# HOWTO: Use the new baselayout for filesystem-encryption

## Master One

The latest (~x86) baselayout has fs-encryption included, which renders most of the existing guides & scripts for this purpose obsolete.

Here is a quick and dirty howto concerning swap-partition encryption:

Necessary kernel-options:

```
Device-Drivers -> Multi-device support (RAID and LVM) ->
        [*] Multiple devices driver support (RAID and LVM)
        <*>   Device mapper support
        <*>     Crypt target support

Cryptographic options ->
        <*>   AES cipher algorithms (i586)
```

If you are running a "x86" system, you need to:

```
echo "=app-shells/bash-3.0-r8" >> /etc/portage/package.keywords
echo "=sys-apps/baselayout-1.11.9-r1" >> /etc/portage/package.keywords
echo "=sys-apps/sysvinit-2.86" >> /etc/portage/package.keywords
echo "=sys-libs/readline-5.0-r2" >> /etc/portage/package.keywords
```

Now get the necessary items:

```
emerge baselayout cryptsetup
```

After updating your config-files (I always use dispatch-conf, take care not to simply overwrite your settings), edit /etc/conf.d/cryptfs to show

```
swap=crypt-swap
source='/dev/hda2'
```

(my swap is on hda2, so if you have it somewhere else, replace this properly)

At last edit the line for the swap-partition in your /etc/fstab to show

```
/dev/mapper/crypt-swap  none            swap            sw                      0 0
```

That's it! Reboot and have your swap encrypted.

(OT Now I need help for making swsusp2 + encrypted swap possible please see this thread)

EDIT1: Corrected typo in '/etc/confd/cryptfs'

----------

## Cintra

A quick additional question or 2.. 

Does one need to emerge sha1 with its huge emacs dependency? ref. 

```
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
```

NB there's a small typo ref /etc/conf.d/cryptfs

regards

Edit: Well I went ahead regardless of sha1. everything looked OK during bootup

No news may be good news, but I'm looking for clear signs that all is well.

Qtparted shows partition type for hda5 as 'unknow' which I guess is a good sign

And I see there is a /dev/mapper containing crypt-swap and control, so all is looking pretty good!

```
# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/crypt-swap                  partition       1044184 0       -1
```

----------

## Master One

 *Cintra wrote:*   

> does one need to emerge sha1 with its huge emacs dependency? ref. 
> 
> ```
> # If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
> ```
> ...

 

No, sha1 is not necessary at all, because on one hand with 'sha1' the kernel crypto module is meant, not the sha1 package (I assume), and on the other hand the use of the '-d' option disables the '-h' option. This is what I could read on the homepage of cryptsetup; looks like it is a redundancy in the scripts.

 *Cintra wrote:*   

> NB there's a small typo ref /etc/conf.d/cryptfs

 

Thanks, it is already corrected (I was kind of in a hurry).

----------

## kimchi_sg

Looks good! Can we use this trick to encrypt non-swap partitions as well?

----------

## Master One

Yes, just have a look into /etc/conf.d/cryptfs, it has examples for swap, /tmp and /home.

----------

## Cintra

Here is the cryptsetup home page and wiki

http://www.saout.de/tikiwiki/tiki-index.php

http://www.saout.de/misc/dm-crypt/

regards & thanks Master One

----------

## Morimando

Think I shouldn't even consider doing that, since I just did a new Gentoo installation (running pure udev // emerge -C devfsd)

But does it work with encrypting 

a) the whole disc

b) both discs

c) Reiser4 partitions..

?

Am I right in guessing that the answer is a clear "no"?

----------

## Master One

 *Morimando wrote:*   

> Think i shouldn't even consider doing that, since i just did a new Gentoo-installation (running pure udev // emerge -C devfsd  )

 

That has nothing to do with it at all, you can simply swap over to the new baselayout also on your new installation, it will not cause any harm (as long as you don't blindly overwrite your config files). The new baselayout is really considered to be very stable, and also should get the "x86" status soon now, as I have read somewhere else (especially also due to the included wireless support).

 *Morimando wrote:*   

> But does it work with encrypting 
> 
> a) the whole disc

 

No, because therefore you will have to use an initrd, if you also want to encrypt your / partition.

 *Morimando wrote:*   

> b) both discs

 

Don't understand that, but you can simply encrypt any other partitions on other harddiscs using this method without problem.

 *Morimando wrote:*   

> c) Reiser4 partitions..

 

I didn't try it (although I use Reiser4), but I don't see a reason why this encryption matter should depend on any filesystem type.

----------

## markandrew

How does this work in practice, exactly? Do you have to specify a password, or enter the root password at some point during boot? Or am I misunderstanding how this works?

----------

## Teh Penguin D00d

Curious...what's the speed hit taken for encrypting FS?

Seems like as it hits large files, there's going to be a performance hit as it decrypts the file as it's loaded...

----------

## Master One

 *AES Help Page wrote:*   

> AES cipher algorithms (FIPS-197). AES uses the Rijndael
> 
> algorithm.
> 
> Rijndael appears to be consistently a very good performer in
> ...

 

Since swap gets hardly used nowadays on decent machines, you will not see any difference in performance at all, and even with full swap action, you should not see any noticeable speed hit.

----------

## Master One

 *markandrew wrote:*   

> how does this work in practice, exactly? do you have to specify a password, or enter the root password at some point during boot? Or am I misunderstanding how this works?

 

You can provide a key-file, if you want, but without it, /dev/urandom gets used, and you will not have to enter a password during boot anyway. This encryption method has nothing to do with restricting access, but with having data stored encrypted on your hard drive, so it can not get extracted by someone who is not able to start your computer (using BIOS boot-passwd), or who is not able to login.

----------

## Cintra

Hei Master One

Ref my edited post above where I mentioned the swap partition having become type 'unknow' in Qtparted.. cfdisk btw shows the partition type as Linux swap/Solaris, just like my other disk's swap partitions.

But, I regularly use Acronis True Image on XP to backup both my disks, and find now that I am unable to backup the whole hda drive, because True Image doesn't recognize the encrypted partition.. I have to 'ignore' that partition, then the rest of the disk backs up OK. 

I'm concerned of course about the day I HAVE to do a full disk Restore rather than individual partitions, something I remember having had to do in the past, and now my chosen way of restoring as it goes so fast anyway.

My question: would you expect the partition type to be changed, as well as the contents encrypted, by the method in this thread?

Mvh

----------

## j-m

You are backing up the contents of the swap partition? Why? It is totally useless.

----------

## Cintra

 *j-m wrote:*   

> You are backing up the contents of swap partition? Why? It is totally useless. 

 Thank you, I am aware of that.. but backing up the whole disk does more than backup individual partitions, as I understand it. I am trying to find out why/whether the partition type should change as it has, not whether or not I should backup the swap partition itself as such.

mvh

----------

## Master One

I can also only suggest not to back up a swap partition. When I did my tests with swap encryption, I could also see that swsusp2 didn't find the swap id (or something like this) any more, so it may be possible that the partition type gets changed. But this really should not matter; I'd use another backup method (I don't like dual boot machines any more).

----------

## tuxophil

 *Cintra wrote:*   

> I am trying to find out why/whether the partition type should change as it has,

 

AFAIK the partition type, as set by fdisk, is a single byte stored in the partition table, whereas mkswap (which needs to be run before swapon) adds some kind of signature or whatever to the partition. But since your swap partition is encrypted, that signature can of course not be found when it's accessed without the correct device-mapper mapping.

Hope that helps.

----------

## Cintra

Thanks for your answers Master One and tuxophil. 

Now I know the probable reason, I'll do a whole disk restore to make sure all goes well..

ref. using another backup/restore method, my system is not just dual boot but quadruple+1

and my current method is both simple to use, and very fast when restoring complete disks

Mvh

----------

## chrism

 *Master One wrote:*   

> You can provide a key-file, if you want, but without it, /dev/urandom gets used, and you will not have to enter a password during boot anyway. This encryption method has nothing to do with restricting access, but with having data stored encrypted on your hard drive, so it can not get extracted by someone who is not able to start your computer (using BIOS boot-passwd), or who is not able to login.

 

Assuming I use this method for encrypting my home partition.

What happens if someone is chrooting in, or if someone just stole your hard drive? Would he/she be able to gain access to the data stored on the hard drive?

Thanks,

Chris

----------

## Master One

 *yellowhippy wrote:*   

>  *Master One wrote:*   You can provide a key-file, if you want, but without it, /dev/urandom gets used, and you will not have to enter a password during boot anyway. This encryption method has nothing to do with restricting access, but with having data stored encrypted on your hard drive, so it can not get extracted by someone who is not able to start your computer (using BIOS boot-passwd), or who is not able to login.
> 
> Assuming I use this method for encrypting my home partition.
> 
> What happens if someone is chrooting in, or if someone just stole your hard drive? Would he/she be able to gain access to the data stored on the hard drive?

 

Ok, the info given before was not complete, because the examples in /etc/conf.d/cryptfs for partition-encryption are only about swap and /tmp, which get formatted before they can be used by the script (and only that's why /dev/urandom can be used). Encryption of something like /home is mentioned to work with a loopback file this way, and of course you need a key for that. I am not a crypto-expert, so if you are interested in encrypting whatever you need, you will have to dig deeper by yourself. If you only want to encrypt your swap or /tmp, using the new baselayout just works out of the box (I mounted /tmp in tmpfs, so I don't have a need to encrypt that).

----------

## chrism

Thanks a lot.

Chris

----------

## D1g1talS0ul

This is the method I used to preserve a partition's contents across reboots and secure that data with a passphrase.

fdisk output:

```
/dev/hda6            2691       30515   223504281   83  Linux
```

shred:

```
shred -n1 -v /dev/hda6
```

Another tutorial recommended using shred to randomize the data.

cryptsetup:

```
cryptsetup -y -c aes -h sha1 create crypt-share /dev/hda6
```

cryptsetup will now ask for the passphrase.

format:

```
mkfs.ext3 /dev/mapper/crypt-share
```

/etc/conf.d/cryptfs:

```
mount=crypt-share
source='/dev/hda6'
```

/etc/fstab:

```
/dev/mapper/crypt-share /var/share      ext3            noatime                 0 0
```

Now when you boot, cryptfs will ask for the passphrase you entered when you ran cryptsetup.

----------

## christianbarth

I tried to encrypt my swap, but something is still wrong. I added the described kernel-options:

```
Device-Drivers -> Multi-device support (RAID and LVM) ->
        [*] Multiple devices driver support (RAID and LVM)
        <*>   Device mapper support
        <*>     Crypt target support

Cryptographic options ->
        <*>   AES cipher algorithms (i586)
```

then I ran:  *Quote:*   

> emerge bash -av

 

the output is: 

```
Calculating dependencies ...done!
[ebuild   R   ] app-shells/bash-3.0-r11  -bashlogger -build -debug +nls 0 kB
Total size of downloads: 0 kB
```

next I checked the baselayout:  *Quote:*   

> emerge baselayout -av

 

the output is:

```
Calculating dependencies ...done!
[ebuild   R   ] sys-apps/baselayout-1.11.12-r4  -bootstrap -build -debug -static -unicode 0 kB
Total size of downloads: 0 kB
```

after that I checked sysvinit:  *Quote:*   

> emerge sysvinit -av

 

the output is:

```
Calculating dependencies ...done!
[ebuild   R   ] sys-apps/sysvinit-2.86  -bootstrap -build -debug (-selinux) -static 0 kB
Total size of downloads: 0 
```

last I looked for readline  *Quote:*   

> emerge sys-libs/readline -av

 

the output is:

```
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild   R   ] sys-libs/readline-5.0-r2  0 kB
Total size of downloads: 0 kB
```

All the dependencies are newer than the required:

 *Quote:*   

> echo "=app-shells/bash-3.0-r8" >> /etc/portage/package.keywords
> 
> echo "=sys-apps/baselayout-1.11.9-r1" >> /etc/portage/package.keywords
> 
> echo "=sys-apps/sysvinit-2.86" >> /etc/portage/package.keywords
> ...

 

After checking the dependencies I emerged "cryptsetup":

```
Calculating dependencies ...done!
[ebuild   R   ] sys-fs/cryptsetup-0.1-r1  0 kB
Total size of downloads: 0 kB
```

Finally my /etc/conf.d/cryptfs:

```
cat /etc/conf.d/cryptfs

# /etc/conf.d/cryptfs
# $Header: /var/cvsroot/gentoo-x86/sys-fs/cryptsetup/files/cryptfs.confd,v 1.2 2005/05/21 06:10:25 vapier Exp $

# Note regarding the syntax of this file.  This file is *almost* bash,
# but each line is evaluated separately.  Separate swaps/mounts can be
# specified.  The init-script which reads this file assumes that a
# swap= or mount= line starts a new section, similar to lilo or grub
# configuration.

# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly.
# See http://bugs.gentoo.org/90482 for more information.

# Swap partitions. These should come first so that no keys make their
# way into unencrypted swap.
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
# If no makefs is given then mkswap will be assumed
swap=cryptswap
source='/dev/hda2'
```

and the /etc/fstab

```
cat /etc/fstab

# /etc/fstab: static file system information.
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/fstab,v 1.14 2003/10/13 20:03:38 azarah Exp $
#
# noatime turns off atimes for increased performance (atimes normally aren't
# needed; notail increases performance of ReiserFS (at the expense of storage
# efficiency).  It's safe to drop the noatime options if you want and to
# switch between notail and tail freely.

# <fs>                  <mountpoint>    <type>          <opts>                  <dump/pass>

# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
/dev/hda1               /boot           ext2            noauto,noatime          1 1
/dev/hda3               /               xfs             noatime                 0 0
#/dev/hda2              none            swap            sw                      0 0
/dev/mapper/cryptswap   none            swap            sw                      0 0
/dev/cdroms/cdrom0      /mnt/cdrom      iso9660         noauto,ro,user          0 0

# NOTE: The next line is critical for boot!
none                    /proc           proc            defaults                0 0

# glibc 2.2 and above expects tmpfs to be mounted at /dev/shm for
# POSIX shared memory (shm_open, shm_unlink).
# (tmpfs is a dynamically expandable/shrinkable ramdisk, and will
#  use almost no memory if not populated with files)
# Adding the following line to /etc/fstab should take care of this:
none                    /dev/shm        tmpfs           defaults                0 0
```

(sorry for the bad formatting)

Finally I rebooted, but now if I 

 *Quote:*   

>  cb-m300 ~ # cat /proc/swaps
> 
> cb-m300 ~ #

 

there is no swap.

Can please someone tell me what I did wrong.

Thx Christian

----------

## Master One

Quite strange, everything you did seems to be ok. When you boot the machine, have a look at what messages it shows concerning the crypt-swap activation (if something goes wrong there, you should see the red [!!] sign).

"cat /proc/swaps" shows /dev/hda2 here, you can also use "swapon -s" to check.

----------

## curantil

Is there a way to automatically answer the passphrase (for non-swap partitions)? I use an external hard disk and I only need it encrypted for when I carry it somewhere else. So it is not really a problem if the passphrase needs to be stored on the hard disk. But of course I'd prefer it if it could be stored encrypted.

----------

## christianbarth

I recently re-emerged baselayout (same version) and now everything is working fine

----------

## tfh

Hello all, this new baselayout seems very interesting. 

I actually use encryption with dm_crypt on a headless machine, so typing in a passphrase is not possible. 

Right now i store my key on a cdrom, that way if my comp is booted up without the cdrom in then my custom init script won't find the keyfile and won't mount the encrypted partition. 

Plus regarding law enforcement it's better to not even know the key.  That way you can't give it up :p. 

So does anyone know if it's possible to store the key on an external media with the new baselayout ? 

tfh

----------

## Nimo

I've got swap encrypting working as it should using normal sysvinit, but when using initng "swapon -s" gives no output. What should I do to enable it in initng?

----------

## kmbarr

I just did a fresh build last week using the 2.6.11-gentoo-r11 stage 3 build and was having the same problem as christianbarth, all the required packages were installed with the latest versions, my /etc/conf.d/cryptfs and /etc/fstab files were updated [very similar to Christian's], but the device was not getting built in /dev/mapper. I could build the device manually with cryptsetup, mkswap, and swapon and it would work.

Following Christian's advice, I re-emerged baselayout [and cryptsetup while I was at it]. This left me with 40 files in /etc that needed to be updated; so the next step was `etc-update`. I had to work through the files manually: most of the files could be replaced with the new versions, but in a few cases this would've overwritten important configuration information. Thanks for pointing me in the right direction, Christian.

 I think the critical issues were in /etc/init.d/localmount and /etc/init.d/checkfs...a number of other scripts in /etc did not appear to be the latest version [besides a lot of changes to 40 files, many of the existing files carried 2004 copyright dates], even though emerge reported that I was re-emerging the same version of baselayout. I think this is a problem with the current 2005.0 builds.

(edit) It looks like a recommendation to upgrade baselayout has been added in the appropriate place in the documentation.

----------

## Massimo B.

Swap encryption works fine. But is there a HowTo for encrypting /home with the baselayout? HowTos like "Encrypt a filesystem in a loopback file via dm_crypt" don't use the baselayout.

----------

## lirel

 *christianbarth wrote:*   

> I tried to encrypt my swap, but something is still wrong. I added the descriped kernel-options:
> 
> --*snip*--
> 
> Finally my /etc/conf.d/cryptfs:
> ...

 

you should correct this like so (crypt[dash]swap):

```
nano -w /etc/conf.d/cryptfs

swap=crypt-swap
source='/dev/hda2'
```

regards lirel
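The cryptfs syntax quoted in christianbarth's post (one key=value per line, a swap= or mount= line opening a section, swap sections first so no keys reach unencrypted swap) and the mapper-name correction lirel gives above can both be checked mechanically. The following POSIX shell script is an added example, not code from the thread or from Gentoo's baselayout; it parses a cryptfs-style file, cross-checks it against an fstab, and runs on constructed sample files (paths to real files can be passed to the functions instead).

```shell
# Print one "kind name source" line per section of a cryptfs-style file.
cryptfs_sections() {
    awk -F= -v q="'" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "swap" || $1 == "mount" {
            if (kind != "") print kind, name, src
            kind = $1; name = $2; src = ""; next
        }
        $1 == "source" { src = $2; gsub(q, "", src) }
        END { if (kind != "") print kind, name, src }
    ' "$1"
}

# Print the <name> of every /dev/mapper/<name> device listed in an fstab file.
fstab_mapper_names() {
    awk '$1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' "$1"
}

# Return 0 when every mapper device in fstab has a cryptfs section of the same
# name, every section has a source= line, and all swap= sections come before
# mount= sections (the file's own rule: no keys may land in unencrypted swap).
# Each problem found is printed on its own line.
check_cryptfs_fstab() {
    sections=$(cryptfs_sections "$1")
    rc=0
    for want in $(fstab_mapper_names "$2"); do
        printf '%s\n' "$sections" | awk -v n="$want" '$2 == n { f = 1 } END { exit !f }' ||
            { echo "fstab uses /dev/mapper/$want but cryptfs has no section named $want"; rc=1; }
    done
    printf '%s\n' "$sections" | awk '
        NF == 0 { next }
        $1 == "mount" { m = 1 }
        $1 == "swap" && m { print "swap=" $2 " comes after a mount= section"; bad = 1 }
        $3 == "" { print $1 "=" $2 " has no source= line"; bad = 1 }
        END { exit bad }' || rc=1
    return $rc
}

# Constructed sample files modelled on the thread (swap on hda2, share on hda6).
write_samples() {
    cat > "$1" <<'EOF'
# constructed /etc/conf.d/cryptfs
swap=crypt-swap
source='/dev/hda2'
mount=crypt-share
source='/dev/hda6'
EOF
    cat > "$2" <<'EOF'
/dev/hda3               /           xfs   noatime  0 0
/dev/mapper/crypt-swap  none        swap  sw       0 0
/dev/mapper/crypt-share /var/share  ext3  noatime  0 0
EOF
}

# Demo run on the constructed samples; pass real paths to check a live system.
demo=$(mktemp -d)
write_samples "$demo/cryptfs" "$demo/fstab"
check_cryptfs_fstab "$demo/cryptfs" "$demo/fstab" && echo "cryptfs and fstab agree"
rm -rf "$demo"
```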

----------

