> > mount -t ext2 /dev/hda3 /mnt -o loop=/dev/loop0,encryption=AES256,gpgkey=/mnt/hda1/rootkey.gpg
>                           ^^^^                                             ^^^^
> Not a very good idea to try to mount something over existing non-empty
> directory.

I tried to save/access the encrypted hda3; had I better used aespipe?
Which sequence should be used, that's the big question?

I cannot access the hda3 now + yet, but I used the saved files I saved after
the editing work on the test system to a USB stick + another PC. Mistakes were
made by me, but I am still sure that the saved files I now read are the actual
ones on the test system. All + everything is saved there in case I must rebuild
the whole test system again right from the start.

> > I used loop0 in /etc/fstab for hda3 (which is / ("root")) and in the
> > build-initrd.sh (where it is loop5 by default).
>
> The root loop-device index in build-initrd.sh configuration *must* match the
> one used in /etc/fstab .

That is clear. I was sure I had edited it to loop0, but seeing it now, it really
is 5. First deadly mistake made by me!

testsystem build-initrd.sh, edited, but with the wrong loop for /, as I see now:

------------cut------------------
### All default-values can be altered via the configfile

# 1 = use devfs, 0 = use classic disk-based device names. If this is
# enabled (USEDEVFS=1) then setting USEPIVOT=1 is also required and kernel
# must be configured with CONFIG_DEVFS_FS=y CONFIG_DEVFS_MOUNT=y
USEDEVFS=0

# 1 = use pivot_root, 0 = use old change_root
# See above header for root= and append= lilo.conf definitions.
# pivot_root is not available on 2.2 and older kernels.
# Always enable pivot_root for 2.4 and later kernels.
USEPIVOT=1

# Unencrypted /boot partition. If devfs is enabled (USEDEVFS=1), this must
# be specified as genuine devfs name.
BOOTDEV=/dev/hda1

# /boot partition file system type
BOOTTYPE=ext2

# Encrypted root partition. If devfs is enabled (USEDEVFS=1), this must
# be specified as genuine devfs name.
CRYPTROOT=/dev/hda3

# root partition file system type
ROOTTYPE=ext2

# Encryption type (AES128 / AES192 / AES256) of root partition
CIPHERTYPE=AES256

# Optional password seed for root partition
#PSEED="-S XXXXXX"

# Optional password iteration count for root partition
#ITERCOUNTK="-C 100"

# This code is passed to cipher transfer function.
LOINIT="-I 0"

# 1 = use gpg key file to mount root partition, 0 = use normal key.
# If this is enabled (USEGPGKEY=1), file named rootkey.gpg or whatever
# GPGKEYFILE is set to must be manually copied to /boot (or to
# EXTERNALGPGDEV device if EXTERNALGPGFILES=1). If rootkey.gpg is not
# encrypted with symmetric cipher, pubring.gpg and secring.gpg must be
# manually copied to /boot (or to EXTERNALGPGDEV device if
# EXTERNALGPGFILES=1).
USEGPGKEY=1

# gpg key filename. Only used if USEGPGKEY=1
GPGKEYFILE=rootkey.gpg

# 1 = mount removable device EXTERNALGPGDEV that contains gpg key files
# 0 = don't mount
EXTERNALGPGFILES=0

# Device name that contains gpg key files. If devfs is
# enabled (USEDEVFS=1), this must be specified as genuine devfs name.
# Only used if EXTERNALGPGFILES=1
EXTERNALGPGDEV=/dev/fd0

# Removable device EXTERNALGPGDEV file system type
# Only used if EXTERNALGPGFILES=1
EXTERNALGPGTYPE=ext2

# 1 = use loop module, 0 = loop driver linked to kernel
USEMODULE=1

# 1 = stop after creating and copying initrd, 0 = also copy tools/libs
INITRDONLY=0

# Source root directory where files are copied from
SOURCEROOT=

# Destination root directory where files are written to.
# Normally this is empty, but if you run this script on some other root
# (i.e. Knoppix live CD), this must be configured to point to directory
# where your about-to-be-encrypted root partition is mounted. This script
# checks that an initrd directory exists there.
DESTINATIONROOT=

# dest-dir below dest-root
DESTINATIONPREFIX=/boot

# Name of created init ram-disk
INITRDGZNAME=initrd.gz

# Encrypted root loop device index (0 ... 7), 5 == /dev/loop5
# Device index must be one character even if max_loop is greater than 8
# _must_ match /etc/fstab entry:  /dev/loop5  /  ext2  defaults,xxxx  0  1
ROOTLOOPINDEX=5

# Temporary loop device index used in this script, 7 == /dev/loop7
TEMPLOOPINDEX=7

# Additional loop module parameters.
# Example: LOOPMODPARAMS="max_loop=8 lo_prealloc=125,5,200"
LOOPMODPARAMS=""

# 1 = load national keyboard layout, 0 = don't load
# You _must_ manually copy correct keyboard layout to /boot/default.kmap
# which must be in uncompressed form. (can not be .gz file)
LOADNATIONALKEYB=0

# Initial delay in seconds before /linuxrc attempts to mount /boot
# partition. Slow devices (USB-sticks) may need some delay.
INITIALDELAY=0

# Delay in seconds before /linuxrc attempts to mount partition containing
# external gpg key files. Slow devices (USB-sticks) may need some delay.
MOUNTDELAY=0

# 1 = prompt for BOOT-TOOLS media and ENTER press before mounting /boot
# 0 = normal case, don't prompt
TOOLSPROMPT=0

# 1 = use "rootsetup" program that executes losetup to initialize loop
# 0 = use normal "losetup" program directly to initialize loop
# If enabled, rootsetup program (+libs) _must_ be manually copied to /boot.
USEROOTSETUP=0

# 1 = use dietlibc to build linuxrc. This permits passing parameters to init.
# 0 = use glibc to build linuxrc. This prevents passing parameters to init
# and includes hacks that may be incompatible with some versions of glibc.
# The dietlibc can be found at http://www.fefe.de/dietlibc/
USEDIETLIBC=1

# 1 = load extra module, 0 = don't load
# If this is enabled, module must be manually copied to
# /boot/modules-KERNELRELEASE/ directory under name like foomatic.o
EXTRAMODULELOAD1=0
EXTRAMODULENAME1="foomatic"
EXTRAMODULEPARAMS1="frobnicator=123 fubar=abc"

# 1 = load extra module, 0 = don't load
EXTRAMODULELOAD2=0
EXTRAMODULENAME2=""
EXTRAMODULEPARAMS2=""

# 1 = load extra module, 0 = don't load
EXTRAMODULELOAD3=0
EXTRAMODULENAME3=""
EXTRAMODULEPARAMS3=""

# 1 = load extra module, 0 = don't load
EXTRAMODULELOAD4=0
EXTRAMODULENAME4=""
EXTRAMODULEPARAMS4=""

# 1 = load extra module, 0 = don't load
EXTRAMODULELOAD5=0
EXTRAMODULENAME5=""
EXTRAMODULEPARAMS5=""

### End of options
-------------cut--------------------

testsystem /etc/fstab, residing on the encrypted hda3:

# <file system> <mount point>   <type>      <options>                   <dump>  <pass>
proc            /proc           proc        defaults                    0       0
/dev/hda3       /               ext2        defaults,errors=remount-ro  0       1
/dev/hda1       /boot           ext2        defaults                    0       2
/dev/hda2       none            swap        sw                          0       0
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto                 0       0
usbdevfs        /proc/bus/usb   usbdevfs    devmode=0666                0       0
/dev/sda        /usbdev         ext2        user,noauto                 0       0

Second deadly mistake made by me: no loop editing whatsoever!

testsystem /boot/grub/menu.lst, residing on the unencrypted hda1:

---------------cut----------------------------
## ## End Default Options ##

title           Debian GNU/Linux, kernel 2.6.15
root            (hd0,0)
kernel          /vmlinuz-2.6.15 root=/dev/hda3 ro
initrd          /initrd.img-2.6.15
savedefault
boot

titel           Debian, USEPIVOT=1, 2.6.15
root            (hd0,0)
kernel          /vmlinuz root=100 init=/linuxrc rootfstype=minix
initrd          /initrd.gz

### END DEBIAN AUTOMAGIC KERNELS LIST
------------------cut-----------------------

Note that I did not see the lower kernel on screen; I only saw the upper kernel,
which cannot do crypto, and therefore had nothing to choose from.

Is this test system still changeable, or must it be rebuilt from the start?

Regards,
Reverend

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
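Added example, not from the post above and not part of loop-AES or its build-initrd.sh: a POSIX shell check for the invariant the quoted reply insists on, that ROOTLOOPINDEX in the build-initrd.sh configuration names the same /dev/loopN that /etc/fstab mounts on /. The sample configuration and fstab files are constructed inline from the values in the post (ROOTLOOPINDEX=5, / on raw /dev/hda3) next to a corrected pair; the function name and the exact messages are this example's own choices.

```shell
#!/bin/sh
# check_root_loop CONFIG FSTAB
#   Returns 0 when /etc/fstab mounts / from /dev/loop$ROOTLOOPINDEX,
#   1 on a mismatch, 2 when either file lacks the needed line.
# Assumptions (not from the post): the config has a "ROOTLOOPINDEX=N" line
# with a single-digit N, and the fstab is the usual 6-column format.
check_root_loop() {
    cfg=$1; fstab=$2
    # Last ROOTLOOPINDEX wins, as it would when the shell sources the config.
    idx=$(sed -n 's/^ROOTLOOPINDEX=\([0-9]\).*/\1/p' "$cfg" | tail -n 1)
    # First column of the non-comment fstab line whose mount point is "/".
    rootdev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$fstab" | tail -n 1)
    if [ -z "$idx" ]; then
        echo "ERROR: no ROOTLOOPINDEX in $cfg" >&2; return 2
    fi
    if [ -z "$rootdev" ]; then
        echo "ERROR: no / entry in $fstab" >&2; return 2
    fi
    case "$rootdev" in
        "/dev/loop$idx")
            echo "OK: fstab mounts / from $rootdev and ROOTLOOPINDEX=$idx"
            return 0 ;;
        /dev/loop*)
            echo "MISMATCH: fstab mounts / from $rootdev but ROOTLOOPINDEX=$idx"
            return 1 ;;
        *)
            echo "MISMATCH: fstab mounts / from raw device $rootdev;" \
                 "linuxrc sets up /dev/loop$idx, so fstab must name that loop device"
            return 1 ;;
    esac
}

# Constructed sample inputs (reduced to the lines that matter).
WORK=$(mktemp -d)
CFG_LOOP5=$WORK/build-initrd.conf.loop5   # as posted: index 5
CFG_LOOP0=$WORK/build-initrd.conf.loop0   # what the poster meant to have
FSTAB_RAW=$WORK/fstab.raw                 # as posted: / on raw /dev/hda3
FSTAB_LOOP0=$WORK/fstab.loop0             # / on /dev/loop0

cat >"$CFG_LOOP5" <<'EOF'
CRYPTROOT=/dev/hda3
CIPHERTYPE=AES256
ROOTLOOPINDEX=5
TEMPLOOPINDEX=7
EOF
sed 's/^ROOTLOOPINDEX=5/ROOTLOOPINDEX=0/' "$CFG_LOOP5" >"$CFG_LOOP0"

cat >"$FSTAB_RAW" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/hda3 / ext2 defaults,errors=remount-ro 0 1
/dev/hda1 /boot ext2 defaults 0 2
EOF
sed 's#^/dev/hda3 / #/dev/loop0 / #' "$FSTAB_RAW" >"$FSTAB_LOOP0"

# Stand-alone demonstration: the posted pair, a half-fixed pair, a consistent pair.
check_root_loop "$CFG_LOOP5" "$FSTAB_RAW"   || :
check_root_loop "$CFG_LOOP5" "$FSTAB_LOOP0" || :
check_root_loop "$CFG_LOOP0" "$FSTAB_LOOP0" || :
```

Run it against the real files before rebuilding the initrd: a non-zero exit means the initrd would set up one loop device while fstab expects another (or a raw partition), which is exactly the state the post describes.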