Old June 16th, 2009   #31
yogg
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 18
Re: Encrypted live CD encfs

No, I only tested it with VirtualBox from an ISO file. Did you use the right option?

-b iso # create an iso9660 image, for CD
-b usb-hdd # create an image for USB keys or HD

But the way to Ubuntu is short. If I could only add the aes-i586 module to the initramfs it would work. I have tested copying the losetup code (from the Debian live-helper to casper-helpers) and vmlinuz from the Debian live CD to mine. My Ubuntu asks for the code and after that it starts up (with a few minor failures). But if I try to startx, the mouse and keyboard do not work. So I am now trying to add all needed functions to my initrd.

Do you have an idea how I can add the aes module? I have copied the aes-i586 file from /lib/modules/... to my initrd but that does not work. Modprobe aes-i586 in the initramfs also doesn't work. cat /proc/crypto says only the md5 module is loaded. lsmod does not work in the initramfs.

losetup -e aes256 /dev/loop0 /cdrom/casper/filesystem.squashfs
gives me
ioctl: LOOP_SET_STATUS: Invalid argument, requested cipher or key length (256 bits) not supported by kernel
Old June 16th, 2009   #32
[3w`Sparky]
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 29
Re: Encrypted live CD encfs

I will have a look around for the aes-i586 module and how to add it.

I was looking at going the other direction with this.

I am going to try a couple of things:

Moving the squashfs from Ubuntu and the vmlinuz to the Debian ISO and seeing if the initrd will boot them, and/or moving both of the above plus the scripts folder from the Debian initrd to the Ubuntu initrd scripts folder.

My thinking is: yeah, the kernel might be missing the support, but we have already added the encryption methods to the initrd. Also you need the right kernel for the squashfs, and the two come as a pair; running the kernel from one OS on another OS is going to cause some real issues, I believe.

Shame there isn't a casper-helpers script builder; that would solve the whole thing, simple pimple.

Had a quick play with the above in the last hour, no joy as yet. Looking to follow your route, yogg, if I can't get any joy soon. Have you got your initrd.gz working yet? If so can you post the link?

Last edited by [3w`Sparky]; June 16th, 2009 at 11:11 AM..
Old June 18th, 2009   #33
yogg
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 18
Re: Encrypted live CD encfs

OK, I have a working Ubuntu live CD.
I now used LUKS, because someone told me cryptoloop is not secure (watermark attack).


How to:

Build your own live CD. (I used https://help.ubuntu.com/community/Li...ionFromScratch)
Install cryptsetup on your live CD!

Encrypt your filesystem.squashfs:
Code:
# set count to a value you need for filesystem.squashfs (take ~50 MB more or so for the LUKS header, ...)
dd if=/dev/urandom of=filesystem bs=1M count=400
sudo losetup /dev/loop0 filesystem
sudo cryptsetup luksFormat -c "aes-cbc-essiv:sha256" /dev/loop0
# YES, passphrase, ...

sudo cryptsetup luksOpen /dev/loop0 luksloop

# now we must use a workaround because
# sudo mksquashfs ... /dev/mapper/luksloop -> ends up with an error
# see: http://ubuntuforums.org/showthread.php?t=1189797

# workaround (part 1):
sudo mkfs.ext3 /dev/mapper/luksloop
sudo mkdir /mnt/cryptfs
sudo mount /dev/mapper/luksloop /mnt/cryptfs
sudo mv filesystem.squashfs /mnt/cryptfs

sudo umount /mnt/cryptfs
sudo rm -r /mnt/cryptfs   # only remove the dir if you no longer need it
sudo cryptsetup luksClose luksloop   # close by mapping name
sudo losetup -d /dev/loop0

# rename the encrypted ext3 filesystem (with the included filesystem.squashfs :/ )
mv filesystem filesystem.squashfs
So now we must modify the start script:
Unpack the initrd.gz (I used the GUI -> no need for console commands).
Open scripts/casper-helpers and search for setup_loop()
Code:
setup_loop() {
    local fspath=$1
    local module=$2
    local pattern=$3
    local offset=$4

    modprobe ${MP_QUIET} -b "$module"
    /sbin/udevadm settle

    if [ "$module" = loop ]; then
        if [ ! -e /dev/loop0 ]; then
            # temporary workaround for kernel bug
            for i in 0 1 2 3 4 5 6 7; do
                mknod "/dev/loop$i" b 7 "$i" || true
            done
        fi

        dev="$(losetup -f)"
        if [ "$dev" ]; then
            if [ -n "$offset" ]; then
                losetup -o "$offset" "$dev" "$fspath"
            else

                # my changes begin
                # don't know how to load them automatically
                modprobe aes
                modprobe dm-crypt
                modprobe dm-mod
                modprobe sha256
                modprobe cbc
                modprobe blkcipher
                mkdir -p /mnt

                losetup "$dev" "$fspath"
                # fd 6 is the console in casper; keep the prompt off stdout,
                # which the caller captures as the device name
                echo "Please enter your password (QWERTY layout!)" >&6
                cryptsetup luksOpen "$dev" luksloop >&6

                # workaround (part 2): the LUKS payload is an ext3 fs holding
                # filesystem.squashfs; mount it and loop the squashfs inside
                mount -t ext3 /dev/mapper/luksloop /mnt
                dev="$(losetup -f)"
                losetup "$dev" /mnt/filesystem.squashfs
                # my changes end

            fi
            echo "$dev"
            return 0
        else
            panic "No loop devices available"
        fi
    else
        for loopdev in $pattern; do
            if [ "$(cat $loopdev/size)" -eq 0 ]; then
                dev=$(sys2dev "${loopdev}")
                if [ -n "$offset" ]; then
                    losetup -o "$offset" "$dev" "$fspath"
                else
                    losetup "$dev" "$fspath"
                fi
                echo "$dev"
                return 0
            fi
        done
        panic "No loop devices available"
    fi
}
Now repack everything (the GUI does not work for this):
Code:
find ./ | cpio -H newc -o > initrd
gzip -c initrd > initrd.gz
And replace the old initrd.gz.

Now create the ISO image (or whatever) and you should have an encrypted live CD (if I haven't forgotten anything).

My initrd.gz
http://www.file-upload.net/download-...initrd.gz.html

Hope it works.
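The container-building half of the procedure above, collected into one script. This is an added example, not yogg's code and not anything shipped with casper or cryptsetup. It assumes it runs as root on a system with cryptsetup (LUKS1), losetup, mkfs.ext3 and a squashfs already produced by mksquashfs; HEADROOM_MIB and the function names are this example's own choices. Unlike the post it sizes the container from the squashfs instead of a hand-picked count, closes the mapping by name, and checks for a LUKS header before the file is renamed into casper/.

```shell
#!/bin/sh
# Added example: yogg's LUKS-in-a-loop-file procedure as a script.
# Assumptions: run as root; cryptsetup (LUKS1), losetup and mkfs.ext3 are
# present; the squashfs was already produced by mksquashfs.
# Not code from the thread or from the casper project.

# Headroom (MiB) for the LUKS header plus ext3 superblocks, inodes and
# journal. The post reserved ~50 MB; 64 is an assumption, not a measurement.
HEADROOM_MIB=64

# Container size in MiB for the given squashfs: its size rounded up to whole
# MiB, plus the headroom. wc -c works on busybox as well as GNU coreutils.
container_size_mib() {
    bytes=$(wc -c < "$1")
    mib=$(( (bytes + 1048575) / 1048576 ))
    echo $(( mib + HEADROOM_MIB ))
}

# Build $2 as a LUKS container whose ext3 payload holds $1 as
# filesystem.squashfs. The mapping name (luksloop) is the one the
# initramfs hook in the post expects.
build_container() {
    squash=$1
    out=$2
    size=$(container_size_mib "$squash")

    # Random fill so the unused tail of the container looks like ciphertext
    # rather than zeros (same reason the post uses /dev/urandom).
    dd if=/dev/urandom of="$out" bs=1M count="$size" || return 1

    dev=$(losetup -f) || return 1
    losetup "$dev" "$out" || return 1

    # The thread's cipher spec, with an explicit 256-bit key. luksFormat
    # asks for confirmation and the passphrase on the terminal.
    cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 "$dev" || return 1
    cryptsetup luksOpen "$dev" luksloop || return 1

    # mksquashfs cannot write straight to the mapping (see the post), so
    # put an ext3 filesystem inside and copy the squashfs into it.
    mkfs.ext3 -q /dev/mapper/luksloop || return 1
    mnt=$(mktemp -d)
    mount -t ext3 /dev/mapper/luksloop "$mnt" || return 1
    cp "$squash" "$mnt/filesystem.squashfs"
    umount "$mnt"
    rmdir "$mnt"

    # Close by mapping name, not by /dev/mapper path.
    cryptsetup luksClose luksloop
    losetup -d "$dev"

    # Sanity check: the file must carry a LUKS header before it replaces
    # casper/filesystem.squashfs on the CD.
    cryptsetup isLuks "$out" || { echo "$out: no LUKS header" >&2; return 1; }
}

# Usage (as root):
#   build_container casper/filesystem.squashfs filesystem
# then rename filesystem to filesystem.squashfs as the post does.
```

The size helper is the only part that runs without root; everything in build_container touches loop devices and device-mapper and bails out at the first failing step instead of carrying on with a half-built container.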
Old June 18th, 2009   #34
[3w`Sparky]
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 29
Re: Encrypted live CD encfs

Tied up with a microwave config at the mo, not the type that cooks dinner!

I will give this a go, yogg; if all goes well then I should be running encrypted very soon.

Here's to hoping!
Old June 18th, 2009   #35
[3w`Sparky]
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 29
Re: Encrypted live CD encfs

Hi Yogg,

I followed your guide, made my count=550 as my image is a bit bigger.

Done everything as per your guide, but when booting it pauses at mounting the filesystem, then kicks out to the initramfs.

cat casper.log says that no filesystem could be found.

I wonder though: your script creates a dir called /mnt.

If I ls the root of the initramfs it only shows the contents of the initrd.gz file; it doesn't show a folder called /mnt.

Do you think it's crapping out before it reaches this point?
Is there a step missing? Also, if I cd /cdrom that is also blank, so it's not able to pull anything from the source device.

I tried my own initrd.gz and yours, which I know is a working one as you have managed to crack it.
Old June 19th, 2009   #36
yogg
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 18
Re: Encrypted live CD encfs

It's strange; sometimes in my previous tests /cdrom was also empty.

But make a test.
Rename the filesystem.squashfs to something else (filesystem.squashfs.noboot) and start the CD with the original initrd.gz file.

After that you should land in the initramfs. Here you can make some tests.
ls /cdrom -> hopefully not empty
if empty:
mount /dev/scd0 /cdrom

Now do the same steps that the script does, one by one:

1 load modules:
Code:
modprobe aes
modprobe dm-crypt
modprobe dm-mod
modprobe sha256
modprobe cbc
modprobe blkcipher
check if the modules are loaded
Code:
cat /proc/modules | grep aes
cat /proc/modules | grep dm
...

cat /proc/modules | more
does not work in the initramfs :(
2 create the first loop:
Code:
# get the first free loop device
losetup -f

# enter what losetup -f says
losetup /dev/loop0 /cdrom/casper/filesystem.squashfs.noboot

# should now give you the next device
losetup -f

# you can also test with
cat /dev/loop0
# but this ends with many strange characters and a system hang :D
# Ctrl+C also doesn't work in my case :/
3 decrypt and mount the device:
Code:
cryptsetup luksOpen /dev/loop0 luksloop
mkdir /mnt
mount -t ext3 /dev/mapper/luksloop /mnt

ls /mnt
# here you should see the filesystem.squashfs file
4 make the last loop + mount it:
Code:
losetup /dev/loop1 /mnt/filesystem.squashfs
mkdir /filesystem
mount -t squashfs /dev/loop1 /filesystem

ls /filesystem
# you should now see all the folders and files (/etc, /dev, /proc, ...)
If that works without problems the same should work in a script. Only the last mount (mount -t squashfs /dev/loop1 /filesystem) is not necessary; the script does this automatically.

Oh, and don't forget the >&6 in your script after cryptsetup!!!!!!!
If you don't use this a variable will be destroyed and the system does not boot.
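The checks in step 1 above (and the "cat /proc/crypto says only md5" observation earlier in the thread) written as plain sh functions that read /proc/modules and /proc/crypto exactly instead of piping through grep. This is an added example, not code from the thread: the function names are this example's own, and the two sample files are constructed to look like a 2.6.27 initramfs in which some of the modprobes silently failed. The point it adds is that modprobe names use hyphens (dm-crypt) while the kernel lists modules with underscores (dm_crypt), and that on that kernel "modprobe aes" ends up loading aes_generic or aes_i586, so a grep for the modprobe name can both miss a loaded module and match the wrong one (grep dm also hits dm_mod).

```shell
#!/bin/sh
# Added example, not from the thread: exact checks behind yogg's
# "cat /proc/modules | grep aes" and "cat /proc/crypto" steps. Pure sh,
# so it works in a busybox initramfs shell with no awk and no lsmod.

# Is module $2 listed in /proc/modules-style file $1? The first field of
# each line is the module name. modprobe names use hyphens (dm-crypt) but
# the kernel lists underscores (dm_crypt); on 2.6.27 "modprobe aes" loads
# aes_generic or aes_i586, so check for the name the kernel will show.
module_loaded() {
    want=$(printf '%s' "$2" | tr '-' '_')
    while read -r name rest; do
        [ "$name" = "$want" ] && return 0
    done < "$1"
    return 1
}

# Print every module in $2.. that is not loaded according to $1.
# Returns 1 if any is missing, 0 if all are present.
missing_modules() {
    modfile=$1; shift
    rc=0
    for m in "$@"; do
        if ! module_loaded "$modfile" "$m"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Is algorithm $2 registered in /proc/crypto-style file $1? Entries look
# like "name : aes". Templates such as cbc(aes) only show up once something
# (e.g. a luksOpen) has instantiated them, so check the base cipher and hash.
crypto_has() {
    while read -r key colon value; do
        [ "$key" = name ] && [ "$value" = "$2" ] && return 0
    done < "$1"
    return 1
}

# Constructed sample of /proc/modules: aes, dm-mod and cbc loaded, but
# dm-crypt, sha256 and blkcipher not. Assumed here to be one state in which
# luksFormat fails with "Failed to setup dm-crypt key mapping".
write_sample_modules() {
    cat > "$1" <<'EOF'
aes_generic 28160 0 - Live 0xf8a2c000
dm_mod 61416 1 - Live 0xf8a3d000
cbc 4224 0 - Live 0xf8a19000
loop 17484 2 - Live 0xf89f1000
squashfs 42000 1 - Live 0xf8a5e000
EOF
}

# Constructed sample of /proc/crypto for the same state: aes present,
# md5 built in, no sha256.
write_sample_crypto() {
    cat > "$1" <<'EOF'
name         : aes
driver       : aes-generic
module       : aes_generic
priority     : 100
type         : cipher
blocksize    : 16

name         : md5
driver       : md5-generic
module       : kernel
type         : digest
EOF
}

# Usage in the initramfs shell, before trying luksOpen by hand:
#   missing_modules /proc/modules aes_generic dm-crypt dm-mod sha256 cbc blkcipher
#   crypto_has /proc/crypto sha256 || echo "sha256 not available"
```

Because missing_modules returns non-zero when anything is absent, it can guard the cryptsetup call in a hook script instead of letting luksOpen fail and the boot continue with an empty device name.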
Old June 19th, 2009   #37
[3w`Sparky]
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 29
Re: Encrypted live CD encfs

I think it's a kernel issue; your initrd.gz /lib/modules contains 2.6.27-14-generic.

I'm using 2.6.27-7-generic; I can't seem to find the sources to obtain everything you have in /modules/2.6.27-14-generic/crypto to add the support to my kernel.

Do you think squashing the -14 kernel onto the CD might work?

I also am unable to find any source to remove the following error when trying to do a luksFormat:

command failed: Failed to setup dm-crypt key mapping.
check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that the /dev/loop1 contains at least 133 sectors

Last edited by [3w`Sparky]; June 19th, 2009 at 06:53 AM..
Old June 19th, 2009   #38
[3w`Sparky]
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 29
Re: Encrypted live CD encfs

Yogg, are you using mini Ubuntu by chance?
Old June 23rd, 2009   #39
yogg
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 18
Re: Encrypted live CD encfs

Quote: Originally Posted by [3w`Sparky]
check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that the /dev/loop1 contains at least 133 sectors
Looks like a module is missing. Which output do you get from "cat /proc/modules | grep ..."?

Is there a howto or something else for a mini Ubuntu live CD/DVD? Sounds interesting.
Old June 23rd, 2009   #40
[3w`Sparky]
5 Cups of Ubuntu
 
Join Date: May 2009
Beans: 29
Re: Encrypted live CD encfs

http://www.crealabs.it/ubuntu-mini-remix/

This is the mini Ubuntu.

About 180 MB, I think, from memory. I'm not sure what it's lacking to squeeze it down to that size, the OpenOffice.org bits, but unsure what else.

I am stuck back on the microwave at the mo but will have another battle with that blooming CD before next week.

Cheers for all your help so far though, yogg.

Does this forum have a magic star rating or something (a bit like tek-tips)?