__Setup with Software Raid and Cryptofs on whole system__
You need (of course) kernel support for raid and your favourite raid level (in this document I use a mirror, raid 1), dm-crypt and the encryption algorithm you want, ramdisk and initrd.
So, if all the requirements are satisfied and you have all the needed tools for dm-crypt, we can start.
First, we need to plan the partition table.
I have a Debian installed on hda, and a new disk with the same capacity physically mounted as hdb.
The partition table on hda is:
- hda1: the actual root fs
- hda2: swap
- hda3: another fs, mounted in /home in my case
To make a working encrypted root fs, with a passphrase request at boot time, we need an additional small unencrypted partition, so hdb will be laid out as:
- hdb1: a small (~10 MB) partition for the unencrypted fs; the boot loader and the initrd live here and ask for the password needed to mount the encrypted root filesystem.
- hdb2: will contain the new root partition
- hdb3: swap
- hdb4: will contain the new "/home" partition
NOTE: remember to create all partitions with the correct partition type: Linux raid autodetect, type FD in the cfdisk menu.
Ok, it's time to perform a first reboot to make sure the partition table on hdb was created correctly.
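As an added check that is not part of the original HOWTO: the partition types can be verified from the dump that "sfdisk -d" prints, before the arrays are created. The function below reads such a dump on stdin and reports every partition whose type is not fd (it understands both the old "Id=" and the newer "type=" spelling of the field); the dump embedded in it is a constructed sample matching the layout above, with hdb3 deliberately left as a plain swap type so the check has something to report.

```shell
#!/bin/sh
# Added example: verify that every partition in an "sfdisk -d" dump has the
# Linux raid autodetect type (fd). Exit status 1 if any partition differs.
check_raid_types() {
    awk '
        /^\/dev\// {
            dev = $1
            type = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(Id|type)=/) {
                    type = $i
                    sub(/^(Id|type)=/, "", type)
                    sub(/,$/, "", type)
                }
            }
            if (tolower(type) != "fd") {
                print dev " has type " type " (expected fd)"
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample dump for the layout used in this HOWTO; hdb3 was left
# as plain Linux swap (82) to show what the check reports.
SAMPLE_DUMP='# partition table of /dev/hdb
unit: sectors

/dev/hdb1 : start=       63, size=    20412, Id=fd, bootable
/dev/hdb2 : start=    20475, size= 19535040, Id=fd
/dev/hdb3 : start= 19555515, size=  1959930, Id=82
/dev/hdb4 : start= 21515445, size= 57641220, Id=fd'

# Usage on a real disk: sfdisk -d /dev/hdb | check_raid_types
printf '%s\n' "$SAMPLE_DUMP" | check_raid_types \
    || echo "fix the partition types before creating the arrays"
```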
Now we can set up the raid arrays (the second member of each mirror is "missing" for now, hda still holds the running system):
# mdadm --create /dev/md0 --level 1 --raid-disks=2 missing /dev/hdb1
# mdadm --create /dev/md1 --level 1 --raid-disks=2 missing /dev/hdb2
# mdadm --create /dev/md2 --level 1 --raid-disks=2 missing /dev/hdb3
# mdadm --create /dev/md3 --level 1 --raid-disks=2 missing /dev/hdb4
Ok, now we have 4 raid arrays active; you can check this with the command cat /proc/mdstat. At this point we should set up the encryption.
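An added example, not from the original HOWTO, for reading that check: the function below summarises /proc/mdstat one array per line, so an array built with "missing" shows up as degraded and a running recovery shows its percentage. The same report is useful at the end, after the hda partitions are added back and the mirrors resync. The mdstat text embedded in the block is a constructed sample of the four mirrors from this HOWTO at that later stage.

```shell
#!/bin/sh
# Added example: summarise /proc/mdstat so that a degraded array or a
# running resync is obvious at a glance.
# Output: "<name> <level> members=<active>/<total> <state>" per array,
# plus "<name> syncing <percent>" while a recovery or resync runs.
mdstat_report() {
    awk '
        /^md[0-9]+ :/ { name = $1; level = $4; next }
        name != "" && /blocks/ {
            # the "[2/1]" pair: configured members / active members
            if (match($0, /\[[0-9]+\/[0-9]+\]/)) {
                split(substr($0, RSTART + 1, RLENGTH - 2), a, "/")
                total = a[1] + 0; active = a[2] + 0
                state = (active < total) ? "degraded" : "clean"
                printf "%s %s members=%d/%d %s\n", name, level, active, total, state
            }
            next
        }
        name != "" && /recovery|resync/ {
            if (match($0, /[0-9.]+%/))
                printf "%s syncing %s\n", name, substr($0, RSTART, RLENGTH)
        }
        /^$/ { name = "" }
    '
}

# Constructed sample: the four mirrors of this HOWTO after "mdadm --add" of
# the hda partitions; md2 and md3 are rebuilt, md1 is still resyncing and
# md0 has not had its second member added yet.
SAMPLE_MDSTAT='Personalities : [raid1]
md3 : active raid1 hda4[0] hdb4[1]
      28820544 blocks [2/2] [UU]

md2 : active raid1 hda3[0] hdb3[1]
      979840 blocks [2/2] [UU]

md1 : active raid1 hda2[2] hdb2[1]
      9767424 blocks [2/1] [_U]
      [==>..................]  recovery = 12.3% (1201152/9767424) finish=5.1min speed=27904K/sec

md0 : active raid1 hdb1[1]
      10176 blocks [2/1] [_U]

unused devices: <none>'

# Usage on the live system: mdstat_report < /proc/mdstat
printf '%s\n' "$SAMPLE_MDSTAT" | mdstat_report
```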
First of all, generate random data on the disks:
# shred -n 1 -v /dev/md1
# shred -n 1 -v /dev/md2
# shred -n 1 -v /dev/md3
And now the encryption. Note that for the root fs you have to type the passphrase twice (the -y option verifies it); for swap you can use /dev/random as the key file, so at every boot the swap partition is wiped and re-encrypted with a fresh key; for "home" I use a key file stored on the root fs, so at every boot you only have to type the passphrase for the root fs, not for every file system:
# mkdir /etc/crypt
# head /dev/urandom > /etc/crypt/keyfile
create the mapped crypt devices:
# cryptsetup -y create rootfs /dev/md1
# cryptsetup -d /dev/random create swapfs /dev/md2
# cryptsetup -d /etc/crypt/keyfile create home /dev/md3
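An added example, not from the original HOWTO, for the key file used by the "home" mapping: "head /dev/urandom" produces a file of random length, and nothing above checks who can read it. The two hypothetical functions below create a key file of a chosen size readable only by root, and verify size and mode before the file is trusted; cryptsetup -d reads its key material from the file, so it must be at least as long as the cipher's key, and 256 bytes is used here simply as a generous size.

```shell
#!/bin/sh
# Added example: create the key file for the "home" mapping with a fixed
# size and root-only permissions, then verify it before relying on it.

# make_keyfile PATH BYTES : write BYTES random bytes to PATH, mode 0600
make_keyfile() {
    file=$1
    bytes=$2
    # umask inside a subshell so the caller's umask is left untouched
    (umask 077 && head -c "$bytes" /dev/urandom > "$file") || return 1
    # a short read from /dev/urandom would leave a weak key: verify the size
    [ "$(wc -c < "$file")" -eq "$bytes" ]
}

# check_keyfile PATH BYTES : succeed only if PATH is a regular file, is
# exactly mode 0600 (find -perm with an octal mode is an exact match) and
# holds at least BYTES bytes; the first failure is explained on stdout.
check_keyfile() {
    file=$1
    bytes=$2
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    [ -n "$(find "$file" -maxdepth 0 -perm 600 -print)" ] \
        || { echo "$file: must be mode 0600"; return 1; }
    [ "$(wc -c < "$file")" -ge "$bytes" ] \
        || { echo "$file: shorter than $bytes bytes"; return 1; }
    return 0
}

# Usage for this HOWTO (paths as in the text):
#   make_keyfile /etc/crypt/keyfile 256 && check_keyfile /etc/crypt/keyfile 256
```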
Finally, create a filesystem on these devices. I use ext3, but feel free to choose another fs (like reiser or xfs ...)
# mkfs -j /dev/mapper/rootfs
# mkfs -j /dev/mapper/home
NOTE: md0 should not be encrypted!!
Now, do you have a backup of the file systems? No? DO IT!!! (You have been warned: don't blame me if you have no backup copy and a worldwide blackout during the next steps wipes all your files!)
Trust me, back up the keyfile too, on another machine, maybe on another cryptofs :)
It's time to copy your system in the new encrypted partitions!

One at a time, mount the newly created partitions and make a complete copy of your file systems:
# mount -t ext3 /dev/mapper/rootfs /mnt
# cp -ax / /mnt
# umount /mnt
# mount -t ext3 /dev/mapper/home /mnt
# cp -ax /home/* /mnt/
# umount /mnt
At this point we have a complete copy of the system, so the next step is to prepare the new root fs to boot. For this we will create a ramdisk.
First, mount the encrypted root fs, and create the mount point for the boot device:
# mount -t ext3 /dev/mapper/rootfs /mnt
# mkdir /mnt/loader
and now create the ram disk:
# chroot /mnt
# cd
# mkdir ramdisk
# dd if=/dev/zero of=initrd bs=1024 count=4096
# mke2fs -F ./initrd
# mount -o loop ./initrd ramdisk
# mkdir ramdisk/{bin,etc,lib,sbin,dev,proc,mnt}
# cp -ap /bin/{bash,mount,umount,mkdir,mknod,sed,rm} ramdisk/bin/
# ln -s bash ramdisk/bin/sh
# cp -ap /usr/bin/cryptsetup ramdisk/bin/
# cp -ap /sbin/pivot_root ramdisk/sbin/
# mknod ramdisk/dev/console c 5 1
# mknod ramdisk/dev/hda2 b 3 2
# mknod ramdisk/dev/hdb2 b 3 66
# mknod ramdisk/dev/md1 b 9 1
# cp -ap /lib/{ld-linux.so.2,libdevmapper.so.1.00,libgcrypt.so.7,\
libncurses.so.5,libpopt.so.0,libc.so.6,libdl.so.2,libgpg-error.so.0,\
libnsl.so.1,libtermcap.so} ramdisk/lib/
(no spaces inside the braces: a space breaks the brace expansion and the copy fails)
You can check the libs with "ldd", for example ldd ramdisk/bin/bash.
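An added example, not code from the original HOWTO, that automates that ldd check: the hypothetical functions below list the libraries a set of binaries needs (as ldd reports them, including the dynamic loader), copy them into the ramdisk tree keeping their paths, and report anything still missing. They assume a glibc-style ldd output ("lib => /path (0x...)" lines); the exact library names differ from system to system, which is why the list is computed rather than typed by hand.

```shell
#!/bin/sh
# Added example: collect the shared libraries a set of binaries needs, as
# reported by ldd, and copy them into the ramdisk tree keeping their paths.

# list_libs BIN... : unique absolute library paths needed by the binaries,
# including the dynamic loader itself (printed by ldd without "=>")
list_libs() {
    for bin in "$@"; do
        ldd "$bin" 2>/dev/null
    done | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $1 ~ /^\// && $2 !~ /=>/  { print $1 }
    ' | sort -u
}

# copy_libs RAMDISK_DIR BIN... : copy each library to RAMDISK_DIR/<path>,
# dereferencing symlinks so the small ramdisk carries each real file once
copy_libs() {
    root=$1; shift
    list_libs "$@" | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp -L "$lib" "$root$lib"
    done
}

# missing_libs RAMDISK_DIR BIN... : print libraries the binaries need that
# are not (yet) present under RAMDISK_DIR; empty output means complete
missing_libs() {
    root=$1; shift
    list_libs "$@" | while read -r lib; do
        [ -e "$root$lib" ] || echo "$lib"
    done
}

# Usage for the ramdisk built in this HOWTO (run inside the chroot):
#   copy_libs ramdisk /bin/bash /bin/mount /bin/umount /bin/mkdir /bin/mknod \
#             /bin/sed /bin/rm /usr/bin/cryptsetup /sbin/pivot_root
#   missing_libs ramdisk ramdisk/bin/* ramdisk/sbin/*
```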
Now, with your favourite text editor, create the file ramdisk/sbin/init with this shell script:
------------------------------------------- START ---------------------------------------------------------
#!/bin/sh
# initrd init: create the device-mapper control node, ask for the root
# passphrase, map the encrypted root (md1), mount it and pivot into it.
/bin/mount -t proc -n proc /proc
DM_DIR="mapper"
DM_NAME="device-mapper"
set -e
DIR="/dev/$DM_DIR"
CONTROL="$DIR/control"
if test -e /dev/.devfsd ; then
    echo "devfs detected: devmap_mknod.sh script not required."
    exit
fi
if test ! -e /proc/devices ; then
    echo "procfs not found: please create $CONTROL manually."
    exit 1
fi
# major of the "misc" class from /proc/devices, minor of device-mapper from /proc/misc
MAJOR=$(sed -n 's/^ *\([0-9]\+\) \+misc$/\1/p' /proc/devices)
MINOR=$(sed -n "s/^ *\([0-9]\+\) \+$DM_NAME\$/\1/p" /proc/misc)
if test -z "$MAJOR" -o -z "$MINOR" ; then
    echo "$DM_NAME kernel module not loaded: can't create $CONTROL."
    exit 1
fi
/bin/mkdir -p --mode=755 $DIR
test -e $CONTROL && rm -f $CONTROL
echo "Creating $CONTROL character device with major:$MAJOR minor:$MINOR."
/bin/mknod --mode=600 $CONTROL c $MAJOR $MINOR
/bin/umount /proc

# Ask for the passphrase twice so a typo is caught; three mismatches halt.
ask_pass() {
    pass1="sux"
    pass2=""
    count="0"
    while [ "$pass1" != "$pass2" ]
    do
        if [ "$count" = "3" ] ; then
            echo "System halted!"
            exit 0
        fi
        if [ "$count" != "0" ] ; then
            echo "Passwords don't match!"
        fi
        echo -n "Password for mounting root fs: "
        read -s pass1
        echo
        echo -n "Repeat: "
        read -s pass2
        echo
        count=$(( $count + 1 ))
    done
    pass=$pass2
}

ask_pass
echo "Ok! mounting root file system"
echo "$pass" | /bin/cryptsetup create rootfs /dev/md1
# A wrong passphrase still creates the mapping, but the mount fails:
# drop the mapping, ask again and retry. The "until" condition is not
# subject to "set -e", so a failed mount does not kill init.
until /bin/mount -r -n -t ext3 /dev/mapper/rootfs /mnt
do
    /bin/cryptsetup remove rootfs
    ask_pass
    echo "$pass" | /bin/cryptsetup create rootfs /dev/md1
done
cd /mnt
/sbin/pivot_root . loader
exec /usr/sbin/chroot . /sbin/init
-------------------------------------- CUT HERE------------------------------------------------------
# chmod 755 ramdisk/sbin/init
# umount ramdisk
# gzip initrd
# rm -rf ramdisk
# mv initrd.gz /boot/
Ok, we have an initrd ramdisk; now the "loader" partition...
# mkfs -j /dev/md0
# mount -t ext3 /dev/md0 /loader
# mkdir /loader/{boot,dev,etc}
# mknod -m 600 /loader/dev/hda b 3 0
# mknod -m 600 /loader/dev/hda1 b 3 1
# mknod -m 600 /loader/dev/hdb b 3 64
# mknod -m 600 /loader/dev/hdb1 b 3 65
# mknod -m 600 /loader/dev/md0 b 9 0
# mknod -m 600 /loader/dev/initrd b 1 150
# mknod -m 600 /loader/dev/ram0 b 1 0
# cp -ap /boot/vmlinuz-x.x.x /loader/boot/vmlinuz
# cp -ap /boot/{map,boot.b,initrd.gz} /loader/boot/
and edit /loader/etc/lilo.conf; my lilo config looks like this:
----------------------------- START ----------------------------------
lba32
#boot = /dev/md0
#raid-extra-boot=/dev/hdb,/dev/hda
boot = /dev/hda
delay = 20
default = Linux
install = /boot/boot.b
map = /boot/map
image = /boot/vmlinuz
label = Linux
root = /dev/ram0
initrd = /boot/initrd.gz
read-write
------------------------------ CUT HERE ---------------------------------
You can add an image with a different root and all the options you need...
Note the 2 commented lines: the final lilo.conf will use those 2 options instead of the current boot line.
Now we can write the boot record by running lilo with its -r option pointing at /loader, so that it reads /loader/etc/lilo.conf and uses the device nodes created in /loader/dev above,
and edit the /etc/fstab file:
/dev/mapper/rootfs / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/swapfs none swap sw 0 0
proc /proc proc defaults 0 0
/dev/fd0 /floppy auto defaults,user,noauto 0 0
/dev/hdc /cdrom iso9660 defaults,ro,user,noauto 0 0
/dev/mapper/home /home ext3 rw 0 2
/dev/md0 /bootstrap ext3 defaults 0 0
Ok, now a small modification to the sysv init; in my Debian I put this in /etc/rcS.d/S04cryptfs:
---------------------------- START -----------------------------
#!/bin/sh
# runs early in rcS: fix the root mapping node, then map "home" and swap
mount -o remount,rw /
# the root mapping was created by the initrd, whose /dev is now under
# /loader; replace whatever /dev/mapper/rootfs the copied root fs carries
# with a link to the live node
if [ -L /dev/mapper/rootfs ] || [ -b /dev/mapper/rootfs ] ; then
    rm -f /dev/mapper/rootfs
fi
ln -s /loader/dev/mapper/rootfs /dev/mapper/rootfs
/usr/bin/cryptsetup -d /etc/crypt/keyfile create home /dev/md3
# swap gets a fresh random key at every boot, so it must be re-initialised
/usr/bin/cryptsetup -d /dev/urandom create swapfs /dev/md2
/sbin/mkswap /dev/mapper/swapfs
mount -o remount,ro /
----------------------------- CUT HERE --------------------------------
Now I have copied the devmap_mknod.sh script to /etc/rcS.d/S03devmap_mknod.sh, with a small addition:
mount -o remount,rw / at the start of the script, and mount -o remount,ro / at the end.
Ok, REBOOT!
If all is ok, you are now on your new encrypted raid file system, so here are the last few steps.
# mkdir /bootstrap
# mv /boot /boot.backup
# ln -s /bootstrap/boot /boot
# mv /etc/lilo.conf /etc/lilo.conf.backup
# ln -s /bootstrap/etc/lilo.conf /etc/lilo.conf
# sfdisk -d /dev/hdb | sfdisk /dev/hda
# sync && sync
# mdadm --add /dev/md0 /dev/hda1
# mdadm --add /dev/md1 /dev/hda2
# mdadm --add /dev/md2 /dev/hda3
# mdadm --add /dev/md3 /dev/hda4
Ok, now re-edit your lilo.conf: remove the boot line, uncomment the 2 commented lines, and run "lilo -v".
That's all!
bye