Brain Dump

A place to store my random thoughts and anything else I might find useful.

Archive for October, 2008

Installing gentoo with root encryption: notes

Posted by mzanfardino on October 23, 2008

Note: This is compiled from several sources (which I will site at the end) and my own experience. This example assumes the following partition table:

/dev/sda1 /boot
/dev/sda2 swap
/dev/sda3 /
  • Follow Gentoo Handbook through 4.d. FUTURE: Add notes regarding flushing drive with /dev/urandom before encrypting.
  • Be sure to emerge cryptsetup. (NOTE: this should not be necessary as gentoo 2008.0 includes luks support).
  • Load necessary modules:
    modprobe dm-crypt # required
    modprobe dm-mod # required
    modprobe serpent # optional
    modprobe blowfish # optional
    modprobe aes # optional but required for aes-cbc-essiv
  • Encrypt the swap partition and mount it. NOTE: Encytping with random passkey – does not require passkey to mount:
    cryptsetup -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
    mkswap /dev/mapper/swap
    swapon /dev/mapper/swap
  • Encrypt the root partition. NOTE: This example assumes a keyword/passphrase. FUTURE: Add examples for keyfile encryption:
    cryptsetup -y --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3
  • Open newly encrypted partition:
    cryptsetup openLuks /dev/sda3 root
  • Create the file system on the logical root. This example assumes ext3. FUTURE: Add notes concerning the user of alternate file system:
    mke2fs -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/root -L root
  • Create the file system for /boot. This example assumes ext2 (as you needn’t journal a boot partition). FUTURE: Add notes concerning the use of alternate file system:
    mke2fs /dev/sda1 -L boot
  • Mount the file system for use during the remainder of install:
    mount /dev/mapper/root /mnt/gentoo
  • Return to the Gentoo Handbook from step 5 to 7.d (genkernel)
  • Build the kernel with genkernel
    cd /usr/src/linux
    genkernel --luks --menuconfig all

    The key here is that you configure your kernel for ramdisk support and luks support FUTURE: add details.
  • Continue with Gentoo Handbook from 7.e till 8.a
  • Modify /etc/fstab to mount root from /dev/mapper/root. fstab will look as follows:
    /dev/sda1 /boot ext2 defaults,noatime 1 2
    /dev/mapper/swap none swap sw 0 0
    /dev/mapper/root / ext3 noatime 0 1
  • Modify /etc/conf.d/dmcrypt to mount swap during boot:
    swap=swap
    source='/dev/sda2'
  • Continue with Gentoo Handbook from 8.b till 10.b.
  • Configure GRUB to use genkernel:
    title Gentoo Linux 2.6.25-r8 (genkernel)
    root (hd0,0)
    kernel /boot/kernel-genkernel-x86-2.6.25-gentoo-r8 root=/dev/ram0 init=/linuxrc ramdisk=8192 crypt_root=/dev/sda3 vga=791
    initrd /boot/initramfs-genkernel-x86-2.6.25-gentoo-r8

    NOTE:kernel name may be different,be sure to use the correct initramfs and kernel.

Unbelievably that’s it! After days and days of trying to create my own initramfs and writing my own linuxrc files it really comes down to passing using genkernel to build the kernel and initramfs with luks support by passing genkernel –luks! (well, and the rest).

More to come later.

Citation:
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS#Preparing_the_disk
http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS#Using_initramfs_and_busybox
http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=1

Here is a handy one for when you have to chroot into your system because you omitted something and it doesn’t boot: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=6

Advertisements

Posted in gentoo, linux | Tagged: , , , | 2 Comments »

Access MySQL with mysql-query-browser over ssh tunnel

Posted by mzanfardino on October 23, 2008

Problem:
Your mysql database lives on a server that has all but a handful of ports blocked. Specifically you can’t use mysql-query-broswer to connect directly as port 3306 is blocked.

Solution:
Tunnel traffic through an ssh connection and forward the traffic from some other port (assuming you have mysql running on your localhost on port 3306) to port 3306.

How?

Simple: Open a new shell and create the tunnel on the local machine to the remote server as follows:

ssh -L $localport:127.0.0.1:3306 -l $remoteuserid $remoteserveraddress

  • $localport can be any available port, include 3306, but only if mysql is *not* running on the local machine.
  • $remoteuserid is the user id used to connect to the remote server.
  • $remoteserveraddress is the address of the remote server.

Once the tunnel is established, leave the shell open. You might get timed out depending on your server configuration, so you might need to have some application running on the remote server to maintain the connection.

Now launch mysql-query-browser, set the Server Hostname to 127.0.0.1 and the port to $localport. That’s it!

Posted in linux | Tagged: , , , , | 1 Comment »