Debian Live encrypted persistence

New to Debian (Or Linux in general)? Ask your questions here!
/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Debian Live encrypted persistence

#1 Post by /dev/null »

I'm trying to set up an encrypted persistent partition for Debian Live.

I'm using a custom build made this way:
lb_config -d sid -b hdd --interactive-shell
The only additional package is cryptsetup.

Persistence works well but only when persistent partition is non-encrypted.
For encrypted partition - I've got a prompt for password and everything, but changes disappear after reboot.

I tried the method with an encrypted partition and a persistence.conf file in its root (inside the file there's "/ union", and the partition has the label "persistence"),
and the method with an image file (the persistence.conf file is in the root of an image file called persistence, which is inside the encrypted partition).

boot parameters are: persistence and persistence-encryption=luks

What am I doing wrong?
Does encrypted persistence work for anyone here?

dzz
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: Debian Live encrypted persistence

#2 Post by dzz »

I never managed to, nor even heard of anybody who did, get Luks encryption working for persistence. I don't believe it actually works. If that's incorrect I too want to know the answer. I suspect what happens is, the persistence department gets opened but then lost further into the boot process.

The live-boot docs and man pages (squeeze) seem to say only AES is supported but I never tried that. Wheezy/sid docs refer to Luks but seem to be incomplete.

It is possible to use a "live-hook" initscript to activate a Luks /home partition or loopback file before login, that works for me. More details are posted at Refracta forums.

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Debian Live encrypted persistence

#3 Post by pcalvert »

On what kind of drive is the persistent partition located?

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#4 Post by /dev/null »

@pcalvert
On the second partition of Debian Live pendrive

@dzz
Thank you for info. Bad news but still something. I will definitely check that hack.

Anyway, here's one of my messages from the Debian Live mailing list. It points to the moment in the boot procedure when the possible bug occurs. Maybe someone more competent than me can make some use of it.
I checked /var/log/live/boot.log using debug as another boot parameter and I compared it to boot.log file extracted from another Debian Live pendrive on which persistent partition is NON-encrypted.
The interesting part is this:
At a certain point of the boot process all partitions are probed for a filesystem label. For my NON-encrypted Debian Live it goes like this:

+ probe_for_fs_label live-rw home-rw persistence /dev/sdb2
+ local overlays dev
+ overlays=live-rw home-rw persistence
+ dev=/dev/sdb2
+ /sbin/blkid -s LABEL -o value /dev/sdb2
+ [ persistence = live-rw ]
+ /sbin/blkid -s LABEL -o value /dev/sdb2
+ [ persistence = home-rw ]
+ /sbin/blkid -s LABEL -o value /dev/sdb2
+ [ persistence = persistence ]
+ echo persistence=/dev/sdb2
+ result=persistence=/dev/sdb2

So as you can see, my persistent partition label "persistence" matched one of the overlays: "persistence"

Now in the same place in the boot.log file from the Debian Live with the encrypted partition it goes like this:

+ probe_for_fs_label live-rw home-rw persistence Loading /etc/boottime.kmap.gz /dev/mapper/sdb2
+ local overlays dev
+ overlays=live-rw home-rw persistence
+ dev=Loading
+ /sbin/blkid -s LABEL -o value Loading
+ [ = live-rw ]
+ /sbin/blkid -s LABEL -o value Loading
+ [ = home-rw ]
+ /sbin/blkid -s LABEL -o value Loading
+ [ = persistence ]
+ result=
+ [ -n ]

So it looks like the filesystem label is not set. But it is not true!
I double checked it:
I plugged the Debian Live pendrive into my regular desktop Debian machine and ran:
cryptsetup luksOpen /dev/sdb2 xxx (sdb2 is the luks-encrypted persistent partition)
e2label /dev/mapper/xxx
and the output is:
persistence

kiyop
Posts: 3983
Joined: 2011-05-05 15:16
Location: Where persons without desire to improve themselves fear to tread, in Japan
Been thanked: 3 times

Re: Debian Live encrypted persistence

#5 Post by kiyop »

I do not know if the initramfs file of your live Debian accepts some kernel options which enable the feature you want: an encrypted persistent partition.
What is done at booting is written in an initramfs file (initrd.img or so).
If you expand it, you will see a file init and you can analyze it. It calls other scripts, which can also be analyzed.
Modifying the files may do the trick.
Good luck! :)
Openbox, JWM: Jessie, Sid, Arch / Win XP (on VirtualBox), 10
http://kiyoandkei.bbs.fc2.com/

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#6 Post by /dev/null »

If you expand it, you will see a file init
I don't know exactly how to do it :oops:
there are 2 initramfs:
initrd1.img and initrd2.img
I guess I should mount them first to see what is inside? But mount command prompts for filesystem type, and I don't know it :oops:

Midnight Commander's F3 button seems to open it in mostly human readable form, but I suppose it's not the way that it should be done.

kiyop
Posts: 3983
Joined: 2011-05-05 15:16
Location: Where persons without desire to improve themselves fear to tread, in Japan
Been thanked: 3 times

Re: Debian Live encrypted persistence

#7 Post by kiyop »

/dev/null wrote:
If you expand it, you will see a file init
I don't know exactly how to do it :oops:
there are 2 initramfs:
initrd1.img and initrd2.img
I guess I should mount them first to see what is inside? But mount command prompts for filesystem type, and I don't know it :oops:
You can extract (expand) the contents inside initrd1.img into a newly generated directory such as "initramfs" by executing the following:

Code:

mkdir initramfs && cd initramfs
gzip -dc PATH/TO/initrd1.img | cpio -i
You should change the above "PATH/TO/" to the correct path. Either its absolute path or its relative path is OK.
If you do not know "absolute path" and/or "relative path", refer to http://en.wikipedia.org/wiki/Path_%28computing%29
Openbox, JWM: Jessie, Sid, Arch / Win XP (on VirtualBox), 10
http://kiyoandkei.bbs.fc2.com/

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Debian Live encrypted persistence

#8 Post by pcalvert »

/dev/null wrote: @pcalvert
On the second partition of Debian Live pendrive
You should read these articles:
Solid State Drives And Encryption, A No-Go?
Seven Major Weaknesses with Software Encrypted USB Flash Drives

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

dzz
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: Debian Live encrypted persistence

#9 Post by dzz »

Already following that mailing list topic here, today the main man says it's on the TODO list and "patches welcome". So it doesn't work yet.

As far as I know a standard image has two kernels (one 486, one 686 or PAE) so 2x initrd. The problem probably is not in there.

The debug log shows what's going on but only as far as, apparently, the point where the mounts get transferred to the "real" FS (/lib/live/mounts/). Bash skills better than mine are needed to follow all of it. But your log snip does seem to show persistence being set at some point. What happens to it after, who knows.

cat /proc/mounts might give some clue; if anything beginning "/root/" is there, it didn't get moved properly and is no longer accessible. Another clue might be in /var/log/boot

BTW the initscript idea I mentioned is not actually a "hack", but a custom script, used with the existing live-hook mechanism provided for that purpose.

@pcalvert, thanks for those links, an interesting read. However a LUKS ext2 loopback file is probably about the best you can do for pen drive security (ext2 does fewer writes)

pcalvert
Posts: 1939
Joined: 2006-04-21 11:19
Location: Sol Sector
Has thanked: 1 time
Been thanked: 2 times

Re: Debian Live encrypted persistence

#10 Post by pcalvert »

dzz wrote: @pcalvert, thanks for those links, an interesting read. However a LUKS ext2 loopback file is probably about the best you can do for pen drive security (ext2 does less writes)
A pen drive with built-in encryption would be even better. Not all of them are compatible with Linux, though.

Phil
Freespoke is a new search engine that respects user privacy and does not engage in censorship.

fsmithred
Posts: 1873
Joined: 2008-01-02 14:52

Re: Debian Live encrypted persistence

#11 Post by fsmithred »

In squeeze, my way of dealing with this was to make a small, unencrypted home-rw and a large encrypted partition. The encrypted partition gets mounted after logging in, and I keep my files there. Things like ~/.mozilla, ~/.gnupg and ~/.ssh are symlinked to the encrypted partition.

In wheezy, I'm using dzz's scripts, and I'm very happy with the way they work. I'm using a second partition instead of a loopback file for persistence. See this thread - http://refracta.freeforums.org/snapshot ... -t182.html

Put the scripts in /live/hooks, edit the boot line, and you're good to go. No need for persistence.conf or special labels, no need for rebuilding the initramfs. (Is that last part still true if you use a loopback file?)

BTW, the label on your persistence partition is not showing up, because the label is on the filesystem inside the encrypted volume. The system can't see the label until the encrypted volume is opened.

CAVEAT: I just noticed that I'm posting in the Beginners section, and this might not be beginners material. END CAVEAT
Be brave. Go for it. It's not difficult.

dzz
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: Debian Live encrypted persistence

#12 Post by dzz »

A persistence loopback file must be in a writable location. Because the live-media partition gets mounted RO that normally means, in a second partition.

Same goes with the luks-home "hook" method (which does not actually use persistence but replaces /home/user with a writable, custom one)

It's (unofficially) possible to hack live-boot scripts in the initrd to use different mount options though...

A loopback can be more flexible than an entire partition for persistence, e.g. you can use the partition for other things as well or even have multiple loopbacks for different purposes.

Beginners (and others who don't need extra capability) will find the ext2 dedicated partition method simpler.

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#13 Post by /dev/null »

Thank you all. I'll try to make it work and let you know about the results.

haylo
Posts: 3
Joined: 2013-02-12 14:49

Re: Debian Live encrypted persistence

#14 Post by haylo »

I have tested it and it works with lb from sid.

If you want help, then come on IRC @ irc.oftc.net #debian-live , and ask for help. The people there will be glad to assist you (including me)
Last edited by haylo on 2013-02-12 16:51, edited 1 time in total.

haylo
Posts: 3
Joined: 2013-02-12 14:49

Re: Debian Live encrypted persistence

#15 Post by haylo »

no need for any "hacks"
it works, just takes a lot of research
Last edited by haylo on 2013-02-12 16:45, edited 6 times in total.

haylo
Posts: 3
Joined: 2013-02-12 14:49

Re: Debian Live encrypted persistence

#16 Post by haylo »

Here I just posted the code. That way there is some online documentation of this.


### LUKS PERSISTENCE ###
## for debian live ##

# Copyright (c) 2012-2013 cgraff , haylo
# LIVE BUILD SYNTAX AND PROGRAM FROM: Baumann, Armstrong and Lamb
# THIS IS FREE CODE AS LONG AS THESE COMMENTS ARE INCLUDED :-)

# WORK IN PROGRESS ... CHANGING until perfected


# BASIC LOW DOWN IS:
# 1 format the partition,
# 2 encrypt it with luks,
# 3 open it with luks,
# 4 make the filesystem,
# 5 mount it from /dev/mapper/* ,
# 6 populate the filesystem with a "persistence.conf" file,
# 7 unmount it,
# 8 close it with luks

# DEFINE SOME VARIABLES
# NOOBS TIP: the = sign assigns a value to a variable
devicel="/dev/sdb" # CHOOSE A DEVICE (everything on it will be destroyed)
usb_size="4gb" # TELL PARTED ITS SIZE

mirror="http://ftp.debian.org/debian/"
security_mirror="http://ftp.debian.org/debian-security/"


# MAKE THE IMAGE
# remember sid doesn't always build easily.
# going to need to learn a bit about live-build
# or make a live image with remastersys that includes `cryptsetup'
# LOOK TO: http://live.debian.net/manual/3.x/html/ ... al.en.html --/
# FOR ANSWERS ON GETTING YOUR BUILD WORKING CORRECTLY <---------------/
# NOOBS TIP: pin some stuff to wheezy for sid

sudo apt-get install live-build live-config live-config-doc \
cryptsetup --force-yes

mkdir -p ~/crypto_buildl

cd ~/crypto_buildl

lb config \
-a amd64 \
-b hdd \
-d sid \
--linux-flavours amd64 \
--bootstrap cdebootstrap \
--cdebootstrap-options "--flavour=minimal" \
--bootappend-live "\
boot=live \
config \
persistent=cryptsetup \
persistence-encryption=luks \
username=joe \
hostname=shmoe \
persistence" \
--apt-indices false \
--apt-recommends false \
--linux-packages linux-image-3.7-trunk \
--mirror-bootstrap "${mirror}" \
--mirror-binary "${mirror}" \
--mirror-chroot-security "${security_mirror}" \
--mirror-binary-security "${security_mirror}" &&


# THIS ADDS SOME USUAL DEPENDENCIES + CRYPTSETUP
printf "\
user-setup
sudo
cryptsetup
apt-utils
" > config/package-lists/package.list.chroot
# NOTICE 'cryptsetup'
# NOOBS TIP: add cryptsetup package

# PIN SOME PACKAGES TO WHEEZY
# NOOBS TIP: pin packages to other debian releases to get what you need
cat >> config/archives/sid.pref.chroot << EOF
# USER-SETUP
Package: user-setup
Pin: release n=wheezy
Pin-Priority: 600

# SYSLINU*
Package: syslinu*
Pin: release n=wheezy
Pin-Priority: 600

Package: *
Pin: release n=experimental
Pin-Priority: 1

EOF

# ADD WHEEZY REPO FOR ABOVE PIN LIST
echo "deb ${mirror} wheezy main" > \
config/archives/wheezy.list.chroot

# ADD EXPERIMENTAL REPO FOR ABOVE PIN LIST
echo "deb ${mirror} experimental main" > \
config/archives/experimental.list.chroot

# BUILD THE IMAGE
sudo lb build


# CHECK FOR BAD BLOCKS ON THE DEVICE
sudo badblocks -c 10240 -s -w -t random -v "${devicel}"

# OVERWRITE THE DEVICE WITH RANDOM DATA
# (slow; it ends with "No space left on device", which is expected)
sudo dd if=/dev/urandom of="${devicel}"


# DD THE binary.img to a usb
sudo dd if=binary.img of="${devicel}"

# THIS JUST TELLS PARTED WHERE TO START
# TO MAKE THE SDB2 PARTITION
# du -m reports MiB (rounded up), so the unit is passed to parted explicitly:
# a bare number is read by parted as MB and could overlap the end of the image
read img_mib _ < <(du -cm binary.img | tail -1); echo "${img_mib}"

# MAKE THE PARTITION,
sudo parted "${devicel}" mkpart primary "${img_mib}MiB" "${usb_size}"


# ENCRYPT THE PARTITION
sudo cryptsetup --verbose --verify-passphrase luksFormat "${devicel}2"

# OPEN THE ENCRYPTED PARTITION
sudo cryptsetup luksOpen "${devicel}2" my_usb

# MAKE A FILESYSTEM ON IT AND LABEL IT "persistence"
sudo mkfs.ext3 -L persistence /dev/mapper/my_usb

# MAKE A MOUNT POINT
sudo mkdir -p /mnt/my_usb

# MOUNT THE OPENED ENCRYPTED PARTITION
sudo mount /dev/mapper/my_usb /mnt/my_usb/

# MAKE THE PERSISTENCE.CONF FILE
echo "/ union" | sudo tee /mnt/my_usb/persistence.conf > /dev/null

# UMOUNT IT
sudo umount /dev/mapper/my_usb

# CLOSE THE LUKS PARTITION
sudo cryptsetup luksClose /dev/mapper/my_usb

# TEST IT
sudo apt-get install qemu --force-yes

sudo kvm "${devicel}"

dzz
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: Debian Live encrypted persistence

#17 Post by dzz »

Good to hear luks persistence works with official packages only, even if only for sid. The hook script mentioned earlier was only ever done, for wheezy, because the official stuff did not.

However in wheezy we are already advised to use live-* packages from sid. What is the difference that it does not work for wheezy and how can it be made to?

Looking at changelogs for live-boot, live-config and live-build in experimental I see no mention of luks persistence in any recent stuff.

fsmithred
Posts: 1873
Joined: 2008-01-02 14:52

Re: Debian Live encrypted persistence

#18 Post by fsmithred »

Code:

apt-cache policy live-boot
live-boot:
  Installed: 3.0~a35-1
  Candidate: 3.0.0-1
  Version table:
     4.0~a5-1 0
          1 http://debian.lcs.mit.edu/debian/ experimental/main amd64 Packages
     3.0.0-1 0
        500 http://debian.lcs.mit.edu/debian/ sid/main amd64 Packages
 *** 3.0~a35-1 0
        500 http://debian.lcs.mit.edu/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status
That might explain why it didn't work for me. I'm using live-* packages from wheezy. I already had a usb stick with an encrypted partition, so I added persistence.conf, labeled the filesystem and added the relevant boot options to my syslinux boot menu. Thinking there might be a typo in the instructions, I tried both "persistent=cryptsetup" and "persistence=cryptsetup". Also tried "persistence-path=/dev/mapper/persistence". I can try this later in a sid install.

dzz
Posts: 257
Joined: 2007-02-05 20:39
Location: Devon, England

Re: Debian Live encrypted persistence

#19 Post by dzz »

Some details of a live usb set up here:

part1: FAT32 with syslinux and a custom Wheezy live image. All live-* packages are very recent sid. Tested and works normally (including with non-luks persistence). Image includes cryptsetup.

Code:

:~$ dpkg -l|grep live-
ii  live-boot                               3.0~b11-1                          all          Live System Boot Scripts
ii  live-boot-doc                           3.0~b11-1                          all          Live System Boot Scripts (documentation)
ii  live-boot-initramfs-tools               3.0~b11-1                          all          Live System Boot Scripts (initramfs-tools backend)
ii  live-config                             3.0.18-1                           all          Live System Configuration Scripts
ii  live-config-doc                         3.0.18-1                           all          Live System Configuration Scripts (documentation)
ii  live-config-sysvinit                    3.0.18-1                           all          Live System Configuration Scripts (sysvinit backend)
ii  live-tools                              3.0.17-1                           all          Live System Support Scripts
part2: LUKS volume containing an EXT2 filesystem labelled "persistence". Contains a file "persistence.conf" with text "/ union,sources=."

cmdline includes: " persistence persistence-encryption=luks " Very early in the boot process the luks key was prompted for.

In the live session: It is already mapped but not mounted according to <blkid> and <cat /proc/mounts>. It can be mounted manually without needing the luks key again. It certainly is not being used for persistence.

If "debug" is added to the cmdline everything freezes after the first 3 screens. Power button is the only way out. Not even busybox. No clue why and no log to save.

The actual live* packages still don't work for luks persistence in wheezy (custom hook script does) I don't know what is different about a sid build (except that every day, it is different, yesterday's is already outdated)

EDIT: <man live-boot>
persistence-encryption=TYPE1,TYPE2 ... TYPEn
This option determines which types of encryption that we allow to be used
when probing devices for persistence media. If "none" is in the list, we
allow unencrypted media; if "luks" is in the list, we allow LUKS-encrypted
media. Whenever a device containing encrypted media is probed the user will
be prompted for the passphrase. The default value is "none".

EDIT2:
# WORK IN PROGRESS ... CHANGING until perfected
Looking forward to that so "hacks" are no longer necessary.. thanks Debian-Live devs for your good work.

/dev/null
Posts: 62
Joined: 2013-01-30 17:31

Re: Debian Live encrypted persistence

#20 Post by /dev/null »

LUKS volume containing a EXT2 filesystem labelled "persistence". Contains a file "persistence.conf" with text "/ union,sources=."

cmdline includes: " persistence persistence-encryption=luks " Very early in the boot process the luks key was prompted for.

In the live session: It is already mapped but not mounted according to <blkid> and <cat /proc/mounts>. It can be mounted manually without needing the luks key again. It certainly is not being used for persistence.
I've got exactly the same results for custom sid

Right after password check there's an error:

Code:

mount: mounting Loading on live/persistence/Loading failed : no such device
so it basically looks similar to this "Loading" thing I mentioned before:

Code:

+ probe_for_fs_label live-rw home-rw persistence Loading /etc/boottime.kmap.gz /dev/mapper/sdb2
+ local overlays dev
+ overlays=live-rw home-rw persistence
+ dev=Loading
+ /sbin/blkid -s LABEL -o value Loading
+ [ = live-rw ]
+ /sbin/blkid -s LABEL -o value Loading
+ [ = home-rw ]
+ /sbin/blkid -s LABEL -o value Loading
+ [ = persistence ]
+ result=
+ [ -n ]
If "debug" is added to the cmdline everything freezes after the first 3 screens. Power button is the only way out.. Not even busybox. No clue why and no log to save.
again, same here
last displayed line is

Code:

uhci_hcd: USB Universal Host Controller Interface driver
on my other laptop it is :

Code:

ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
Btw what is this boot parameter: persistent=cryptsetup ?
I can't see it in man live-boot.

Tomorrow I'll try debian live irc channel :D
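The traces quoted in posts #4 and #20 show the same failure: the device argument handed to probe_for_fs_label is the word "Loading" instead of a /dev path, so blkid finds no label and the later mount of "Loading" fails. The following Python is an added example, not code from any poster or from live-boot itself: it parses an sh -x style boot.log and flags probe calls whose device list contains non-device tokens, plus mount errors whose source is not a device. The overlay names, the "/dev/ prefix means device" rule and the sample traces (constructed from the excerpts in this thread) are assumptions.

```python
"""Check a live-boot `debug` trace for stray text in the persistence probe.

Added example, not from any poster nor live-boot's own code. The overlay
names and the rule that a device argument is a /dev path are assumptions.
"""
import re

OVERLAYS = {"live-rw", "home-rw", "persistence"}  # overlay names seen in the trace
DEV_RE = re.compile(r"^/dev/\S+$")
MOUNT_ERR_RE = re.compile(r"^mount: mounting (\S+) on (\S+) failed")

# Constructed sample traces, shaped after the two excerpts quoted in this thread.
GOOD_TRACE = """\
+ probe_for_fs_label live-rw home-rw persistence /dev/sdb2
+ dev=/dev/sdb2
+ /sbin/blkid -s LABEL -o value /dev/sdb2
+ [ persistence = persistence ]
+ echo persistence=/dev/sdb2
+ result=persistence=/dev/sdb2
"""
BAD_TRACE = """\
+ probe_for_fs_label live-rw home-rw persistence Loading /etc/boottime.kmap.gz /dev/mapper/sdb2
+ dev=Loading
+ /sbin/blkid -s LABEL -o value Loading
+ [ = persistence ]
+ result=
+ [ -n ]
mount: mounting Loading on live/persistence/Loading failed : no such device
"""


def probe_calls(trace):
    """Return one dict per traced probe_for_fs_label call (in trace order)."""
    calls, current = [], None
    for line in trace.splitlines():
        if line.startswith("+ probe_for_fs_label "):
            tokens = line.split()[2:]
            # overlay names come first; whatever follows is the device list
            n = 0
            while n < len(tokens) and tokens[n] in OVERLAYS:
                n += 1
            devices = tokens[n:]
            current = {"overlays": tokens[:n], "devices": devices,
                       # anything that is not a /dev path leaked in from elsewhere
                       "stray": [d for d in devices if not DEV_RE.match(d)],
                       "probed": None, "result": None}
            calls.append(current)
        elif current is not None and line.startswith("+ dev="):
            current["probed"] = line[len("+ dev="):]   # what blkid was actually asked about
        elif current is not None and line.startswith("+ result="):
            current["result"] = line[len("+ result="):]  # "" means no label matched
    return calls


def stray_mount_sources(trace):
    """Sources of 'mount: mounting X on Y failed' lines where X is not a /dev path."""
    return [m.group(1) for m in map(MOUNT_ERR_RE.match, trace.splitlines())
            if m and not DEV_RE.match(m.group(1))]
```

Run it on a real /var/log/live/boot.log by reading the file into `probe_calls` and `stray_mount_sources`; a non-empty `stray` list on a call is the signature of this thread's "Loading" problem.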
