alphazo, Posted December 24, 2011

I'm investigating the use of dm-crypt for encrypted backups on an external USB drive. I found a cryptsetup package for Slackware, but when formatting the device I get an error message regarding crypto modules. In order to use dm-crypt I need AES, SHA, CBC support. On most distributions they are loaded as modules. The only one available in unRAID (/lib/modules/3.0.3-unRAID/kernel/crypto) is xor.ko... not the strongest encryption algorithm out there and missing crypto hash.

Here is what should give the most flexibility:

    aes_generic.ko
    cbc.ko
    ctr.ko
    cts.ko
    des_generic.ko
    ecb.ko
    hmac.ko
    rmd128.ko
    rmd160.ko
    rmd256.ko
    rmd320.ko
    sha1_generic.ko
    sha256_generic.ko
    sha512_generic.ko
    xcbc.ko
    xts.ko

Is there a simple way to build those modules for my unRAID box?

Thanks
alphazo

elkay14, Posted December 24, 2011

I can compile a custom kernel and build a custom bzroot for you. You'd replace the bzimage and bzroot files on your flash with them. What version of unRAID are you using?

elkay14, Posted December 24, 2011

Here's what is built in for beta14:

    #
    # Security options
    #
    # CONFIG_KEYS is not set
    # CONFIG_SECURITY_DMESG_RESTRICT is not set
    # CONFIG_SECURITY is not set
    # CONFIG_SECURITYFS is not set
    CONFIG_DEFAULT_SECURITY_DAC=y
    CONFIG_DEFAULT_SECURITY=""
    CONFIG_XOR_BLOCKS=m
    CONFIG_CRYPTO=y

    #
    # Crypto core or helper
    #
    CONFIG_CRYPTO_ALGAPI=y
    CONFIG_CRYPTO_ALGAPI2=y
    CONFIG_CRYPTO_AEAD2=y
    CONFIG_CRYPTO_BLKCIPHER=y
    CONFIG_CRYPTO_BLKCIPHER2=y
    CONFIG_CRYPTO_HASH=y
    CONFIG_CRYPTO_HASH2=y
    CONFIG_CRYPTO_RNG2=y
    CONFIG_CRYPTO_PCOMP2=y
    CONFIG_CRYPTO_MANAGER=y
    CONFIG_CRYPTO_MANAGER2=y
    CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
    # CONFIG_CRYPTO_GF128MUL is not set
    # CONFIG_CRYPTO_NULL is not set
    # CONFIG_CRYPTO_PCRYPT is not set
    CONFIG_CRYPTO_WORKQUEUE=y
    # CONFIG_CRYPTO_CRYPTD is not set
    # CONFIG_CRYPTO_AUTHENC is not set
    # CONFIG_CRYPTO_TEST is not set

    #
    # Authenticated Encryption with Associated Data
    #
    # CONFIG_CRYPTO_CCM is not set
    # CONFIG_CRYPTO_GCM is not set
    # CONFIG_CRYPTO_SEQIV is not set

    #
    # Block modes
    #
    CONFIG_CRYPTO_CBC=y
    # CONFIG_CRYPTO_CTR is not set
    # CONFIG_CRYPTO_CTS is not set
    CONFIG_CRYPTO_ECB=y
    # CONFIG_CRYPTO_LRW is not set
    # CONFIG_CRYPTO_PCBC is not set
    # CONFIG_CRYPTO_XTS is not set

    #
    # Hash modes
    #
    CONFIG_CRYPTO_HMAC=y
    # CONFIG_CRYPTO_XCBC is not set
    # CONFIG_CRYPTO_VMAC is not set

    #
    # Digest
    #
    # CONFIG_CRYPTO_CRC32C is not set
    # CONFIG_CRYPTO_CRC32C_INTEL is not set
    # CONFIG_CRYPTO_GHASH is not set
    CONFIG_CRYPTO_MD4=y
    CONFIG_CRYPTO_MD5=y
    # CONFIG_CRYPTO_MICHAEL_MIC is not set
    # CONFIG_CRYPTO_RMD128 is not set
    # CONFIG_CRYPTO_RMD160 is not set
    # CONFIG_CRYPTO_RMD256 is not set
    # CONFIG_CRYPTO_RMD320 is not set
    # CONFIG_CRYPTO_SHA1 is not set
    # CONFIG_CRYPTO_SHA256 is not set
    # CONFIG_CRYPTO_SHA512 is not set
    # CONFIG_CRYPTO_TGR192 is not set
    # CONFIG_CRYPTO_WP512 is not set

    #
    # Ciphers
    #
    # CONFIG_CRYPTO_AES is not set
    # CONFIG_CRYPTO_AES_586 is not set
    # CONFIG_CRYPTO_AES_NI_INTEL is not set
    # CONFIG_CRYPTO_ANUBIS is not set
    CONFIG_CRYPTO_ARC4=y
    # CONFIG_CRYPTO_BLOWFISH is not set
    # CONFIG_CRYPTO_CAMELLIA is not set
    # CONFIG_CRYPTO_CAST5 is not set
    # CONFIG_CRYPTO_CAST6 is not set
    CONFIG_CRYPTO_DES=y
    # CONFIG_CRYPTO_FCRYPT is not set
    # CONFIG_CRYPTO_KHAZAD is not set
    # CONFIG_CRYPTO_SALSA20 is not set
    # CONFIG_CRYPTO_SALSA20_586 is not set
    # CONFIG_CRYPTO_SEED is not set
    # CONFIG_CRYPTO_SERPENT is not set
    # CONFIG_CRYPTO_TEA is not set
    # CONFIG_CRYPTO_TWOFISH is not set
    # CONFIG_CRYPTO_TWOFISH_586 is not set

    #
    # Compression
    #
    # CONFIG_CRYPTO_DEFLATE is not set
    # CONFIG_CRYPTO_ZLIB is not set
    # CONFIG_CRYPTO_LZO is not set

    #
    # Random Number Generation
    #
    # CONFIG_CRYPTO_ANSI_CPRNG is not set
    # CONFIG_CRYPTO_USER_API_HASH is not set
    # CONFIG_CRYPTO_USER_API_SKCIPHER is not set
    CONFIG_CRYPTO_HW=y
    # CONFIG_CRYPTO_DEV_PADLOCK is not set
    # CONFIG_CRYPTO_DEV_GEODE is not set
    # CONFIG_CRYPTO_DEV_HIFN_795X is not set

CBC is at least built in (not a module).

alphazo, Posted December 24, 2011

I'm on 5.0-beta12a. I was about to switch to beta14 but some of the messages on the forum scared me so I'll wait a bit. Thanks for offering me a custom kernel (no backdoor please). I think I would need most of the security options enabled for testing.

Now if that works you need to teach me how to build my own kernel too (I have a Slackware VM laying around) because I don't want to bother you every time a new release comes out.

Thanks
alphazo

elkay14, Posted December 24, 2011

Yes, I'm actually writing something up to explain how to do the kernel compiles (someone else already asked, too.) I'll get it compiled here shortly (it doesn't take much effort once you have an environment set up.)

alphazo, Posted December 24, 2011

Thanks for the quick package. Last question, the URL says "3.1.6" at the end... Is this beta12a or beta14? I'm currently running beta12a which features kernel 3.0.3.

alphazo

elkay14, Posted December 24, 2011

It shouldn't matter and 3.1.6 has bugfixes over 3.0.3.

alphazo, Posted December 25, 2011

As mentioned before I wanted to wait a bit before moving to beta 14 even if there should be no issue. Is what you generated a regular b14 with crypto functions enabled or a hybrid beta12a with 3.1.6 kernel?

Thanks
alphazo

alphazo, Posted December 26, 2011

Thanks. I'll give it a try and keep you posted.

PS: In the future, I would definitely like to know how to build my own kernels for adding stuff like EXT4 support as well for external drives.

alphazo, Posted December 27, 2011

I installed your custom kernel and noticed a couple of missing crypto modules:

- arc4.ko
- cbc.ko
- des_generic.ko
- ecb.ko
- hmac.ko
- md4.ko
- md5.ko

The CBC one is pretty important.

I then installed the device-mapper package before issuing:

    dd if=/dev/zero of=/mnt/user/testshare/testluks bs=20M count=10
    losetup /dev/loop0 /mnt/user/jd/testluks
    modprobe sha512
    modprobe aes
    cryptsetup luksFormat /dev/loop0

    WARNING!
    ========
    This will overwrite data on /dev/loop0 irrevocably.

    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    Verify passphrase:
    Failed to setup dm-crypt key mapping.
    Check kernel for support for the aes-cbc-essiv:sha256 cipher spec and verify that /dev/loop0 contains at least 133 sectors.
    Failed to write to key storage.
    Command failed.

I think the dm-crypt module is missing. Would you be kind enough to generate a new one that includes the missing kernel crypto as well as dm-crypt modules?

Thanks
alphazo

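The cryptsetup error above names the aes-cbc-essiv:sha256 spec, which needs the device-mapper core, the dm-crypt target, the AES cipher, CBC mode and the SHA-256 hash used by ESSIV. The script below is an added example, not part of the thread or of unRAID: it reports the state of those options in a kernel .config. The helper names (`option_state`, `check_dmcrypt_config`, `sample_config`) are hypothetical, and the sample is constructed from lines of the beta14 excerpt posted earlier, which contains no device-mapper entries.

```shell
#!/bin/sh
# Added example: check a kernel .config for what aes-cbc-essiv:sha256 needs.

# device-mapper core, dm-crypt target, cipher, block mode, ESSIV hash
REQUIRED="CONFIG_BLK_DEV_DM CONFIG_DM_CRYPT CONFIG_CRYPTO_AES CONFIG_CRYPTO_CBC CONFIG_CRYPTO_SHA256"

# option_state FILE OPTION -> prints builtin, module or missing
option_state() {
    line=$(grep -E "^$2=" "$1" | tail -n 1)
    case "${line#*=}" in
        y) echo builtin ;;
        m) echo module ;;
        *) echo missing ;;   # "# ... is not set" or not present at all
    esac
}

# check_dmcrypt_config FILE -> one "OPTION state" line per option;
# returns non-zero when at least one option is missing.
check_dmcrypt_config() {
    rc=0
    for opt in $REQUIRED; do
        state=$(option_state "$1" "$opt")
        echo "$opt $state"
        if [ "$state" = missing ]; then rc=1; fi
    done
    return $rc
}

# Constructed sample: a few lines taken from the beta14 excerpt in the thread.
sample_config() {
    cat <<'EOF'
CONFIG_XOR_BLOCKS=m
CONFIG_CRYPTO=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_ECB=y
CONFIG_CRYPTO_HMAC=y
# CONFIG_CRYPTO_SHA256 is not set
# CONFIG_CRYPTO_AES is not set
EOF
}

# Use the .config given as first argument, or fall back to the sample.
cfg=${1:-}
tmp=""
if [ -z "$cfg" ]; then tmp=$(mktemp); sample_config > "$tmp"; cfg=$tmp; fi
check_dmcrypt_config "$cfg" || echo "kernel cannot set up aes-cbc-essiv:sha256"
if [ -n "$tmp" ]; then rm -f "$tmp"; fi
```

Pass the path of the .config used for the kernel build as the first argument; an option built as a module still has to be present under /lib/modules and loaded before cryptsetup can use it.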
elkay14, Posted December 27, 2011

It cannot be done. unRAID replaces the md (multidevice) kernel modules and both dm-crypt and devicemapper are under md. The kernel options are missing when unRAID md code is installed into the kernel source tree.

BRiT, Posted December 28, 2011

I think that can be done, but you need to use a modified Kconfig file with those options in it. This was done in some of the initial community SAS patches.

This topic is now archived and is closed to further replies.