sidux.com
Web Site, Forum, Wiki & Manual Suggestions - Wiki article about full disc encryption
capone - Jul 20, 2008 - 05:28 PM
Post subject: Wiki article about full disc encryption
Hello sidux leader and user,
security is a rather sensitive topic, so i feel its better to publish the article here first, before i link it to "System Administration - Installation".
Full disc encryption for your laptop with luks + using LVM2 (during installation)
If noone finds any big flaws or dangers to the concept i will link it to System Administration in a few days.
Steve` - Aug 04, 2008 - 08:32 PM
Post subject: Wiki article about full disc encryption
Hi,
first of all: I tried your HOWTO and what can I say? It works .... 
Now some notes ...
Code:
dd if=/dev/urandom of=/home/sidux/sda3Keyfile bs=1024 count=4
and
Code:
cryptsetup luksAddKey /dev/sda3 /home/sidux/Desktop/sda3Keyfile
You see the difference? (/home/sidux/... and /home/sidux/Desktop/....).
You create bootSda1 with
Code:
mkdir LVhome LVvar LVusr cryptRoot bootSda1
and copy the initrd to it with
Code:
mv /media/cryptRoot/boot/initrd.img /media/bootsda1/initrd.img-2.6.25-9,slh.1-sidux-686
but you do not mount /dev/sda1 to /media/bootsda1 in your HOWTO. You should add a mount line.
I think I have to add cryptdisks-early via rcconf. May that be possible?
The keyfile
Code:
mv /home/sidux/Desktop/sda3Keyfile /media/cryptRoot/root/
has wrong permissions.
It needs to be root:root with 0400 like this one:
Code:
-r-------- 1 root root 4096 4. Aug 20:43 /root/cryptkeyfile
For more information on this point have a look at the README.Debian.gz:
/usr/share/doc/cryptsetup/README.Debian.gz wrote:
3. Insecure mode/owner for keys
-------------------------------
Any key that is stored somewhere to be used with cryptsetup should have the
mode 400 (-r--------) and owner/group root. This way only root has permissions
to read the file. 'chown root.root keyfile' and 'chmod 400 keyfile' will do
the trick for you.
capone - Aug 05, 2008 - 12:40 AM
Post subject:
Thanks Steve!
The insecure file permissions are now fixed.
I will change the other bugs tomorrow.
H-Cl - Aug 05, 2008 - 06:38 AM
Post subject:
I think there are also some typos in the path of the keyfile, sometimes it's "/home/sidux/Desktop/", somtetimes it's "/home/sidux/".
Holger
Steve` - Aug 05, 2008 - 10:34 AM
Post subject:
H-Cl wrote:
I think there are also some typos in the path of the keyfile, sometimes it's "/home/sidux/Desktop/", somtetimes it's "/home/sidux/".
Yes, as I mentioned above 
Steve` - Oct 01, 2008 - 09:04 PM
Post subject:
This HOWTO works for me with Erebos but it does not work with Ourea.
I can enter the password for /dev/sda2, but /dev/sda3 is not loaded. I setup the keyfile and tried without a keyfile (just password) - it does not work.
Code:
/dev/sda1: clean, 37/76304 files, 42786/305200 blocks
fsck.ext3: No such file or directory while trying to open /dev/mapper/cryptVG-LVhome
It also does not work if I try it without lvm2 (only cryptsetup).
Any hints whats wrong here?
Steve` - Oct 02, 2008 - 03:25 AM
Post subject:
BTW: After boot fails I can enter the root password for maintainance mode. After that I'm able to enter:
Code:
cryptsetup luksOpen /dev/sda3 cryptSda3
vgscan
vgchange -a y
exit
and the boot process continues normally.
capone - Oct 02, 2008 - 08:14 AM
Post subject:
I will look into it as soon as possible.
gerd - Oct 03, 2008 - 10:25 PM
Post subject:
saw this thread after i opened a new hread. have the same problem.
http://www.sidux.com/PNphpBB2-viewtopic-t-12846.html
MasterOne - Oct 21, 2008 - 01:08 PM
Post subject:
FYI This installation method has been superseded by Installing sidux on an encrypted harddrive (full harddisk encryption - the Debian way).