Community Council | Posts: 4,920 | Thanked: 12,867 times | Joined on May 2012 @ Southerrn Finland
#1
All right, my quest for running on encrypted /home/ continues. Now I have managed to get sillykbd in such a shape that it is useful in password prompting in the pre-init phase.

I do however have some problems I would like to share with you in case somebody can advise me.

This is how I have proceeded;
  • First I need of course to boot into plain console without any GUI running. At this point "/dev/mmcblk0p3" and "/dev/mmcblk0p1" are not mounted yet.
  • Then, I create a directory entry "/enc_home" for the encrypted files to go into. I will now also change "/etc/fstab" so that "/dev/mmcblk0p3" will be mounted to "/enc_home" instead of "/home":
Code:
~ # cat /etc/fstab 
rootfs / rootfs defaults,errors=remount-ro,noatime 0 0
/dev/mmcblk0p3 /enc_home ext4 rw,noatime,errors=remount-ro,barrier=1 0 0
/dev/mmcblk0p1 /home/user/MyDocs vfat noauto,nodev,noexec,nosuid,noatime,nodiratime,utf8,uid=29999,shortname=mixed,dmask=000,fmask=0133,rodir 0 0
ubi0:var /var ubifs noauto,no_chk_data_crc,bulk_read
  • Next thing I do is I mount the "/enc_home" and copy everything off to "/root/home_backup". After that I do "rm -rf /enc_home/*".
  • Then I will mount "/home" as encfs on "/enc_home":
Code:
~ # 
~ # /usr/bin/encfs --public /enc_home /home
Creating new encrypted volume.
Please choose from one of the following options:
 enter "x" for expert configuration mode,
 enter "p" for pre-configured paranoia mode,
 anything else, or an empty line will select standard mode.
?> 

Standard configuration selected.

Configuration finished.  The filesystem to be created has
the following properties:
Filesystem cipher: "ssl/aes", version 3:0:2
Filename encoding: "nameio/block", version 3:0:1
Key Size: 192 bits
Block Size: 1024 bytes
Each file contains 8 byte header with unique IV data.
Filenames encoded using IV chaining mode.
File holes passed through to ciphertext.

Now you will need to enter a password for your filesystem.
You will need to remember this password, as there is absolutely
no recovery mechanism.  However, the password can be changed
later using encfsctl.

New Encfs Password: 
Verify Encfs Password: 
~ # 
~ # mount | grep enc
encfs on /home type fuse.encfs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,default_permissions,allow_other)
~ #
  • Now, to finish this off I copy back all the stuff to the new cryptodir: "cp -a /root/home_backup/* /home/"

After this I have whole "/dev/mmcblk0p3" encrypted, and I need to setup my "/sbin/preinit" so that it does the right things to ask for the key and set up decryption on next boot.

So far so good.

Now, on next boot I get the password prompt and enter the correct key.
However, system does not come up but reboots after a while. Once I got so far as to enter PIN-code of my SIM, but after that it rebooted again.

Well, my first thought was that maybe wholesale encfs running would take so much time on boot that watchdog bit me on the tail but closer inspection shows that this is not the case.

When I restored my usual setup and checked the logs, I found that there was loads of mounting errors like this:
"devicelockd: aegis_common.cpp(387): ERROR creation of '/home' failed (Transport endpoint is not connected)"
and further on like this:
"GLIB WARNING ** default - Cannot create directory: /home/user/.accounts"

So apparently at some point in initialization some of the aegisfs thingies that get mounted under "/home/user" fail.

Here is the whole bootlog for your reference: http://www.swagman.org/juice/bootlog_encfs

Now, why does this happen?
I have booted my system before so that I have manually mounted normal unencrypted "/dev/mmcblk0p3" into "/home" so I know the reason is not that aegis wants to mount it by itself. It can well run with "/home" already mounted.
Why does it now complain as I similarly present it with a nice decrypted view of the home hierarchy?

Is there some problem mounting the aegis directories overlayed on the encfs? I would assume there should be no objections to that...?
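The migration the post walks through (mount the backing partition on /enc_home, copy the data aside, create the encfs volume on top of it, copy the data back through the cleartext view) as a script, with the checks a practitioner would want before handing /home over to init. This is an added example, not code from the post or from Maemo; it assumes the same device and directory names the post uses (overridable through environment variables), that the passphrase is fed on stdin so that encfs's -S (--stdinpass) can be used instead of the interactive prompt, and that --standard picks the same default configuration the post's interactive session shows. The "Transport endpoint is not connected" error in the post's log is what any access to a FUSE mountpoint returns once the encfs process serving it has gone away; fuse_mount_alive() checks for exactly that by confirming the mount table entry is fuse.encfs and then actually touching the mountpoint. The mounts-table parser takes an optional file argument so it can be exercised on a constructed table without root.

```shell
#!/bin/sh
# Added example (not from the original post): migrate /home to encfs over
# /enc_home and verify the FUSE mount is really serving requests.
# Assumptions: paths below match the post; passphrase arrives on stdin;
# encfs --standard selects the default config the post chose interactively.

BACKING_DEV="${BACKING_DEV:-/dev/mmcblk0p3}"   # partition holding the ciphertext
CIPHER_DIR="${CIPHER_DIR:-/enc_home}"         # where that partition is mounted
PLAIN_DIR="${PLAIN_DIR:-/home}"               # cleartext view provided by encfs
BACKUP_DIR="${BACKUP_DIR:-/root/home_backup}" # staging copy of the old /home

# Print the filesystem type recorded for mountpoint $1 in a mounts table
# ($2, default /proc/mounts; a file path may be given for testing).
# Prints nothing and returns 1 when the mountpoint is not in the table.
mount_fstype() {
    mp="$1"; table="${2:-/proc/mounts}"
    awk -v mp="$mp" '$2 == mp { print $3; found = 1 } END { exit !found }' "$table"
}

# A FUSE mount whose daemon has died stays listed in the mount table, but
# every access fails with ENOTCONN ("Transport endpoint is not connected").
# Succeed only if $1 is listed as fuse.encfs AND a directory listing works.
fuse_mount_alive() {
    [ "$(mount_fstype "$1" "${2:-/proc/mounts}")" = "fuse.encfs" ] || return 1
    ls "$1" >/dev/null 2>&1
}

# One-shot migration. Needs root and encfs; never run by the test below.
migrate_home_to_encfs() {
    if mount_fstype "$PLAIN_DIR" >/dev/null; then
        echo "$PLAIN_DIR is already mounted, refusing to continue" >&2
        return 1
    fi
    mkdir -p "$CIPHER_DIR" "$BACKUP_DIR" || return 1
    mount -t ext4 -o rw,noatime,errors=remount-ro,barrier=1 \
        "$BACKING_DEV" "$CIPHER_DIR" || return 1

    # Copy the whole tree, dotfiles included, and only then clear the
    # partition (the post's "rm -rf /enc_home/*" leaves dotfiles behind;
    # lost+found is kept because e2fsck expects it).
    cp -a "$CIPHER_DIR"/. "$BACKUP_DIR"/ || return 1
    find "$CIPHER_DIR" -mindepth 1 -maxdepth 1 ! -name lost+found \
        -exec rm -rf {} \;

    # --public: allow_other + default_permissions so uid 29999 can use /home.
    # --standard: take the default configuration without prompting.
    # -S: read the passphrase from stdin (assumed supplied by the caller).
    encfs --public --standard -S "$CIPHER_DIR" "$PLAIN_DIR" || return 1

    # Do not restore data, and do not let init proceed, unless the FUSE
    # mount actually answers; otherwise every later mkdir under /home fails.
    if ! fuse_mount_alive "$PLAIN_DIR"; then
        echo "encfs mount on $PLAIN_DIR is not responding" >&2
        return 1
    fi
    cp -a "$BACKUP_DIR"/. "$PLAIN_DIR"/ || return 1
    echo "migration complete; $PLAIN_DIR is now encfs over $CIPHER_DIR"
}

# Only perform the (destructive) migration when explicitly requested.
if [ "${MIGRATE:-0}" = 1 ]; then
    migrate_home_to_encfs
fi
```

Run it as `MIGRATE=1 sh migrate_home.sh < passphrase_file` from the plain console, before /dev/mmcblk0p3 is mounted anywhere; on a later boot the same fuse_mount_alive check, placed in preinit right after the encfs call, is the point at which a dead mount should stop the boot with a readable error instead of letting devicelockd and the aegis mounts fail one by one.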