Hello All,
I have the following problem:
I tried to encrypt the root partition on a newly installed and freshly updated CentOS 5.2 running on LVM.
Notebook Dell Latitude D630:
Disk partitioned:
fdisk -l
Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot   Start     End     Blocks   Id  System
/dev/sda1   *     3866    3882     136552+  83  Linux      ----> /boot partition
/dev/sda2   *       16    3865   30925125    7  HPFS/NTFS  ----> windows
/dev/sda3         3883   13609   78132127+  83  Linux      ----> partition for encrypted data
/dev/sda4        18600   19457    6891885   8e  Linux LVM  ----> current CentOS installation
I am running kernel: 2.6.18-92.1.22.el5PAE
I tried to create an encrypted partition with cryptsetup LUKS to encrypt the whole root partition, and I followed this manual exactly:
http://lists.centos.org/pipermail/ce...er/001791.html
So everything was ok, I was able to do all of this:
cryptsetup -v -y -s 256 luksFormat /dev/sda3
cryptsetup luksOpen /dev/sda3 crypt
key slot 0 unlocked.
Command successful.
cryptsetup luksDump /dev/sda3
LUKS header information for /dev/sda3
Version: 1
Cipher name: aes
Cipher mode: cbc-essiv:sha256
Hash spec: sha1
Payload offset: 1032
MK bits: 128
MK digest: 2c da d4 15 2b 0d d5 ed 6c 8a a6 e2 b9 fe 26 c8 da a5 90 b9
MK salt: bb 20 50 e4 73 df b6 31 8c a0 a8 69 9a e5 a6 a6
8d d4 fc 22 8b 46 7c 5a de 02 18 18 92 11 de 83
MK iterations: 10
UUID: 5a7a7b07-4a28-4c03-a913-c1313183c52a
Key Slot 0: ENABLED
Iterations: 212118
Salt: 91 20 0d 52 30 68 c6 1f a5 c0 6a 97 25 f6 85 31
c8 a1 98 33 57 2b b5 48 2b e7 c6 43 20 ba 14 3f
Key material offset: 8
AF stripes: 4000
Key Slot 1: ENABLED
Iterations: 211126
Salt: 98 e6 4b d6 4f 7b 77 c9 ab 17 9f 3a 16 73 dc 07
d0 5c ad e2 1a 92 e0 77 32 0c 9c be fe 4b c4 93
Key material offset: 136
AF stripes: 4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
cryptsetup status crypt
/dev/mapper/crypt is active:
cipher: aes-cbc-essiv:sha256
keysize: 128 bits
device: /dev/sda3
offset: 1032 sectors
size: 156263223 sectors
mode: read/write
dmsetup status
vg00-lvol01: 0 9175040 linear
crypt: 0 156263223 crypt
vg00-lvol04: 0 1179648 linear
vg00-lvol03: 0 983040 linear
vg00-lvol02: 0 1179648 linear
ls -l /dev/mapper
total 0
crw------- 1 root root 10, 63 Jan 9 2009 control
brw-rw---- 1 root disk 253, 4 Jan 9 08:12 crypt
brw-rw---- 1 root disk 253, 0 Jan 9 08:08 vg00-lvol01---------> /
brw-rw---- 1 root disk 253, 2 Jan 9 08:08 vg00-lvol02---------->/home
brw-rw---- 1 root disk 253, 1 Jan 9 08:08 vg00-lvol03----------->/tmp
brw-rw---- 1 root disk 253, 3 Jan 9 2009 vg00-lvol04------------>/swap
cryptsetup luksClose crypt
I am also able to load modules without any problem:
modprobe dm-mod aes sha256 cbc
ok
I was able to create mkinitrd with "patched" mkinitrd for encrypted FS:
/sbin/mkinitrd -v /boot/initrd-2.6.18-92.1.22.el5PAE.crypt.img 2.6.18-92.1.22.el5PAE
Then in single user mode:
cryptsetup luksOpen /dev/sda3 crypt
dd if=/dev/sda4 of=/dev/mapper/crypt
cryptsetup luksClose crypt
everything ok!
But when I tried to boot from the new initrd image:
The system correctly asks for the passphrase and.....
ERROR:
========================================
device-mapper: table: 253:0: crypt unknown target type ---------> I found something about a multipath issue.
Failed to setup dm-crypt key mapping.
Check kernel for support for aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda3 contains at least 133 sectors.
Failed to read from key storage.
========================================
Maybe it is also a problem with mkinitrd or the kernel version?
I tried to set it all up before on VirtualBox (the same kernel without PAE) and it worked!
One more strange thing is happening: I checked other manuals, and they say that /dev/mapper/crypt should be formatted as ext3.
So I tried also:
cryptsetup luksOpen /dev/sda3 crypt
mkfs.ext3 /dev/mapper/crypt --> but at this step, the system stopped responding and I had to reboot.
Maybe try in single user mode?
But highly run be crazy upper issue.
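
The "crypt unknown target type" message in the boot error above means device-mapper had no `crypt` target registered when the initrd ran, and that target is provided by the dm-crypt kernel module. The following is an added example, not part of the original post: it checks an initrd file listing for the modules named in the post plus dm-crypt. The helper name, the gzip-compressed cpio initrd format and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list which modules needed to unlock a LUKS root are absent
# from an initrd file listing (one path per line on stdin).
# Assumed real use, for a gzip-compressed cpio initrd:
#   zcat /boot/initrd-2.6.18-92.1.22.el5PAE.crypt.img | cpio -it | missing_crypt_modules

# Modules named in the post, plus dm-crypt, which registers the "crypt" target.
REQUIRED_MODULES="dm-mod dm-crypt aes sha256 cbc"

# Hypothetical helper: prints the missing module names, space separated.
missing_crypt_modules() {
    listing=$(cat)
    missing=""
    for mod in $REQUIRED_MODULES; do
        # '-' and '_' are interchangeable in module names, and an
        # arch-specific build such as aes-i586.ko also provides "aes".
        name=$(printf '%s' "$mod" | sed 's/-/[-_]/g')
        pattern="(^|/)${name}([-_][a-z0-9]+)?"'\.ko$'
        if ! printf '%s\n' "$listing" | grep -Eq "$pattern"; then
            missing="$missing $mod"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample listing (not taken from the poster's initrd): the cipher
# modules are present but dm-crypt.ko was never copied in.
sample_listing() {
    cat <<'EOF'
bin/cryptsetup
bin/nash
init
lib/dm-mod.ko
lib/aes-i586.ko
lib/sha256.ko
lib/cbc.ko
lib/ext3.ko
EOF
}

result=$(sample_listing | missing_crypt_modules)
if [ -n "$result" ]; then
    echo "initrd is missing: $result"
else
    echo "all required modules present"
fi
```

An empty result only shows the module files are in the image; the initrd's init script still has to load them before cryptsetup runs.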