
Booting an encrypted Gentoo Linux system from a USB key using dm-crypt, LUKS and LVM

created by milobit, last modified: 04.06.2012 03:06
This guide describes how to encrypt the whole disk (Full Disk Encryption) and boot a Gentoo Linux system using a USB key and an initramfs.


Kernel config for cryptography

Cryptographic API  --->
    [*] XTS support (EXPERIMENTAL)
    ...
    [*] AES cipher algorithms
    [*] AES cipher algorithms (x86_64)
    [*] AES cipher algorithms (AES-NI)

Kernel config for LVM

Device Drivers  --->
    [*] Multiple devices driver support (RAID and LVM)  --->
        ...
        [*] Device mapper support
        [*] Crypt target support

cryptsetup luksFormat -c aes-xts-plain -s 256 -y /dev/sda

hexdump -n 256 -C /dev/sda
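The hexdump lets you eyeball the header that luksFormat wrote. The following shell script, added here as an example and not part of the original guide, performs the same check programmatically: it reads the first 8 bytes of a device or image file and reports whether they carry the LUKS magic ("LUKS" followed by 0xBA 0xBE) and which header version follows it. LUKS1, which the cryptsetup status output later on this page shows, stores version 0x0001 there; LUKS2 stores 0x0002 in the same place. The make_sample_header function writes a constructed image file so the check can be tried without touching a real disk; it is scaffolding for this example, not a cryptsetup feature.

```shell
#!/bin/sh
# Added example, not from the original guide: verify that a device or image
# file starts with a LUKS header, using only POSIX tools (dd, od, tr).
# Only the first 8 bytes are read; nothing is written to the device.
#
# LUKS header prefix (LUKS1 and LUKS2 share it):
#   bytes 0-5  magic   "LUKS" 0xBA 0xBE
#   bytes 6-7  version, big-endian: 0x0001 = LUKS1, 0x0002 = LUKS2

# hex_prefix FILE COUNT: print the first COUNT bytes of FILE as lowercase hex
# with no separators, e.g. "4c554b53babe0001".
hex_prefix() {
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# luks_version DEVICE: print "LUKS1" or "LUKS2" and return 0 when the magic is
# present; print "not-luks" and return 1 otherwise. Run as root on a real
# block device, e.g. "luks_version /dev/sda" right after luksFormat.
luks_version() {
    hdr=$(hex_prefix "$1" 8)
    case "$hdr" in
        4c554b53babe0001) echo LUKS1; return 0 ;;
        4c554b53babe0002) echo LUKS2; return 0 ;;
        4c554b53babe*)    echo "LUKS (unknown version)"; return 0 ;;
        *)                echo not-luks; return 1 ;;
    esac
}

# make_sample_header FILE VERSION: write a constructed 512-byte image whose
# first bytes mimic a LUKS header of the given version (1 or 2). This is
# test scaffolding for the check above, not something cryptsetup provides.
make_sample_header() {
    case "$2" in
        1) ver='\000\001' ;;
        2) ver='\000\002' ;;
        *) echo "unsupported version: $2" >&2; return 1 ;;
    esac
    {
        printf "LUKS\272\276$ver"
        dd if=/dev/zero bs=504 count=1 2>/dev/null
    } > "$1"
}

# Usage: sh luks-check.sh /dev/sda   (prints LUKS1/LUKS2 or not-luks)
if [ "$#" -gt 0 ]; then
    luks_version "$1"
fi
```

A "not-luks" result immediately after luksFormat means the header landed somewhere other than where you are looking (typically the whole disk versus a partition); a real header also makes the luksOpen step below fail loudly rather than silently opening the wrong device.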

cryptsetup luksOpen /dev/sda luks

fdisk -l /dev/mapper/luks

Disk /dev/mapper/luks: 500.1 GB, 500107862016 bytes

Disk /dev/mapper/luks doesn't contain a valid partition table

LVM

pvcreate /dev/mapper/luks

vgcreate lvm /dev/mapper/luks

lvcreate -L 250G -n root lvm

mkfs.reiserfs /dev/lvm/root

reiserfstune -l root /dev/lvm/root



INITRAMFS


Directory structure

mkdir /usr/src/initramfs

cd /usr/src/initramfs

mkdir -p bin lib dev etc mnt/root proc root sbin sys

Device nodes

cp -a /dev/{null,console,tty,sda1} /usr/src/initramfs/dev/

USE="static" emerge -av busybox

sys-apps/busybox must be compiled with the static USE flag. The init script below also calls cryptsetup and lvm, so static builds of those two must be copied into the initramfs as well, since the tree carries no shared libraries.

cp -a /bin/busybox /usr/src/initramfs/bin/busybox

Init

The init script (/usr/src/initramfs/init):

#! /bin/busybox sh

# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys
#mount -t devtmpfs none /dev

# Rescue shell: used when anything below fails.
rescue_shell() {
    echo "Something went wrong. Dropping you to a shell."
    busybox --install -s
    exec /bin/sh
}

# Install the busybox applet links, populate /dev and let mdev handle hotplug.
busybox --install -s
mdev -s
echo /sbin/mdev > /proc/sys/kernel/hotplug

# Give the USB stack time to register the disks before opening them.
sleep 10

echo "Please decrypt your Hard Disk!"
cryptsetup -T 5 luksOpen /dev/sda luks

# Activate the LVM volume group that lives inside the LUKS container.
lvm vgscan
lvm vgchange -a y

# Do your stuff here.
echo "This script mounts rootfs and boots it up, nothing more!"

# Mount the root filesystem read-only at the mount point created in the tree.
mount -o ro /dev/mapper/lvm-root /mnt/root || rescue_shell

sync

# Clean up.
umount /proc
umount /sys
#umount /dev

# Boot the real thing.
exec switch_root /mnt/root /sbin/init

chmod +x /usr/src/initramfs/init

cd /usr/src/initramfs

find . -print0 | cpio --null -ov --format=newc | gzip -9 > /boot/my-initramfs.cpio.gz
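The directory creation, busybox copy, init script and cpio packing above are one procedure. As an added example, not from the original guide, the following script collects those steps into functions and adds the pre-flight check a practitioner wants before packing: every binary the init script calls must be present and executable inside the tree, because a missing cryptsetup or lvm only shows up later as a failed boot and a rescue shell. The directory list and the cpio pipeline are the guide's own; the list of required binaries and their locations under the tree (bin/busybox, sbin/cryptsetup, sbin/lvm) are an assumption derived from what the init script invokes.

```shell
#!/bin/sh
# Added example, not from the original guide: assemble the initramfs tree the
# guide describes and pack it, refusing to pack while any binary the init
# script calls is missing from the tree.

# Directories the guide creates (mnt/root is the init script's mount point).
INITRAMFS_DIRS="bin lib dev etc mnt/root proc root sbin sys"

# Binaries the init script executes (assumed locations inside the tree).
# Each must be present, executable and, as the guide notes for busybox,
# statically linked, since the tree carries no shared libraries.
REQUIRED_BINS="bin/busybox sbin/cryptsetup sbin/lvm"

# create_tree ROOT: create the directory skeleton under ROOT.
create_tree() {
    for d in $INITRAMFS_DIRS; do
        mkdir -p "$1/$d" || return 1
    done
}

# check_tree ROOT: verify that the init script and every required binary
# exist under ROOT and are executable. Reports each missing item on stderr
# and returns 1 if anything is missing, 0 when the tree is complete.
check_tree() {
    missing=0
    for f in init $REQUIRED_BINS; do
        if [ ! -x "$1/$f" ]; then
            echo "missing or not executable: $1/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# pack_initramfs ROOT OUTPUT: build the gzip-compressed newc cpio archive the
# kernel expects, using the guide's find | cpio | gzip pipeline, but only
# after check_tree has passed.
pack_initramfs() {
    check_tree "$1" || return 1
    ( cd "$1" && find . -print0 | cpio --null -o --format=newc | gzip -9 ) > "$2"
}

# Usage (as root, after copying the static binaries and the init script):
#   create_tree /usr/src/initramfs
#   pack_initramfs /usr/src/initramfs /boot/my-initramfs.cpio.gz
```

Running check_tree on a freshly created skeleton fails by design; it passes only once the init script and the three binaries are in place, which is the state in which the archive is worth writing to /boot.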

Kernel

Linux Kernel Configuration: Enabling the initramfs

General setup  --->
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support

 

http://en.gentoo-wiki.com/wiki/Booting_encrypted_system_from_USB_stick

 

Encrypted "transfer" USB disk

cryptsetup luksFormat -c aes-xts-plain -s 256 -y /dev/sdc1

(answer YES)

quorra ~ # cryptsetup luksFormat -c aes-xts-plain -s 256 -y /dev/sdc1

WARNING!
========
This will overwrite data on /dev/sdc1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
quorra ~ #

 

quorra ~ # cryptsetup luksOpen /dev/sdc1 transfer  
Enter passphrase for /dev/sdc1:
quorra ~ #

 

quorra ~ # mkfs.reiserfs /dev/mapper/transfer
mkfs.reiserfs 3.6.21 (2009 www.namesys.com)

A pair of credits:
Elena Gryaznova performed testing and benchmarking.

Vladimir Saveliev started as the most junior programmer on the team, and became
the lead programmer.  He is now an experienced highly productive programmer. He
wrote the extent  handling code for Reiser4,  plus parts of  the balancing code
and file write and file read.


Guessing about desired format.. Kernel 3.3.3-gentoo is running.
Format 3.6 with standard journal
Count of blocks on the device: 122096112
Number of blocks consumed by mkreiserfs formatting process: 11938
Blocksize: 4096
Hash function used to sort names: "r5"
Journal Size 8193 blocks (first block 18)
Journal Max transaction length 1024
inode generation number: 0
UUID: 390c6beb-4f86-4d27-906e-e9688734b2ee
ATTENTION: YOU SHOULD REBOOT AFTER FDISK!
ALL DATA WILL BE LOST ON '/dev/mapper/transfer'!
Continue (y/n):y
Initializing journal - 0%....20%....40%....60%....80%....100%
Syncing..ok
ReiserFS is successfully created on /dev/mapper/extern.
quorra ~ #

 

quorra ~ # reiserfstune -l transfer /dev/mapper/transfer 
reiserfstune: Journal device has not been specified. Assuming journal is on the main device (/dev/mapper/transfer).

Current parameters:

Filesystem state: consistent

Reiserfs super block in block 16 on 0xfe02 of format 3.6 with standard journal
Count of blocks on the device: 122096112
Number of bitmaps: 3727
Blocksize: 4096
Free blocks (count of blocks - used [journal, bitmaps, data, reserved] blocks): 122084174
Root block: 8211
Filesystem is clean
Tree height: 2
Hash function used to sort names: "r5"
Objectid map size 2, max 972
Journal parameters:
Device [0x0]
Magic [0x6344c53e]
Size 8193 blocks (including 1 for journal header) (first block 18)
Max transaction length 1024 blocks
Max batch size 900 blocks
Max commit age 30
Blocks reserved by journal: 0
Fs state field: 0x0:
sb_version: 2
inode generation number: 0
UUID: 390c6beb-4f86-4d27-906e-e9688734b2ee
LABEL: extern
Set flags in SB:
ATTRIBUTES CLEAN
Mount count: 1
Maximum mount count: 30
Last fsck run: Sun Apr 29 00:34:24 2012
Check interval in days: 180
quorra ~ #

 

quorra ~ # mkdir /mnt/transfer

 

 

mount

quorra / # cryptsetup luksOpen /dev/sdc1 transfer
Enter passphrase for /dev/sdc1:

 

quorra / # cryptsetup status /dev/mapper/transfer
/dev/mapper/transfer is active.
type:    LUKS1
cipher:  aes-xts-plain
keysize: 256 bits
device:  /dev/sdc1
offset:  4096 sectors
size:    976769009 sectors
mode:    read/write
quorra / #

 

quorra / # mount /dev/mapper/transfer /mnt/transfer

 

umount

quorra ~ # umount /mnt/transfer/


quorra ~ # cryptsetup luksClose transfer


