Howto install Debian Linux onto a USB thumb drive with the root partition encrypted (using UUIDs, Initramfs-tools & Dm-Crypt)

This howto is an update of Howto install a Debian/GNU Linux system onto a USB flash thumbdrive with the root partition encrypted (using Yaird & DM-Crypt).

Improvements:
Using Initramfs-tools instead of Yaird, so it is no longer restricted to installing only on the device it will boot from (i.e. /dev/sda).
Uses UUIDs as partition labels to eliminate device conflicts.

So open your favorite root login shell and follow these steps!

Notes:
  1. This howto has only been tested to work with Debian Sid and Etch.
  2. This howto works with the USB thumbdrive detected as any device. Within these notes, you will find /dev/sda and /dev/sdc used interchangeably.
  3. This howto roughly follows the process used by the Automated Installer as of 01/27/2007.

I. Load required kernel modules (if necessary)

Load any/all needed kernel modules (this is a partial list, actual list depends on your configuration):

root@hostname# modprobe ehci_hcd
root@hostname# modprobe ohci_hcd 
root@hostname# modprobe usbhid
root@hostname# modprobe usb_storage
root@hostname# modprobe dm-crypt
root@hostname# modprobe aes (or aes_686 or aes_x86_64 as appropriate for your system)

II. Install required applications

Install the necessary applications on the build system:

root@hostname# apt-get install cryptsetup dmsetup parted debootstrap grub

III. Identifying your media

Determine which device name the system assigns to the flash media. To do this, plug the USB thumbdrive into one of the USB ports and then run the tail command:

root@hostname# tail -n 14 /var/log/messages
Jan  1 12:00:00 hostname kernel: ohci_hcd 0000:00:02.1: wakeup
Jan  1 12:00:00 hostname kernel: usb 2-3: new full speed USB device using ohci_hcd and address 2
Jan  1 12:00:00 hostname kernel: Initializing USB Mass Storage driver...
Jan  1 12:00:00 hostname kernel: scsi2 : SCSI emulation for USB Mass Storage devices
Jan  1 12:00:00 hostname kernel: usbcore: registered new driver usb-storage
Jan  1 12:00:00 hostname kernel: USB Mass Storage support registered.
Jan  1 12:00:00 hostname kernel:   Vendor:           Model: TS256MJFLASHA     Rev: 1.00
Jan  1 12:00:00 hostname kernel:   Type:   Direct-Access                      ANSI SCSI revision: 02
Jan  1 12:00:00 hostname kernel: SCSI device sda: 506400 512-byte hdwr sectors (259 MB)
Jan  1 12:00:00 hostname kernel: sda: Write Protect is off
Jan  1 12:00:00 hostname kernel: SCSI device sda: 506400 512-byte hdwr sectors (259 MB)
Jan  1 12:00:00 hostname kernel: sda: Write Protect is off
Jan  1 12:00:00 hostname kernel:  sda: sda1 sda2
Jan  1 12:00:00 hostname kernel: sd 2:0:0:0: Attached scsi removable disk sda
root@hostname# 

As we can see from this output, the device was detected and assigned to /dev/sda.

IV. Partition the media

Next we need to partition the media. For a flash media installation we will have a boot partition and a root partition. There will be no swap, as swap writes could prematurely age the drive.

For formatting, we need a small unencrypted boot partition and then assign the rest to / (root).

root@hostname# parted /dev/sda "mklabel msdos mkpart primary 0.0 25.0 mkpart primary 25.0 -0 set 1 boot on"
root@hostname# 

V. LUKS Format the encrypted partition

root@hostname# cryptsetup luksFormat /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
root@hostname#

VI. Cryptsetup Mount the Encrypted Partition

root@hostname# cryptsetup luksOpen /dev/sda2 rootfs
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
root@hostname#

VII. Format the encrypted partition

root@hostname# mkfs.ext2 /dev/mapper/rootfs
mke2fs 1.39-WIP (29-Mar-2006)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
123392 inodes, 246383 blocks
12319 blocks (5.00%) reserved for the super user
First data block=0
8 block groups
32768 blocks per group, 32768 fragments per group
15424 inodes per group
Superblock backups stored on blocks:
        32768, 98304, 163840, 229376

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 35 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

VIII. Format the boot partition

root@hostname# mkfs.ext2 /dev/sda1
mke2fs 1.39-WIP (29-Mar-2006)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
5208 inodes, 20800 blocks
1040 blocks (5.00%) reserved for the super user
First data block=1
3 block groups
8192 blocks per group, 8192 fragments per group
1736 inodes per group
Superblock backups stored on blocks:
        8193

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 35 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
root@hostname#

IX. Get the Universally Unique Identifiers (UUID)

At this stage we can look up the UUIDs of the /boot and encrypted partitions for use later in /etc/crypttab and /etc/fstab.

root@hostname# /lib/udev/vol_id -u /dev/sda1
72ea8e0a-256e-47bd-bfc6-6ba33c2ecd48
root@hostname# /lib/udev/vol_id -u /dev/sda2      (or: cryptsetup luksUUID /dev/sda2)
6278aae2-cad0-437d-affa-02277a0cca52
root@hostname#

Note: /sbin/blkid will give the wrong UUID for LUKS partitions.

X. Mount the Partitions

Now that we have our partitions, we need to create a temporary mount point and mount them under it so we can perform our install.

root@hostname# mkdir /mnt/buildroot
root@hostname# mount -t ext2 /dev/mapper/rootfs /mnt/buildroot
root@hostname# mkdir /mnt/buildroot/boot
root@hostname# mount /dev/sda1 /mnt/buildroot/boot
root@hostname#

XI. Install base packages

Now that we have our partition mounted, we can install the base Debian system onto it.

root@hostname# debootstrap --arch i386 sid /mnt/buildroot
I: Retrieving Release
I: Retrieving Packages
I: Validating Packages
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Found additional base dependencies: libdb4.2 libgnutls12 libreadline5
   libsigc++-2.0-0c2a openbsd-inetd readline-common
I: Checking component main on http://ftp.debian.org/debian...
I: Retrieving adduser
<SNIP>
I: Configuring gnupg...
I: Configuring sysklogd...
I: Configuring klogd...
I: Configuring netbase...
I: Configuring openbsd-inetd...
I: Base system installed successfully.
root@hostname# 

XII. Temporary bind /dev and /sys to the build directories.

Some applications that we will install will need access to the system devices and files. To allow that we need to bind certain directories.

root@hostname# mount -o bind /dev/ /mnt/buildroot/dev
root@hostname# mount -o bind /sys /mnt/buildroot/sys
root@hostname#

XIII. Chroot Jail

root@hostname# chroot /mnt/buildroot /bin/su -l
hostname:~#

XIV. System Configuration

FILE: /etc/fstab

Use vi to create the /etc/fstab file and add these contents to it:

#/etc/fstab: static file system information.
#
/dev/mapper/rootfs  /          ext2    defaults,errors=remount-ro,noatime 0 1
UUID=72ea8e0a-256e-47bd-bfc6-6ba33c2ecd48 /boot ext2 defaults,noatime,ro  0 1
none            /proc          proc    defaults                           0 0
tmpfs           /tmp           tmpfs   defaults,noatime                   0 0
tmpfs           /var/lock      tmpfs   defaults,noatime                   0 0
tmpfs           /var/log       tmpfs   defaults,noatime                   0 0
tmpfs           /var/run       tmpfs   defaults,noatime                   0 0

Note: /var/tmp should not be mounted as tmpfs as the files stored here are often expected to survive a reboot.

Since we're mounting /boot as read-only, we need to add a hook for apt to remount it as read-write for updates. Create /etc/apt/apt.conf.d/30remount_readwrite like so:

DPkg
{
    Pre-Invoke {
        "mount -o remount,rw /boot;" }
    Post-Invoke {
        "mount -o remount,ro /boot;" }
}

Then mount all the filesystems:

hostname:~# mount -a (may need to be run twice)
hostname:~#

Set Hostname

Set the hostname by editing /etc/hostname, and then add the base configuration to /etc/hosts:

127.0.0.1 localhost.localdomain localhost <hostname>

FILE: /etc/apt/sources.list

Next we have to add some sources to the Apt configuration.

deb http://ftp.debian.org/debian sid main non-free contrib
deb-src http://ftp.debian.org/debian sid main non-free contrib
deb http://mirrors.kernel.org/debian/ sid main non-free contrib
deb-src http://mirrors.kernel.org/debian/ sid main non-free contrib

XV. Recreate subdirectories for tmpfs mounted directories.

Using tmpfs to save space has one side effect: because everything on it is discarded at unmount, some applications lose their log directories. So we need to recreate them when the system boots. The easiest way to do that is to create an initialization file at /etc/rcS.d/S37feraga-init.sh.

#!/bin/sh

case "$1" in
    start)
        echo
        echo "Feraga"
        echo "-Recreating required subdirectories on /var/log (tmpfs)"

        # /var/log subdirectories.
        mkdir -p /var/log/fsck
        mkdir -p /var/log/ksymoops
        mkdir -p /var/log/news

        # Example for the mixmaster anonymous remailer
        if [ -f /usr/bin/mixmaster ] ; then
            mkdir -p /var/log/mixmaster
        fi

        # Example for the Tor proxy
        if [ -f /usr/sbin/tor ] ; then
            mkdir -p /var/log/tor
        fi

        # Example for Privoxy
        if [ -f /usr/sbin/privoxy ] ; then
            mkdir -p /var/log/privoxy
        fi

        # Apt archive subdirectories.
        mkdir -p /var/cache/apt/archives/partial

        echo "-done."
        echo
        ;;
    stop)
        echo "Feraga shutting down."
        # Add anything that needs to happen at shutdown here.
        echo
        ;;
    *)
        echo "Usage: S37feraga-init.sh {start|stop}"
        exit 1
        ;;
esac
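The script above hard-codes the directory list, so every new package that logs under /var/log needs another mkdir line, and ownership and mode are left at root/0755. The following is an added example (not part of the original howto) that makes the list data-driven: at build time, before /var/log becomes tmpfs, record every directory under it with its numeric owner, group and mode; at boot, recreate them from that record. The function names save_manifest and restore_manifest and the manifest path /etc/tmpfs-dirs.manifest are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the howto: record and recreate directory trees
# that live under tmpfs-mounted paths (e.g. /var/log, /var/run).

# save_manifest ROOT DIR MANIFEST: append one line per directory found
# under ROOT/DIR, as "<path relative to ROOT> <uid:gid> <octal mode>".
# Numeric ids are stored so no name lookups are needed.  Paths containing
# whitespace are not supported by this simple one-line-per-entry format.
save_manifest() {
    root=$1; dir=$2; manifest=$3
    ( cd "$root" && find ".$dir" -type d -exec stat -c '%n %u:%g %a' {} \; ) >> "$manifest"
}

# restore_manifest MANIFEST ROOT: recreate each recorded directory under
# ROOT ("/" for the live system), restoring owner and mode.  Blank lines
# and lines starting with "#" are ignored.  Returns 1 if any entry failed.
restore_manifest() {
    manifest=$1; root=$2; failed=0
    while read -r path owner mode; do
        case $path in ''|'#'*) continue ;; esac
        target="${root%/}/${path#./}"
        if mkdir -p "$target" && chown "$owner" "$target" && chmod "$mode" "$target"; then
            :
        else
            echo "could not restore $target" >&2
            failed=$((failed + 1))
        fi
    done < "$manifest"
    [ "$failed" -eq 0 ]
}

# Build time, inside the chroot, before /var/log is mounted as tmpfs:
#   save_manifest / /var/log /etc/tmpfs-dirs.manifest
#   save_manifest / /var/run /etc/tmpfs-dirs.manifest
# Boot time, from the start) case of the rcS.d script:
#   restore_manifest /etc/tmpfs-dirs.manifest /
```

Because the manifest is regenerated at build time from the real directory tree, a package that creates /var/log/<name> with its own user (news, for example) gets the same ownership back after every boot instead of a root-owned directory it cannot write to.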

XVI. Install additional packages.

Start by updating the apt databases.

hostname# apt-get update
Get:1 http://mirrors.kernel.org sid Release.gpg [189B]
Get:2 http://mirrors.kernel.org sid Release [38.3kB]
Get:3 http://mirrors.kernel.org sid/main Packages [4079kB]
Get:4 http://ftp.debian.org sid Release.gpg [189B]
Hit http://ftp.debian.org sid Release
Hit http://ftp.debian.org sid/main Packages
Get:5 http://ftp.debian.org sid/non-free Packages [74.6kB]
Get:6 http://ftp.debian.org sid/contrib Packages [57.1kB]
Get:7 http://ftp.debian.org sid/main Sources [1559kB]
Get:8 http://ftp.debian.org sid/non-free Sources [30.3kB]
Get:9 http://ftp.debian.org sid/contrib Sources [24.3kB]
Get:10 http://mirrors.kernel.org sid/non-free Packages [74.6kB]
Get:11 http://mirrors.kernel.org sid/contrib Packages [57.1kB]
Get:12 http://mirrors.kernel.org sid/main Sources [1559kB]
Get:13 http://mirrors.kernel.org sid/non-free Sources [30.3kB]
Get:14 http://mirrors.kernel.org sid/contrib Sources [24.3kB]
Fetched 7608kB in 48s (158kB/s)
Reading package lists... Done
hostname#

As space is limited, get in the habit of removing apt's cached files frequently.

hostname# apt-get clean

Install initramfs-tools

hostname# apt-get install initramfs-tools
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  busybox klibc-utils libklibc libvolume-id0 udev
The following NEW packages will be installed:
  busybox initramfs-tools klibc-utils libklibc libvolume-id0 udev
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 873kB of archives.
After unpacking 2564kB of additional disk space will be used.
Do you want to continue [Y/n]? y
<SNIP>             
Fetched 873kB in 1s (711kB/s)
Preconfiguring packages ...
Selecting previously deselected package libvolume-id0.
(Reading database ... 9071 files and directories currently installed.)
Unpacking libvolume-id0 (from .../libvolume-id0_0.103-2_i386.deb) ...
Selecting previously deselected package udev.
Unpacking udev (from .../archives/udev_0.103-2_i386.deb) ...
Selecting previously deselected package busybox.
Unpacking busybox (from .../busybox_1%3a1.1.3-4_i386.deb) ...
Selecting previously deselected package libklibc.
Unpacking libklibc (from .../libklibc_1.4.31-1_i386.deb) ...
Selecting previously deselected package klibc-utils.
Unpacking klibc-utils (from .../klibc-utils_1.4.31-1_i386.deb) ...
Selecting previously deselected package initramfs-tools.
Unpacking initramfs-tools (from .../initramfs-tools_0.85e_all.deb) ...
Setting up libvolume-id0 (0.103-2) ...

Setting up udev (0.103-2) ...
A chroot environment has been detected, udev not started.

Setting up busybox (1.1.3-4) ...
Setting up libklibc (1.4.31-1) ...
Setting up klibc-utils (1.4.31-1) ...
Setting up initramfs-tools (0.85e) ...
hostname# 

Configure /etc/initramfs-tools/modules:

usbcore
ehci-hcd
ohci-hcd
uhci-hcd
usbhid
ide-core
scsi_mod
usb-storage
mbcache
ext2
ide-cd
ide-disk
ide-generic
sd_mod

Configure /etc/initramfs-tools/initramfs.conf

# initramfs.conf
# Configuration file for mkinitramfs(8). See initramfs.conf(5).
MODULES=most
BUSYBOX=y
BOOT=local
DEVICE=eth0
NFSROOT=auto

Install Cryptsetup

hostname# apt-get install cryptsetup dmsetup hashalot
Reading package lists... Done
Building dependency tree... Done
Suggested packages:
  dosfstools
The following NEW packages will be installed:
  cryptsetup dmsetup hashalot
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 318kB of archives.
After unpacking 942kB of additional disk space will be used.
Do you want to continue [Y/n]? y
<SNIP>
Fetched 318kB in 0s (1400kB/s)
Selecting previously deselected package dmsetup.
(Reading database ... 9299 files and directories currently installed.)
Unpacking dmsetup (from .../dmsetup_2%3a1.02.12-1_i386.deb) ...
Selecting previously deselected package cryptsetup.
Unpacking cryptsetup (from .../cryptsetup_2%3a1.0.4+svn26-1_i386.deb) ...
Selecting previously deselected package hashalot.
Unpacking hashalot (from .../hashalot_0.3-4_i386.deb) ...
Setting up dmsetup (1.02.12-1) ...
Setting up cryptsetup (1.0.4+svn26-1) ...

Setting up hashalot (0.3-4) ...

localepurge: Disk space freed in /usr/share/locale: 4K
hostname# 

Now that cryptsetup is installed, add the required mounting information to /etc/crypttab:

# <target name> <source device> <key file> <options>
rootfs /dev/disk/by-uuid/6278aae2-cad0-437d-affa-02277a0cca52 none luks
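A UUID mistyped into /etc/fstab or /etc/crypttab only shows up on the first boot, as a root or /boot that cannot be found. The following is an added example, not part of the original howto, of a check to run inside the chroot (with /dev bind-mounted as in step XII) before unmounting: it extracts every UUID= and /dev/disk/by-uuid/ reference from the given files and confirms that a node for each exists under the by-uuid directory. The function names uuid_refs and check_uuid_refs and the DEVDIR parameter are this example's own.

```sh
#!/bin/sh
# Added example, not from the howto: verify that every UUID referenced by
# fstab/crypttab style files resolves to a device node.

# uuid_refs FILE: print each UUID referenced by FILE, one per line.
# Recognises "UUID=<id>" (fstab style) and "/dev/disk/by-uuid/<id>"
# (crypttab style); comment lines are skipped.
uuid_refs() {
    grep -v '^[[:space:]]*#' "$1" \
    | sed -n -e 's|.*UUID=\([0-9A-Fa-f-]*\).*|\1|p' \
             -e 's|.*/dev/disk/by-uuid/\([0-9A-Fa-f-]*\).*|\1|p'
}

# check_uuid_refs DEVDIR FILE...: return 0 if every referenced UUID has a
# node under DEVDIR (normally /dev/disk/by-uuid); otherwise report the
# missing ones on stderr and return 1.  Returns 2 if a FILE is unreadable.
check_uuid_refs() {
    devdir=$1; shift
    missing=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
        for id in $(uuid_refs "$f"); do
            if [ -e "$devdir/$id" ]; then
                echo "ok      $id ($f)"
            else
                echo "MISSING $id ($f)" >&2
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Typical use inside the chroot, before step XX:
#   check_uuid_refs /dev/disk/by-uuid /etc/fstab /etc/crypttab
```

If the check reports the LUKS partition's UUID as missing even though cryptsetup luksUUID shows it, make sure /dev was bind-mounted into the chroot and that udev on the build host has created the by-uuid symlinks; the check reads the same nodes the initramfs will look for.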

Install cryptroot scripts for initramfs.

hostname# cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/
hostname:~# cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/
hostname:~#

Now we need to add a small delay in /etc/initramfs-tools/scripts/local-top/cryptroot to allow for USB detection.

<SNIP>
    modprobe -q dm_crypt  ## After this line add the following.

    # Add delay
    echo "Sleeping for 5 seconds to allow USB detection."
    sleep 5
    echo "Awake, attempting to mount encrypted partitions."

<SNIP>
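A fixed five-second sleep is either too long on fast hardware or too short on a slow hub or controller. The following is an added example, not part of the howto or of initramfs-tools, of a polling wait that returns as soon as the root device node appears and gives up after a deadline. It is written for the busybox sh used inside the initramfs (POSIX constructs only); the function name wait_for_dev is this example's own, and the panic helper mentioned in the comment is the one initramfs-tools' own scripts provide.

```sh
#!/bin/sh
# Added example, not from the howto: replace "sleep 5" with a bounded
# poll for the device node that cryptsetup will open.

# wait_for_dev PATH [TIMEOUT]: return 0 as soon as PATH exists, 1 if it
# has not appeared after TIMEOUT seconds (default 15).  Progress messages
# go to stdout, which is the console inside the initramfs.
wait_for_dev() {
    path=$1
    timeout=${2:-15}
    waited=0
    while [ ! -e "$path" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "Timed out after ${timeout}s waiting for $path" >&2
            return 1
        fi
        if [ "$waited" -eq 0 ]; then
            echo "Waiting for $path (USB detection)..."
        fi
        sleep 1
        waited=$((waited + 1))
    done
    echo "$path present after ${waited}s."
    return 0
}

# In /etc/initramfs-tools/scripts/local-top/cryptroot, after the
# "modprobe -q dm_crypt" line, this replaces the fixed delay; the UUID is
# the one from /etc/crypttab and panic is initramfs-tools' own helper:
#   wait_for_dev /dev/disk/by-uuid/6278aae2-cad0-437d-affa-02277a0cca52 30 || \
#       panic "Encrypted root device did not appear"
```

Polling on the by-uuid path rather than on /dev/sda2 keeps the wait independent of which device name the drive gets on a particular machine, which is the same reason the howto uses UUIDs in /etc/crypttab and /etc/fstab. Remember to rerun update-initramfs after editing the script so the change lands in the image.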

XVII. Install Grub.

We want to install Grub before the kernel, to take advantage of the kernel package's automatic configuration of the required Grub boot stanzas.

First from within the chroot jail, we need to remount /boot as read-write.

hostname# mount -o remount,rw /boot
hostname# apt-get install grub
hostname# 

Next from outside the chroot jail:

root@hostname# grub-install --recheck --root-directory=/mnt/buildroot /dev/sda 
Probing devices to guess BIOS drives. This may take a long time.
Installation finished. No error reported.
This is the contents of the device map /mnt/buildroot//boot/grub/device.map.
Check if this is correct or not. If any of the lines is incorrect,
fix it and re-run the script `grub-install'.

(fd0)   /dev/fd0
(hd0)   /dev/hda
(hd1)   /dev/sda
root@hostname# 

Now back inside the chroot jail, we need to open /boot/grub/menu.lst and add this simplified configuration:

# default num
default         0

# timeout sec
timeout         5

# pretty colours
color green/black black/green

### BEGIN AUTOMAGIC KERNELS LIST

## ## Start Default Options ##

# kopt=root=/dev/mapper/rootfs ro
# groot=(hd0,0)
# alternative=true
# lockalternative=false
# defoptions=
# lockold=false
# howmany=all
# memtest86=true
# updatedefaultentry=false

## ## End Default Options ##

### END DEBIAN AUTOMAGIC KERNELS LIST

Then we need to run grub (again from outside the chroot jail) to link it all together.

root@hostname# grub
Probing devices to guess BIOS drives. This may take a long time.


    GNU GRUB  version 0.97  (640K lower / 3072K upper memory)

       [ Minimal BASH-like line editing is supported.   For
         the   first   word,  TAB  lists  possible  command
         completions.  Anywhere else TAB lists the possible
         completions of a device/filename. ]
grub> root (hd1,0)
root (hd1,0)
 Filesystem type is ext2fs, partition type 0x83
grub> setup (hd1)
setup (hd1)
 Checking if "/boot/grub/stage1" exists... yes
 Checking if "/boot/grub/stage2" exists... yes
 Checking if "/boot/grub/e2fs_stage1_5" exists... yes
 Running "embed /boot/grub/e2fs_stage1_5 (hd1)"... 
          failed (this is not fatal)
 Running "embed /boot/grub/e2fs_stage1_5 (hd1,0)"... 
          failed (this is not fatal)
 Running "install /boot/grub/stage1 (hd1) /boot/grub/stage2 
          p /boot/grub/menu.lst "... succeeded
Done.
grub> quit 

Remove the Grub device map to force rescanning during boot.

hostname:~# rm -f /boot/grub/device.map
hostname:~# 

XVIII. Install kernel.

Before we can install the kernel, we need to set its configuration. Edit /etc/kernel-img.conf so that it looks like this:

do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes        ## <--- Verify this line
link_in_boot = yes
postinst_hook = /sbin/update-grub
postrm_hook   = /sbin/update-grub

Next we install the kernel. The package linux-image-686 is a dummy package that requires the current kernel image as a dependency. Remove the linux-image-686 dummy package immediately afterwards or it will force you to update kernels every time a new one is published.

hostname:~# apt-get install linux-image-686
<SNIP>
hostname:~# apt-get remove linux-image-686
<SNIP>
hostname:~# apt-get clean
hostname:~# 

After the kernel is installed, remount /boot as read-only.

hostname:~# mount -o remount,ro /boot
hostname:~# 

XIX. Add user accounts

Either:

Copy an existing /etc/group, /etc/passwd, and /etc/shadow file over from another system (this has to be done from outside the chroot directory).

root@hostname# cp /etc/passwd /etc/group /etc/shadow /mnt/buildroot/etc/
root@hostname# 

Then chroot in and create their home directories:

root@hostname# chroot /mnt/buildroot /bin/su -
hostname:~# mkdir /home/<username>
hostname:~# chown <username>.<username> /home/<username>
<Repeat as necessary>
hostname:~# exit
root@hostname#

Or:

Set root password and add users in the chroot

hostname# chroot /mnt/buildroot /bin/su -
hostname:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
hostname:~# adduser test
Adding user `test'...
Adding new group `test' (1001).
Adding new user `test' (1001) with group `test'.
Creating home directory `/home/test'.
Copying files from `/etc/skel'
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for test
Enter the new value, or press ENTER for the default
        Full Name []: test
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [y/N] y
hostname:~#
<Repeat as necessary for more users>

XX. Exit Chroot Jail

hostname:~# umount -a
hostname:~# umount /proc
hostname:~# exit
root@hostname:~#

XXI. Unmount

Time to unmount everything we've mounted and prepare for reboot.

root@hostname# umount /mnt/buildroot/dev
root@hostname# umount /mnt/buildroot/sys
root@hostname# umount /mnt/buildroot
root@hostname# cryptsetup luksClose rootfs
root@hostname#

And that's it. Time to reboot and test.

Comments

fail at XVI. Install additional packages.

Rather annoyingly it would seem that
debootstrap --arch i386 etch /mnt/buildroot
couldn't configure (amongst others) aptitude or apt-utils.

Being a none too bright chap I didn't actually notice until stage XVI where I get the message
-su: apt-get: command not found

So my question is whether my problem lies in having chosen etch rather than sid? Or is debootstrap unhappy being invoked on an Ubuntu (gutsy) box?

looking at the debootstrap.log it would seem that a host of dependencies are not installing:
libpopt0
libapt-pkg-libc6.3-6-3.11
libncursesw5

resulting in failure to configure and install:
whiptail
logrotate
aptitude
nano
apt-utils
tasksel
tasksel-data

Are the correct files only available with a sid debootstrap? or have I merely been handed a bad set of files and I should try again in a few days?

re: fail at XVI. Install additional packages.

Remember that debootstrap installs a BASE system image. It will be missing many things and leave a lot of steps up to the administrator. So it's common to have apt-get but not apt-utils.

Now as for the missing apt-get...

Package dependencies are handled by the setup scripts for each distro by their maintainers. Every once in a (great) while they are screwed up and you have to wait until they get them sorted out.

That seems to be part of your problem.

The other part is probably related to Ubuntu. Some people have reported success, others report lots of issues. I do the majority of my testing with Debian Sid and occasionally use Etch so I can't personally say anything about Ubuntu issues.

Can someone else who has had success with Ubuntu offer some advice here?

fair enough

I shall take that as a try again in a few days :-).

Typo in X. Mount the Partitions

root@hostname# mount /dev/sdc1 /mnt/buildroot/boot

Should say /dev/sda1 - not /dev/sdc1

re: Typo in X. Mount the Partitions

Fixed. Thanks.

Ubuntu Gutsy (7.10)

Just wanted to say this worked a treat with Ubuntu 7.10. I needed to make a slight change to grub's menu.lst as I used a separate /boot.

it needed /vmlinuz and /initrd.img instead of /boot/vm..

Other than that all worked according to plan. I did try with dapper (? - definitely 6.10), but ran into problems with cryptsetup/initramfs-tools (specifically "Install cryptroot scripts for initramfs." - the source files didn't exist..)

Many thanks for the howto :)

ScHiZniK..

Also tried this on Gutsy

Also tried this on Gutsy (7.10) but I can't get it working... I have tried making your changes to menu.lst, but regardless of what option I choose in the GRUB menu I get "Error 15: File not found" and I can not boot.

Any suggestions as to what I might be doing wrong? The /boot partition is obviously found since GRUB can load the menu...

re: Ubuntu Gutsy (7.10)

Ubuntu is forked off Debian Sid every 6 months and tweaked, so it often isn't as current as Sid.

It's good to know that it now works. Thanks for the heads-up.

yes, got GUI up and running!

Yep, if you are asking if I am able to get the GUI up, the answer will be yep: KDE, GNOME, XFCE all worked and even native xorg also worked. And hell what? I was even able to get the automatix2 script also run and all programs run (but comparatively friggin slow compared to a hdd install execution, including google earth and google picasa), and even upgrade it to lenny and sid, and what's worse? I was even able to run asterisk and openser and even a kernel recompile, run nessus, compile mplayer, blah blah blah blah, 64-bit amd64/emt64 environment, LFS stuffs, et al. I need to try the DNS/DHCP/sendmail/iptables/openvpn and who knows what else is/could be possible. I was planning to buy a laptop. *BUT THANKS A LOT DAVE, TRILLION THANKS, YOU ARE LIKE 2007 Year Santa Claus :-D* You saved me the money for a brand new laptop. Now I am just going to buy 2-3 16 GiB USB drives and get the stick with me anywhere. Trust me, it works like a SAME (She Ate My Eyes). :-D
*three cheers and kudos to dave* hip hip hurray!

this is the USB drive model!

scsi 0:0:0:0: Direct-Access Kingston DataTraveler 2.0 PMAP PQ: 0 ANSI: 0 CCS
SCSI device sda: 8060928 512-byte hdwr sectors (4127 MB)

Now I need to set up my firewall, DNS, MX, vpn, ummmmmmmm, what not?
P.S. Even wine IE5,6,7 & WMP using wine, even MSN7 & yahoo5.3 using wine! Now what will I call this, Laptop or USBTop? :-D

re: yes, got GUI up and running!

You're welcome!

It's good to know it's all working for you that is the way I had hoped it would work. With a few small changes to the base install, we can use almost every package in the Debian repositories (Not like many other USB optimized GNU/Linux installs that require special packages).

Merry Xmas.

Password and special chars

Please note:

In case the default US keyboard layout does not fit to your keyboard you may get in trouble when using some special chars in your password. Just think of swapped y and z or german umlauts and some more.

Desperate for half an hour before I got the point on the line "Enter LUKS Passphrase: " ...

gimi

PS: thanks for your great howto!

re: Password and special chars

That's good to know. We probably need to find a way to set the correct keyboard in the initrd that is built.

Interesting issue, anyone know a solution?

Okay got it working but...

Okay, I have it working: it boots, it connects to the net, I did an apt-get install kde, and it almost finishes and then bitches about xserver-xorg --config stuff at the end. Anyone here successfully installed kde on their drive and managed to startx?

below is the print out

lazarus:~# apt-get install blackbox
Reading package lists... Done
Building dependency tree
Reading state information... Done
blackbox is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
Need to get 0B of archives.
After unpacking 0B of additional disk space will be used.
Setting up xserver-xorg (1:7.3+3) ...
dpkg: error processing xserver-xorg (--configure):
subprocess post-installation script returned error exit status 10
Errors were encountered while processing:
xserver-xorg
E: Sub-process /usr/bin/dpkg returned an error code (1)

problem installing using a debian-live cd to build system

I'm using an 8GB jump drive; the drive mounts fine, not sure why it's not working for the install. Hopefully someone will see this and give me a solution by morning. Thanks!

debian:/home/user/0.1-prerelease# lsusb
Bus 005 Device 005: ID 13fe:1d23

debian:/home/user/0.1-prerelease# lspci
00:00.0 Host bridge: Intel Corporation Mobile 945GM/PM/GMS/940GML and 945GT Express Memory Controller Hub (rev 03)
00:01.0 PCI bridge: Intel Corporation Mobile 945GM/PM/GMS/940GML and 945GT Express PCI Express Root Port (rev 03)
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 02)
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 02)
00:1c.3 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 4 (rev 02)
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #1 (rev 02)
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #2 (rev 02)
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #3 (rev 02)
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI #4 (rev 02)
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 02)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev e2)
00:1f.0 ISA bridge: Intel Corporation 82801GBM (ICH7-M) LPC Interface Bridge (rev 02)
00:1f.1 IDE interface: Intel Corporation 82801G (ICH7 Family) IDE Controller (rev 02)
01:00.0 VGA compatible controller: ATI Technologies Inc M56P [Radeon Mobility X1600]
02:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 01)
03:00.0 Network controller: Intel Corporation PRO/Wireless 3945ABG Network Connection (rev 02)
04:01.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev b3)
04:01.1 FireWire (IEEE 1394): Ricoh Co Ltd R5C552 IEEE 1394 Controller (rev 08)
04:01.2 Generic system peripheral [0805]: Ricoh Co Ltd R5C822 SD/SDIO/MMC/MS/MSPro Host Adapter (rev 17)
04:01.3 System peripheral: Ricoh Co Ltd R5C592 Memory Stick Bus Host Adapter (rev 08)
debian:/home/user/0.1-prerelease#

debian:/home/user/0.1-prerelease# modprobe ehci_hcd
debian:/home/user/0.1-prerelease# modprobe ohci_hcd
debian:/home/user/0.1-prerelease# modprobe usbhid
debian:/home/user/0.1-prerelease# modprobe usb_storage
debian:/home/user/0.1-prerelease# modprobe dm-crypt
debian:/home/user/0.1-prerelease# modprobe aes
debian:/home/user/0.1-prerelease# tail -n 14 /var/log/messages
Nov 6 02:49:31 debian kernel: Bluetooth: Core ver 2.10
Nov 6 02:49:31 debian kernel: NET: Registered protocol family 31
Nov 6 02:49:31 debian kernel: Bluetooth: HCI device and connection manager initialized
Nov 6 02:49:31 debian kernel: Bluetooth: HCI socket layer initialized
Nov 6 02:49:31 debian kernel: Bluetooth: L2CAP ver 2.8
Nov 6 02:49:31 debian kernel: Bluetooth: L2CAP socket layer initialized
Nov 6 02:49:31 debian kernel: Bluetooth: RFCOMM socket layer initialized
Nov 6 02:49:31 debian kernel: Bluetooth: RFCOMM TTY layer initialized
Nov 6 02:49:31 debian kernel: Bluetooth: RFCOMM ver 1.8
Nov 6 02:49:32 debian dhcdbd: message_handler: message handler not found under /com/redhat/dhcp/eth0 for sub-path eth0.dbus.get.nis_domain
Nov 6 02:49:32 debian dhcdbd: message_handler: message handler not found under /com/redhat/dhcp/eth0 for sub-path eth0.dbus.get.nis_servers
Nov 6 02:52:39 debian kernel: NET: Registered protocol family 10
Nov 6 02:52:39 debian kernel: lo: Disabled Privacy Extensions
Nov 6 02:52:39 debian kernel: IPv6 over IPv4 tunneling driver
debian:/home/user/0.1-prerelease# tail -n 14 /var/log/messages
Nov 6 02:52:39 debian kernel: lo: Disabled Privacy Extensions
Nov 6 02:52:39 debian kernel: IPv6 over IPv4 tunneling driver
Nov 6 03:04:36 debian kernel: usb 5-3: USB disconnect, address 3
Nov 6 03:04:43 debian kernel: usb 5-3: new high speed USB device using ehci_hcd and address 5
Nov 6 03:04:43 debian kernel: usb 5-3: configuration #1 chosen from 1 choice
Nov 6 03:04:43 debian kernel: scsi1 : SCSI emulation for USB Mass Storage devices
Nov 6 03:04:48 debian kernel: Vendor: Model: CENTRIOS Rev: PMAP
Nov 6 03:04:48 debian kernel: Type: Direct-Access ANSI SCSI revision: 00
Nov 6 03:04:48 debian kernel: SCSI device sda: 16120832 512-byte hdwr sectors (8254 MB)
Nov 6 03:04:48 debian kernel: sda: Write Protect is off
Nov 6 03:04:48 debian kernel: SCSI device sda: 16120832 512-byte hdwr sectors (8254 MB)
Nov 6 03:04:48 debian kernel: sda: Write Protect is off
Nov 6 03:04:48 debian kernel: sda: sda1
Nov 6 03:04:48 debian kernel: sd 1:0:0:0: Attached scsi removable disk sda
debian:/home/user/0.1-prerelease# parted /dev/sda "mklabel msdos mkpart primary 0.0 25.0 mkpart primary 25.0 -0 set 1 boot on"
Warning: Partition(s) on /dev/sda are being used.
Ignore/Cancel? Ignore
New disk label type? [msdos]?
Information: Don't forget to update /etc/fstab, if necessary.

debian:/home/user/0.1-prerelease# cryptsetup luksFormat /dev/sda1

WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda1 contains at least 133 sectors.
Failed to write to key storage.
Command failed.
debian:/home/user/0.1-prerelease#

stage1 missing

After rereading the instructions a couple of times to make sure I didn't omit anything, I get an error during Instruction XVII, part 4.

The grub console ( that's what I like to call it :) ) doesn't seem to detect /boot/grub/stage1... Here is my output:

  grub> root (hd2,0)
  Filesystem type is ext2fs, partition type 0x83
  grub> setup (hd2)
  setup (hd2)
  Checking if "/boot/grub/stage1" exists... no
  Checking if "/boot/grub/e2fs_stage1_5" exists... yes
  Running "install /boot/grub/stage1 (hd1) /boot/grub/stage2 p /boot/grub/menu.lst "... succeeded
  Done.

(My USB key was detected as HD2 because I have 2 Hard Drives... HD0 and HD1)
I checked, and stage1 and stage2 actually DO exist. Am I supposed to run grub within the "jail" or outside? (I ran mine outside)

Grub Error 17 Cannot mount selected partition

Getting this grub error when I build this. Anyone know why? I have followed the howto carefully, although I am debootstrapping Ubuntu Feisty instead of Debian.

thanks for your help!

steve

Grub Error 17 Cannot mount selected partition

Greetings!

I have followed these directions, with the exception of having debootstrapped Ubuntu Feisty, and am getting Grub Error 17 cannot mount selected partition.

Anyone know why?

thanks for your help in advance!

Using key file instead of pass phrase

Great article, had no problems setting up everything (or at least nothing that I couldn't manage to work around), but I want to make it boot using a key file because I can't type a password on my remote server that may not be accessible through the network. It doesn't let you do anything after boot, so anyone sneaking in after boot isn't a problem. AFAIK I should change /etc/initramfs-tools/scripts/local-top/cryptroot and run mkinitramfs, but where should/could I place the key file to use at boot time?

Just found out how to do

Just found out how to do this:
edit /etc/initramfs-tools/hooks/cryptroot to add the key file to the boot image:

  # Prepare the initramfs
  copy_exec /sbin/cryptsetup /sbin
  copy_exec /sbin/dmsetup /sbin
  copy_exec <path to my key file>/my.key /sbin

  # Done
  exit 0

then edit /etc/initramfs-tools/scripts/local-top/cryptroot to use the key file instead of reading from console:

  else
  # $cryptcreate < /dev/console > /dev/console 2>&1
  $cryptcreate --key-file=/sbin/my.key
  fi

finally run this to recreate the image:

  update-initramfs -u

Done ! How could I improve it ? Reading a key file from inside the boot image isn't really smart :P

"Grub Hard Disk Error"

I followed the tutorial step by step. When I reboot and try to boot with the USB drive, I get Grub Hard Disk Error. I googled around but still got no clue so I'm hoping you could help me with any hint. Thanks.

Get Stuck at Kernel Installation Step of above Guide

Hi Dave:
Followed every instruction above (in fact copy-pasted, to be honest), but keep running into this error. Retried from scratch 4 times now, but get stuck at this point every time. Did an apt-get update & apt-get dist-upgrade too before starting the whole process again, but no luck.

The USB drive on which the installation is tried boots up as though everything is fine, but whenever apt-get dist-upgrade is done the following error occurs.

Will really appreciate any help, thanks in anticipation of an early response. I have pasted the screen log below:

debian-etch-x86:/etc# apt-get install linux-image-686
Reading package lists... Done
Building dependency tree... Done
linux-image-686 is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
3 not fully installed or removed.
Need to get 0B of archives.
After unpacking 0B of additional disk space will be used.
Setting up linux-image-2.6.18-4-686 (2.6.18.dfsg.1-12) ...
Running depmod.
Finding valid ramdisk creators.
Using mkinitramfs-kpkg to build the ramdisk.
initrd.img(/boot/initrd.img-2.6.18-4-686
) points to /boot/initrd.img-2.6.18-4-686
(/boot/initrd.img-2.6.18-4-686) -- doing nothing at /var/lib/dpkg/info/linux-image-2.6.18-4-686.postinst line 583.
vmlinuz(/boot/vmlinuz-2.6.18-4-686
) points to /boot/vmlinuz-2.6.18-4-686
(/boot/vmlinuz-2.6.18-4-686) -- doing nothing at /var/lib/dpkg/info/linux-image-2.6.18-4-686.postinst line 583.
Running postinst hook script /usr/sbin/update-grub.
User postinst hook script [/usr/sbin/update-grub] failed to execute: No such file or directory
dpkg: error processing linux-image-2.6.18-4-686 (--configure):
subprocess post-installation script returned error exit status 255
dpkg: dependency problems prevent configuration of linux-image-2.6-686:
linux-image-2.6-686 depends on linux-image-2.6.18-4-686; however:
Package linux-image-2.6.18-4-686 is not configured yet.
dpkg: error processing linux-image-2.6-686 (--configure):
dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of linux-image-686:
linux-image-686 depends on linux-image-2.6-686; however:
Package linux-image-2.6-686 is not configured yet.
dpkg: error processing linux-image-686 (--configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
linux-image-2.6.18-4-686
linux-image-2.6-686
linux-image-686
E: Sub-process /usr/bin/dpkg returned an error code (1)

re: Get Stuck at Kernel Installation Step of above Guide

OK, in all that output the line we care about is:

User postinst hook script [/usr/sbin/update-grub] failed to execute: No such file or directory

This tells us that we forgot to install grub because I forgot to include it in step XVII. Please refer to the newly edited step XVII for the fix.

Enjoy!

Start Applications and partitions ext3 / swap

Hi,
I followed this howto http://feraga.com/node/94 to install Debian on a USB hard disk, and it is already done. What I would like to do is start the dhclient service before the system asks "Enter LUKS passphrase:". Is it possible, and how?
If I use a USB hard disk instead of USB flash, can I format the disk with ext3 and create a swap partition?

Thank for any help,
Bruno Sampayo

re: Start Applications and partitions ext3 / swap

What I would like to do is start the dhclient service before the system asks "Enter LUKS passphrase:". Is it possible, and how?

This is certainly possible, however it will be a little involved. The initrd file that asks for the password is created using initramfs-tools, which uses a modular system for building the initrd. For our application, we modify one file (cryptroot) to add the delay for USB devices to be detected. As for which file you would need to modify to use dhclient, I don't know, but I would start with their documentation. I'm sure someone else has needed networking during boot and figured out how.

If I use a USB hard disk instead of USB flash, can I format the disk with ext3 and create a swap partition?

Yes and Yes

I've been experimenting with the new Etch installer and it is pretty slick. For a standard hard drive installation, there is a lot to recommend it. You may want to test it yourself.

As for the swap, remember to encrypt that too!

one-time passwords???

is it possible to add one-time password support to this setup? How would one do this?

Is the concept of one-time passwords incorporated into hard disk encryption?

Would be good to have!

re: one-time passwords???

Short Answer:

Yes, it's possible and not very difficult.

Mkinitramfs from Initramfs-Tools is built on a modular structure, so you can replace parts as you want.

Long Answer:

Wikipedia: One-Time-Passwords

From the background, we can see that there are 3 basic types of One-Time-Password (OTP).

  1. Mathematical Algorithm Type
  2. Time-Synchronized Type
  3. Challenge Type

Now I'm going to address these in reverse order because I believe the second two have significant issues that would make them undesirable for our purposes.

Challenge OTP requires that the user provide a series of Challenges and Responses to use for verification. The Challenges can be as simple as "What is your pet's name?" or "What team won the 1968 World Series?". Now the user needs to provide quite a few of these so that when one is selected randomly from the list, it doesn't repeat too often and become obvious.

Challenge OTP won't work for us because we have to store all of the verification information in the /boot/initrd.img unencrypted. So if you lost your USB flash thumb drive, someone could loopback mount the initrd.img and gain access to the full list of Challenges and Responses. Or if you did encrypt it, you would have to leave the key for the encryption somewhere in the initrd.img filesystem or have the user enter it in addition to the Challenge/Response. Getting too cumbersome to be practical.

Time-Synchronized OTP has been pushed by companies like RSA, and has many uses. It basically works by requiring each user to carry a hardware token that gives a rotating "key" that changes with time (generally rotates every few seconds). So the user would enter his username & password then be prompted for the "key" from the token. If the "key" you provide matches what the system calculates itself then it lets you in.

While this is much better than just a simple password, it has a couple of flaws for our use. First, we can't always be sure that the system we're booting into has the correct time set in the BIOS. Without that the system will never calculate the same value that the hardware token will. Second, the hardware token becomes a second item to lose (the USB flash thumb drive is the first for our use) so most people would store them together. Maybe even on the same keychain. Which means if you lose your USB flash thumb drive, then you lose your hardware token with it, completely destroying any value of using it.

Mathematical Algorithm OTP works by calculating a password based on a mathematical formula. For example, a user might have a base password of "Password" and the mathematical formula was "day of the month", so on the first of the month the user would enter "Password01" for his password and "Password02" on the second. Generally the more complicated the formula the better. However, if it's too complicated then the user will need a hardware token to calculate it. So for our purposes, we need to keep the formula relatively simple so that it can be worked in your head. Something like (Day-of-month[1-31] * Month-of-Year[1-12] / Day-of-Week[1-7]) rounded to 2 decimal places. So on January 1, 2007 the password would be "Password1.00" and on February 1, 2007 the password would be "Password0.67".

Now to implement this for a DM-Crypt mounted partition like we use, we need to create a custom /etc/initramfs-tools/scripts/local-top/cryptroot script. The basic format for this script can be copied from /usr/share/initramfs-tools/scripts/local-top/cryptroot. Our Automated Installer currently creates a custom version of this script to add a 5 second delay for USB devices to be detected. If you look in that file, you will see a section of code that looks like:

if [ -n "$cryptkeyscript" ]; then
    if [ ! -x "$cryptkeyscript" ]; then
        echo "cryptsetup: error - $cryptkeyscript missing"
        return 1
    fi
    $cryptkeyscript $cryptkey < /dev/console | $cryptcreate --key-file=-
else
    $cryptcreate < /dev/console
fi

Now by creating and defining our own cryptkeyscript, we can add in our own password handling function. I haven't seen an example of a cryptkeyscript, so I do not have one handy to show you, but it is a bash script so it should be relatively easy to implement.

However, let's say we did. Does this increase our security significantly? I don't think so, because the cryptkeyscript is unencrypted within the /boot/initrd.img filesystem, so an attacker could figure out that portion and the only security left is how good the base password is.

Of course if I've missed anything I'm sure someone will chime in with corrections....
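As an added illustration of the cryptkeyscript hook described in this reply (example code, not part of the howto, the Automated Installer, or the Debian cryptsetup package): a minimal keyscript in the shape the cryptroot snippet expects. It is invoked as `$cryptkeyscript $cryptkey < /dev/console`, reads the base passphrase from the console, and writes the derived passphrase to stdout, which cryptsetup consumes via `--key-file=-`. The date formula is the one from the reply; the weekday numbering (Monday=1 through Sunday=7, as `date +%u` gives it) and the integer rounding are assumptions. As the reply notes, the script itself sits unencrypted in the initrd, so the derived value adds no secrecy beyond the base passphrase.

```shell
#!/bin/sh
# Added example keyscript (assumed layout, not from the howto or cryptsetup):
# derive "<base><day*month/weekday rounded to 2 decimals>" and emit it for
# "$cryptcreate --key-file=-".

# otp_suffix DAY MONTH WEEKDAY: (DAY * MONTH / WEEKDAY) rounded half-up to two
# decimals, using integer arithmetic only (a small initrd has no awk or bc).
otp_suffix() {
    hundredths=$(( (2 * $1 * $2 * 100 + $3) / (2 * $3) ))
    printf '%d.%02d' $(( hundredths / 100 )) $(( hundredths % 100 ))
}

# otp_passphrase BASE DAY MONTH WEEKDAY: the passphrase cryptsetup will see.
otp_passphrase() {
    printf '%s%s' "$1" "$(otp_suffix "$2" "$3" "$4")"
}

# Keyscript entry point: cryptroot passes the crypttab key field ($cryptkey)
# as $1; with no arguments the file only defines the functions above.
if [ $# -gt 0 ]; then
    # Prompt on stderr so that nothing but the passphrase reaches the pipe.
    printf 'Enter base passphrase: ' >&2
    stty -echo 2>/dev/null
    IFS= read -r base
    stty echo 2>/dev/null
    printf '\n' >&2
    # %e gives the day without zero padding, %u the ISO weekday (1-7);
    # word splitting drops the leading space, ${2#0} strips the month's
    # leading zero so the shell does not read "08" or "09" as octal.
    set -- $(date '+%e %m %u')
    # No trailing newline: cryptsetup uses the key-file content verbatim.
    otp_passphrase "$base" "$1" "${2#0}" "$3"
fi
```

With Monday numbered 1, 1 January 2007 (a Monday) yields `Password1.00` for a base of `Password`, matching the reply's first example; the script is only the hook mechanism, and the reply's conclusion about its security value stands.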

grub-install

I am getting an error while trying to install grub...here is my error message:

dan@socrates:~$ sudo grub-install --recheck --root-directory=/mnt/buildroot /dev/sda
rm: cannot remove `/mnt/buildroot/boot/grub/device.map': Read-only file system
rm: cannot remove `/mnt/buildroot/boot/grub/stage1': Read-only file system
dan@socrates:~$ sudo mount -o remount,rw /mnt/buildroot/boot
dan@socrates:~$ sudo grub-install --recheck --root-directory=/mnt/buildroot /dev/sda
Probing devices to guess BIOS drives. This may take a long time.
The file /mnt/buildroot/boot/grub/stage1 not read correctly.

Any hints as to what may be causing this error?

Many thanks,
Dan

Yeah not sure - I've got the

Yeah not sure - I've got the same problem and have been googling it for the last 2 days.
The most relevant thing I read was that flash memory has a large block size and the ext2 filesystem can't handle it that well, but I've tried FAT32, ext2, ext3 and keep getting the same error.

Please post a solution here if you find one and i'll do the same

Allan

re: Yeah not sure - I've got the

Same problem as what?

I haven't had any problem using ext2/3 or fat32 on any flash drive that I've tried.

re: grub-install

First, I added steps to remount /boot as read-write. That was problem one but you figured that out yourself.

As for the second error, I wonder if it's because you remounted /mnt/buildroot/boot from outside the chroot jail rather than remounting /boot inside the jail. But that's just a guess, I haven't seen this error before.

Anyone else have any ideas?

re: re: grub-install

Dave,
Good call, it seems like remounting it outside of the jail was giving me troubles. Thanks for the help!

Installation Breaks at grub Install

We (me and Doug MacLean) are trying to set up a 1 GB flash drive according to your instructions on http://feraga.com/node/94

We were successful up to Part XVII, Install grub. Here is the error message from attempting to install grub from outside the chroot jail:

amos:/home/doug# grub-install --recheck --root-directory=/mnt/buildroot /dev/sda
rm: cannot remove `/mnt/buildroot/boot/grub/device.map': Read-only file system
Could not find device for /mnt/buildroot/boot: Not found or not a block device.

We note that the mount stanza for the boot partition (/dev/sda1) mounts read-only, to wit:
UUID=b628f3e4-81d4-43da-8082-f17a8e926ae0 /boot ext2 defaults,noatime,ro 0 1

What are we missing? We also tried to find deb2flash in etch (testing) without success.

Thanks for the effort and we hope we can help achieve world domination one computer at a time.

fgd and dmacl

re: Installation Breaks at grub Install

Remount /mnt/buildroot/boot/ as read-write.

mount -o remount,rw /mnt/buildroot/boot

Then it should work.

Cryptsetup

I hit a snag early in the process at:
V. LUKS Format the encrypted partition

It states to enter:
cryptsetup luksFormat /dev/sda2
When I enter that it gives me this error:
anthrax:~/crypt# cryptsetup luksFormat /dev/sda2

WARNING!
========
This will overwrite data on /dev/sda2 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Unable to obtain sector size for /dev/sda2
Failed to setup dm-crypt key mapping.
Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/sda2 contains at least 133 sectors.
Failed to write to key storage.
Command failed.
anthrax:~/crypt#

Now I am using a thumbdrive, but it is an SD card thumbdrive: the ones that can be inserted into a phone, but also have a little tab that comes off and makes it a USB drive. I am wondering if this is the problem or if I have set something up wrong.

an example of the USB key is here:
http://www.ocztechnology.com/products/flash_drives/ocz_secure_digital_du...

Thanks for the great tutorial though! I can't wait to get it finished.

RE: Cryptsetup

It appears you don't have the SHA256 kernel module loaded.

Try running: modprobe sha256

To load the sha kernel module.

If the modprobe command fails, verify you have the file (/lib/modules/2.6.XX-XX-XXX/kernel/crypto/sha256.ko)

Then try the luksFormat command again.
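The error message above asks you to check the kernel for the aes-cbc-essiv:sha256 cipher spec. As an added example (not from the howto), the functions below split such a spec into the algorithm names the kernel must expose and look each one up in the `name :` entries of /proc/crypto, so you can see exactly which module is missing before retrying luksFormat. The /proc/crypto excerpt embedded here is a constructed sample in which sha256 is absent; on a real system pass the live file's contents instead.

```shell
#!/bin/sh
# Added example (not part of the howto): report which kernel crypto
# algorithms a cryptsetup cipher spec needs but /proc/crypto does not list.

# Constructed sample of /proc/crypto: aes and cbc(aes) present, sha256 missing.
SAMPLE_PROC_CRYPTO='name         : aes
driver       : aes-generic
module       : aes_generic
type         : cipher

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
type         : blkcipher

name         : sha1
driver       : sha1-generic
module       : sha1_generic
type         : digest'

# has_alg NAME LISTING: true if LISTING has a "name : NAME" entry.
# Parentheses in NAME (e.g. "cbc(aes)") are literal in a basic regex.
has_alg() {
    printf '%s\n' "$2" | grep -q "^name[[:space:]]*:[[:space:]]*$1\$"
}

# check_cipher_spec SPEC LISTING: SPEC has the form cipher-mode-ivmode[:hash],
# e.g. aes-cbc-essiv:sha256. Needed: the cipher, mode(cipher) and, when an
# IV hash is given, that digest. Prints each missing name on its own line
# and returns 1 if anything is missing, 0 otherwise.
check_cipher_spec() {
    spec=$1; listing=$2; missing=0
    cipher=${spec%%-*}            # "aes"
    rest=${spec#*-}               # "cbc-essiv:sha256"
    mode=${rest%%-*}              # "cbc"
    hash=${spec#*:}               # "sha256", or the whole spec if no ':'
    [ "$hash" = "$spec" ] && hash=""
    for alg in "$cipher" "$mode($cipher)" $hash; do
        has_alg "$alg" "$listing" || { echo "$alg"; missing=1; }
    done
    return $missing
}

# Live usage on the build system: ./check.sh aes-cbc-essiv:sha256
if [ $# -gt 0 ]; then
    if check_cipher_spec "$1" "$(cat /proc/crypto)"; then
        echo "all algorithms for $1 are present"
    else
        echo "load the modules for the names listed above (e.g. modprobe sha256)"
    fi
fi
```

Run against the sample listing, the check prints `sha256`, which is exactly the module the reply above tells you to modprobe; note that /proc/crypto only lists algorithms the kernel has already loaded, so a missing name means "not loaded", not necessarily "not available".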

RE: Cryptsetup

I went ahead and tried your suggestions. I started over completely and I still get the same error. I do have that file (sha256.ko).

Any other suggestions? Could it be the media that I have?

Are you root?

Make sure you are root when you run the command... that's the same problem I had.

RE: Cryptsetup

No, it's not your media. This error is from the system you are using to set up the drive not being able to create the encrypted partition because it's missing that kernel module (sha256.ko).

Are you using a debian machine to build from?

Also verify you have run this command from the Guide:

apt-get install cryptsetup dmsetup parted debootstrap grub

The sha256.ko is a kernel module which either should be part of the distro you are running or be installed by these packages (cryptsetup and dmsetup)

A Knoppix live CD is capable of building the USB drive according to this guide, so you might want to try that if you're having problems on an existing system.

Trying to make this work with Ubuntu Edgy...

First off, I really appreciate the documentation. Thanks very much for that.

Now, my problem: I attempted your procedure with Ubuntu Edgy, and it seems as if it's very close to working, but I've noticed a problem when the cryptroot script attempts to read the password upon boot.

For some reason, the script generates an error like "Error opening device, no such file or directory" and never actually waits for a password to be entered when booting. The problem seems to be somehow related to the block of code in that file that reads input from the console and pipes it to the cryptsetup command.

I'm guessing it can't read from the console period - but I have no idea why. It continually just fails, spewing out errors, and sits in a while loop forever without ever actually registering the input.

Any ideas are appreciated.

re: Trying to make this work with Ubuntu Edgy...

Ok, first thought. Did you add the delay to /etc/initramfs-tools/scripts/local-top/cryptroot? (Last part of installing Cryptsetup in step XVI).

If you did add it, reboot the system and watch the output. Are the USB drives detected before the timeout wakes up? If not, make the timeout longer.

For that matter does the "Error opening device" message come before or after the USB drives are detected and assigned scsi device names (i.e. /dev/sda#)?

Trying to make this work with Ubuntu Edgy...

I thought at first that might be the case as well - but I did verify, and the drive is definitely detected before the script tries to read the password. No love there.

The version of the 'cryptroot' script that comes with edgy appears to be a bit different from the one in Etch - there is no 'modprobe -q dm_crypt' directive to load the dm_crypt module in that script, which is where you added the pause. I added the pause as well as the modprobe statement where I thought to be a logical place, and the drive is detected, but still no luck hoping for a chance to input the password. If the scripts are substantially different, there's probably not much you can do without having Edgy somewhere - I'm actually wondering if the 'cryptroot' script has been split into multiple scripts, but I haven't had a chance to look into it deeply. I'll hopefully get to poke at it today and get back to you if I find anything out. A copy of your final etch cryptroot script would be really useful if you could post it somewhere!

On a general note, I believe there are a couple of typos (or possibly this is just different with edgy) - instead of copying to /etc/initramfs, you need to copy scripts to /etc/initramfs-tools. As well, when you copy the cryptroot script, the source directory is /usr/share/initramfs-tools/scripts/local-top/ (scripts with an s). Other than that, everything else about the guide seems to be exactly right as far as I can recall (and as far as I've gotten it to work, though I feel like it's very close to working for me with edgy). I have to reiterate that it's very well done and much appreciated, this should be a supported install path IMO :)

re: Trying to make this work with Ubuntu Edgy...

I downloaded a copy of cryptsetup from the Ubuntu repositories for comparison.

Versions:
Ubuntu: 1.0.4-8ubuntu2
Debian Sid: 1.0.4+svn26-1

Ok, comparing /usr/share/initramfs-tools/scripts/local-top/cryptroot shows that the two files are about 90% the same. The Debian version includes support for EVMS but Ubuntu does not. However that difference should not affect what we are doing here.

Both files have the "modprobe -q dm_crypt" line. It's sixteen lines into the setup_mapping() function.

I don't see anything in the Ubuntu version that would make it not work. Unless perhaps you're running an older version?

What version did you install?

Interesting - my version of

Interesting - my version of cryptsetup (from the edgy universe repository) is 1.0.3-3ubuntu3.

From which repository did you find the later version? Perhaps I just need to upgrade.

Answered my own question -

Answered my own question - downloaded the newer .deb from archive.ubuntu.com and extracted it. The scripts are substantially different, so I decided to use the ones from the new package, and...

Well, not success, but a new error. This time the UUID device file wasn't found - but that's an improvement at least.

So, I removed the UUID from my configuration files and replaced it with /dev/sdb2 instead (which is how the USB drive appears on my current system). Success! I was able to boot off the USB drive to a functional system.

So clearly the problem is related to UUID mappings now. I noticed, interestingly enough, that on my live system the only entries in /dev/disk/by-uuid are for ext2 filesystems - nothing else gets a UUID. Is this the way it appears in Etch? It seems possible that since Edgy is a bit older it may not support everything we need to make this work.

OK - I couldn't make it

OK - I couldn't make it work by UUID, but I did make it work using /dev/disk/by-id/ devices which *should* be just as good - I figure Edgy uses an older version of udev that doesn't have all of the needed rules for the UUID stuff. Thanks for all the help!

So, here's how my procedure differed from the above:

1) Download http://archive.ubuntu.com/ubuntu/pool/universe/c/cryptsetup/cryptsetup_1... and extract it (dpkg -x cryptsetup_1.0.4-8ubuntu2_i386.deb somedir)
2) Use the scripts extracted from this package (somedir/usr/share/mkinitramfs-tools) instead of the ones from /usr/share/initramfs-tools
3) Determine the IDs for /boot and / by running ls -l /dev/disk/by-id
4) Replace the entries in /etc/fstab and /etc/crypttab with /dev/disk/by-id/devicename

That should do it!
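Steps 3 and 4 above replace /dev/sdXN names with /dev/disk/by-id/ paths by hand. As an added example (not from the howto or the commenter), the functions below do that mapping from the output of `ls -l /dev/disk/by-id` and rewrite fstab/crypttab-style lines accordingly, leaving any device without a by-id entry untouched. The listing and the config lines are constructed samples; the names sdb1, sdb2 and `usb-Vendor_Model_0123456789-0:0` are placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example (not part of the howto): map /dev/sdXN to the matching
# /dev/disk/by-id/ symlink and rewrite fstab/crypttab lines to use it.

# Constructed "ls -l /dev/disk/by-id" output (placeholder vendor/model/serial).
SAMPLE_BY_ID='total 0
lrwxrwxrwx 1 root root  9 Nov  6 03:04 usb-Vendor_Model_0123456789-0:0 -> ../../sdb
lrwxrwxrwx 1 root root 10 Nov  6 03:04 usb-Vendor_Model_0123456789-0:0-part1 -> ../../sdb1
lrwxrwxrwx 1 root root 10 Nov  6 03:04 usb-Vendor_Model_0123456789-0:0-part2 -> ../../sdb2'

# Constructed config lines in the shape the howto uses.
SAMPLE_FSTAB='/dev/sdb1 /boot ext2 defaults,noatime,ro 0 1
proc /proc proc defaults 0 0'
SAMPLE_CRYPTTAB='cryptroot /dev/sdb2 none luks'

# by_id_path DEV LISTING: print /dev/disk/by-id/<name> for the listing entry
# whose symlink target is ../../DEV (DEV given without /dev/); return 1 if
# no entry matches. Matching on the full target keeps "sdb" from
# matching "sdb1".
by_id_path() {
    found=$(printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            *" -> ../../$1")
                name=${line%% -> *}          # drop " -> target"
                echo "/dev/disk/by-id/${name##* }"   # keep last field
                break ;;
        esac
    done)
    [ -n "$found" ] && echo "$found"
}

# rewrite_line LINE LISTING: replace every /dev/sd* field with its by-id
# path; fields with no by-id entry are left as they are.
rewrite_line() {
    out=""
    for field in $1; do
        case "$field" in
            /dev/sd*) stable=$(by_id_path "${field#/dev/}" "$2") && field=$stable ;;
        esac
        out="$out${out:+ }$field"
    done
    printf '%s\n' "$out"
}

# rewrite_config LISTING TEXT: apply rewrite_line to each line of TEXT.
rewrite_config() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        rewrite_line "$line" "$1"
    done
}

# Live usage on the build system (assumption: run as root, jail mounted at
# /mnt/buildroot), writing to a new file so the original can be compared:
#   rewrite_config "$(ls -l /dev/disk/by-id)" "$(cat /mnt/buildroot/etc/fstab)" > fstab.new
```

The rewrite keeps field order, so the fstab mount options (including the `ro` on /boot that later trips grub-install, as discussed above) are carried over unchanged; review the generated file before copying it into the jail.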

re: OK - I couldn't make it

As for UUIDs and filesystems, as far as I know the only filesystems to currently support UUIDs are XFS, Ext2/3 and LUKS enabled DM-Crypt.

Many thanks for the input and modified procedure for Ubuntu users. I will try to find some time to do some testing and integrate it into the howtos and automated installer somehow.

re: Trying to make this work with Ubuntu Edgy...

Ok, fixed the typos. Thanks.

I'll look into the cryptroots from Ubuntu and Debian to see if I can find the difference. I should have time in the next couple days. I'll post what I learn here or in the Developer Forums.

And thanks for the review. It's good to know that it all makes sense.