Full disk encryption settings; serpent how?

Hi,

I would like to use LVM on LUKS full disk (root, home, swap) encryption with the following settings:

cryptsetup -v --cipher **serpent-xts-plain64** --key-size 512 --hash sha512 --iter-time 3000 --use-random luksFormat /dev/sdaX

Can I achieve this somehow with or without yast?
Can I change somehow yast’s default encryption settings?

(Beforehand I managed to create and encrypt my partitions with the rescue cd, and then I started the installation, then when asked I provided the password to yast, made the partition settings, and the installation went well, but I got an unbootable system with Dracut Emergency Shell…)

/Sorry for my poor English/

On 2014-11-30 18:26, atskler wrote:
>
> Hi,
>
> I would like to use LVM on LUKS full disk (root, home, swap) encryption
> with the following settings:
>
>
> Code:
> --------------------
> cryptsetup -v --cipher serpent-xts-plain64 --key-size 512 --hash sha512 --iter-time 3000 --use-random luksFormat /dev/sdaX
>
> --------------------
>
>
> Can I achieve this somehow with or without yast?

Not with YaST.

> Can I change somehow yast’s default encryption settings?

Not that I know.

Manually, I guess so, but I’m not familiar with LVM.

> (Beforehand I managed to create and encrypt my partitions with the
> rescue cd, and then I started the installation, then when asked I
> provided the password to yast, made the partition settings, and the
> installation went well, but I got an unbootable system with Dracut
> Emergency Shell…)

You need a non-encrypted /boot partition.

> /Sorry for my poor English/

Good enough - English is not my first language either

–
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

You need a non-encrypted /boot partition.

I know, and there was.

I think there must be somewhere a config file from where yast reads it’s “how to do” the encryption…

On 2014-11-30 19:06, atskler wrote:
>
>> -You need a non-encrypted /boot partition.-
>
> I know, and there was.

Then someone has to look at the exact error messages you got, and it can
not be me, as I don’t know a word of dracut and close to none about LVM.

–
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

I understand, and I appreciate and thank you your help.

At first I would like to find that file which contains the encryption settings for the installer.

On 2014-11-30 19:16, atskler wrote:
>
> I think there must be somewhere a config file from where yast reads it’s
> “how to do” the encryption…

Code.

–
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

On 2014-11-30 19:46, atskler wrote:
>
> I understand, and I appreciate and thank you your help.
>
> At first I would like to find that file which contains the encryption
> settings for the installer.

It is code. Hardcode. Not a configuration setting. Search in YaST source
code.

–
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Are you sure, that “serpent” is supported?

I don’t see it in /proc/crypto.

Hendrik

Sorry for the noise.
After running “cryptsetup benchmark” /proc/crypto contained a lot more entries then before, incuding serpent.

Hendrik

robin_listas it seems you are right

Currently I can think in the following alternatives:

1. make a yast feature request – to implement full cryptsetup control in yast

2. make a yast feature request – to be able to install flawlessly on already encrypted system partitions

3. find someone who has the knowledge and willingness to write a guide to installing on already encrypted system partitions

4. trying to recompile cryptsetup with alternate defaults and tampering it into the installation system

5. installing with yast and with the default encryption settings, then installing on manually encrypted partitions and then comparing the two installation’s config files which dealing with system startup

6. learn to use Arch Linux

7. live with the system as it is and/or throwing the computer out of the window

…

On 2014-11-30 21:36, atskler wrote:

> 2) make a yast feature request – to be able to install flawlessly on
> already encrypted system partitions

Actually, this should work as it is now, if the partition is recognized
as “LUKS”. Maybe, just maybe, you have to add some mount options for
fstab, right at install. YaST allows this, in the expert partitioner.

> 4) trying to recompile cryptsetup with alternate defaults and tampering
> it into the installation system

I don’t think you have to rebuild that one. You just need access to the
options the partitioner gives to it.

> 8) live with the system as it is and/or throwing the computer out of
> the window

LOL.

–
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

I’m not sure that analysis is correct.

If “cryptsetup” did not complain when you setup the encrypted LVM, then it should have been fine. As far as I know, when installing into an existing encrypted LVM (which I often do), Yast just opens the LVM and possibly reformats some of the volumes. But it just uses the existing encryption.

To test, you should check if you can access the installed system from a live rescue CD or similar.

If that works, then it might be that there is something missing from the “initrd” that is needed for the encryption algorithm that you setup. Maybe some “dracut” config is needed.

Meanwhile, to be more tangible I uploaded what I get after installation.
There are screenshots, log, blkids, complete /boot and complete /etc - all from clean 13.2 install.

https://drive.google.com/folderview?id=0B1GdRhi1OBjQNFBtWHVkaVZJdnc&usp=sharing#list

What I miss in your /etc is a file named “crypttab”. It should contain an entry for your encrypted lvm device.

Hendrik

Finally I found a solution rotfl!
In the following days I will write about The Solution

I made a clean installation with the default encryption settings and I made comparisons between the problematic and the working installation.

I found that – as hendwolt found too – that my problem’s source is the missing crypttab file from /etc, and from the initrd image.

For me the working /etc/crypttab looks like this:

cr_ata-HGST_HTS721010A9E630_JR10006P0N9SEF-part2 **/dev/disk/by-id/**ata-HGST_HTS721010A9E630_JR10006P0N9SEF-part2 none       none

Workaround: boot with an opensuse rescue cd, mount the installed system’s partitions, make a correct /etc/crypttab file, and rebuild the initrd with dracut -f.
This is the process.

cryptsetup luksOpen /dev/disk/by-id/ata-HGST_HTS721010A9E630_JR10006P0N9SEF-part2 cr_ata-HGST_HTS721010A9E630_JR10006P0N9SEF-part2

vgchange -ay system

mkdir /mnt/sysimage

mount /dev/mapper/system-root /mnt/sysimage
mount /dev/sda1 /mnt/sysimage/boot

At this point I created the proper /etc/crypttab file in /mnt/sysimage/etc. Then continued the mounting to rebuild the initrd:

mount --bind /proc /mnt/sysimage/proc
mount --bind /dev /mnt/sysimage/dev
mount --bind /sys /mnt/sysimage/sys

chroot /mnt/sysimage

dracut -f /boot/initrd-3.17.2-1-desktop 3.17.2-1-desktop

exit

umount /mnt/sysimage/sys
umount /mnt/sysimage/dev
umount /mnt/sysimage/proc
umount /mnt/sysimage/boot
umount /mnt/sysimage/

vgchange -an system

cryptsetup luksClose cr_ata-HGST_HTS721010A9E630_JR10006P0N9SEF-part2

Then reboot and finished.

Addition: my partitions:

Device          │      Size│F│Enc│Type              │FS Type│Label│Mount Point
/dev/sda        │931.51 GiB│ │   │HGST-HTS721010A9  │       │     │ 
/dev/sda1       │  1.00 GiB│ │   │Linux native      │Ext4   │     │/boot
/dev/sda2       │930.51 GiB│ │ E │Linux LVM         │       │     │
/dev/system     │930.50 GiB│ │   │LVM2 system       │       │     │
/dev/system/home│851.50 GiB│ │   │LV                │XFS    │     │/home
/dev/system/root│ 70.00 GiB│ │   │LV                │XFS    │     │/
/dev/system/swap│  9.00 GiB│ │   │LV                │Swap   │     │swap

Additional reading:

Working Dracut > http://blog.fritzhardy.com/?p=621

I have never run into that problem with “opensuse”, though I have been hit with it when trying “ubuntu”.

For me, the installer has always added an entry in “/etc/crypttab”.

I have seen others report a problem. My understanding is that they did an upgrade rather than a clean install (in existing partitions or volumes). Apparently the crypttab entry was not required before 13.1, at least for the LVM containing the root file system. That was handled by “mkinitrd” scripts, which checked the current root file system to decide what to do and did not depend on “/etc/crypttab”. Apparently, “dracut” does go by what is in “crypttab”.

For me, the installer has always added an entry in “/etc/crypttab”.

For me too, with clean installation and setting up encryption and partitions with yast.

My understanding is that they did an upgrade rather than a clean install (in existing partitions or volumes).

I wanted to use already existing encrypted partition configuration. The yast finds, opens, mounts, use them correctly but forgets to create crypttab.

Apparently the crypttab entry was not required before 13.1, at least for the LVM containing the root file system.
That was handled by “mkinitrd” scripts, which checked the current root file system to decide what to do and did not depend on “/etc/crypttab”. Apparently, “dracut” does go by what is in “crypttab”.

Maybe the 13.1 worked like Fedora:

*A stock Fedora install on a crypto-root does not create this file, but its existence may (or may not) eliminate the need to specify rd.luks.uuid on the kernel command-line, among other things. I did not create this file on my system. Your mileage may vary. *( Fedora Linux Migration Part 2: Switch to Encrypted Root | Fritzhardy’s Blog | http://blog.fritzhardy.com/?p=584 )

I used 13.2 and Tumbleweed.

That’s what’s puzzling. Because that’s how I normally install.

I created the LVM manually, before the install. Maybe I used Yast for part of that, but I was doing it booted from a live image and it did not save any crypttab information to the hard drive. Then later, when installing, I told the installer to use existing partitions, LVM volumes, etc. And it has always created “crypttab” for that.