Booting an encrypted Gentoo Linux system from a USB key with dm-crypt, LUKS and LVM
Kernel config for cryptography
Cryptographic API --->
[*] XTS support (EXPERIMENTAL)
...
[*] AES cipher algorithms
[*] AES cipher algorithms (x86_64)
[*] AES cipher algorithms (AES-NI)
Kernel config for LVM
Device Drivers --->
[*] Multiple devices driver support (RAID and LVM) --->
...
[*] Device mapper support
[*] Crypt target support
Create the LUKS container on the whole disk (this irrevocably overwrites /dev/sda; -y asks for the passphrase twice):
cryptsetup luksFormat -c aes-xts-plain -s 256 -y /dev/sda
Two things to know about these parameters: with XTS the key is split in half, so -s 256 gives AES-128 (use -s 512 for AES-256), and the "plain" IV is a 32-bit sector counter that wraps on devices larger than 2 TiB, so aes-xts-plain64 is the safer choice even on a disk of this size.
The header now sits at the start of the disk; the first bytes show the LUKS magic ("LUKS" followed by ba be), the cipher name and the mode:
hexdump -n 256 -C /dev/sda
Open the container (the plaintext view appears as /dev/mapper/luks) and confirm it is a blank block device without a partition table, which is what LVM wants:
cryptsetup luksOpen /dev/sda luks
fdisk -l /dev/mapper/luks
Disk /dev/mapper/luks: 500.1 GB, 500107862016 bytes
Disk /dev/mapper/luks doesn't contain a valid partition table
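As an added example (not part of the original page), the following POSIX shell script reads the same header bytes that hexdump shows above, parses the LUKS1 fields (version, cipher, IV mode, hash, key size, payload offset) and flags the two weak choices discussed: a plain instead of plain64 IV, and a 256-bit XTS key. It uses only od, dd, tr and printf and is exercised on a constructed header in a temporary file, so it runs without root or a real disk; point luks_info at /dev/sda to inspect the real container.

```shell
#!/bin/sh
# Added example (not from the page): read the LUKS1 header fields that
# `hexdump -n 256 -C /dev/sda` shows as raw bytes and flag weak parameters.
# Demo data is a constructed header in a temp file; no root or disk needed.
# LUKS1 on-disk layout (big-endian): magic[6] version[2] cipher[32] mode[32]
# hash[32] payload_offset[4] key_bytes[4] ...

# be_uint FILE OFFSET NBYTES -> big-endian unsigned integer at OFFSET
be_uint() {
    v=0
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1"); do
        v=$(( (v << 8) | b ))
    done
    echo "$v"
}

# cstr FILE OFFSET NBYTES -> NUL-padded string field at OFFSET
cstr() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# luks_info FILE -> "version cipher mode hash keybits payload_sectors"; 1 if no header
luks_info() {
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null)
    if [ "$magic" != "LUKS" ] || [ "$(be_uint "$1" 4 2)" -ne 47806 ]; then   # 47806 = 0xbabe
        echo "$1: no LUKS1 header" >&2; return 1
    fi
    keybits=$(( $(be_uint "$1" 108 4) * 8 ))
    echo "$(be_uint "$1" 6 2) $(cstr "$1" 8 32) $(cstr "$1" 40 32) $(cstr "$1" 72 32) $keybits $(be_uint "$1" 104 4)"
}

# luks_check FILE -> prints a line per weak choice; returns 0 if nothing to flag
luks_check() {
    info=$(luks_info "$1") || return 2
    set -- $info
    mode=$3 bits=$5 rc=0
    case "$mode" in
        *-plain) echo "IV mode $mode is a 32-bit sector counter; use ${mode}64 (wraps above 2 TiB)"; rc=1 ;;
    esac
    case "$mode" in
        xts-*) if [ "$bits" -lt 512 ]; then
                   echo "xts with a $bits-bit key is AES-$(( bits / 2 )); pass -s 512 for AES-256"; rc=1
               fi ;;
    esac
    return $rc
}

# --- constructed test data -------------------------------------------------
# be_bytes VALUE NBYTES -> VALUE as big-endian bytes on stdout
be_bytes() {
    i=$(( ($2 - 1) * 8 ))
    while [ "$i" -ge 0 ]; do
        printf "\\$(printf '%03o' $(( ($1 >> i) & 255 )))"
        i=$(( i - 8 ))
    done
}
# field STRING WIDTH -> STRING NUL-padded to WIDTH bytes (STRING has no spaces)
field() { printf "%-$2s" "$1" | tr ' ' '\000'; }

# make_header FILE CIPHER MODE HASH KEYBYTES -> first 112 bytes of a LUKS1 header
make_header() {
    {
        printf 'LUKS\272\276'; be_bytes 1 2            # magic + version 1
        field "$2" 32; field "$3" 32; field "$4" 32    # cipher, mode, hash
        be_bytes 4096 4; be_bytes "$5" 4               # payload offset (sectors), key bytes
    } > "$1"
}

# Demo: the page's parameters (aes-xts-plain, -s 256) next to the stronger ones.
weak=$(mktemp); strong=$(mktemp)
make_header "$weak" aes xts-plain sha1 32
make_header "$strong" aes xts-plain64 sha256 64
luks_info "$weak"                                     # -> 1 aes xts-plain sha1 256 4096
luks_check "$weak" || echo "$weak: change these before writing data"
luks_check "$strong" && echo "$strong: ok"
rm -f "$weak" "$strong"
```

luks_check only reads the header, so it is safe to run against the opened or closed device; changing cipher or key size afterwards means a new luksFormat, which is why the check is worth doing before data lands on the disk.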
LVM
Turn the opened container into an LVM physical volume, create a volume group named lvm on it and carve out a 250G root logical volume (it appears as /dev/lvm/root and as /dev/mapper/lvm-root, the name the init script uses):
pvcreate /dev/mapper/luks
vgcreate lvm /dev/mapper/luks
lvcreate -L 250G -n root lvm
Create the filesystem and label it (the tool is mkfs.reiserfs, not mkfs.reiser):
mkfs.reiserfs /dev/lvm/root
reiserfstune -l root /dev/lvm/root
INITRAMFS
Directory structure
mkdir /usr/src/initramfs
cd /usr/src/initramfs
mkdir -p bin lib dev etc mnt/root proc root sbin sys
Device nodes
cp -a /dev/{null,console,tty,sda} /usr/src/initramfs/dev/
(console, null and tty have to exist before the init script can print anything; the encrypted disk here is the whole /dev/sda, not sda1. mdev -s in the init script creates the remaining nodes.)
USE="static" emerge -av busybox
sys-apps/busybox must be compiled with the static USE flag, because the initramfs carries no shared libraries. The same goes for the other two programs the init script calls, cryptsetup and lvm: build them static as well (sys-fs/cryptsetup and sys-fs/lvm2 both have a static USE flag) and copy them into sbin/ of the initramfs.
cp -a /bin/busybox /usr/src/initramfs/bin/busybox
Init
init script (/usr/src/initramfs/init)
#!/bin/busybox sh
# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys
#mount -t devtmpfs none /dev

# Rescue shell: drop to an interactive shell if anything below fails
# (the applet symlinks are installed below, before this can be called).
rescue_shell() {
    echo "Something went wrong. Dropping you to a shell."
    exec /bin/sh
}

# Install the busybox applet symlinks (/bin/sh, /sbin/mdev, mount, ...).
busybox --install -s
# Create /dev nodes from sysfs and let the kernel call mdev for devices that
# appear later; busybox installs mdev as /sbin/mdev, not /bin/mdev.
mdev -s
echo /sbin/mdev > /proc/sys/kernel/hotplug
# Give the USB stack time to enumerate the disk before trying to open it.
sleep 10

echo "Please decrypt your Hard Disk!"
# Up to 5 passphrase attempts; fall into the rescue shell if the container stays closed.
cryptsetup -T 5 luksOpen /dev/sda luks || rescue_shell
# Find the volume group inside the container and activate its logical volumes.
lvm vgscan
lvm vgchange -a y || rescue_shell

# Do your stuff here.
echo "This script mounts rootfs and boots it up, nothing more!"

# Mount the root filesystem read-only on mnt/root (created above); the real
# init remounts it read-write.
mount -o ro /dev/mapper/lvm-root /mnt/root || rescue_shell
sync

# Clean up.
umount /proc
umount /sys
#umount /dev

# Boot the real thing.
exec switch_root /mnt/root /sbin/init
chmod +x /usr/src/initramfs/init
cd /usr/src/initramfs
find . -print0 | cpio --null -ov --format=newc | gzip -9 > /boot/my-initramfs.cpio.gz
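Before packing the image it is worth checking the tree, because a dynamically linked busybox, cryptsetup or lvm fails silently inside the initramfs (there is no /lib and no ld.so in it). The script below is an added example, not part of the original page: it parses the ELF program headers of every file in bin/ and sbin/ and reports any with a PT_INTERP or PT_DYNAMIC entry, and checks that init is executable. The demo tree and the two minimal ELF files it checks are constructed inline (the assumed layout mirrors the mkdir line above), so it runs anywhere; point check_initramfs_tree at /usr/src/initramfs for the real check.

```shell
#!/bin/sh
# Added example (not from the page): verify an initramfs tree before cpio.
# The check parses the ELF program headers itself (no ldd, which would run the
# binary's loader) and is demonstrated on constructed ELF files, so it needs
# neither root nor a Gentoo box.

# le_uint FILE OFFSET NBYTES -> little-endian unsigned integer at OFFSET
le_uint() {
    v=0; shift_n=0
    for b in $(od -An -v -tu1 -j "$2" -N "$3" "$1"); do
        v=$(( v | (b << shift_n) )); shift_n=$(( shift_n + 8 ))
    done
    echo "$v"
}

# elf_is_static FILE -> 0 static ELF, 1 needs a dynamic loader, 2 not an ELF file
elf_is_static() {
    [ "$(dd if="$1" bs=1 count=4 2>/dev/null | tr -d '\177')" = "ELF" ] || return 2
    if [ "$(le_uint "$1" 4 1)" -eq 2 ]; then      # ELFCLASS64
        phoff=$(le_uint "$1" 32 8); phentsize=$(le_uint "$1" 54 2); phnum=$(le_uint "$1" 56 2)
    else                                           # ELFCLASS32
        phoff=$(le_uint "$1" 28 4); phentsize=$(le_uint "$1" 42 2); phnum=$(le_uint "$1" 44 2)
    fi
    i=0
    while [ "$i" -lt "$phnum" ]; do
        case "$(le_uint "$1" $(( phoff + i * phentsize )) 4)" in
            2|3) return 1 ;;                       # PT_DYNAMIC / PT_INTERP
        esac
        i=$(( i + 1 ))
    done
    return 0
}

# check_initramfs_tree DIR -> prints each problem, returns their count (0 = ready to pack)
check_initramfs_tree() {
    d=$1; bad=0
    if [ ! -x "$d/init" ]; then echo "init: missing or not executable"; bad=$(( bad + 1 )); fi
    for f in "$d"/bin/* "$d"/sbin/*; do
        [ -f "$f" ] || continue
        rc=0; elf_is_static "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then echo "${f#$d/}: dynamically linked"; bad=$(( bad + 1 )); fi
    done
    return $bad
}

# --- constructed test data -------------------------------------------------
# le_bytes VALUE NBYTES -> VALUE as little-endian bytes on stdout
le_bytes() {
    v=$1; n=$2
    while [ "$n" -gt 0 ]; do
        printf "\\$(printf '%03o' $(( v & 255 )))"; v=$(( v >> 8 )); n=$(( n - 1 ))
    done
}
# fake_elf64 FILE INTERP -> minimal ELF64 x86-64 image with a PT_LOAD header and,
# if INTERP=1, a PT_INTERP header (test data only, not a runnable binary)
fake_elf64() {
    {
        printf '\177ELF\002\001\001'; le_bytes 0 9    # e_ident: 64-bit, LE, version 1
        le_bytes 2 2; le_bytes 62 2; le_bytes 1 4     # ET_EXEC, EM_X86_64, EV_CURRENT
        le_bytes 0 8; le_bytes 64 8; le_bytes 0 8     # e_entry, e_phoff=64, e_shoff
        le_bytes 0 4; le_bytes 64 2; le_bytes 56 2    # e_flags, e_ehsize, e_phentsize
        le_bytes $(( 1 + $2 )) 2; le_bytes 0 6        # e_phnum, e_shentsize/shnum/shstrndx
        le_bytes 1 4; le_bytes 0 52                   # PT_LOAD, rest of the entry zero
        if [ "$2" -eq 1 ]; then le_bytes 3 4; le_bytes 0 52; fi   # PT_INTERP
    } > "$1"
}

# Demo tree: static busybox, a cryptsetup built without USE=static, an init script.
t=$(mktemp -d); mkdir -p "$t/bin" "$t/sbin"
printf '#!/bin/busybox sh\nexec /bin/sh\n' > "$t/init"; chmod +x "$t/init"
fake_elf64 "$t/bin/busybox" 0
fake_elf64 "$t/sbin/cryptsetup" 1
check_initramfs_tree "$t" || echo "$? problem(s); fix before running cpio"
rm -rf "$t"
```

Scripts such as init are skipped (return code 2), so the check only complains about ELF objects that would need a loader the image does not carry.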
Kernel
Linux Kernel Configuration: Enabling the initramfs
General setup ---> [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
http://en.gentoo-wiki.com/wiki/Booting_encrypted_system_from_USB_stick
Encrypted "transfer" USB disk
The stick is formatted the same way as the system disk, on its first partition (answer the prompt with YES in uppercase):
cryptsetup luksFormat -c aes-xts-plain -s 256 -y /dev/sdc1
quorra ~ # cryptsetup luksFormat -c aes-xts-plain -s 256 -y /dev/sdc1
WARNING!
========
This will overwrite data on /dev/sdc1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
quorra ~ #
quorra ~ # cryptsetup luksOpen /dev/sdc1 transfer
Enter passphrase for /dev/sdc1:
quorra ~ #
quorra ~ # mkfs.reiserfs /dev/mapper/transfer
mkfs.reiserfs 3.6.21 (2009 www.namesys.com)
A pair of credits:
Elena Gryaznova performed testing and benchmarking.
Vladimir Saveliev started as the most junior programmer on the team, and became
the lead programmer. He is now an experienced highly productive programmer. He
wrote the extent handling code for Reiser4, plus parts of the balancing code
and file write and file read.
Guessing about desired format.. Kernel 3.3.3-gentoo is running.
Format 3.6 with standard journal
Count of blocks on the device: 122096112
Number of blocks consumed by mkreiserfs formatting process: 11938
Blocksize: 4096
Hash function used to sort names: "r5"
Journal Size 8193 blocks (first block 18)
Journal Max transaction length 1024
inode generation number: 0
UUID: 390c6beb-4f86-4d27-906e-e9688734b2ee
ATTENTION: YOU SHOULD REBOOT AFTER FDISK!
ALL DATA WILL BE LOST ON '/dev/mapper/transfer'!
Continue (y/n):y
Initializing journal - 0%....20%....40%....60%....80%....100%
Syncing..ok
ReiserFS is successfully created on /dev/mapper/extern.
quorra ~ #
quorra ~ # reiserfstune -l transfer /dev/mapper/transfer
reiserfstune: Journal device has not been specified. Assuming journal is on the main device (/dev/mapper/transfer).
Current parameters:
Filesystem state: consistent
Reiserfs super block in block 16 on 0xfe02 of format 3.6 with standard journal
Count of blocks on the device: 122096112
Number of bitmaps: 3727
Blocksize: 4096
Free blocks (count of blocks - used [journal, bitmaps, data, reserved] blocks): 122084174
Root block: 8211
Filesystem is clean
Tree height: 2
Hash function used to sort names: "r5"
Objectid map size 2, max 972
Journal parameters:
Device [0x0]
Magic [0x6344c53e]
Size 8193 blocks (including 1 for journal header) (first block 18)
Max transaction length 1024 blocks
Max batch size 900 blocks
Max commit age 30
Blocks reserved by journal: 0
Fs state field: 0x0:
sb_version: 2
inode generation number: 0
UUID: 390c6beb-4f86-4d27-906e-e9688734b2ee
LABEL: extern
Set flags in SB:
ATTRIBUTES CLEAN
Mount count: 1
Maximum mount count: 30
Last fsck run: Sun Apr 29 00:34:24 2012
Check interval in days: 180
quorra ~ #
quorra ~ # mkdir /mnt/transfer
mount
quorra / # cryptsetup luksOpen /dev/sdc1 transfer
Enter passphrase for /dev/sdc1:
quorra / # cryptsetup status /dev/mapper/transfer
/dev/mapper/transfer is active.
type: LUKS1
cipher: aes-xts-plain
keysize: 256 bits
device: /dev/sdc1
offset: 4096 sectors
size: 976769009 sectors
mode: read/write
quorra / #
quorra / # mount /dev/mapper/transfer /mnt/transfer
umount
quorra ~ # umount /mnt/transfer/
quorra ~ # cryptsetup luksClose transfer
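The open/mount and umount/close sequence above is easy to get wrong in the other direction: luksClose on a mapping that is still mounted is refused as busy, and a stick pulled before the umount loses data. As an added example that is not part of the original page, the shell functions below wrap the sequence: open_transfer refuses to re-open an existing mapping and undoes luksOpen if the mount fails; close_transfer syncs and unmounts first, looking the mount point up in /proc/mounts, and only then closes the mapping. The device, mapping name and mount point are the page's (/dev/sdc1, transfer, /mnt/transfer); the /proc/mounts lookup is demonstrated on a constructed snapshot so that part runs without root.

```shell
#!/bin/sh
# Added example (not from the page): safe open/close of the "transfer" stick.
# Assumed (the page's values): device /dev/sdc1, mapping name "transfer",
# mount point /mnt/transfer.  MOUNTS is /proc/mounts normally; the demo points
# it at a constructed snapshot so the lookup can be run without root.
MOUNTS=/proc/mounts

# mountpoint_of DEVICE -> prints where DEVICE is mounted, returns 1 if it is not.
# /proc/mounts lists the path given to mount(8), so mount via /dev/mapper/NAME
# (as the page does) rather than /dev/dm-N, or the lookup will not match.
mountpoint_of() {
    while read -r dev mnt _rest; do
        if [ "$dev" = "$1" ]; then printf '%s\n' "$mnt"; return 0; fi
    done < "$MOUNTS"
    return 1
}

# open_transfer DEVICE NAME MOUNTPOINT -> luksOpen, then mount; undo on failure
open_transfer() {
    if [ -e "/dev/mapper/$2" ]; then
        echo "$2 is already mapped; close it first" >&2; return 1
    fi
    cryptsetup -T 3 luksOpen "$1" "$2" || return 1     # three passphrase attempts
    mkdir -p "$3"
    if ! mount "/dev/mapper/$2" "$3"; then
        cryptsetup luksClose "$2"                       # do not leave a dangling mapping
        return 1
    fi
}

# close_transfer NAME -> sync and umount if mounted, then luksClose; never
# closes a mapping that is still mounted.
close_transfer() {
    if mnt=$(mountpoint_of "/dev/mapper/$1"); then
        sync
        umount "$mnt" || { echo "umount $mnt failed; mapping left open" >&2; return 1; }
    fi
    cryptsetup luksClose "$1"
}

# Demo of the lookup on a constructed /proc/mounts snapshot (no root needed):
sample=$(mktemp)
printf '%s\n' '/dev/sda2 / ext4 rw,relatime 0 0' \
              '/dev/mapper/transfer /mnt/transfer reiserfs rw 0 0' > "$sample"
MOUNTS=$sample
mountpoint_of /dev/mapper/transfer        # -> /mnt/transfer
mountpoint_of /dev/sdc1 || echo "/dev/sdc1 itself is not mounted (only the mapping is)"
MOUNTS=/proc/mounts
rm -f "$sample"
```

With real devices the calls are open_transfer /dev/sdc1 transfer /mnt/transfer and close_transfer transfer, both as root.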