Hi all, does anyone know if it is possible to encrypt a root partition using a GPG-encrypted key?
To create it and open it I would use something like this:
# dd if=/dev/urandom bs=512 count=4 | gpg --symmetric --armor > ./rootkey.gpg
# gpg --quiet --decrypt rootkey.gpg | cryptsetup -v --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat --key-file - /dev/sda3
# gpg --quiet --decrypt rootkey.gpg 2>/dev/null | cryptsetup luksOpen --key-file - /dev/sda3 root
This works if I can manually enter the commands to decrypt the drive, but how would I do that at boot? I was reading an article on the Gentoo wiki about creating custom scripts etc. to handle it all. Can something similar be applied in Arch Linux? If this is at all possible, is there somewhere I can find some documentation on doing this?
cheers.
The script you want is the encrypt hook that comes with the cryptsetup package, /lib/initcpio/hooks/encrypt. You can make your modifications there, or create a new hook based on it.
Thanks for the reply. Modifying the script shouldn't be too hard, but I can see one small problem with only modifying that script: for this to work I would need to have GnuPG available at boot time. So do I just add BINARIES="/usr/bin/gpg" to mkinitcpio.conf when I install?
From what I understand this should do the trick?
You'll also need the libraries and any other files.
But what's wrong with using LUKS?
Nothing wrong with using LUKS, and in a way I am still using LUKS, but what I am doing here is having a key file encrypted using GnuPG and stored between the MBR and the first partition. My modified /lib/initcpio/hooks/encrypt script will ask for the password for the keyfile to decrypt the root partition, and if an incorrect password is entered more than, say, 3 times it will shred the keyfile, making the root partition impossible to ever decrypt. As a backup for myself I will have a copy of the GPG-encrypted key stored somewhere on the web.
So basically I am adding a whole new layer of security to the system. The more layers of security you can add, the better.
I do know this is a little overboard, but it's more for the fun of doing it, in a strange sort of nerdy way.
But back to what you were saying about the libraries. From the Arch Linux wiki:
These options allow users to add files to the image. Both BINARIES and FILES are added before hooks are run, and may be used to override files used or provided by a hook. BINARIES are dependency-parsed, meaning any required libraries will also be added. FILES are added as-is. For example:
So I shouldn't have to worry about them.
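As an added example (not code from this thread, and not the stock mkinitcpio encrypt hook), here is what the unlock step of a modified /lib/initcpio/hooks/encrypt could look like: prompt for the GnuPG passphrase, retry a limited number of times, and destroy the encrypted keyfile after too many failures. The function name, the 3-try default, the temp-file approach and the keyfile path in the usage comment are this example's own assumptions; gpg, cryptsetup and shred are assumed to be in the initramfs via BINARIES=.

```sh
#!/bin/sh
# Added example, not code from the thread or from the mkinitcpio encrypt hook.
# Sketches the unlock step a modified /lib/initcpio/hooks/encrypt could run:
# ask for the GnuPG passphrase, retry up to MAX_TRIES times, and shred the
# encrypted keyfile after that many failures. Function name, the 3-try
# default and the temp-file handling are this example's assumptions.
#
# Written for a POSIX sh (busybox ash in the initramfs); gpg, cryptsetup and
# shred must be in the image (BINARIES= in mkinitcpio.conf).

MAX_TRIES=${MAX_TRIES:-3}

# gpg_unlock_root KEYFILE DEVICE MAPPER_NAME
#   0 -> the LUKS volume is open as /dev/mapper/MAPPER_NAME
#   1 -> gpg decrypted the key but cryptsetup rejected it (or mktemp failed)
#   2 -> MAX_TRIES wrong passphrases; KEYFILE has been shredded
gpg_unlock_root() {
    keyfile=$1; device=$2; name=$3
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        # Decrypt into a temp file rather than a pipe so gpg's own exit status
        # can be checked (a plain pipeline only reports cryptsetup's status).
        # In the initramfs this lands on the RAM-backed rootfs, not the disk.
        tmp=$(mktemp "${TMPDIR:-/tmp}/rootkey.XXXXXX") || return 1
        if gpg --quiet --decrypt "$keyfile" >"$tmp" 2>/dev/null; then
            # Hand over the raw 2048-byte key as a keyfile; feeding it as a
            # stdin passphrase would stop at the first newline byte.
            if cryptsetup luksOpen --key-file "$tmp" "$device" "$name"; then
                rm -f "$tmp"; return 0
            fi
            rm -f "$tmp"; return 1
        fi
        rm -f "$tmp"
        echo "Wrong passphrase ($tries of $MAX_TRIES)" >&2
    done
    echo "Too many failures: destroying $keyfile" >&2
    # -u unlinks afterwards, -z ends with a zero pass. This only overwrites a
    # file on a filesystem that rewrites in place; a key kept in raw sectors
    # between the MBR and the first partition would need dd, not shred.
    shred -u -z "$keyfile"
    return 2
}

# Stand-alone use: ./unlock.sh --run /path/to/rootkey.gpg /dev/sda3 root
# Inside the hook you would call gpg_unlock_root directly and fall back to the
# hook's normal passphrase prompt if it returns non-zero.
case "${1:-}" in
    --run) gpg_unlock_root "$2" "$3" "$4" ;;
esac
```

Two caveats worth keeping in mind with this design. BINARIES= pulls in gpg's shared libraries, but GnuPG 2.x also needs gpg-agent and a pinentry program in the image to prompt for the passphrase, so check the generated initramfs contains them. And the shred-after-three-failures step is a self-inflicted denial of service: anyone at the console can destroy the keyfile in three tries, so the off-site backup copy becomes the only way back in, while an attacker who images the disk first can try passphrases against their own copy of rootkey.gpg with no attempt counter at all.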
It's probably a bit beside the point, but why not use TrueCrypt? http://www.truecrypt.org/
And what is wrong with using loop-aes?
It's probably a bit beside the point, but why not use TrueCrypt? http://www.truecrypt.org/
As far as I know TrueCrypt does not support full disk encryption on Linux, only on Windows. TrueCrypt is good when you want to encrypt something that has to be decrypted cross-platform, for example a USB key.
And what is wrong with using loop-aes?
loop-aes isn't supported in mkinitcpio as yet. I think I could get it to work, but I would have to build a custom hook, and that's a whole lot more work.
As far as i know Truecrypt does not support full disk encryption in linux, only windows.
Well, I just tested it myself with an empty partition on my hard drive and it worked perfectly fine. It doesn't offer ext4 yet, but ext3 works.
Well, I just tested it myself with an empty partition on my hard drive and it worked perfectly fine. It doesn't offer ext4 yet, but ext3 works.
Yes, you can use TrueCrypt to encrypt almost any type of disk attached to your box, but to get the root disk encrypted, which is what I am trying to achieve, the problem is that the kernel doesn't know how to decrypt it, so it has to be done in early userspace. I may be wrong, but I would think you would need to create a custom hook and include TrueCrypt in the initramfs, the same problem as loop-aes, I guess...
So the easy option is to just slightly modify what Arch Linux already has, which has been thoroughly tested...
Ah, yes. You are right. I've done some research but couldn't find any "out-of-the-box" solution for Linux for your particular problem. Weird.
You might find this entry interesting though: http://wiki.archlinux.org/index.php/LUKS
or a very detailed entry from the Gentoo wiki: http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS
Hope it helps