You are not logged in.
This is a placeholder. I managed to do it, and I need the link, see also:
Grsecurity/Pax installation on Devuan GNU/Linux
https://dev1galaxy.org/viewtopic.php?pid=1422#p1422
It's still partly a placeholder. Quickly, if I manage to paste from lynx... Namely I don't (yet) know where to get and how to install
paxctl-ng, and Iceweasel crashes yet, without paxctl{,-ng} treatment...
But, hey, I'm pasting here from my Devuan! ...
Last edited by miroR (2017-05-13 07:59:15)
Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html
Offline
For now, I'll only get readers the links, without repeating what is clearly explained in those.
First of all, installing an encrypted root+swap Devuan system may already be supported in Devuan, but I wasn't able to get it (and I made numerous tries), or if it isn't at the time of writing this how-to, it is likely to be in the future when, kind aspirant Devuaner, are reading it. Pls. check around before diving in here!
(We need not shy from our precursor's ducumentation, and they cherich it in the free way, and we need to thank them for that:)
https://wiki.debian.org/initramfs
needed, the key to build an encrypted root+swap Devuan system.
LINKS/NAMES OF MAN PAGES
https://wiki.debian.org/InitramfsDebug
my first booting into a freshly installed partially working encrypted root+swap Devuan system was thanks to the sticking of "break" into kernel command line
There's also:
https://wiki.debian.org/CryptsetupDebug
but it hasn't been needed (yet) in my tentatives
Here is where, allegedly by some, encrypted root+swap is available out-of-the-box:
https://wiki.debian.org/DebianInstaller/PartmanCrypto
and also Ubuntu installer claims it can do it, as I read somewhere in some links starting from this page:
https://help.ubuntu.com/community/EncryptedFilesystem
This one is four (4) years old, but it helped me a lot to get going:
http://madduck.net/docs/cryptdisk/
And there is this guide, from my other home-distro:
https://wiki.gentoo.org/wiki/Custom_Initramfs
And maybe bug reports like this:
initramfs-tools: Missing crypto-components in initramfs when explicitly requested
https://bugs.debian.org/cgi-bin/bugrepo … bug=783393
That much for now. And just: after reading the madduck's page linked above (http://madduck.net/docs/cryptdisk/) I slowly started figuring out how to do it...
Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html
Offline
The regular installer isos use the debian installer, so encryption is supported. You can encrypt individual partitions or use lvm to have multiple partitions inside one encrypted volume. For lvm, you can do it manually or let the installer do the partitioning for you.
The devuan-live isos use refractainstaller, which supports encryption of separate root and/or home partitions. It does not support lvm, and it does not support encrypted swap partition, but it can create a swapfile inside the encrypted root partition.
Offline
The regular installer isos use the debian installer, so encryption is supported.
That's what the books say. But, I tried quite a few times. Unfortunately, my Gentoo is broken currently, and I couldn't demonstrate it my usual way, with screencasts and traffic dumps while running Devuan in a VM... (And adapting my uncenz set of scripts for Devuan will take longer.)
But I assure you it was a real no go. Encrypt the partitions -- fine, but can't use them, no setting / on any of the partitions set to be encrypted... Try again. Set a partition to be / , well then you have to set some file system on it (ext4 the usual choice)... And then you can't encrypt them any more... And I didn't want to use LVM, just plain one /boot and the rest of the system all in / and one swap...
You can encrypt individual partitions or use lvm to have multiple partitions inside one encrypted volume. For lvm, you can do it manually or let the installer do the partitioning for you.
The devuan-live isos use refractainstaller, which supports encryption of separate root and/or home partitions. It does not support lvm, and it does not support encrypted swap partition, but it can create a swapfile inside the encrypted root partition.
It would be great if I could find time and dive into the above more... I trust your word though that it is so, but I couldn't get it to work for me.
I had to chroot into a copied content of my / partition, and run:
# update-initramfs -t
from it, and only then my encrypted / (and swap as well!) were functional. (And there were more interim steps, which I can not remember in detail any more, but they were either what I found in the links or in some manpages available in Devuan installation.) And now that I compiled unoffic-grsec kernel, the initrd for it is just perfect... It all set into place...
Last edited by miroR (2017-05-14 08:42:10)
Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html
Offline
I can believe that encrypted install with the debian-installer failed. It is not intuitive or straightforward, but if you can find the right path through the maze, you will get to the end. Here's a guide. Unfortunately, the pictures are long gone, but the words should help you get the steps in the right order. Also, if you go to forums.debian.net and search for posts about encrypted lvm install, you will find a couple of guides.
Offline
I can believe that encrypted install with the debian-installer failed. It is not intuitive or straightforward, but if you can find the right path through the maze, you will get to the end. Here's a guide. Unfortunately, the pictures are long gone, but the words should help you get the steps in the right order. Also, if you go to forums.debian.net and search for posts about encrypted lvm install, you will find a couple of guides.
Read it, up unto "Adding a keyfile (optional)" (because in the:
/usr/share/doc/cryptsetup/README.initramfs.gz
there is great stuff that I want to re-read (and re-read till I can apply it, such as decrypt_derived) first.
Maybe it's the maze, but I do think I tried the way explained in that guide, but it wouldn't work for me... Not sure, maybe I get a way to retry soon (really don't know...) and be able to tell...
Thanks for caring!
Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html
Offline
Wow. It took me five attempts to get it right. Here's a video of manual partitioning (you can get there from non-expert as well as expert install).
Create a boot partition
Create a partition to be used as physical volume for encryption.
Uh... watch the video.
There are a lot of places where I drop the highlight down below the item I'm about to select, and then move up one line and select it. Did that in case it's hard to read in the red highlight.
http://distro.ibiblio.org/refracta/misc … rypt-4.ogv
Offline
Wow. It took me five attempts to get it right. Here's a video of manual partitioning (you can get there from non-expert as well as expert install).
Create a boot partition
Create a partition to be used as physical volume for encryption.
Uh... watch the video.There are a lot of places where I drop the highlight down below the item I'm about to select, and then move up one line and select it. Did that in case it's hard to read in the red highlight.
http://distro.ibiblio.org/refracta/misc … rypt-4.ogv
I didn't know you were doing it... And I can't view it before I give the links of my videos that show where I get stuck...
Because I just minimally prepared the videos, and I like to post the sooned the more credible, when I document things:
https://www.croatiafidelis.hr/foss/cap/ … rypt-root/
(no HTML at the time of posting this)
But the videos (verifiable with SHA256 hashes, PGP-signed):
https://www.croatiafidelis.hr/foss/cap/ … 81min.webm
https://www.croatiafidelis.hr/foss/cap/ … _2309.webm
show where I'm stuck...
Got to rush (I'm online, and I'm not a wizard... been owned in the past), and then I'll watch your video...
Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html
Offline
Wow. It took me five attempts to get it right. Here's a video of manual partitioning
...
http://distro.ibiblio.org/refracta/misc … rypt-4.ogv
I think I see now... It took you five attempts, and it took me applying workarounds instead, for my main Devuan Air-Gapped + cloned system(s).
But the two, first 8min of 81min video (the remaining 73min is randomizing the three volumes) and the second 4 min video, are both on another Devuan system of mine, in the works.
And thanks to your demonstration, I think I can now do it.
I think I'll soon (well, it's late now in Europe, and in your UK, if I correctly placed you in my memory)...
I think I'll soon be able to thank you for making sense out of this tips page...
--
LATER: Yes. It works! Thanks! I'll post the successful encrypted root+swap (and one more partition, just the /boot is unencrypted in the entire 200GB old Western Digital) screencast tomorrow I hope.
Last edited by miroR (2017-05-15 22:57:14)
Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html
Offline