HOWTO_loop-AES_LVM2_root_partition
Introduction
There are better ways of expressing your paranoia than by wearing a foil hat. How about installing Gentoo on a filesystem that sits on loop-AES encryption, which in turn sits on LVM2 logical volumes? This way you don't lose speed to the encryption, yet retain the flexibility of LVM2. Here's how.
Approach
My approach is to store the encrypted gpg keyfile in the unencrypted /boot partition. Others put the keyfile on a thumb drive, or even boot from a thumb drive. I can see a theoretical advantage of this, but practically, I don't see the point. I think it's much better to concentrate on strong passwords.
So I have ~20M of unencrypted /boot; the rest is either encrypted swap or encrypted storage. The storage can be an ordinary device-backed loop or an LVM-backed loop. Either way an initrd is needed, so I think the LVM route is not that much extra effort.
Don't put swap inside a logical volume. Establish it on the first possible partition. From what I've read, swap needs to be at the beginning of the disk, and if it is inside LVM you can't say where on the disk it is. I can't think of why you would want the flexibility of LVM for swap anyway.
Work
Backup. Now.
Check the backup before you do anything else.
Leave the Gentoo Live disk in its case, as it doesn't include a patched losetup. I use and recommend Knoppix. I'm using 5.1.1, but for cpqarray computers I use version 4 and get LVMv2 from somewhere else.
Boot Knoppix and sudo /etc/init.d/xsession stop, sudo passwd knoppix and sudo /etc/init.d/ssh start.
Then ssh into the machine from the comfort of your favourite chair (login as user knoppix). Use sudo fdisk, sudo cfdisk or something similar to arrange the partitions that you will be installing onto, and don't forget to sudo reboot. For the purpose of this documentation I'll use the following configuration:
| Command: # fdisk -l /dev/hdb |
Disk /dev/hdb: 40.0 GB, 40020664320 bytes
255 heads, 63 sectors/track, 4865 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hdb1               1           2       16033+  83  Linux
/dev/hdb2               3          63      489982+  82  Linux swap / Solaris
/dev/hdb3              64        2495    19535040   83  Linux
/dev/hdb4            2496        4865    19037025    5  Extended
/dev/hdb5            2496        4865    19036993+  83  Linux
|
I needn't have hdb3 and hdb5, but I'm using them here to illustrate a point later on. While I remember, establish a /boot filesystem, sudo mke2fs /dev/hdb1.
A volume for root
ssh into the machine again.
| Command: # pvcreate /dev/hdb3 /dev/hdb5 |
Physical volume "/dev/hdb3" successfully created
Physical volume "/dev/hdb5" successfully created
|
| Command: # vgcreate vg /dev/hdb3 /dev/hdb5 |
Volume group "vg" successfully created |
| Command: # lvcreate --name root -L1G vg |
Logical volume "root" created |
Encryption for /dev/vg/root
Make a gpg key with something like
| Code: |
head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | gpg --symmetric -a >/mnt/hdb1/keyfile.gpg |
Or, make one available from somewhere else. I don't care how much mouse wiggling you do, my experience is that this takes forever with /dev/random, so if experimenting, choose /dev/urandom.
Fill the partition with random looking data.
| Code: |
head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 | losetup -p 0 -e AES128 /dev/loop3 /dev/vg/root
dd if=/dev/zero of=/dev/loop3 bs=4k conv=notrunc 2>/dev/null # This can take a while
losetup -d /dev/loop3
|
An encrypted loopback is established over the top of the logical volume with losetup -e AES128 -G / -K /tmp/keyfile.gpg /dev/loop1 /dev/vg/root. I don't mean to start a filesystem war here, but really, I haven't had a problem with this: mkreiserfs /dev/loop1, and I've had more outages than you can poke a stick at. Then mount /dev/loop1 /mnt/hdb3 and follow the rest of the install procedure.
In addition to the tools listed in the howto, also emerge sys-fs/lvm2. Before you reboot, set up the initrd.
building new mount, umount, losetup, swapon and swapoff
Gentoo people don't have to follow Section 4 of the readme.
I know that >=util-linux-2.13.0.1 works for the following. echo "sys-apps/util-linux loop-aes" >> /etc/portage/package.use and emerge sys-apps/util-linux loop-aes.
| File: /etc/fstab |
/dev/loop5   /      reiserfs  noatime                               0 1
/dev/loop1   /data  reiserfs  noatime                               0 2
/dev/hdb2    none   swap      sw,loop=/dev/loop6,encryption=AES128  0 0
/dev/hdb1    /boot  ext2      noauto,noatime                        1 2
|
Loop-AES steps
What follows are some annotations against example 5 in the readme.
dietlibc
emerge dev-libs/dietlibc
aespipe
This is not required because we are doing a fresh install, not a conversion.
static gnupg
Use a 1.4 version of app-crypt/gnupg.
| Code: |
echo "=app-crypt/gnupg-1.4.7-r1 static" >> /etc/portage/package.use
emerge =app-crypt/gnupg-1.4.7-r1
|
backup
We've already backed up.
kernel
| Linux Kernel Configuration: |
General setup --->
  [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
Device Drivers --->
  [*] Block devices --->
    <*> RAM disk support
    (4096) Default RAM disk size (kbytes)
File systems --->
  Pseudo filesystems --->
    -*- /proc file system support
  Miscellaneous filesystems --->
    < > Compressed ROM file system support (cramfs)
|
make modules && make modules_install and copy the kernel into /boot.
loop module
Grab >=loop-AES-v3.2c from /usr/portage/distfiles/, then:
| Code: |
tar -jxf loop-AES-latest.tar.bz2
cd loop-AES-[]
make LINUX_SOURCE=/usr/src/linux
|
copy loop module
Something like the following:
| Code: |
# Use one kernel version string for both the module directory and the module itself
KVER=2.6.23-gentoo-r3
mkdir /boot/modules-${KVER}
cp -p /lib/modules/${KVER}/extra/loop.ko /boot/modules-${KVER}/
|
encryption keys
Done that
build-initrd.sh
This is the hard bit. cd loop-AES, cp build-initrd.sh build-initrd.conf and nano build-initrd.conf, and remove everything after ### End of options.
Edit build-initrd.conf:
| File: build-initrd.conf |
USEPIVOT=2
BOOTDEV=/dev/hdb1
CRYPTROOT=/dev/hdb3
ROOTTYPE=reiserfs
GPGKEYFILE=keyfile.gpg
USEROOTSETUP=1
|
Some of these and possibly other settings will be different for your configuration.
Create /boot/rootsetup:
| File: /boot/rootsetup |
#!/lib/sh
# Run by the loop-AES initrd. Without arguments: activate the volume group and
# set up the encrypted root loop. With -d: tear the loop down again.
if [ "x$1" != "x-d" ] ; then
    /lib/mkdir -p /proc /dev/mapper
    /lib/mount -n -t proc proc /proc
    # CRYPTROOT in build-initrd.conf only creates the /dev/hdb3 node. The second
    # physical volume needs its own: hdb is major 3, minor 64, so hdb5 is 3,69.
    /lib/mknod /dev/hdb5 b 3 69
    /lib/lvm vgscan --ignorelockingfailure
    /lib/lvm vgchange -ay --ignorelockingfailure
    /lib/umount -n /proc
    # /dev/mapper/vg-root is the device-mapper name of /dev/vg/root
    /lib/losetup -e AES128 -K /lib/keyfile.gpg -G /lib /dev/loop5 /dev/mapper/vg-root
    x=$?
    exit ${x} # exit with return status of losetup
else
    /lib/losetup -d /dev/loop5
    x=$?
    exit ${x} # exit with return status of losetup
fi
|
Note the mknod /dev/hdb5 line. If the logical volume on which root is placed consists of more than one physical volume, you need manually mknod for the additional devices. In this example the logical volume is composed of the physical volumes /dev/hdb3 and /dev/hdb5. The CRYPTROOT=/dev/hdb3 line in build-initrd.conf establishes /dev/hdb3, and to make /dev/hdb5 we need the mknod /dev/hdb5 line in /boot/rootsetup.
| Code: |
chmod 755 rootsetup
cp -p /bin/mkdir /boot/
cp -p /bin/mount /boot/
cp -p {/lib/libblkid.so.1,/lib/libuuid.so.1} /boot
cp -p /bin/mknod /boot/
cp -p /sbin/lvm /boot/
cp -p /bin/umount /boot/
echo "app-shells/dash static" >> /etc/portage/package.use
emerge app-shells/dash
cp -p /bin/dash /boot/
cd /boot && ln -sf dash sh
|
boot loader config
I use grub, so I:
| File: /boot/grub/grub.conf |
splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title=kernel-2.6.23-gentoo-r3
root (hd0,0)
kernel /boot/kernel-2.6.23-gentoo-r3
initrd /initrd.gz
|
a new /boot/initrd.gz
Make sure /boot is mounted. (Note: you may need to emerge dietlibc and gnupg before doing this step.)
| Command: ./build-initrd.sh build-initrd.conf |
Loading config from 'build-initrd.conf'
12 blocks
-rw------- 1 root root 2446 Jun 17 19:19 /boot/initrd.gz
Copying /sbin/losetup to /boot
Copying /lib/libc.so.6 to /boot
Copying /lib/ld-linux.so.2 to /boot
Copying /sbin/insmod to /boot
Copying /lib/libz.so.1 to /boot
Copying /lib/libc.so.6 to /boot
Copying /lib/ld-linux.so.2 to /boot
Copying /usr/bin/gpg to /boot
Done.
|
boot loader
Done.
fstab
| File: /etc/fstab |
/dev/loop5   /      reiserfs  noatime                               0 1
#/dev/loop1  /data  reiserfs  noatime                               0 2
/dev/hda5    none   swap      sw,loop=/dev/loop6,encryption=AES128  0 0
|
A cleartext loopback for a data logical volume
Clear text keyfile
We have an encrypted root and still need an encrypted data logical volume. The first step in establishing this is to set up a loopback.
The keyfile for the data logical volume should not have a password. The file should be clear text. This is because it is going to be stored in an encrypted partition and you don't want to have to enter passwords unnecessarily.
| Code: |
head -c 3705 /dev/random | uuencode -m - | head -n 66 | tail -n 65 >/etc/fskey-data
losetup -e AES128 -P /etc/fskey-data /dev/loop1 /dev/vg/data
mkreiserfs /dev/loop1
mkdir /data
mount /dev/loop1 /data   # the loop device set up two lines above
|
head -c 3705 etc. might return bash: uuencode: command not found. This can be solved with emerge app-arch/sharutils, or by running the head -c 3705 etc. pipeline from outside the chroot. -P does not work with <=loop-AES-v3.2b.
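As an added example (not from the original howto or from loop-AES itself), the shell functions below check the two kinds of key file this setup produces: keyfile.gpg may sit in unencrypted /boot only because it is gpg-encrypted, while fskey-data must never appear there in the clear. base64 -w 60 stands in for uuencode -m, and the sample files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the howto: sanity checks for loop-AES key files.
# All paths and sample contents below are constructed for the demonstration.

# A multi-key file as produced by the uuencode pipeline in the howto:
# exactly 65 lines of 60-character base64, all distinct.
is_loopaes_keyfile() {
    f=$1
    [ -f "$f" ] || return 1
    [ "$(wc -l < "$f")" -eq 65 ] || return 1
    # every line must be 60 base64 characters
    [ "$(grep -cvE '^[A-Za-z0-9+/]{60}$' "$f")" -eq 0 ] || return 1
    # no repeated keys
    [ "$(sort -u "$f" | wc -l)" -eq 65 ]
}

# The root keyfile written with gpg --symmetric -a is ASCII armoured.
is_gpg_armoured() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----$'
}

# Count files in a directory (e.g. /boot) that are cleartext key material.
cleartext_keys_in() {
    dir=$1
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if is_loopaes_keyfile "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Build constructed sample files: a cleartext data key (base64 -w 60 in place
# of uuencode -m, /dev/urandom because this is only a demonstration) and a
# stand-in armoured keyfile. Prints the temporary directory.
demo() {
    d=$(mktemp -d)
    head -c 3705 /dev/urandom | base64 -w 60 | head -n 65 > "$d/fskey-data"
    printf '%s\n' '-----BEGIN PGP MESSAGE-----' 'Version: constructed' '' \
        '(ciphertext would be here)' '-----END PGP MESSAGE-----' > "$d/keyfile.gpg"
    echo "$d"
}
```

Run cleartext_keys_in /boot on the real system; anything other than 0 means a key that should only live on the encrypted root has ended up on the unencrypted partition.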
Data logical volume
When booted from the CD and not in a chroot, run pvdisplay and add up all of the Free PE values. This of course presumes that you would like to allocate all of the unallocated disk to the data volume. Then lvcreate -l <total Free PE> vg -ndata. Inside the chroot, edit /etc/init.d/checkfs and create /etc/init.d/setup_loop.
| File: /etc/init.d/checkfs |
# put the following lines at the top
ebegin "Setting up loops"
/etc/init.d/setup_loop
eend $?
|
| File: /etc/init.d/setup_loop |
#!/bin/sh
losetup -e AES128 -P /etc/fskey-data /dev/loop1 /dev/vg/data
|
chmod 750 /etc/init.d/setup_loop
I would really appreciate a better solution than this kludge.
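An added example (not part of the howto) of the Free PE arithmetic above: it sums the Free PE lines from pvdisplay output and builds the lvcreate command. The pvdisplay text is constructed for the two physical volumes used here and its PE figures are made up.

```shell
#!/bin/sh
# Added example, not from the howto: total the "Free PE" of every physical
# volume reported by pvdisplay and produce the lvcreate call for the data volume.

# Reads pvdisplay text from stdin; pvdisplay prints one "Free PE  N" line per PV.
free_pe_total() {
    awk '$1 == "Free" && $2 == "PE" { total += $3 } END { print total + 0 }'
}

# Echo the lvcreate invocation for the given PE count; refuses an empty volume.
data_lv_command() {
    pe=$1
    [ "$pe" -gt 0 ] || return 1
    echo "lvcreate -l $pe vg -ndata"
}

# Constructed pvdisplay output for /dev/hdb3 and /dev/hdb5 (PE figures made up).
SAMPLE_PVDISPLAY='  --- Physical volume ---
  PV Name               /dev/hdb3
  VG Name               vg
  Total PE              4769
  Free PE               4513
  Allocated PE          256

  --- Physical volume ---
  PV Name               /dev/hdb5
  VG Name               vg
  Total PE              4647
  Free PE               4647
  Allocated PE          0'

# Sum the sample; on a live system use: pvdisplay | free_pe_total
demo_free_pe() {
    printf '%s\n' "$SAMPLE_PVDISPLAY" | free_pe_total
}
```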
User experience
After the power is turned on, your computer will proceed through the BIOS checks, the boot loader and the kernel will load, and booting will then halt with a password prompt. After the password is correctly entered, booting will continue. Once booted, df lists the mounted loopback devices.
References
This howto doesn't really explain anything more than what is described in the readme and the heavily commented build-initrd.sh.
