[dm-crypt] Boot from fully encrypted disk which looks like unused

Arno Wagner arno at wagner.name
Mon May 23 02:13:08 CEST 2011


On Sun, May 22, 2011 at 09:53:02PM +0600, dhvvcb at lavabit.com wrote:
> Using luks is the standard way of boot from an encrypted disk. However
> luks header is not encrypted and it may cause a security issue when it
> is necessary to hide the fact of encryption.

In practice it is basically never necessary to hide encryption.
Either it is perfectly legal for you to refuse handing over the
keys, or the presence of a large, random-looking partition or file
is already enough that they can lock you up and demand the key.

So there really is no security issue. I propose you do not try
to jump through hoops for no effect.

Maybe I should add this as a FAQ item. 

Arno

 
> Usual section of grub.conf when root file system is placed on an
> unencrypted disk has the form:
> 
> title Fedora 12
> root (hd0,0)
> kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro root=/dev/sda1
> LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us
> rhgb quiet
> initrd /boot/initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img
> 
> Boot works.
> 
> After this I rsync this file system as a whole to a filesystem on an
> encrypted virtual disk /dev/mapper/hdd2 corresponding to another
> physical disk, for example /dev/sdb. Then I created an additional
> section in grub.conf so as to make it possible to boot from /dev/sdb. It
> looks the same as above, but with some distinctions. Location of
> bootloader and kernel image is unchanged (1st sector and /boot
> directory), only root filesystem is transferred onto an encrypted new
> device.
> 
> title Fedora 12 NEW
> root (hd0,0)
> kernel /boot/vmlinuz-2.6.31.12-174.2.3.fc12.i686.PAE ro
> root=/dev/mapper/hdd2 LANG=ru_RU.UTF-8 SYSFONT=latarcyrheb-sun16
> KEYBOARDTYPE=pc KEYTABLE=us rhgb quiet
> initrd /boot/initramfs-NEW.img
> 
> Two modifications of the initial section have been done:
> 1. root=/dev/sda1 ---> root=/dev/mapper/hdd2
> 2. initramfs-2.6.31.12-174.2.3.fc12.i686.PAE.img ---> initramfs-NEW.img
> 
> The second modification is needed to prepare /dev/mapper/hdd2 before
> mounting it as a root filesystem. So changing initramfs is necessary. I
> did it in the following way.
> 
> 1. At the beginning of /mount/mount-root.sh, before 'mount' command, I
> put the string:
> cryptsetup -d /etc/key -c aes-cbc-essiv:sha256 -s 256 create
> hdd2 /dev/sdb
> 
> 2. key file is added to /etc
> 
> After this I reboot and select the second item in grub menu. During the
> boot the messages appear:
> 
> WARNING: Deprecated config file /etc/modprobe.conf, all config files
> belong into /etc/modprobe.d/.
> (... the same string repeats a number of times ...)
> No root device found
> Boot has failed, sleeping forever 
> 
> Please, give me a suggestion what should I do to solve the problem.
> 
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 


More information about the dm-crypt mailing list