Talk:SECURITY System Encryption DM-Crypt with LUKS

From Gentoo Linux Wiki

Jump to: navigation, search

Contents

[edit] ToDO

  • Peer review of init script
  • LVM support
  • RAID support
  • steganography support -- to retrieve hidden key(s)
  • PKCS#11 cryptographic token support
  • suspend2 filewriter support
  • Add examples for other partitions beside root
  • /etc/conf.d/cryptfs
    • How to handle decryption of several partitions ?
One way is having keyfiles stored on root
Another way could be editing cryptfs implementation scripts to support retrieving keys from removable media, and having all keys encrypted in a gpg protected file.
  • Fix some bugs/issues in the init script
  • grub problem

[edit] Added example for automatic mounting of /home at startup

I've added an example (from my setup) of how to automatically mount /home at startup. I think this is needed as I found it confusing using /etc/conf.d/cryptfs, since the examples don't clearly indicate where to specify the underlying device or the mount point. It required me to trawl through the scripts to understand how they work. It is very simple though and anyone seeing the new example should be able to do it easily.

You could remove your note about whether it works for other encrypted volumes, in addition to swap and tmp. It does, my /home now mounts every boot :) Also note that I'm using serpent-cbc-essiv:sha256, so it also works with other ciphers. I didn't remove the note as requested in the discussion page, but rather posted here.

[edit] Re: Added example for automatic mounting of /home at startup

Thank you,
It's quite clear now, the cryptfs's implementation depends on the user passing the type argument and the fact that cryptsetup ignores the incorrect options assigned at line 20:
: ${options:='-c aes -h sha1'}
They could have added an if test to check whether the device is luks or not by using the isLuks option earlier, this avoids the incorrect options without depending on the user to supply options=' ' to workaround it.
Perhaps I'm missing something here, mm, don't know.
I knew about the error in the example cryptfs file that ships with cryptsetup, but I figured everybody would notice it and would get fixed soon, I guess I was wrong.
Somebody should post a bug about it.
Anyway, thanks.

Regards,
Reikinio 09:29, 29 May 2006 (UTC)

[edit] gnupg latest version 1.9.21 lacks the static flag

Gnupg latest version in portage no longer contains the static ebuild flag. Information here: http://gentoo-portage.com/app-crypt/gnupg

You must use version 1.4.4 of gnupg for this use flag. Under the heading GnuPG users: building statically linked gpg you should change echo "app-crypt/gnupg static" >> /etc/portage/package.use && emerge gnupg to USE="static" emerge -av =gnupg-1.4.4. This will then emerge version 1.4.4 statically..

Without it users will emerge the current version without the static flag and recive an error when building the iniramfs from the script. 

    Error: file /usr/bin/gpg not statically linked!
    or not a valid executable.

This is just my opinion as i ran into that problem.. thanks
12:23, 6th of August 2006

[edit] Re: gnupg latest version 1.9.21 lacks the static flag

Thank you, changed the emerge command and wrote a note about it in the document.
Reikinio 18:14, 10 August 2006 (UTC)

gnupg-1.4.7-r1( 1.4.8-r1 is hard masked ) is currently the latest gnupg that supports the static build flag and is not hard masked. As 1.4.4 is no longer in portage I would recommend it is changed in the main document. -Mad 2:29, 5 February 2008 (EST)

[edit] DM-Crypt vulnerable to watermark attacks

I just found this LINK:http://mareichelt.de/pub/texts.cryptoloop.php (Why Mainline Cryptoloop Should Not Be Used)
I'd like to use an encrypted system, but it should be safe then. I don't know if the link still matters today. Maybe someone can check it out.
Thanks,
Calvin

luks doesn't utilize the cryptoloop device so this doesn't conflict with this guide. this guide uses the dm-crypt mapping not cryptoloop :D

[edit] Re: DM-Crypt vulnerable to watermark attacks

AFAIK using linux kernel > 2.6.10 and ESSIV should prevent it.
You might find more information in dm-crypt mailing list archives.

Reikinio 00:04, 25 August 2006 (UTC)

[edit] No guide on how to use uClibc

The guide recommend uClibc but doesn't provide any instructions on how to go about doing that.

I checked out the support thread over in the gentoo forums and found some information about this on the first post of page 5.

I tried the directions in the post but it didn't work out for me however at least it is a starting point. --Hadees 19:04, 25 September 2006 (UTC)

IMHO, uClibc should be removed from this HowTo. glibc works great, is much easier to use and the ramdisk gets freed anyway. Why should we use a tiny C library then?

[edit] too much details

your article contains to much details and it is therefore quite difficult to follow all steps. Things that are no so important should be moved to an appendix.

[edit] Supplement to "Filling the disk with random data"

DBAN might worth to be noted there.

[edit] Supplement TWO for "Filling the disk with random data"

what even works faster and is total secure [or as secure as luks ;-)] is to open the luksformated device and dd zero to it; the dm-crypt layer will encrypt that and this works even faster than /dev/urandom!

cryptsetup luksFormat ...... /dev/xyz

cryptsetup luksOpen /dev/xyz xyz

dd if=/dev/zero of=/dev/mapper/xyz

this is my way of doing the preparation; on a 1ghz pIII ~12h for 300GB


Isn't here the Problem that you are (very) vulnerable to a known plaintext attack?

Plaintext attack shouldn't be a problem, as you can just luksFormat the /dev/xyz after zeroing it. This way you will use a different key for your actual data than the one used for the zeroes. So if it's possible to guess the key just because you know it's zeroes, you'll get the wrong key and all you have gained is that you know where free space is. However, if such an attack is actually possible, it's a problem anyway, because there is a high probability for any sector that it will contain only zeroes even in normal use. This is simply because many programs allocate files by filling them with zeroes. Frostschutz 19:16, 24 May 2008 (UTC)

However what may become a (minor) problem is if you forget to kill the luksheader too... I'm not sure if luks writes the full header upon format or just the slots that are actually being used for keys? so you should zero the first couple of megabytes of the disk directly before zeroing the encrypted device. I'm also doing it this way in this article here Booting_encrypted_system_from_USB_stick Frostschutz 19:19, 24 May 2008 (UTC)

[edit] Error: root missing.

A lot of people seem to be getting "Error: root missing." as an error after going through the guide. And the support thread on forums.gentoo.org there has been no reponse to this problem.

--Hadees 19:53, 20 November 2006 (UTC)

Yes, there is a answer in the thread.

And it says to change the init script, the whole parse_cmdl_args() function, as shown here: 

parse_cmdl_args() {
  local x
  CMDLINE=`cat /proc/cmdline`
  for param in $CMDLINE; do
         case "${param}" in
        rescue)
           gv_shell_checkpoint=1
           ;;
        root=*)
           gv_root_device="${param##*=}"
           ;;
        ro)
           gv_root_mode="ro"
           ;;
        splash=*)
           gv_splash_theme="`echo "${param}" | sed 's/.*theme://' | sed  's/,.*//'`"
           [ -n "`echo ${param} | grep silent`" ] && gv_splash_silent=1
           ;;
        CONSOLE=*)
           gv_splash_console="${param##*=}"
           ;;
        is2)
           # check if booting with noresume2
           if [ -z "`grep noresume2 /proc/cmdline`" ]; then
              gv_active_suspend2=1
           else
              gv_active_suspend2=0
           fi
           ;;
        ikmap=*)
           gv_kmap="`echo "${param}" | cut -d'=' -f2 | cut -d':' -f1`"
           gv_font="`echo "${param}" | cut -d':' -s -f2`"      
           ;;
        ichkpt=*)
           gv_shell_checkpoint="${param##*=}"
           ;;
        iswap=*)
           gv_swap_device="${param##*=}"
           ;;
        ikey_root=*)
                               x="${param##*=}"
                               gv_key_root_filepath="${x##*:}"
                               gv_key_root_mode="${x%%:*}"
                               x="${x%:*}"
                               gv_key_root_device="${x##*:}"
           ;;
        ikey_swap=*)
                               x="${param##*=}"
                               gv_key_swap_filepath="${x##*:}"
                               gv_key_swap_mode="${x%%:*}"
                               x="${x%:*}"
                               gv_key_swap_device="${x##*:}"
           ;;
         esac
  done
}

Alinefr 03:08, 10 December 2007 (UTC)

[edit] bug in the init script (not load modules)

bug in the init script (not load modules) 

at line 246:

Codice: 

  modprobe_group() { 
        local lv_group="$1" 
        local lv_mod 

        if [ -f "/etc/modules/${lv_group}" ]; then 
                for mod in `cat "/etc/modules/${lv_group}"`; do 
                        modprobe "${lv_mod}" > /dev/null 2>&1 
                done 
        fi 
}

Codice: 

  246:     for mod in `cat "/etc/modules/${lv_group}"`; do 

  
it should be

Codice: 

  246:     for lv_mod in `cat "/etc/modules/${lv_group}"`; do 

  

with this it load modules.


Nilo


[edit] New suspend2 path

For newer suspend2 versions path is /sys/power/suspend2/, not /proc/suspend2/.

[edit] RAID Support

It would be awesome if someone could invest some time and energy to let RAID work with all this. I think an encrypted root filesystem on a RAID 1 storing the key for the encrypted RAID 5 disks with all your data would be something really nice. ;)

I am implementing RAID,LVM2,EVMS currently and will update /init soon. --Likewhoa 04:01, 8 October 2007 (UTC)

Way to create software RAID: http://forums.gentoo.org/viewtopic-p-4956806.html#4956806

[edit] Badblocks unnecessary

If you always shred/urandom-dd the harddrive, why do you need the badblocks check before? Its only purpose is to let the harddrive reallocate the bad blocks automatically if I understood correctly.

[edit] Badblocks insecure

Here's an example

If you write to a device with the command...
/sbin/badblocks -c 10240 -s -w -t random -v /dev/loop0
... or somthing similar as recommended in many places.

Then...
xxd /dev/loop0

---SNIP---
002e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
002e810: 1a18 a663 0b58 0e53 054f b72f 8058 d7a1  ...c.X.S.O./.X..
002e820: a4f8 b5a5 c74e 0bf9 a11e 447b 6edd 5888  .....N....D{n.X.
002e830: f5fe ec00 56fa 535c 490b 8bc9 6363 6b07  ....V.S\I...cck.
002e840: 5b20 ac22 6eb7 1c0f d560 8a43 3de2 cc32  [ ."n....`.C=..2
002e850: e0b8 3236 b286 92fc 911e c5f4 8130 fbdc  ..26.........0..
002e860: 50a7 ffbe 5f1b cd34 7b57 78b8 3944 ea19  P..._..4{Wx.9D..
002e870: fc1c 50ae a2e2 aa33 0070 2781 a022 5ef1  ..P....3.p'.."^.
002e880: ca5d af29 787d 5df3 d4d5 ab0e 1995 2715  .].)x}].......'.
002e890: b177 c454 5a6e 875a deaf dc7f d13a 709b  .w.TZn.Z.....:p.
---SNIP---

Then... looking for the data at 0x002e800...
xxd /dev/loop0 | grep "214c 2113 01ce 9965 3253 134a da50 99dd"
You'll get

---SNIP---
002e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
0a2e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
142e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
1e2e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
282e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
322e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
3c2e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
462e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
502e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
5a2e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
642e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
6e2e800: 214c 2113 01ce 9965 3253 134a da50 99dd  !L!....e2S.J.P..
---SNIP---

Tell me if I'm wrong, but that kinda seems to defeat the purpose of randomizing the HDD

[edit] Swsusp2

Is the script in the article working if you plan on using swsusp2 and not having a swap partition but a file for it (stored on the root partition)?

[edit] New init script

the new init script http://wiki.suspend2.net/EncryptedSwapAndRoot is it a drop in replacement for the old script? it isn't very clear

that init script uses loop-aes which is not supported in Gentoo linux. cryptoloop will die eventually. --Likewhoa 04:03, 8 October 2007 (UTC)

It works: dmcrypt is the key word, and there is a bug with the gpg thing: --log-file should be --logger-file. Tm

[edit] Kernel option moved

Hi, the option "Initial RAM disk (initramfs/initrd) support" has been moved from Block devices to General setup. Maybe somebody can change that.

[edit] Bug in dm-crypt-start.sh when using gpg encrypted keys

cryptsetup-luks-1.0.3-r3 has a bug in the init scripts that prevents the reading of gpg passphrases from stdin when key="/path/to/keyfile:gpg" is configured in /etc/conf.d/cryptfs. I have added "--key-file -" to the cryptsetup options but that did not help. With this option the manual call of this script through /etc/init.d/checkfs stop/start is successfull, but does not fix the bug while booting. I have found a similar report on irc, but no solution yet: 

I have some problems with dmcrypt and the init scripts. When I boot, checkfs calls
cryptsetup which creates the device mappings. But I have to enter my passphrase
somewhere, and it seems that no data from stdin reaches cryptsetup so the system
just hangs halfways into the boot

[edit] Split

This page is too long. It is hard to navigate, I suggest splitting with an index page. --AnMaster 08:01, 22 October 2007 (UTC)

I wrote a separate guide for my own setup (cryptsetup + LVM + boot from USB), because I found this article too long and too confusing (and many of the things done here, are not necessary at all, like compiling your own busybox when Gentoo already provides a static busybox binary that works with initramfs). The Guide can be found here: Booting encrypted system from USB stick. I also think that splitting this page (and even more important, simplifying and updating the information in it) is important, however the contribution guidelines specifically say not to remove any content, so I'm unsure how / where to even start. In my case it was easier to just write a new guide from scratch. frostschutz 11:24, 20 June 2008 (UTC)

[edit] Performance

As the performance-link points to a broken wiki, we might as well collect some data here. Is someone knowledgeable enough to write a test script for different ciphers and key lengths?

Values for -c aes-cbc-essiv:sha256 -s 256:

AMD Athlon 1400: CPing a 700MB file from LUKS to /dev/null takes 40 seconds (thats 17.5 MB/s). DDing 719MB of /dev/zero onto the same LUKS partition takes 35 seconds, that makes almost 21MB/s.

Intel Core2 CPU 6600 @ 2.40GHz: DDing 700MB from /dev/zero to LUKS takes 10.7 seconds CPing 700MB from LUKS to /dev/null takes 10.3 seconds That makes almost 70MB/s, and both CPUs are saturated during en/decryption.

AMD Athlon64 X2 4600+ (2.4 GHz): 734003200 bytes (734 MB) copied, 10.7456 s, 68.3 MB/s

[edit] Update busybox and explain how to create busybox.links and the applets file

The current version of busybox is 1.9.1 and the config menu differ a bit from 1.2.1. Maybe the document could be updated to a recent version of busybox.

Version 1.9.1 of busybox doesn't seems to create busybox.links automatically. It should be mentioned how to do it: 

  # make busybox.links

Can't find or download from the site provided any applets file. As I couldn't get an answer created mine with (don't know if this ok): 

  # sed 's/\/bin\///g;s/\/sbin\///g' busybox.links > applets

Please explain how to generate this file. I have an unanswered post about this on the support thread

noisebleed 18:22, 3 March 2008 (UTC)

Retrieved from "http://www.gentoo-wiki.com/Talk:SECURITY_System_Encryption_DM-Crypt_with_LUKS"