Author Topic: Re: PCLinuxOS KDE 2011.6 is now available for download > encryption  (Read 6099 times)

Offline menotu

Has anyone used encryption (for drives/partitions) during the install of 2011-06?

« Last Edit: July 04, 2011, 04:49:24 PM by Neal »

Offline AS

Re: PCLinuxOS KDE 2011.6 is now available for download
« Reply #1 on: July 03, 2011, 02:40:10 PM »
Quote
Has anyone used encryption (for drives/partitions) during the install of 2011-06?




I'm going to test this feature (or a similar/equivalent one) in VirtualBox and will let you know about it as soon as possible.  ;)

AS

Offline AS

Re: PCLinuxOS KDE 2011.6 is now available for download
« Reply #2 on: July 04, 2011, 08:14:50 AM »
Partial success on using encrypted partitions:  ;)

On the first try I set up a single encrypted partition '/' and successfully installed the system, but it failed at first reboot:
clearly grub fails to recognize an encrypted partition ... test terminated with failure.

The above failure may be a good reason to set up a separate /boot filesystem, allowing the kernel / initrd to start from an unencrypted partition and mount the encrypted '/' later; at least I was thinking so.

I tried a second install, this time using a plain (unencrypted) /boot; at disk partitioning time I realized that I was not allowed to encrypt a /boot filesystem or a '/' filesystem.
(There is a glitch in diskdrake that allows you to encrypt the partition and then assign it to /boot, but if you choose the mount point first, the encrypt check box becomes grayed out, so the developers' intentions are clear: you are not allowed to encrypt the '/' and '/boot' filesystems ... maybe others, but I didn't check.)

Continuing with the disk setup, I chose to encrypt the 'swap' and the '/home' filesystem and performed the system installation.

At first reboot, the system will ask for filesystem encryption password, this is actually causing a minor issue:
- plymouth screen is 'blocked' from password requests
- until you press ESC to terminate plymouth, you don't see the password request.

I pressed ESC (plymouth terminated), entered the required password, and the boot process proceeded as expected until the time came to activate the swap, which actually fails, but the system continues the boot process, later asking about keyboard and time setup.

In this second test, the system is fully working (except for the encrypted swap and the issue related to plymouth).

This is the resulting /etc/fstab:
Code:
# Entry for /dev/sda5 :
UUID=661ce798-79bb-4e22-9d94-c41a565a36f6 / ext4 acl,relatime 1 1
# Entry for /dev/sda1 :
UUID=66fbc96a-b06d-4625-a1cd-c20b94e6cff5 /boot ext2 acl,relatime 1 2
/dev/mapper/crypt_sda7 /home ext4 noatime 0 0
none /proc proc defaults 0 0
/dev/mapper/crypt_sda6 swap swap noatime 0 0
none /dev/pts devpts defaults 0 0

The following is the output of df:
Code:
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda5             9.0G  1.8G  6.7G  22% /
/dev/sda1             312M   13M  283M   5% /boot
/dev/mapper/crypt_sda7
                      9.9G  162M  9.7G   2% /home

AS

EDIT: the swap appears to be activated correctly, see message #8 below:
http://www.pclinuxos.com/forum/index.php/topic,93730.msg788014.html#msg788014
« Last Edit: July 05, 2011, 07:17:45 AM by as »
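
An added example (not part of AS's post): a small shell check over the fstab shown above that reports which mount points sit on an encrypted mapping and which are stored in plaintext. It assumes the /dev/mapper/crypt_<partition> naming seen in this thread; the function names are made up for the example.

```sh
#!/bin/sh
# Added example: report which fstab entries are backed by an encrypted mapping.
# Assumption: encrypted volumes use the /dev/mapper/crypt_* names that
# appear in the fstab posted above.

# Print "<target> encrypted|PLAINTEXT" for every on-disk fstab entry.
fstab_crypt_report() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }      # comments, blank lines
        $3 == "proc" || $3 == "devpts" { next }  # pseudo filesystems, no data at rest
        {
            target = ($3 == "swap") ? "swap" : $2
            state  = ($1 ~ /^\/dev\/mapper\/crypt_/) ? "encrypted" : "PLAINTEXT"
            print target, state
        }
    ' "$1"
}

# Space-separated list of targets whose contents are readable without a key.
plaintext_targets() {
    fstab_crypt_report "$1" |
        awk '$2 == "PLAINTEXT" { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# The fstab from the post, embedded so the example runs offline.
sample_fstab() {
    cat <<'EOF'
# Entry for /dev/sda5 :
UUID=661ce798-79bb-4e22-9d94-c41a565a36f6 / ext4 acl,relatime 1 1
# Entry for /dev/sda1 :
UUID=66fbc96a-b06d-4625-a1cd-c20b94e6cff5 /boot ext2 acl,relatime 1 2
/dev/mapper/crypt_sda7 /home ext4 noatime 0 0
none /proc proc defaults 0 0
/dev/mapper/crypt_sda6 swap swap noatime 0 0
none /dev/pts devpts defaults 0 0
EOF
}

tmp=$(mktemp)
sample_fstab > "$tmp"
fstab_crypt_report "$tmp"
echo "unencrypted: $(plaintext_targets "$tmp")"
rm -f "$tmp"
```

The name match is only a heuristic, since /dev/mapper also holds LVM volumes; on a running system `cryptsetup status <name>` confirms what a mapping really is.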

Offline Just17

Re: PCLinuxOS KDE 2011.6 is now available for download
« Reply #3 on: July 04, 2011, 08:47:08 AM »
Quote
At first reboot, the system will ask for filesystem encryption password, this is actually causing a minor issue:
- plymouth screen is 'blocked' from password requests
- until you press ESC to terminate plymouth, you don't see the password request.

Could be regarded as an extra security feature  :D

Offline AS

Re: PCLinuxOS KDE 2011.6 is now available for download
« Reply #4 on: July 04, 2011, 10:31:49 AM »
Performed a third test, encrypting the root filesystem '/' while keeping only '/boot' unencrypted: Success  :)

I tweaked the boot parameters a little, removing the option quiet and changing splash=silent to splash=verbose to overcome the plymouth issue, resulting in a perfectly clean boot.

This time no swap at all.

The system itself added a boot parameter root=/dev/mapper/crypt_sda5 directing the mounting of the root filesystem.
However, it may not be such a good idea to encrypt the root filesystem; it will only result in a (small) performance penalty.
The result is interesting, however, meaning that the kernel/initrd are already prepared to support encrypted partitions.

... testing to be continued ...  ;)

AS

Offline gseaman

Re: PCLinuxOS KDE 2011.6 is now available for download
« Reply #5 on: July 04, 2011, 12:17:57 PM »
This information about encryption should be in a separate post for everyone. I'm very interested in your progress, AS.

Galen

Offline AS

Re: PCLinuxOS KDE 2011.6 is now available for download
« Reply #6 on: July 04, 2011, 04:41:42 PM »
@Galen,

You are right; tomorrow I will copy/move the info to the "Hard drive installation" section, thanks for the reminder.  ;)
EDIT: our admins are always faster! Thank you Neal  ;) You win an extra coffee!  ;D

I continued testing a bit and tried to crash the system (that is, simply turning off the virtual machine without a shutdown  ;)  );
upon reboot a filesystem check is automatically performed, as for any unencrypted partition.

But what if I want to perform an fsck or access the encrypted partition starting from a liveCD? You never know ...  ;) :D
That's a bit different and requires a couple of additional statements (yes, I spent a bit of time finding this info):

cryptsetup luksOpen /dev/sdaN crypt_sdaN
<password requested here>

The above statements will create an entry /dev/mapper/crypt_sdaN which corresponds to the unencrypted block device.

You can force an fsck by using fsck -f /dev/mapper/crypt_sdaN or mount the partition using mount /dev/mapper/crypt_sdaN /mount_point

... the fun continues ...  ;D

AS
« Last Edit: July 04, 2011, 04:53:56 PM by as »
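
The live-CD procedure above as a script, added here as an example that is not part of AS's post: it checks for a LUKS header first and closes the mapping once the check is done. The function names and the DRY_RUN switch are assumptions of this example; the cryptsetup and fsck calls are those from the post plus isLuks and luksClose.

```sh
#!/bin/sh
# Added example: unlock a LUKS partition from a live CD, force an fsck, and
# close the mapping afterwards. Set DRY_RUN=1 to print the commands
# instead of running them (running for real needs root).

run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# luks_fsck <partition> <mapping-name>, e.g. luks_fsck /dev/sda7 crypt_sda7
luks_fsck() {
    dev=$1 name=$2
    mapped=/dev/mapper/$name

    # Never fsck a filesystem that is currently mounted.
    if grep -q "^$mapped " /proc/mounts 2>/dev/null; then
        echo "$mapped is mounted; unmount it first" >&2
        return 2
    fi
    # Refuse anything that does not carry a LUKS header.
    run cryptsetup isLuks "$dev" || { echo "$dev is not LUKS" >&2; return 2; }
    # Prompts for the passphrase and creates /dev/mapper/<name>.
    run cryptsetup luksOpen "$dev" "$name" || return 2

    # fsck exits 0 when clean and 1 when errors were corrected; keep the
    # code so the caller can tell the two apart.
    rc=0
    run fsck -f "$mapped" || rc=$?

    # Drop the mapping so the decrypted device does not stay exposed.
    run cryptsetup luksClose "$name"
    return "$rc"
}

# Show the plan for the /home partition from this thread without touching disks.
DRY_RUN=1 luks_fsck /dev/sda7 crypt_sda7
```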

Offline xbask

Re: PCLinuxOS KDE 2011.6 is now available for download > encryption
« Reply #7 on: July 05, 2011, 06:30:44 AM »
It's quite correct that one needs to have a separate /boot which holds the kernel, initrd and grub menu stuff when one wants to have system encryption - of root /.

Aside from other issues, one reason I've moved to PCLOS is that it can use already set-up LUKS partitions with more secure parameters than the standard default. That is, not just doing a normal install onto an ordinary partitioned hdd and, when choosing the partitions in DiskDrake, ticking the "encrypt" option.

Some other distros can avoid the standard 'cbc-essiv' LUKS default setup but can't let you tweak the LUKS options or perhaps not let you use already prepared LUKS parts.

The approaches depend on having an up-to-date version of cryptsetup, or at least the same version being used to set up the partitions as is going to be used for the install.

With the older LIVE-CD I had to do a Synaptic update for cryptsetup and some related packages. The latest LIVE-CDs have the latest cryptsetup and related so just go ahead with setting the hdd as you want. Then what you do is:

modprobe -a dm-crypt aes sha256 xts

cryptsetup xxxx luksFormat /dev/yyyyyy

where xxxx are the required options and yyyyyy is the chosen partition (repeated as needed for swap, home)

You then need to open the newly encrypted partitions:

cryptsetup luksOpen /dev/sdroot  root
cryptsetup luksOpen /dev/sdhome  home
cryptsetup luksOpen /dev/sdswap swap

Obviously the /dev/sdxxx parts are the actual correct sda numbers for your choice.

Make sure that PCLOS doesn't automount them. In a terminal run command 'mount' and if you see any 'dev/mapper/xxxxx mounted....'  then use the 'umount /dev/mapper/xxxxx' as required. NB same with any normal /sda, make sure none are mounted prior to install. I found that caused problems sometimes.

When the Install is run and DiskDrake appears change to 'Custom partitioning' and also 'Expert mode', it's just a matter of clicking on the partition block and choosing the 'Mount point'. The LUKS ones have little padlock icons. DiskDrake automatically "knows" about the swap and you don't need to tell it about that. When you click on the LUKS swap part there's no 'mount point' choice and no need to click on any other option for that part.

A good idea is to have a piece of paper with your chosen hdd layout, sizes and names and numbers and note the password for LUKS. A major plus is that if you choose the same password for all the LUKS parts then the initrd when it boots and gives you a small window to input the password, will know to apply it to all the LUKS parts. I found that using 3 or more LUKS parts with all different passwords caused some problems but YMMV as they say.

Offline AS

Re: PCLinuxOS KDE 2011.6 is now available for download > encryption
« Reply #8 on: July 05, 2011, 07:00:30 AM »
Hi xbask,

thank you for your additions.

Quote
A good idea is to have a piece of paper with your chosen hdd layout, sizes and names and numbers and note the password for LUKS. A major plus is that if you choose the same password for all the LUKS parts then the initrd when it boots and gives you a small window to input the password, will know to apply it to all the LUKS parts. I found that using 3 or more LUKS parts with all different passwords caused some problems but YMMV as they say.

Just for testing, I tried again to set up a system with swap and home encrypted, using different passwords:
at initrd time, the first password requested is the one for the swap partition; however, I haven't seen any "window" for entering the password, only a text line, as shown below for "home".
EDIT: saw the password windows; probably it works with some but not all plymouth themes.

Contrary to what I initially reported, the swap partition is activated correctly; a message about a failure is still shown during boot:

About multiple passwords: the system appears to store any password you provide and then checks all of them against each encrypted filesystem, i.e. I initially provided the 'home password' when the swap password was requested, resulting in a second password request; this time I provided the correct password. Later, when mounting 'home', the system didn't request the password because it was already known.



« Last Edit: July 05, 2011, 12:22:23 PM by as »

Offline AS

Re: PCLinuxOS KDE 2011.6 is now available for download > encryption
« Reply #9 on: July 05, 2011, 02:45:24 PM »
the windows for password input:




Offline gseaman

Re: PCLinuxOS KDE 2011.6 is now available for download > encryption
« Reply #10 on: July 05, 2011, 02:55:11 PM »
Any chance when you've finished exploring this topic that you might condense it to a magazine article? ;D

Galen

Offline exploder

Re: PCLinuxOS KDE 2011.6 is now available for download > encryption
« Reply #11 on: July 05, 2011, 03:03:19 PM »
Thanks for posting the screenshot as. I have never tried encrypting my drives but it is an interesting topic.

Offline AS

Re: PCLinuxOS KDE 2011.6 is now available for download > encryption
« Reply #12 on: July 05, 2011, 03:06:55 PM »
Quote
Any chance when you've finished exploring this topic that you might condense it to a magazine article? ;D

Galen

I was thinking of something like that, provided someone can revise my English!  ;)

Mostly I'm exploring this topic because I want to set up my notebook in a secure way; sometimes I leave the notebook in my car or in other places, and I'm always worried about a possible theft.  8)

Another couple of days, and I think I will be ready to prepare something a little cleaner than this thread.

AS



Offline gseaman

Re: PCLinuxOS KDE 2011.6 is now available for download > encryption
« Reply #13 on: July 05, 2011, 03:42:35 PM »
Fantastic! Don't worry, you express yourself very clearly in English!

Galen

Offline djohnston

Re: PCLinuxOS KDE 2011.6 is now available for download > encryption
« Reply #14 on: July 05, 2011, 04:08:26 PM »
Quote
Any chance when you've finished exploring this topic that you might condense it to a magazine article? ;D

Galen

Quote
I was thinking of something like that, provided someone can revise my English!  ;)

AS


AS, I'd be glad to do the edits. Your English is pretty good, actually.