
#1 2012-12-30 19:23:54

Divinorum
Member
Registered: 2011-08-16
Posts: 44

dm-crypt with LUKS and systemd changes

I am planning on setting up an FSE using dm-crypt with LUKS and have just completed the secure wipe process using frandom. To avoid major pitfalls with the next step and confusion with outdated guides, I was wondering if anyone can shed some light on dm-crypt with LUKS in regard to changes from systemd.

Specifically, I am looking to partition using LVM and have a key-file. This is more complex than using standard partitions and a password-only setup.

Reading the discussion on the ArchWiki page for dm-crypt with LUKS, it states at the bottom:

systemd requires lvm-on-cryptdevice.service active in order to open LVMs on cryptdevices that are not the root partition (which is handled by the initrd). 

What does this mean in the scope of my desired setup and are there any more major changes on the dm-crypt process brought about by systemd? Thank you for the support.


#2 2012-12-30 19:31:10

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: dm-crypt with LUKS and systemd changes

Why would that affect an FSE setup?


CLI Paste | How To Ask Questions

Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L


#3 2012-12-30 20:01:40

Divinorum
Member
Registered: 2011-08-16
Posts: 44

Re: dm-crypt with LUKS and systemd changes

That is why I ask, as I do not know why (or if) the systemd changes and the removal of AIF have changed the overall process. The top of the guide reads:

This article or section is out of date.
Reason: As of the 2012.07.15 installation media release, AIF (the Arch Installation Framework) is no longer included but instead Arch Install Scripts are provided to aid in the installation process. A lot of content still has to get updated all over this page. Many external links are old so that they may not include all noticeable changes in Arch Linux configs. Just keep that in mind while reading.

If the process isn't changed by this, then I guess I have nothing to worry about. I just wanted to be sure before I jumped in and risked screwing up the process and potentially having to perform another secure wipe to get a perfectly zeroed-out drive.


#4 2012-12-30 20:33:35

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: dm-crypt with LUKS and systemd changes

Two things: the part of the wiki you quoted said it applied only if root was not encrypted which won't be the case if you want FSE.

Second, although it does say that, large parts of the guide have actually been updated. If you read through it, you will find "Prepare hard drive for Arch Install Scripts", for example, which obviously refers to the new installation method.

You could also search the forums as there was a post about this very recently and some very detailed, precise instructions were included in that thread.

If you have specific questions about setting it up or installing the system, post those questions. You will need to give more information about the setup you want to use though. For example, do you want LVM-on-LUKS or LUKS-on-LVM? Will /boot be an unencrypted partition on the same disk? Do you need an EFI partition? Etc.



#5 2012-12-31 04:18:45

Divinorum
Member
Registered: 2011-08-16
Posts: 44

Re: dm-crypt with LUKS and systemd changes

Thanks for the help so far. I decided against using a keyfile and tailored a set of instructions for my goal (LVM on LUKS, passphrase, non-EFI). Is this procedure correct?

Partitioning

# cfdisk 

          -sda1   -   Boot   -   Primary   -    Linux   -   200 (MB)
          -sda2   -             -   Primary   -    Linux   -

Load the encryption module

# modprobe dm-mod

Configuring LUKS and formatting partitions with a passphrase

Format LUKS

# cryptsetup -h SHA512 -i 5000 -c aes-xts-plain -y -s 512 luksFormat /dev/sda2

Check results

# cryptsetup luksDump /dev/sda2

Unlocking/Mapping LUKS Partitions with the Device Mapper

# cryptsetup luksOpen /dev/sda2 lvm

Initialize physical volume

# lvm pvcreate /dev/mapper/lvm

Create volume group

# lvm vgcreate vgroup /dev/mapper/lvm

Add logical volumes to volume group

# lvm lvcreate -L 20G -n root vgroup
# lvm lvcreate -l 100%FREE -n home vgroup

Make filesystems and mount partitions

# mkfs.ext4 /dev/mapper/vgroup-root
# mount /dev/mapper/vgroup-root /mnt
# mkfs.ext4 /dev/mapper/vgroup-home
# mkdir /mnt/home
# mount /dev/mapper/vgroup-home /mnt/home
# mkfs.ext2 /dev/sda1
# mkdir /mnt/boot
# mount /dev/sda1 /mnt/boot

Backup cryptheader

# cryptsetup luksHeaderBackup /dev/sda2 --header-backup-file /mnt/<backup>/<file>.img

Create an initial ramdisk environment

# nano /etc/mkinitcpio.conf

HOOKS="base udev autodetect block encrypt lvm2 filesystems shutdown"

# mkinitcpio -p linux

Syslinux

# pacman -S syslinux
# syslinux-install_update -i -a -m

Configure syslinux.cfg to point to the right root partition

# nano /boot/syslinux/syslinux.cfg

...
LABEL arch
        ...
        APPEND root=/dev/mapper/vgroup-root cryptdevice=/dev/sda2:vgroup ro
        ...

Last edited by Divinorum (2013-01-22 16:02:13)

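The procedure above, as an added rehearsal script that is not part of the original post: it walks the same LVM-on-LUKS steps on a file-backed loop device (the "practice on a USB stick" idea from later in the thread) so a mistake costs nothing, and it carries the two checks that bite people with this layout: the mapper name after the colon in cryptdevice= must be the name the physical volume was created under, and the mkinitcpio hooks must be ordered block, encrypt, lvm2, filesystems. IMG, CRYPT_NAME, VG and HDR are assumed names for the rehearsal; the luksFormat parameters follow the post, except that the IV mode is aes-xts-plain64 (the 32-bit IV of xts-plain wraps after 2 TiB). The device-touching part needs root and asks for the passphrase interactively; the helper functions run without either.

```sh
#!/bin/sh
# Added example, not from the thread. Rehearse the LVM-on-LUKS layout on a
# loop device before touching /dev/sda2. IMG, CRYPT_NAME, VG, HDR are assumed.
set -eu

IMG="${IMG:-/tmp/luks-rehearsal.img}"         # constructed disk image, not a real disk
CRYPT_NAME="${CRYPT_NAME:-lvm}"               # name given to luksOpen and to cryptdevice=
VG="${VG:-vgroup}"
HDR="${HDR:-/tmp/luks-rehearsal-header.img}"  # header backup written by the rehearsal

# The syslinux APPEND line for this layout. Whatever follows the colon in
# cryptdevice= becomes /dev/mapper/<name> in the initramfs; it must be the
# name the PV was created under, or the lvm2 hook finds no PV at boot.
append_line() {
    # $1 = encrypted partition, $2 = mapper name, $3 = volume group
    printf 'APPEND root=/dev/mapper/%s-root cryptdevice=%s:%s ro\n' "$3" "$1" "$2"
}

# mkinitcpio runs hooks in the order listed: block (disk drivers) before
# encrypt (unlock), encrypt before lvm2 (activate the VG), lvm2 before
# filesystems. Returns 0 only when all four are present and in that order.
hooks_ok() {
    prev=0
    for want in block encrypt lvm2 filesystems; do
        i=0; found=0
        for h in $1; do
            i=$((i + 1))
            if [ "$h" = "$want" ]; then found=$i; break; fi
        done
        [ "$found" -gt "$prev" ] || return 1
        prev=$found
    done
    return 0
}

# Walk the procedure end to end on the loop device. Needs root for losetup,
# device-mapper and LVM; cryptsetup prompts for the passphrase.
rehearse() {
    [ "$(id -u)" -eq 0 ] || { echo "rehearse: run as root" >&2; return 1; }
    truncate -s 512M "$IMG"
    loop=$(losetup --find --show "$IMG")
    cryptsetup -h sha512 -i 5000 -c aes-xts-plain64 -y -s 512 luksFormat "$loop"
    cryptsetup luksDump "$loop"
    cryptsetup luksOpen "$loop" "$CRYPT_NAME"
    pvcreate "/dev/mapper/$CRYPT_NAME"
    vgcreate "$VG" "/dev/mapper/$CRYPT_NAME"
    lvcreate -L 200M -n root "$VG"
    lvcreate -L 100M -n home "$VG"     # leave the rest unallocated for later
    mkfs.ext4 -q "/dev/mapper/$VG-root"
    mkfs.ext4 -q "/dev/mapper/$VG-home"
    # Back up the header, then prove the backup unlocks the data before trusting it.
    cryptsetup luksHeaderBackup "$loop" --header-backup-file "$HDR"
    cryptsetup luksOpen --test-passphrase --header "$HDR" "$loop"
    echo "bootloader line for this layout:"
    append_line "$loop" "$CRYPT_NAME" "$VG"
    # Tear down in reverse order.
    vgchange -an "$VG"
    cryptsetup luksClose "$CRYPT_NAME"
    losetup -d "$loop"
}

if [ "${1:-}" = "run" ]; then rehearse; fi
```

Run it as root with the argument "run" to do the rehearsal; without it the file only defines the helpers. Note that the post's own APPEND line names the mapper "vgroup" while its luksOpen step names it "lvm"; either works at boot as long as the same name is used consistently, which is exactly what append_line is there to make visible.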

#6 2012-12-31 12:17:57

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: dm-crypt with LUKS and systemd changes

Nice write-up. I have the following suggestions:
1. If it does not boot like this, then change your root device in syslinux (if you can in syslinux): APPEND root=/dev/mapper/vgroup-root cryptdevice=/dev/sda2:vgroup ro
2. It's modprobe dm-mod, dm-crypt is autoloaded
3. Enable the lvm-on-cryptdevice service you quote in your initial post (see systemd wiki)
4. Double-check the genfstab results during the installation to generate your fstab LVM mapper
5. Use the "block" module hook instead of pata, sata, scsi and add the "shutdown" hook at the end
6. Choose a good passphrase. You can add an easy one or a keyfile later.
7. If you intend to create a swap partition later, leave some space in the lvm right away. Using a swapfile in / works fine though.


#7 2012-12-31 17:14:51

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: dm-crypt with LUKS and systemd changes

I'm not sure you need to enable the service. My setup is similar (but with EFI) and I've never enabled this. I thought it was used when partitions other than root were encrypted, but that doesn't apply here: by the time the enabled services become relevant, the thing has to have been decrypted already.

I would not make home that big unless you need it. From what I read, it is less hassle to grow partitions later than to shrink them so I allocated basically what I needed for now and left the rest unallocated for later use.

Last edited by cfr (2012-12-31 17:16:15)



#8 2012-12-31 19:21:29

Divinorum
Member
Registered: 2011-08-16
Posts: 44

Re: dm-crypt with LUKS and systemd changes

Strike0 wrote:

Nice write-up. I have the following suggestions:
1. If it does not boot like this, then change your root device in syslinux (if you can in syslinux): APPEND root=/dev/mapper/vgroup-root cryptdevice=/dev/sda2:vgroup ro
2. It's modprobe dm-mod, dm-crypt is autoloaded
3. Enable the lvm-on-cryptdevice service you quote in your initial post (see systemd wiki)
4. Double-check the genfstab results during the installation to generate your fstab LVM mapper
5. Use the "block" module hook instead of pata, sata, scsi and add the "shutdown" hook at the end
6. Choose a good passphrase. You can add an easy one or a keyfile later.
7. If you intend to create a swap partition later, leave some space in the lvm right away. Using a swapfile in / works fine though.

Solid advice, much appreciated. I didn't know I could add a keyfile later, so that is a relief. I'll edit my post above according to your advice.

cfr wrote:

I would not make home that big unless you need it. From what I read, it is less hassle to grow partitions later than to shrink them so I allocated basically what I needed for now and left the rest unallocated for later use.

Also a great tip. I'll set it according to my needs and leave a chunk for swap, tmp, var, or whatever I choose to use it for in the future. With specs like 8GB RAM, a quad-core processor, etc., is it really necessary to have swap?


#9 2012-12-31 19:31:17

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: dm-crypt with LUKS and systemd changes

The usual advice is that swap is not necessary with that much RAM. I have 8G and I have a swap partition within the LVM, though. I keep it in case I want to hibernate to disk. (It is possible to use a swap file but it seems more straightforward with a partition.) If I was short of disk space, I would get rid of it.

That said, my swap sometimes does get used just as VM although I can't really imagine why.



#10 2013-01-02 01:53:37

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: dm-crypt with LUKS and systemd changes

Looks good to me.

But I would specify the hash to use for the passwords. The default is SHA1, which is broken.
Use SHA512 or Whirlpool. I really wish LUKS supported bcrypt, but I would use Whirlpool simply because there is a chance that the attacker may not have an ASIC or FPGA setup for Whirlpool. However, Whirlpool is designed to be easy to implement in hardware just like SHA, so... maybe just go with SHA512 because many more eyeballs have been looking at it.

SHA, MD5 and Whirlpool are all designed to be used for data integrity checking, not password storage. bcrypt is designed for password storage.

Also, I would set the --iter-time higher, like 5 seconds. The default is to spend 1 second.

I am not super sure how this works, but I would guess that when you first make a passphrase it hashes the hash over and over until 1 second is up, then sets in stone however many iterations that was. So, if an attacker got your header and has 1,000 GPU cores or an ASIC or FPGA, the attacker could do that in much less time.

# cryptsetup -h Whirlpool -i 5000 -c aes-xts-plain -y -s 512 luksFormat /dev/sda2

Ya, I have never needed to enable lvm-on-crypt

Also, don't worry about a keyfile just yet. First get it working with a passphrase. You can add a keyfile later. LUKS allows for 8 keys. You can change/remove/add them as you like. However, I would suggest encrypting a USB stick and practising with that.

Also, I keep a backup of my LUKS header on an encrypted SD card.

Last edited by hunterthomson (2013-01-02 02:07:48)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

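The header settings discussed in the post above (hash spec and per-slot PBKDF2 iteration count, plus the "8 keys" point), as an added audit script that is not part of the thread: it reads `cryptsetup luksDump` output and reports the hash spec, any key slot whose iteration count falls below a threshold you choose, the xts-plain versus xts-plain64 IV mode, and how many of the eight LUKS1 key slots are enabled, since every enabled slot unlocks the disk on its own. The sample dump embedded in sample_dump is constructed for this example and is not from a real device; the 500000 threshold is an assumed policy, not a cryptsetup default. LUKS1 field names are assumed, as in the thread; a LUKS2 dump is only flagged, not audited.

```sh
#!/bin/sh
# Added example, not from the thread. Audit LUKS1 header settings from
# `cryptsetup luksDump` output. sample_dump is constructed data.
set -eu

# Print one finding per line for the luksDump text on stdin; exit 1 if any.
# $1 = minimum acceptable PBKDF2 iterations per key slot (assumed policy).
audit_luks_dump() {
    awk -v min_iter="${1:-500000}" '
    /^Version:/     { ver = $2 }
    /^Cipher mode:/ { mode = $3 }
    /^Hash spec:/   { hash = $3 }
    /^Key Slot [0-7]: ENABLED/  { slot = $3; sub(":", "", slot); enabled++ }
    /^Key Slot [0-7]: DISABLED/ { slot = "" }
    # Per-slot "Iterations:" lines are indented; the header-wide "MK iterations:" is not.
    /^[ \t]+Iterations:/ && slot != "" && ($2 + 0) < (min_iter + 0) {
        printf "slot %s: %s PBKDF2 iterations, below %s\n", slot, $2, min_iter; n++
    }
    END {
        if (ver == "2") { print "LUKS2 header: slot PBKDF fields differ, this audit covers LUKS1 only"; n++ }
        if (hash == "sha1") { print "hash spec sha1: header-wide in LUKS1, pass -h sha512 at luksFormat time"; n++ }
        if (mode == "xts-plain") { print "cipher mode xts-plain: IV wraps after 2 TiB, use xts-plain64"; n++ }
        if (enabled == 0) { print "no enabled key slots"; n++ }
        if (enabled > 1) { printf "%d key slots enabled: each unlocks the disk, luksKillSlot any you did not add\n", enabled; n++ }
        exit (n > 0)
    }'
}

# Constructed LUKS1 luksDump output carrying the weaknesses discussed in the
# thread: sha1, xts-plain, one slot with few iterations, two slots enabled.
sample_dump() {
    cat <<'EOF'
LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha1
Payload offset: 4096
MK bits:        512
MK iterations:  38250

Key Slot 0: ENABLED
        Iterations:             153000
        Salt:                   (omitted)
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             1200000
        Salt:                   (omitted)
        Key material offset:    512
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
EOF
}

# Stand-alone demo on the constructed sample. For a real disk, source this
# file and run:  cryptsetup luksDump /dev/sda2 | audit_luks_dump 500000
sample_dump | audit_luks_dump 500000 || echo "=> weak header settings found"
```

The iteration count is the number an attacker who holds a copy of the header (or the header backup) must repeat per guess, so it, not the hash name, is what a longer --iter-time buys; the audit reads it per slot because a slot added later on a faster or slower machine gets its own count.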

#11 2013-01-02 02:32:13

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,130

Re: dm-crypt with LUKS and systemd changes

You can also encrypt the header with e.g. gpg and keep it somewhere. I keep mine in the cloud (wuala). I figure that is probably good enough.



#12 2013-02-08 12:34:28

Gat
Member
Registered: 2012-06-06
Posts: 16

Re: dm-crypt with LUKS and systemd changes

Hi, just wanted to say thanks. I just finished installing encrypted Arch and this post has helped a lot.

