I use opensuse 11.3.

I have attached some notes which are a modification of those posted much
earlier on the opensuse website, which by the way don't work.

I'm using kernel 2.6.34.7-0.5-default. It can read and write to USB 3.
It is curious that the computer does boot, it just can't find the /,
swap, and /home directories.

Even with the USB 2, the system runs faster than the windows machines
(until it has to use swap).

It would be nice if the system could automatically select the right
driver even when the proprietary drivers are extant. But, I see no
difficulty in providing the option at boot time to select this or that.

Regarding hardware keylogging. Yes, on an unknown machine this could be
a problem.

-Don

On 02/28/2011 02:27 PM, Ted Smith wrote:
> On Mon, 2011-02-28 at 14:06 -0500, Don Schmadel wrote:
>> Anyone interested in helping with the remaining issues?
> 
> I have no interest in working with non-free software (the Nvidia
> drivers), but your setup is very interesting for me and I'd like to try
> to figure out how to get it to work on more "host" computers. 
> 
> Do you have any documentation for setting this up? What distro are you
> using?
> 
> Thanks,
> 
> - Ted Smith
ENCRYPT ROOT FILE SYSTEM

NOTE: Current system is:

/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0
/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part1
/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part2
/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part3
/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part4

#------------------------------------------------------------------------------
# Install OpenSUSE 11.1 from DVD
# ------------------------------------------------------------------------------
NOTE: wherever /dev/sda... appears, use /dev/disk/by-id/... instead. Sometimes
YaST doesn't offer the by-id option. In that case accept the dialog as is and
then reopen it with "Edit" to get the opportunity. Note that by-label doesn't
work, perhaps because the label is stored in the encrypted area and therefore
not available prior to decryption.

Partition Setup:
  + Custom Partitioning (for experts) (use device ID)
    - Delete all existent partitions
    - Create primary partition (sda1), ext3, 400 MB, 
        mount point '/boot', check make bootable (probably automatic for /boot)
    - Create primary partition (sda2), swap, 4 GB, 
        mount point '/swap'
    - Create primary partition (sda3), ext4, 40 GB, 
        mount point '/home', journal
    - Create extended partition <remaining>
    - Create primary partition (sda5), ext4, remaining GB, 
        mount point '/', journal


Boot: 
        Check only "Boot from partition" (select /dev/sda1)
        Check "write  generic code to MBR"

        Check settings in summary list afterward.

Software:
        rsync, gedit, locate, ddrescue, mc, default kernel (not desktop), 
        libpng12, fvwm, afterstep, pmount

Runtime: 2

Users: add myself: audio, cdrom, disk, floppy, haldaemon, pmount, lp, polkit user

Run update to get latest kernel. "mkinitrd" does not always work if it is 
updated after root encryption.


# ------------------------------------------------------------------------------
# backup boot files, i.e. initial ramdisk, etc.
# ------------------------------------------------------------------------------

mkdir /BACKUP
cp -ax /boot/* /BACKUP
mv /BACKUP /boot

# ------------------------------------------------------------------------------
# create an encrypted swap partition
# ------------------------------------------------------------------------------
NOTE: may be necessary:

        modprobe dm-mod
        modprobe dm-crypt
        modprobe aes
        modprobe sha256
        modprobe sha1

----------------------

swapoff /dev/disk/by-id/...2
dd_rescue /dev/urandom /dev/disk/by-id/...2
NOTE: Takes a long time so only do this for small partitions that can not 
easily be filled afterward.

cryptsetup -v --key-size 256 luksFormat /dev/disk/by-id/...2
cryptsetup -v luksDump /dev/disk/by-id/...2
cryptsetup -v luksOpen /dev/disk/by-id/...2 swap
mkswap /dev/mapper/swap
swapon /dev/mapper/swap

-----------------
NOTE: check with command "free"
---------------------
# ------------------------------------------------------------------------------
# create an encrypted file system for the new root partition
# ------------------------------------------------------------------------------
umount /dev/disk/by-id/...3

--------------
NOTE: instead of using:

dd_rescue /dev/urandom /dev/disk/by-id/...3

it's faster to just write dummy files into the partition later, after the system 
is set up, and then erase them. This should prevent watermarking.
--------------

cryptsetup -v --key-size 256 luksFormat /dev/disk/by-id/...3
cryptsetup luksDump /dev/disk/by-id/...3
cryptsetup luksOpen /dev/disk/by-id/...3 root
/sbin/mkfs.ext4 -O dir_index,resize_inode /dev/mapper/root
mkdir /mnt/root
mount /dev/mapper/root /mnt/root

--------------
NOTE: "cryptsetup luksClose /dev/disk/by-id/...3" (or root) to close
---------------
# ------------------------------------------------------------------------------
# copy files from old to new root partition
# ------------------------------------------------------------------------------

rsync -AHSXax / /mnt/root

--------------------
NOTE: use "rsync -AHSXax --delete / /mnt/root" if other stuff around.
------------------
# ------------------------------------------------------------------------------
# create an encrypted file system for the new home partition
# ------------------------------------------------------------------------------
umount /dev/disk/by-id/...4

--------------
NOTE: instead of using:

dd_rescue /dev/urandom /dev/disk/by-id/...4

it's faster to just write files into the partition later after the system is 
set up and then erase them.
--------------

cryptsetup -v --key-size 256 luksFormat /dev/disk/by-id/...4
cryptsetup luksDump /dev/disk/by-id/...4
cryptsetup luksOpen /dev/disk/by-id/...4 home
mkdir /mnt/home
mount /dev/mapper/home /mnt/home

--------------
NOTE:

cryptsetup luksClose /dev/disk/by-id/...4

or 

cryptsetup luksClose home

to close
---------------

# ------------------------------------------------------------------------------
# update /etc/fstab
# ------------------------------------------------------------------------------
cp /etc/fstab /etc/fstab.ORIG 
vi /etc/fstab 

NOTE: vi commands :w :q
---
/dev/mapper/swap     none                 swap      defaults              0 0
/dev/mapper/root     /                    ext3      acl,user_xattr        1 1
/dev/sda1            /boot                ext3      acl,user_xattr        1 2
/dev/sda4            /home                ext3      acl,user_xattr        1 2
proc                 /proc                proc      defaults              0 0
sysfs                /sys                 sysfs     noauto                0 0
debugfs              /sys/kernel/debug    debugfs   noauto                0 0
usbfs                /proc/bus/usb        usbfs     noauto                0 0
devpts               /dev/pts             devpts    mode=0620,gid=5       0 0
---
cp /etc/fstab /mnt/root/etc/

# ------------------------------------------------------------------------------
# edit /boot
# ------------------------------------------------------------------------------
mount /dev/sda1 /boot

NOTE: it is necessary to mount /boot whenever doing any updating that might 
involve the kernel.

cp initrd-2.6.34-12-default initrd-2.6.34-12-default_original

Use this copy in the original menu entry, as shown below.

Edit /boot/grub/menu.lst

###Don't change this comment - YaST2 identifier: Original name: linux###
title openSUSE 11.3 - 2.6.34-12 1stEncrypted
    root (hd0,0)
    kernel /vmlinuz-2.6.34-12-default root=/dev/mapper/root luks_root=/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part3 luks_swap=/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part2 luks="root swap" resume=/dev/mapper/swap splash=silent quiet showopts vga=0x31a
    initrd /initrd-2.6.34-12-default

###Don't change this comment - YaST2 identifier: Original name: linux###
title Desktop -- openSUSE 11.3 - 2.6.34-12
    root (hd0,0)
    kernel /vmlinuz-2.6.34-12-default root=/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part4 resume=/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part2 splash=silent quiet showopts vga=0x31a
    initrd /initrd-2.6.34-12-default_original

# ------------------------------------------------------------------------------
# create a new initial ram disk
# ------------------------------------------------------------------------------

mkinitrd -v -d /dev/mapper/root -f "dm luks"

---------------
NOTE: rename the initrd to "initrd-2.6.34-12-defaultEncrypted"
----------------
# ------------------------------------------------------------------------------
# reboot
# ------------------------------------------------------------------------------
# check that everything is working ... 
# free --> swap space
# suspend-to-disk
# ...
--------------
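Before rebooting it is worth cross-checking the new menu.lst entry against /etc/fstab: every /dev/mapper device that fstab mounts must have a luks_NAME= parameter and be named in the luks= list, otherwise the initrd never opens it and the system boots but cannot find /, swap or /home. The script below is an added example written for this page, not part of the original notes; the sample fstab and the two kernel lines are constructed from the entries above.

```shell
#!/bin/sh
# Added check, not from the original notes: confirm that a menu.lst kernel line
# opens every LUKS mapper that /etc/fstab mounts. With "mkinitrd -f 'dm luks'",
# each /dev/mapper/NAME in fstab needs a luks_NAME=<device> parameter and NAME
# must appear in the luks= list, written luks="a b c" (11.3) or luks=a,b,c (11.1).

# Usage: check_luks_cmdline FSTAB_FILE "KERNEL PARAMETERS"
# Returns 0 when every mapper is covered, 1 otherwise (and names the gaps).
check_luks_cmdline() {
    fstab=$1 cmdline=$2 rc=0
    # extract the luks= list, accepting both the quoted and the comma form
    case "$cmdline" in
        *'luks="'*) names=${cmdline#*luks=\"}; names=${names%%\"*} ;;
        *'luks='*)  names=${cmdline#*luks=}; names=${names%% *}
                    names=$(printf '%s' "$names" | tr ',' ' ') ;;
        *)          names='' ;;
    esac
    while read -r dev mnt rest; do
        case "$dev" in /dev/mapper/*) ;; *) continue ;; esac
        name=${dev#/dev/mapper/}
        case " $cmdline " in *" luks_$name="*) ;;
            *) echo "luks_$name=<device> missing (needed for $mnt)"; rc=1 ;;
        esac
        case " $names " in *" $name "*) ;;
            *) echo "$name not in the luks= list (needed for $mnt)"; rc=1 ;;
        esac
    done < "$fstab"
    return $rc
}

# Constructed sample fstab in the layout these notes end with: encrypted root,
# swap and home, /boot left as a plain partition.
SAMPLE_FSTAB=$(mktemp)
trap 'rm -f "$SAMPLE_FSTAB"' EXIT
cat > "$SAMPLE_FSTAB" <<'EOF'
/dev/mapper/swap   swap    swap   defaults         0 0
/dev/mapper/root   /       ext4   acl,user_xattr   1 1
/dev/sda1          /boot   ext3   acl,user_xattr   1 2
/dev/mapper/home   /home   ext4   acl,user_xattr   1 2
proc               /proc   proc   defaults         0 0
EOF

# Constructed kernel lines modelled on the menu.lst entries above: the first
# still lacks home (the intermediate "1stEncrypted" entry), the second has all.
CMDLINE_PARTIAL='root=/dev/mapper/root luks_root=/dev/sda3 luks_swap=/dev/sda2 luks="root swap" resume=/dev/mapper/swap splash=silent'
CMDLINE_FULL='root=/dev/mapper/root luks_root=/dev/sda3 luks_swap=/dev/sda2 luks_home=/dev/sda4 luks=root,swap,home resume=/dev/mapper/swap'
check_luks_cmdline "$SAMPLE_FSTAB" "$CMDLINE_FULL" && echo "full entry: ok"
check_luks_cmdline "$SAMPLE_FSTAB" "$CMDLINE_PARTIAL" || echo "partial entry: fix menu.lst before rebooting"
```

Run it against the real files with `check_luks_cmdline /etc/fstab "$(sed -n 's/^ *kernel [^ ]* //p' /boot/grub/menu.lst | head -1)"` after mounting /boot.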
# ------------------------------------------------------------------------------
# encrypt the 'home' partition (and delete the up to now original root partition)
# --> good luck, this is the point of no return ;-) 
# ------------------------------------------------------------------------------
umount /dev/sda4
dd_rescue /dev/urandom /dev/sda4
cryptsetup -v --key-size 256 luksFormat /dev/sda4
cryptsetup luksOpen /dev/sda4 home
/sbin/mkfs.ext4 -O dir_index,resize_inode /dev/mapper/home
mount /dev/mapper/home /home

# ------------------------------------------------------------------------------
# update /etc/fstab
# ------------------------------------------------------------------------------
emacs /etc/fstab 
---
/dev/mapper/swap     swap                 swap       defaults              0 0
/dev/mapper/root     /                    ext3       acl,user_xattr        1 1
/dev/sda1            /boot                ext3       acl,user_xattr        1 2
/dev/mapper/home     /home                ext3       acl,user_xattr        1 2
proc                 /proc                proc       defaults              0 0
sysfs                /sys                 sysfs      noauto                0 0
debugfs              /sys/kernel/debug    debugfs    noauto                0 0
usbfs                /proc/bus/usb        usbfs      noauto                0 0
devpts               /dev/pts             devpts     mode=0620,gid=5       0 0
---


# ------------------------------------------------------------------------------
# edit /boot
# ------------------------------------------------------------------------------

mount /boot

NOTE: It is necessary to "mount /boot" whenever doing any updating that might 
involve the kernel.

Edit /boot/grub/menu.lst

###Don't change this comment - YaST2 identifier: Original name: linux###
title openSUSE 11.3 - 2.6.34-12 encrypted
    root (hd0,0)
    kernel /vmlinuz-2.6.34-12-default root=/dev/mapper/root luks_root=/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part3 luks_swap=/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part2 luks_home=/dev/disk/by-id/usb-WD_My_Passport_070A_575837314132303935313434-0:0-part4 luks="root swap home" resume=/dev/mapper/swap splash=silent quiet showopts vga=0x31a
    initrd /initrd-2.6.34-12-default

# replace entries in '/boot/grub/menu.lst' by:
###Encrypted root###
title openSUSE 11.1 - encrypted
   root (hd0,0)
   kernel /vmlinuz-2.6.27.7-9-pae root=/dev/mapper/root luks_root=/dev/sda3 luks_swap=/dev/sda2 luks_home=/dev/sda4 luks=root,swap,home vga=0x317 resume=/dev/mapper/swap splash=silent showopts
   initrd /initrd-2.6.27.7-9-pae
###Encrypted root failsafe###
title Failsafe -- openSUSE 11.1 - encrypted
   root (hd0,0)
   kernel /vmlinuz-2.6.27.7-9-pae root=/dev/mapper/root luks_root=/dev/sda3 luks_swap=/dev/sda2 luks_home=/dev/sda4 luks=root,swap,home ide=nodma apm=off noresume nosmp maxcpus=0 edd=off powersaved=off nohz=off highres=off processor.max_cstate=1 x11failsafe vga=0x317 showopts
   initrd /initrd-2.6.27.7-9-pae


NOTE: if you change to a new drive enclosure, it is necessary to rename the 
drive partitions in device.map and menu.lst to the name delivered by the new 
enclosure. Find this new name by plugging the drive and enclosure into a 
working system and checking /dev/disk/by-id/...




# ------------------------------------------------------------------------------
# reboot and have fun ;-)
# ------------------------------------------------------------------------------
