppix cd?

Is disc encryption with loopaes (with current patches) available on such a "knoppix cd"?

Thanks for your answer and the great guide

Alexander

----------

## Takker

 *schachti wrote:*   

> 
> 
> - get the latest util-linux
> 
> After doing this, I wasn't able to mount my exisiting encrypted partitions any more (which were created by using the unpatched version of util-linux), I get the error
> ...

 

Had this one right now. A world update was the problem. There is a new use flag "old-crypt". Add it to your make.conf, then

```
# emerge util-linux
```

After that you'll find a new mount command for mounting your cryptoloop drive in /sbin:

```
# mount-old-crypt /mnt/crypt
```

Read the util-linux ebuild for more infos:

 *Quote:*   

> * This version of util-linux includes crypto support
> 
> * for loop-aes instead of the old cryptoapi.
> 
> * If you need the older support, please re-emerge
> ...

 

@Hulk you should add this to your howto and maybe add an information that cryptoloop is "replaced" by dm-crypt.

----------

## meuk

Hi All,

Recently I had some problems making loop-AES 3.0b work with kernel 2.4.27. It seems that you need to remove the loop.o and loop.h files from the kernel in order to make losetup work during the boot process.

The loop.o file can be found in linux/drivers/block inside the kernel source and loop.h in include/linux.

Maybe an idea to put this in the tutorial? Saves some people a lot of headaches  :Wink: 

Laters

----------

## Hans P.

Hi,

I'm trying to build a root encrypted system with kernel 2.6.10. Compiling of gnupg fails like this:

```
# cd gnupg-1.4.0 
# patch -p1 <../gnupg-1.4.0.diff 
# CFLAGS="-O2" LDFLAGS="-static -s" ./configure --prefix=/usr --enable-static-rnd=linux 
# make 
[...] 
Making all in tools 
make[2]: Entering directory `/home/hans/gnupg-1.4.0/tools' 
gcc  -O2 -Wall  -static -s -o bftest  bftest.o ../cipher/libcipher.a ../mpi/libmpi.a ../util/libutil.a      -ldl   -lreadline 
 ../cipher/libcipher.a(idea-stub.o)(.text+0x2d): In function `load_module': 
: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(complete.o)(.text+0xde1): In function `rl_username_completion_function': 
: warning: Using 'getpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(tilde.o)(.text+0x2db): In function`tilde_expand_word': 
: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(shell.o)(.text+0x102): In function`sh_get_home_dir': 
: warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(complete.o)(.text+0xdd3): In function `rl_username_completion_function': 
: warning: Using 'setpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(complete.o)(.text+0xe7f): In function `rl_username_completion_function': 
: warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x72b): In function `rl_redisplay': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x1b3a): In function `update_line': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x235b): In function `_rl_move_cursor_relative': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x23f6): In function `_rl_move_cursor_relative': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x2495): In function `_rl_move_vert': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x24e0): more undefined references to `tputs' follow 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x282b): In function `insert_some_chars': 
: undefined reference to `tgoto' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x2840): In function `insert_some_chars': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x28b7): In function `delete_chars': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x28db): In function `delete_chars': 
: undefined reference to `tgoto' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x28f0): In function `delete_chars': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x2926): In function `cr': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x2e7a): In function `_rl_clear_screen': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x2fa6): In function `_rl_redisplay_after_sigwinch': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x2fe4): In function `_rl_redisplay_after_sigwinch': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(display.o)(.text+0x27f5): more undefined references to `tputs' follow 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0xdd): In function `_rl_get_screen_size': 
: undefined reference to `tgetnum' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x152): In function `_rl_get_screen_size': 
: undefined reference to `tgetnum' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x264): In function `_rl_init_terminal_io': 
: undefined reference to `PC' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x34e): In function `_rl_init_terminal_io': 
: undefined reference to `BC' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x354): In function `_rl_init_terminal_io': 
: undefined reference to `UP' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x3cf): In function `_rl_init_terminal_io': 
: undefined reference to `tgetent' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x3ff): In function `_rl_init_terminal_io': 
: undefined reference to `tgetstr' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x429): In function `_rl_init_terminal_io': 
: undefined reference to `PC' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x452): In function `_rl_init_terminal_io': 
: undefined reference to `UP' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x45a): In function `_rl_init_terminal_io': 
: undefined reference to `BC' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x465): In function `_rl_init_terminal_io': 
: undefined reference to `tgetflag' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x4b9): In function `_rl_init_terminal_io': 
: undefined reference to `tgetflag' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x511): In function `_rl_init_terminal_io': 
: undefined reference to `tgetflag' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x523): In function `_rl_init_terminal_io': 
: undefined reference to `tgetflag' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x856): In function `_rl_backspace': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x929): In function `rl_ding': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x976): In function `_rl_enable_meta_key': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0x9ae): In function `_rl_control_keypad': 
: undefined reference to `tputs' 
/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/../../../libreadline.a(terminal.o)(.text+0xa03): In function `_rl_set_cursor': 
: undefined reference to `tputs' 
collect2: ld returned 1 exit status 
make[2]: *** [bftest] Error 1 
make[2]: Leaving directory `/home/hans/gnupg-1.4.0/tools' 
make[1]: *** [all-recursive] Error 1 
make[1]: Leaving directory `/home/hans/gnupg-1.4.0' 
make: *** [all] Error 2
```

It works without the LDFLAGS - but then I can't expect a statically linked binary...

Please heeeeeeelp!

Hans

----------


## TheRelevator

 *Takker wrote:*   

> 
> 
> Had this one right now. A world update was the problem. There is a new use flag "old-crypt". Add it to your make.conf, then
> 
> ```
> ...

 

Will my / encryption still work after

```

emerge util-linux

```

or do I have to change something in the initial ramdisk?

----------

## janne_oksanen

I just finished encrypting my / partition and now when I boot it says my password is no good. I figured it might be a keymap issue so I went back and enabled the keymap option using knoppix. I also copied the default.kmap to /boot as instructed in the build.something script (I forget). Now when I boot it says 

```
Loading /lib/default.kmap

loadkeys: /lib/default.kmap:7: cannot open include file qwerty-layout

Command "/lib/loadkeys/ /lib/dafault.kmap" returned error
```

And still it won't let me in. Any ideas before I make a new install?

EDIT:

Here's the error that I get when I'm booting and after I supply my password:

```
Error: unable to open /lib/rootkey.gpg for reading

Command "/lib/losetup -e AES128 -I 0 -K /lib/rootkey.gpg -G /lib /dev/loop5 /dev/hda3" returned error

```

----------

## s3ntient

Hi!  I just had a slight problem, I encrypted my root partition but forgot something so my system won't boot.  No big problem, just boot back into knoppix and mount the partition:

```
losetup -e AES128 /dev/loop0 /dev/hda4
mount /dev/loop0 /mnt/hda4
```

the problem is it tells me that I must specify the filesystem, if I put -t reiserfs it tells me wrong fs, bad option, or bad superblock on /dev/loop0 ...

what can I do to get it mounted?

----------

## chadders

Um, that is the symptom that happens when the passphrase is wrong, or when the incorrect encryption algorithm is on the mount (like AES128 when the file system was encrypted with AES256, or blowfish, or whatever).

Not good news.  When that happened to me I messed up the pass phrase when encrypting, I had to restore from a backup and CAREFULLY reencrypt the partition.  Sorry.

Chadders  :Very Happy: 

P.S. You might think about using the device mapper dm-crypt instead of loop-AES.  Other threads can tell you why.

----------

## yaneurabeya

Dang, that's a long tut (and quite detailed). I'll try that out someday when security becomes a serious issue wherever I work/use PCs  :Smile: .

----------

## Apropos

First, if I understand the security howto's correctly, one should password protect their BIOS and boot from an internal hard drive to prevent a user from popping in a CD or floppy and booting their own system.  If I had a laptop and some nefarious individual got a hold of it they could easily wipe my nice encrypted system from my hard drive.  They could probably circumvent the BIOS too but it adds a layer of security and I'm paranoid  :Shocked:  .

Same is true I suppose for a locked desktop PC.  So what is wrong with this or is there a better way to protect the data than boot from USB/CD/Floppy?

Next, I've found a link in all the howto's that states the dm-crypt and cryptoloop are not good methods until kernel 2.6.10 or greater.  http://mareichelt.de/pub/texts.cryptoloop.php

Does anyone have any more info on this or a second source?  

BTW, I haven't yet encrypted my file system I'm just trying to lay it all out first and then charge ahead.

Thanks for any help.

----------

## Base

Password protection in the BIOS is utterly worthless as a security measure for other people than like your 10 year old brother or mother.

The only thing you can do to really protect yourself from someone wiping your disks is to remove your cd/dvd and diskdrive + using a thick steelcase with padlocks.

The main point with encryption is not to prevent other people from wiping your info but to prevent them from getting access to it so they can see what you store on your disks.

If you encrypt your disks with a strong crypto/approach you should have a good protection against everything (accesswise) except someone breaking in through your network connection.

----------

## Base

I'm no encryption expert and have been checking around myself and this is what I can find out.

Cryptoloop is a no-hope solution security-wise, at least for those that lack uberlinux skills (and perhaps can avoid some of the vulnerabilities otherwise).

dm-crypt is a big question mark. I've read some about a patch that can be used with dm-crypt by using certain commands at install. This patch salts dm somehow making it more secure against watermarking. Some kind of ESSIV story.

Loop-aes seems to be the only really renowned secure solution atm (with multikeys), but seems to be a bitch to get working. 

Tried to get more opinions about the dm-crypt vulnerability issue, but no luck so far.

I am kinda fresh at using linux (except for my webserver, but any doofus is probably able to install an apache/php/mysql solution today) and prefer to get an easy solution to this. But installing encryption that isn't moderately safe is to me like making something not working, totally pointless. So would be nice with more input.

----------

## Sigmatador

I have a problem with my passphrase, recently I have used one that has 'A' and 'M' characters. So what's the problem? Well, when I'm typing my passphrase under knoppix, my keyboard is 'azerty', but once I boot my encrypted root, my initrd seems to be in 'qwerty'. Is there a way to tell initrd that I'm using an 'azerty' keyboard?

----------

## dripton

Thanks for the HOWTO.

I've been encrypting an existing root filesystem, on amd64, with udev.  Just different enough that none of the docs quite match.  :->

1. cryptoloop and dm_crypt are currently deprecated for lack-of-security reasons.  You will find that the options to turn them on are disabled in recent 2.6 kernels.  So loop-AES is definitely the way to go.

2. The ldd in recent versions of Gentoo (and other bleeding-edge distros) changed its output format, which breaks loop-AES's build_initrd.sh script.  There is a one-line patch here:

http://mail.nl.linux.org/linux-crypto/2005-04/msg00054.html

Just in case that link breaks:

```

--- ../loop-AES-v3.0c/build-initrd.sh   Sat May  8 10:36:31 2004

+++ ./build-initrd.sh   Sun Apr 24 21:37:28 2005

@@ -740,7 +740,7 @@

 for x in ${z} ; do

     echo Copying ${SOURCEROOT}${x} to ${DESTINATIONROOT}${DESTINATIONPREFIX}

     cp -p ${SOURCEROOT}${x} ${DESTINATIONROOT}${DESTINATIONPREFIX}

-    y=`ldd ${SOURCEROOT}${x} | perl -ne 'if(/ => ([^ ]*) /){print "$1\n"}'`

+    y=`ldd ${SOURCEROOT}${x} | perl -ne 'if(/([^ ]*) \(0x/){print "$1\n"}'`

     for a in ${y} ; do

         echo Copying ${SOURCEROOT}${a} to ${DESTINATIONROOT}${DESTINATIONPREFIX}

         cp -p ${SOURCEROOT}${a} ${DESTINATIONROOT}${DESTINATIONPREFIX}

```
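
Review bot: the replaced `y=` line widens what the script captures, but the `for a in ${y}` loop below it still runs `cp -p ${SOURCEROOT}${a} ${DESTINATIONROOT}${DESTINATIONPREFIX}` with no check that the captured path exists and no test of cp's exit status, so any line the new pattern matches without a usable path (or any library ldd reports but that is missing under `${SOURCEROOT}`) silently yields an initrd that only fails at boot, when losetup cannot start and the root cannot be unlocked. Suggest guarding the copy, e.g. `[ -f "${SOURCEROOT}${a}" ] || { echo "missing ${a}" >&2; exit 1; }` before the `cp -p`, and `cp -p ... || exit 1` after it, so build-initrd.sh aborts instead of shipping a broken ramdisk.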

----------

## hadees

does this guide still ring true? it is sort of old.  I am looking at doing this right now myself.  However I wish Trusted Gentoo wasn't just vaporware because I could have used my TCPA chip for storing the keys.

----------

## dripton

 *Quote:*   

> does this guide still ring true? it is sort of old.

 

I would read this guide, but use http://loop-aes.sourceforge.net/loop-AES.README as the primary source, since it's more authoritative and up-to-date.  The multi-key-v3 setup is more secure than the older single-key configurations.

I did Example 5, Encrypting Root Partition.  Encrypting a non-root partition is easy -- I recommend doing that first for practice before moving on to the harder cases.  (If you don't have a spare partition, you can always disable swap and then mess around with your swap partition.)  The root is a pain because of having to set up initrd, make sure the necessary devices are visible early enough in the boot process, make sure things are compiled statically so they work without /usr/lib available, etc.  Anything you do wrong usually hangs the system and renders it unbootable, and then it's back to Knoppix or the Gentoo livecd.

Never did get it working correctly with udev -- I had to revert my system to devfs, which has explicit support instructions.  Not saying udev can't be made to work, just that I couldn't get it working before running out of patience.

I used the latest versions of loop-AES, aespipe, util-linux, and gpg, all built by hand under /usr/src rather than using portage.  For dietlibc I just used the ebuild.

Other than the one-line patch to build-initrd.sh to work around ldd's output changing in recent glibc versions (see my other post), there were no big surprises.  It's just a matter of getting all the little steps right at the same time.

----------

## Logician

Anyone who knows enough about this bit, this question is directed to you - my roommate told me, at one point, not to emerge and update my binutils EVER.  But the version I use is no longer in portage.  Is there a real reason I can't update, or should I be good to go?

----------

## kanaesin

 *Logician wrote:*   

> Anyone who knows enough about this bit, this question is directed to you - my roommate told me, at one point, not to emerge and update my binutils EVER.  But the version I use is no longer in portage.  Is there a real reason I can't update, or should I be good to go?

 

I wouldn't do it. I haven't updated them and haven't run into problems... yet...

So if it ain't broke don't fix it.

----------

## gnjf

very interesting howto, thanks for all the great work.

i intend to encrypt my notebook's partitions using loop-AES but i have one question:

would it ...

...be technically possible to use a TPM chip (trusted platform module) to create and store the encryption key?

...make any sense securitywise? as the key would be stored in the TPM instead of on an unencrypted partition

please tell me if this is complete bull****, aside from the fact that tpm's aren't very popular with the open-source-crowd.

greetings gnjf

----------

## Metalheadws

Just my 2 cent:

I've encrypted my root partition following the steps in this howto, everything worked  :Smile: 

I'm using udev (configuration as in "without devfs" comments in build-initrd.sh), portage loop-aes, util-linux (with crypt and static) useflag, aespipe (static useflag) and gpg (compiled myself, since it doesn't have a static useflag).

There's one caveat though: the aespipe version marked as stable in portage (2.2a) doesn't support multi-keys. After I initially encrypted my partition, I wasn't able to mount it (got losetup'ed properly though). I just piped the data on the disk back through aespipe to decrypt (which worked like a charm), emerged ~x86 aespipe and re-encrypted the data. I suppose this might also be the reason for most of the "wrong fs type" errors posted in this thread.

Lars

----------

## Gotterdammerung

Fine tut! I was looking for something like this for some time. I'll try it on a virtual machine before diving on my real PC.

----------

## unixtroll

 *Quote:*   

> 1. cryptoloop and dm_crypt are currently deprecated for lack-of-security reasons. You will find that the options to turn them on are disabled in recent 2.6 kernels. So loop-AES is defintitely the way to go. 

 

Cryptoloop IS deprecated, but dm_crypt ?? There's no mention of any security risks in the 2.6 Kernel, and it's definitely not deprecated. It WAS susceptible to watermarking attacks with the old public-IV mode, but since ESSIV got introduced with 2.6.10 that issue was erased. I'm just a layman, but if I understand correctly, ESSIV in dm-crypt is the equivalent (security wise) to multi-key mode in loop-AES. Further information here.

So regarding security issues, both seem to be  on the same level.

Nevertheless I have gotten the perception from reading mailing lists & other forums about this topic, that dm-crypt in combination with LUKS is considered superior to loop-AES, mainly because of its key management & especially design issues.
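
The watermarking weakness that Base and unixtroll discuss above, as an added example that is not part of any post in this thread and is neither dm-crypt nor loop-AES code. It models CBC sector encryption with dm-crypt's old "plain" IV (the sector number itself) next to ESSIV (the sector number encrypted under a hash of the volume key), and shows the attack the posts refer to: without knowing the key, an attacker writes a file whose plaintext cancels the predictable IV in two neighbouring sectors, so those sectors start with identical ciphertext blocks and the file's presence can be spotted on the raw disk. The block cipher is a toy 4-round Feistel network keyed with SHA-256 (an assumption made so the script runs with only the standard library; it is not AES), and the key, marker and sector numbers are constructed values.

```python
"""Plain-IV vs ESSIV watermarking demo (added example, toy cipher, not AES)."""
import hashlib

BLOCK = 16      # 128-bit blocks, as with AES
SECTOR = 512    # bytes per disk sector
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    # Feistel round function: keyed SHA-256 truncated to a half block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher: balanced 4-round Feistel network (NOT AES)."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _f(key, r, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def plain_iv(sector: int) -> bytes:
    """dm-crypt 'plain' IV: the sector number, little-endian, zero padded.
    Anyone can compute it, which is what makes watermarking possible."""
    return sector.to_bytes(8, "little") + bytes(BLOCK - 8)


def essiv(key: bytes, sector: int) -> bytes:
    """ESSIV: encrypt the sector number under a key derived by hashing the
    volume key, so a sector's IV is unpredictable without that key."""
    return encrypt_block(hashlib.sha256(key).digest(), plain_iv(sector))


def encrypt_sector(key: bytes, sector: int, data: bytes, iv_mode: str) -> bytes:
    iv = plain_iv(sector) if iv_mode == "plain" else essiv(key, sector)
    return cbc_encrypt(key, iv, data)


def watermarked_file(first_sector: int, marker: bytes) -> list:
    """Attacker's payload, built WITHOUT the volume key: two consecutive
    sectors whose first plaintext blocks are marker XOR plain_iv(s) and
    marker XOR plain_iv(s+1).  Under the plain IV, CBC feeds the cipher
    (plaintext XOR IV) == marker for both, so both first ciphertext blocks
    come out identical."""
    filler = bytes(SECTOR - BLOCK)
    return [_xor(marker, plain_iv(first_sector + i)) + filler for i in range(2)]


def watermark_visible(key: bytes, iv_mode: str, first_sector: int = 1000) -> bool:
    """The check an attacker who can only read the raw disk performs: do
    sectors s and s+1 start with the same 16 ciphertext bytes?"""
    marker = b"secret-watermark"  # exactly one block
    sectors = watermarked_file(first_sector, marker)
    c0 = encrypt_sector(key, first_sector, sectors[0], iv_mode)
    c1 = encrypt_sector(key, first_sector + 1, sectors[1], iv_mode)
    return c0[:BLOCK] == c1[:BLOCK]


# Constructed demo key; the attacker never sees it.
DEMO_KEY = hashlib.sha256(b"constructed demo volume key").digest()

if __name__ == "__main__":
    print("plain IV: watermark visible =", watermark_visible(DEMO_KEY, "plain"))
    print("ESSIV   : watermark visible =", watermark_visible(DEMO_KEY, "essiv"))
```

Run it and the plain-IV case reports the watermark as visible while ESSIV does not; the attacker's file is the same in both cases, only the IV derivation differs. loop-AES's multi-key mode reaches the same goal by a different route (different keys per sector position), which is the equivalence unixtroll refers to.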

----------

## dtmf

The doc was nice and easy to follow, but I must have missed something. I have encrypted the Drive and setup the ramdisk and all the kernel stuff. When the Kernel starts loading it Stops half way, and says:

```
VFS: Mounted root (minix filesystem) readonly
Freeing unused kernel memory: 260k freed
Warning: unable to open initial console.
Shutdown: hda
System halted.
```

I am not sure what to do I can get in to the encrypted drive just fine in knoppix. But it doesn't look like boot on it's own is working.

----------

## redhook

 *Apropos wrote:*   

>  If I had a laptop and some nefarious individual got a hold of it they could easily wipe by nice encrypted system from my hard drive.  They could probably circumvent the BIOS too but it adds a layer of security and I'm paranoid  .

 

Modern laptop BIOS passwords cannot be reset. You have to send the laptop in to a service center to have this done (requires BIOS replacement).

----------

