From: Frederick Gazerblezeebe <fgazerblezeebe@gmail.com>
To: linux-crypto@vger.kernel.org
Cc: Jari Ruusu <jariruusu@users.sourceforge.net>
Subject: Re: loop-aes encrypted root on Fedora 15 using systemd
Date: Fri, 3 Jun 2011 09:42:45 -0700	[thread overview]
Message-ID: <BANLkTimeDeisn6h9VRn9CLfZyLe=biVTEw@mail.gmail.com> (raw)
In-Reply-To: <4DE4E624.CCA18200@users.sourceforge.net>

On Tue, May 31, 2011 at 5:59 AM, Jari Ruusu
<jariruusu@users.sourceforge.net> wrote:
> Frederick Gazerblezeebe wrote:
>> I am trying to set up a Fedora 15 system (kernel 2.6.39) on which the
>> root filesystem is encrypted with loop-aes (v3.6c).
>>
>> Can someone suggest the best location to place the initial losetup
>> commands? This new version uses the systemd boot stuff and
>> /etc/rc.d/rc.sysinit (where I placed the losetup commands before) no
>> longer exists. I was partially successful placing them in
>> /lib/systemd/fedora-readonly, meaning losetup successfully sets up the
>> loop device, but attempts to actually mount a file system on this loop
>> fail and the boot process terminates. I think I may be placing the
>> losetup too late in the sequence and the system is attempting to mount
>> on the loop before it is actually set up, but that's just a guess at
>> this point.
>
> I am assuming you used loop-AES' build-initrd.sh script. I changed the
> script so that it can be configured to set up more loop devices than the one
> used by encrypted root partition. For example, if you want to set up
> "no password entering required" /dev/loop6 and /dev/loop4, you can add these
> lines to build-initrd.sh config:
>
> EXTRACOMMANDRUN1=1
> EXTRACOMMANDSTR1="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop6.txt /dev/loop6 /dev/sda3"
> EXTRACOMMANDRUN2=1
> EXTRACOMMANDSTR2="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop4.txt /dev/loop4 /dev/sdd12"
>
> Limitations/rules:
> 1) Commands are run after switching to encrypted root but before starting
>   /sbin/init
> 2) Encrypted root partition is mounted read-only. Other file systems are not
>   mounted.
> 3) udev is not running yet, so dynamic device nodes on tmpfs (created and
>   mounted by udev on top of /dev directory) are not available.
> 4) If commands need /dev/* device nodes, you must make sure that static
>   device nodes exist on encrypted root partition on /dev directory. Use
>   mknod program to create those device nodes. Above example would need 4
>   nodes: /dev/loop6, /dev/sda3, /dev/loop4 and /dev/sdd12. The tricky part
>   is putting them on the directory that is under udev mounted tmpfs file
>   system.
> 5) /etc/cleartextkey-loop*.txt files (or whatever) on encrypted root
>   partition are protected by root partition encryption. Each of these files
>   contain 65 lines of key material that would normally be wrapped by and
>   protected by gpg encryption.
> 6) Up to 8 extra commands can be configured. If you need more, make it run a
>   shell script somewhere on encrypted root partition.
>
> New version of the build-initrd.sh script is here:
> http://loop-aes.sourceforge.net/updates/build-initrd.sh-20110531.bz2
> http://loop-aes.sourceforge.net/updates/build-initrd.sh-20110531.bz2.sign
>
> --
> Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD
>

I am currently up on the encrypted root with a couple of issues, which
may not be problems with loop-aes.

Using the EXTRACOMMANDRUN# options in your new script I am able to get
the loop device for /home initialized, as shown by the output of
losetup -a (loop2=/, loop3=home),

/dev/loop2: [0001]:5099 (/dev/sda2) encryption=AES128 multi-key-v3
/dev/loop3: [0702]:2104244 (/dev/sda3) encryption=AES128 multi-key-v3

but systemd is unable to mount it to /home as defined in fstab,

/dev/loop3      /home      ext4    defaults        0 2    #/dev/sda3

resulting in a failure to boot. At first I thought this was a selinux
problem, but further testing shows that this is not likely the case.
Next I need to go through the systemd scripts and find exactly where
it is failing and see what I can do about it.

One additional peculiarity is that although the swap is activated at
boot time, it is not encrypted until I remove/add it again.  The
fstab entry is

/dev/sda5       swap       swap    sw,loop=/dev/loop5,encryption=AES128   0 0

Immediately after boot:

###[102]% losetup -a
/dev/loop2: [0001]:5099 (/dev/sda2) encryption=AES128 multi-key-v3
/dev/loop3: [0702]:2104244 (/dev/sda3) encryption=AES128 multi-key-v3
###[103]% swapon -s
Filename                                Type            Size    Used    Priority
/dev/sda5                               partition       6136824 0       0
###[104]% swapoff -a
###[105]% swapon -a
Setting up swapspace version 1, size = 6136820 KiB
no label, UUID=4f1b6b95-bd99-4ac5-aee6-b87d599b1f5c
###[107]% losetup -a
/dev/loop2: [0001]:5099 (/dev/sda2) encryption=AES128 multi-key-v3
/dev/loop3: [0702]:2104244 (/dev/sda3) encryption=AES128 multi-key-v3
/dev/loop5: [0005]:5244 (/dev/sda5) offset=4096 encryption=AES128 multi-key-v3
###[109]% swapon -s
Filename                                Type            Size    Used    Priority
/dev/loop5                              partition       6136820 0       -1

Once again I think this is a systemd issue as opposed to a loop-aes
problem and I am currently looking into it as well.

So thanks again for the quick script update, it really helped, and
I'll post back again when I've made some more progress.

FG
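As an added example (not part of this thread, and not loop-AES's own tooling), the following POSIX sh script turns the checks implied by the exchange above into something that can be run after boot: it lists active swaps that are not sitting on an encryption= loop device (the raw /dev/sda5 situation shown before the swapoff/swapon), lists fstab loop sources that `losetup -a` does not show as set up (the /home-on-/dev/loop3 case), and extracts from an EXTRACOMMANDSTRn configuration the /dev nodes that rule 4 of Jari's list says must exist as static nodes. The sample `losetup -a`, `swapon -s`, fstab and build-initrd.sh config texts are constructed from the lines quoted in the messages; the root fstab entry and the LOSETUP_ONLY_ROOT sample are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from loop-AES. Sanity checks
# over the output formats that appear in the messages (`losetup -a`,
# `swapon -s`, /etc/fstab, build-initrd.sh config) so that a swap running
# on the raw partition or a loop device that never got set up is reported.

# Constructed sample data, in the shape the messages show.
LOSETUP_BEFORE='/dev/loop2: [0001]:5099 (/dev/sda2) encryption=AES128 multi-key-v3
/dev/loop3: [0702]:2104244 (/dev/sda3) encryption=AES128 multi-key-v3'

LOSETUP_AFTER="$LOSETUP_BEFORE
/dev/loop5: [0005]:5244 (/dev/sda5) offset=4096 encryption=AES128 multi-key-v3"

SWAPON_BEFORE='Filename                                Type            Size    Used    Priority
/dev/sda5                               partition       6136824 0       0'

SWAPON_AFTER='Filename                                Type            Size    Used    Priority
/dev/loop5                              partition       6136820 0       -1'

# The root line is an assumption; the /home and swap lines are from the message.
FSTAB='/dev/loop2      /          ext4    defaults        1 1    #/dev/sda2
/dev/loop3      /home      ext4    defaults        0 2    #/dev/sda3
/dev/sda5       swap       swap    sw,loop=/dev/loop5,encryption=AES128   0 0'

# The two EXTRACOMMAND lines quoted from Jari's reply.
INITRD_CONF='EXTRACOMMANDRUN1=1
EXTRACOMMANDSTR1="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop6.txt /dev/loop6 /dev/sda3"
EXTRACOMMANDRUN2=1
EXTRACOMMANDSTR2="/sbin/losetup -e AES128 -P /etc/cleartextkey-loop4.txt /dev/loop4 /dev/sdd12"'

# is_encrypted_loop DEV LOSETUP_OUTPUT
# True when DEV is listed by `losetup -a` with an encryption= parameter.
is_encrypted_loop() {
    printf '%s\n' "$2" | grep -q "^$1: .* encryption="
}

# unencrypted_swaps SWAPON_OUTPUT LOSETUP_OUTPUT
# Prints each active swap (first column of `swapon -s`, header skipped)
# that is not an encrypted loop device; returns 1 if any, else 0.
unencrypted_swaps() {
    bad=0
    for sw in $(printf '%s\n' "$1" | sed '1d' | cut -d' ' -f1); do
        if ! is_encrypted_loop "$sw" "$2"; then
            echo "$sw"
            bad=1
        fi
    done
    return $bad
}

# missing_fstab_loops FSTAB LOSETUP_OUTPUT
# Any fstab entry whose source is /dev/loopN needs that loop to exist before
# systemd mounts it (set up from the initrd in the thread). Prints the loop
# sources that `losetup -a` does not list; returns 1 if any, else 0.
missing_fstab_loops() {
    bad=0
    for src in $(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
                 awk '$1 ~ /^\/dev\/loop[0-9]+$/ { print $1 }'); do
        if ! printf '%s\n' "$2" | grep -q "^$src: "; then
            echo "$src"
            bad=1
        fi
    done
    return $bad
}

# extracommand_device_nodes CONFIG
# Prints, in order of first appearance and without duplicates, every /dev
# path used by EXTRACOMMANDSTRn lines: these are the static nodes that must
# be created with mknod on the encrypted root, since udev is not running yet.
extracommand_device_nodes() {
    printf '%s\n' "$1" | grep '^EXTRACOMMANDSTR' |
        grep -o '/dev/[A-Za-z0-9]*' | awk '!seen[$0]++'
}

# Demo on the constructed samples, mirroring the thread's before/after.
echo "swap not on an encrypted loop (before swapoff/swapon):"
unencrypted_swaps "$SWAPON_BEFORE" "$LOSETUP_BEFORE" || echo "  -> swap is on a raw partition"
echo "swap not on an encrypted loop (after swapoff/swapon):"
unencrypted_swaps "$SWAPON_AFTER" "$LOSETUP_AFTER" && echo "  -> all swap on encrypted loops"
echo "fstab loop sources not set up:"
missing_fstab_loops "$FSTAB" "$LOSETUP_BEFORE" && echo "  -> none missing"
echo "static /dev nodes needed by the EXTRACOMMAND lines:"
extracommand_device_nodes "$INITRD_CONF"
```

On a real system the three inputs come from `losetup -a`, `swapon -s` and /etc/fstab; the functions only read text, so they can be run from a rescue shell against saved output as well. The swap check is the one worth wiring into a post-boot check, because a swap activated on the raw partition writes plaintext pages to disk without any error being reported.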
