Wed Aug 9 17:24:42 CDT 2006

Slax

I want to install Slax on my USB pendrive. I have to do some customizations to the distribution, however, because my laptop requires a kernel that is not standard. To get things working nicely, I will install my custom kernel on the pendrive and edit the initrd so that it contains the proper information to boot. I should then have a working Slax distribution on my pendrive. I will then have 3 operating systems around my Linux laptop at any time: the encrypted operating system on the hard drive, the operating system on the pendrive, and the read-only operating system on the CD-ROM drive, which is Xubuntu. I don't think that I will ever have too much trouble booting something on this laptop. Mathieu

Posted by Mathieu Allard

Sun Aug 6 17:25:31 CDT 2006

Encrypted Root Drive

I am happy to report that I have just managed to fully encrypt the root and swap partitions on my laptop; this includes /home.
First off, to whoever tries this process out: it is very risky, so make sure to have a backup.
After much trial and error, this is what I had to do.
First off, I wanted the encryption key to be off the laptop, and I wanted this key to be portable enough for me to carry around without a hassle. I opted for a USB pen drive, though other options could work.
The first step was to boot off the USB pen drive. I did this by first partitioning my USB pen drive so that its first partition would hold a FAT16 filesystem. I then proceeded to make the FAT16 filesystem on the first partition with
#mkdosfs /dev/sda1
I then copied my kernel and my initrd onto the root directory of the drive:
#mount /dev/sda1 /mnt/sda1
#cp /boot/vmlinuz /boot/initrd /mnt/sda1/
Then, to install syslinux and make the pen bootable, I did:
#syslinux -s /dev/sda1
Note that this last command required the debian mtools package.
I now had a USB pendrive that allowed me to boot any kernel I wanted with any initrd that I wanted. I absolutely wanted to have the key on another device, and I had not found any howtos that had an easy way of doing this. I also had to use a custom kernel because the mainstream Linux kernel does not yet have support for the SD flash reader that is on my laptop.
Because I wanted to have a hard drive that was completely scrambled save for the partition information, all of the commands to mount the root filesystem had to come from the pendrive. I opted to do these tasks by making the material needed for them available in my initrd image. To edit the files inside my initrd I had to do the following (the initrd is a gzipped cpio archive, so it gets decompressed and then unpacked into a working directory):
#cp /mnt/sda1/initrd ~
#mv initrd initrd.gz
#gunzip initrd.gz
#mkdir dirinitrd
#cd dirinitrd
#cpio --extract --make-directories < ../initrd
At this point I'm in the initrd directory and I become the master of what happens after the kernel loads at boot time. I needed several kernel modules, libs and utilities to make my root partition mountable from my initrd. The distribution that is installed on this laptop is Ubuntu, and for some reason Ubuntu's cryptsetup program was broken when I ran the commands inside the ramdisk, even if I had all of the libs required for it. To get around this, I copied all of the files in Debian stable's cryptsetup package to my ramdisk, as well as the utilities needed to run the binary. I tested all of the binaries by doing the following:
#mount --bind /dev dev
#chroot .
#cryptsetup
#other commands
I made sure that the commands that I needed to run ran without errors.
I added the following to the ramdisk's init file:
#make the crypt devices
insmod /lib/modules/2.6.18-rc1sdtimeout/kernel/drivers/ide/pci/via82cxxx.ko
insmod /lib/modules/2.6.18-rc1sdtimeout/kernel/drivers/md/dm-mod.ko
insmod /lib/modules/2.6.18-rc1sdtimeout/kernel/drivers/md/dm-crypt.ko
insmod /lib/modules/2.6.18-rc1sdtimeout/kernel/crypto/aes.ko
#let the devices register
sleep 10
echo "setting up cryptdisk"
cryptsetup -d /etc/root-key create root /dev/hda1
cryptsetup -d /etc/root-key create swap /dev/hda2
echo "checking root status"
cryptsetup status /dev/mapper/root
echo "checking swap status"
cryptsetup status /dev/mapper/swap

I found, after much trial and error, that the modules and commands above were what cryptsetup and the initrd needed. Something that I found very useful to get this working was to put a shell inside the initrd's init. This allowed me to experiment and see which commands and kernel modules needed to be run for the root partition to become mountable. So inside the initrd init I put in a:
/bin/sh
I then had to repack the initrd. As root, from my initrd directory (the file list and the new archive are written to the parent directory, so that they do not end up packed inside the image itself):
#find > ../cryptfiles
#cpio --create --format=newc < ../cryptfiles > ../cryptinitrd
#cd ..
#gzip --best cryptinitrd
#mv cryptinitrd.gz cryptinitrd
#cp cryptinitrd /mnt/sda1/
#sync
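As an added example (not from the original post, and not Slax's or Debian's own tooling), here is the same repack step done in pure Python, together with a reader for the newc cpio format that the kernel unpacks at boot, so the image can be checked before it is copied to the pendrive. It assumes only Python 3 and its standard library; the directory layout, the init script and the key file contents it builds are constructed placeholders, and pack_initrd and list_initrd are names chosen here, not existing tools. Unlike a bare find | cpio pipeline it skips its own output file and the file list, and it always writes a directory before the files inside it.

```python
# Added example (not from the original post): a pure-Python equivalent of the
# "find | cpio --create --format=newc | gzip" repack step, plus a parser that
# reads the archive back so the result can be inspected before it goes on the pendrive.
# Assumed: Python 3, standard library only. The tree built in demo() is constructed.
import gzip
import os
import shutil
import stat
import tempfile

NEWC_MAGIC = b"070701"      # "newc" (SVR4, no CRC) header magic, the format the kernel unpacks
TRAILER = "TRAILER!!!"      # name of the terminating record


def _pad4(n):
    """Bytes needed to bring n up to a multiple of 4 (newc aligns names and data)."""
    return (4 - n % 4) % 4


def _entry(name, mode, data, ino, mtime=0):
    """Serialise one newc record: 110-byte ASCII-hex header, NUL-terminated name, data."""
    name_b = name.encode() + b"\0"
    # Field order: ino mode uid gid nlink mtime filesize devmajor devminor rdevmajor rdevminor namesize check
    fields = (ino, mode, 0, 0, 1, mtime, len(data), 0, 0, 0, 0, len(name_b), 0)
    header = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields)
    rec = header + name_b + b"\0" * _pad4(len(header) + len(name_b))
    return rec + data + b"\0" * _pad4(len(data))


def pack_initrd(root_dir, exclude=()):
    """Archive root_dir as gzip'd newc cpio. Directories are emitted before their
    contents, and any relative path listed in `exclude` is skipped so the archive
    never swallows its own output file or the temporary file list."""
    buf = bytearray()
    ino = 1
    for dirpath, dirnames, filenames in os.walk(root_dir):
        dirnames.sort()                                  # deterministic, and os.walk honours the order
        for entry in dirnames + sorted(filenames):
            full = os.path.join(dirpath, entry)
            rel = os.path.relpath(full, root_dir)
            if rel in exclude:
                continue
            st = os.lstat(full)
            if stat.S_ISDIR(st.st_mode):
                data = b""
            elif stat.S_ISLNK(st.st_mode):
                data = os.readlink(full).encode()        # a symlink's "data" is its target
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    data = fh.read()
            else:
                continue                                 # device nodes etc. are out of scope here
            buf += _entry(rel, st.st_mode, data, ino, int(st.st_mtime))
            ino += 1
    buf += _entry(TRAILER, 0, b"", 0)
    return gzip.compress(bytes(buf))


def list_initrd(blob):
    """Parse a gzip'd newc archive into {name: (mode, data)}, stopping at TRAILER!!!."""
    raw = gzip.decompress(blob)
    pos, entries = 0, {}
    while True:
        if raw[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % pos)
        fields = [int(raw[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = fields[1], fields[6], fields[11]
        name_off = pos + 110
        name = raw[name_off:name_off + namesize - 1].decode()
        data_off = name_off + namesize + _pad4(110 + namesize)
        data = raw[data_off:data_off + size]
        pos = data_off + size + _pad4(size)
        if name == TRAILER:
            return entries
        entries[name] = (mode, data)


def demo():
    """Build a small constructed tree shaped like the post's initrd, pack it, read it back."""
    root = tempfile.mkdtemp(prefix="dirinitrd-")
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "lib", "modules"))
        init_path = os.path.join(root, "init")
        with open(init_path, "w") as fh:
            fh.write("#!/bin/sh\necho 'setting up cryptdisk'\n")
        os.chmod(init_path, 0o755)
        with open(os.path.join(root, "etc", "root-key"), "wb") as fh:
            fh.write(b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY")   # constructed placeholder
        # Simulate a stale archive and file list lying inside the tree, as they would
        # after a "find > ./cryptfiles" run from within the directory.
        for stray in ("cryptfiles", "cryptinitrd"):
            with open(os.path.join(root, stray), "wb") as fh:
                fh.write(b"stale")
        blob = pack_initrd(root, exclude=("cryptfiles", "cryptinitrd"))
    finally:
        shutil.rmtree(root)
    return list_initrd(blob)


if __name__ == "__main__":
    for name, (mode, data) in demo().items():
        print("%06o %6d %s" % (mode & 0o7777, len(data), name))
```

Running the file prints one line per record, which is the quickest way to confirm that init is executable, that the key file and the modules directory are where the init script expects them, and that nothing stale was packed by accident.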
After much trial and error, I can now boot my kernel and initrd and mount my root and swap filesystems. Of course, these instructions are very specific to my hardware.
Mathieu

Posted by Mathieu Allard