I figured out there is a possibility that I can change the algorithm in the built-in cryptor, in the openSUSE install. The default algo loaded is AES and I want to change it to Twofish. I saw a post in gentoo’s forums where it seems to be possible, although I don’t know if I can do the graphic install after it nor how to proceed.
What should I do? How to install the system afterwards? (with graphical install). Also, is there a way to check the encryption description after the system install?
Step 1: Create the partition of the desired size.
Step 2: set up LUKS encryption with a command similar to what you have given.
For LVM, then go into Yast partitioner, and convert that encrypted partition to an LVM and create the volumes you want within that LVM.
For install, you must select the expert partitioner. If I recall correctly, that’s the last choice. It might be labelled “create partitioning”. Once in the expert partitioner, you just select the existing file systems, and assign to root, home, swap (or whatever). The name of a listed partition will be something like “/dev/name-of-lvm/volume-name”.
If you are not using LVM, it will be easier. The partition name will just show up as something like “/dev/sda3” with a padlock next to it to indicate that it is encrypted.
If you have set up the encryption with “cryptsetup”, then Yast will just use what you have already set up. It won’t change the encryption method.
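Worked example of steps 1 and 2 together with the post-install check the original poster asked for. This is an added script, not part of nrickert’s post and not YaST’s or openSUSE’s own code. The device, the mapping name (cr_name) and the cipher spec twofish-xts-plain64 are placeholders and assumptions; the status and luksDump parsers only read the text those commands print, so the formatting step is the only part that touches a disk.

```sh
#!/bin/sh
# Added example, not from the thread or from openSUSE: format a partition as
# LUKS with a non-default cipher, then read the cipher back two ways.
# Device and mapping names below are placeholders you substitute.
set -u

CIPHER="${CIPHER:-twofish-xts-plain64}"
# XTS splits the key into two halves, so 512 bits here means 256-bit Twofish.
# For a cbc-essiv spec such as twofish-cbc-essiv:sha256 use 256 instead.
KEY_SIZE="${KEY_SIZE:-512}"

# Prove the kernel can run the cipher before touching the disk. cryptsetup
# loads the crypto modules on demand, so no "modprobe twofish" is needed.
cipher_usable() {
    cryptsetup benchmark --cipher "$CIPHER" --key-size "$KEY_SIZE" >/dev/null 2>&1
}

# Format, open, and put a file system on the mapping. Run this before the
# graphical install, then pick /dev/mapper/<name> in the expert partitioner.
luks_format_with_cipher() {          # usage: luks_format_with_cipher /dev/sdXN cr_name
    dev="$1"; name="$2"
    cipher_usable || { echo "kernel cannot run $CIPHER" >&2; return 1; }
    cryptsetup luksFormat --cipher "$CIPHER" --key-size "$KEY_SIZE" \
        --hash sha256 --verify-passphrase "$dev"
    cryptsetup luksOpen "$dev" "$name"
    mkfs.ext4 "/dev/mapper/$name"
}

# Parse the cipher line out of `cryptsetup status <name>` (text on stdin).
cipher_from_status_text() {
    awk '/^[[:space:]]*cipher:/ { print $2; exit }'
}

# Parse the cipher out of `cryptsetup luksDump <dev>` (text on stdin) without
# unlocking anything. LUKS1 prints "Cipher name:" and "Cipher mode:" lines;
# LUKS2 prints an indented lowercase "cipher:" line under its data segment.
cipher_from_dump_text() {
    awk '
        /^Cipher name:/          { name = $3 }
        /^Cipher mode:/          { mode = $3 }
        /^[[:space:]]+cipher:/   { print $2; exit }
        END                      { if (name != "") print name "-" mode }
    '
}

# Post-install checks: compare what is really in use with what you asked for.
mapping_uses_cipher() {              # usage: mapping_uses_cipher cr_name twofish-xts-plain64
    actual=$(cryptsetup status "$1" | cipher_from_status_text)
    [ "$actual" = "$2" ]
}

header_uses_cipher() {               # usage: header_uses_cipher /dev/sdXN twofish-xts-plain64
    actual=$(cryptsetup luksDump "$1" | cipher_from_dump_text)
    [ "$actual" = "$2" ]
}

# Only touches a disk when invoked as: sh this.sh format /dev/sdXN cr_name
if [ "${1:-}" = "format" ] && [ $# -eq 3 ]; then
    luks_format_with_cipher "$2" "$3" && header_uses_cipher "$2" "$CIPHER" \
        && echo "$2 formatted with $CIPHER"
fi
```

The luksDump check is the one to use after the install, since it reads the header on the raw partition and does not need the volume to be open; the status check confirms what dm-crypt is actually running on the active mapping.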
Then, on the partitioner, it auto-selected partitions and assigned them to mount-points. No problem, I edited them but it said “can’t assign mount-point without formatting”, then I formatted the desired partitions (“encrypt” was already signed) and provided a new password. This is where I thought it wasn’t going to work, because I already provided the partitions’ password before.
Proceeded with the install process, and now checked for its encryption:
bd67268e:~ # cryptsetup status /dev/mapper/cr_ata-WDC_WD10EARS-00Y5B1_WD-WCAV5W506023-part7
/dev/mapper/cr_ata-WDC_WD10EARS-00Y5B1_WD-WCAV5W506023-part7 is active and is in use.
type: LUKS1
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda7
offset: 4096 sectors
size: 31453184 sectors
mode: read/write
bd67268e:~ #
I guess no matter the cipher you select for it, the default loaded algorithm will always be AES.
But I guess there is a way to load a terminal on the graphical install. I tried changing the algorithm with Ctrl+Alt+F1, but the devices were busy.
Problem is, Yast does recognize the partitions, it even asks me for their passwords as if they were encrypted using the default algo. I wish I could record the process, but I can’t do so. Seems impossible to do what I want when the algorithm that is loaded is AES. I remember seeing “modprobe twofish” or something on other forums, I’ll check it and see if there’s a possibility to change from AES to twofish before the graphical install.
I’m pretty sure that Yast is just running “cryptsetup” from a script. So it should not care what algo is used, as long as you provide a password that cryptsetup can use to access to the partition. I admit to not experimenting with different algorithms.
Looks like I’m in the right direction after your last post, nrickert, I can now assign mount points to partitions without formatting them, as you can see here and here. Only problem is this: -> SUSE Paste
I couldn’t find anything on google about these errors so I’ll wait for someone to clear things up for me.
About /swap, I remember being able to point ‘fstab’ to make a specific partition as swap. When I finally get this working (and assuming the algorithm stays as twofish, which I assume it will since I was never prompted to enter a new password now) I will already have learned how to point it.
PS: Nevermind Ubuntu, it’s more efficient to try things on a virtual machine than re-installing like the real deal.
The way to deal with that problem, is to forget about “/dev/sda6”. Just leave “/var” as part of the root partition.
Once you have completed the install, boot to a live system, unlock “/dev/sda6”, copy “/var” to there (full recursive copy, or use tar), modify “/etc/crypttab” and “/etc/fstab” so that “/var” uses “/dev/sda6” on the next boot.
Hmm, there might still be a problem. I’m not sure how to unlock “/var” early enough. I think you have to rebuild “mkinitrd” before you can boot.
I don’t use plymouth. And, without plymouth, here is what I would do:
Make sure that there is an entry for “/dev/sda6” in crypttab. Set the last column to say “initrd” instead of “none”, or add “initrd” to the last column. Then run “mkinitrd”. You should be prompted for the key for “/dev/sda6” early (from the initrd). When that is checked, boot from a live system and copy “/var” to “/dev/sda6”, then update “/etc/fstab” to mount “/dev/sda6” on “/var”. On reboot, that should be fine, because the partition will be unlocked by the time the system wants to mount “/var”. Make sure that the “fstab” entry for “/var” uses the “/dev/mapper/some-name” to reference your encrypted var.
You can delete what’s below the mount point (the “/var” part of the root partition) later, when everything is checked.
The reason that I use an encrypted LVM, is to avoid those difficulties.
If you use the same encryption key for swap as for other partitions, then plymouth or the initrd (if you force the crypto to the initrd) will only prompt once. The other possibility for swap is to use straight dm_crypt without LUKS, and use a random key. You won’t be able to hibernate, since the key will be different on each boot. However, you will never be prompted for a key because that comes from “/dev/urandom”.
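The /var migration and the random-key swap from the two posts above, as an added script that is not part of nrickert’s posts and not openSUSE’s own tooling. The mapping names cr_var and cr_swap, the live-system mount point /mnt/root, and the devices /dev/sda6 and /dev/sda5 are placeholders; the “initrd” crypttab option is the openSUSE mkinitrd convention the post describes, and other distributions spell that differently. The config editors take the file path as their first argument so they can be tried on a copy before touching /etc.

```sh
#!/bin/sh
# Added example, not from the thread: move /var onto its own LUKS partition
# after the install and wire it into crypttab/fstab, plus a random-key swap.
# All device and mapping names are placeholders.
set -u

# Append a crypttab line unless one for that mapping name exists already.
# Columns: name  device  keyfile  options.
add_crypttab_entry() {      # usage: add_crypttab_entry file name device keyfile options
    grep -q "^$2[[:space:]]" "$1" 2>/dev/null && return 0
    printf '%s\t%s\t%s\t%s\n' "$2" "$3" "$4" "$5" >> "$1"
}

# Append an fstab line unless that device is already listed.
add_fstab_entry() {         # usage: add_fstab_entry file device mountpoint fstype options pass
    grep -q "^$2[[:space:]]" "$1" 2>/dev/null && return 0
    printf '%s\t%s\t%s\t%s\t0 %s\n' "$2" "$3" "$4" "$5" "$6" >> "$1"
}

# cp -a keeps ownership, modes, timestamps and symlinks; the trailing "/."
# copies the directory contents rather than the directory itself.
copy_tree() {               # usage: copy_tree /mnt/root/var /mnt/newvar
    cp -a "$1/." "$2/"
}

# Run from a live system with the installed root mounted at $1 and the new
# volume already unlocked (cryptsetup luksOpen /dev/sda6 cr_var).
migrate_var() {             # usage: migrate_var /mnt/root cr_var /dev/sda6
    root="$1"; name="$2"; dev="$3"
    mnt=$(mktemp -d)
    mount "/dev/mapper/$name" "$mnt"
    copy_tree "$root/var" "$mnt"
    umount "$mnt"; rmdir "$mnt"
    # "initrd" in the options column: openSUSE's mkinitrd then unlocks the
    # volume early enough for /var to be mounted at boot (see the post above).
    add_crypttab_entry "$root/etc/crypttab" "$name" "$dev" none initrd
    # fstab must reference the mapper device, never the raw /dev/sda6.
    add_fstab_entry "$root/etc/fstab" "/dev/mapper/$name" /var ext4 defaults 2
    # Rebuild the initrd inside the installed system so the early unlock exists.
    chroot "$root" mkinitrd
}

# Swap with a throw-away key from /dev/urandom: never prompts, but hibernation
# cannot work because the key is different on every boot.
add_random_key_swap() {     # usage: add_random_key_swap /mnt/root cr_swap /dev/sda5
    add_crypttab_entry "$1/etc/crypttab" "$2" "$3" /dev/urandom swap
    add_fstab_entry "$1/etc/fstab" "/dev/mapper/$2" none swap defaults 0
}

# Only acts on a system when invoked as: sh this.sh migrate /mnt/root cr_var /dev/sda6
if [ "${1:-}" = "migrate" ] && [ $# -eq 4 ]; then
    migrate_var "$2" "$3" "$4" && echo "/var moved to $4; reboot to use it"
fi
```

Once the rebooted system shows the new mapping mounted on /var, the old /var directory under the root file system can be emptied as the post suggests; until then it is the safety net.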
You’re right, nrickert, I’ll try to do what you said. I couldn’t even select /home to sda7 nor /tmp or /var to any mount point, so I’ll select sda2 to “/” and leave it there. Then, follow your instructions. Seems like I have a big job ahead.
Boy, it’s too hard! >:( I don’t think I have the brains to do it yet.
I wish there was a documentation on “How to change the Crypto algorithm before installing your system” hahaha
On 2013-08-13 03:16, amarildojr wrote:
>
> Boy, it’s too hard! >:( I don’t think I have the brains to do it yet.
> I wish there was a documentation on “How to change the Crypto algorithm
> before installing your system” hahaha
You may open a bugzilla (feature) or a feature request at openfate,
requesting the partitioner in YaST to allow selecting the algorithm for
encryption.
Otherwise, the procedure would be similar to what it is for root encryption
without LVM: install clear, prepare second partition, encrypted,
manually, move over. This is something I’m attempting but not yet finished.
–
Cheers / Saludos,
Carlos E. R.
(from 12.3 x86_64 “Dartmouth” at Telcontar)
I’m re-posting in this topic to add that I could do what I wanted on Arch Linux. Maybe the info will help developers to implement FDE without the need of LVM on openSUSE.
I used an openSUSE install to look at critical files and I’ll post the complete install process I use on Arch. If someone would like to see this also on openSUSE, feel free to tell devs about this thread.
Install process
loadkeys br-abnt2
nano /etc/locale.gen
(Unmark:
en_US
pt-BR)
modprobe dm-crypt
dhcpcd
cfdisk
(I used Gparted to create my partitions since my drive is a 1TB one and cfdisk/fdisk create misaligned partitions)
On Fri, 27 Sep 2013 16:06:02 +0000, amarildojr wrote:
> Maybe the info will help developers to implement FDE without the need of
> LVM on openSUSE.
Generally, posting it here won’t get it to them. Put this info in a FATE
request or open a bug in bugzilla (though as a feature request, FATE is
probably a better place for it).
I posted this so that openSUSE’s users can contact the Developers Team if they feel interested in such a crypto scheme. Since I no longer use openSUSE I don’t feel the need to do such a task.