
dmCrypt

Introduction

This howto was created on a German eeePC image. The image can differ for other localisations. dmcrypt itself was installed by Asus, but dmcrypt needs some kernel options, and Asus did not prepare the kernel for them. Another method to encrypt the eeePC drive can be found here: Truecrypt. But with Truecrypt I can't use suspend to RAM. My native language is German. I hope you can forgive and understand my bad English. Please correct errors.

900 series: On the EEE 90x, aufs has replaced unionfs and the user data is stored on sdb1. sda1 contains the read-only system files. sda2 contains the writable system files. See the 90x specifics.

What needs to happen?

  • Installation of a modified Kernel (Asus installed dmcrypt itself, but the needed kernel modules are not compiled in)
  • Installation of a modified initramfs
  • Installation of 2 scripts
  • Installation of a new grub menu

Important!!!

The user partition will be reformatted. Back up all your own data before following these instructions.

Installation

  1. Preparation
    sudo su
    cd /root
    mkdir dmcrypt.tmp
    cd dmcrypt.tmp
  2. Download files
    wget http://eee-dmcrypt.googlecode.com/files/vmlinuz-2.6.21.4-eeepc-dmcrypt
    wget http://eee-dmcrypt.googlecode.com/files/initramfs-eeepc-dmcrypt.img
    wget http://eee-dmcrypt.googlecode.com/files/eeedmcryptformatuser.sh
    wget http://eee-dmcrypt.googlecode.com/files/eeedmcryptscanuser.sh
    wget http://eee-dmcrypt.googlecode.com/files/menu.lst
    chmod 755 eeedmcryptformatuser.sh
    chmod 755 eeedmcryptscanuser.sh
  3. Reboot into the Rescue/Debug Mode to install the files. See also Rescue Mode or: How I Learned to Stop Worrying and Learned to Love Single-User Mode.
  4. Mount the system and the user partition
    mount /dev/sda1 /mnt-system/
    mount /dev/sda2 /mnt-user/
  5. Copy and save the needed files
    mv /mnt-system/boot/grub/menu.lst /mnt-system/boot/grub/menu.lst.bak
    cp /mnt-user/root/dmcrypt.tmp/menu.lst /mnt-system/boot/grub/
    cp /mnt-user/root/dmcrypt.tmp/initramfs-eeepc-dmcrypt.img /mnt-system/boot/
    cp /mnt-user/root/dmcrypt.tmp/vmlinuz-2.6.21.4-eeepc-dmcrypt /mnt-system/boot/
    cp /mnt-user/root/dmcrypt.tmp/eeedmcryptformatuser.sh /mnt-system/sbin
    cp /mnt-user/root/dmcrypt.tmp/eeedmcryptscanuser.sh /mnt-system/sbin
  6. Unmount the partitions to ensure all data has been written
    umount /mnt-*
  7. Reboot the system with Ctrl+Alt+Del; on reboot press the F9 key again to see the grub boot selection menu.
  8. Select “Restore Factory Settings”
  9. Now follow the instructions on the screen to delete and encrypt the user partition.

Reboot the system and you're done. Now your user partition is encrypted, you will be prompted for your password during the boot process.

Create own Kernel

Follow these steps if you wish to create your own kernel, instead of using the one provided.

See Rebuilding the eee kernel. The kernel modules needed on the eeePC are:

  • Device Drivers → Multi-device support (RAID and LVM) →
    • <*> Device mapper support
    • <*> Crypt target support
  • Cryptographic options →
    • <*> SHA256 digest algorithm
    • <*> AES cipher algorithms
    • <*> AES cipher algorithms (i586)

Create own initramfs

Follow these steps if you wish to create your own initramfs, instead of using the one provided.

sudo su
cd ~
 
mkdir dmcrypt.tmp dmcrypt.tmp/unpacked
cd dmcrypt.tmp
wget http://eee-dmcrypt.googlecode.com/files/init
chmod 755 init
cd unpacked
cp /boot/initramfs-eeepc.img .
gzip -dc initramfs-eeepc.img | cpio -i
rm initramfs-eeepc.img
mv ../init .
find | cpio -H newc -o | gzip -9 > ../initramfs-eeepc-dmcrypt.img

90x specifics

There is not much difference between the 700 and 90x howtos. This section points out the steps that differ from the 700 howto.

Since there are no pre-made “modules”, you will have to follow the “manual method” as described in the 700 howto, i.e. create your own initramfs and kernel (901 kernel howto). (The menu.lst is the same as long as you use the same filenames as in the 700 howto.)

90x modified eeedmcryptformatuser.sh:

#!/bin/sh
#########################
#
# eeedmcryptformatuser.sh
# v0.3 Steffen Eichhorn aka indubio
# contact: mail at indubio.org
#
# Modified to fit EEE 901 by Stein E Gullvik, stein.gullvik at gmail.com
#
# based on truecrypt scripts from George Foot
# http://www.glost.eclipse.co.uk/gfoot/eee/truecrypt 
#
############################################
 
mount -tproc proc /proc
/sbin/mkfs -t ext2 /dev/ram0
mount /dev/ram0 /dev/mapper
 
clear
 
echo You are about to restore this unit to factory settings.
echo All user data will be lost!
echo
echo -n "Enter 'yes' to continue: "
 
read INPUT
 
if [ "$INPUT" != "yes" ]; then
    /sbin/busybox.asus reboot -f
fi
 
#Remove "HOME" label from /dev/sdb1. Fastinit uses the label to mount home partition.
/sbin/e2label /dev/sdb1 ""
 
echo "Encrypting user partition, please type a secure password as prompted..."
/sbin/cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdb1
 
echo "Mounting encrypted volume - please re-enter password..."
/sbin/cryptsetup luksOpen /dev/sdb1 cryptedpartition
 
#Important to label the partition with "HOME". Fastinit mounts label "HOME" as /home/
echo -n "Formatting user partition, please wait... "
/sbin/mkfs.ext3 -q -L HOME /dev/mapper/cryptedpartition
 
echo -n "Copying skeleton home directory..."
mount /dev/mapper/cryptedpartition /mnt
cp -a /home/* /mnt/
 
 
umount /mnt
cryptsetup luksClose cryptedpartition
 
echo -n "done!"
echo
 
umount /proc
echo "Press <ENTER> to reboot..."
read
/sbin/busybox.asus reboot -f
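An added check that is not part of the original howto: after step 9 has run, confirm that the LUKS header on the user partition really carries the parameters the format script passes to luksFormat (aes, cbc-essiv:sha256, 256-bit key). It reads the output of `cryptsetup luksDump` on stdin; the field labels assumed are those of a LUKS1 header, and both sample dumps below are constructed, not captured from a device.

```shell
#!/bin/sh
# Confirm a LUKS header carries the parameters eeedmcryptformatuser.sh passes
# to luksFormat (-c aes-cbc-essiv:sha256 -s 256, a LUKS1 header). Reads the
# output of `cryptsetup luksDump <device>` on stdin.
WANT_CIPHER=aes              # expected values, from the format script above
WANT_MODE=cbc-essiv:sha256
WANT_HASH=sha256
WANT_BITS=256
# luks_field LABEL: print the value of the "LABEL:  value" line read on stdin.
# The label is matched exactly at line start ("Cipher name" never matches
# "Cipher mode"); values may themselves contain colons, so no -F: splitting.
luks_field() {
    awk -v label="$1" '
        index($0, label ":") == 1 {
            v = substr($0, length(label) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }'
}
# check_luks_params: read dump text on stdin; return 0 only if every field
# matches, printing each mismatch so the operator sees what was really used.
check_luks_params() {
    dump=$(cat)
    rc=0
    for pair in "Version=1" "Cipher name=$WANT_CIPHER" "Cipher mode=$WANT_MODE" \
                "Hash spec=$WANT_HASH" "MK bits=$WANT_BITS"; do
        label=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$dump" | luks_field "$label")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: got "%s", expected "%s"\n' "$label" "${got:-<missing>}" "$want"
            rc=1
        fi
    done
    return $rc
}
# Constructed luksDump excerpts (not real dumps; digest, salt and key-slot lines
# omitted). The second has a plain IV and a 128-bit key, which is not what the
# script on this page produces, so the check must reject it.
SAMPLE_GOOD='Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha256
MK bits:        256'
SAMPLE_WEAK='Version:        1
Cipher name:    aes
Cipher mode:    cbc-plain
Hash spec:      sha1
MK bits:        128'
# Real use, as root: cryptsetup luksDump /dev/sdb1 | check_luks_params
```
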

90x modified eeedmcryptscanuser.sh:

#!/bin/sh
#########################
#
# eeedmcryptscanuser.sh
# v0.1 Steffen Eichhorn aka indubio
# contact: mail at indubio.org
#
# Modified to fit EEE 901 by Stein E Gullvik, stein.gullvik at gmail.com
#
############################################
mount -tproc proc /proc
/sbin/mkfs -t ext2 /dev/ram0
mount /dev/ram0 /dev/mapper
 
clear
 
echo "Scanning user partition, please wait..."
 
/sbin/cryptsetup luksOpen /dev/sdb1 cryptedpartition
 
/sbin/fsck -C -f -y -text3 /dev/mapper/cryptedpartition
/sbin/tune2fs -j /dev/mapper/cryptedpartition
 
#Clean up
/sbin/cryptsetup luksClose cryptedpartition
umount /proc
 
echo
echo "Press <ENTER> to reboot..."
 
read
 
/sbin/busybox.asus reboot -f

90x modified init script (for initramfs):

(See my comment regarding the echo -n “[?25l” entry)

#!/bin/sh
mount -t proc proc /proc
mount -t sysfs sys /sys
echo "0 0 0 0">/proc/sys/kernel/printk
 
if [ -n "$XANDROSBOOTDEBUG" ]; then
    mount -t ext2 /dev/sda1 /mnt-system
    mount -t ext3 /dev/sda2 /mnt-user
    ln -s /mnt-system/lib /
    ln -s /mnt-system/usr /
    ln -s /mnt-system/sbin /
    cryptsetup luksOpen /dev/sdb1 cryptedpartition
    mount -t ext3 /dev/mapper/cryptedpartition /mnt
    /bin/busybox sh
    set -x
fi
 
ROOT=`cat /proc/cmdline | sed 's/.*root=// ; s/ .*//'`
#VERSION=`cat /proc/version | cut -f3 -d" "`
 
mount -t ext2 -o ro $ROOT /mnt-system
if [ $? -ne 0 ] ; then
    echo Could not mount OS on $ROOT. Starting debugging shell....
    /bin/busybox sh
fi
 
if [ -n "$XANDROSSCAN" ]; then
#    exec switch_root /mnt-system /sbin/scanuser.sh
    exec switch_root /mnt-system /sbin/eeedmcryptscanuser.sh
fi
 
if [ -n "$XANDROSRESTORE" ]; then
#    exec switch_root /mnt-system /sbin/formatuser.sh
    exec switch_root /mnt-system /sbin/eeedmcryptformatuser.sh
fi
 
# The echo line might have been scrambled in the wiki.
# I recommend that you copy the echo line from your existing init script.
if [ -z "`grep nosplash /proc/cmdline`" ]; then
    echo -n "[?25l"
    cp /mnt-system/boot/startup.fb /dev/fb/0
fi
 
if ! mount -t ext3 -o rw,noatime /dev/sda2 /mnt-user; then
    echo Error mounting user partition. Must run filesystem scan!
    exec switch_root /mnt-system /sbin/scanuser.sh
fi
 
##### mounting crypted partition
#make sure unlocked partition is available after switch-root to fastinit
ln -s /mnt-user/dev/mapper /dev/mapper
 
ln -s /mnt-system/lib /
ln -s /mnt-system/sbin /
if ! cryptsetup luksOpen /dev/sdb1 cryptedpartition; then
    echo Error unlocking crypted partition. Starting debug shell....
    exec /bin/busybox sh
fi
 
#901 fastinit mounts label HOME (sdb1)
#if ! mount -t ext3 -o rw,noatime /dev/mapper/cryptedpartition /mnt-user; then
#    echo Error mounting user partition. Starting debug shell....
#    exec /bin/busybox sh
#fi 
####################################
 
 
# Factory auto-format functionality
if [ -f /mnt-user/.autoformat ]; then
    umount /mnt-user
    exec switch_root /mnt-system /sbin/formatuser.sh -- --auto
fi
 
#insmod /mnt-system/lib/modules/$VERSION/kernel/fs/aufs/aufs.ko > /dev/null
mount -t aufs -o br:/mnt-user:/mnt-system none /mnt
if [ $? -ne 0 ]; then
    echo Could not mount aufs on USER partition. Starting debugging shell....
    /bin/busybox sh
fi
 
mount --move /mnt-system /mnt/.ro
mount --move /mnt-user /mnt/.rw
 
umount /sys
umount /proc
 
if [ -n "$INIT" ]; then
    if [ -n "$XANDROSBOOTDEBUG" ]; then
    exec switch_root /mnt $INIT </mnt/dev/console >/mnt/dev/console
    else
    exec switch_root /mnt $INIT </mnt/dev/null >/mnt/dev/null
    fi
else
    exec switch_root /mnt /sbin/fastinit "$@" </mnt/dev/console >/mnt/dev/console
fi
 
echo 
echo Init Failed. Starting emergency shell....
/bin/busybox sh

Conclusion

Feel free to mail me: mail <at> indubio <dot> org (700 series) and stein <dot> gullvik <at> gmail <dot> com (900 series)

 
howto/dmcrypt.txt · Last modified: 2009/05/06 20:57 by goldcove
 