LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 06-04-2008, 11:01 PM   #1
orbit
Member
 
Registered: Sep 2006
Location: Australia
Distribution: Slackware
Posts: 176

Rep: Reputation: 30
Partition Encryption - Errors and Confusion?


Hi all,
In an attempt to create an encrypted partition on my Slackware 12 system (not the root or swap partition, just a standard partition on a secondary drive to store all my important data). I would like this partition to be visible in KDE system:/media but require a password to open/decrypt it for use after booting into KDE.


I have been working with the "README_CRYPT.TXT" written by Alien_Bob; but after following the readme and (I think) adapting as necessary, I am a little stumped as to why it is not working.

What I have done so far:

1. Create a 5Gb ext3 partition as /dev/hdb6, label crypt.

2. Reboot for partition table to update and KDE to 'see' new partition.

3. Open root terminal in kde, type:
Quote:
cryptsetup -s 256 -y luksFormat /dev/hdb6

cryptsetup luksDump /dev/hdb6

cryptsetup luksOpen /dev/hdb6 crypt

echo "<passwd> crypt /dev/hdb6" > /etc/crypttab

pvcreate /dev/mapper/crypt

vgcreate cryptvg /dev/mapper/crypt

lvcreate -L 5G -n crypt cryptvg

vgscan --mknodes

vgchange -ay

After rebooting the computer, I have .. well .. nothing?

The crypt partition is no longer appearing in KDE system:/media. If I open a root terminal and type mount, there is no mention of /dev/hdb6 being mounted anywhere?

I then made a directory /mnt/crypt and attempted to mount /dev/hdb6 manually:
Quote:
root@Crazed-Weasel:~# mkdir /mnt/crypt
root@Crazed-Weasel:~# mount /dev/hdb6 /mnt/crypt
mount: wrong fs type, bad option, bad superblock on /dev/hdb6,
missing codepage or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
So then I followed up with 'dmesg | tail' and was presented with this:
Quote:
EXT3-fs error (device hdb6): ext3_check_descriptors: Block bitmap for group 0 not in group (block 1880800975)!
EXT3-fs: group descriptors corrupted!
What does that mean?
Did I miss an important step in the encryption process somewhere?


I am very new to encryption so if anyone could offer suggestions or solutions to this, I would really appreciate it.

Thanks very much in advance for any help.

Regards

Orbit
 
Old 06-05-2008, 03:31 AM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,225

Rep: Reputation: Disabled
A lot of comments to make on your story.. but I do not have all that much time, so I am giving you some pointers so that it will be easier to do what you want.

* You do not have to use LVM if you want disk encryption. In your case, it may just add to the confusion. It will not hurt either

* When you encrypt the partition /dev/hdb6 using cryptsetup, you make it inaccessible using the "mount /dev/hdb6" command. Instead, you will have to mount the mapped device that is created as "/dev/mapper/crypt" after you run "cryptsetup luksOpen /dev/hdb6 crypt" and enter a passphrase.

* The format of /etc/crypttab is not well-documented. You made a mistake by running
Code:
echo "<passwd> crypt /dev/hdb6" > /etc/crypttab
. The correct syntax would be
Code:
echo "crypt /dev/hdb6 <password>" > /etc/crypttab
* I do not see you mentioning that you formatted the partition with a filesystem - something like
Code:
mkfs.ext3 /dev/mapper/crypt
is required before you can mount the partition using
Code:
mount /dev/mapper/crypt /mnt/crypt
Hope this helps.

Eric
 
Old 06-05-2008, 09:48 PM   #3
orbit
Member
 
Registered: Sep 2006
Location: Australia
Distribution: Slackware
Posts: 176

Original Poster
Rep: Reputation: 30
Hello Alien Bob,

Yes indeed, your comments did the trick, I adjusted the password string and did the mkfs as you suggested and the encryption is now working, thank you very much for your help!

I have set the encrypted partition label, and also have '/dev/mapper/crypt' now mounting and unmounting via HAL so it shows up and is usable in KDE system:/media as the 'Crypt' drive.


However, after exploring this cryptsetup partition encryption, I have some security concerns about my data.

These are:

1. Cryptsetup requires a password (which is written in plain english) in the file '/etc/crypttab' or without it the system pauses at the password prompt, and will not automatically boot.

2. I also tried entering the password into the 'cryttab' file to automate the system boot, but then setting chmod on '/etc/crypttab' to 100600 (read-write only by root, denied to other users), this would seem to 'protect' the file from other users viewing it while in Slackware; but after booting with SLAX, I was able to navigate straight to the file and read it's content and my password (ouch).

3. Even after either having the password written in the 'crypttab' file, or manually entering each time (yuk) the password to continue the system boot, it seems that the encrypted partition is automatically left Wide-Open for reading by anyone while the system is booted. To me this seems like a major security hole and it seems to negate the whole point of the encryption (which only works when the system is turned off?).


Therefore, do you know anyway that cryptsetup can be configured, so that the boot is automated without having the password written in the file or requiring user boot input?

My Goal:
What I am after; by default the partition is 'unmounted and encrypted' during boot and normal operation of the system. But .. If I actually want to use that partition while in KDE , I can click on it in system:/media and it will mount as it does now, but with the addition of requesting a password to access the drive?

Do you think this addition is possible? Any suggestion on how you think this may be done?

I look forward to your thoughts on this matter.

Regards

Orbit
 
Old 06-05-2008, 11:21 PM   #4
orbit
Member
 
Registered: Sep 2006
Location: Australia
Distribution: Slackware
Posts: 176

Original Poster
Rep: Reputation: 30
Hello again,

Never mind, I've sorted it out.

What I have done is used the LUKS frontend Krypt

This program gives me a graphical frontend to control the LUKS encrypted partitions. It does require a slight modification of the existing system to use it; in that you have to remove the '/etc/crypttab' file (not a bad thing at all).

I have noticed that it does encrypt & decrypt the partition quite well, even working in with HAL to show up the new volume, it can quickly be configured to give a password prompt only for when you want to access your encrypted partition, without passwords being stored on your system, so it is very good.

It does seem to have one small bug; if you encrypt/decrypt the partition too many times in one session, the program gets 'confused' and stops controlling. To overcome this, simply close the program and re-open it, and it runs well again.

Maybe this helps someone else.

Cheers

Orbit
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Full disk encryption on boot partition paul_mat Linux - Security 13 03-12-2008 02:11 AM
Partition Confusion Controlpanel Linux - Newbie 3 09-11-2007 08:01 PM
Linux directory/partition Encryption sehh Linux - Security 1 12-03-2006 01:37 PM
Drive encryption (not loop, not a new partition) grayFalcon Linux - Security 2 05-12-2005 01:28 AM
a bit confusion between partition type farhan Linux - General 3 03-15-2003 01:07 PM


All times are GMT -5. The time now is 01:55 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration