Re: [gentoo-user] Re: Full system encryption on Gentoo

2016-01-10 Thread Markus Kaindl
Am Donnerstag, 31. Dezember 2015, 00:15:33 schrieb Jeremi Piotrowski:
> This will lead to you having to enter the password
> twice - once when grub starts and once when the initramfs is setting up /.

If, and ONLY if, your /boot is inside your LUKS-encrypted volume, you can also 
add a keyfile for your LUKS volume (I used another keyslot for that, but you 
can also use the password you use for manual unlocking..) to your crypttab 
and your dracut initrd:

% cat /etc/crypttab
mySSD.crypt   UUID=2850e418-f325-47b6-b42b-82a60055a0c6   /root/mySSD.lukskey   discard,luks

crypttab format: (Name   Path/Spec   /path/to/key   options) (see man 5 
crypttab)

% cat /etc/dracut.conf.d/luks.conf 
install_items+="/etc/crypttab /root/mySSD.lukskey"

Check whether the permissions of your initrd are safe, aka only readable by root; 
dracut automatically sets them to 600 and root:root here, but better safe than 
sorry..

With that setup you do not need to enter the password twice, because your 
initrd is able to open the LUKS device with the keyfile.
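The checks Markus describes (is /boot really inside the encrypted volume, are the keyfile and the generated initrd readable by root only, does crypttab parse), written up as an added example; this is not code from the post. It assumes GNU coreutils `stat`, util-linux `findmnt`/`lsblk` and the paths from the post (`/etc/crypttab`, `/root/mySSD.lukskey`, `/boot/initramfs-*.img`), which are placeholders on any other system.

```shell
#!/bin/sh
# Added example, not from Markus's post: pre-flight checks before letting
# dracut ship a LUKS keyfile inside the initrd as described above. Paths
# (/etc/crypttab, /root/mySSD.lukskey, /boot/initramfs-*.img) follow the
# post or are placeholders for a real system.

# perms_private MODE: succeed when an octal mode string ("600", "0400")
# grants nothing to group or other; the owner bits may be anything.
perms_private() {
    case "$1" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# file_private PATH [UID]: succeed when PATH exists, is owned by the numeric
# UID (default 0, root) and has no group/other bits. stat -c is GNU coreutils.
file_private() {
    path=$1; want=${2:-0}
    [ -e "$path" ] || return 1
    set -- $(stat -c '%a %u' "$path")
    [ "$2" = "$want" ] && perms_private "$1"
}

# crypttab_keyfiles FILE: print the key file path (third field) of every
# entry that has one; "none" and "-" mean a passphrase, not a file.
crypttab_keyfiles() {
    while read -r name spec key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$key" in ''|none|-) ;; *) printf '%s\n' "$key" ;; esac
    done < "$1"
}

# crypttab_valid FILE: succeed when every non-comment line has at least the
# mapper name and the device spec; key and options are optional per
# crypttab(5).
crypttab_valid() {
    while read -r name spec key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        [ -n "$spec" ] || return 1
    done < "$1"
}

# boot_on_dm_crypt: succeed only when /boot lives on (or under) a dm-crypt
# mapping, i.e. a keyfile copied into the initrd is itself encrypted at
# rest. Walks the device stack upwards so LVM-on-LUKS counts too.
boot_on_dm_crypt() {
    dev=$(findmnt -n -o SOURCE --target /boot 2>/dev/null) || return 1
    lsblk -s -n -o TYPE "$dev" 2>/dev/null | grep -qw crypt
}

# check_all: run as root after editing /etc/crypttab and the dracut
# luks.conf, before `dracut --regenerate-all`.
check_all() {
    boot_on_dm_crypt || { echo "/boot is not on dm-crypt: do not embed a keyfile" >&2; return 1; }
    crypttab_valid /etc/crypttab || { echo "malformed /etc/crypttab" >&2; return 1; }
    for k in $(crypttab_keyfiles /etc/crypttab); do
        file_private "$k" || { echo "keyfile $k is not root-only" >&2; return 1; }
    done
    for img in /boot/initramfs-*.img; do
        [ -e "$img" ] || continue
        file_private "$img" || { echo "initrd $img is readable by others" >&2; return 1; }
    done
}
```

`boot_on_dm_crypt` is the check that matters most: if /boot (and therefore the initrd) sits on an unencrypted partition, the keyfile inside it is readable by anyone with the disk, and the whole point of the passphrase is lost.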



[gentoo-user] Re: Full system encryption on Gentoo

2015-12-31 Thread James
Jeremi Piotrowski  gmail.com> writes:


> On Thu, Dec 31, 2015 at 02:49:42PM +0100, Jeremi Piotrowski wrote:
> > I just tried the steps and indeed I forgot to mention a couple
> > of things.

> And one more: don't format the full disk as luks, because there won't be
> any space for grub and grub2-install will error out. Make a single
> partition (default should be offset 2048 sectors from the beginning of the
> disk) which leaves plenty of space for grub's bootstrap, and format that
> as luks.


It would be fantastic if this thread and other updated and relevant
information made its way to the Gentoo wiki. My specific interest is
similar, but for minimized or embedded Gentoo on other hardware platforms
(arm64 and other 64-bit chips).


Also, here is a linux kernel (not a fork?) that has piqued my curiosity,
as I try to ascertain the implications that are relevant to gentoo ::

http://www.zdnet.com/article/matthew-garrett-is-not-forking-linux/


Forking of the linux kernel for specific needs has not been necessary in the
past, as one would just not choose to use specific features, by natural
selection. But now it seems even some of the lkm devs are asserting that
forking to add new/test/biased code to the linux kernel sources presents a
very interesting and viable pathway for tightly focused development of
kernel sources. I think others will soon find this an interesting approach
for BoFs to collect around cleaner kernel sources which are more focused on
the needs of a sub-group. As systemd and cluster code both progress at a
rapid pace, there are tons of conflicts related to performance enhancements
and lowest-level allocation/control of resources that are creating a need for
linux kernel forks. Some folks in the High Performance Computing communities
are already doing so, privately. I have been personally notified by one such
group that they are going to 'open source' their work, in detail, hopefully
early 2016, but as soon as practical. Speed-optimized, dynamic cluster
formation and 100% encrypt-able platforms seem to be converging, imho.


hth,
James


Re: [gentoo-user] Re: Full system encryption on Gentoo

2015-12-31 Thread Jeremi Piotrowski
On Thu, Dec 31, 2015 at 02:49:42PM +0100, Jeremi Piotrowski wrote:
> I just tried the steps and indeed I forgot to mention a couple of things.

And one more: don't format the full disk as luks, because there won't be
any space for grub and grub2-install will error out. Make a single
partition (default should be offset 2048 sectors from the beginning of the
disk) which leaves plenty of space for grub's bootstrap, and format that
as luks.
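A pre-flight check for the point above, added here as an example rather than taken from the post: before `grub2-install`, confirm the disk has a partition table at all and that the first partition leaves the post-MBR gap for grub's core image. It parses the text `sfdisk -d` prints (util-linux); `/dev/DEVICE` in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the post: check a partition layout before running
# grub2-install, using the text that `sfdisk -d DEVICE` prints. A disk that
# was formatted as LUKS directly has no partition table, so the check fails,
# which is exactly the case the post warns about.

# disk_leaves_grub_room DUMP_FILE: succeed when the sfdisk dump lists at
# least one partition and every partition starts at or after sector 2048
# (1 MiB with 512-byte sectors), i.e. the default gap grub embeds its
# core image into is intact.
disk_leaves_grub_room() {
    awk '
        /^unit:/ && $2 != "sectors" { bad = 1 }
        /^\/dev\/[^ ]+ *: *start=/ {
            n++
            s = $0
            sub(/.*start= */, "", s)   # drop everything before the number
            sub(/,.*/, "", s)          # drop everything after it
            if (s + 0 < 2048) bad = 1
        }
        END { exit (n == 0 || bad) ? 1 : 0 }
    ' "$1"
}

# Usage on a real machine (DEVICE is a placeholder):
#   sfdisk -d /dev/DEVICE > /tmp/layout && disk_leaves_grub_room /tmp/layout
```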



Re: [gentoo-user] Re: Full system encryption on Gentoo

2015-12-31 Thread Jeremi Piotrowski
On Thu, Dec 31, 2015 at 10:38:45AM +1000, Hans wrote:
> I have a working VM with Gentoo on LVM on top of LUKS. Works fine in 
> change root, just can't get it to boot. Probably somewhere missed 
> something. Will start from scratch using your 10 steps with dracut 
> instead of genkernel.

I just tried the steps and indeed I forgot to mention a couple of things.

You should generate the initramfs with dracut before you run
grub2-mkconfig - that way grub will find the initramfs.

The other issue is that of naming the root partition on the kernel
cmdline. When you open the luks partition using `cryptsetup open` you
give it a device-mapper name. In some cases grub will save this name in
grub.cfg. So grub's kernel cmdline would contain e.g.

root=/dev/mapper/crypto

dracut will by default open the luks partition with a name of the form
luks-. This mismatch will prevent root from mounting.

To overcome this and guarantee a predictable name add an /etc/crypttab
entry of the form

 UUID=

then generate the initramfs with dracut again, and it will copy this file
and use it to name the luks partition upon opening. Just make sure you use
the same name during installation and in crypttab - this is not mandatory
but it makes things easier.

However, sometimes grub will generate a cmdline entry of the form
`root=UUID=` if it finds an initramfs which will prevent this issue.
Also remember that there are two things: the uuid of the encrypted luks
partition (this needs to go in crypttab), and the uuid of the decrypted
partition inside luks (this needs to go in fstab and the root cmdline).

Just make sure everything is consistent.
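The "make sure everything is consistent" step, as an added example (not code from the post): it cross-checks the three places Jeremi names, the mapper name in /etc/crypttab, the `root=` value in grub.cfg and the UUID in /etc/fstab, and also catches the two-UUID mix-up he describes (LUKS container UUID in crypttab versus filesystem UUID in fstab). All functions take file paths so they can be run against copies; the UUIDs in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from Jeremi's post: cross-check the names and UUIDs that
# the post says must agree across /etc/crypttab, /etc/fstab and grub.cfg.
# Every function takes file paths, so it can be run on copies; the UUIDs in
# the usage comment are constructed placeholders.

# grub_root_args GRUBCFG: print each distinct root=... value on the
# linux/linux16/linuxefi lines.
grub_root_args() {
    grep -E '^[[:space:]]*linux(16|efi)?[[:space:]]' "$1" |
        tr -s '[:space:]' '\n' | sed -n 's/^root=//p' | sort -u
}

# crypttab_names CRYPTTAB: print the device-mapper name (first field) of
# every entry; dracut opens the LUKS device under this name.
crypttab_names() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# fstab_root_spec FSTAB: print the spec of the / entry (UUID= of the
# filesystem *inside* LUKS, not of the LUKS container).
fstab_root_spec() {
    awk '!/^[[:space:]]*(#|$)/ && $2 == "/" { print $1 }' "$1"
}

# root_consistent CRYPTTAB FSTAB GRUBCFG: succeed when every root= that
# grub passes to the kernel is either /dev/mapper/<crypttab name> or the
# same spec fstab uses for /, so initramfs and grub agree on the name.
root_consistent() {
    ct=$1; fs=$2; gc=$3
    fsroot=$(fstab_root_spec "$fs")
    [ -n "$fsroot" ] || { echo "no / entry in $fs" >&2; return 1; }
    [ -n "$(grub_root_args "$gc")" ] || { echo "no root= in $gc" >&2; return 1; }
    for r in $(grub_root_args "$gc"); do
        ok=0
        [ "$r" = "$fsroot" ] && ok=1
        for n in $(crypttab_names "$ct"); do
            [ "$r" = "/dev/mapper/$n" ] && ok=1
        done
        [ "$ok" = 1 ] || { echo "grub root=$r matches neither crypttab nor fstab" >&2; return 1; }
    done
    return 0
}

# uuids_distinct CRYPTTAB FSTAB: the LUKS container UUID (crypttab) and the
# filesystem UUID (fstab) belong to different layers and can never be
# equal; a match means one of the files names the wrong layer.
uuids_distinct() {
    fsroot=$(fstab_root_spec "$2")
    for u in $(awk '!/^[[:space:]]*(#|$)/ { print $2 }' "$1"); do
        [ "$u" = "$fsroot" ] && return 1
    done
    return 0
}

# Usage on the installed system (after grub2-mkconfig):
#   root_consistent /etc/crypttab /etc/fstab /boot/grub/grub.cfg &&
#   uuids_distinct /etc/crypttab /etc/fstab && echo consistent
```

A `root=/dev/mapper/luks-<uuid>` line generated by dracut's default naming fails `root_consistent` unless crypttab uses that same name, which is precisely the mismatch the post describes.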



[gentoo-user] Re: Full system encryption on Gentoo

2015-12-30 Thread Hans

On 31/12/15 09:15, Jeremi Piotrowski wrote:
> On Thu, Dec 31, 2015 at 07:45:29AM +1000, Hans wrote:
>> I can't follow Sakaki's_EFI_Install_Guide. The system will run in
>> VirtualBox and only have BIOS. No UEFI, EFI, USB stick as boot or key disk.
>
> You should still at least read the guide to figure out how to get the
> encryption part right. You can skip the USB stuff and fall back to BIOS
> equivalents of EFI concepts.
>
>> I just have to find a way to get the same result using Gentoo with
>> OpenRC and if possible without LVM.  Entering the pass phrase several
>> times is no problem.
>
> The steps are more or less the following:
>
> 1.  cryptsetup your whole device
> 2.  mkfs
> 3.  chroot
> 4.  install grub with device-mapper flag
> 5.  install dracut and cryptsetup.
> 6.  add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub
> 7.  grub2-install
> 8.  set 'hostonly="yes"' in /etc/dracut.conf OR add the output of
>     `dracut --print-cmdline` to GRUB_CMDLINE_LINUX_DEFAULT in
>     /etc/default/grub
> 9.  grub2-mkconfig -o /boot/grub/grub.cfg
> 10. dracut --regenerate-all
>
> Somewhere between step 3 and 10 you need to build the kernel with at least the
> dm_crypt module. This will lead to you having to enter the password twice -
> once when grub starts and once when the initramfs is setting up /.
>
> Check the arch wiki article on the topic [1] for more info, but don't
> blindly trust the boot loader part because that is specific to arch's
> initramfs generator.
>
> [1]: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system




I have a working VM with Gentoo on LVM on top of LUKS. Works fine in 
change root, just can't get it to boot. Probably somewhere missed 
something. Will start from scratch using your 10 steps with dracut 
instead of genkernel.


Have a nice New Year
Hans



[gentoo-user] Re: Full system encryption on Gentoo

2015-12-30 Thread Jeremi Piotrowski
On Thu, Dec 31, 2015 at 07:45:29AM +1000, Hans wrote:
> I can't follow Sakaki's_EFI_Install_Guide. The system will run in 
> VirtualBox and only have BIOS. No UEFI, EFI, USB stick as boot or key disk.

You should still at least read the guide to figure out how to get the
encryption part right. You can skip the USB stuff and fall back to BIOS
equivalents of EFI concepts.

> I just have to find a way to get the same result using Gentoo with 
> OpenRC and if possible without LVM.  Entering the pass phrase several 
> times is no problem.

The steps are more or less the following:

1.  cryptsetup your whole device
2.  mkfs
3.  chroot
4.  install grub with device-mapper flag
5.  install dracut and cryptsetup.
6.  add GRUB_ENABLE_CRYPTODISK=y to /etc/default/grub
7.  grub2-install
8.  set 'hostonly="yes"' in /etc/dracut.conf OR add the output of 
   `dracut --print-cmdline` to GRUB_CMDLINE_LINUX_DEFAULT in 
   /etc/default/grub
9.  grub2-mkconfig -o /boot/grub/grub.cfg
10. dracut --regenerate-all

Somewhere between step 3 and 10 you need to build the kernel with at least the
dm_crypt module. This will lead to you having to enter the password twice -
once when grub starts and once when the initramfs is setting up /.

Check the arch wiki article on the topic [1] for more info, but don't
blindly trust the boot loader part because that is specific to arch's
initramfs generator.

[1]: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
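Steps 6 and 8 of the list, plus the "at least the dm_crypt module" kernel check, as an added example (not code from the post or from Gentoo/dracut): the config edits are idempotent, so re-running them after a `dracut --print-cmdline` change does not duplicate lines or words. It assumes GNU sed/grep and the file paths the post names; `/usr/src/linux/.config` is assumed to be the kernel config in use.

```shell
#!/bin/sh
# Added example, not from the thread: the configuration edits from steps 6
# and 8 above, done idempotently, plus the kernel-config check the post asks
# for ("at least the dm_crypt module"). File paths are the ones named in
# the post; pass other paths to work on copies. GNU sed/grep assumed.

# set_kv FILE KEY VALUE: set KEY=VALUE in a shell-style config, replacing an
# existing assignment (commented out or not) or appending one. VALUE must
# not contain '|' or '&' (used as sed delimiter / backreference).
set_kv() {
    file=$1; key=$2; val=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key=.*|$key=$val|" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
}

# get_kv FILE KEY: print the (unquoted) value of the last KEY= line, or nothing.
get_kv() {
    sed -n -E "s/^[[:space:]]*$2=\"?([^\"]*)\"?[[:space:]]*$/\1/p" "$1" | tail -n1
}

# kernel_has_dm_crypt CONFIG: succeed when CONFIG_DM_CRYPT is built in or
# built as a module (dracut copies the module into the initramfs).
kernel_has_dm_crypt() {
    grep -Eq '^CONFIG_DM_CRYPT=(y|m)$' "$1"
}

# enable_cryptodisk GRUB_DEFAULT: step 6, let grub's core image unlock LUKS
# so /boot can live inside the encrypted volume.
enable_cryptodisk() {
    set_kv "$1" GRUB_ENABLE_CRYPTODISK y
}

# add_dracut_cmdline GRUB_DEFAULT CMDLINE: step 8 (second variant), merge the
# words of `dracut --print-cmdline` into GRUB_CMDLINE_LINUX_DEFAULT without
# duplicating words already present.
add_dracut_cmdline() {
    file=$1; extra=$2
    cur=$(get_kv "$file" GRUB_CMDLINE_LINUX_DEFAULT)
    for w in $extra; do
        case " $cur " in *" $w "*) ;; *) cur="$cur $w" ;; esac
    done
    cur=$(printf '%s' "$cur" | sed -E 's/^ +//; s/ +$//')
    set_kv "$file" GRUB_CMDLINE_LINUX_DEFAULT "\"$cur\""
}

# Usage (as root, inside the chroot, between steps 5 and 9):
#   kernel_has_dm_crypt /usr/src/linux/.config || echo "enable CONFIG_DM_CRYPT first"
#   enable_cryptodisk /etc/default/grub
#   add_dracut_cmdline /etc/default/grub "$(dracut --print-cmdline)"
#   grub2-mkconfig -o /boot/grub/grub.cfg && dracut --regenerate-all
```

Run `dracut --print-cmdline` only after the LUKS device and filesystem exist and are mounted the way the final system will mount them, since its output names those devices; the hostonly="yes" variant of step 8 avoids the copy step because the initramfs then embeds the same information itself.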



[gentoo-user] Re: Full system encryption on Gentoo

2015-12-30 Thread Hans
I can't follow Sakaki's_EFI_Install_Guide. The system will run in 
VirtualBox and only have BIOS. No UEFI, EFI, USB stick as boot or key disk.


OpenSuse 42.1 boots from an encrypted single LVM volume on an MSDOS drive, 
single partition, using grub2 as boot manager, and systemd.


I just have to find a way to get the same result using Gentoo with 
OpenRC and if possible without LVM.  Entering the pass phrase several 
times is no problem.


Hans


On 31/12/15 03:53, Roman Dobosz wrote:
> On Wed, 30 Dec 2015 07:34:52 +1000
> Hans  wrote:
>
>> Is it possible to fully encrypt a Gentoo system as can be done with
>> Fedora, Suse, Arch Linux, Debian and Ubuntu without using an unencrypted
>> USB boot stick or unencrypted /boot partition?
>>
>> If yes, where can I find instructions that really work on a BIOS only
>> box without UEFI, EFI, systemd using EXT4 file system?
>
> It's definitely possible - for both usb stick or ordinary boot
> partition, although it's not quite the same as in distros you've
> mentioned, since it requires either a custom-made initramfs or some
> utility which would make one for you (like dracut, genkernel etc).
>
> There are several guides which might be useful, just google for one.
> It doesn't have to be gentoo specific, since the install procedure is
> almost the same, the only difference is the choice of medium for
> booting up the encrypted system, bootloader and fstab configuration,
> partition layout (with/without lvm) and so on. One of the most
> comprehensive guides about the topic is Sakaki's EFI Install
> Guide [1]. Yeah, I know there is the word "EFI", but it doesn't matter -
> you can just skip the part with the efi partition and make your own
> pendrive (using syslinux) or create an unencrypted boot partition :)
>
> [1] https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide


[gentoo-user] Re: Full system encryption on Gentoo

2015-12-30 Thread Roman Dobosz
On Wed, 30 Dec 2015 07:34:52 +1000
Hans  wrote:

> Is it possible to fully encrypt a Gentoo system as can be done with 
> Fedora, Suse, Arch Linux, Debian and Ubuntu without using an unencrypted 
> USB boot stick or unencrypted /boot partition?
> 
> If yes, where can I find instructions that really work on a BIOS only 
> box without UEFI, EFI, systemd using EXT4 file system?

It's definitely possible - for both usb stick or ordinary boot
partition, although it's not quite the same as in distros you've
mentioned, since it requires either a custom-made initramfs or some
utility which would make one for you (like dracut, genkernel etc).

There are several guides which might be useful, just google for one.
It doesn't have to be gentoo specific, since the install procedure is
almost the same, the only difference is the choice of medium for
booting up the encrypted system, bootloader and fstab configuration,
partition layout (with/without lvm) and so on. One of the most
comprehensive guides about the topic is Sakaki's EFI Install
Guide [1]. Yeah, I know there is the word "EFI", but it doesn't matter -
you can just skip the part with the efi partition and make your own
pendrive (using syslinux) or create an unencrypted boot partition :)

[1] https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide

-- 
  -^-  _   something is grinding the emptiness:
   _ /O)_\//   Kohina - 4-Mat - Saturday - C64 (6581r4)
  (_(|__(_(_) grf. http://www.kohina.com