Since my last post many things have changed. No more NetBSD on my laptop (this has to do with several things I'll write about in a future post): I fell in love with Gentoo! I'll try to give you a quick overview of this post's title: encryption under Gentoo using LUKS.
There are several (good!) tutorials out there. Among these I've used:
Link | Notes
http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS | You'll get a lot of information on the topic there. I basically followed the steps described in that HowTo, but I did not end up with a working system at all; the initramfs part in particular seems to be buggy. So: follow the steps in the article except for the initramfs part!
http://de.gentoo-wiki.com/wiki/DM-Crypt (German) | Really good explanations. If you want the technical background to the whole thing, this is the place to be.
http://djamc.ath.cx/2008/01/20/howto-gentoo-vollverschlusselung-mit-cryptsetup-und-initramfs-bei-der-installation/ (German) | Another nice HowTo I found.
http://en.gentoo-wiki.com/wiki/Initramfs | As mentioned above, you'll run into trouble if you don't have a working initramfs. Follow this link for detailed information on how to create your own initramfs (as I did) and how to adapt it to your needs.
There is no need for additional explanations! Just follow the instructions in the tutorials linked above and you're done.
My initramfs
Here is the initramfs structure I'm using:
$ tree
.
├── bin
│   ├── busybox
│   ├── gpg
│   └── gpg-error
├── dev
├── etc
├── init
├── lib
│   └── modules
├── mnt
│   └── root
├── new-root
├── proc
├── README
├── root
│   └── keys
├── sbin
│   ├── cryptsetup
│   └── mdev
├── sys
└── usr
    └── bin

15 directories, 7 files
Make sure all binaries are statically linked (there is no libc or dynamic loader inside the initramfs). And this is my init script:
$ cat init
#!/bin/busybox sh
# Some useful functions
rescue_shell() {
    echo "Something went wrong. Dropping you to a shell."
    busybox --install -s
    exec /bin/busybox sh
}

# GPG workaround: gpg wants a tty to read the passphrase from
cp -a /dev/console /dev/tty

# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys
busybox --install -s
mdev -s
echo /bin/mdev > /proc/sys/kernel/hotplug

# Decrypt the LUKS key file; loops until gpg succeeds (correct passphrase)
while [ ! -e /root/keys/sda1_key ] ; do
    sleep 2
    echo "> Decrypt root ..."
    gpg -o /root/keys/sda1_key -d /root/keys/sda1_key.gpg 2> /dev/null
done

# Unlock partition (drop to a shell instead of carrying on blindly if it fails)
cryptsetup -d /root/keys/sda1_key luksOpen /dev/sda1 root || rescue_shell

# Mount new root
mount /dev/mapper/root /new-root || rescue_shell

# Create swap device with a fresh random key on every boot
# (plain dm-crypt, no LUKS header; this rules out resuming from hibernation)
cryptsetup -c twofish -h sha256 -d /dev/urandom create swap /dev/sda6
mkswap /dev/mapper/swap

# Unmount old root
umount -l /proc
umount -l /sys

# Start new system
exec switch_root /new-root /sbin/init || rescue_shell
Don't forget to copy your GPG-encrypted key into /root/keys/ of the initramfs tree and name it as the init script expects (sda1_key.gpg). After that, all you have to do is create the initramfs archive:
$ cd /usr/src/initramfs
$ find . -print0 | cpio --null -ov --format=newc | gzip -9 > /boot/initramfs.cpio.gz
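A pre-flight check for the initramfs tree before packing it, added here as an example; it is not part of the original post. It verifies the layout used above (init, bin/busybox, sbin/cryptsetup, root/keys/sda1_key.gpg), refuses to pack a tree that still contains a decrypted sda1_key (a leftover from a test run would otherwise be baked into the unencrypted /boot archive), checks with file(1) that the binaries are static, and only then runs the same cpio pipeline. The function names and the file(1) dependency are my assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a hand-built initramfs tree (layout as in the post).
# Constructed example; required paths and function names are assumptions.

# Return 0 if every required path exists and init is executable, else 1.
check_layout() {
    dir=$1; rc=0
    for p in init bin/busybox bin/gpg sbin/cryptsetup sbin/mdev \
             root/keys/sda1_key.gpg new-root proc sys dev; do
        [ -e "$dir/$p" ] || { echo "missing: $p" >&2; rc=1; }
    done
    [ -x "$dir/init" ] || { echo "init is not executable" >&2; rc=1; }
    return $rc
}

# init decrypts sda1_key.gpg to root/keys/sda1_key at boot. If a test run left
# that plaintext file in the build tree, it would be packed into /boot, which is
# not encrypted. Return 1 if any file in root/keys/ is not a .gpg file.
check_no_plaintext_keys() {
    dir=$1; rc=0
    for k in "$dir"/root/keys/*; do
        [ -e "$k" ] || continue
        case "$k" in *.gpg) ;; *) echo "plaintext key in tree: ${k#$dir/}" >&2; rc=1 ;; esac
    done
    return $rc
}

# Every ELF binary must be static: there is no ld.so or libc in the initramfs.
# Uses file(1); assumes it is installed on the build host.
check_static() {
    dir=$1; rc=0
    for f in "$dir"/bin/* "$dir"/sbin/*; do
        [ -f "$f" ] || continue
        if file "$f" | grep -q ELF && ! file "$f" | grep -q static; then
            echo "dynamically linked: ${f#$dir/}" >&2; rc=1
        fi
    done
    return $rc
}

# Run all checks and only then pack the tree (same cpio invocation as the post).
build_initramfs() {
    dir=$1; out=$2
    check_layout "$dir" && check_no_plaintext_keys "$dir" && check_static "$dir" || return 1
    (cd "$dir" && find . -print0 | cpio --null -o --format=newc | gzip -9) > "$out"
}

# Usage: sh check-initramfs.sh /usr/src/initramfs /boot/initramfs.cpio.gz
if [ $# -eq 2 ]; then build_initramfs "$1" "$2"; fi
```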
That's all!