From: Markus M. <mo...@ma...> - 2008-01-03 08:28:56
Hello,

Before I waste my time developing something that already exists or is in the works:

Does anyone have a script, or is anyone working on a script, to mount the home directory of the morphix user on an encrypted luks device like a cryptsetup/luks-formatted USB stick?

There are working solutions with loop devices and AES encryption in Knoppix and Morphix, but I have not seen support for cryptsetup/luks (which allows changing the password of the encrypted partition easily and securely) until now.

Greetings,
Markus
From: Alex de L. <al...@de...> - 2008-01-03 12:33:09
Markus Mandalka wrote:
> Hello,
>
> Before I waste my time and would develop something that exists or is in
> work.
>
> Does anyone have a script or works on a script to mount the
> home-directory of the morphix-user to an encrypted luks-device like a
> cryptsetup/luks-formatted usb-stick?

Hi Markus,

Nope, as far as I know this hasn't yet been done with Morphix (only unencrypted home-directory mounting). If you do get this to work or if you need something extra in morphix to do so I'm all ears, as this would be a welcome addition.

cheers,
Alex
From: Markus M. <mo...@ma...> - 2008-01-06 08:56:22
Hello,

Thanks for your fast answer.

The scripts are now working in my morphix-based distro and will be tested by others in the next days. When the scripts support not only English but German too, and I have worked on some optical stuff, I'll upload them to a web server and send an announcement to this list.

While developing I found some small problems and still have some questions:

1.) luks works if the kernel supports cryptsetup/luks (device mappers, aes256 and so on...).

This works great with the kernel of basemod-2.6.17-2007-10-24_0014.iso.

But my favorite (more and newer drivers), basemod-2.6.23-2008-01-03_0018.iso, is not able to do a cryptsetup (the tool from the package cryptsetup, which contains command-line tools and init scripts for encryption things) luksFormat or luksOpen.

I don't know if this kernel doesn't contain support for aes256 or device mappers, or the modules are not loaded, or if the kernel is not compatible.

If you do not know what is going on without looking into it and you need more info, please write and I will do some additional checks.

These things are useful not only for encrypted homes for morphix but for rescue CDs too, because with Debian etch and now with the new Ubuntu, users are able to encrypt their systems with luks without enhanced knowledge.

2.) Because of using luks, for me not important: I had no time to check much more or to check if the problem was in front of my computer and not in the morphix kernel, but I think in both basemods the support for loop-aes is broken, which would be necessary to make the standard morphix persistent home image work if it is aes-encrypted (for example, Knoppix asks if you want to encrypt an image while you create one).

3.) Is it a bug, a feature, or well-thought-out special stuff avoiding problems because of being a live system, that the init system of the morphix live CD system is not starting all the runlevels and init scripts like a "normal Debian" does?

So is it the right way to start all needed services, for example dbus, with an "/etc/init.d/dbus start" in an own start script in /morphix/rc.m/S0xYZ, or is my development platform broken, or did I forget to switch into the right runlevel, and all services from the used Debian packages should start themselves using the standard init system while booting the CD?

4.) If using the package morphix-init-light (xfce4 as GUI) and not "logging out" but exiting xfce with "reboot" or "halt", the system is not running the scripts /morphix/rc.m/S90X11-shutdown and S99exitshell, because it seems to switch directly to runlevel 0 or 6.

So I am starting the stop script for my luks-encrypted home in /etc/rc0.d and /etc/rc6.d and not as /morphix/rc.m/S90crypthome_stop, because that way it is called in every halt or reboot scenario.

Is this the right way or is there a better "standard way" in morphix?

Greetings,
Markus
From: <al...@de...> - 2008-01-07 13:10:21
Hi Markus,

Paul answered your 2.6.23-related question, I'll try to help you out with the others:

> 2.) Because of using luks, for me not important: I had no time to check
> much more or to check if the problem was in front of my computer and not
> in the morphix kernel, but I think in both basemods the support for
> loop-aes is broken [...]

You are correct, loop-aes normally isn't added to the basemod which breaks the homedir-encryption functionality. I'll make a note of it so it's included in new(er) kernels.

> 3.) Is it a bug, a feature or well thought special stuff avoiding
> problems because being a livesystem, that the init-system of the
> morphix-live-cd-system is not starting all this runlevels and
> initscripts like a "normal debian" does?

It's a controversial bug/feature of Morphix. The mainmod-initscripts aren't started as most of the same functions have already been performed by the basemod/miniroot in booting the livecd (and this way you get a more-or-less pure debian install when installing morphix, without live-cd cruft).

You can however easily activate the runlevel-scripts by adding: "init 2" to /morphix/init.sh in the mainmodule.

> 4.) If using the package morphix-init-light (xfce4 as gui) and not
> "logging out" but exiting xfce with "reboot" or "halt" the system is not
> running the scripts
> /morphix/rc.m/S90X11-shutdown and S99exitshell because it seems directly
> switch to runlevel 0 or 6.
>
> So I am starting the stop-script for my luks-encrypted-home at
> /etc/rc0.d and /etc/rc6.d and not as /morphix/rc.m/S90crypthome_stop,
> because so it is called on every scenario how to halt or reboot.
>
> Is this the right way or is there a better "standardway" in morphix?

Adding it to both would be the most sure way to have these run upon shutdown. There isn't a standard way; in your case the best way is one that (always) works :)

thanks for your feedback,
Alex
From: Paul <pa...@tu...> - 2008-01-06 11:24:37
Hi Markus

On Sunday 06 January 2008 08:38, Markus Mandalka wrote:
> While developing I found some little problems or have still some questions:
>
> 1.) luks is working if the kernel supports cryptsetup/luks
> (devicemappers, aes256 and so on...).
>
> This works great with the kernel of basemod-2.6.17-2007-10-24_0014.iso.
>
> But my favorite (more and newer drivers)
> basemod-2.6.23-2008-01-03_0018.iso is not able to do a cryptsetup (tool
> from in the package cryptsetup which contains commandline-tools and
> initscripts for encryption-things) luksFormat or luksOpen.
>
> I don't know if this kernel doesn't contain support for aes256 or
> devicemappers or the modules are not loaded or if the kernel is not
> compatible.

The encryption modules are all available except for cryptd (config option CONFIG_CRYPTO_CRYPTD). Also enabled are CONFIG_BLK_DEV_DM and CONFIG_DM_CRYPT (both as modules), so I suspect you just need to load the modules to get going.

Please note - I built the kernel package(s) using Debian's default configurations except for ISO9660_FS, EXT2_FS, EXT3_FS, and REISER_FS options - These are compiled in to the kernel (perhaps XFS_FS should be too).

> If you do not know without looking for that what is going on and you
> should need more info, please write and I will do some additional checks.

Sounds like you need to load the dm_crypt and aes modules - If any others are missing, let me know and I'll rebuild the kernel.

Regards,
Paul.
From: Markus M. <mo...@ma...> - 2008-01-06 15:52:46
Hello,

> The encryption modules are all available except for cryptd (config option
> CONFIG_CRYPTO_CRYPTD). Also enabled are CONFIG_BLK_DEV_DM and CONFIG_DM_CRYPT
> (both as modules), so I suspect you just need to load the modules to get
> going.
>
> Please note - I built the kernel package(s) using Debian's default
> configurations except for ISO9660_FS, EXT2_FS, EXT3_FS, and REISER_FS
> options - These are compiled in to the kernel (perhaps XFS_FS should be too).

> Sounds like you need to load the dm_crypt and aes modules - If any others are
> missing, let me know and I'll rebuild the kernel.

It works with the new kernel if I load the dm-crypt module before cryptsetup.

Thanks for the info and sorry for wasting your time - when I asked I was a little bit confused because it worked out of the box with the old baseiso, so I didn't think to check the easiest possibility. 8-)

Greetings,
Markus
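
The fix the thread arrives at (load dm-crypt before running cryptsetup) can be checked up front. The following is an added example, not part of the original thread or of Morphix: a pre-flight check that reads a kernel config and a /proc/modules listing and reports which modules still need a modprobe. The function names, the option-to-module mapping and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check to run before `cryptsetup luksOpen`.
# Assumed mapping of kernel options to module names (dm_mod, dm_crypt, aes);
# an arch-specific AES module would show up under a different name.

# config_state CONFIG_FILE OPTION -> prints y (built in), m (module) or n
config_state() {
    state=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${state:-n}"
}

# module_loaded MODULES_FILE NAME -> status 0 if NAME is listed
# (/proc/modules uses underscores, modprobe accepts dashes too)
module_loaded() {
    name=$(echo "$2" | tr '-' '_')
    awk -v m="$name" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# luks_preflight CONFIG_FILE MODULES_FILE
# prints "ok MOD", "load MOD" (modprobe needed) or "missing MOD" (rebuild kernel)
luks_preflight() {
    for pair in CONFIG_BLK_DEV_DM:dm_mod CONFIG_DM_CRYPT:dm_crypt CONFIG_CRYPTO_AES:aes; do
        opt=${pair%%:*}
        mod=${pair#*:}
        case $(config_state "$1" "$opt") in
            y) echo "ok $mod" ;;
            m) if module_loaded "$2" "$mod"; then echo "ok $mod"
               else echo "load $mod"; fi ;;
            *) echo "missing $mod" ;;
        esac
    done
}

# Constructed sample: device-mapper and crypto options built as modules,
# cryptd unset, and only dm_mod loaded so far.
sample_run() {
    dir=$(mktemp -d)
    printf '%s\n' 'CONFIG_BLK_DEV_DM=m' 'CONFIG_DM_CRYPT=m' 'CONFIG_CRYPTO_AES=m' \
        '# CONFIG_CRYPTO_CRYPTD is not set' > "$dir/config"
    printf '%s\n' 'dm_mod 52736 0 - Live 0xf8a3c000' > "$dir/modules"
    luks_preflight "$dir/config" "$dir/modules"
    rm -rf "$dir"
}

sample_run
# On a real system: luks_preflight "/boot/config-$(uname -r)" /proc/modules
```

For each `load` line, run `modprobe` on that module before `cryptsetup luksOpen`; `/boot/config-$(uname -r)` is only available if the image ships the kernel config.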