
encrypted FS

shadowbox
Posts: 35
Joined: 07 Oct 2008, 20:17

encrypted FS

Post by shadowbox »

I'd like to encrypt my data related partitions in the case that ninja storm my abode and decide the black box with the pretty blue light is worth stuffing into a pouch.

Firstly, I'd like to thank the folks at Excito for having the foresight to lvm 90% of the drive.

Here's what I've done so far:

-- first reduce /home to 100 gigs

Code:

   # umount /home
   # resize2fs -p /dev/mapper/bubba-storage 100G
   # e2fsck -f /dev/mapper/bubba-storage
   # resize2fs -p /dev/mapper/bubba-storage 100G
   # e2fsck -f /dev/mapper/bubba-storage

   # lvm
   lvm> lvreduce -L100G /dev/bubba/storage
   lvm> exit
   # mount /home

That gives me:

Code:

/dev/mapper/bubba-storage
                       99G   75G   21G  79% /home

Okay, things are good so far. Now to create a little test crypt partition:

Code:

   lvm> lvcreate -L20G -ncrypttest bubba
   lvm> exit
   # apt-get install cryptsetup
   # cryptsetup luksFormat /dev/mapper/bubba-crypttest

Now I get:

Code:

Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/mapper/bubba-crypttest contains at least 258 sectors.
Failed to write to key storage.
Command failed.

Trying:

Code:

   # modprobe dm-mod aes sha256 cbc
   FATAL: Module dm_mod not found.
   # zgrep SHA256 /proc/config.gz
   CONFIG_CRYPTO_SHA256 is not set

Since my bubba is specialized hardware, and because I want a toaster, not a hobby, I'm not intending on rolling my own kernel. Does anyone have any other suggestions? Has anyone else gotten encrypted filesystems working for bubbaII?

thanks.
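
The failure above comes down to kernel options the cipher spec depends on. As an added example (not part of the original post and not Excito's code), this shell helper maps a dm-crypt cipher spec such as aes-cbc-essiv:sha256 to the kernel options it needs and lists the ones a kernel config lacks. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: which kernel options does a dm-crypt cipher spec need,
# and which are missing from a kernel config? Function names are hypothetical.

# required_options SPEC -> one CONFIG_ name per line.
# SPEC has the form cipher-chainmode-ivmode[:ivopts], e.g. aes-cbc-essiv:sha256
required_options() {
    spec=$1
    ivopt=${spec#*:}
    if [ "$ivopt" = "$spec" ]; then ivopt=; fi   # no ':' in the spec
    old_ifs=$IFS; IFS=-
    set -- ${spec%%:*}                           # split cipher-chainmode-ivmode
    IFS=$old_ifs
    echo CONFIG_BLK_DEV_DM                       # device-mapper core (dm-mod)
    echo CONFIG_DM_CRYPT                         # dm-crypt target
    for part in "${1:-}" "${2:-}"; do            # cipher, then chaining mode
        if [ -n "$part" ]; then
            echo "CONFIG_CRYPTO_$part" | tr '[:lower:]' '[:upper:]'
        fi
    done
    # Only the essiv IV generator needs the hash named after ':'.
    if [ "${3:-}" = essiv ] && [ -n "$ivopt" ]; then
        echo "CONFIG_CRYPTO_$ivopt" | tr '[:lower:]' '[:upper:]'
    fi
    return 0
}

# missing_options SPEC (kernel config text on stdin) -> options not =y or =m
missing_options() {
    cfg=$(cat)
    for opt in $(required_options "$1"); do
        printf '%s\n' "$cfg" | grep -q "^$opt=[ym]\$" || echo "$opt"
    done
}

# Constructed sample config (not taken from a real Bubba kernel).
sample_config() {
    cat <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_CRYPT=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CBC=y
# CONFIG_CRYPTO_SHA256 is not set
# CONFIG_CRYPTO_BLOWFISH is not set
EOF
}

# On a real system: zcat /proc/config.gz | missing_options aes-cbc-essiv:sha256
sample_config | missing_options aes-cbc-essiv:sha256
```

An empty result means every option the spec needs is built in or available as a module.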
Strider
Posts: 20
Joined: 14 Jun 2007, 20:29

Post by Strider »

Hi,

I just installed a new bubba 2 and connected an external WD My Book 1TB that contains a single encrypted partition.
The disk does not mount as Excito does not have the sha256 module.
I think in order to mount LUKS encrypted partitions one needs to modprobe the following modules:

modprobe dm-mod (does not find or install this module)
dm-crypt
sha1
aes
sha256 (does not find the module and does not install it ... )

If someone could help to solve this issue it would be good.


Regards,
Pedro
jonj1
Posts: 51
Joined: 24 Oct 2008, 15:33

Re: encrypted FS

Post by jonj1 »

shadowbox wrote: Does anyone have any other suggestions? Has anyone else gotten encrypted filesystems working for bubbaII?

thanks.
I've used 'encfs' on other linux boxes but it's a similar story there; the 'fuse' module isn't in bubba's kernel by default.
Strider
Posts: 20
Joined: 14 Jun 2007, 20:29

Just did it!

Post by Strider »

Hi,

I was trying to use rsync in order to backup my BB2 1TB.
The process is very slow as the network connection does not surpass 3Mbps ...

So I was thinking about a faster way to do it and I actually forgot about this thread :)

So I plugged my external hdd 1TB drive that was encrypted under OpenSuSE with luks.

Bubba does not mount the drive by default of course.
But the drive is mountable!

Just open the drive with :

Code:

cryptsetup -v luksOpen /dev/sdb1 hddexternal

The prompt asks for the password, and once the password is entered, mapper can be used to decrypt the file system partition.

And it worked!

Now we only need to mount the partition(s) on bubba.

In my case it was:

Code:

mount -v -t ext3 -o rw,users /dev/mapper/hddexternal /mnt/hddext

Well, that's it!
It works!

I think the problem the first time I tried it was simple:
I did not notice a way to find out what was the actual USB device on Bubba.
I could not install fdisk so I did not know what device was actually being used (ignorance of mine ... )
But the web admin panel does contain a very simple method to find that out.
Just plug the usb drive, go to drive ... and there are the devices connected to your Bubba2.
Simple.

Regards,
Pedro
Strider
Posts: 20
Joined: 14 Jun 2007, 20:29

Post by Strider »

Hi,

The problem now is more difficult ... in OpenSuSE I can mount the usb external hdd as any user.
In Bubba I do not know how to do that.
Taking a look at the mount, all files and dirs are owned by admin.
This prevents me from using rsync effectively from the usb local port.

Regards,
Pedro
jonj1
Posts: 51
Joined: 24 Oct 2008, 15:33

Re: Just did it!

Post by jonj1 »

Strider wrote: Just open the drive with :

Code:

cryptsetup -v luksOpen /dev/sdb1 hddexternal

Thanks for the tip!

Strider wrote: I did not notice a way to find out what was the actual USB device on Bubba.
I could not install fdisk so I did not know what device was actually being used (ignorance of mine ... )
But the web admin panel does contain a very simple method to find that out.
Just plug the usb drive, go to drive ... and there are the devices connected to your Bubba2.

Perhaps running dmesg from the command line is an alternative to fdisk / the web admin panel. A few seconds after plugging in a drive, dmesg gives this:

Code:

usb 1-1.2: new high speed USB device using fsl-ehci and address 12
usb 1-1.2: configuration #1 chosen from 1 choice
scsi5 : SCSI emulation for USB Mass Storage devices
usb-storage: device found at 12
usb-storage: waiting for device to settle before scanning
scsi 5:0:0:0: Direct-Access     Multi    Flash Reader     1.00 PQ: 0 ANSI: 0
sd 5:0:0:0: [sdc] 2041200 512-byte hardware sectors (1045 MB)
sd 5:0:0:0: [sdc] Write Protect is off
sd 5:0:0:0: [sdc] Mode Sense: 03 00 00 00
sd 5:0:0:0: [sdc] Assuming drive cache: write through
sd 5:0:0:0: [sdc] 2041200 512-byte hardware sectors (1045 MB)
sd 5:0:0:0: [sdc] Write Protect is off
sd 5:0:0:0: [sdc] Mode Sense: 03 00 00 00
sd 5:0:0:0: [sdc] Assuming drive cache: write through
 sdc: sdc1
sd 5:0:0:0: [sdc] Attached SCSI removable disk
sd 5:0:0:0: Attached scsi generic sg1 type 0
usb-storage: device scan complete

so it's /dev/sdc1 ...

cheers,
Strider
Posts: 20
Joined: 14 Jun 2007, 20:29

Post by Strider »

Hi,


Hey ... I did that ?!?!?! It did not show up on the system log ... hummm ... I think I know the problem ... I did not wait enough time ... maybe I have to wait a little longer ....

Yup, it is there all right, it had to be.

Also I must tell you that even connecting locally it is a _very_ slow process if one uses rsync to synchronize both drives ...

We can not complain about this .... it must support mapper and rsync algorithm to compare every single file ... this must take time.
And finally we are talking about 1TB hdd ...


Regards,
Pedro
jonj1
Posts: 51
Joined: 24 Oct 2008, 15:33

Post by jonj1 »

Hi there,

Yeah, I use 'unison' which is similar and it takes a while to do the file comparison.

So long as you have a wired network, not wireless, I'd say the fastest backup would be to share bubba's drive over samba / NFS and run rsync on a remote linux box with the backup drive plugged in there.
shadowbox
Posts: 35
Joined: 07 Oct 2008, 20:17

Post by shadowbox »

jonj1: you don't happen to use Unison from another debian box running Lenny or Squish to your bubbaII running Etch?

I've stepped down my Squish unison version so it's the same as the Etch version, but I believe there is an underlying library incompatibility that's making this fail.

I just wanted to know what your configuration is because I really miss using Unison.
jonj1
Posts: 51
Joined: 24 Oct 2008, 15:33

Post by jonj1 »

shadowbox wrote:jonj1: you don't happen to use Unison from another debian box running Lenny or Squish to your bubbaII running Etch?

I've stepped down my Squish unison version so it's the same as the Etch version, but I believe there is an underlying library incompatibility that's making this fail.
Yeah, I know what you mean.

I got 2.27.57 working with help from this page:
http://blog.philippheckel.com/2008/05/1 ... ntu-hardy/ Looks like there's a binary posted there now.

I followed the 'install ocaml from backports, compile unison from source' route. These aren't full instructions but you need this in /etc/apt/sources.list:

Code:

deb http://www.backports.org/debian etch-backports main contrib non-free
# Unstable source packages - added for ocaml to compile unison
deb-src ftp://ftp.uk.debian.org/debian/ unstable main contrib non-free

and this in /etc/apt/preferences:

Code:

# Want ocaml from unstable to compile unison
Package: ocaml
Pin: release a=etch-backports
Pin-Priority: 1001

# more ocaml
Package: ocaml-base
Pin: release a=etch-backports
Pin-Priority: 1001

# more ocaml
Package: ocaml-nox
Pin: release a=etch-backports
Pin-Priority: 1001

Package: ocaml-base-nox
Pin: release a=etch-backports
Pin-Priority: 1001

Package: ocaml-interp
Pin: release a=etch-backports
Pin-Priority: 1001

then

Code:

$ apt-get update
$ apt-get install debian-backports-keyring
$ apt-get update
$ apt-get -t etch-backports install ocaml
$ apt-get update
$ apt-get source unison
$ dpkg-source -x unison_2.27.57-1.dsc # unpacks the tar.gz's and applies diff
$ cd unison-2.27.57/
$ make

There was one other package needed to avoid an error during 'make'. I think it was emacsen-common.
shadowbox
Posts: 35
Joined: 07 Oct 2008, 20:17

Post by shadowbox »

Thanks. Guess I have my project for the weekend.
shadowbox
Posts: 35
Joined: 07 Oct 2008, 20:17

Post by shadowbox »

Well, I couldn't wait. And it worked perfectly. Thanks for the help.

The only deviation I made from the instructions is to cp ./union to /usr/bin/unison-2.27.5 and then link /usr/bin/unison-latest-stable to it. But that was just a bit of housekeeping.
shadowbox
Posts: 35
Joined: 07 Oct 2008, 20:17

Re: encrypted FS

Post by shadowbox »

The OP regarding encryptedFS now works as of the 2.6.26.5-8 kernel.

Thanks for including the module, Bubba Folks.
jonj1
Posts: 51
Joined: 24 Oct 2008, 15:33

Re: encrypted FS

Post by jonj1 »

For anyone reading this thread and thinking of using cryptsetup for an encrypted partition, I did some experimenting with different ciphers to see if this could speed it up on Bubba2. It turns out you can make it noticeably faster by encrypting with this option:

Code:

cryptsetup -c aes-cbc-plain:sha256 ... <as above>

This (I believe) turns off 'essiv' which makes it not quite so strong, but that shouldn't be an issue unless you work at NASA :wink:

The read-speeds for a large file from the encrypted partition on bubba2 were:
* default setting: 10,000kB/s
* aes-cbc-plain:sha256: 17,000kB/s
* blowfish: 7,000kB/s