LMDE 201303 or 201403 with luks encrypted lvm2 partitions


Re: LMDE 201303 with luks encrypted lvm2 partitions

Postby Pepas on Sun Jan 26, 2014 1:06 pm

Well caught MoonSire, I guess I never tried to do that.
It's fixed now.
Pepas
Level 1
Posts: 35
Joined: Mon Jan 24, 2011 10:18 am


Re: LMDE 201303 with luks encrypted lvm2 partitions

Postby MoonSire on Sun Jan 26, 2014 1:21 pm

Thank you for a very nice script by the way :)

I have been trying to learn more and more about this, mostly to have some kind of noob protection if anyone breaks into my house and steals my things ;)

maybe an optional disk wipe could be added, as in step #3 here (with the nice progress display):
http://www.cyberciti.biz/hardware/howto-linux-hard-disk-encryption-with-luks-cryptsetup-command/

PS. I did an edit to my earlier post as well :)
MoonSire
Level 1
Posts: 4
Joined: Sun Jan 26, 2014 11:44 am

Re: LMDE 201303 with luks encrypted lvm2 partitions

Postby Pepas on Sun Jan 26, 2014 1:31 pm

Yes, something like that is not hard to add. Usually people use pseudorandom data instead of zero though. The pv utility (or dcfldd) will need to be installed first for a progress bar. I'll look into this. The problem is also, it is likely to take very long... And I have never heard of a method to break the encryption due to not preformatting in such a way.
Pepas
Level 1
Posts: 35
Joined: Mon Jan 24, 2011 10:18 am

Re: LMDE 201303 with luks encrypted lvm2 partitions

Postby MoonSire on Sun Jan 26, 2014 1:38 pm

I think it would be most useful if people are reusing old hard drives, just to keep people from gaining access to old stored data. And if it is in the script they might be interested to learn more about why and that's always nice ;)

I read that it could take days for multi-terabyte hard drives, so the optional bit might be nice :D
MoonSire
Level 1
Posts: 4
Joined: Sun Jan 26, 2014 11:44 am

Re: LMDE 201303 with luks encrypted lvm2 partitions

Postby Pepas on Sun Jan 26, 2014 7:17 pm

Thank you MoonSire for your debugging. I incorporated the modifications you linked to in your earlier post.
And I added the pseudo-random filling of the encrypted partition, using badblocks. (That's already installed, has a progress bar, and has the nice side effect of making sure there are no bad blocks to start out with!)
I also added some more comments in the SETTINGS section. :)
Pepas
Level 1
Posts: 35
Joined: Mon Jan 24, 2011 10:18 am

Re: LMDE 201303 with luks encrypted lvm2 partitions

Postby MoonSire on Tue Jan 28, 2014 3:09 pm

Oooh, extremely nice :) I am just happy to help!

After upgrading the system (I suspect to UP7) I lost the font on the boot screen that would tell me to input the password for the encrypted volume (it was just squares). I found a solution here:
http://forums.linuxmint.com/viewtopic.php?f=189&t=146997
(Mostly just added to this thread to help others find it easily ;) )

Maybe this should be transferred to an official wiki page for everyone to see :) You have done a great job and made it so very easy, so it would be nice if as many people as possible could benefit from it.
MoonSire
Level 1
Posts: 4
Joined: Sun Jan 26, 2014 11:44 am

Re: LMDE 201303 with luks encrypted lvm2 partitions

Postby volodka on Tue Mar 04, 2014 5:46 am

I tried using your script on LMDE 201403, it didn't work. After reboot grub commandline met me, and no kernel got loaded.
Even so, your script helped me - I looked at it to know what to do when using linux mint default installer when it told me to mount everything at /target and then told me to chroot, write fstab and install packages.
Btw you should add a setting for choosing cipher.
volodka
Level 1
Posts: 1
Joined: Tue Mar 04, 2014 5:43 am

Re: LMDE 201303 with luks encrypted lvm2 partitions

Postby Pepas on Tue Mar 04, 2014 2:31 pm

volodka wrote:I tried using your script on LMDE 201403, it didn't work.

Sorry, I had been hacking on it after uploading, it now works for me at Cinnamon 32bit and Mate 64bit 201403.

volodka wrote:Btw you should add a setting for choosing cipher.

It would not be difficult, but people who really require this can easily edit the Makefile at the luksFormat line and add --cipher and/or --key-size. Most people are only concerned with average people being able to decrypt their stuff. The biggest way to increase security is to use longer and stronger passphrases. But, I have changed the default to honour Dr.Bruce and speed it up. :-)
Pepas
Level 1
Posts: 35
Joined: Mon Jan 24, 2011 10:18 am

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby Trapper on Tue Mar 04, 2014 6:14 pm

I successfully created a FDE drive with LMDE 201403 64bit with Mate using the updated script. Worked a charm for me. I only have one thing I question. The script has:

    root_size=REST
    swap_size=DEFAULT
    data_size=NO


My thinking is it should be:

    root_size=DEFAULT
    swap_size=DEFAULT
    data_size=REST


...and be adjusted if the user desires.

Overall, I am very happy the updated Makefile script for 201403 has been made available. Thank you!
Trapper
Level 3
Posts: 183
Joined: Sat Dec 03, 2011 12:21 pm
Location: Sebring, Florida USA

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby Pepas on Tue Mar 04, 2014 6:43 pm

Trapper wrote:
    data_size=NO

Overall, I am very happy the updated Makefile script for 201403 has been made available. Thank you!


I had something more similar to what you propose, but it's more likely to fail for smaller spaces. This way, any install can fit in a smaller space.
But people are encouraged to change the settings according to their need: separate /home partition perhaps, particular size for root, perhaps more (or no) swap space. :-)
Pepas
Level 1
Posts: 35
Joined: Mon Jan 24, 2011 10:18 am

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby Trapper on Tue Mar 04, 2014 7:07 pm

I understand your reasoning. Thanks. Thanks again for the updated script too.
Trapper
Level 3
Posts: 183
Joined: Sat Dec 03, 2011 12:21 pm
Location: Sebring, Florida USA

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby j0b on Sun Mar 16, 2014 10:45 pm

Pepas wrote:Upgraded the Makefile to work with LMDE 201403 as well.
It works for both the Mate and the Cinnamon 32bit and 64bit editions

Makefile: http://j.mp/makelmde
"This Makefile will result in a working install of Linux Mint Debian Edition edition (version 201303 or 201403) on a luks encrypted lvm2 partition with root, swap and data filesystem"

Instructions:

.
.
.

And that's it!


Pepas,

Thanks for posting the Makefile, it's a nice option until proper support is implemented into the installer. I've reviewed your Makefile and have some observations re: _encrypt (line 294-307).

# LINE 300 - ORIGINAL
    cryptsetup luksFormat -c twofish-xts-plain -s 256 -h sha256 ${crypt_device}     ## effective twofish 128 bit due to halving by XTS mode

# LINE 300 - SUGGESTION (either)
    cryptsetup luksFormat -c aes-xts-plain64 -s 512 -h sha512 ${crypt_device}
    cryptsetup luksFormat -c aes-xts-plain64:sha512 -s 512 ${crypt_device}

# -c [cipher/mode/IV]
# -c twofish-xts-plain #ORIGINAL
# -c aes-xts-plain64 #SUGGESTION
# "plain" initialization vector (IV) is susceptible to watermarking on devices >2TiB
# "plain64" IV should be identical to output of "plain" <2TiB, yet handle output >2TiB
#
# REFERENCE (section 5.15)
# https://code.google.com/p/cryptsetup/wi ... ty_Aspects
#
# 5.15 Are there any problems with "plain" IV? What is "plain64"?
#
# First, "plain" and "plain64" are both not secure to use with CBC, see previous FAQ item.
#
# However there are modes, like XTS, that are secure with "plain" IV. The next limit is that "plain" is 64 bit,
# with the upper 32 bit set to zero. This means that on volumes larger than 2TiB, the IV repeats, creating a
# vulnerability that potentially leaks some data. To avoid this, use "plain64", which uses the full sector number
# up to 64 bit. Note that "plain64" requires a kernel >= 2.6.33. Also note that "plain64" is backwards compatible
# for volume sizes <= 2TiB, but not for those > 2TiB. Finally, "plain64" does not cause any performance penalty
# compared to "plain".



I'm trying to understand why you include two different cipher/mode/IV strings in the Makefile.
    cryptsetup luksFormat -c twofish-xts-plain -s 256 -h sha256 ${crypt_device}        ## LINE 300          ## force_reencrypt==yes > luksFormat with cipher/mode/IV "twofish-xts-plain"
    cryptsetup luksFormat -c aes -s 128 ${crypt_device}                                ## LINE 304          ## force_reencrypt==no  > lukstest > if luks header not found encrypt with 128 bit aes cipher


# LINE 294-307 - ORIGINAL
    _encrypt:
      @echo
    ifeq "${force_reencrypt}" "YES"                                                                         ## force_reencrypt test
    ifeq "${force_random}" "YES"                                                                            ## force_reencrypt==yes > force_random test
      badblocks -c 10240 -s -w -t random -v ${crypt_device}                                                 ## force_reencrypt==yes > force_random==yes > run badblocks
    endif                                                                                                   ## force_reencrypt==yes > force_random==no  > continue
      cryptsetup luksFormat -c twofish-xts-plain -s 256 -h sha256 ${crypt_device}                           ## force_reencrypt==yes > luksFormat with cipher/mode/IV "twofish-xts-plain"
      rm -fv _decrypt                                                                                       ## force_reencrypt==yes > remove -f _decrypt?
    else                                                                                                    ## force_reencrypt==no  > continue
      if cryptsetup isLuks ${crypt_device}; then echo; echo "  ${crypt_device} is already formatted";\      ## force_reencrypt==no  > lukstest > if luks header found (encrypted container) do nothing
      else cryptsetup luksFormat -c aes -s 128 ${crypt_device}; rm -fv _decrypt; fi                         ## force_reencrypt==no  > lukstest > if luks header not found encrypt with 128 bit aes cipher
    endif
      touch $@
Last edited by j0b on Mon Mar 17, 2014 4:04 pm, edited 1 time in total.
j0b
Level 1
Posts: 1
Joined: Sun Mar 16, 2014 9:48 pm

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby Pepas on Mon Mar 17, 2014 1:45 pm

j0b wrote:Thanks for posting the Makefile, it's a nice option until proper support is implemented into the installer.

Thank you for your review. Unfortunately, the latest version where I had fixed the encryption options got overwritten by an older version. This should be fixed now.

I did change the default to "-c aes-xts-plain64 -s 512 -h sha512" with the longer cipher and hash, and chose aes because it is much more likely to be supported by hardware (making it much faster). It can be adapted in the SETTINGS section. If you have further comments, I'm looking forward to hearing from you.

Incidentally, there is a great installer available that the creator and maintainer of Semplice Linux (also Debian based) coded, which has the support built in. But it looks like LMDE only gets minimal resources...
Pepas
Level 1
Posts: 35
Joined: Mon Jan 24, 2011 10:18 am
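The two posts above (j0b's review of the _encrypt target and the plain/plain64 IV question, and Pepas's switch to "-c aes-xts-plain64 -s 512 -h sha512") can be tied together in a small dry-run helper. This is an added example, not the thread's Makefile or bash script: the function and variable names are hypothetical, and the only facts it encodes are the ones stated above (XTS halves the key size, the "plain" IV repeats on volumes over 2TiB, plain/plain64 are not safe with CBC). It never touches a device; it prints the commands the _encrypt step would run and flags a cipher spec that does not fit the device size.

```shell
#!/bin/sh
# Added example, not the thread's Makefile or script: a settings-driven dry run
# of the _encrypt step plus checks on the cipher spec. Function and variable
# names are hypothetical; the facts (XTS halves the key, "plain" IV repeats
# above 2TiB, plain/plain64 unsafe with CBC) come from the discussion above.

TIB2=2199023255552            # 2 TiB in bytes: the "plain" IV wraps above this

# effective_key_bits SPEC KEYSIZE: XTS splits the key in two, so "-s 512" with
# aes-xts gives AES-256 and "-s 256" with twofish-xts gives Twofish-128.
effective_key_bits() {
  case $1 in
    *-xts-*) echo $(( $2 / 2 )) ;;
    *)       echo "$2" ;;
  esac
}

# check_cipher_spec SPEC DEVICE_BYTES: prints "ok: ..." and returns 0 when the
# mode/IV pair is acceptable for a device of that size, else the reason and 1.
check_cipher_spec() {
  spec=$1; bytes=$2
  case $spec in
    *-*-*) ;;
    *) echo "ok (no mode/IV given, cryptsetup defaults apply): $spec"; return 0 ;;
  esac
  rest=${spec#*-}               # aes-xts-plain64:sha512 -> xts-plain64:sha512
  mode=${rest%%-*}              # -> xts
  iv=${rest#*-}; iv=${iv%%:*}   # -> plain64 (an optional :hash suffix is dropped)
  case "$mode:$iv" in
    cbc:plain|cbc:plain64)
      echo "unsafe: $iv IV with CBC mode (see the quoted cryptsetup FAQ)"
      return 1 ;;
    *:plain)
      if [ "$bytes" -gt "$TIB2" ]; then
        echo "unsafe: plain IV repeats on volumes over 2TiB, use plain64"
        return 1
      fi ;;
  esac
  echo "ok: $spec"
}

# encrypt_plan DEV SPEC KEYSIZE HASH FORCE_REENCRYPT FORCE_RANDOM ALREADY_LUKS
# Prints, one per line, the commands the Makefile's _encrypt target would run
# for these settings. ALREADY_LUKS (yes/no) stands in for "cryptsetup isLuks"
# so the plan can be produced without touching a device.
encrypt_plan() {
  dev=$1; spec=$2; keysize=$3; hashalg=$4; reenc=$5; rnd=$6; already=$7
  if [ "$reenc" = YES ]; then
    # optional pseudo-random fill; doubles as a surface scan for bad blocks
    [ "$rnd" = YES ] && echo "badblocks -c 10240 -s -w -t random -v $dev"
    echo "cryptsetup luksFormat -c $spec -s $keysize -h $hashalg $dev"
  elif [ "$already" = yes ]; then
    echo "# $dev is already formatted, keeping the existing LUKS header"
  else
    echo "cryptsetup luksFormat -c $spec -s $keysize -h $hashalg $dev"
  fi
}

# Demo on constructed settings (plan only, no device is written).
demo_dev=/dev/sdb2
demo_bytes=4398046511104       # a 4 TiB device
check_cipher_spec twofish-xts-plain "$demo_bytes" || true
check_cipher_spec aes-xts-plain64 "$demo_bytes"
echo "aes-xts-plain64 -s 512 is AES-$(effective_key_bits aes-xts-plain64 512)"
encrypt_plan "$demo_dev" aes-xts-plain64 512 sha512 YES YES no
```

The size check is the part worth keeping around: a spec that was fine on a 1 TB laptop disk (twofish-xts-plain) silently becomes the >2TiB IV-repeat case when the same settings file is reused on a bigger drive, which is exactly why j0b's plain64 suggestion is the safer default.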

create public git repo?

Postby TomRoche on Tue Mar 18, 2014 1:31 pm

j0b wrote:Thanks for posting the Makefile, it's a nice option until proper support is implemented into the installer.


ditto! I'm setting up a new box, and was going to ask if any LMDE installers supported resizable encrypted partitions.

Pepas wrote:Unfortunately, the latest version where I had fixed the encryption options got overwritten by an older version. This should be fixed now.


My proposal is, put this Makefile (and any related files) in a web-based `git` repository, hosted by, e.g., Bitbucket or GitHub. That would

  1. provide a commit trail, so one could see what was added when, and why
  2. tend to prevent problems like that overwrite (above)
  3. allow others to fork and contribute via pull request

as well as retain easy download of the current version. Bitbucket has an advantage here with its separate project section=Downloads (e.g., this), but that shouldn't be a problem for just a Makefile. Bitbucket also allows one to give a URI that points directly to the "raw"/downloadable latest version (i.e., HEAD) of a managed file (e.g., this); I suspect GitHub also allows this, but it's been awhile since I've used GH much (since they removed Downloads).

Pepas wrote:looks like LMDE only gets minimal resources...


Hafta disagree there: LMDE is (IMHO) the single most usable direct Debian fork (i.e., non-Ubuntu fork), and that doesn't "just happen." That being said, IIUC, the Debian installer has supported LUKS and LVM for awhile. I'd like to see such support in the "native" LMDE installers, and perhaps making your Makefile more available would help that happen.
TomRoche
Level 3
Posts: 172
Joined: Thu Jan 13, 2011 2:52 pm

created public git repo

Postby TomRoche on Tue Mar 18, 2014 3:49 pm

TomRoche wrote:My proposal is, put this Makefile


`s/Makefile/bash script/g`

TomRoche wrote:(and any related files) in a web-based `git` repository


As a quick'n'dirty example, I made this.
TomRoche
Level 3
Posts: 172
Joined: Thu Jan 13, 2011 2:52 pm

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby Pepas on Tue Mar 18, 2014 5:59 pm

Sure Tom. I see you somehow already 'found' the bash script I made for this task...
I've decided to focus on 201403 only. We don't want to encourage people installing from the old 201303 iso, that does not make sense.

http://j.mp/makelmdescript

It's not too difficult to have the script also do the partitioning, but it gets very destructive that way...
Pepas
Level 1
Posts: 35
Joined: Mon Jan 24, 2011 10:18 am

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby TomRoche on Sat Mar 22, 2014 1:09 am

I love this script! Running straight outta terminal is fast (and ... umm ... I ♥ character-mode graphics :-) and being able to specify additional packages in the script is great. (Gotta find a way to hook `mintbackup` into this workflow.) Thanks, PePas. FWIW, I have

  • added a few more tests
  • refactored it so that users will only need to edit a .properties file (sourced by the script) without needing to touch the script itself.

and added more documentation in the README. All: feel free to [fork, pull request]!

That being said, IMHO what really needs done (and is in the TODOs) is to get this functionality into the mainline LMDE installer, so that this doesn't need bolted on.
TomRoche
Level 3
Posts: 172
Joined: Thu Jan 13, 2011 2:52 pm

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby LarkinVB on Thu Apr 10, 2014 6:34 am

Thanks for the great makefile/script.

The link to the makefile seems to point to an outdated file as it has the 256bit encryption and a strange line lvmdata=-l +100%FREE -Zn where the + does not seem right.

The script does not accept username characters like - though the makefile does.
LarkinVB
Level 1
Posts: 4
Joined: Thu Apr 10, 2014 6:25 am

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby Pepas on Thu Apr 10, 2014 11:07 am

LarkinVB wrote:The link to the makefile seems to point to an outdated file as it has the 256bit encryption and a strange line lvmdata=-l +100%FREE -Zn where the + does not seem right.

The script does not accept username characters like - though the makefile does.


Sorry, dropbox did something undesirable again... Updated the makefile.
But the script is really better. As you noticed, it has more checks. The only thing is, the makefile also works with 201303 (which I think should not be used anymore).
Pepas
Level 1
Posts: 35
Joined: Mon Jan 24, 2011 10:18 am

Re: LMDE 201303 or 201403 with luks encrypted lvm2 partition

Postby LarkinVB on Fri Apr 11, 2014 8:45 am

I constantly get 'Invalid partition table' after install before grub menu is displayed with a Dell 6420 laptop. I can boot up normally afterwards. Same Samsung 840 EVO SSD does work in a different laptop without this message. Any idea what the reason is for the Dell to show this warning or how to fix it ?

EDIT: I guess it is because the Dell BIOS is expecting the boot flag on the boot partition and there is none.
LarkinVB
Level 1
Posts: 4
Joined: Thu Apr 10, 2014 6:25 am
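LarkinVB's guess above (a BIOS that wants a boot flag on the boot partition) is easy to confirm before changing anything. This added example is not from the thread or its script: it reads an sfdisk-style partition dump (the two dumps below are constructed samples, not real machines) and reports which partitions carry the boot flag, so a missing flag can be spotted without guessing.

```shell
#!/bin/sh
# Added example, not from the thread: report which partitions in an sfdisk-style
# dump carry the boot flag, the check behind the "Invalid partition table"
# guess above. Both dumps are constructed samples, not real machines.

DUMP_NO_FLAG='label: dos
device: /dev/sda
unit: sectors

/dev/sda1 : start=        2048, size=      999424, type=83
/dev/sda2 : start=     1001472, size=   249034752, type=8e'

DUMP_FLAG='label: dos
device: /dev/sda
unit: sectors

/dev/sda1 : start=        2048, size=      999424, type=83, bootable
/dev/sda2 : start=     1001472, size=   249034752, type=8e'

# bootable_partitions DUMP: prints the device names flagged bootable, one per line
bootable_partitions() {
  printf '%s\n' "$1" | awk '/^\/dev\/[^ ]+ *:/ && /bootable/ { print $1 }'
}

# has_boot_flag DUMP: returns 0 if at least one partition is bootable, else 1
has_boot_flag() {
  [ -n "$(bootable_partitions "$1")" ]
}

# On a live system (as root) the dump comes from: sfdisk -d /dev/sda
if has_boot_flag "$DUMP_FLAG"; then
  echo "boot flag on: $(bootable_partitions "$DUMP_FLAG")"
fi
has_boot_flag "$DUMP_NO_FLAG" || echo "no partition carries the boot flag"
```

Run against `sfdisk -d /dev/sda` on the affected machine; if nothing is reported, the flag really is absent and the firmware warning is explained. Setting it is a one-line parted operation (`set <partition number> boot on`), which is worth doing on the /boot partition only.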
