TODO - tested and working, though my most recent Lubuntu experimentation has problems I'm still troubleshooting.
At best, my computer hangs when prompting for a password. I think this is related to the 4.4.14 kernel but have not confirmed this.
dm-crypt
https://gitlab.com/cryptsetup/cryptsetup
https://www.fsl.cs.sunysb.edu/docs/cryptfs/cryptfs.html
These instructions are a lot easier than they seem, and a smart and patient beginner will be able to follow them!
- These notes were made from instructions from Slackware "current", as of 2016-11-05, and have been tested on Slackware 14.2 and 14.2 32-bit.
- These notes were made on an everyday system with one hard drive which I completely formatted for this purpose.
- If you are a new user, it is strongly recommended that you remove all hard drives you're using and do this on a spare unused/empty drive.
- This concept and these notes build a full-disk Slackware installation which also uses LVM. You can safely ignore the entire LVM post and just follow this one.
- Thanks to README_CRYPT.TXT (in current) section "Combining LUKS and LVM"
- author's old dm-crypt page
- mailing list
TODO - Confirm if filenames are encrypted.
Before we begin

- I refer to my experimental drive as /dev/sdx. In my usage, I had /dev/sda because I only had one drive.
- You can double-check what you have with ls /dev/sd*.
- intermediate: Be absolutely certain you differentiate it from a USB stick. You must not get this wrong. Perhaps you should mount it somewhere and look at its contents to verify it.
- I refer to the main two partitions I use as /dev/sdx1 and /dev/sdx2. Modify these instructions accordingly based on what your /dev/sdx becomes.
These instructions can be easily modified to have this encrypted Slackware setup happily coexist with existing operating systems. Partitioning is straightforward, and the Slackware setup sees and automatically configures LILO to boot Windows, and LILO is very easy to hand-edit as needed.
If you insist on using a drive which has data, or booting into a system that has another drive that has data which you're too stubborn to disconnect, always back up your data before experimenting like this. Also double-check that all your data is being backed up properly and also that you definitely know how to access and restore that data.
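Before anything is written to the drive with dd or luksFormat, the "is this really the right disk and not my USB stick" check above is worth having in script form. This is an added example, not part of the original notes or of Slackware: it reads the kernel's sysfs entries and /proc/mounts, and the SYSFS and MOUNTS variables are assumptions that exist only so the check can be pointed at a constructed tree for testing.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check the disk you are
# about to call /dev/sdx before any dd or luksFormat touches it.
# SYSFS and MOUNTS default to the real kernel files; a test can override them.
SYSFS=${SYSFS:-/sys}
MOUNTS=${MOUNTS:-/proc/mounts}

# check_target_disk sda
# Prints a verdict and returns 0 only when the device exists, is not a
# removable device (USB stick, card reader) and none of its partitions is mounted.
check_target_disk() {
    name=$1
    dev=/dev/$name
    if [ ! -d "$SYSFS/block/$name" ]; then
        echo "$dev: no such block device"
        return 1
    fi
    # /sys/block/<dev>/removable is 1 for USB sticks and other hot-pluggable media
    if [ "$(cat "$SYSFS/block/$name/removable")" != "0" ]; then
        echo "$dev: REMOVABLE device, refusing (is this your USB stick?)"
        return 1
    fi
    # size is given in 512-byte sectors; convert to GiB to compare with the drive label
    sectors=$(cat "$SYSFS/block/$name/size")
    gib=$((sectors / 2097152))
    # anything on this disk that is currently mounted means it is in use, not spare
    if grep -q "^$dev" "$MOUNTS"; then
        echo "$dev (${gib} GiB): has mounted partitions, unmount them first"
        return 1
    fi
    echo "$dev (${gib} GiB): fixed disk, nothing mounted, looks like a valid target"
    return 0
}
```

Run it as `check_target_disk sdx` with your candidate drive name before substituting that name into the rest of these instructions.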
intermediate: Partitioning

- For drives 2TB and under, you can use fdisk, but I prefer cfdisk.
- For hard drives over 2TB, you can use gdisk, but I prefer cgdisk.
Instructions have not been given here for how to use these tools. Sorry, beginners, you will have to look elsewhere for their usage.
Small unencrypted partition

Making the unencrypted /boot.
TODO - reproduce and use the correct lingo.
- Create a small unencrypted partition (~100 MB). In this documentation we are calling it /dev/sdx1.
- If a small empty partition is automatically created at the beginning of your disk, ignore it.
- intermediate: It is created for "partition alignment". It is recommended you leave it alone and don't try to use it.
- advanced: Partition Alignment has my (very) rough notes on this topic.
- fdisk/cfdisk will suggest you mark this as type 82 (Linux data).
- With gdisk/cgdisk you will need to mark this as type 8200 (Linux data). TODO - confirm
- You do not need to format this partition at this time. This will be done for you during the setup process.
Large to-be-encrypted partition

Creating your "everything" large partition. This will become the encrypted LVM Volume Group.

- Create a second large partition. In my testing I used the rest of the available space. In this documentation we are calling it /dev/sdx2.
- For fdisk/cfdisk, set this partition's type to 8e (Linux LVM).
- For gdisk/cgdisk, set this partition's type to 8e00 (Linux LVM).
- You do not need to format this partition at this time. This will be done for you during the setup process.
Encryption

Preparation

Making /dev/sdx2 an encrypted partition.
- Initialize /dev/sdx2 with random data. It does take time.
- Although this step can be skipped, it is highly recommended, for security reasons.

partition=/dev/sdx2
# Fills the whole partition; dd ends with "No space left on device", which is expected here.
# bs=4M only makes it faster than the default 512-byte blocks.
dd if=/dev/urandom of=$partition bs=4M
You could mount it and do something like cat /dev/urandom >> file.random, which is a resumable way of filling the drive with random data.

As I understand it, /dev/random would be better, but just isn't practical. Boy is it slow. I mean slow.

Setup
Setting up the encryption on the data partition.
partition=/dev/sdx2
# -s 256: 256-bit key; -y: asks for the passphrase twice to catch typos.
# This destroys whatever is on $partition.
cryptsetup -s 256 -y luksFormat $partition
Unlocking
Unlocking the data partition.
partition=/dev/sdx2
# After the passphrase is accepted the plaintext view appears as /dev/mapper/slackluks
cryptsetup luksOpen $partition slackluks
The above command is something you'll have to remember or write down if you ever want to manually unlock your partition.
LVM

Setup
Setting up LVM to create targets for your various mountpoints.
This is done in the usual way.
Here is a suggested layout:
physical_volume=/dev/mapper/slackluks
volume_group=cryptvg
pvcreate $physical_volume                    # the unlocked LUKS mapping is the physical volume
vgcreate $volume_group $physical_volume      # one volume group (cryptvg) on top of it
lvcreate -L 15G -n root $volume_group
lvcreate -L 4G -n home $volume_group
lvcreate -L 4G -n swap $volume_group
lvcreate -l 100%FREE -n data $volume_group   # whatever space is left
mkswap /dev/$volume_group/swap
More advanced users might make targets for /usr, /etc and perhaps /var.

The size of the swap partition is debatable, but the "double your RAM size" rule is false.
- 4GB of RAM and under would be fine with 2GB of swap.
- Over 4GB would be fine with 4GB of swap.
A swap is only relevant if you use a lot of your memory, and most Linux computers don't even come close. It's still a good idea to have it, just in case.
Hibernation (suspend to disk) may have specific requirements, but I don't know enough to advise.
I've read that a swap file (not partition) is not supported on Btrfs but I haven't confirmed that.
Mounting/Using

This is done automatically by Slackware's setup.

TODO - how do I do this manually?

Slackware's setup
FIXME - exactly describe these steps
- Run Slackware's setup.
- Swap: select swap.
- Select your mount points.
- Manually assign /dev/sdx1 for /boot and format it ext4.
- root for /
- home for /home
- data mounted perhaps at /data
- Don't touch any other entry, like /dev/mapper/*.
The Slackware wiki says: "Whilst LILO works well with any file system format that is compatible with the FIBMAP ioctl (required to map files to block numbers), you are likely to have issues when /boot is located on XFS, Btrfs or Nilfs2. You can avoid this by making an ext2 /boot partition or using a different bootloader." and so I would recommend using ext4 for this to-be-unencrypted partition.
- Complete Slackware's packages installation.
- Continue on to the liloconfig dialog. FIXME - these instructions need reproducing
- Install lilo to the MBR. Choose "expert lilo configuration" with the option "Install to Master Boot Record (MBR)".
- Assign the partition /dev/sdx1 to a /boot filesystem.
- Select /dev/cryptvg/root as the root partition to boot.
- You may see an error message stating that the "installation failed". Ignore this in this step. It may say something like:
  Warning: "/proc/partitions' does not match '/dev' directory structure. Name change: '/dev/dm-0' -> '/dev/mapper/cryptroot' Warning: Name change: ... etc.
  FIXME - exactly quote the message I get.
- Complete your use of Slackware's setup, but do not reboot yet!
chroot

chroot /mnt

TODO - Slackware 12.0 has errata which use bindpoints. Are these necessary? This is if "Fatal: Illegal 'root' specification: /dev/mapper/cryptroot" is seen.
mkinitrd

Learning about your system
Remember that you are still in a chroot.
For the following mkinitrd command, you can get the relevant information from:
/usr/share/mkinitrd/mkinitrd_command_generator.sh -r
An example of output is:
mkinitrd -c -k 4.4.14-smp -m ext4 -f ext4 -r /dev/cryptvg/root -C /dev/sdx2 -L -h /dev/cryptvg/swap
TODO - exactly quote from my attempt.
The resulting output should be double-checked with the following instructions:
mkinitrd script
Remember that you are still in a chroot.
The script will look something like:
#!/bin/sh
filesystem=ext4          # Or perhaps you use btrfs
kernel='4.4.14-smp'      # The default Slackware 14.2 SMP kernel
volume_group=cryptvg
# language_code='-l nl'  # A Dutch-language keyboard.
mkinitrd \
  -c \                               # start from a clean initrd tree
  -k $kernel \                       # kernel version whose modules go into the initrd
  -m $filesystem \                   # module(s) to load, here the root filesystem driver
  -f $filesystem \                   # filesystem type of the root device
  -r /dev/$volume_group/root \       # the root logical volume
  -C /dev/sdx2 \                     # the LUKS partition to unlock at boot
  -L \                               # include LVM support
  -h /dev/$volume_group/swap \       # resume (hibernation) device
  $language_code
intermediate: As the above is a complex script, you should save it into a file, mark it executable and place it in your /mnt. This way you can access it from within your chroot.
If you use a non-US keyboard, append your language code with -l <code>. That's an l as in "ell".
e.g. the Dutch (nl) keyboard would append -l nl to the mkinitrd command.
Configure LILO

Remember that you are still in a chroot.
- Edit /etc/lilo.conf
- Look for "Linux bootable partition config"
- Add a line for the initrd.
- Change the filename of the kernel to be used. We will need to use a generic kernel.
- If you aren't sure what to put here, you can run /usr/share/mkinitrd/mkinitrd_command_generator.sh -r to get the string. (intermediate: You can also ls --color /boot)

TODO - exactly quote this block of text and provide my entire lilo.conf.

It should look somewhat like this:

image = /boot/vmlinuz-generic-smp-4.4.14-smp
  initrd = /boot/initrd.gz
  root = /dev/cryptvg/root
  label = Linux
  append = "vt.default_utf8=0 resume=/dev/cryptvg/swap"
  read-only
- When satisfied, save the changes to this file.
- intermediate: In vi you would press escape then :wq
- Run lilo
- Lilo will issue a couple of warnings concerning a difference in what /proc/partitions reports and what lilo thinks are available partitions, but it is safe to ignore these.

TODO - exactly quote the warning I get
We also need to change the kernel file to a generic kernel, because LILO is unable to combine the 'huge' kernels in Slackware 14.2 with an initrd image - it will complain if you try a 'huge' kernel:
Warning: The initial RAM disk is too big to fit between the kernel and the 15M-16M memory hole. It will be loaded in the highest memory as though the configuration file specified "large-memory" and it will be assumed that the BIOS supports memory moves above 16M.
When you use an initrd file for your box (a requirement for installing Slackware to LVM or LUKS partitions) you will notice that there is a maximum to the size of the kernel you use with it.
The 'huge' kernels are not meant for day-to-day use anyway. They are meant to install Slackware on a wide range of computers and that is why they are 'huge'. Either you compile your own custom kernel, or use one of the generic kernels with an initrd.
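As an added example (not from the original notes or from Slackware), a small check to run inside the chroot before lilo: it reads the image, initrd and root lines of the lilo.conf entry above, confirms the kernel and initrd files exist under /boot, and refuses a 'huge' kernel for the reason just quoted. BOOT and CONF are assumed variables so the same check can run against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the original notes): verify the LILO entry for the
# LUKS/LVM root before running lilo. BOOT and CONF default to the real paths.
BOOT=${BOOT:-/boot}
CONF=${CONF:-/etc/lilo.conf}

# value_of KEY: value of the first "KEY = value" line in lilo.conf
value_of() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$CONF" | head -n 1
}

# check_lilo_entry: returns 0 when the image and initrd exist under $BOOT, an
# initrd and root line are present and the image is not a 'huge' kernel.
# Every problem found is printed on its own line.
check_lilo_entry() {
    status=0
    image=$(value_of image)
    initrd=$(value_of initrd)
    root=$(value_of root)
    # lilo.conf uses absolute /boot/... paths; map them onto $BOOT for the file test
    [ -f "$BOOT/${image#/boot/}" ] || { echo "image not found: $image"; status=1; }
    [ -n "$initrd" ] || { echo "no initrd line: a LUKS/LVM root cannot boot without one"; status=1; }
    [ -z "$initrd" ] || [ -f "$BOOT/${initrd#/boot/}" ] || { echo "initrd not found: $initrd"; status=1; }
    [ -n "$root" ] || { echo "no root line"; status=1; }
    case $image in
        *huge*) echo "huge kernel ($image) cannot be combined with an initrd, use a generic one"; status=1 ;;
    esac
    return $status
}
```

Inside the chroot just call `check_lilo_entry` and run lilo only when it prints nothing.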
Exit the chroot
exit
Completion

- Reboot by typing reboot. Be patient, as this may take several seconds.
- You will be presented with a "Enter passphrase: " prompt.
- This is where my computer always freezes.
- After entering the passphrase which unlocks your encrypted partition, the system will boot into Slackware. You will be able to work as usual, and when you shut the machine down (or suspend to disk using the swap partition) all your data (including swap) will be encrypted when stored on disk.
You are done!
Usage and troubleshooting

Mount/Unmount

dm-crypt--01-unlock.sh
dm-crypt--02-lock.sh
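The two scripts named above are not reproduced on this page, so here is an added example of the manual unlock and lock sequence for the layout built in these notes; it also answers the "how do I do this manually?" question under Mounting/Using. This is my own illustration, not the page's scripts: the names slackluks and cryptvg, the logical volumes root/home/data/swap and the /mnt mount point come from the instructions above, and DRY_RUN is an assumed switch that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the page's dm-crypt--01-unlock.sh / dm-crypt--02-lock.sh:
# manual unlock and lock of /dev/sdx2 -> slackluks -> volume group cryptvg.
# Usage: ./this.sh unlock | ./this.sh lock   (DRY_RUN=1 prints instead of running)
PARTITION=${PARTITION:-/dev/sdx2}
MAPPER=${MAPPER:-slackluks}
VG=${VG:-cryptvg}
TARGET=${TARGET:-/mnt}       # where the volumes are mounted while unlocked
DRY_RUN=${DRY_RUN:-0}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# unlock: open the LUKS container, activate the volume group, mount root first
# and then home and data under it ($TARGET/home only exists once root is mounted).
unlock() {
    run cryptsetup luksOpen "$PARTITION" "$MAPPER" || return 1
    run vgchange -ay "$VG" || return 1
    run mount "/dev/$VG/root" "$TARGET" || return 1
    run mount "/dev/$VG/home" "$TARGET/home" || return 1
    run mount "/dev/$VG/data" "$TARGET/data" || return 1
    run swapon "/dev/$VG/swap"
}

# lock: the exact reverse. vgchange -an must succeed before luksClose, otherwise
# the mapping is still in use and cryptsetup refuses to close it.
lock() {
    run swapoff "/dev/$VG/swap"
    run umount "$TARGET/data" || return 1
    run umount "$TARGET/home" || return 1
    run umount "$TARGET" || return 1
    run vgchange -an "$VG" || return 1
    run cryptsetup luksClose "$MAPPER"
}

case "${1:-}" in
    unlock) unlock ;;
    lock) lock ;;
esac
```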
Notes

TODO - USB keyboards
TODO - While I presume this is included in the default kernel used in this page's example, I think maybe this is the problem I've had all along!
If you have set up an encrypted root partition, you will need to have access to your keyboard in order to type the passphrase. This may require you to add the 'uhci-hcd' and 'usbhid' modules to your initrd image if you have a USB keyboard.
Custom kernels

If you want to compile your own custom kernel to work with LUKS encrypted partitions, you need to enable at least the following two options in your kernel configuration:

Multiple devices driver support (RAID and LVM) --->
  <*> Device mapper support
  <*> Crypt target support

This is equivalent to the following options in your .config file:

CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=y

Do not compile these as modules! They are required in your kernel.
Hide the encrypted volume appearing on desktops

You probably will not want your encrypted volume to appear on the desktop of e.g. KDE or Xfce as a mountable device, so something like this should prevent that from occurring:

# cat /etc/udev/rules.d/99-ignore-luksdevs-on-desktop.rules
KERNEL=="sdx2", ENV{UDISKS_IGNORE}="1"
Additional passphrases, and keyfiles
http://ftp.slackware.com/pub/slackware/slackware-current/README_CRYPT.TXT
under "Additional passphrases, keyfiles"
Last updated 2022-06-05 at 18:43:26