Post subject: Wiki article about full disc encryption
Posted: Jul 20, 2008 - 05:28 PM
Joined: Oct 11, 2007
Posts: 33
Location: Germany, Franken
Status: Offline
Post subject: Wiki article about full disc encryption
Posted: Aug 04, 2008 - 08:32 PM
Joined: Jun 17, 2007
Posts: 522
Location: Buchholz i.d.N.
Status: Offline
Hi,
first of all: I tried your HOWTO and what can I say? It works ....
Now some notes ...
Code:
dd if=/dev/urandom of=/home/sidux/sda3Keyfile bs=1024 count=4
and
Code:
cryptsetup luksAddKey /dev/sda3 /home/sidux/Desktop/sda3Keyfile
You see the difference? (/home/sidux/... and /home/sidux/Desktop/....).
You create bootSda1 with
Code:
mkdir LVhome LVvar LVusr cryptRoot bootSda1
and copy the initrd to it with
Code:
mv /media/cryptRoot/boot/initrd.img /media/bootsda1/initrd.img-2.6.25-9,slh.1-sidux-686
but you do not mount /dev/sda1 to /media/bootsda1 in your HOWTO. You should add a mount line.
I think I have to add cryptdisks-early via rcconf. May that be possible?
The keyfile
Code:
mv /home/sidux/Desktop/sda3Keyfile /media/cryptRoot/root/
has wrong permissions.
It needs to be root:root with 0400 like this one:
Code:
-r-------- 1 root root 4096 4. Aug 20:43 /root/cryptkeyfile
For more information on this point have a look at the README.Debian.gz:
/usr/share/doc/cryptsetup/README.Debian.gz wrote:
3. Insecure mode/owner for keys
-------------------------------
Any key that is stored somewhere to be used with cryptsetup should have the
mode 400 (-r--------) and owner/group root. This way only root has permissions
to read the file. 'chown root.root keyfile' and 'chmod 400 keyfile' will do
the trick for you.
_________________ - stell @ jabber.crashmail.de -
[blog.crashmail.de] [last.fm-Profil]
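One way to audit the rule quoted from README.Debian above, as an added example that is not part of any post in this thread or of the HOWTO: it flags any key file that is not a regular file with mode 400 and owner root:root. The function names, the crypttab-style input file and the reliance on GNU `stat` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit key files for the "mode 400, owner root:root" rule.
# Assumptions: GNU stat (coreutils); key files are referenced from a
# crypttab-style file with fields: <name> <device> <keyfile> <options>.

# check_keyfile FILE [UID:GID]  -> 0 if FILE is compliant, 1 otherwise.
check_keyfile() {
    kf=$1; kf_want=${2:-0:0}; kf_rc=0
    # stat would report a symlink's own mode, so require a real regular file.
    if [ -L "$kf" ] || [ ! -f "$kf" ]; then
        echo "FAIL $kf: missing or not a regular file"
        return 1
    fi
    kf_mode=$(stat -c %a "$kf")
    kf_owner=$(stat -c %u:%g "$kf")
    if [ "$kf_mode" != 400 ]; then
        echo "FAIL $kf: mode $kf_mode, expected 400"
        kf_rc=1
    fi
    if [ "$kf_owner" != "$kf_want" ]; then
        echo "FAIL $kf: owner uid:gid $kf_owner, expected $kf_want"
        kf_rc=1
    fi
    if [ "$kf_rc" -eq 0 ]; then echo "OK   $kf"; fi
    return "$kf_rc"
}

# audit_crypttab [TABLE] [UID:GID]  -> 0 only if every key file is compliant.
audit_crypttab() {
    tab=${1:-/etc/crypttab}; tab_want=${2:-0:0}; tab_bad=0
    [ -r "$tab" ] || { echo "FAIL $tab: not readable"; return 1; }
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac          # blank line or comment
        case $key in ''|none|-|/dev/*) continue ;; esac  # passphrase or device key
        check_keyfile "$key" "$tab_want" || tab_bad=$((tab_bad + 1))
    done < "$tab"
    [ "$tab_bad" -eq 0 ]
}

# Typical use as root:  audit_crypttab /etc/crypttab
```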
Post subject:
Posted: Aug 05, 2008 - 12:40 AM
Joined: Oct 11, 2007
Posts: 33
Location: Germany, Franken
Status: Offline
Thanks Steve!
The insecure file permissions are now fixed.
I will change the other bugs tomorrow.
Post subject:
Posted: Aug 05, 2008 - 06:38 AM
Joined: Dec 04, 2006
Posts: 379
Location: Kraichgau
I think there are also some typos in the path of the keyfile, sometimes it's "/home/sidux/Desktop/", sometimes it's "/home/sidux/".
Holger
_________________ Dignus est intrare (Acidix Hydrochloridrix)
Post subject:
Posted: Aug 05, 2008 - 10:34 AM
Joined: Jun 17, 2007
Posts: 522
Location: Buchholz i.d.N.
Status: Offline
H-Cl wrote:
I think there are also some typos in the path of the keyfile, sometimes it's "/home/sidux/Desktop/", sometimes it's "/home/sidux/".
Yes, as I mentioned above.
_________________ - stell @ jabber.crashmail.de -
[blog.crashmail.de] [last.fm-Profil]
Post subject:
Posted: Oct 01, 2008 - 09:04 PM
Joined: Jun 17, 2007
Posts: 522
Location: Buchholz i.d.N.
Status: Offline
This HOWTO works for me with Erebos but it does not work with Ourea.
I can enter the password for /dev/sda2, but /dev/sda3 is not loaded. I set up the keyfile and tried without a keyfile (just password) - it does not work.
Code:
/dev/sda1: clean, 37/76304 files, 42786/305200 blocks
fsck.ext3: No such file or directory while trying to open /dev/mapper/cryptVG-LVhome
It also does not work if I try it without lvm2 (only cryptsetup).
Any hints what's wrong here?
_________________ - stell @ jabber.crashmail.de -
[blog.crashmail.de] [last.fm-Profil]
Post subject:
Posted: Oct 02, 2008 - 03:25 AM
Joined: Jun 17, 2007
Posts: 522
Location: Buchholz i.d.N.
Status: Offline
BTW: After boot fails I can enter the root password for maintenance mode. After that I'm able to enter:
Code:
cryptsetup luksOpen /dev/sda3 cryptSda3
vgscan
vgchange -a y
exit
and the boot process continues normally.
_________________ - stell @ jabber.crashmail.de -
[blog.crashmail.de] [last.fm-Profil]
Post subject:
Posted: Oct 02, 2008 - 08:14 AM
Joined: Oct 11, 2007
Posts: 33
Location: Germany, Franken
Status: Offline
I will look into it as soon as possible.
Post subject:
Posted: Oct 03, 2008 - 10:25 PM
Joined: Aug 27, 2007
Posts: 37
Status: Offline
Post subject:
Posted: Oct 21, 2008 - 01:08 PM
Joined: Oct 19, 2008
Posts: 5
Status: Offline