
Snapshot on usb with encrypted /home

Postby dzz » Sat Nov 10, 2012 3:28 pm

Any debian-live (what better than a custom Refracta Snapshot) makes an excellent "portable OS" on a USB stick. Saving changes over subsequent reboots is normally done using persistence, which can be system-wide or just the home directory.

Not so good for security though. If the device is lost or stolen that saved data is simple to access. For a long time I tried and failed to get a persistent /home with encryption working. Apparently current live-boot can't handle LUKS properly. I read this:
http://lists.debian.org/debian-live/200 ... 00186.html
but it didn't work like the author said.

What I finally came up with uses not persistence but the "live-hook" mechanism. It probably clunks badly... but it works! If anyone knows a better method (or can improve this one) please post here.

It is assumed the USB is already set up and working in "live" mode, is /dev/sdb, has a directory "/live" containing the filesystem.squashfs of the live-image (although a different directory can be used) and can actually boot the snapshot using syslinux/extlinux. Also assumed is basic knowledge of how to set up a LUKS partition (and basic is about my limit).

A second partition (LUKS) is needed, in my case 1GB, containing an ext2 filesystem. In there is an exact copy of the original /home directory from the snapshot, original Refracta or other debian-live image. If it's an image with no preconfigured user probably just the content of etc/skel is enough.

Make sure permissions are set right for the LUKS /home/user directory:

# The LUKS filesystem is later mounted as /home itself, so the "user"
# directory goes at its root. -a keeps modes, times and dotfiles.
cp -a /media/where_usb_device_is_mounted/home/user /media/where_luks_device_is_mounted/
# 1000:1000 is the live user's UID/GID
chown -R 1000:1000 /media/where_luks_device_is_mounted/user


Now the initscript which does the actual job. Before login it simply renames /home/user for the session, makes a new empty one and mounts the luks volume there. We will see later how to insert and activate it.

I tried (probably not very well) to explain in the script comments what will happen.

Copy to a text file named "lukshome", save and make it executable:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          lukshome
# Required-Start:    checkroot
# Required-Stop:     umountroot
# Should-Start:      udev devfsd
# Should-Stop:       udev devfsd
# X-Start-Before:    cryptdisks
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# X-Interactive:     true
# Short-Description: Mount a LUKS volume as /home on a live system.
# Description:       Renames /home for this session and mounts the volume
#                    named by lukshome= on the kernel cmdline in its place.
### END INIT INFO

# The kernel cmdline must contain one of (example UUID used):
# lukshome=UUID="ade5a403-05e2-4a02-9724-46efe69b3b74"
# or
# lukshome=UUID=ade5a403-05e2-4a02-9724-46efe69b3b74
# or
# lukshome=ade5a403-05e2-4a02-9724-46efe69b3b74
# or
# lukshome=/dev/sdb2

case "$1" in
start)
    # If 'lukshome=whatever' is not in the cmdline, do nothing and exit.
    USELUKSHOME=$(grep -o " lukshome=" /proc/cmdline)
    if [ -z "$USELUKSHOME" ]; then
        echo " LUKS home setup is not activated"
        exit 0
    fi

    # Get what was actually entered after 'lukshome=': drop everything after
    # the next space, any double quotes, and a leading UUID= prefix.
    LUKS_HOME_ENTRY=$(grep -o "lukshome=.*" /proc/cmdline | sed -e 's/^lukshome=//' -e 's/ .*//' -e 's/"//g' -e 's/^UUID=//')

    # If it was a UUID, translate it into /dev/sdXN via blkid.
    LUKS_HOME_DEV=$(blkid | grep "$LUKS_HOME_ENTRY" | awk -F ":" '{print $1}' | head -n 1)

    # Check it really is LUKS; if not, exit now.
    ISLUKS=$(blkid | grep "$LUKS_HOME_ENTRY" | grep -o "crypto_LUKS")
    if [ -z "$ISLUKS" ]; then
        echo " $LUKS_HOME_DEV is not LUKS"
        exit 0
    fi

    # Check whether persistence is active; exit now if so.
    # wheezy/sid use "persistence", squeeze uses "persistent".
    # grep -o " persist" (note the space) rules out " nopersistent"
    # but matches " persistent" and " persistence".
    PERSIST_IS_ON=$(grep -o " persist" /proc/cmdline)
    if [ -n "$PERSIST_IS_ON" ]; then
        echo " This LUKS home setup cannot be used with persistence"
        exit 0
    fi

    # Check the device was actually found (quoted: an empty, unquoted
    # [ -n $VAR ] is always true).
    if [ -z "$LUKS_HOME_DEV" ]; then
        echo " Error... LUKS home partition for '$LUKS_HOME_ENTRY' not detected (or specified incorrectly)"
        exit 0
    fi

    # Open it (prompts for the LUKS passphrase). A wrong passphrase fails
    # here, so the default /home is kept without touching anything.
    if ! cryptsetup luksOpen "$LUKS_HOME_DEV" home; then
        echo " Could not open $LUKS_HOME_DEV; keeping the default /home"
        exit 0
    fi

    # Rename the original /home (current live session only, the squashfs
    # is read-only), make a new empty /home as a mountpoint and mount the
    # decrypted volume there.
    mv /home /home_original
    mkdir /home
    if ! mount /dev/mapper/home /home; then
        # Mount failed (e.g. damaged filesystem): revert to /home_original
        # and close the mapping so nothing decrypted is left around.
        echo " Mount of /dev/mapper/home failed; reverting to the default /home"
        rmdir /home
        mv /home_original /home
        cryptsetup luksClose home
    fi
    ;;
esac
exit 0


Next make a simple script "hookscript" to use as a live-hook and make it executable:

#!/bin/bash
# live-hook script
# script name: hookscript
# Copies the lukshome init script from the live medium into /etc/init.d
# and registers it with update-rc.d so it runs at boot, before login.

# squeeze live-boot (findiso only works with grml patch)
if [ -d /live/findiso ]; then
    LIVEMEDIAMOUNTPOINT="/live/findiso"
else
    LIVEMEDIAMOUNTPOINT="/live/image"
fi

# sid live-boot
#if [ -d /lib/live/findiso ]; then
#    LIVEMEDIAMOUNTPOINT="/lib/live/findiso"
#else
#    LIVEMEDIAMOUNTPOINT="/lib/live/image"
#fi

echo ""
echo " Running live hook scripts "
echo ""
sleep 2
# This copy expects the hooks directory under /sid on the medium (a layout
# where the live image is not in the default /live directory).
cp -a "$LIVEMEDIAMOUNTPOINT/sid/hooks/lukshome" /etc/init.d/ || exit 1
chmod 755 /etc/init.d/lukshome
update-rc.d lukshome defaults

Make a new directory in the USB (part 1) /live/hooks and copy both "hookscript" and "lukshome" in there

mkdir /media/where_usb_is_mounted/live/hooks
cp hookscript /media/where_usb_is_mounted/live/hooks
cp lukshome /media/where_usb_is_mounted/live/hooks


Lastly, edit syslinux.cfg (or whatever else is the device bootloader) to include in the cmdline:

config=hooks hooks=/live/image/hooks/hookscript lukshome=/dev/sdb2


"lukshome=/dev/sdb2" can be uuid instead... or /dev/sd_whatever... see commented notes in the "lukshome" script

Voila! On boot the hook runs, LUKS passphrase prompt appears, then your alt /home gets used.

Without the correct passphrase (or without config=hooks hooks=whatever) the default /home will be used.

Testers appreciated. Sometimes copying text from/to code boxes doesn't work right, anyone interested say so if that's a problem
dzz
 
Posts: 647
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England
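The swap the init script above performs, rewritten here as an added example (this is not dzz's script and not part of the post): the lukshome= value is parsed word by word instead of by grepping for a leading space, so it is also found when it is the first word on the command line; a UUID is resolved with an exact `blkid -U` lookup rather than a substring grep of blkid output; the device must pass `cryptsetup isLuks`; and every step after `luksOpen` is undone if a later one fails. Function names and the "run" argument are this example's own. The functions that touch block devices need root and a real LUKS volume; the parsing functions can be exercised on any constructed command line.

```shell
#!/bin/sh
# Added example, not dzz's init script: the same lukshome= handling as a set
# of functions with stricter parsing and rollback. Function names and the
# "run" argument are this example's own.

# parse_lukshome CMDLINE
# Prints the value of the last lukshome= word on CMDLINE with surrounding
# double quotes and an optional UUID= prefix removed; prints nothing if the
# parameter is absent. Works even when lukshome= is the first word.
parse_lukshome() {
    _value=""
    set -f                      # no globbing of words like /dev/sd*
    for _word in $1; do
        case "$_word" in
            lukshome=*) _value="${_word#lukshome=}" ;;
        esac
    done
    set +f
    printf '%s' "$_value" | sed -e 's/"//g' -e 's/^UUID=//'
}

# persistence_enabled CMDLINE: true if live-boot persistence is requested.
# Matches only the exact words "persistence" (wheezy/sid) and "persistent"
# (squeeze), so "nopersistence" or "persistence-label=..." do not trigger it.
persistence_enabled() {
    set -f
    for _word in $1; do
        case "$_word" in
            persistence|persistent) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# resolve_lukshome ENTRY: print the block device for a /dev path or a UUID.
# blkid -U is an exact UUID lookup; a /dev path must exist as a block device.
resolve_lukshome() {
    case "$1" in
        /dev/*) [ -b "$1" ] && printf '%s' "$1" ;;
        *)      blkid -U "$1" 2>/dev/null ;;
    esac
}

# swap_home DEV: open DEV as /dev/mapper/home, mount it over a fresh /home,
# and undo everything if any step fails. Must run as root before login.
swap_home() {
    cryptsetup isLuks "$1" || { echo "$1 is not a LUKS device" >&2; return 1; }
    cryptsetup luksOpen "$1" home || return 1      # wrong passphrase lands here
    mv /home /home_original || { cryptsetup luksClose home; return 1; }
    mkdir /home
    mount /dev/mapper/home /home && return 0
    rmdir /home                                    # rollback to the original /home
    mv /home_original /home
    cryptsetup luksClose home
    return 1
}

# lukshome_from_cmdline CMDLINE: decide and act; returns 0 when the
# encrypted home is in use, 1 when the default /home is kept.
lukshome_from_cmdline() {
    _entry=$(parse_lukshome "$1")
    [ -n "$_entry" ] || { echo "lukshome= not set; default /home kept"; return 1; }
    if persistence_enabled "$1"; then
        echo "lukshome cannot be combined with persistence" >&2
        return 1
    fi
    _dev=$(resolve_lukshome "$_entry")
    [ -n "$_dev" ] || { echo "no block device for '$_entry'" >&2; return 1; }
    swap_home "$_dev"
}

# Only act on the real kernel command line when invoked as "lukshome.sh run".
case "${1:-}" in
    run) lukshome_from_cmdline "$(cat /proc/cmdline)" ;;
esac
```

Dropping the `" lukshome="` grep matters more than it looks: a bootloader entry that puts lukshome= first silently disables the whole mechanism with the original check, and a boot that quietly falls back to the plaintext /home is exactly the failure mode this setup exists to avoid.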

Re: Snapshot on usb with encrypted /home

Postby fsmithred » Sun Nov 11, 2012 4:16 pm

Did you initially set up the usb stick according to your instructions here? experimental-alternative-usb-installation-method-t103.html

I haven't had a chance to try it yet, but I will report when I do.

My alternate method - make a small partition labeled home-rw and a large encrypted partition. Boot with persistence, and the unencrypted home-rw will be mounted as /home. Anything that needs to be secure is stored in the encrypted partition, and if needed, is symlinked from the home-rw. Examples: /home/user/.ssh, /home/user/.gnupg, and /home/user/.mozilla are all symlinks pointing to directories on the encrypted partition.
fsmithred
 
Posts: 2082
Joined: Wed Mar 09, 2011 9:13 pm
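fsmithred's alternative, as an added example (not his code): a script that moves ~/.ssh, ~/.gnupg and ~/.mozilla from the unencrypted home-rw partition onto the encrypted one and leaves symlinks behind. It assumes the LUKS volume is already opened and mounted at the path passed as VAULT and is owned by the user; the function names are this example's own. It refuses to run when a plaintext directory and a vault copy both exist, rather than merging the two or discarding one of them.

```shell
#!/bin/sh
# Added example, not fsmithred's own code: keep an unencrypted home-rw as
# /home but move the directories that hold secrets onto the encrypted
# partition and leave symlinks behind. Assumes the LUKS volume is already
# opened and mounted at VAULT, owned by the user. Function names are this
# example's own.

# link_into_vault HOME VAULT NAME
# Ensures HOME/NAME is a symlink to VAULT/NAME, moving an existing plaintext
# directory into the vault on first run. Idempotent. Refuses (status 2) when
# both a plaintext directory and a vault copy exist, so two profiles are never
# merged or silently discarded; merge those by hand.
link_into_vault() {
    _src="$1/$3"
    _dst="$2/$3"
    if [ -L "$_src" ] && [ "$(readlink "$_src")" = "$_dst" ]; then
        return 0                                  # already done
    fi
    if [ -e "$_src" ] && [ ! -L "$_src" ]; then
        [ -d "$_src" ] || { echo "$_src is not a directory" >&2; return 2; }
        if [ -e "$_dst" ]; then
            echo "conflict: both $_src and $_dst exist; merge by hand" >&2
            return 2
        fi
        mv "$_src" "$_dst" || return 1            # plaintext copy leaves home-rw
    elif [ ! -e "$_dst" ]; then
        mkdir -p "$_dst" || return 1              # fresh, created inside the vault
    fi
    rm -f "$_src"                                 # drops a stale or wrong symlink
    ln -s "$_dst" "$_src" || return 1
    case "$3" in
        .ssh|.gnupg) chmod 700 "$_dst" ;;         # gpg warns, sshd StrictModes refuses, if looser
    esac
}

# secure_home HOME VAULT: apply the above to the directories named in the post.
secure_home() {
    for _name in .ssh .gnupg .mozilla; do
        link_into_vault "$1" "$2" "$_name" || return $?
    done
}
```

Run as `secure_home /home/user /media/vault` once the encrypted partition is mounted. Note that the move only makes future writes land on the encrypted side; blocks already written to the unencrypted home-rw before the move remain recoverable from that partition until overwritten.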

Re: Snapshot on usb with encrypted /home

Postby dzz » Wed Nov 14, 2012 1:27 am

Did you initially set up the usb stick according to your instructions here? experimental-alternative-usb-installation-method-t103.html


Most likely I did initially but it has since had other stuff added/removed in what is now a multiboot setup. It was only ever designed for initial setup.

That script does nothing you can't do from the CLI, or with unetbootin (set up a pendrive live OS using syslinux), except an included initrd hack that makes the live-media partition writable and the "findiso" patch from grml. I got a few reports that the script failed to detect some USB devices when plugged in; I finally reproduced that and found a more robust method, so will update it soon.

I since worked out in sid, how to make the live-media partition RW, now I can use a loopback file for luks-home or (normal) persistence without needing a second partition... useful for a small device (or multiboot, where a dedicated persist partition might be needed for each)

Selective manual symlinking to a luks department is surely possible... but this way does the whole lot including desktop setup configs and can be done in one partition.

Re: Snapshot on usb with encrypted /home

Postby fsmithred » Sun Jan 13, 2013 3:25 pm

I'm not getting it to work. (using beta6) Tried a few different permutations, and then I re-wrote the hookscript completely, and I think that hooks are not working. I should have testfile2 on the desktop when I log in. It's not there.

cmdline:
config=hooks hooks=/live/image/hooks/hookscript

/live/hooks/hookscript:
#!/bin/bash

touch /home/user/Desktop/testfile2

exit 0

Re: Snapshot on usb with encrypted /home

Postby fsmithred » Sun Jan 13, 2013 4:32 pm

OK, hooks are working - I had to change the cmdline
config=hooks hooks=file:///lib/live/mount/medium/live/hooks/hookscript


So far, I just have the testfile appearing on the desktop, with or without persistence.

Re: Snapshot on usb with encrypted /home

Postby fsmithred » Sun Jan 13, 2013 6:18 pm

Got it to work. Had to change a couple things in hookscript -
changed $LIVEMEDIAMOUNTPOINT and changed the directory where lukshome gets copied. This is in wheezy, using live-* packages from sid.

#!/bin/bash
# live-hook script
# script name: hookscript

# squeeze live-boot (findiso only works with grml patch)
#if [ -d /live/findiso ]; then
#    LIVEMEDIAMOUNTPOINT="/live/findiso"
#else
#    LIVEMEDIAMOUNTPOINT="/live/image"
#fi

# sid live-boot
if [ -d /lib/live/findiso ]; then
    LIVEMEDIAMOUNTPOINT="/lib/live/findiso"
else
    LIVEMEDIAMOUNTPOINT="/lib/live/mount/medium"
fi

echo ""
echo " Running live hook scripts "
echo ""
sleep 2
cp -a "$LIVEMEDIAMOUNTPOINT/live/hooks/lukshome" /etc/init.d/ || exit 1
chmod 755 /etc/init.d/lukshome
update-rc.d lukshome defaults


The other thing I had to change was cmdline as in the post above this -
config=hooks hooks=file:///lib/live/mount/medium/live/hooks/hookscript

Re: Snapshot on usb with encrypted /home

Postby dzz » Mon Jan 14, 2013 1:52 pm

The original "hookscript" posted was the wrong one. That was actually a variation I use for when the live-image is placed, on the device, in a directory different from the default (default is /live)

It may also be outdated, as debian-live mountpoints recently changed.

So for normal usage, fsmithred's version is now correct.

Thanks fsmithred for testing this and correcting the hookscript, good to know it's working.

Re: Snapshot on usb with encrypted /home

Postby fsmithred » Mon Jan 14, 2013 2:26 pm

Guess we'll fix it again if and when they change the directories again. BTW, hooks work on the grub usb stick, and I also got multiple systems to work on one stick. Put snapshot1.iso, vmlinuz1, initrd1.img, snapshot2.iso, vmlinuz2, initrd2.img, etc., all in the /live folder, and make entries for each in the boot menu.

Re: Snapshot on usb with encrypted /home

Postby dzz » Mon Jan 14, 2013 7:23 pm

Debian-live are in bug-fix mode now, getting ready for the wheezy release; it's not far away. Unlikely to be any major changes until after then, for those of us who will still track testing/sid.

Re multiboot: It will work using different names for vmlinuz, initrd and whatever.iso in one directory, /live or not, using "findiso" Probably not with multiple squash images.

I use, for convenience and tidiness, a separate directory for each OS, configured appropriately in the bootloader, but that is up to the user.

OT: more difficult is multiple persistence configurations. If anyone is interested we can deal with that separately.

Re: Snapshot on usb with encrypted /home

Postby dzz » Tue Feb 19, 2013 7:27 pm

live-boot_4.0~a7-1_all.deb made experimental today. Major difference: As of today, a luks persistence partition actually works as documented, which definitely did not before. Although we were previously told:
no need for any "hacks"
it works, just takes a lot of research

Tested here today with home and with full persistence, using a custom Wheezy live-image and syslinux-style usb setup. I haven't tested it with a persistence loopback file yet.

You don't have to actually install the experimental package into the build. For existing images it works to unpack the initrd used to boot from, replace /lib/live/* with the new stuff (unpack the deb or find the source package), then recompress and use the new initrd in your live-media's "/live" directory, be it CD or USB.

One problem still: if you use "debug" on the cmdline (to get a full boot log) with luks the system will hang early on. This was reported but remains unfixed.

The custom "luks-home" script has been a workaround but I am happy that Debian-Live now wants the luks problem sorted officially. We also don't know if anything, or what, may be broken in future versions, nor if this will make official wheezy in time.

http://forums.debian.net/viewtopic.php?f=30&t=95342
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700902
http://packages.debian.org/changelogs/p ... /changelog
http://packages.debian.org/experimental/live-boot
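The initrd update dzz describes (unpack, replace /lib/live/*, recompress), as an added example that is not part of the post: it assumes the initrd is a gzip-compressed newc-format cpio archive and that the new live-boot files have already been unpacked (for instance with `dpkg-deb -x`) into a directory containing lib/live/. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: the "unpack the initrd, replace
# /lib/live/*, recompress" step as functions. Assumes a gzip-compressed
# newc-format cpio initrd and that NEWLIB is an unpacked live-boot tree
# that contains lib/live/. Function names are this example's own.

# abspath PATH: absolute form of PATH (needed because the cpio steps cd).
abspath() {
    case "$1" in
        /*) printf '%s' "$1" ;;
        *)  printf '%s/%s' "$(pwd)" "$1" ;;
    esac
}

# unpack_initrd INITRD DIR: extract INITRD into DIR.
unpack_initrd() {
    _img=$(abspath "$1")
    mkdir -p "$2" && ( cd "$2" && gzip -dc "$_img" | cpio -idm )
}

# pack_initrd DIR INITRD: rebuild DIR as a gzip-compressed newc cpio initrd.
pack_initrd() {
    _out=$(abspath "$2")
    ( cd "$1" && find . | cpio -o -H newc | gzip -9 > "$_out" )
}

# replace_live_lib DIR NEWLIB: swap DIR/lib/live for NEWLIB/lib/live wholesale
# (a merge would leave stale files from the old live-boot behind).
replace_live_lib() {
    [ -d "$2/lib/live" ] || { echo "$2/lib/live missing" >&2; return 1; }
    rm -rf "$1/lib/live" && mkdir -p "$1/lib" && cp -a "$2/lib/live" "$1/lib/"
}

# update_live_initrd INITRD NEWLIB OUT: the whole cycle in a scratch directory,
# which is removed again whether or not a step fails.
update_live_initrd() {
    _work=$(mktemp -d) || return 1
    unpack_initrd "$1" "$_work" \
        && replace_live_lib "$_work" "$2" \
        && pack_initrd "$_work" "$3"
    _rc=$?
    rm -rf "$_work"
    return $_rc
}
```

Typical use: `update_live_initrd /media/usb/live/initrd.img /tmp/live-boot-unpacked /media/usb/live/initrd.img.new`, then point the bootloader entry at the new file; keep the old initrd until the new one has booted once, since a broken initrd on a USB stick means no shell to fix it from.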
