
#1 2016-03-12 01:59:15

kete
Member
Registered: 2015-01-01
Posts: 36

[SOLVED] Encrypting RAID1 /home partition

Hello,
I have a functional RAID1 /home partition, but I want to encrypt it.
I'm thinking about using dm-crypt after unmounting the /home partition.
Would I succeed if I follow the wiki?
(Dm-crypt/Encrypting_a_non-root_file_system#Partition)

Last edited by kete (2016-03-21 02:13:37)


#2 2016-03-12 03:40:17

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: [SOLVED] Encrypting RAID1 /home partition

Not a Sysadmin issue, moving to NC...


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#3 2016-03-12 11:58:42

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

Re: [SOLVED] Encrypting RAID1 /home partition

It's been a while, but encrypting a partition (RAID or single) will be destructive, so you will need to do it from a live CD after you BACKUP the data on it, then copy it back once encrypted.  You will also need to link decryption to your display manager.


CPU-optimized Linux-ck packages @ Repo-ck  •  AUR packages  •  Zsh and other configs

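The step graysky describes (unmount, back up, format the array as LUKS, restore) is the one place in this thread where a mistake costs the data, so here is an added example, not from the thread or the wiki, that fences that step with the two checks that matter: the array must not be mounted, and a non-empty backup must exist before luksFormat runs. The device /dev/md0, the mapper name "home" and the backup path in the usage line are assumptions; the test exercises only the refusal logic on files in a temporary directory.

```shell
#!/bin/bash
# Added example, not from the thread: the destructive step with guard rails.
# Run as root from a live system once /home is unmounted and backed up:
#
#   ./encrypt-home.sh /dev/md0 home /mnt/backup/home
#
# /dev/md0, the mapper name "home" and the backup path are assumptions for the usage line.
# luksFormat destroys whatever the array holds, so nothing runs until the array is not
# mounted and the backup directory is present and non-empty.

# is_mounted DEVICE: succeed if DEVICE (resolved through symlinks such as /dev/md/home)
# appears as a mount source in /proc/mounts.
is_mounted() {
    d=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    awk -v d="$d" '$1 == d { found = 1 } END { exit !found }' /proc/mounts 2>/dev/null
}

# backup_ok DIR: succeed only if DIR exists and holds at least one entry (dotfiles count).
backup_ok() {
    [ -d "$1" ] && [ -n "$(ls -A "$1")" ]
}

# preflight DEVICE BACKUP_DIR: print "ok", or the first reason to refuse (and return 1).
preflight() {
    if [ ! -e "$1" ]; then echo "refuse: $1 does not exist"; return 1; fi
    if is_mounted "$1"; then echo "refuse: $1 is mounted; unmount it first (boot a live CD if it is /home)"; return 1; fi
    if ! backup_ok "$2"; then echo "refuse: backup dir $2 is missing or empty; back up first"; return 1; fi
    echo ok
}

# encrypt_and_restore DEVICE NAME BACKUP_DIR
# Format the array as a LUKS container, open it, put a filesystem on the mapped device,
# copy the backup back in, then close everything and print the UUID to use in crypttab.
encrypt_and_restore() {
    dev=$1; name=$2; backup=$3
    preflight "$dev" "$backup" || return 1
    cryptsetup luksFormat "$dev" || return 1          # asks for YES and the new passphrase
    cryptsetup open "$dev" "$name" || return 1        # asks for it again; creates /dev/mapper/NAME
    mkfs.ext4 "/dev/mapper/$name" || return 1
    mkdir -p "/mnt/$name" && mount "/dev/mapper/$name" "/mnt/$name" || return 1
    cp -a "$backup/." "/mnt/$name/" || return 1       # -a keeps ownership and modes of the home dirs
    umount "/mnt/$name" && cryptsetup close "$name" || return 1
    echo "crypttab device: UUID=$(cryptsetup luksUUID "$dev")"
}

if [ "$#" -eq 3 ]; then
    encrypt_and_restore "$@"
fi
```

The UUID printed at the end is the LUKS header UUID, not the filesystem UUID, and is the value to put in /etc/crypttab so the entry still matches when the md device is numbered differently on another boot.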

#4 2016-03-12 12:58:06

kete
Member
Registered: 2015-01-01
Posts: 36

Re: [SOLVED] Encrypting RAID1 /home partition

I can't find wiki instructions to "link decryption to your display manager".

PS—I think I found instructions: Dm-crypt/Encrypting_an_entire_system#LUKS_on_software_RAID

Last edited by kete (2016-03-12 13:21:01)


#5 2016-03-14 03:31:26

kete
Member
Registered: 2015-01-01
Posts: 36

Re: [SOLVED] Encrypting RAID1 /home partition

Hello, I tried these instructions without success.
I didn't have any luck with the login scripts, and it would ask for my passphrase after a reboot.
I wasn't sure what passphrase to use, so I made it the same as my login.
I decrypted the array and broke down the array to start over, but I read elsewhere on the wiki that stacking encryption on RAID "is the only choice for systems that need encrypted file systems to span multiple disks."


#6 2016-03-14 05:13:13

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: [SOLVED] Encrypting RAID1 /home partition

What does "without success" mean? That is not a helpful message: https://bbs.archlinux.org/viewtopic.php?id=57855

Also, I have read your post #5 several times and I am still none the clearer about what it is you are actually trying to do and have done (successfully or not).

Of course you will be prompted for a passphrase on boot: how else would the encrypted device be unlocked?

You probably should choose a passphrase that is significantly more complex than your user password: but ultimately it is your call in terms of risk vs convenience. Having them the same strikes me as pointless, though. Why bother encrypting at all if the key is the same as your login?



#7 2016-03-14 09:22:57

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595

Re: [SOLVED] Encrypting RAID1 /home partition

jasonwryan wrote:

Why bother encrypting at all if the key is the same as your login?

Some people do this in case they need to send their HDD back for a warranty replacement.  This way, there is no need to zero the drive prior to shipping it back.



#8 2016-03-14 13:02:40

kete
Member
Registered: 2015-01-01
Posts: 36

Re: [SOLVED] Encrypting RAID1 /home partition

jasonwryan wrote:

What does "without success" mean? That is not a helpful message: https://bbs.archlinux.org/viewtopic.php?id=57855

Also, I have read your post #5 several times and I am still none the clearer about what it is you are actually trying to do and have done (successfully or not).

Of course you will be prompted for a passphrase on boot: how else would the encrypted device be unlocked?

You probably should choose a passphrase that is significantly more complex than your user password: but ultimately it is your call in terms of risk vs convenience. Having them the same strikes me as pointless, though. Why bother encrypting at all if the key is the same as your login?

Thanks, I tried to explain from memory what "without success" meant. A logon script wouldn't work when I logged in, and the encrypted RAID partition wasn't mounted. I changed some configuration(s), and another logon script wouldn't work. The shell told me the specific logon script. In each case, it was the secure mount or umount. I would be logged in with only a .bash_history file.

I could configure the RAID and LUKS, again, and tell more details, but I wanted some advice beforehand if possible. I guess so few people use mirroring and encryption that it isn't supported or hasn't been documented lately.

I am trying to make my home partition a RAID-1 redundant mirror for automatic backups, and I am trying to encrypt it to protect any kind of sensitive info. I am trying to unlock the encrypted part at login as suggested on the Disk encryption page in the Choosing a setup section.

One of my questions is what to make the passphrase, and another is how would the Mounting at login scripts unlock another passphrase using my credentials? The page really doesn't answer either question.

I would think that encryption would protect in case of hooking the hard drive(s) up to another computer. If a thief could assemble the RAID (which might be trivial), then the info would still be encrypted unless they could guess my passphrase. If it was unencrypted, then they wouldn't need my credentials to access the files.


#9 2016-03-14 14:56:11

kete
Member
Registered: 2015-01-01
Posts: 36

Re: [SOLVED] Encrypting RAID1 /home partition

Ok, I read your link, and I checked the log files (journalctl); and it said

Mar 12 20:33:16 lbrbtprbl dbus[302]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service'
Mar 12 20:33:16 lbrbtprbl systemd[1]: Starting Authorization Manager...
Mar 12 20:33:16 lbrbtprbl polkitd[1550]: Started polkitd version 0.113
Mar 12 20:33:16 lbrbtprbl polkitd[1550]: Loading rules from directory /etc/polkit-1/rules.d
Mar 12 20:33:16 lbrbtprbl polkitd[1550]: Loading rules from directory /usr/share/polkit-1/rules.d
Mar 12 20:33:16 lbrbtprbl polkitd[1550]: Finished loading, compiling and executing 1 rules
Mar 12 20:33:16 lbrbtprbl dbus[302]: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
Mar 12 20:33:16 lbrbtprbl systemd[1]: Started Authorization Manager.
Mar 12 20:33:16 lbrbtprbl polkitd[1550]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Mar 12 20:33:16 lbrbtprbl polkitd[1550]: Registered Authentication Agent for unix-process:1546:9254276 (system bus name :1.5 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/Polic
Mar 12 20:33:16 lbrbtprbl systemd[1]: Reloading.
Mar 12 20:33:16 lbrbtprbl polkitd[1550]: Unregistered Authentication Agent for unix-process:1546:9254276 (system bus name :1.5, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8
Mar 12 20:33:58 lbrbtprbl systemd[1]: Started Getty on tty2.
Mar 12 20:34:24 lbrbtprbl login[1584]: pam_exec(login:auth): execve(/usr/local/bin/savepass,...) failed: Permission denied
Mar 12 20:34:24 lbrbtprbl login[1569]: pam_exec(login:auth): /usr/local/bin/savepass failed: exit code 13
Mar 12 20:34:24 lbrbtprbl login[1569]: pam_unix(login:session): session opened for user kete by LOGIN(uid=0)
Mar 12 20:34:24 lbrbtprbl systemd[1]: Created slice User Slice of kete.
Mar 12 20:34:24 lbrbtprbl systemd[1]: Starting User Manager for UID 1000...
Mar 12 20:34:24 lbrbtprbl systemd[1]: Started Session c2 of user kete.
Mar 12 20:34:24 lbrbtprbl systemd-logind[301]: New session c2 of user kete.
Mar 12 20:34:24 lbrbtprbl systemd[1585]: pam_unix(systemd-user:session): session opened for user kete by (uid=0)
Mar 12 20:34:24 lbrbtprbl systemd[1585]: Reached target Paths.
Mar 12 20:34:24 lbrbtprbl systemd[1585]: Starting D-Bus User Message Bus Socket.
Mar 12 20:34:24 lbrbtprbl login[1569]: LOGIN ON tty2 BY kete
Mar 12 20:34:24 lbrbtprbl systemd[1585]: Reached target Timers.
Mar 12 20:34:24 lbrbtprbl systemd[1585]: Listening on D-Bus User Message Bus Socket.
Mar 12 20:34:24 lbrbtprbl systemd[1585]: Reached target Sockets.
Mar 12 20:34:24 lbrbtprbl systemd[1585]: Reached target Basic System.
Mar 12 20:34:24 lbrbtprbl systemd[1585]: Reached target Default.
Mar 12 20:34:24 lbrbtprbl systemd[1585]: Startup finished in 14ms.
Mar 12 20:34:24 lbrbtprbl systemd[1]: Started User Manager for UID 1000.
Mar 12 20:34:43 lbrbtprbl login[1569]: pam_unix(login:session): session closed for user kete
Mar 12 20:34:43 lbrbtprbl systemd[1]: getty@tty2.service: Service has no hold-off time, scheduling restart.
Mar 12 20:34:43 lbrbtprbl systemd[1]: Stopped Getty on tty2.
Mar 12 20:34:43 lbrbtprbl systemd[1]: Started Getty on tty2.
Mar 12 20:34:43 lbrbtprbl systemd-logind[301]: Removed session c2.
Mar 12 20:34:43 lbrbtprbl systemd[1]: Stopping User Manager for UID 1000...
Mar 12 20:34:43 lbrbtprbl systemd[1585]: Stopped target Default.
Mar 12 20:34:43 lbrbtprbl systemd[1585]: Stopped target Basic System.
Mar 12 20:34:43 lbrbtprbl systemd[1585]: Stopped target Timers.
Mar 12 20:34:43 lbrbtprbl systemd[1585]: Stopped target Sockets.
Mar 12 20:34:43 lbrbtprbl systemd[1585]: Closed D-Bus User Message Bus Socket.
Mar 12 20:34:43 lbrbtprbl systemd[1585]: Reached target Shutdown.
Mar 12 20:34:43 lbrbtprbl systemd[1585]: Starting Exit the Session...
Mar 12 20:34:43 lbrbtprbl systemd[1585]: Stopped target Paths.
Mar 12 20:34:43 lbrbtprbl systemd[1585]: Received SIGRTMIN+24 from PID 1602 (kill).
Mar 12 20:34:43 lbrbtprbl systemd[1589]: pam_unix(systemd-user:session): session closed for user kete
Mar 12 20:34:43 lbrbtprbl systemd[1]: Stopped User Manager for UID 1000.
Mar 12 20:34:43 lbrbtprbl systemd[1]: Removed slice User Slice of kete.
Mar 12 20:37:05 lbrbtprbl polkitd[1550]: Registered Authentication Agent for unix-process:1610:9277170 (system bus name :1.9 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/Polic
Mar 12 20:37:05 lbrbtprbl systemd[1]: Created slice system-homedir.slice.
Mar 12 20:37:05 lbrbtprbl systemd[1]: Created slice user-kete.slice.
Mar 12 20:37:05 lbrbtprbl systemd[1]: Starting Home Directory for kete...
Mar 12 20:37:05 lbrbtprbl systemd[1616]: homedir@kete.service: Failed at step EXEC spawning /usr/local/bin/securemount: Permission denied
Mar 12 20:37:05 lbrbtprbl systemd[1]: homedir@kete.service: Main process exited, code=exited, status=203/EXEC
Mar 12 20:37:05 lbrbtprbl systemd[1]: Failed to start Home Directory for kete.
Mar 12 20:37:05 lbrbtprbl systemd[1]: Dependency failed for User Manager for UID kete.
Mar 12 20:37:05 lbrbtprbl systemd[1]: user@kete.service: Job user@kete.service/start failed with result 'dependency'.
Mar 12 20:37:05 lbrbtprbl systemd[1]: homedir@kete.service: Unit entered failed state.
Mar 12 20:37:05 lbrbtprbl systemd[1]: homedir@kete.service: Failed with result 'exit-code'.
Mar 12 20:37:05 lbrbtprbl polkitd[1550]: Unregistered Authentication Agent for unix-process:1610:9277170 (system bus name :1.9, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8
Mar 12 20:43:33 lbrbtprbl polkitd[1550]: Registered Authentication Agent for unix-process:1629:9315956 (system bus name :1.10 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/Poli
Mar 12 20:43:41 lbrbtprbl polkitd[1550]: Unregistered Authentication Agent for unix-process:1629:9315956 (system bus name :1.10, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-
Mar 12 20:44:00 lbrbtprbl polkitd[1550]: Registered Authentication Agent for unix-process:1635:9318748 (system bus name :1.11 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/Poli
Mar 12 20:44:00 lbrbtprbl systemd[1]: Reloading.
Mar 12 20:44:00 lbrbtprbl polkitd[1550]: Unregistered Authentication Agent for unix-process:1635:9318748 (system bus name :1.11, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-
Mar 12 20:44:01 lbrbtprbl systemd[1650]: homedir@kete.service: Failed at step EXEC spawning /usr/local/bin/securemount: Permission denied
Mar 12 20:44:01 lbrbtprbl systemd[1]: Starting Home Directory for kete...
Mar 12 20:44:01 lbrbtprbl systemd[1]: homedir@kete.service: Main process exited, code=exited, status=203/EXEC
Mar 12 20:44:01 lbrbtprbl systemd[1]: Failed to start Home Directory for kete.
Mar 12 20:44:01 lbrbtprbl systemd[1]: Dependency failed for User Manager for UID kete.
Mar 12 20:44:01 lbrbtprbl systemd[1]: user@kete.service: Job user@kete.service/start failed with result 'dependency'.
Mar 12 20:44:01 lbrbtprbl systemd[1]: homedir@kete.service: Unit entered failed state.
Mar 12 20:44:01 lbrbtprbl systemd[1]: homedir@kete.service: Failed with result 'exit-code'.
Mar 12 20:44:04 lbrbtprbl polkitd[1550]: Registered Authentication Agent for unix-process:1654:9319054 (system bus name :1.12 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/Poli
Mar 12 20:44:04 lbrbtprbl systemd[1]: Starting Home Directory for kete...
Mar 12 20:44:04 lbrbtprbl systemd[1660]: homedir@kete.service: Failed at step EXEC spawning /usr/local/bin/securemount: Permission denied
Mar 12 20:44:04 lbrbtprbl systemd[1]: homedir@kete.service: Main process exited, code=exited, status=203/EXEC
Mar 12 20:44:04 lbrbtprbl systemd[1]: Failed to start Home Directory for kete.
Mar 12 20:44:04 lbrbtprbl systemd[1]: Dependency failed for User Manager for UID kete.
Mar 12 20:44:04 lbrbtprbl systemd[1]: user@kete.service: Job user@kete.service/start failed with result 'dependency'.
Mar 12 20:44:04 lbrbtprbl systemd[1]: homedir@kete.service: Unit entered failed state.
Mar 12 20:44:04 lbrbtprbl systemd[1]: homedir@kete.service: Failed with result 'exit-code'.
Mar 12 20:44:04 lbrbtprbl polkitd[1550]: Unregistered Authentication Agent for unix-process:1654:9319054 (system bus name :1.12, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-
Mar 12 20:45:03 lbrbtprbl systemd[1]: dev-disk-by\x2duuid-1f73c60d\x2d29ea\x2d4f9b\x2d9e9e\x2ddaecd17955df.device: Job dev-disk-by\x2duuid-1f73c60d\x2d29ea\x2d4f9b\x2d9e9e\x2ddaecd17955df.device/start timed
Mar 12 20:45:03 lbrbtprbl systemd[1]: Timed out waiting for device dev-disk-by\x2duuid-1f73c60d\x2d29ea\x2d4f9b\x2d9e9e\x2ddaecd17955df.device.
Mar 12 20:45:03 lbrbtprbl systemd[1]: dev-disk-by\x2duuid-1f73c60d\x2d29ea\x2d4f9b\x2d9e9e\x2ddaecd17955df.device: Job dev-disk-by\x2duuid-1f73c60d\x2d29ea\x2d4f9b\x2d9e9e\x2ddaecd17955df.device/start failed
Mar 12 20:46:33 lbrbtprbl login[1667]: pam_exec(login:auth): execve(/usr/local/bin/savepass,...) failed: Permission denied
Mar 12 20:46:33 lbrbtprbl login[1601]: pam_exec(login:auth): /usr/local/bin/savepass failed: exit code 13

I have mdadm 3.4-1 and cryptsetup 1.7.1-1 installed.
Anyway, I see the problem may be I put homedir@123.service in the system subfolder when it was just supposed to be in systemd. I'll try, again.
Wait, no, that's not right. That's a typo in the mounting scripts wiki page.

PS—I guess I need to make these executable by root/everyone. (Hur)

sh-4.3# ls -l /usr/local/bin
total 20
-rw-r--r-- 1 root root  58 Mar 12  2016 savepass
-rw-r--r-- 1 root root 316 Mar 12  2016 securemount
-rw-r--r-- 1 root root 316 Mar 12  2016 securemount~
-rw-r--r-- 1 root root 158 Mar 12  2016 secureumount
-rw-r--r-- 1 root root 158 Mar 12  2016 secureumount~

Last edited by kete (2016-03-14 15:34:58)

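The journal above contains two different components failing the same way: pam_exec cannot execve /usr/local/bin/savepass and systemd cannot spawn /usr/local/bin/securemount, both with "Permission denied" (systemd also records status=203/EXEC), and the ls -l listing explains why, since every script is mode 644. The following is an added example, not code from the thread or the wiki, that extracts the failing paths from journal text and diagnoses each one. The journal excerpt inside it is constructed to match the shape of the posted lines (hostname and PIDs are made up), and the files the test checks are created in a temporary directory.

```shell
#!/bin/bash
# Added example, not from the thread: pull the programs that failed to exec out of a journal
# excerpt, then diagnose each path the way the ls -l listing does by hand.
# SAMPLE_JOURNAL is constructed to match the shape of the posted lines; hostname and PIDs
# are made up.

SAMPLE_JOURNAL='Mar 12 20:34:24 host login[1584]: pam_exec(login:auth): execve(/usr/local/bin/savepass,...) failed: Permission denied
Mar 12 20:34:24 host login[1569]: pam_exec(login:auth): /usr/local/bin/savepass failed: exit code 13
Mar 12 20:37:05 host systemd[1616]: homedir@kete.service: Failed at step EXEC spawning /usr/local/bin/securemount: Permission denied
Mar 12 20:37:05 host systemd[1]: homedir@kete.service: Main process exited, code=exited, status=203/EXEC
Mar 12 20:37:05 host systemd[1]: Started Getty on tty2.'

# exec_failures JOURNAL_TEXT
# Print, one per line, every path the kernel refused to execute. pam_exec logs it as
# "execve(PATH,...) failed: Permission denied" (its "exit code 13" line is the same error,
# EACCES, reported by the child); systemd logs "Failed at step EXEC spawning PATH:
# Permission denied" followed by status=203/EXEC.
exec_failures() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.*pam_exec([^)]*): execve(\([^,]*\),\.\.\.) failed: Permission denied.*/\1/p' \
        -e 's/.*Failed at step EXEC spawning \([^:]*\): Permission denied.*/\1/p' | sort -u
}

# diag_script PATH: print why execve of PATH would fail, or "ok". A 644 file gives
# not-executable; an executable file without a #! line gives no-shebang (systemd and
# pam_exec exec the file directly, so nothing falls back to "sh PATH" for them).
diag_script() {
    p=$1
    if [ ! -e "$p" ]; then echo missing; return 1; fi
    if [ ! -x "$p" ]; then echo not-executable; return 1; fi
    if [ "$(head -c 2 "$p")" != '#!' ]; then echo no-shebang; return 1; fi
    echo ok
}

# stray_backups DIR: editor backup copies (trailing ~) left next to the scripts. They are
# readable by everyone, like the originals, and one of these scripts handles the login password.
stray_backups() {
    find "$1" -maxdepth 1 -name '*~' -print | sort
}

# Stand-alone use: ./check-exec.sh JOURNAL_FILE  (for example the output of journalctl -b)
if [ "$#" -ge 1 ]; then
    for path in $(exec_failures "$(cat "$1")"); do
        printf '%s: %s\n' "$path" "$(diag_script "$path")"
    done
    stray_backups /usr/local/bin
fi
```

Fixing the mode (chmod 755) is the cure for the lines in the journal; removing the securemount~ and secureumount~ copies is the part worth doing at the same time, because a world-readable spare copy of a script that stores the login password is one more thing to audit.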

#10 2016-03-14 19:38:10

piratebill
Member
From: Sol System
Registered: 2011-10-20
Posts: 133

Re: [SOLVED] Encrypting RAID1 /home partition

Why not just mount the RAID by putting encrypt in your mkinitcpio.conf and using fstab? What's the point of a separate script? I think you are making this a lot more complicated than it is.

Last edited by piratebill (2016-03-14 19:39:34)


#11 2016-03-21 02:20:33

kete
Member
Registered: 2015-01-01
Posts: 36

Re: [SOLVED] Encrypting RAID1 /home partition

What I did was set up RAID1 first, then encrypt the RAID array, and configure /etc/crypttab to prompt for the passphrase at boot, so my user's home directory partition mounts afterward, not when I login, because the RAID was just too complicated for that and systemd.

Last edited by kete (2016-03-21 02:20:53)

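The working setup in the last post, and the one piratebill suggests, comes down to two lines: an /etc/crypttab entry that makes systemd ask for the passphrase at boot and create /dev/mapper/NAME, and an /etc/fstab entry that mounts that mapped device on /home. The following is an added example, not from the thread or the wiki, that generates that pair and cross-checks an existing pair for the mistakes that silently break it (fstab naming a mapper device crypttab never creates, crypttab pointing at /dev/md0 instead of the LUKS UUID, which can renumber between boots). The mapper name "home", the UUID and the sample table contents are constructed for illustration.

```shell
#!/bin/bash
# Added example, not from the thread: produce and sanity-check the /etc/crypttab and
# /etc/fstab lines for an encrypted /home on a RAID1 array that unlocks at boot.
# The mapper name "home", the UUID and the sample tables in the test are constructed.

# gen_entries NAME LUKS_UUID MOUNTPOINT FSTYPE
# crypttab fields: <name> <device> <keyfile> <options>. "none" as keyfile means systemd
# prompts for the passphrase at boot; UUID= is the LUKS header UUID (cryptsetup luksUUID
# DEVICE), which stays the same however the md device is numbered on a given boot.
gen_entries() {
    printf 'crypttab: %s UUID=%s none luks\n' "$1" "$2"
    # fstab must name the mapped device, never the md device or the partition underneath it
    printf 'fstab: /dev/mapper/%s %s %s defaults 0 2\n' "$1" "$3" "$4"
}

# check_tabs CRYPTTAB_TEXT FSTAB_TEXT
# For each fstab entry on /dev/mapper/NAME: require a crypttab entry NAME, require its
# device to be UUID=, and warn when a keyfile replaces the passphrase prompt (a keyfile on
# an unencrypted root filesystem leaves the data readable to anyone holding the disks).
# Prints one PROBLEM/WARN line per finding; returns 1 if any PROBLEM was found.
check_tabs() {
    crypttab=$1; fstab=$2; rc=0
    while read -r dev mnt rest; do
        case $dev in
            /dev/mapper/*) ;;
            *) continue ;;          # comments, blank lines, unencrypted mounts
        esac
        name=${dev#/dev/mapper/}
        entry=$(printf '%s\n' "$crypttab" | awk -v n="$name" '$1 == n { print; exit }')
        if [ -z "$entry" ]; then
            echo "PROBLEM: $mnt is on $dev but crypttab has no entry named '$name'"
            rc=1
            continue
        fi
        # shellcheck disable=SC2086  # deliberate word splitting: $1=name $2=device $3=keyfile $4=options
        set -- $entry
        case $2 in
            UUID=*) ;;
            *) echo "PROBLEM: crypttab entry '$name' uses '$2'; use UUID=<luks uuid> so a renumbered md device still matches"; rc=1 ;;
        esac
        if [ "$3" != "none" ]; then
            echo "WARN: '$name' is unlocked with keyfile $3; that only protects the data if the filesystem holding the keyfile is itself encrypted"
        fi
    done <<EOF
$fstab
EOF
    return $rc
}

# Stand-alone use: ./check-tabs.sh  (reads the live /etc/crypttab and /etc/fstab)
if [ "$#" -eq 0 ] && [ -r /etc/crypttab ] && [ -r /etc/fstab ] && [ -t 0 ]; then
    check_tabs "$(cat /etc/crypttab)" "$(cat /etc/fstab)" && echo "crypttab/fstab: ok"
fi
```

With the crypttab keyfile set to none, the passphrase typed at boot is independent of the login password, which answers the earlier question about what to make it: it is the LUKS passphrase, chosen separately, and nothing in this setup has to derive it from the user's credentials.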


Powered by FluxBB