
#1 2009-01-28 08:57:21

dammannj
Member
Registered: 2009-01-28
Posts: 44

Crypt non-root

Hi,

I would like to have a non-root partition and swap mounted on boot.
At the moment I do this via rc.local:

modprobe dm-crypt
modprobe aes-x86-64
cryptsetup -c aes-cbc-essiv:sha256 -h sha256 -s 256 -d /dev/urandom create swap /dev/md3
mkswap /dev/mapper/swap
swapon /dev/mapper/swap
cryptsetup luksOpen /dev/md4 data
mount /dev/mapper/data

Do I have to manually unmount/crypt remove those in rc.local.shutdown?

Is there a better option than rc.local?
I still want to be able to start the system, and then remotely login via ssh, which is why I don't use crypttab.

Thanks in advance
Julian


#2 2009-01-28 09:12:10

ndlarsen
Member
From: Denmark
Registered: 2005-11-02
Posts: 157

Re: Crypt non-root

Checked this wiki article?


I made it long
as I lacked the time to make it short...


#3 2009-01-28 09:38:42

dammannj
Member
Registered: 2009-01-28
Posts: 44

Re: Crypt non-root

Thanks, but yes - I have.

http://wiki.archlinux.org/index.php/Sys … _partition
I think that this does not apply to me, as this init hook would get executed before any daemons, right?
Which means, I could not boot remotely anymore.


#4 2009-01-28 09:40:11

zyghom
Member
From: Poland/currently Africa
Registered: 2006-05-11
Posts: 432
Website

Re: Crypt non-root

dammannj wrote:

I still want to be able to start the system, and then remotely login via ssh, which is why I don't use crypttab.
Julian

what has crypttab to do with remote login?


Zygfryd Homonto


#5 2009-01-28 09:58:46

dammannj
Member
Registered: 2009-01-28
Posts: 44

Re: Crypt non-root

As far as I know (please correct me if I'm wrong), crypttab is used only by /lib/initcpio/hooks/encrypt and /etc/rc.shutdown.
As hooks are executed *before* the ssh daemon is started (right?), one would be prompted for the passphrase, and as at that point I could only enter the password via the local keyboard, this prevents any further booting.

Last edited by dammannj (2009-01-28 09:59:53)


#6 2009-01-28 10:14:07

zyghom
Member
From: Poland/currently Africa
Registered: 2006-05-11
Posts: 432
Website

Re: Crypt non-root

yes, it is in /etc/rc.sysinit which is before daemons
but in such case only passphrase instead of prompt in /etc/crypttab
or your /etc/rc.local
but specially swap which is without password can be in /etc/crypttab


Zygfryd Homonto


#7 2009-01-28 10:23:15

dammannj
Member
Registered: 2009-01-28
Posts: 44

Re: Crypt non-root

Yes, I could add swap to crypttab.
But putting the passphrase for my encrypted volume in the crypttab on the unencrypted root would kind of nullify encrypting at all, right?

That's why I want to use rc.local for that.
As I understand things, I would have to put

umount /data
cryptsetup remove data

in /etc/rc.local.shutdown
Is that about right?


#8 2009-01-28 10:30:53

zyghom
Member
From: Poland/currently Africa
Registered: 2006-05-11
Posts: 432
Website

Re: Crypt non-root

actually, if you use /etc/rc.local and it asks for pass then it stops everything after, till you enter it
so, if you want to use encrypted i.e. /data, just don't do anything at all - let the system start without it, then ssh there and start it manually by means of script or whatever - using pass which you are going to enter from the keyboard
next reboot you will have to ssh there again - something for something - privacy or convenience


Zygfryd Homonto


#9 2009-01-28 10:35:57

dammannj
Member
Registered: 2009-01-28
Posts: 44

Re: Crypt non-root

Hmm...
I want convenience when I'm in front of the computer, and I want to start it via script when I am remote hehe

As rc.local gets executed last, it doesn't really matter to me if it doesn't finish, right?

But I'll try using something like a timeout, e.g. wait for confirmation; after the timeout expires, continue booting without setting up encrypted partitions.


#10 2009-01-28 16:49:07

kludge
Member
Registered: 2008-08-03
Posts: 294

Re: Crypt non-root

if you're worried about the encryption and mounting routines not exiting, put them in a script and then execute it in the background from rc.local with '&'.


[23:00:16]    dr_kludge | i want to invent an olfactory human-computer interface, integrate it into the web standards, then produce my own forked browser.
[23:00:32]    dr_kludge | can you guess what i'd call it?
[23:01:16]    dr_kludge | nosilla.
[23:01:32]    dr_kludge | i really should be going to bed.  i'm giggling madly about that.


#11 2009-01-28 18:51:11

Dieter@be
Forum Fellow
From: Belgium
Registered: 2006-11-05
Posts: 2,000
Website

Re: Crypt non-root

I like this thread.. interesting subject.

zyghom wrote:

yes, it is in /etc/rc.sysinit which is before daemons
but in such case only passphrase instead of prompt in /etc/crypttab
or your /etc/rc.local
but specially swap which is without password can be in /etc/crypttab

I've looked a bit around in /etc/rc.sysinit.
If i understand correctly, the initcpio takes care of encrypted *root* fs, while non-root encrypted volumes are taken care of through /etc/rc.sysinit?


< Daenyth> and he works prolifically
4 8 15 16 23 42


#12 2009-01-28 19:15:00

zyghom
Member
From: Poland/currently Africa
Registered: 2006-05-11
Posts: 432
Website

Re: Crypt non-root

of course
rc.sysinit is in /etc so it is available only after / is mounted - decrypted in case of root-encrypted file system
actually I have my /home encrypted but I really don't see any reason to encrypt / - there is no private data there
so IMHO /home encryption would be enough for me
in my case /home is 150GB and I don't see any influence on computer performance while using cryptsetup for such partition
ok, one only: full backup of /home takes time, specially that backup hdd is fully encrypted as well :-)


Zygfryd Homonto


#13 2009-01-30 13:46:02

dammannj
Member
Registered: 2009-01-28
Posts: 44

Re: Crypt non-root

In my opinion there are 2 reasons to encrypt the root filesystem.
1. protecting passwords used by e.g. daemons like ppp, vpn, or if you automate cryptsetup of other filesystems via crypttab (as described above, passphrase in crypttab)
2. Integrity: You can be quite sure that no one (without your / encryption key) has compromised your system. (yea, cold boot, etcetc...but the average attacker with physical access will not be able to tamper with any data on / )

I have now found a solution that satisfies me.
Reminder: I want to be prompted for the passphrase on system boot if I boot it locally, i.e. I have physical access to the machine via keyboard, and I don't want this to happen when I boot it remotely, i.e. my only access to the machine after boot is via ssh.

Yea, this violates KISS.

First, my setup:
I mount the encrypted partition as /data , and I have several daemons which depend on it being mounted.
The daemons that use this partition are nfs, (icecast), mpd.

I use a little "pseudo" daemon (as it has no executable of its own) for that (I'm not good at inventing names, I called it "data") which starts those daemons (instead of putting them in rc.conf they go in here).

#!/bin/bash

. /etc/rc.conf
. /etc/rc.d/functions

case "$1" in
  start)
    stat_busy "Starting data daemon"
    # killer.sh terminates this script after 5 seconds unless it is cancelled below
    /root/bin/killer.sh 5 $$ &
    echo -n "Enter to stop timeout"
    read
    # Enter was pressed in time: cancel the pending kill and continue
    if [ -f "/tmp/killer$$.pid" ]; then
        kill "$(cat /tmp/killer$$.pid)"
        rm /tmp/killer$$.pid
    fi
    cryptsetup luksOpen /dev/md4 data
    mount /dev/mapper/data
    # daemons that depend on /data, started here instead of from rc.conf
    /etc/rc.d/portmap start
    /etc/rc.d/nfslock start
    /etc/rc.d/nfsd start
    /etc/rc.d/icecast start
    /etc/rc.d/mpd start
    add_daemon data
    stat_done
    ;;
  stop)
    stat_busy "Stopping data daemon"
    # stop the dependent daemons first, then release the volume
    /etc/rc.d/mpd stop
    /etc/rc.d/icecast stop
    /etc/rc.d/nfsd stop
    /etc/rc.d/nfslock stop
    /etc/rc.d/portmap stop
    umount /data
    cryptsetup remove data
    rm_daemon data
    stat_done
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
esac

I use a little script killer.sh for the timeout:

#!/bin/bash
# Usage: killer.sh SECONDS PID
# Records its own pid so the caller can cancel it, then kills PID after SECONDS.
echo $$ > /tmp/killer$2.pid
sleep $1
kill $2

I don't write shell scripts often, and in fact am neither good at it nor have tried to really "learn" it.
Is there a simpler/better way to realize this timeout?

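A simpler way to get the same timeout is bash's built-in read -t, which needs no background killer process or pid file. This is an added example, not from the thread; it reuses the device, mount point and daemon list from the post above, and the function names are mine.

```shell
#!/bin/bash
# Added example: read -t replaces killer.sh, so nothing has to kill the rc.d script.
# Re-exec under bash if started via sh, because read -t is a bash feature.
[ -n "$BASH_VERSION" ] || exec bash "$0" "$@"

# Wait up to $1 seconds for someone at the console to press Enter.
# Returns 0 when Enter arrives in time (local boot: unlock /data now),
# 1 when the timer expires or stdin is closed (remote boot: leave /data locked).
wait_for_operator() {
    local timeout="$1" reply
    printf 'Press Enter within %ss to unlock /data (or just wait): ' "$timeout" >&2
    if read -r -t "$timeout" reply; then
        echo >&2
        return 0
    fi
    echo >&2
    return 1
}

# Turn the wait into a decision string so the policy can be checked on its own.
decide_unlock() {
    if wait_for_operator "$1"; then echo unlock; else echo skip; fi
}

# What the start) branch of the rc.d script becomes (same device, mount point
# and daemons as in the post). Only runs when the script is invoked with "start".
start_data() {
    case "$(decide_unlock 5)" in
        unlock)
            cryptsetup luksOpen /dev/md4 data && mount /dev/mapper/data || return 1
            for d in portmap nfslock nfsd icecast mpd; do /etc/rc.d/$d start; done
            ;;
        skip)
            echo "No operator at the console; /data stays locked, unlock it via ssh later." >&2
            ;;
    esac
}

if [ "${1:-}" = start ]; then start_data; fi
```

With stdin closed (no console, or a remote boot) the decision is "skip" immediately, so the rest of the boot is never held up.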

#14 2010-03-01 00:06:33

mykhal
Member
Registered: 2007-04-03
Posts: 35

Re: Crypt non-root

hi,
if you want to be asked for the password when mounting encrypted volumes during boot, but without having the system bootup blocked in case you're not sitting in front of the machine at the moment, you can use the timeout feature of cryptsetup - simply add the -t option in the crypttab

e.g.

data    /dev/sda3    ASK    -t 60

line in your /etc/crypttab makes the password question cancelled after a minute and your system continues to boot (without the encrypted partition mounted).

hth,
mykhal
