#51 2012-11-10 01:16:41

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: [solved] Switching to encrypted disk

Strike0 wrote:
hunterthomson wrote:

.. or put them in "Plain Text" in /etc/crypttab.

That used to be - plaintext passwords are not supported anymore by crypttab.

Really. That is interesting? Well, anything other than the location of a keyfile must still be all you need to auto-decrypt other partitions, right? Like it can't be a hash. I guess it could be encrypted itself, but then you would still need to enter yet another password.

In any case, with LVM none of that crypttab stuff is needed, and that is the benefit.


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#52 2012-11-10 03:35:59

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [solved] Switching to encrypted disk

OK. So I actually did this before reading the latest responses.

I basically used lvm-on-luks with 2 unencrypted partitions (/boot, /boot/efi) and 1 encrypted with lvm and 10 logical volumes (but I may tweak this).

I basically used cryptsetup's default settings except for specifying --use-random. As far as I can tell, the default is not subject to the watermark attack which made AES in plain mode vulnerable.

The most difficult bit was configuring grub.cfg because I don't handle that automatically and couldn't find clear hand-editing instructions. Anyway, I copied bits from the one installed by Fedora's installer and that seems to have worked.

So I can now boot but am running into some unforeseen complications.

The first I should have foreseen which is that I need a new emergency system since this setup breaks finnix.

The second has to do with Arch. It seems that rsync has not been deleting old files and directories in all cases. This caused a bit of a headache with pacman because I got duplicate database entries all over the place.  I think that I've got the pacman problem sorted. (Finally realised I have a backup of the database which I'd not managed to overwrite.)

However, I'm worried that I may have all kinds of other stray things on the system and am not quite sure yet about the best way to go about cleaning up. For example, I now have /usr/share/gcc-4.7.{1,2} which cannot be good...

EDIT: I guess the pacman-disowned script will help with this. That just leaves whatever mess I'll get in the non-system directories.

Oh, and switching to encryption has killed bluetooth. But that's no surprise. Everything kills bluetooth :(

I'm also a bit worried about the fact that rsync has not given me a clean backup.

Last edited by cfr (2012-11-10 03:52:29)


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

Offline
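One way to confirm which cipher mode a LUKS header really uses, relevant to the watermarking remark in the post above. This is an added example, not part of the post: it assumes the LUKS1 `cryptsetup luksDump` text layout, and the sample header (including the device name) is constructed.

```shell
#!/bin/sh
# Added example: classify the cipher mode reported by `cryptsetup luksDump`.
# CBC with a predictable IV (cbc-plain, cbc-plain64) is the watermarkable
# case; ESSIV and XTS modes are not. Anything else is flagged for review.

# Reads luksDump text on stdin, prints "<cipher>-<mode> <verdict>".
classify_luks_mode() {
    awk '
        /^Cipher name:/ { name = $NF }
        /^Cipher mode:/ { mode = $NF }
        END {
            if (name == "" || mode == "") { print "unknown unknown"; exit 2 }
            verdict = "ok"
            # The sector number used directly as IV is known to an attacker.
            if (mode ~ /^cbc-plain(64)?$/) verdict = "watermarkable"
            else if (mode !~ /^(cbc-essiv:|xts-)/) verdict = "review"
            print name "-" mode, verdict
        }'
}

# Constructed LUKS1 header dump; $1 is the cipher mode to embed.
sample_dump() {
    cat <<EOF
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    $1
Hash spec:      sha1
EOF
}

for m in cbc-essiv:sha256 xts-plain64 cbc-plain; do
    sample_dump "$m" | classify_luks_mode
done
```

On a real system the input would come from `cryptsetup luksDump <device>` run as root.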

#53 2012-11-10 04:02:27

WonderWoofy
Member
From: Los Gatos, CA
Registered: 2012-05-19
Posts: 8,414

Re: [solved] Switching to encrypted disk

Well, I cannot answer your issues here, but I have been following this thread since you started it.  I have learned quite a bit about encryption by reading/participating here.  So I am glad to see you finally made the plunge.  Though I assume the delay had to do with the former state of your laptop.

BTW, how is your laptop after the repair?  Did the new thermal paste and reseating of the heatsink make things better?  I assume there must have been some kind of improvement if you are now doing things like this.  I know that when you were having the issues, you were trying to avoid any resource heavy tasks.

Also, I am not sure why you didn't just keep finnix on a non-encrypted small partition.

Offline

#54 2012-11-10 09:33:49

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: [solved] Switching to encrypted disk

Hum, boy, it seems like you have a mess on your hands.

It seems like you set up the partitioning and LVM-on-LUKS, which "I" very much think is the best way to go. As for the grub.cfg config with this setup, you just need to add this one line to the GRUB_CMDLINE_LINUX="" string in /etc/default/grub
(note: /dev/sda2 is the partition that is LUKS/dm-crypt'ed and inside is all the LVM bla bla. Just not /boot)

/etc/default/grub

GRUB_CMDLINE_LINUX="cryptdevice=/dev/sda2:root"

Then rebuild the grub.cfg and it auto-sets up all the LVM stuff and everything else

grub-mkconfig -o /boot/grub/grub.cfg

Neither Bluetooth nor anything else will be affected by block device level encryption. The OS does not even know it is encrypted. Only the dm-crypt kernel module knows it is encrypted. The rest of the system just sees a normal plain text block device.

The Bluetooth and stuff must all be problems from rsync.

rant:
This is why I stick to tar. Tar is bulletproof. No need to worry about mixed-up backups, or all the problems that come with block layer backups, on and on. Tar will never let you down. I just run a script to make a tar backup, pipe it into GPG2, and write to a sshfs mounted filesystem. You could also just pipe the output from GPG2 into scp.
http://myrelay.net/Public/Scripts/backup.sh

Last edited by hunterthomson (2012-11-10 09:34:26)


Offline
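A check for a hand-edited grub.cfg, following the cryptdevice= parameter given in the post above. This is an added example, not part of the post: the menu entries, kernel paths and the `vg-root` volume name are constructed, and only `cryptdevice=/dev/sda2:root` comes from the thread.

```shell
#!/bin/sh
# Added example: list kernel entries in a grub.cfg and show whether each
# carries a cryptdevice=<device>:<name> parameter. Output is one line per
# "linux" command: "<line-no> <cryptdevice value or MISSING>".
# Exit status is non-zero if any entry lacks the parameter.
check_cryptdevice() {
    awk '
        $1 ~ /^linux(efi|16)?$/ {
            found = "MISSING"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^cryptdevice=[^:]+:[^:]+/) found = substr($i, 13)
            print NR, found
            if (found == "MISSING") bad = 1
        }
        END { exit bad }'
}

# Constructed grub.cfg fragment: the fallback entry was edited by hand
# and lost its cryptdevice= parameter.
sample_grub_cfg() {
    cat <<'EOF'
menuentry 'Arch Linux' {
    linux /vmlinuz-linux root=/dev/mapper/vg-root cryptdevice=/dev/sda2:root ro
    initrd /initramfs-linux.img
}
menuentry 'Arch Linux (fallback)' {
    linux /vmlinuz-linux root=/dev/mapper/vg-root ro
    initrd /initramfs-linux-fallback.img
}
EOF
}

sample_grub_cfg | check_cryptdevice || echo "entries without cryptdevice= found"
```

Against a real file: `check_cryptdevice < /boot/grub/grub.cfg`.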

#55 2012-11-10 20:35:12

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [solved] Switching to encrypted disk

I admit that I have something of a mess but I'm not sure that is rsync's fault! As far as I know, rsync retains information which tar does not. (Or can tar now keep extended attributes?) Plus incremental backups are pretty much required for me.

In any case, I'm not sure the pacman-disowned script found everything but it found a lot. Currently hoping I haven't accidentally deleted anything crucial and not realised it and that I've cleaned up enough for things to work properly. The non-system directories are a different matter...

Bluetooth is unlikely to be rsync's fault. It is more a quirk of this laptop. Upset it in any way and it hard blocks bluetooth. I'll sort it out when I'm reasonably confident everything else is not going to implode.

Re. grub.cfg: I don't generate it automatically so that's why those instructions didn't work for me. But I figured it out from the Fedora files and it seems to work OK now. (Some remaining ugliness but I hope that will be tidied when I reboot.)

Yes, I should have kept finnix on an unencrypted partition. For some reason, I just didn't think to do that. And, yes, the new thermal paste seems to be helping although the critical test will be the end of next week in my office. (It is warmest at the end of the week.)

EDIT: Marking this thread as solved since I have switched to encrypted disk and the collateral damage is not strictly a result of that operation.

Last edited by cfr (2012-11-10 23:17:44)


Offline

#56 2012-11-10 23:31:01

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: [solved] Switching to encrypted disk

Yes, tar backs up everything, sticky bit, suid
Yes, tar has incremental backups

Well, you can still let grub make you a working grub.cfg then just cut 'n paste the parts you want to use.

grub-mkconfig -o ~/auto-grub.cfg

Last edited by hunterthomson (2012-11-10 23:34:21)


Offline

#57 2012-11-11 00:05:33

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [solved] Switching to encrypted disk

Yes, thanks. I didn't know tar could do incremental. I don't think it backs up extended attributes, though.

I thought of doing that with grub but I was sitting next to a machine running fedora and it was just easier to get the information there. (I was mostly confused because "root" refers to different places in different contexts and I needed to figure out which place it wanted where.) If it is still ugly when I reboot, I might try comparing an auto-generated version.

I'm most concerned right now with all these stray files I've got everywhere :)


Offline

#58 2012-11-11 11:33:13

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: [solved] Switching to encrypted disk

Ya, tar backs up extended attributes.
Many times I have recovered my whole system from tar backups. In fact, your whole system is already just made up of unpacked tar archives... .pkg.tar.xz

Last edited by hunterthomson (2012-11-11 11:40:58)


Offline

#59 2012-11-11 16:41:50

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [solved] Switching to encrypted disk

Weirdly, I ran rsync to backup last night and it now seems to have deleted files on the backup which I spent the last two days deleting on the source... While this is good, I wish I understood why.


Offline

#60 2012-11-11 22:26:24

bernarcher
Forum Fellow
From: Germany
Registered: 2009-02-17
Posts: 2,281

Re: [solved] Switching to encrypted disk

cfr wrote:

Weirdly, I ran rsync to backup last night and it now seems to have deleted files on the backup which I spent the last two days deleting on the source... While this is good, I wish I understood why.

You will need one of the "--delete" options to delete extraneous files from dest dirs. See man rsync. Otherwise rsync will keep them untouched.


To know or not to know ...
... the questions remain forever.

Offline

#61 2012-11-11 22:29:22

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [solved] Switching to encrypted disk

The rsync option "--delete-after" does such, but it can only be speculation as you have chosen not to give details of the commands you run.

edit: outpaced by a mod, again :)

Last edited by Strike0 (2012-11-11 22:54:07)

Offline

#62 2012-11-12 00:32:13

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: [solved] Switching to encrypted disk

I use --delete-excluded which assumes --delete according to the manual page. (I double-checked that it said this after I realised what had happened.)

Specifically,

/usr/bin/rsync -aAXv --delete-excluded --exclude-from="$list" --log-file="$logdir/$logfile" "$srcdir/" "$destdir"

My exclude list is basically:

P /mnt/IomegaHD/etc/fstab
P /mnt/IomegaHD/mnt/ComputerName
P lost+found/

# Include
+ /dev
+ /media
+ /mnt/generic
+ /mnt/generic/var
+ /mnt/IomegaHD
+ /etc/fstab\.*

# Exclude
- /dev/*
- /proc/*
- /run/*
- /sys/*
- /tmp/*
- lost+found/
- /media/*
- /mnt/generic/*
- /mnt/IomegaHD/*
- /etc/fstab
- /var/lib/pacman/sync/*
- /home/*/.gvfs/
- /home/*/wuala/WualaDrive/
- /home/*/.mozilla/firefox/*.default/Cache/*
- /home/*/.cache/chromium/*

I added the last few lines after reading the rsync wiki just because I realised they were unnecessary - not because I think not including them caused the issue particularly. (This is the last three lines, I think. .gvfs was definitely there before.) That is, re-reading the wiki. I was trying to figure out what I was doing wrong.

EDIT: Maybe adding the wuala to the exclude list is what made the difference?

Last edited by cfr (2012-11-12 00:35:30)


Offline

#63 2012-11-12 07:04:59

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [solved] Switching to encrypted disk

cfr wrote:

...EDIT: Maybe adding the wuala to the exclude list is what made the difference?

I don't really understand that conclusion, but I don't use the option. Not having that "wuala" directory on the exclude list means it will be deleted from the backups after the original is deleted. _Having_ it on the exclude list, in combination with --delete-excluded, means the same. The only difference the exclude list makes refers to not backing up new files from the dir.

rsync man writes:
... Files that are excluded from the transfer are also excluded from being deleted unless you use the --delete-excluded option

So, with respect to deleting from the backup destination, adding the wuala directory made no difference in my view.

Offline
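The three cases compared in the post above (no exclude rule, an exclude rule with --delete, and an exclude rule with --delete-excluded), reproduced on throwaway directories. This is an added example, not part of the thread: the tree layout and file names are constructed, and it uses plain `-a` rather than the `-aAX` of the posted command so it does not depend on ACL or xattr support.

```shell
#!/bin/sh
# Added example: show what rsync removes from the backup side when a
# directory no longer exists on the source, under different delete/exclude
# options. Prints "stale=<kept|gone> wuala=<kept|gone>".
rsync_delete_case() {   # "$@" = delete/exclude options to test
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/docs" "$work/dst/docs" "$work/dst/WualaDrive"
    echo current > "$work/src/docs/keep.txt"
    echo old > "$work/dst/docs/stale.txt"      # deleted on the source earlier
    echo old > "$work/dst/WualaDrive/old.bin"  # exists only in the backup
    rsync -a "$@" "$work/src/" "$work/dst" || { rm -rf "$work"; return 1; }
    [ -e "$work/dst/docs/stale.txt" ] && stale=kept || stale=gone
    [ -e "$work/dst/WualaDrive/old.bin" ] && wuala=kept || wuala=gone
    rm -rf "$work"
    echo "stale=$stale wuala=$wuala"
}

if command -v rsync >/dev/null 2>&1; then
    # Not on the exclude list: removed because it is gone from the source.
    rsync_delete_case --delete
    # Excluded with plain --delete: the backup copy is protected.
    rsync_delete_case --delete --exclude='WualaDrive/'
    # Excluded with --delete-excluded: removed from the backup again.
    rsync_delete_case --delete-excluded --exclude='WualaDrive/'
fi
```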
