Encrypted Slackware on USB Stick
Lesson for today: we need a bootable Slackware 12.2 on a LUKS-encrypted USB stick.
The encryption part is not that hard and is well documented in README_CRYPT.TXT, so I will concentrate on the things that are new.
UUID
Our USB stick needs to work on most desktop boxes, so we cannot hardcode /dev/sda1 in /etc/fstab, /etc/crypttab or when creating our initrd. Sad but true: Slackware 12.2 supports UUIDs only in /etc/fstab out of the box, so I needed to patch the missing pieces to get it working.
This patch is against the /etc/rc.d/rc.6 and rc.S scripts from current.
--- slackware-current/source/a/sysvinit-scripts/scripts/rc.6.orig 2008-12-02 21:32:00.000000000 +0100
+++ slackware-current/source/a/sysvinit-scripts/scripts/rc.6 2009-07-29 12:05:59.000000000 +0200
@@ -208,6 +208,11 @@
LUKS=$(echo $line | tr 't' ' ' | tr -s ' ' | cut -f1 -d' ')
DEV=$(echo $line | tr 't' ' ' | tr -s ' ' | cut -f2 -d' ')
OPTS=$(echo $line | tr 't' ' ' | tr -s ' ' | cut -f4 -d' ')
+
+ if echo $DEV | egrep -q "(LABEL=|UUID=)" ; then
+ DEV=`findfs $DEV`
+ fi
+
if /sbin/cryptsetup.static isLuks $DEV 2>/dev/null ; then
echo "Locking LUKS crypt volume '${LUKS}':"
/sbin/cryptsetup.static luksClose ${LUKS}
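Review bot: the result of `findfs $DEV` is never checked. If the UUID or label is not present (the stick was pulled, or the entry is stale), `DEV` becomes empty and `cryptsetup.static isLuks ""` is run with its error discarded, so the entry is silently skipped. Suggest `if ! DEV=$(findfs "$DEV"); then echo "Cannot find $DEV"; continue; fi` so the failure is visible in the shutdown log. Also, the context line `tr 't' ' '` reads as translating the letter t rather than a tab (`tr '\t' ' '`); if a backslash was lost when the patch was pasted, check that before applying, since with a literal t every field containing that letter would be split.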
--- slackware-current/source/a/sysvinit-scripts/scripts/rc.S.orig 2009-04-22 04:48:39.000000000 +0200
+++ slackware-current/source/a/sysvinit-scripts/scripts/rc.S 2009-07-29 13:18:19.000000000 +0200
@@ -74,6 +74,7 @@
PASS="${LUKSARRAY[2]}"
OPTS="${LUKSARRAY[3]}"
LUKSOPTS=""
+ if echo $DEV | egrep -q "(LABEL=|UUID=)" ; then DEV=`findfs $DEV` ; fi
if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi
# Skip LUKS volumes that were already unlocked (in the initrd):
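Review bot: same unchecked `findfs` as in the rc.6 hunk, and here it matters more: when the UUID cannot be found, `DEV` is left empty and the later luksOpen runs on an empty device name. Suggest `if ! DEV=$(findfs "$DEV"); then echo "Cannot find $DEV"; continue; fi` so the crypttab entry is reported and skipped instead of passed on; quoting `"$DEV"` also avoids word splitting on the lookup.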
After you have applied that patch you can replace all device entries in /etc/fstab and /etc/crypttab with UUID entries. To find the UUIDs of your devices, use blkid or tune2fs -l.
initrd
You have already created an initrd during the installation if you followed the encryption guide, but that initrd cannot mount a root device by UUID. To get that feature we need to patch the init script of the initrd tree, which is a shell script in a small busybox environment. The base for that initrd is /usr/share/mkinitrd/initrd-tree.tar.gz, and mkinitrd does not do much more than extract that archive, modify a few files with config parameters and put it all into a compressed cpio archive when you create a new initrd.
So you need to patch the init script in /usr/share/mkinitrd/initrd-tree.tar.gz. The init script from current, which will soon become Slackware 13, already has LABEL support, so I've taken that and added UUID and luksdev support.
--- slackware-current/source/a/mkinitrd/init.orig 2009-04-03 00:13:59.000000000 +0200
+++ slackware-current/source/a/mkinitrd/init 2009-07-29 12:05:12.000000000 +0200
@@ -79,10 +79,13 @@
luksdev=/dev/*)
LUKSDEV=`echo $ARG | cut -f2 -d=`
;;
+ luksdev=LABEL=*|luksdev=UUID=*)
+ LUKSDEV=`echo $ARG | cut -f2- -d=`
+ ;;
waitforroot=*)
WAIT=`echo $ARG | cut -f2 -d=`
;;
- root=LABEL=*)
+ root=LABEL=*|root=UUID=*)
ROOTDEV=`echo $ARG | cut -f2- -d=`
;;
resume=*)
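Review bot: the new `luksdev=LABEL=*|luksdev=UUID=*)` case is identical to the `luksdev=/dev/*)` case above it apart from `-f2-` versus `-f2`. Since `cut -f2- -d=` returns a plain `/dev/...` value unchanged, a single `luksdev=*)` case using `-f2-` would cover both forms and keep the two branches from drifting apart. The `root=LABEL=*|root=UUID=*)` change is fine. The mkinitrd help text and README should mention that `-C` (and `-r`) now accept `UUID=` and `LABEL=` as well.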
@@ -137,11 +140,17 @@
/sbin/mdadm -A -s
fi
- # Find root device if a label was given:
- if echo $ROOTDEV | grep -q "LABEL=" ; then
+ # Find root device if a label or uuid was given:
+ if echo $ROOTDEV | egrep -q "(LABEL=|UUID=)" ; then
ROOTDEV=`findfs $ROOTDEV`
fi
+ if echo $LUKSDEV | egrep -q "(LABEL=|UUID=)" ; then
+ if findfs $LUKSDEV 1>/dev/null 2>/dev/null ; then
+ LUKSDEV=`findfs $LUKSDEV`
+ fi
+ fi
+
# Make encrypted root partition available:
# The useable device will be under /dev/mapper/
# Three scenarios for the commandline exist:
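Review bot: the `findfs $LUKSDEV` guard runs findfs twice and, unlike the `ROOTDEV` block right above it, fails silently. A comment should state why that is intended (the LUKS container may sit on a LV that is not active yet, and the lookup is repeated in scenario 3); a single call such as `if D=$(findfs $LUKSDEV 2>/dev/null); then LUKSDEV=$D; fi` avoids the double lookup. The same five lines reappear in the scenario-3 hunk, so a small resolve function would remove the duplication.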
@@ -175,6 +184,12 @@
# Make encrypted root partition available (scenario 3):
# We have to handle cases here where the LUKS volume is created on a LV
if [ -x /sbin/cryptsetup ]; then
+ if echo $LUKSDEV | egrep -q "(LABEL=|UUID=)" ; then
+ if findfs $LUKSDEV 1>/dev/null 2>/dev/null ; then
+ LUKSDEV=`findfs $LUKSDEV`
+ fi
+ fi
+
if /sbin/cryptsetup isLuks ${LUKSDEV} 1>/dev/null 2>/dev/null ; then
# Only act if we could not open the LUKS device before (i.e. is on a LV):
if [ "x$CRYPTDEV" == "x" ]; then
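Review bot: this block is a verbatim copy of the one added after the mdadm assembly; factor it into a function, or at least comment that this second attempt is for the LV case. Both `egrep` and `findfs` must also exist in the initrd busybox environment: on 12.2 findfs is not there by default (the post adds a static copy), and if it is missing `LUKSDEV` stays `UUID=...` and the following `isLuks` test fails with its output discarded. A check that findfs is available, with an error message, would make that misconfiguration visible at boot.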
findfs
Slackware current already includes findfs in the initrd busybox environment, but for Slackware 12.2 you need a statically compiled findfs, which is part of e2fsprogs. You have to include it in your /usr/share/mkinitrd/initrd-tree.tar.gz under bin or sbin.
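A checked version of the LABEL=/UUID= resolution the patches above do with findfs, as an added example of my own (not code from the post or from Slackware): it accepts the same three spec forms rc.S and the initrd init see, but verifies the findfs exit status and can retry for a few seconds, which is what a USB stick that appears late or a LUKS volume on a not yet active LV needs. The FINDFS override variable is an assumption added so the function can be exercised with a stub.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Resolve a device spec as found in /etc/crypttab, /etc/fstab or on the
# initrd command line: /dev/... is returned as-is, LABEL=... and UUID=...
# are looked up with findfs. findfs' exit status is checked, so a missing
# device never leaves an empty variable behind.
#
# FINDFS may be overridden (assumed hook, e.g. with a stub for testing).
FINDFS="${FINDFS:-findfs}"

# resolve_blockdev SPEC [SECONDS]
# Prints the device path on stdout and returns 0 on success.
# Returns 1 for an unsupported spec, 2 if the device did not show up in time.
resolve_blockdev() {
    spec="$1"
    tries="${2:-0}"
    case "$spec" in
        /dev/*)
            printf '%s\n' "$spec"
            return 0 ;;
        LABEL=*|UUID=*)
            ;;
        *)
            return 1 ;;
    esac
    # Retry once per second until the spec resolves or the budget is used up,
    # covering USB sticks that are enumerated a few seconds after boot.
    while :; do
        if dev=$("$FINDFS" "$spec" 2>/dev/null) && [ -n "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
        [ "$tries" -gt 0 ] || return 2
        tries=$((tries - 1))
        sleep 1
    done
}

# Stand-alone use: resolve_blockdev.sh UUID=... [seconds]
if [ $# -gt 0 ]; then
    resolve_blockdev "$1" "${2:-10}"
fi
```

Used in rc.S, this replaces the bare backtick assignment with `DEV=$(resolve_blockdev "$DEV") || { echo "Cannot find $DEV"; continue; }`.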
Let's create our initrd
mkinitrd -c -k 2.6.27.7-smp -m ext3:ehci_hcd:uhci_hcd:usb_storage \
  -f ext3 -r cryptroot -C UUID="ae04abe2-90f4-472c-9db6-ac0d2b14c4a5" -w 10
It's that easy. You need the USB kernel modules, which are ehci_hcd, uhci_hcd and usb_storage, and you have to wait a few seconds at boot until the drive appears, so we add "-w 10" to wait for 10 seconds.
Don't forget to run lilo before rebooting, and have fun with your mobile Slackware USB stick.
Programming, Linux : 29.07.2009 14:36