# Hard-drive encryption and switching distros

## SnowCrashv5

I currently run OpenSuse 10.3 and used Yast to encrypt a 200MB hard-drive.  I'm pretty certain yast just acted as a front end to dm-crypt.  I personally am pretty thankful for the front end tool as at the time I couldn't have been bothered learning dm-crypt inside and out.

The problem I have now is, I would really like to try Gentoo out but I continue to need access to this disk and would like to keep my setup (prompt at boot for the passphrase to unlock the key).   Anyone familiar with dm-crypt enough to know if  I can do this?

----------

## frostschutz

Hard to answer this question if you don't even know what Yast uses exactly for encryption. But no worries, if it's really just 200MB, it's easy to copy the data somewhere and just set up a new encrypted drive in Gentoo. If you actually meant 200GB it works just the same. Encryption or not, you should have a backup either way; if you don't and the hard drive dies, then your data was not important. Especially not if it was encrypted.

Here is an example of how an encrypted system can work with Gentoo:

http://www.gentoo-wiki.com/Booting_encrypted_system_from_USB_stick

If you don't want to change/touch the drive, the first step that you should do, is find out exactly what kind of encryption you are currently using. Then, boot a Gentoo LiveDVD, and see if you can unlock and mount it from there, using whatever crypt tool you need. If you can mount it from the Live system, you can mount it from the Gentoo you are going to install.

----------

## SnowCrashv5

Apologies, I did mean 200GB and upon double checking, I believe yast does use dm-crypt. Problem I have is the lack of space to move 200GB of data anywhere. I have another 200GB drive (not encrypted), but that one too, is almost full. I'll give the live disc a shot. Thanks.

----------

## Napalm Llama

My advice would be to find out where YaST (or however it's capitalised these days) keeps its config files, and see if you can make sense of them.

Checking out this wiki page, it seems that cryptsetup has come on a bit since I set up my encrypted partitions a couple of years back.  As far as I can tell, you might be able to simply enter this command:

```
cryptsetup luksOpen /dev/sda1 name
```

where /dev/sda1 is your encrypted partition and name is what you want the unencrypted device to appear as in /dev/mapper/ .  Cryptsetup should then prompt you for your password.  Alternatively, you may need to append --key-file /path/to/rootkey to the command if YaST set up your encryption to use a keyfile instead of a straight password.  Obviously you'll have to find out where YaST hid the keyfile if that's the case.

Once you've got through the encryption, you just have to mount the filesystem:

```
mount /dev/mapper/name /mnt/name/
```

...and all your files appear under /mnt/name/

Of course I may have missed something - alarm bells are ringing in my head that no administrative task on Gentoo should ever be that easy!

[edit:]

Offtopic, but if you want another two of my cents I would strongly advise you to obtain space capable of holding the contents of that drive, and all other drives you consider important.  It has been said that there are two types of computer user: those that keep backups, and those that have never had a hard disk fail.  Storage space is stupidly cheap these days, so you'd really be doing yourself a favour to keep your partitions backed up on, say, a USB or eSATA hard disk which you keep unplugged except for when you're using it.

----------

## SnowCrashv5

Thank you all for your help in this matter,  I got it to mount on the Gentoo Live DVD just fine, but now that I have Gentoo installed, it's not mounting.

I've done a make menuconfig and added the following bits into the kernel

```
Linux Kernel Configuration: Device Mapper

Device Drivers -->
[*] Multiple devices driver support (RAID and LVM)
 <*> Device mapper support
 <*> Crypt target support

Then you must enable the cipher (aes):

Cryptographic API -->
 <*> AES cipher algorithms (i586)
```

As well as all the SHA encryption algorithms.  Then of course the make && make modules_install

Then upon attempting to mount it, I get the following:

```
# cryptsetup luksOpen /dev/hdc1 hdc1
Enter LUKS passphrase:
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/hdc1 contains at least 133 sectors.
Failed to read from key storage
Command failed: No key available with this passphrase.
```

And I'm 100% certain I have the passphrase correct and I didn't see anything in the make menuconfig that specified "aes-cbc-essiv:sha256 cipher". I find it odd it mounted in the live disc just fine, but not the install. I never specified for luks in Suse/Yast to use a keyfile anywhere, and if there was one automagically created by Yast, it shouldn't have been picked up by the Gentoo Live Disc as I didn't have any drives mounted except for the encrypted drive itself.

Last edited by SnowCrashv5 on Wed Jun 18, 2008 3:03 pm; edited 1 time in total

----------

## frostschutz

aes-cbc-essiv:sha256 is not one thing but a combination, i.e. you need to add support for aes as well as cbc as well as sha256 as well as probably essiv, whatever that is.

I use aes-xts-plain:sha1 cipher, so I had to enable aes and xts in the kernel crypto and sha1.

----------

## SnowCrashv5

I think essiv is my problem, I can't find it anywhere in the menuconfig

----------

## deathcon1

 *SnowCrashv5 wrote:*   

> I think essiv is my problem, I can't find it anywhere in the menuconfig

 

Menuconfig has a search feature, just type '\' (backslash) and it'll prompt you for what you're looking for.

----------

## SnowCrashv5

^

Good to know :), but I got it to mount without that. I was making a stupid mistake of rebuilding the kernel and not telling the machine to use the newly created one.

/walks off feeling amateur.

----------
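
Added example, not part of any post in this thread: a shell script for the two checks the thread ends up needing, frostschutz's point that aes-cbc-essiv:sha256 is a combination of separately enabled kernel options, and SnowCrashv5's finding that the machine was still booting the old kernel. The token-to-`CONFIG_CRYPTO_*` mapping, the sample `.config` and the release strings are constructed assumptions.

```shell
#!/bin/sh
# Added example; option mapping and sample data are assumptions, not from the thread.

# Print the kernel config symbols a dm-crypt cipher spec
# (cipher-mode-iv:ivhash, e.g. aes-cbc-essiv:sha256) depends on.
required_options() {
    echo CONFIG_BLK_DEV_DM
    echo CONFIG_DM_CRYPT
    # Split the spec on '-' and ':' into one token per line.
    echo "$1" | tr ':-' '\n\n' | while read -r tok; do
        case "$tok" in
            # IV generators are part of dm-crypt itself on kernels of this era
            # (kernels from 5.4 on have a separate CONFIG_CRYPTO_ESSIV).
            essiv|plain|plain64|"") ;;
            *) echo "CONFIG_CRYPTO_$(echo "$tok" | tr 'a-z' 'A-Z')" ;;
        esac
    done
}

# Print every required option that is not built in (=y) or modular (=m)
# in the given kernel .config file.
missing_options() {
    required_options "$1" | while read -r opt; do
        grep -Eq "^${opt}=(y|m)\$" "$2" || echo "$opt"
    done
}

# Succeed only if the running release equals the release of the tree just built.
same_kernel() { [ "$1" = "$2" ]; }

# Constructed sample .config: AES and CBC enabled, SHA256 left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CBC=y
# CONFIG_CRYPTO_SHA256 is not set
EOF
echo "missing for aes-cbc-essiv:sha256:"
missing_options aes-cbc-essiv:sha256 "$sample"
# Constructed release strings standing in for `uname -r` and the built tree.
same_kernel "2.6.24-old" "2.6.25-new" || echo "running kernel is not the one just built"
rm -f "$sample"
```

On a real system, pass `/usr/src/linux/.config` as the config file and compare `uname -r` against `make -s kernelrelease` run in the built tree. An empty result from `missing_options` combined with a kernel mismatch is exactly the situation in this thread: the options were enabled, but in a kernel that was never booted.

----------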

## frostschutz

 *deathcon1 wrote:*   

>  *SnowCrashv5 wrote:*   I think essiv is my problem, I can't find it anywhere in the menuconfig 
> 
> Menuconfig has a search feature, just type '\' (backslash) and it'll prompt you for what you're looking for.

 

Searching is usually / or, in GUIs, alt/ctrl-F/S (alt or control + find or search), not a backslash.

----------

## Napalm Llama

 *SnowCrashv5 wrote:*   

> /walks off feeling amateur.

 

Heh, don't worry - you can stop being a newbie but you never stop making silly mistakes now and then (or at least I don't) :)

Glad to hear you got it sorted - could you add [SOLVED] to the subject line of your original post please?

----------

