HowTo: Full disk encryption using Gentoo, LUKS and initramfs

Since the last post many things have changed. No more NetBSD on my laptop (this has to do with several things I'll write about in a future post): I had to fall in love with Gentoo! I'll try to give you a quick overview related to this post's title: encryption under Gentoo using LUKS.

There are several (good!) tutorials out there. Among these I've used:

http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS There you'll get a lot of information related to the topic. I've basically followed the same steps as described in that HowTo. However, I didn't get a functional system at all; especially the initramfs part seems to be buggy. Therefore: follow the steps in the article except the initramfs part!
http://de.gentoo-wiki.com/wiki/DM-Crypt (German) Really good explanations. If you want some technical background on this whole thing, this is the place to be.
http://djamc.ath.cx/2008/01/20/howto-gentoo-vollverschlusselung-mit-cryptsetup-und-initramfs-bei-der-installation/ (German) Another nice HowTo I've found.
http://en.gentoo-wiki.com/wiki/Initramfs As already mentioned above, you'll get into trouble if you don't have a working initramfs. Follow this link for detailed information on how to create your own initramfs - as I did! - and how to adapt it to your needs.

There is no need for additional explanations! Just follow the instructions in the tutorial and you're done.

My initramfs

Here is the initramfs structure I'm using:

$ tree
.
├── bin
│   ├── busybox
│   ├── gpg
│   └── gpg-error
├── dev
├── etc
├── init
├── lib
│   └── modules
├── mnt
│   └── root
├── new-root
├── proc
├── README
├── root
│   └── keys
├── sbin
│   ├── cryptsetup
│   └── mdev
├── sys
└── usr
    └── bin

15 directories, 7 files

Make sure all binaries in the tree are statically linked, since the initramfs carries no shared libraries. And this is my init script:

$ cat init
#!/bin/busybox sh

# Drop to an interactive shell if anything below fails
rescue_shell() {
    echo "Something went wrong. Dropping you to a shell."
    busybox --install -s
    exec /bin/busybox sh
}

# GPG workaround: gpg needs a /dev/tty to read the passphrase from
cp -a /dev/console /dev/tty

# Mount the /proc and /sys filesystems.
mount -t proc none /proc
mount -t sysfs none /sys

# Install the busybox applet links and populate /dev
busybox --install -s
mdev -s
echo /bin/mdev > /proc/sys/kernel/hotplug

# Decrypt the key file (asks for the GPG passphrase, retries until it succeeds)
while [ ! -e /root/keys/sda1_key ] ; do
   sleep 2
   echo "> Decrypt root ..."
   gpg -o /root/keys/sda1_key -d /root/keys/sda1_key.gpg 2> /dev/null
done

# Unlock the root partition with the decrypted key
cryptsetup -d /root/keys/sda1_key luksOpen /dev/sda1 root || rescue_shell
# The plaintext key is no longer needed once the device is mapped
rm -f /root/keys/sda1_key

# Mount new root
mount /dev/mapper/root /new-root || rescue_shell

# Create swap device with a fresh random key on every boot (no hibernation)
cryptsetup -c twofish -h sha256 -d /dev/urandom create swap /dev/sda6
mkswap /dev/mapper/swap

# Unmount old root
umount -l /proc
umount -l /sys

# Start new system. exec never returns, so check the target first:
# a failed exec would end this shell instead of running rescue_shell.
[ -x /new-root/sbin/init ] || rescue_shell
exec switch_root /new-root /sbin/init

Don't forget to copy your GPG-encrypted key into /root/keys/ and name it as the init script expects (sda1_key.gpg above). Afterwards all you have to do is create the initramfs archive:

$ cd /usr/src/initramfs
$ find . -print0 | cpio --null -ov --format=newc | gzip -9 > /boot/initramfs.cpio.gz
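As an added example (not the author's script and not from the Gentoo wiki), the following POSIX shell script automates the two checks that decide whether the archive above will boot: that every binary in the tree is statically linked, as required in the section above, and that /init is executable, before packing the tree with the same find/cpio/gzip pipeline. The static-link check parses the ELF program headers with od(1) and looks for a PT_INTERP entry, so it works in a bare build chroot without file(1) or ldd(1). It assumes little-endian ELF files and a tree path given as the first argument (/usr/src/initramfs in the post); the function names and exit-status convention are my own.

```shell
#!/bin/sh
# Pre-flight checks and packing for an initramfs tree like the one in this post.
# Added example, not the author's script. Assumptions: the tree is given as $1
# (e.g. /usr/src/initramfs), binaries live under bin/, sbin/ and usr/, and all
# ELF files are little-endian. The static-link test reads the ELF program
# headers with od(1): a binary that needs the dynamic loader has a PT_INTERP
# header (type 3), so no file(1) or ldd(1) is needed in the build chroot.

# read_le FILE OFFSET NBYTES: print NBYTES at OFFSET as an unsigned little-endian integer
read_le() {
    _acc=0; _sh=0
    for _b in $(od -An -v -t u1 -j "$2" -N "$3" "$1" 2>/dev/null); do
        _acc=$(( _acc | (_b << _sh) ))
        _sh=$(( _sh + 8 ))
    done
    echo "$_acc"
}

# elf_link_type FILE: prints "static" (exit 0), "dynamic" (exit 1),
# "not-elf" (exit 2) or "unsupported" (exit 3, big-endian ELF)
elf_link_type() {
    _f=$1
    # Magic 0x7f 'E' 'L' 'F' read as one little-endian 32-bit value
    [ "$(read_le "$_f" 0 4)" = 1179403647 ] || { echo not-elf; return 2; }
    # EI_DATA (offset 5): 1 = little-endian, 2 = big-endian
    [ "$(read_le "$_f" 5 1)" = 1 ] || { echo unsupported; return 3; }
    # EI_CLASS (offset 4): 2 = ELF64, otherwise ELF32; the header layouts differ
    if [ "$(read_le "$_f" 4 1)" = 2 ]; then
        _phoff=$(read_le "$_f" 32 8)
        _phentsize=$(read_le "$_f" 54 2)
        _phnum=$(read_le "$_f" 56 2)
    else
        _phoff=$(read_le "$_f" 28 4)
        _phentsize=$(read_le "$_f" 42 2)
        _phnum=$(read_le "$_f" 44 2)
    fi
    _i=0
    while [ "$_i" -lt "$_phnum" ]; do
        # p_type is the first 4 bytes of each program header; PT_INTERP = 3
        if [ "$(read_le "$_f" $(( _phoff + _i * _phentsize )) 4)" = 3 ]; then
            echo dynamic; return 1
        fi
        _i=$(( _i + 1 ))
    done
    echo static; return 0
}

# check_tree DIR: list every dynamically linked ELF under DIR/bin, DIR/sbin and
# DIR/usr; exit 0 only if none was found (paths must not contain whitespace)
check_tree() {
    _bad=0
    for _p in $(find "$1/bin" "$1/sbin" "$1/usr" -type f 2>/dev/null); do
        case "$(elf_link_type "$_p")" in
            dynamic)     echo "DYNAMIC: $_p"; _bad=1 ;;
            unsupported) echo "SKIPPED (big-endian ELF): $_p" ;;
        esac
    done
    return $_bad
}

# build_initramfs DIR OUT: refuse to pack unless /init is executable and every
# binary is static, then pack DIR with the post's find/cpio/gzip pipeline
build_initramfs() {
    [ -x "$1/init" ] || { echo "$1/init is missing or not executable" >&2; return 1; }
    check_tree "$1" || { echo "refusing to pack: dynamically linked binaries found" >&2; return 1; }
    ( cd "$1" && find . -print0 | cpio --null -o --format=newc | gzip -9 ) > "$2"
}

# Usage: sh check-initramfs.sh /usr/src/initramfs /boot/initramfs.cpio.gz
if [ $# -ge 2 ]; then
    build_initramfs "$1" "$2"
fi
```

A static-PIE binary has a PT_DYNAMIC header but no PT_INTERP, so it passes the check, which is correct: it needs no loader at boot. The cpio command drops the `-v` from the post's pipeline so that the only output is the list of problems.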

That's all!

Published: 2011-03-07 00:00