# [mini-HOWTO] Encrypting root file system with dm-crypt

## veezi

There are probably many threads out there on how to encrypt your root file system. And I'm probably a n00b, but anyway, here is my mini-contribution. Make sure you back up your system first, and if you trash it (highly probable!) then don't blame me  :Smile: 

Assumptions:

1. Kernel 2.6.6: disk driver builtin, ext2/reiserfs filesystem drivers builtin, device mapper/encryption modules dm-crypt/dm-mod builtin, aes builtin, ramdisk and initial ramdisk (initrd) builtin.

2. Boot partition on /dev/hda1, filesystem is ext2.

3. Root partition on /dev/hda2, filesystem is reiserfs.

4. You will be prompted for encryption passphrase at boot time.

5. You are using udev.

6. You are using grub boot loader.

7. You're logged in as root.

Requirements:

1. You'll need to emerge device-mapper:

```
emerge device-mapper
```

2. You'll need to download and install cryptsetup available at http://www.saout.de/misc/dm-crypt/:

```
tar jxvf cryptsetup-0.1.tar.bz2
cd cryptsetup-0.1
./configure
make && make install
```

Note: cryptsetup is now in portage. Just emerge cryptsetup instead of the above!

Creating initrd image:

Now we need to create our initrd, I'll call it myinitrd. It's a simple task once you've played around a bit with it. I highly recommend playing with initrd's before you actually go and encrypt your root (last step in this mini-howto)  :Smile: 

First create the image. I'm using a 4MB initrd but feel free to expand that if you need more, just remember to set the option in your kernel configuration for the maximum ramdisk size properly.

```
touch myinitrd
dd if=/dev/zero of=myinitrd bs=1024k count=4
losetup /dev/loop0 myinitrd
mke2fs /dev/loop0
mkdir /mnt/initrd
mount /dev/loop0 /mnt/initrd
```

Now populate the image with required directories and files:

```
cd /mnt/initrd
mkdir etc dev lib bin proc new
touch linuxrc
chmod +x linuxrc
```

linuxrc is where the action will be. It's a script file to be run by linux on initial boot, more on it below.

Now you need to copy necessary files into bin and lib. For bin, copy the following from your current system:

```
/bin/sh
/bin/cat
/bin/mount
/bin/umount
/bin/mkdir
/bin/chroot
/usr/bin/cryptsetup
/sbin/pivot_root
```

For lib, you'll need to find out which lib files are needed by each of the binaries above. The way to do it is to run 'ldd' for each file above and copy the required libs over. Example:

```
ldd /bin/mount
        linux-gate.so.1 =>  (0xffffe000)
        libc.so.6 => /lib/libc.so.6 (0x4002e000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
cp /lib/libc.so.6 /mnt/initrd/lib/
cp /lib/ld-linux.so.2 /mnt/initrd/lib/
```

And so on for the rest of the binaries. 

Now, we need to create necessary devices under dev directory:

```
mknod /mnt/initrd/dev/console c 5 1
mknod /mnt/initrd/dev/null c 1 3
mknod /mnt/initrd/dev/hda2 b 3 2
mknod /mnt/initrd/dev/tty c 4 0
mkdir /mnt/initrd/dev/mapper
mknod /mnt/initrd/dev/mapper/control c 10 63
```

Finally we need to create our linuxrc script. The script should set up dm-crypt and mount root on it, then start the real init of the system. Here it is:

```
#!/bin/sh
export PATH=/bin

# Get cmdline from proc
mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
umount /proc

# Mount real root and change to it
cryptsetup create root /dev/hda2
mount /dev/mapper/root /new
cd /new
mkdir initrd
pivot_root . initrd

# Start init and flush ram device
exec chroot . /bin/sh <<- EOF >dev/console 2>&1
umount initrd
rm -rf initrd
blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF
```

Done with initrd. Test all bin files in it by chrooting and running them one by one. You should get no error messages about missing libraries:

```
chroot /mnt/initrd /bin/sh
/bin/chroot --help
/bin/mkdir --help
....
```

Unmount initrd and copy it over to /boot. Since I'm using bootsplash I've appended my bootsplash initrd to it. Note that you can still mount/unmount the image and play with it even after cat'ing the bootsplash image to it. mount knows its start and end.

```
umount /mnt/initrd
mount /boot
cat /boot/bootsplash-initrd >> myinitrd
cp myinitrd /boot/
umount /boot
```

Modifying fstab and grub.conf :

We need to modify /etc/fstab to point to our new root. Here's my new fstab:

```
/dev/mapper/root   /   reiserfs   noatime   0 1
/dev/hda1   /boot   ext2 noauto   0 0
/dev/hda4   none   swap   sw   0 0
none   /proc   proc   defaults   0 0
none   /dev/shm   tmpfs   defaults   0 0
```

And here's my new grub.conf:

```
default 1
timeout 5
splashimage=(hd0,0)/grub/splash.xpm.gz

title=Gentoo Linux (2.6.6)
        root (hd0,0)
        kernel (hd0,0)/vmlinuz-2.6.6 video=mtrr,vesa:1024x768 vga=0x317 splash=verbose root=/dev/ram0 rw init=/linuxrc
        initrd (hd0,0)/myinitrd
```

Encrypting the filesystem:

Now to encrypting the file system (make sure you have a backup!!!). How you encrypt it depends on you. Here I'm assuming you've enough space in hda3, and you've a linux boot CD or linux installed on another partition, and you've booted from that:

```
mkdir /mnt/partition2 /mnt/partition3
mount /dev/hda2 /mnt/partition2
mount /dev/hda3 /mnt/partition3
cp -r -p -v /mnt/partition2/* /mnt/partition3/
umount /mnt/partition2
cryptsetup create root /dev/hda2
--> enter passphrase when prompted
mkreiserfs /dev/mapper/root
mount /dev/mapper/root /mnt/partition2
cp -r -p -v /mnt/partition3/* /mnt/partition2
```

The above simply copies your current root to another partition, sets up an encrypted filesystem there (accessible through /dev/mapper/root from now on), and copies back files to it.

Next, we need to create necessary devices which will be needed at the initial phase of booting before the real system starts and udev takes over. It's important.

```
mknod /mnt/partition2/dev/console c 5 1
mknod /mnt/partition2/dev/null c 1 3
```

That's it! Unmount all.

Notes:

1. If you can't find a bootable CD with all ingredients in to encrypt your root, no problem! Just change your grub.conf line above to 'init=/bin/sh'. Now when you boot you'll get a nice little shell inside a ram disk that you can work from. Of course you'll need all necessary tools in the initrd image (e.g. mkreiserfs, fdisk, etc.).

2. If you have the default gentoo behaviour of saving '/dev' at reboot and restoring it at boot, make sure that your '/dev/mapper' directory contains a 'root' entry with major 254 minor 0 (mknod /dev/mapper/root b 254 0) just before your last reboot into the new encrypted root. Otherwise, it'll fail at boot time.

3. If you're running a modular kernel, no problem! Add a modules directory to myinitrd, say '/mod'. Copy the modules you'll need to it. Copy 'insmod' and required libs to '/bin' and '/lib' and that's it. Just don't forget to modify 'linuxrc' to insert the modules before the 'cryptsetup' line. For example, 'insmod /mod/dm-mod.ko' .. and so on.

Reboot, and cross your fingers.  :Smile: 

Last edited by veezi on Mon Oct 25, 2004 7:05 pm; edited 4 times in total
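The "run ldd for each binary and copy the libs" step above is tedious by hand; the script below, an added example and not part of veezi's howto, automates it for an image already loop-mounted at INITRD_ROOT (/mnt/initrd as in the howto). The variable and function names are this example's own, and the final check (exit status 127 from chroot means a missing library or loader) reproduces the howto's "chroot and run each binary" test.

```shell
#!/bin/sh
# Added example, not from the thread: stage binaries and their shared
# libraries into the initrd tree built in the howto above. Assumes the image
# is already loop-mounted at INITRD_ROOT (defaults to /mnt/initrd).
# Function and variable names are this example's own, not the howto's.

INITRD_ROOT="${INITRD_ROOT:-/mnt/initrd}"

# Binaries the howto's linuxrc needs (blockdev is called by linuxrc as well).
HOWTO_BINS="/bin/sh /bin/cat /bin/mount /bin/umount /bin/mkdir /bin/chroot
/usr/bin/cryptsetup /sbin/pivot_root /sbin/blockdev"

# Read ldd output on stdin and print one library path per line.
# Handles both forms ldd prints:
#   libc.so.6 => /lib/libc.so.6 (0x4002e000)   -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x40000000)             -> /lib/ld-linux.so.2
# and skips the vDSO pseudo-entry "linux-gate.so.1 => (0xffffe000)",
# which has no file behind it and must not be copied.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }
        $1 ~ /^\//               { print $1 }
    ' | LC_ALL=C sort -u
}

# Copy one binary into $INITRD_ROOT/bin (linuxrc uses PATH=/bin) and every
# library it needs to the same absolute path inside the image, so the
# dynamic loader finds them exactly where the ELF interpreter expects.
stage_binary() {
    bin="$1"
    [ -x "$bin" ] || { echo "stage_binary: $bin not found" >&2; return 1; }
    mkdir -p "$INITRD_ROOT/bin"
    cp -p "$bin" "$INITRD_ROOT/bin/"
    # For a statically linked binary ldd prints "not a dynamic executable";
    # ldd_paths yields nothing and the loop body never runs.
    for lib in $(ldd "$bin" 2>/dev/null | ldd_paths); do
        mkdir -p "$INITRD_ROOT$(dirname "$lib")"
        # -L dereferences the libc.so.6 -> libc-2.x.so symlink so the image
        # gets a real file rather than a dangling link.
        cp -pL "$lib" "$INITRD_ROOT$lib"
    done
}

# The howto's final check, automated: run every staged binary inside the
# image and report those that fail to start. Exit status 127 is what the
# loader (missing library) or chroot (missing /lib/ld-linux.so.2) returns.
# Needs root for chroot.
check_staged() {
    rc=0
    for f in "$INITRD_ROOT"/bin/*; do
        name=$(basename "$f")
        chroot "$INITRD_ROOT" "/bin/$name" --help </dev/null >/dev/null 2>&1
        if [ "$?" -eq 127 ]; then
            echo "FAIL: /bin/$name cannot start inside the initrd" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh stage_initrd.sh --howto           stage the howto's binary list
#        sh stage_initrd.sh /bin/ls /bin/ps   stage the binaries given
# With no arguments nothing runs, so the file can be sourced for its functions.
if [ "$#" -gt 0 ]; then
    [ "$1" = "--howto" ] && set -- $HOWTO_BINS
    for b in "$@"; do stage_binary "$b"; done
    check_staged
fi
```

The sample ldd output in the howto (three lines, one of them the vDSO) is exactly the input ldd_paths is written for; it also copes with the newer ldd format where the loader line has no "=>".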

----------

## GentooBox

Nice guide  :Smile: 

but you posted it the wrong place.

----------

## veezi

Why wrong place?! Encryption is security .. right?   :Shocked: 

----------

## Souperman

Indeed it is, but it's a howto, not a support question and thus belongs in Documentation, Tips and Tricks.  I've reported it.

edit: hot damn! already moved!  :Wink: 

----------

## pjp

 *vzeidat wrote:*   

> Why wrong place?! Encryption is security .. right?  

 Encryption is security related, but the Documentation, Tips & Tricks forum is for "howtos" and other similar documentation.

Moved from Networking & Security.

----------

## chadders

Vzeidat, I am glad you posted your howto and thanks.  

I like device mapper crypto a lot and have been using it for a while.  I think it is better and cleaner than loop device driver based stuff (especially for encrypting the root file system).  

Chadders  :Very Happy: 

----------

## veezi

No problem. Glad I could help.

I made some modifications (since I've written it without actually trying it  :Laughing:  )

- added '/bin/cat' to myinitrd

- added '/etc' to myinitrd

- added 'root=/dev/ram0 rw' to grub.conf line

- added '/dev/tty' to myinitrd

- added notes.

Cheers

----------

## rajl

Can you post up how I could safely encrypt my swap using device-mapper?  Also, what about people who have more than just a root partition?

For example: my /etc/fstab is:

```
/dev/hda1               /boot           ext2            noauto,noatime          1 1
/dev/hda4               /home           xfs             noatime                 0 0
/dev/hda2               none            swap            sw                      0 0
/dev/hda3               /               reiserfs        noatime                 0 0
```

I basically want to encrypt my root, home, and swap partitions.  Will you please expand upon your guide?

----------

## veezi

I don't know much about encrypting swap. You may want to look around for an answer.

As for other partitions, well, if you can encrypt the root partition, then you can encrypt anything else  :Smile:  . For the home partition, I just add the following to my '/etc/conf.d/local.start'

```
/usr/bin/cryptsetup create home /dev/whatever
/bin/mount /home
```

Of course, you'll need to have the corresponding entry in /etc/fstab:

```
/dev/mapper/home       /home        reiserfs       noatime,noauto       0 0
```

Notice that the home partition isn't accessed by the init boot scripts. That's why it's easy to leave it to the last stage (through local.start). If you have other partitions which need to be mounted earlier, you might want to mount them inside your linuxrc script.

Notice also the 'noauto' option in /etc/fstab. You'll need to have that in there to prevent the init scripts from automatically mounting those partitions.

Hope that helps,

Cheers,

----------

## chingo

Thanks for the guide veezi, along with this RootCryptoraid guide it helped me get it all working great.

rajl, here's how I set it up with multiple partitions and encrypted swap. I had problems compiling cryptsetup-0.1 statically, which means it needs /usr mounted, so I set up all the devices with linuxrc first then copy them to /dev after pivot_root. When I get cryptsetup compiled statically, I'll change it to set up other partitions in the initscript rather than in linuxrc.

My key is encrypted on a usb flash drive, as described by mossmann in this thread, but I can't get the usb stick booting (yet) so /boot is left unencrypted on the hard drive, which has this layout:

```
/dev/hda1       /boot
/dev/hda2       /
/dev/hda3       /usr
/dev/hda5       /usr/local
/dev/hda6       /var
/dev/hda7       /var/tmp
/dev/hda8       /home
/dev/hda9       swap
```

I added the following to my initrd:

Directories:

```
bin dev/mapper lib/modules mnt/{root,usb} proc sbin usr/lib
```

Contents of initrd directories:

```
bin
cat chroot cryptsetup dmesg mount sh sleep umount

sbin
insmod losetup pivot_root rmmod

lib
ld-linux.so.2 libc.so.6 libdl.so.2 libm.so.6 libnsl.so.1 libpthread.so.0 librt.so.1

usr/lib
libgcrypt.so.11 libgpg-error.so.0 libpopt.so.0

dev
console hda hda1 hda2 hda3 hda4 hda5 hda6 hda7 hda8 hda9 loop0 null random sda sda1 tty

dev/mapper
control
```

In dev add a device file for all your encrypted partitions, in my case hda1 to 9. I also need sda1 for the usb stick and loop0 to use losetup.

Add any modules you need to lib/modules (or wherever), in my case loop, sd_mod & usb_storage.

Here's my linuxrc, which mounts the loopback key on usb, and after checking the passphrase sets up the data partitions with that key (/dev/mapper/bootkey), and recreates swap with /dev/random. It just checks the passphrase by trying to mount root; if the passphrase is wrong then there'll be no mapped filesystem to mount.

```
#!/bin/sh
PATH=/bin:/sbin
dmesg -n 1

# halt on error
stop_init () {
 cryptsetup remove bootkey 2>/dev/null
 losetup -d /dev/loop0 2>/dev/null
 umount -n /mnt/usb 2>/dev/null
 umount -n /mnt/root 2>/dev/null
 count=0
 while [ "$count" = 0 ]; do
  sleep 60
 done
}

mount -n -t proc none /proc 2>/dev/null
if [ ! -e "/proc/devices" ]; then
 echo "procfs not found, halting."
 stop_init
fi
CMDLINE=`cat /proc/cmdline`

echo "Loading modules..."
insmod /lib/modules/loop.ko
insmod /lib/modules/sd_mod.ko
insmod /lib/modules/usb-storage.ko
# give usb time to sort itself
sleep 4

# mount keyfile on usb device
mount -r -n -t ext2 /dev/sda1 /mnt/usb 2>/dev/null
if [ ! -e "/mnt/usb/keys/laptop_key" ]; then
 echo "Can't continue boot sequence, halting."
 stop_init
fi
losetup /dev/loop0 /mnt/usb/keys/laptop_key

# check passphrase
count=0
while [ "$count" -lt 3 ]; do
 cryptsetup create bootkey /dev/loop0 # prompts for passphrase
 cryptsetup -d /dev/mapper/bootkey create rootfs /dev/hda2
 mount -r -n -t ext2 /dev/mapper/rootfs /mnt/root 2>/dev/null
 if [ "$?" = 0 ]; then
  echo "Root mounted, preparing filesystems..."
  break
 else
  cryptsetup remove rootfs
  cryptsetup remove bootkey
  let count=$count+1
  if [ "$count" -ge 3 ]; then
   echo "Halting."
   stop_init
  fi
 fi
done

cryptsetup -d /dev/mapper/bootkey create usrfs /dev/hda3
cryptsetup -d /dev/mapper/bootkey create localfs /dev/hda5
cryptsetup -d /dev/mapper/bootkey create varfs /dev/hda6
cryptsetup -d /dev/mapper/bootkey create vartmpfs /dev/hda7
cryptsetup -d /dev/mapper/bootkey create homefs /dev/hda8
cryptsetup -d /dev/random create swapfs /dev/hda9

echo "Unmounting usb storage..."
cryptsetup remove bootkey
losetup -d /dev/loop0
umount -n /mnt/usb
rmmod loop.ko
rmmod usb-storage.ko
rmmod sd_mod.ko
umount -n /proc

echo "Switching to full system..."
cd /mnt/root
pivot_root . initrd
# double quotes so ${CMDLINE} is expanded here; inside single quotes the
# inner shell would see an empty variable, since CMDLINE is not exported
exec chroot . /bin/sh -c "exec /sbin/init ${CMDLINE}" \
        <dev/console >dev/console 2>&1
```

As you can see initrd doesn't get unmounted yet, that means the devices created with cryptsetup in linuxrc can be copied from /initrd/dev/mapper/ to /dev/mapper/ proper once the main init starts.

After backing up the system, encrypting the partitions with my key from boot media and copying everything back over (I used a ramdisk with cryptsetup added), I mounted root then the other partitions and chrooted in to update fstab and grub.conf, add the initscript below to the boot runlevel, and create the /initrd partition (to mkdir it from linuxrc root has to be mounted rw).

fstab now looks like this:

```
/dev/hda1               /boot           ext2
/dev/mapper/rootfs      /               ext2
/dev/mapper/usrfs       /usr            ext2
/dev/mapper/localfs     /usr/local      ext2
/dev/mapper/varfs       /var            ext2
/dev/mapper/vartmpfs    /var/tmp        ext2
/dev/mapper/homefs      /home           ext2
/dev/mapper/swapfs      none            swap
```

relevant bit of grub.conf:

```
title=gentoo-2.6.7
root (hd0,0)
kernel /bzimage-2.6.7 root=/dev/ram0 init=/linuxrc
initrd /initrd
```

And the dm-crypt initscript I'm using:

```
#!/sbin/runscript

crypt_part="rootfs usrfs localfs varfs vartmpfs homefs swapfs"

start() {
 ebegin "Setting up encrypted filesystems"
 for i in $crypt_part; do
  if [ ! -e "/dev/mapper/${i}" ]; then
   cp -a /initrd/dev/mapper/${i} /dev/mapper/
  fi
 done

 einfo "Creating encrypted swap..."
 mkswap /dev/mapper/swapfs 1>/dev/null
 einfo "Unmounting initrd & flushing ram..."
 umount -n /initrd
 blockdev --flushbufs /dev/ram0
 eend $?
}
```

(edited the initscript, / doesn't need mounting rw there as /dev is on a different filesystem.. doh.)

The initscript has to be run before checkroot, which is the first thing run in the boot runlevel. /sbin/rc has a list of critical services which are run first regardless of depends etc... to get the dm-crypt script running first, create the file /etc/runlevels/boot/.critical and add the following line:

```
dm-crypt checkroot hostname modules checkfs localmount
```

And that's it. Woo-hoo! Now, if I can just get a usb stick to boot.  :Very Happy: 

----------

## rajl

Thanks for the help.  Much appreciation.  My gcc and xfree/xorg decided not to play nice this weekend (some stupid error involving the hardened toolchain that just won't fix) so I'll probably use this as a great excuse to encrypt my linux drive in the process.

----------

## GroennDemon

Thank you for the very nice and useful howto.

Encryption of my root partition works without any problems, but /initrd doesn't get deleted.

I always get "rm: operation not permitted" error messages at startup.

Furthermore, encrypting my swap partition with /dev/random as keyfile doesn't seem to work - the call to cryptsetup takes ages to complete. Strangely, it exits after a few seconds when I hold down the Ctrl key...

Any help would be appreciated.

----------

## fbettag

I have the problem that cryptsetup tells me

```
kackmaul ~ # cryptsetup create root /dev/hda3
Command failed: Invalid argument
```

if someone can tell me why :)

[edited] Sorry, I am so stupid and tried it from a rescue system without crypt-dm drivers! Sorry [/edited]

----------

## Seather

When trying to run:

```
cryptsetup create data /dev/hdb1
```

I get the following after typing in the passphrase:

```
Command failed: Invalid argument
```

And this shows up in logs:

```
Nov 24 12:27:15 roxy kernel: device-mapper: error adding target to table
```

Anyone know why this might be?

----------

## chadders

Hi

Do you have kernel Device Drivers ->  Multi-device support (RAID and LVM) ->  Device Mapper Support and Crypt Target Support enabled in your kernel?

Chadders  :Very Happy: 

----------

## Seather

Yes. Tried compiling them in stock or as modules.

----------

## Seather

I have now tried on another gentoo box, the same versions of everything, the same procedure and exactly the same kernel configuration and it worked?

----------

## Seather

Sorry, after checking, the commands work if I run it on my usb flash disk, /dev/sda but not on my standard ide drive /dev/hdb or its partition /dev/hdb1. Why would this be?

----------

## Seather

I am going to kick myself

Apologies all round, for some reason didn't notice that the drive was mounted 20 times in a row!

Sorry, working perfectly now thank you

----------

## Seather

Once again me, I have done everything now, however, when I reboot, it does not ask for passphrase or anything, it just flashes the kernel messages past and at the end I get:

```
UDF-fs: No partition found(1)
Kernel panic - not syncing: VFS: Unable to mount root fs on unkown-block(1,0)
```

Any ideas what I might be able to try?

What I did try to do was copy /bin/sleep into myinitrd together with its libraries, and add "sleep 10" at various places in the linuxrc file to be able to see what's happening, but it didn't take effect at all, so my guess is my initrd isn't read?

Update:

I changed from grub to lilo and now it boots and asks for my passphrase (just before this, it gives: warning: can't open /etc/fstab: No such file or directory, is this okay?). After entering my passphrase, it outputs some text about reiserfs, finding partition etc.

Then however, at "Checking root filesystem" it stops:

```
Failed to open the device '/dev/mapper/root': No such file or directory
Warning... fsck.reiserfs for device /dev/mapper/root exited with signal 6.
 * Filesystem couldn't be fixed :(
Give root password for maintenance
(or type Control-D for normal startup):
```

Where to go from here?

If I do type in my root password, and do a ls /dev/mapper/ it doesn't show the "root" entry, only "control"

However, when trying: cryptsetup status root, I do get:

```
/dev/mapper/root is active:
```

----------

## ross8653

Thanks for the guide, I've been fighting with it for about a week now and don't know what next step to take.

Also i have suggestions to the guide and it might fix other people's problems

1. When creating the initrd image I was a little confused since I never did much with loops. You should add a "cd /mnt" as the first step.

2. When I first copied files to the ram drive I just pasted your commands. But off the gentoo live cd cryptsetup is located in "/bin/" instead of "/usr/bin" like you suggest.

3. When you "mknod /mnt/initrd/dev/hda2 b 3 2" you should say that if you are using another partition like hda3 the major/minor numbers are 3 3 (if that's true?).

4. Your grub kernel line wraps on my screen (either that or you hit enter) and when I copy/pasted I had problems.

5. When encrypting the FS, you should call cryptsetup with -y to verify that you got the password right. Typing the password once when setting it can cause problems with long complex passwords, or fat fingers.

6. When I compiled device mapper into the kernel and booted off the ram disk, /proc/devices lists device-mapper as a major of 253, not sure if that matters.

Well anyway, my problem is when I run cryptsetup I get

```
Command failed: Invalid argument
```

Now I got that error at first when I booted off the gentoo live cd and tried to encrypt the system; I found out that dm_crypt wasn't loaded so a quick modprobe fixed that. But I compiled everything needed in, I think, and on boot up I see device mapper is loaded

```
md: md driver 0.90.0 MAX_MD_DEVS=256, MD_SB_DISKS=27
device-mapper:4.3.0-ioctl (2004-09-30 initialized: dm-devel@redhat.com
```

I know i have this problem because i set linuxrc to "exec /bin/sh" and i manually run the commands. I get the error above when i get to cryptsetup. I can also boot off the live cd, run modprobe dm_crypt, and then decrypt the device and chroot so i know that works. 

Here are the things that ARE set, i deleted the ones that weren't to save space

```
livecd linux # grep -i crypt /usr/src/linux/.config
CONFIG_DM_CRYPT=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_AES_586=y
```

The kernel I'm using is linux-2.6.9-gentoo-r9.

...so what should I look at?

----------

## westboy21

I'm also getting a "command failed" error message.  If I pass init=/bin/sh and manually type in the command

```
cryptsetup -v create root /dev/hda2
```

I get command failed: device mapper ioctl error.  Don't quote me on the exactness of this error message, I don't have it in front of me, but it was an ioctl error with the letters 254 in it.  So I'm thinking this has to do with the major number of the control device.  So, I booted into a live cd, and created a new control device which matched the major/minor numbers of the device created by the live cd.  I then chrooted into the initrd drive, and ran cryptsetup.  It worked perfectly.  Humm...

When I reboot with this setup, it fails. So I boot into the ram drive again, and 

```
cat /proc/devices
```

 I'm informed that device-mapper is 253,0.  Humm...  So I reboot into the live cd and re-run 

```
mknod ./control c 253 0
```

This time when I boot up I get the same error message about command failed.  Also if I chroot into the initrd from the live cd with this new control device 253,0 I get a command failed error as well.

So .... I know this error message is due to the wrong /dev/mapper/control device.  How do I fix this?

Anyone out there with great wisdom have any idea?

----------

## westboy21

OK.  I seem to have fixed my issue.  The author might want to amend his howto and include the devmap_mknod.sh script in the /bin directory of the myinitrd ram drive.  Not all systems use the same major and minor device numbers for the /dev/mapper/control device.  I altered the linuxrc file and added a line to run this script before unmounting the proc.

I also had issues with an error message telling me that /dev/mapper/root couldn't be mounted, and that I had to specify the type of filesystem.  I just altered the mount line in the linuxrc file to include the type.

I'm still getting the can't find fstab error.  I assume I should just ignore this, since my system boots up ok despite that message.

----------

## Lokheed

Added to wiki: http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt

----------

## benjamin.choi

If for some reason I damaged my system horribly such that it cannot boot (e.g. by setting default runlevel to 0), I often can repair it using a boot disk such as Knoppix or the Gentoo LiveCD. However, with an encrypted root partition, how can I access it to work on it? Any idea how to make a boot disk capable of reading/writing to my encrypted partition?

----------

## westboy21

This is the beauty of the dm-crypt module and the cryptsetup program.  Any live cd with crypto support and the cryptsetup program can create the map to the encrypted filesystem with the command

```
cryptsetup create root /dev/hd**
```

then you can just mount the /dev/mapper/root device anywhere in the livecd ram filesystem.  Voilà.

----------

## ross8653

westboy21 can you post your devmap_mknod.sh

Last edited by ross8653 on Wed Jan 19, 2005 3:17 pm; edited 1 time in total

----------

## westboy21

Well ... looks like I need to log into here every now and then.  Sorry about missing the PM by about a month.  Here is my dev_mknod script

```
#! /bin/sh
# Startup script to create the device-mapper control device
# on non-devfs systems.
# Non-zero exit status indicates failure.

# These must correspond to the definitions in device-mapper.h and dm.h
DM_DIR="mapper"
DM_NAME="device-mapper"

set -e

DIR="/dev/$DM_DIR"
CONTROL="$DIR/control"

# Check for devfs, procfs
if test -e /dev/.devfsd ; then
        echo "devfs detected: devmap_mknod.sh script not required."
        exit
fi

if test ! -e /proc/devices ; then
        echo "procfs not found: please create $CONTROL manually."
        exit 1
fi

# Get major, minor, and mknod
MAJOR=$(sed -n 's/^ *\([0-9]\+\) \+misc$/\1/p' /proc/devices)
MINOR=$(sed -n "s/^ *\([0-9]\+\) \+$DM_NAME\$/\1/p" /proc/misc)

if test -z "$MAJOR" -o -z "$MINOR" ; then
        echo "$DM_NAME kernel module not loaded: can't create $CONTROL."
        exit 1
fi

mkdir -p --mode=755 $DIR
test -e $CONTROL && rm -f $CONTROL

echo "Creating $CONTROL character device with major:$MAJOR minor:$MINOR."
mknod --mode=600 $CONTROL c $MAJOR $MINOR
```

Here is my linuxrc script

```
#!/bin/sh
export PATH=/bin

mount -t proc proc /proc
CMDLINE=`cat /proc/cmdline`
devmap_mknod.sh
umount /proc

if [ -L /dev/mapper/root ] ; then
        rm -f /dev/mapper/root
fi
if [ -b /dev/mapper/root ] ; then
        rm -f /dev/mapper/root
fi

cryptsetup create root /dev/hda4
mount -t reiser4 /dev/mapper/root /new
cd /new
mkdir initrd
pivot_root . initrd

exec chroot . /bin/sh <<- EOF >/dev/console 2>&1
umount initrd
rm -rf initrd
blockdev --flushbufs /dev/ram0
exec /sbin/init ${CMDLINE}
EOF
```

Maybe this can help someone else in the future.  :Smile: 

----------

## QuizMasta

I've run in to a problem following this guide (and another one for that matter). My root partition is encrypted and the linuxrc script mounts the root just fine. After typing the passphrase my root is mounted (together with my swap?) and I get this:

```
Give root password for maintence
(or type Control-D for normal start up):
```

If I type ctrl+d the damn thing restarts   :Sad: 

If I login using the root pass I get my normal root shell. Snooping around in there only adds to the confusion:

1) Mount reports that the root device is /dev/hda7 (and not /dev/mapper/cryptroot)

2) /dev/mapper/cryptroot does not exist. Only /dev/mapper/control

3) When looking at dmesg, these are the last entries:

```
ReiserFS: dm-0: found reiserfs format "3.6" with standard journal
ReiserFS: dm-0: using ordered data mode
ReiserFS: dm-0: journal params: device dm-0, size 8192, journal first block 18, max trans len 1024, max batch 900, max commit age 30, max trans age 30
ReiserFS: dm-0: checking transaction log (dm-0)
ReiserFS: dm-0: Using r5 hash to sort names
Adding 506008k swap on /dev/hda5.  Priority:-1 extents:1
```

And as far as I know, mounting swap is part of the actual init, not the ramdisk init - or am I wrong?

And why would ReiserFS report the device to be dm-0 when I've named it cryptroot?

ANY help/input is greatly appreciated!

----------

## westboy21

Man ... I wish I could help you out on this one.  Just last week I tried another gentoo installation using this guide and ended up with the same problems as you.  Let me guess.  Right before you get the prompt asking for your root password for maintenance, you probably got some error saying that the root device couldn't be checked or something to that effect.

My problem was that /dev/mapper/root was getting created but once udev started up, it was removing everything in /dev and repopulating it.

I didn't use to have this issue.  Anyone have this issue?  Seems to be an LVM naming issue.  I've researched most of the posts I can find relating to LVM and UDEV, but can't find any substantial answer that WORKS.

I finally gave up.  Please post anything else you may find!

----------

## westboy21

Try this post!

https://forums.gentoo.org/viewtopic.php?t=283948&highlight=

----------

## schachti

Does someone know what I have to do in a different way if I'm not using udev?

----------

## schachti

 *veezi wrote:*   

> Now to encrypting the file system (make sure you have a backup!!!). How you encrypt it depends on you. Here I'm assuming you've enough space in hda3, and you've a linux boot CD or linux installed on another partition, and you've booted from that:

 

Where can I get a boot CD that supports cryptsetup? I tried a recent version of knoppix, it does not.  :Crying or Very sad: 

----------

## ross8653

gentoo live cd universal 2004.3 has it

----------

## Coper

Hi, I tried to mount my USB stick in my linuxrc file, but it just says that the device doesn't exist.

I have made /dev/uba1 b 180 1

Any ideas? Running 2.6.10

----------

## ross8653

I have been playing with swap encryption and cannot get udev to do what I want, so I've just created the swap in /etc/conf.d/local.start.

the wiki entry is updated with info about my quick solution.

Also for people that are having problems with creating the mapping to swap taking ages check the wiki. The problem is your /dev/random runs out of entropy, you can move the mouse around or use /dev/urandom.

http://en.wikipedia.org/wiki//dev/random

----------

## mahatmah

I have encrypted my root filesystem with dm-crypt. Instead of standard cryptsetup I preferred cryptsetup-luks. In my opinion a little bit better because it supports more than one key...

I have created my root partition with the following parameters:

```
cryptsetup -c aes-cbc-essiv:sha256 -s 128 luksFormat /dev/hda3
```

Everything is working fine, only my hard drive throughput is really bad. Gkrellm shows up 2,5M (mbyte/s), it isn't really funny to copy something from or to my unencrypted second disk.

I have a 2,8GHZ P4, cpu is up to 99%, ram usage is low (512 mb, around 150mb used).

I don't think it is because I chose cryptsetup-luks instead of cryptsetup, because only the handling of the passphrase is different (I think). Maybe because I chose "essiv" instead of the standard "plain". I have chosen essiv because I read it helps a lot against watermark attacks. 

So, my question is, is it normal that the hard drive performance is that poor?

----------

## ross8653

Assuming you're not on a laptop and using a 7200 rpm ide/sata drive, no, it should be a bit better. Here's an example with my craptastic 4200rpm laptop harddrive and a p3 500mhz, using AES and a 256bit key. /dev/mapper/root maps to /dev/hda3

```
taptap linux # hdparm -t /dev/mapper/root /dev/hda3

/dev/mapper/root:
 Timing buffered disk reads:   26 MB in  3.11 seconds =   8.37 MB/sec

/dev/hda3:
 Timing buffered disk reads:   40 MB in  3.13 seconds =  12.77 MB/sec
```

Say your partition that is encrypted is /dev/hda3 and your devicemap to that partition is /dev/mapper/root.

You can check the difference encryption has on the speed of your drive by

```
hdparm -t /dev/hda3 /dev/mapper/root
```

Run that a few times, also on your second drive to make sure that is not holding anything up. If it is still slow due to encryption you can check if using cryptsetup-luks has anything to do with it by making a map with cryptsetup and testing cryptsetup's performance. This shouldn't hurt any data since you are only read testing, but to be sure you can do this to your swap partition (after shutting off swap of course).

Say hda2 is swap:

```
swapoff /dev/hda2
free          (check if swap is gone)
cryptsetup -d /dev/urandom create testmap /dev/hda2
(now create a map from /dev/hda2 using your cryptsetup-luks with the same algorithm and key size that you normally use)
```

Now you should have two encrypted maps to the same partition /dev/hda2 (testmap, and the one you created). Let's run hdparm again:

```
hdparm -t /dev/hda2 /dev/mapper/testmap /dev/mapper/YOURMAPHERE
```

What are the results?

----------

## mahatmah

 *Quote:*   

> taptap linux # hdparm -t /dev/mapper/root /dev/hda3 
> ...

Oh my goodness, so silly, I have forgotten to include my settings for dma into the kernel. I'm sorry. 

But I didn't know the dma -t testing thing. Here is my output after finally enabling dma

```
nozomi ftp # hdparm -t /dev/mapper/root /dev/hda3

/dev/mapper/root:
 Timing buffered disk reads:   60 MB in  3.07 seconds =  19.53 MB/sec
HDIO_DRIVE_CMD(null) (wait for flush complete) failed: Inappropriate ioctl for device

/dev/hda3:
 Timing buffered disk reads:  160 MB in  3.04 seconds =  52.62 MB/sec
```

Not that bad I think, it is really great  :Smile: 

Thanks for your response, I didn't even think about dma, I thought it could only be the encryption...

----------

