#48 loop-AES and debian wheezy

Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2012-11-26
Created: 2012-11-19
Creator: El Santo
Private: No

Hi!

I've been a loop-AES user for many years. It's a great piece of software.
In the old days I was using linuxfromscratch and built loop-AES myself.

At some point I became lazy, switched to debian and got loop-AES through the debian repositories.

Now I'm setting up a new workstation with debian testing (wheezy) and found that loop-AES is not in the wheezy repositories, so I decided to build it myself.

First I downloaded a debian kernel, changed the configuration to disable the loop module, and built, installed and rebooted the reconfigured kernel.

Then I built and installed the loop-AES modules.
- I saw that asm code is used if possible by default, but no Intel AES instructions. Is there any reason for this?

The next step was to setup a patched mount, losetup,etc...

Debian wheezy ships util-linux 2.20.1
On the other hand loop-AES includes patches for 2.12r, 2.21.2 and 2.22.1.

I downloaded util-linux 2.21.2 and applied your patch. I built and installed the commands (mount, losetup, etc.) as noted in loop-AES.README.
So I have some util-linux commands from 2.20 (debian build) and mount, losetup, etc. from 2.21.2 (loop-AES build).
- Is this correct, or must all the util-linux commands have the same version?

My intent is to have an unencrypted root partition and an encrypted partition for data. The gpg file with the encrypted keys is stored on the root partition.
I set up /etc/fstab and can manually mount the encrypted partition and it works well, but I'd like it to be mounted when the system boots, being asked for a password of course. But if I remove the noauto fstab option this doesn't work. From the previous loop-aes-utils debian package I saw some files to enable filesystem check on loop-AES partitions, and some initramfs files, but I guess that is related to root on loop-aes partitions.
- Any idea?

Thank you very much.

Discussion

  • Jari Ruusu

    Jari Ruusu - 2012-11-20

    > I saw that asm code are used if posible by default,
    > but no intel AES instructions. Is there any reason
    > for this?

    Intel AES code does not necessarily compile
    successfully if assembler is too old. Auto-probing that
    problem case is more work than simply grep'ing kernel
    configuration file.

    > So I have some util-linux commands from 2.20 (debian
    > build) and mount, losetup, etc from 2.21.2 (loop-AES
    > build). - Is this correct or all the util-linux
    > command must have same versioning?

    mount and umount should be same version.
    swapon and swapoff should be same version.

    > I setup /etc/fstab and can manually mount encrypted
    > partition and it works well, but i'd like to be
    > mounted when the system boots, being asked for a
    > password of course.

    Try this: Modify boot scripts so that they run losetup
    command before file systems are fsck'ed, and change
    /etc/fstab so that device to mount is plain /dev/loopX,
    and no loop= or encryption= or gpgkey= or other loop
    set up related mount options on that fstab entry. When
    system boots, losetup will ask for a passphrase and set
    up a loop device, fsck will then fsck the file system
    on that loop device, and finally mount will mount it
    without any loop device set up or passphrase asking.

  • Jari Ruusu

    Jari Ruusu - 2012-11-26
    • status: open --> closed
  • El Santo

    El Santo - 2012-11-26

    Sorry Jari, I've been very busy last week and couldn't answer before.

    Just for reference, Intel AES compiled successfully in a standard wheezy setup. :)

    I will use mount, umount and losetup from your patched version of util-linux 2.21.2 and the rest from the stock debian package. I don't have a swap partition, so no need to patch swapon/swapoff.

    I'm not sure I understand your suggestion about the boot script modification very well.
    If I remove the specific losetup options from /etc/fstab, and file systems are not mounted yet, I will need to copy the gpg key file to somewhere in the initramfs.

    Is this correct?

  • Jari Ruusu

    Jari Ruusu - 2012-11-27

    I quickly looked at current stable release of Debian 6.0
    "squeeze" init scripts, without doing any actual tests. That
    distro version seems to do non-root file system fsck's from
    /etc/init.d/checkfs.sh shell script. So, if you add these
    lines to beginning of checkfs.sh script's do_start ()
    function:

    echo "Setting up encrypted loop device"
    losetup -e AES128 -K /etc/fskey-sda99.gpg /dev/loop0 /dev/sda99

    And this line to /etc/fstab :

    /dev/loop0 /foo ext3 defaults 0 2

    Then at boot, losetup asks for a passphrase and sets up
    encrypted loop device before non-root file systems are
    checked.

    If file systems are to be checked at boot, then encrypted
    loop file system gets fsck'd just like any other non-root
    file system, and finally that encrypted loop file system
    gets mounted just like any other non-root file system.

    When /dev/loop0 has been properly set up by losetup, fsck
    and mount tools see /dev/loop0 as just another device, like
    /dev/sda1 or /dev/sda2. fsck and mount will access
    /dev/loop0 without any knowledge that it encrypts or
    decrypts writes or reads to some other backing device.