[lfs-fr] [Fwd: r1113 - trunk]

Jean-Philippe MENGUAL jmengual at linuxfromscratch.org
Dim 3 Jan 03:57:46 PST 2010


Salut,

Voici la mise à jour de l'astuce traduite par Emmanuel. Quelqu'un veut
la répercuter? Sinon je m'en chargerai dans la semaine. Il faut
récupérer le texte français et le modifier selon les modif de la VO.

Bonne journée,

-- 
       Jean-Philippe MENGUAL
       Vice-Président de l'association traduc.org 
       Coordinateur du projet Linux From Scratch



-------- Message transféré --------
De: robert at linuxfromscratch.org
À: hints at linuxfromscratch.org
Sujet: r1113 - trunk
Date: Sun, 3 Jan 2010 04:44:08 -0700 (MST)

Author: robert
Date: 2010-01-03 04:44:08 -0700 (Sun, 03 Jan 2010)
New Revision: 1113

Modified:
   trunk/crypt-rootfs.txt
Log:
Updated crypt-rootfs hint.

Modified: trunk/crypt-rootfs.txt
===================================================================
--- trunk/crypt-rootfs.txt	2009-12-02 02:23:26 UTC (rev 1112)
+++ trunk/crypt-rootfs.txt	2010-01-03 11:44:08 UTC (rev 1113)
@@ -1,6 +1,6 @@
 AUTHOR: Lars Bamberger <Lars.Bamberger at gmx dot de>
 
-DATE: 2009-11-20
+DATE: 2009-12-30
 
 LICENSE: GNU Free Documentation License Version 1.2
 
@@ -37,9 +37,12 @@
 
 This is about encrypting all but one of your hard drive partitions using LUKS
 for dm-crypt. We'll boot from one small unencrypted partition using initramfs in
-order to to decrypt the rootfs.
+order to decrypt the rootfs.
 This hint assumes that a small partition from where to boot from is already set
-up. (10 MB should be enough.)
+up. This partition should be 10 to 15 MB in size in order to store more than
+one kernel and more than one initramfs image for testing and upgrading
+purposes. Avoid any larger partition because during every boot we'll calculate
+a checksum for this partition, a time consuming process.
 

 2. Required software and dependencies
@@ -47,9 +50,10 @@
 
 2.1 Software in the BLFS book
 
-You need to install 'Popt' as 'cryptsetup' depends on this. Furthermore you need
-'uuencode' to create key files. 'uuencode' is included in 'GMime' which has
-further dependencies mentioned in the BLFS book.
+You need to install 'Popt' as 'cryptsetup' depends on this.
+Furthermore you need 'uuencode' to create key files. 'uuencode' is included in
+'sharutils' and 'GMime' which has further dependencies mentioned in the BLFS
+book. To create the initramfs, you need 'Cpio'.
 
 2.2 Software not in the BLFS book
 
@@ -75,28 +79,29 @@
 * switch_root.
 
 Compile it, but DO NOT install it. Keep the binary and name it
-"busybox-minimum". Next, reconfigure busybox for a full-blown desktop system.
+'busybox-minimum'. Next, reconfigure busybox for a full-blown desktop system.
 You will need all the standard tools and utilities for the purpose of initially
-encrypting your root partition and for troubleshooting. Name this binary
-"busybox-large" or something similar. Again, it is not required to install it.
+encrypting your root partition and for troubleshooting. (Don't forget 'mkefs'.)
+Name this binary 'busybox-large' or something similar. Again, it is not
+required to install it.
 

-3 Recompiling the kernel
-========================
+3. Recompiling the kernel
+=========================
 
 Decide what algorithm you would like to use to encrypt your hard drive
 with. Note that this is a crucial decision and you should read more background
 information on this. (See ACKNOWLEDGMENTS below.)
-The appropriate modules need to be compiled (hardcoded, not as modules) into
+The appropriate modules need to be compiled (hard-coded, not as modules) into
 the kernel.
 As an example you could use the "twofish-cbc-essiv:sha256" method.
 
-Also, select the 'Device mapper support' from the 'Multiple devices driver
-support' menu in the kernel configuration and the 'crypto target' support as
-well.
+Also, from the 'Device Drivers' -> 'Multiple devices driver support' menu in
+the kernel configuration, select the 'Device mapper support' and the 'Crypt
+target support' as well.
 
-Configure 'Initial RAM filesystem and RAM disk' under 'general setup'
-and 'RAM block device support' under 'Block devices'.
+Under 'Device Drivers' -> 'Block devices', select 'RAM block device support'
+and from 'General setup', select 'Initial RAM filesystem and RAM disk'.
 
 NOTE: You must boot this new kernel before proceeding.
 
@@ -122,7 +127,7 @@
 cryptsetup must be on the root partition. Use 'ldd cryptsetup' to find out.
 It may be necessary to switch to runlevel 1 because you need to be able to
 unmount /usr. Also, make sure that root's shell does not use any libs on that
-partition. If required, compile a static shell for root's use.
+partition. If required, compile a statically linked shell for root's use.
 
 The process is as follows for every partition:
 
@@ -153,17 +158,18 @@
 7) Open the encrypted partition. Do a
    cryptsetup -d $keyfile luksOpen /dev/sd?? sd??
    Replace '$keyfile' and '/dev/sd??' with the corresponding values. Replace
-   'sd??' with a meaningful name. If everything worked out, the partition will
-   appear as '/dev/mapper/sd??' with sd?? being the name you chose.
+   'sd??' with a meaningful name. If everything worked out, the unencrypted
+   partition will appear as '/dev/mapper/sd??' with sd?? being the name you
+   chose.
 
-8) Create a filesystem on the partitions. Do a
+8) Create a filesystem on the partition. Do a
    mkefs.$WHATEVER /dev/mapper/sd??
    Replace '$WHATEVER' with the type of filesystem you would like to use
-  (e.g. ext2) and '/dev/mapper/sd??' with the corresponding partition.
+   (e.g. ext2) and '/dev/mapper/sd??' with the corresponding partition.
 
 9) Adjust /etc/fstab
-   Because the mountpoints for encrypted partitions have changed, you need to
-   tell the system where to find them. Change the mountpoint by inserting
+   Because the device for the partition has changed, you need to
+   tell the system where to find it. Change the device by inserting
    "mapper/" in the device field.
 
    Example:
@@ -178,7 +184,7 @@
 
 4.2 Making the system automatically decrypt and mount the partition(s)
 
-Create a bootscript that will decrypt your encrypted partitions. It is assumed
+Create a bootscript that will decrypt your encrypted partition. It is assumed
 that the passphrases are stored in /etc/crypt for example. Note that storing the
 passphrases on disk might pose a security problem! Use the template for
 bootscripts included with BLFS and make it do:
@@ -196,7 +202,7 @@
 # Begin $rc_base/init.d/cryptsetup
 #
 # Description : Make encrypted filesystems available for mounting
-#               Ande clean up afterwards
+#               And clean up afterwards
 #
 # Authors     : Lars Bamberger
 #
@@ -260,15 +266,14 @@
 Do not omit encrypting your swap partitions. Lot's of interesting data can be
 found on swap spaces. Do not consider you data safe if you don't use encrypted
 swap spaces. 
-
 In theory, the data on the swap partition(s) does not need to be consistent
-between reboots. This means we could create a swapspace anew during boottime,
+between reboots. This means we could create a swap space anew during boottime,
 using a random (and thus different) cryptokey every time the system boots. This
 way you don't have to bother with managing swap's cryptokeys and you won't have
 to store them anywhere (except in memory). This can be considered an additional
 security feature.
 However, if you suspend your system (either to RAM or to disk), data in
-swapspace must remain consistent. Therefore you have to treat the swap
+swap space must remain consistent. Therefore you have to treat the swap
 partition(s) just as if they were a regular partition, meaning you should
 encrypt them like explained above.
 
@@ -282,7 +287,7 @@
 be found in the kernel's documentation:
 'filesystems/ramfs-rootfs-initramfs.txt'.)
 
-You'll need all the standard directories (bin, sbin, usr/{bin,sbin}, proc, sys,
+You'll need the standard directories (bin, sbin, usr/{bin,sbin}, proc, sys,
 dev, lib). In bin we put our busybox-large (rename to busybox) and a softlink to
 busybox named hush. Copy cryptsetup to sbin.
 In dev put some useful devices: console, null, urandom, sd?? and a directory
@@ -299,42 +304,43 @@
 /bin/busybox --install -s
 exec /bin/busybox hush
 
-Put all this into a directory (init goes there as well and not into sbin) and
-create the image using
-find . | cpio --quiet -H newc -o | gzip -9 -n > /boot/imagefile.img
-Pass the appropriate initrd argument to the kernel when booting and this will
-drop you into the hush shell after system boot.
+Put all this into one directory (init goes there as well and not into sbin). Cd
+into this directory and create the image using
+find . | cpio --quiet -H newc -o | gzip -9 -n > /boot/initramfs.img
+Pass the appropriate initrd argument (e.g. initrd (hd0,0)/initramfs.img) to the
+kernel when booting and this will drop you into the hush shell after system
+boot.
 
-PITFALLS:
-cryptsetup needs proc and sys mounted. It also requires the dev directory.
-As we want to save dev when we switch_root later, we mount it as tmpfs. This
-means that the devices in dev will be gone, so copy them back into dev. Be aware
-that you need at least 'null' and 'console' in dev before mounting tmpfs on dev.
+*** PITFALL ***
+Cryptsetup needs /proc and /sys mounted. It also requires the /dev directory.
+As we want to save /dev when we switch_root later, we mount it as tmpfs. This
+means that the devices in /dev will be gone, so copy them back into /dev. Be
+aware that you need at least 'null' and 'console' in /dev before mounting
+tmpfs on /dev.
 
 Once in the shell, encrypt your rootfs like any other partition as described
 above. Don't forget the backup! ABSOLUTELY, POSITIVELY make certain that you are
 able to mount and access the unencrypted backup of the rootfs from within the
 hush shell!
 
-Next, create the encrypted rootpartition. Note that the passphrase won't be
+Next, create the encrypted root partition. Note that the passphrase won't be
 stored anywhere on disk, so do:
-
 cryptsetup -y -c $cipher-algorithm luksFormat /dev/sd??
-
 to create the encrypted rootfs. Replace '$cipher-algorithm' and '/dev/sd??' with
-the respective values. Next, open the partition and format it and recover the
+the respective values. Next, open the partition, format it and recover the
 backup:
 
 cryptsetup luksOpen /dev/sd?? sd??
-$BAKUROOTFS/mkefs.$TYPE /dev/mapper/sd??
+$BACKUPROOTFS/mkefs.$TYPE /dev/mapper/sd??
 mkdir /new-root
 mount -t $FSTYPE /dev/mapper/sd?? /new-root
 cp -a $BACKUPROOTFS /new-root
 
-PITFALL: Since your old rootfs isn't mounted, you might not be able to to run
-         mkefs do to missing libraries. Either copy everything needed to where
-         the linker can find it, or use the mkefs from busybox. Be sure to
-         configure busybox accordingly.
+*** PITFALL ***
+Since your old rootfs isn't mounted, you might not be able to to run 'mkefs' do
+to missing libraries. Either copy everything needed to where the linker can
+find it, or use the 'mkefs' from busybox. Be sure to configure busybox
+accordingly.
 
 Next, modify /etc/fstab (on /new-root) to reflect the new device for the rootfs.
 Also modify the cryptsetup script as described below (7. PITFALL).
@@ -361,8 +367,8 @@
 /bin/busybox mount --move /dev /new-root/dev 
 exec /bin/busybox switch_root /new-root /sbin/init $@
 
-PITFALLS:
-You want to keep /proc /sys and /dev after switch_root because cryptsetup uses
+*** PITFALL ***
+You want to keep /proc, /sys and /dev after switch_root because cryptsetup uses
 them. Hence the 'mount --move' commands. Note that /dev/mapper/sd?? (the root
 device) will be gone once you mount the true root partition, switch_root and the
 rootfs proper starts udev. That's the reason why this device needs to be
@@ -403,21 +409,25 @@
         boot_mesg -n " DO NOT TRUST THIS SYSTEM!\n\n"
         boot_mesg_flush
 
-PITFALLS:
+*** PITFALL ***
 Make sure this is the very last thing you implement, as the hashsums will
 change as we go on. The hashsums will also change if you run a fsck on the boot
 partition.
 

-ACKNOWLEDGEMENTS:
-  * Various for the wiki at http://de.gentoo-wiki.com/Cryptsetup-luks_initramfs
-    (not online anymore) and
-    http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS
-  * Clemens Fruhwirth (http://clemens.endorphin.org/) 
-    for LUKS for dm-crypt: http://code.google.com/p/cryptsetup
+ACKNOWLEDGMENTS:
+  * Emmanuel Trillaud for some suggestions and pointers.
+  * Various for the Gentoo-Wiki at
+    http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS
+  * Clemens Fruhwirth (http://clemens.endorphin.org/) for LUKS for dm-crypt:
+    http://code.google.com/p/cryptsetup
 

 CHANGELOG:
+[2009-12-30]
+  * Merged suggestions (typos, format and others) from Emmanuel Trillaud
+  * More verbosity on the boot partition size
+  * Some reformatting
 [2009-11-23]
   * list dependencies in the BLFS book
 [2009-11-20]





More information about the lfs-traducfr mailing list