FS#341 - Add support for dmcrypt to the installation ISO

Attached to Project: CRUX
Opened by Thomas Penteker (teK) - Tuesday, 05 August 2008, 19:58 GMT
Last edited by Jose V Beneyto (sepen) - Tuesday, 22 January 2013, 14:14 GMT
Task Type: Feature Request
Category: ISO
Status: Assigned
Assigned To: Thomas Penteker (teK)
Operating System: CRUX
Severity: Low
Priority: Normal
Reported Version: Development
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 4
Private: No

Details

I already spent some time implementing this and currently creating/opening/mounting/installing on a dmcrypt-ed device works like a charm.

Still needed is:
- documentation
- initrd to support setups with encrypted /

A side note: I don't know who is in charge of creating the ISOs, but I could give some advice/hints for building the next ISO, as I switched the kernel to 2.6.26 and rebuilt all core and opt ports to reflect the currently available versions.

Comment by Danny Rawlins (Romster) - Friday, 02 January 2009, 15:16 GMT
I think this got overlooked... maybe for CRUX2.6

Jue Tilman and Matt, I think, were the ones that built ISOs.

<ot>
I would be keen on implementing dmcrypt or maybe LUKS into my project. mdadm and lvm2 are supported currently.
</ot>
Comment by Rabmurb Kip (rabmurb) - Monday, 01 June 2015, 06:22 GMT
Hello,

Is there any progress on this? Any chances for dmcrypt support in 3.2?

I saw that there is an updated unofficial 3.1 installation ISO on https://serverop.de/~tek/crux-dmcrypt/ and will be glad to know what issues remain to be solved.

Regards,
Rabmurb
Comment by Danny Rawlins (Romster) - Sunday, 25 September 2016, 10:39 GMT
Bump for inclusion into crux 3.3?
Comment by Fun (fun) - Friday, 14 April 2017, 08:13 GMT
3.4?
Comment by Chris Rainey (ckrzen) - Thursday, 16 January 2020, 05:01 GMT
A shameless paste from the Slackware64-current, `/etc/rc.d/rc.S` file, as of 2020-01:

1. Add an empty `/etc/crypttab` to the base install

2. Then, put this function in-between the `# Create device-mapper ...` and the `# Mount root ...` functions in the `/etc/rc` file:

<code>

# Open any volumes created by cryptsetup.
#
# Some notes on /etc/crypttab in Slackware:
# Only LUKS formatted volumes are supported (except for swap)
# crypttab follows the following format:
# <luks_name> <device> <password> <options>
#
# <luks_name>: This is the name of your LUKS volume.
# For example: crypt-home
#
# <device>: This is the device containing your LUKS volume.
# For example: /dev/sda2
#
# <password>: This is either the volume password in plain text, or the name of
# a key file. Use 'none' to interactively enter password on boot.
#
# <options>: Comma-separated list of options. Note that there must be a
# password field for any options to be picked up (use a password of 'none' to
# get a password prompt at boot). The following options are supported:
#
# discard -- this will cause --allow-discards to be passed to the cryptsetup
# program while opening the LUKS volume.
#
# ro -- this will cause --readonly to be passed to the cryptsetup program while
# opening the LUKS volume.
#
# swap -- this option cannot be used with other options. The device given will
# be formatted as a new encrypted volume with a random key on boot, and used as
# swap.
#
if [ -f /etc/crypttab -a -x /sbin/cryptsetup ]; then
  # First, check for device-mapper support.
  if ! grep -wq device-mapper /proc/devices ; then
    # If device-mapper exists as a module, try to load it.
    # Try to load a device-mapper kernel module:
    /sbin/modprobe -q dm-mod
  fi
  # NOTE: we only support LUKS formatted volumes (except for swap)!
  cat /etc/crypttab | grep -v "^#" | grep -v "^$" | while read line; do
    eval LUKSARRAY=( $line )
    LUKS="${LUKSARRAY[0]}"
    DEV="${LUKSARRAY[1]}"
    PASS="${LUKSARRAY[2]}"
    OPTS="${LUKSARRAY[3]}"
    LUKSOPTS=""
    if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi
    if echo $OPTS | grep -wq discard ; then LUKSOPTS="${LUKSOPTS} --allow-discards" ; fi
    # Skip LUKS volumes that were already unlocked (in the initrd):
    /sbin/cryptsetup status $LUKS 2>/dev/null | head -n 1 | grep -q "is active" && continue
    if /sbin/cryptsetup isLuks $DEV 2>/dev/null ; then
      if [ -z "${LUKSOPTS}" ]; then
        echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV':"
      else
        echo "Unlocking LUKS encrypted volume '${LUKS}' on device '$DEV' with options '${LUKSOPTS}':"
      fi
      if [ -n "${PASS}" -a "${PASS}" != "none" ]; then
        if [ -f "${PASS}" ]; then
          # A password was given a key-file filename
          /sbin/cryptsetup ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS
        else
          # A password was provided in plain text
          echo "${PASS}" | /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS
        fi
      else
        # No password was given, or a password of 'none' was given
        /sbin/cryptsetup ${LUKSOPTS} luksOpen $DEV $LUKS </dev/tty0 >/dev/tty0 2>&1
      fi
    elif echo $OPTS | grep -wq swap ; then
      # If any of the volumes is to be used as encrypted swap,
      # then encrypt it using a random key and run mkswap:
      echo "Creating encrypted swap volume '${LUKS}' on device '$DEV':"
      /sbin/cryptsetup --cipher=aes --key-file=/dev/urandom --key-size=256 create $LUKS $DEV
      mkswap /dev/mapper/$LUKS
    fi
  done
fi

</code>
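
The following is an added example, not part of the comment above and not code from Slackware or CRUX: a lint for the four-field crypttab format that function consumes. The function passes each line through `eval` and pipes any third field that is not an existing file to cryptsetup as a plain-text password, so the lint reads fields with `read -r` and reports entries that rely on either behaviour, plus option combinations the notes rule out. Function names and finding labels are invented for this sketch, and the sample entries are constructed.

```sh
#!/bin/sh
# Added example: lint crypttab entries (four-field format above) without eval.
# Finding labels are invented for this sketch.

audit_crypttab() {  # $1 = crypttab path; prints "<luks_name>: <finding>"
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r name dev pass opts extra; do
        # read -r splits on whitespace only; nothing in the line is expanded.
        case "$name $dev $pass $opts $extra" in
            *'$'*|*'`'*|*';'*|*'&'*|*'|'*|*'('*|*'<'*|*'>'*)
                echo "$name: shell-metacharacter" ;;
        esac
        if [ -n "$pass" ] && [ "$pass" != "none" ]; then
            if [ ! -f "$pass" ]; then
                # The rc function pipes any non-file value to cryptsetup.
                echo "$name: plaintext-password"
            elif [ -n "$(find "$pass" \( -perm -040 -o -perm -004 \) -print)" ]; then
                echo "$name: key-file-readable-by-group-or-other"
            fi
        fi
        case ",$opts," in
            *,swap,*) [ "$opts" = "swap" ] || echo "$name: swap-with-other-options" ;;
        esac
        printf '%s\n' "$opts" | tr ',' '\n' | while read -r o; do
            case "$o" in
                ''|ro|discard|swap) ;;
                *) echo "$name: unsupported-option=$o" ;;
            esac
        done
    done
}

sample_crypttab() {  # constructed entries, not taken from a real system
    cat <<'EOF'
# <luks_name> <device> <password> <options>
crypt-home /dev/sda2 none discard
crypt-data /dev/sdb1 hunter2 ro
crypt-swap /dev/sda3 none swap,discard
crypt-x /dev/sdc1 $HOME/keyfile ro
crypt-y /dev/sdd1 none ro,noauto
EOF
}

audit_sample() {  # run the audit over the constructed sample
    tmp=$(mktemp) || return 1
    sample_crypttab > "$tmp"
    audit_crypttab "$tmp"
    rm -f "$tmp"
}

audit_sample
```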
Comment by Matt Housh (jaeger) - Friday, 10 July 2020, 22:53 GMT
Very recently support for using cryptsetup was improved on the -updated ISO (https://crux.ninja/updated-iso/). cryptsetup on the ISO works for the simple setups I tested, at least, and using contrib/dracut to generate an initramfs works properly.
Comment by Matt Housh (jaeger) - Monday, 13 July 2020, 23:28 GMT
Note that these changes will persist into the next official CRUX release as well.
