r1108 - trunk

robert at linuxfromscratch.org
Sun Sep 20 13:44:45 PDT 2009


Author: robert
Date: 2009-09-20 14:44:45 -0600 (Sun, 20 Sep 2009)
New Revision: 1108

Modified:
   trunk/crypt-rootfs.txt
Log:
Updated crypt-rootfs.txt

Modified: trunk/crypt-rootfs.txt
===================================================================
--- trunk/crypt-rootfs.txt	2009-09-13 17:37:13 UTC (rev 1107)
+++ trunk/crypt-rootfs.txt	2009-09-20 20:44:45 UTC (rev 1108)
@@ -1,6 +1,6 @@
 AUTHOR: Lars Bamberger <Lars.Bamberger at gmx dot de>
 
-DATE: 2009-02-15
+DATE: 2009-11-20
 
 LICENSE: GNU Free Documentation License Version 1.2
 
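Review bot: the new DATE 2009-11-20 is two months after this commit's own date (2009-09-20), so it looks like a typo for 2009-09-20; the same date is used for the new CHANGELOG entry later in the patch, so both should be corrected together.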
@@ -53,7 +53,7 @@
 
 2.2 cryptsetup with LUKS extension
 
-Get it from http://luks.endorphin.org/dm-crypt
+Get it from http://code.google.com/p/cryptsetup/
 Compile and install it. Required to handle encrypted partitions.
 
 
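Review bot: the replaced URL still sends readers to a plain http download with no verification step; since this cryptsetup binary ends up in the unencrypted initramfs, add a sentence between "Get it from ..." and "Compile and install it." telling readers to check the release's signature or published checksum before building.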
@@ -277,7 +277,7 @@
 You'll need all the standard directories (bin, sbin, usr/{bin,sbin}, proc, sys,
 dev, lib). In bin we put our busybox-large (rename to busybox) and a softlink to
 busybox named hush. Copy cryptsetup to sbin.
-In dev put some useful devices: console, null, sd?? and a directory
+In dev put some useful devices: console, null, urandom, sd?? and a directory
 'mapper' containing 'control'. Then make a copy of dev:
 cp -a dev init-dev
 In lib (and dev) put everything needed to run busybox and cryptsetup.
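Review bot: the added urandom entry should say how to create the node, because readers populating dev by hand need the device numbers (/dev/urandom is character device major 1, minor 9) and none of the other entries on that line give them either; a short "mknod dev/urandom c 1 9" next to the list would remove the guesswork.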
@@ -323,6 +323,11 @@
 mount -t $FSTYPE /dev/mapper/sd?? /new-root
 cp -a $BACKUPROOTFS /new-root
 
+PITFALL: Since your old rootfs isn't mounted, you might not be able to to run
+         mkefs do to missing libraries. Either copy everything needed to where
+         the linker can find it, or use the mkefs from busybox. Be sure to
+         configure busybox accordingly.
+
 Next, modify /etc/fstab (on /new-root) to reflect the new device for the rootfs.
 Also modify the cryptsetup script as described below (7. PITFALL).
 
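Review bot: the new PITFALL has three wording defects: "to to run" doubles "to", "do to" should be "due to", and "mkefs" (used twice) is not a tool name; from context (creating the filesystem on the new root) it appears to mean mke2fs or mkfs. It also sits after the mount and cp lines although it concerns the formatting step that must precede them, so moving it above "mount -t $FSTYPE /dev/mapper/sd?? /new-root" would put it where the reader needs it.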
@@ -370,7 +375,7 @@
 
 Once everything works as it should, remove the unencrypted backup of your
 rootfs. Protect your bootloader (and possibly the BIOS) with a password to
-disable fiddling with the boot parameters.
+disable unauthorized fiddling with the boot parameters.
 Create a bootscript (checkbootfs) that makes sure that the unencrypted partition
 we booted from was not compromised. Use something like:
 
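Review bot: "unauthorized" reads fine, but the sentence still overstates what a bootloader or BIOS password buys: it only blocks interactive edits of the boot parameters, while anyone with physical access can still alter the unencrypted boot partition offline. Suggest saying so explicitly, since that is exactly the case the checkbootfs script in the next sentence exists to detect.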
@@ -398,13 +403,18 @@
 
 ACKNOWLEDGEMENTS:
   * Various for the wiki at http://de.gentoo-wiki.com/Cryptsetup-luks_initramfs
-    and
+    (not online anymore) and
     http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
   * Clemens Fruhwirth (http://clemens.endorphin.org/) 
-    for LUKS for dm-crypt: http://luks.endorphin.org/dm-crypt
+    for LUKS for dm-crypt: http://code.google.com/p/cryptsetup
 
 
 CHANGELOG:
+[2009-11-20]
+  * cryptsetup needs /dev/urandom
+  * mkefs might not work from initramfs
+  * update some URLs
+  * some minor touchups
 [2009-02-15]
   * Basic rewrite.
 [2008-02-17]
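Review bot: the new cryptsetup URL in the acknowledgements (http://code.google.com/p/cryptsetup) differs from the one introduced in section 2.2 (http://code.google.com/p/cryptsetup/) by the trailing slash; use one form in both places. The [2009-11-20] changelog date has the same problem as the DATE header and should follow whatever that is corrected to.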
