On Tue, 15 Jan 2008 23:17:26 +0100, Peter_22@xxxxxx wrote:

OK - a second try. Hopefully my mail comes through this time and you don't get it twice.

> Hi!
>
> May I ask questions? On a separate IDE drive I do some testing with
> Kubuntu. Building a new kernel for loop-aes worked fine, starts from
> USB-storage devices as usual.

It works even without building your own kernel. Of course: http://mail.nl.linux.org/linux-crypto/2007-06/msg00015.html; but I never heard of any problems with own-built modules and Ubuntu, ...

1) loop-aes installation

$ rmmod loop
$ apt-get install loop-aes-utils    # loop-aes-utils is in the universe section
$ cd /PATH/TO/LOOP_AES_SOURCE
$ make LINUX_SOURCE=/lib/modules/KERNEL_VERSION/build/    # KEYSCRUB=y EXTRA_CIPHERS=y

The loop-AES modules are installed to /lib/modules/KERNEL_VERSION/extras/. Create a new directory /lib/modules/KERNEL_VERSION/updates (if it doesn't exist) and move the loop modules to it. After that, execute 'depmod'. Type 'modinfo loop'. The first line of the output should show something like this:

---
filename: /lib/modules/KERNEL_VERSION/updates/loop.ko
---

and not:

---
filename: /lib/modules/KERNEL_VERSION/kernel/drivers/block/loop.ko
---

(this is your old loop module, which you don't want to use any longer)

Check if the installation succeeded:

$ make tests
$ # make tests EXTRA_CIPHERS=y

Some versions of Ubuntu (dapper, but not 7.10) even ship with loop-aes-source. You can simply install it with 'module-assistant'.

If you want to compile your own kernel, you can use the original config file of Ubuntu and just change these values:

CONFIG_BLK_DEV_LOOP=n
CONFIG_BLK_DEV_CRYPTOLOOP=n
CONFIG_DEBUG_INFO=n

Other changes are not necessary if you use initramfs-tools instead of build-initrd.sh. The initramfs-tools are more powerful and flexible, easier to use, and installed by default. You won't have any problem with a wrong keymap - it seems to be done automatically in the right way by initramfs-tools (according to your system settings). (At least, I don't remember that I've changed any further configuration file regarding this issue after the first installation of Ubuntu. I can use German umlauts and euro/ms signs as part of my passphrase without any problems.) And it doesn't matter if /dev/sdb or /dev/sdc is your USB stick.

You can simply copy any files that are needed to set up your encrypted root device during system startup to the initial ramdisk. The boot loader loads the kernel program and the content of your initial ramdisk into memory. You just need to edit/create 3 small scripts/configuration files to use root encryption with loop-aes.

(I assume that /dev/sda6 is your [up to now unencrypted] root partition and /dev/loop6 will be your root partition according to fstab. /dev/sdg is your USB stick and /etc/keys/root.gpg is your symmetrically(!) encrypted gpg key file for the root partition.)

a) /etc/initramfs-tools/scripts/local-top/loopcrypt

(This script will be executed at each boot process, before the root partition is mounted. The purpose of the script is to load the loop module(s) into the kernel and set up your encrypted loop device.)

---
#!/bin/sh
PREREQ="udev"
HD="/dev/sda6"

prereqs()
{
    echo "$PREREQ"
}

case "$1" in
prereqs)
    prereqs
    exit 0
    ;;
esac

echo "Waiting for crypted root device..."
# wait up to 180 s (1800 x 0.1 s) for the underlying partition to show up
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "$HD" ]; do
    /bin/sleep 0.1
    slumber=$(( ${slumber} - 1 ))
done

# gpg asks for the passphrase of /root.gpg; retry until losetup succeeds
TEST=1
while [ 0 != $TEST ] ; do
    losetup -e AES256 -K /root.gpg -G / /dev/loop6 "$HD"
    # or losetup -e SERPENT128 -K /root.gpg -G / /dev/loop0 "$HD"
    # or whatever
    TEST=$?
done
---

b) /etc/initramfs-tools/modules

---
# List of modules that you want to include in your initramfs.
#
# Syntax: module_name [args ...]
loop
#loop_blowfish
#loop_serpent
#loop_twofish
# Perhaps you need more modules. For example, the following modules
# are necessary if you want higher resolution during system start:
#fbcon
#vesafb
---

c) /etc/initramfs-tools/hooks/hloopcrypt

(This script will be executed during each creation of an initial ramdisk. Its purpose is to create the necessary folders and copy the programs and files that are needed at the beginning of the boot process to the initial ramdisk.)

---
#!/bin/sh -e
# standard initramfs-tools hook preamble: answer the "prereqs" query
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in prereqs) prereqs; exit 0 ;; esac

. /usr/share/initramfs-tools/hook-functions
mkdir -p ${DESTDIR}/sbin
mkdir -p ${DESTDIR}/usr/bin
cp -p /etc/keys/root.gpg ${DESTDIR}/
# copy_exec also pulls in the shared libraries the binaries need
copy_exec /sbin/losetup /sbin
copy_exec /usr/bin/gpg /usr/bin
---

Now type 'update-initramfs -u'. This command creates a new initial ramdisk (with the new configuration files) and puts it into /boot/initrdXXX. Each time you've updated the initramfs scripts or configuration files, changed the password of /etc/keys/root.gpg or installed a new version of the programs in your initial ramdisk, you have to execute this command again.

If you want to know in detail what's included in the initial ramdisk, you can unpack it with this command:

'cat /boot/initrdxxxx | gzip -d | cpio -i'

2) bootable usb-stick:

a) Prepare your USB stick (/dev/sdg) (all data on your stick will be lost!)

$ dd if=/dev/zero of=/dev/sdg bs=8192 count=22
$ mkdosfs /dev/sdg
$ syslinux /dev/sdg

USB sticks without a partition table work best on most motherboards, ...

b) create the syslinux configuration file 'syslinux.cfg'

--
default linux
label linux
kernel vmlinuz
append initrd=initrd root=/dev/loop6 quiet
--

/dev/loop6 must be your root partition according to /etc/fstab!

c) copy the files to your stick

$ mount /dev/sdg /mnt/stick
$ cp /boot/initrd.your.version /mnt/stick/initrd
$ cp /boot/vmlinuz-your.version /mnt/stick/vmlinuz
$ cp /path/to/syslinux.cfg /mnt/stick/syslinux.cfg
$ sync
$ umount /mnt/stick

After you have edited your /etc/fstab, created a new initial ramdisk and a new boot medium (this needs to be done in one step, without rebooting), you can boot from the live CD and encrypt /dev/sda6. After that, you can boot your system with the USB stick...

That's all. You don't need to compile your own kernel, you don't need to statically link any program and you won't have any problems with your keymap ;)

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/
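Added example, not part of the mail above and not loop-AES code: a preflight script for the two things the mail says must be right before you reboot onto the stick, i.e. that 'modinfo loop' resolves to the updates/ module rather than the stock kernel/drivers/block/loop.ko, and that /etc/fstab, the stick's syslinux.cfg and the local-top script all name the same loop device (/dev/loop6 in the mail). All file paths are parameters; the sample files written by make_samples are constructed for the demo and mirror the mail's example, so it runs offline.

```sh
#!/bin/sh
# Preflight checks for a loop-AES root setup with initramfs-tools and a
# syslinux USB stick. Added example; the file contents written by
# make_samples are constructed test data, not real system files.

# Print the device mounted on "/" according to an fstab-style file
# (comment lines are skipped).
fstab_root_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# Print the root= value from the first "append" line of a syslinux.cfg.
syslinux_root_device() {
    awk '$1 == "append" { for (i = 2; i <= NF; i++)
            if ($i ~ /^root=/) { sub(/^root=/, "", $i); print $i; exit } }' "$1"
}

# Print the loop device from the first uncommented losetup line of a
# local-top script (the "# or losetup ..." alternatives are ignored).
script_loop_device() {
    awk '$1 == "losetup" { for (i = 2; i <= NF; i++)
            if ($i ~ /^\/dev\/loop[0-9]+$/) { print $i; exit } }' "$1"
}

# Return 0 if a saved "modinfo loop" output names the loop-AES module under
# updates/, 1 if it still points at the stock loop.ko (or the file is unusable).
loop_module_is_updated() {
    fn=$(awk '$1 == "filename:" { print $2; exit }' "$1")
    case "$fn" in
        */updates/loop.ko) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if fstab ($1), syslinux.cfg ($2) and the local-top script ($3)
# all agree on the root loop device. A mismatch here means the kernel will
# try to mount the wrong (or still unencrypted) device as root.
root_devices_agree() {
    a=$(fstab_root_device "$1")
    b=$(syslinux_root_device "$2")
    c=$(script_loop_device "$3")
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$a" = "$c" ]
}

# Write constructed sample files into directory $1: a consistent set, a
# syslinux.cfg that still boots the plain partition, and two modinfo outputs.
make_samples() {
    d="$1"
    printf '%s\n' '# <file system> <mount point> <type> <options> <dump> <pass>' \
        'proc /proc proc defaults 0 0' \
        '/dev/loop6 / ext3 defaults,errors=remount-ro 0 1' \
        '/dev/sda1 /boot ext3 defaults 0 2' > "$d/fstab"
    printf '%s\n' 'default linux' 'label linux' 'kernel vmlinuz' \
        'append initrd=initrd root=/dev/loop6 quiet' > "$d/syslinux.cfg"
    printf '%s\n' 'default linux' 'label linux' 'kernel vmlinuz' \
        'append initrd=initrd root=/dev/sda6 quiet' > "$d/syslinux-bad.cfg"
    printf '%s\n' '#!/bin/sh' 'HD="/dev/sda6"' \
        '    losetup -e AES256 -K /root.gpg -G / /dev/loop6 "$HD"' \
        '    # or losetup -e SERPENT128 -K /root.gpg -G / /dev/loop0 "$HD"' > "$d/loopcrypt"
    printf '%s\n' 'filename:       /lib/modules/KERNEL_VERSION/updates/loop.ko' \
        'license:        GPL' > "$d/modinfo-good.txt"
    printf '%s\n' 'filename:       /lib/modules/KERNEL_VERSION/kernel/drivers/block/loop.ko' \
        'license:        GPL' > "$d/modinfo-stale.txt"
}

# Demo on the constructed samples: ./preflight.sh demo
# On a real system pass /etc/fstab, the stick's syslinux.cfg, the local-top
# script and the output of "modinfo loop" saved to a file.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_samples "$tmp"
    if root_devices_agree "$tmp/fstab" "$tmp/syslinux.cfg" "$tmp/loopcrypt"; then
        echo "root device consistent: $(fstab_root_device "$tmp/fstab")"
    fi
    if ! root_devices_agree "$tmp/fstab" "$tmp/syslinux-bad.cfg" "$tmp/loopcrypt"; then
        echo "mismatch: syslinux-bad.cfg boots $(syslinux_root_device "$tmp/syslinux-bad.cfg")"
    fi
    loop_module_is_updated "$tmp/modinfo-stale.txt" || echo "modinfo-stale.txt: stock loop.ko still active"
    rm -rf "$tmp"
fi
```

Run the real check after 'update-initramfs -u' and before you unmount the stick; a syslinux.cfg that still says root=/dev/sda6 boots the old unencrypted partition without any error, which is the failure this catches.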