Slackware :: Pondering About Encrypting The Keycard For A LUKS/LVM Partition?

Aug 15, 2010

So I was wondering about the dilemma of how to encrypt the password file on a key card to unlock your harddrive without having to enter any password. I came to the conclusion that the scripts could do this without storing any passwords in plain text themselves. Have a few extra steps to the scripts that would:

1. Read the UUID of any disks coming in.

2. Attempt to use that ID to decrypt a password file stored in the initrd.

3. Use the decrypted password file to unlock the keycard partition.

4. THEN use the password files on the keycard to decrypt the main partition and boot the system.

However, if somebody stole your key card and didn't know what the unencrypted information was, then it's harmless for them to have it anyway. And if they did know, you wouldn't be any better off with it being encrypted because they probably can gain access to your computer anyway; leaving them to just pop the key card in and automatically decrypt the drive.

I suppose encrypting the keycard would give you extra assurance that the information would be much harder to recover if you destroyed the key card in a hurry. So would this extra security step even be worth it?

I guess the most secure thing would be to only have a password and type it in every time... unless you are concerned about the aliens/government stealing that from your brain which would probably mean they wouldn't need your password anyway.


Ubuntu Security :: Grub With Luks Support - Encrypting The Boot Partition To Prevent The Kernel From Being Modified?

Mar 9, 2011

Has anyone tried encrypting the boot partition to prevent the kernel from being modified? I've tried following this but I'm running into issues when building. [URL] I'm using the source from bzr checkout [URL] Last time I tried I screwed grub and it wouldn't boot.


General :: Format Master LUKS Partition With/without Damaging Other Partition?

May 11, 2010

I need to change my LUKS partition to NTFS as I do not need the boot partition any longer, but I need to keep sdb3 (truecrypted ext3) intact. This is how the disk looks now:

Code:

Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes
255 heads, 63 sectors/track, 121601 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

[code]....


Slackware :: Encrypting Messages Sent Via A Web Browser?

Nov 25, 2010

Kernel 2.6.21.5, Slackware 12.0
Firefox 2.0.0.20

When sending an LQ post, my browser says "You're about to send information that's not encrypted". OK. I tell him not to show the warning again. But what if I want to encrypt? How do I do it?


Ubuntu Security :: Encrypting / Home Partition Without Reinstalling?

Jun 12, 2011

I have Kubuntu 11.04 64-bit installed (software upgrade from 10.10) and I have a separate /home partition. I want to encrypt my /home partition (and perhaps the swap partition as well) but I don't want to have to reinstall Kubuntu. (Mostly because it was a software upgrade and I don't have an 11.04 disc.) I found a tutorial for eCryptfs via one of the stickies that mentions post-install migration, but it says that using eCryptfs on a separate /home partition is more complicated than if it were part of the root partition and that the CDs don't have any software to preserve and configure existing encrypted /home partitions. (Granted this tutorial is made for 9.04, so things may have changed.)

Also, this tutorial makes it sound like if you have your /home directory encrypted that the encrypted data is stored in a folder on the root partition. Is it done the same way if the /home directory is on its own partition? Because I don't think my root partition is large enough to have all of my /home data. (I purposely kept it small because the root partition doesn't seem to get very large.)


General :: Encrypting A Common Data Partition Between Distros?

Aug 6, 2010

On my laptop (Dell Studio 1745) w/500GB HD, I have a common data partition shared by openSUSE, Fedora, FreeBSD, and windoze 7 currently. I would like to encrypt this partition (/Common) and have it accessible from all distros either with a passphrase key in /root or on a flash key. I've been researching on the web and there seem to be several possibilities using eCryptfs, LUKS, cryptsetup, or any of several methods.

My question is, what have people here used and how well did it work? Also, what was required for setup (I'll probably have to explain/teach it to my wife who is technology challenged - but I still love her anyway) and my daughter who's just getting into Linux. I would like to be able to keep the entire directory on the hard drive but also have the ability to copy it to external USB device for transport.


Fedora Security :: Encrypting The Swap Partition While /dev/path Constantly Changes?

Aug 10, 2011

I would like to encrypt my swap partition ... During installation, I tried to select the "encrypt partition" choice, but it needed a passphrase. After installation, I tried to encrypt my partition ... I followed this article: The problem is that my swap partition always changes its path ... When I first booted the system, it was /dev/sda10, next it became /dev/sdc10, now it is /dev/sdb10. This is probably the reason why in fstab all entries are according to UUID. However, the swap partition is not fond of UUIDs! I tried to mkswap /dev/<current swap partition> -L Swap, I received a UUID, put it in /etc/crypttab ... it worked for the first time ... but the second time ... did not.


OpenSUSE Install :: Encrypting / Tmp Partition W/o Password Prompt On Boot?

Jan 27, 2011

I've created a /tmp partition on a server that I would like to encrypt in a fashion that doesn't require a password to be entered on boot because this server is in a remote data center. Storing the password on the server so that it can automatically boot would obviously defeat the purpose of encrypting in the first place. Skipping automounting is another option but I'd really like to avoid that because there are a number of other services that would have to be suspended until the /tmp partition is online.

I found this article designed for CentOS (HowTos/EncryptTmpSwapHome - CentOS Wiki) which seems perfect since it generates a key randomly on boot and that key is destroyed and regenerated on each successive boot. However, the script doesn't seem to work on openSUSE - it throws errors saying . /etc/init.d/functions doesn't exist, restorecon command not found, action command not found, etc. Is there an openSUSE-ish way to achieve promptless partition encryption?


General :: Encrypt Full Partition Instead Of Creating A File And Encrypting It?

Jan 8, 2010

I want to encrypt a full partition instead of creating a file and encrypting it, and I also want to move this disk to another server. Do I also need some files (that hold keys) with me on the new server? I am using FC11.


Debian :: Resize LUKS Partition Without LVM

Aug 20, 2011

I need to resize (increase) a LUKS partition. I have found a lot of manuals, but they are just for LVM volumes (I don't use LVM and I don't plan to use it). I have an HDD split into 4 parts:

sda1(/)
sda2(LUKS)
unallocated
swap

I want to increase the LUKS partition by using part of the unallocated space.

BUT I don't want to do the following:
Backup data from LUKS partition
Delete LUKS partition
Create new bigger LUKS partition
Restore data to the LUKS partition


Ubuntu Security :: LUKS On LVM And Resizing Partition

May 10, 2010

I have a LVM logical volume, that contains a LUKS encrypted volume, on which is an ext4 filesystem. I shrank the partition to the minimum size. Next step is to luksClose the device, and then to resize the LVM logical volume. I suspect that LUKS has overhead. So if the ext4 filesystem was resized from, say 1TB to 500G, I have the idea that resizing the LVM LV to 500G does not take LUKS overhead into account and this might corrupt data on the end of the FS. So, what's the smart move to take? How do I calculate the safe minimum LV size? Or should I just give the 500G disk a few gigabytes extra to be sure?


Security :: Luks Root Partition On Laptop

May 9, 2011

If I encrypt my root partition with luksFormat on my laptop and the battery suddenly goes out without a proper shutdown, do I stand a big chance of corrupting the LUKS header or key slot?


Software :: Corrupted LUKS-encrypted Partition ?

Jun 30, 2010

I have a really tricky and maybe interesting problem with an encrypted disk partition (cryptsetup luks...) which was fine until it accidentally got re-formatted by an instance of Windows 7. Most of the data on that 1TB disk will probably still exist, only the LUKS header at the very beginning of the partition is - of course - gone.

So when I try to open the container, it gives no verbose output, just the return value 234.

I scanned the whole partition for other LUKS headers with hexedit, none there. But, luckily, I have another partition which is encrypted in the exact same way with the exact same passphrase (which I remember very well!), so I had an idea: I copied the LUKS header (592 bytes) from the other LUKS encrypted partition over to the damaged partition.
When I now issue

Code:

Code:
No key available with this passphrase

Here is the command how I created the container:

Code:

How do I get the existing passphrase accepted by LUKS?


Debian :: Mount Encrypted LUKS Partition (On Former System HDD)

Feb 1, 2016

I have two basically identical harddrives that are encrypted with LUKS containing a complete debian installation:

Code:
root@x200s:/home/b# lsblk --fs
NAME                   FSTYPE      LABEL UUID                                   MOUNTPOINT
sda                                                                             
├─sda1                 ext2              0b851969-281e-4db2-8a5b-3798e801711b   /boot
├─sda2                                                                         
└─sda5                 crypto_LUKS       cfcf63ef-448a-4f72-9f58-8f7731cf3dfc   
  └─sda5_crypt         LVM2_member       21CS3f-SQeQ-XcMr-kyDs-OPtR-egmT-HkvJAu

[Code] ....

sda is what I currently run to write this text, sdb is my former harddrive, connected via USB.

I want to access the root partition on sdb.

The problem is:

Code:
cryptsetup luksOpen /dev/sdb5 oldhd
Enter passphrase for /dev/sdb5:
root@x200s:/home/b# ls /dev/mapper/
control  oldhd   sda5_crypt  x200s--vg-root  x200s--vg-swap_1
root@x200s:/home/b# mount /dev/mapper/oldhd /mnt/
mount: unknown filesystem type 'LVM2_member'

[Code] ..

Before all this, both sda and sdb were in the same volume group. I renamed the volume group of sdb to "oldDisk"
using

Code:
vgrename <UUID> oldDisk

How can I access the data on the root filesystem of my sdb?


Fedora :: Access /etc/modprobe.d On An Encrypted LVM LUKS Partition?

Nov 8, 2009

I need to access /etc/modprobe.d on an encrypted LVM LUKS partition. I'm not sure how to go about it though. Mount usually handles my mounting needs, do I need to decrypt the physical volume first? A list of the commands needed would make my day.


Fedora Security :: LUKS Encryption At Partition Level Or LVM?

Jul 19, 2010

I'm planning a fresh F13 install, with separate partitions for /boot, /home, /tmp, /, and swap. All but /boot will be logical volumes, and I'd like to encrypt all but boot. If I encrypt the underlying partitions, is there any reason to also encrypt the logical volumes themselves?

My system will be:
HP dv6-3040us Pavilion laptop
AMD Phenom II
4GB DDR3


Fedora :: 13 - Disable LUKS-encrypted Partition From Automount?

Aug 30, 2010

I have encrypted a partition while installing Fedora 13, and I need to disable its automount - I will mount those manually.

But even though I commented out the corresponding line in /etc/fstab, I am still asked for the passphrase for the partition at startup.

How to completely disable this behaviour - and how to mount the partition manually afterwards?


General :: Moving A LVM/LUKS Encrypted Partition To The End Of A Harddrive?

May 16, 2011

I need to move a LUKS encrypted partition to the end of a harddrive to expand another partition. Does anyone know how to do this?

Is it possible to do this with other partition editing programs?

GParted doesn't support LUKS/LVM.


Slackware :: Adding A Volume To A LUKS/LVM Setup?

Mar 21, 2010

I have been following Alien Bob's README_CRYPT.TXT on the install disk and playing around with LUKS and LVM as highlighted in the section Combining LUKS and LVM. I got this working following the examples in the readme however I now wish to add another volume to the volume group. I have got this working and extended the group with an encrypted volume so it's now bigger. I want the two included physical volumes in the volume group (which are both encrypted) to be opened on bootup.

As it is now I am prompted for a password for the first physical volume (the passwords are set to be the same) and that opens and boots the volume. It has a problem with the second PV I have added and doesn't open this. There are errors on boot up about this and pvdisplay gives this:

Code:
Couldn't find device with uuid 'JVirxL-lmqH-SUym-3lXG-MnXx-Qjk8-JZRha8'.
Couldn't find device with uuid 'JVirxL-lmqH-SUym-3lXG-MnXx-Qjk8-JZRha8'.
Couldn't find device with uuid 'JVirxL-lmqH-SUym-3lXG-MnXx-Qjk8-JZRha8'.
--- Physical volume ---
PV Name /dev/block/253:0

[Code]....


Slackware :: LUKS Decryption Fails In Dolphin?

Nov 25, 2010

I've just done a fresh Slackware 13.1 install on a 32-bit box for friends of mine. It's an older machine with an AMD Athlon XP 2500. Generally everything works just fine, with one exception, however. Connecting a LUKS encrypted USB harddisk is notified by KDE. Clicking on the device icon in Dolphin opens the dialog asking for the LUKS passphrase. No error message appears, but the file system is not opened and mounted, anyway. However, before another attempt I have to "remove" the device in Dolphin. Output of dmesg:

Code:
# Nov 25 23:58:24 mycomputer kernel: device-mapper: ioctl: unable to remove open device temporary-cryptsetup-3023

[code]....


Slackware :: Installing Lilo With RAID/LUKS/LVM - 13.1(64)?

Mar 9, 2011

Basic Problem: I have been trying to install 13.1 (64-bit) and have not been able to get lilo to install.

Procedure:

1) partitioned drive /dev/sdc 1GB (Linux RAID) and 499GB (Linux Raid)
2) copied partitioning scheme to /dev/sdd
3) set up RAID-1 arrays md0 (sdc1-sdd1) and md1 (sdc2-sdd2)
4) write random data to partitions
5) set up LUKS on md1 (swluks)
6) set up LVM on swluks (80GB /, 375GB /home, 20GB swap)
7) ran setup, chose partitions, installed software
8) setup lilo (mbr, selected /)
9) TRIED to install lilo

[Code]..


Slackware :: 12.2 - RAID-1 - LVM - LUKS Encrypted Root

Dec 17, 2008

I am trying to get Slackware 12.2 running on a system with two identical harddiscs using RAID-1, LVM and LUKS.

Here is what I get:

Code:

The system is still the same, however, the results of upgrading or installing 12.2 are different. The system refuses to boot. The screen messages during boot seem to suggest, that the RAID system is "seen" by the system, but the encrypted filesystem is not.

I can boot with the installation DVD, however, and

Code:


Slackware :: USB Keyboard Won't Respond On Luks Login?

May 9, 2011

I just installed Slackware 13.37 64 using luks and lvm by following this. However, when it's time to enter the password, my usb keyboard won't work. I included the uhci-hcd, and usbhid modules when running mkinitrd,


Fedora Security :: Unlock A LUKS Encrypted Root Partition Via Ssh?

May 20, 2010

Anyone had any experience with unlocking a LUKS encrypted root partition via ssh? It is ok to leave /boot unencrypted.

There are a few pages from Google with the Debian variants, achieved by putting dropbear into initrd.

I'd like to do that with my Fedora/CentOS remote servers, but struggle to find any resources specific to it. Does anyone have any suggestions and thoughts as to what might be a suitable way forward?


Ubuntu Security :: LUKS - Dm-crypt And Encrypted Partition At Boot

Feb 22, 2010

I'm trying to have a LUKS encrypted partition mounted at startup and to have GDM ask for my key so it will decrypt. Now I followed [URL] to the letter. Except for now, I have it just mounted into /mnt/cryptohome so I'm not messing with my system. My problem is the one everyone mentions in the comments: Ubuntu isn't asking for the LUKS key in the X display, it's asking in the first terminal (Ctrl-Alt-F1). This will not do. I need it to ask to mount my drive before I'm even asked to login, so eventually I can encrypt my /home.


Ubuntu :: Auto-mount Luks Encrypted Partition At Boot?

May 27, 2010

I'm having a problem auto-mounting a new luks partition. I have crypttab and fstab entries. I already have my primary encrypted partition (root) mounting at boot (from the install), but after creating this one manually, it does not open on boot. It auto-mounts when I run the following command manually after boot: sudo luksOpen /dev/disk/by-uuid/<uuid> mycrypt

/etc/crypttab entry:
personalcrypt /dev/disk/by-uuid/a1af5b7b-db58-4690-b586-b74407795e2c none luks
/etc/fstab entry:

[code]...


Ubuntu :: Update-grub Fail When Converting To LVM On Luks Partition?

Oct 26, 2010

I'm trying to migrate my LVs over to a Luks volume (prompt on password at boot). Unfortunately, as soon as I add my luks-encrypted physical volume to my volume group, I'm no longer able to update my grub configuration. I've detailed my steps below:

I've created and unlocked my encrypted partition with the following:

Code:
sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 crypto_agilityssd

My /etc/crypttab looks like this:

[Code].....


Slackware :: 13 2.6.29.6 Cryptsetup Luks Wrong Device Name In /dev/mapper/*?

Mar 3, 2010

Slackware 13, kernel 2.6.29.6. I have three hard drives. Root is on its own drive, sda1. sdb and sdc are RAID via mdadm with two partitions: one for /home (RAID0, md0) and one for swap (RAID1, md1). md0 is encrypted via cryptsetup. md1 is encrypted via fstab. Everything boots fine and is accessible. However, /dev/mapper/* shows sda1 as the block device connected to the RAID md0. The swap crypted device is correct in /dev/mapper/*. fstab is set correctly. The problem seems to be with initrd. I would like the correct device in /dev/mapper so that I can access drive info: size, available space, etc. Now the info shows only sda1 info.


Slackware :: Xfce Automount Luks Lvm External Drive

Apr 5, 2011

I have a luks-encrypted external drive with lvm on top. When I plug it in xfce prompts me (twice as usual) for the encryption phrase. Then, unlike when I have a regular file system on top and it automounts, I need to activate the volumes and manually mount. Is there a way to make these steps happen automatically?


Slackware :: Xfce LUKS Handling Randomly Fails?

May 24, 2010

Anyone else experiencing the random LUKS fails? Anyone know of a solution? I filed a bug. Basically I have a USB hard drive with two LUKS partitions on it (sdb2, sdb3). When plugged in, it asks for the password in Xfce (like it did in Slackware 13.0), but instead of the previous "asks twice for password" bug, now it asks once, but nothing pops up on the desktop. It's rare to see either of them put an icon on the desktop (usually nothing results).

I see /dev/mapper/luks_crypto_{UUID} get populated, so they are successfully being unlocked (LUKS), but no icon appears, and no mount point for the volume label (i.e. /media/BACKUP /media/ASUS) is populated. Does anyone know how I could produce a more useful bug report? I'm wondering if "strace startxfce" would produce anything useful or if aliasing Thunar to "strace -o /tmp/thunar-`date`.txt" would be in order.








Copyrights 2005-15 www.BigResource.com, All rights reserved