Doh - I actually didn’t realize the “Multiple Partition Image - Single Disk” could do a single partition! I just tried a capture using this and it seems to work fine - haven’t had a chance for a deploy yet. I guess since I foresee only rarely changing partition sizes, this option would work fine.
Posts made by humoss233
-
RE: Avoid shrinking non-selected partitions during capture?
-
Avoid shrinking non-selected partitions during capture?
My settings below. I’m trying to only capture my /root partition that is 20 GB but FOG goes through “shrinking” each partition which takes forever because it is a 1 TB drive.
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 sounds great re: adding - thanks again. I’m pretty new to linux shell scripting though I do a lot of Python work
-
RE: Error decrypting LUKS partition prior to capture/imaging
@Sebastian-Roth thanks! changing the line endings fixed the error and the difference in paths doesn’t seem to be an issue
I had to repad the base64 string as trailing ='s can’t be passed in the kernel parameter (they are ignored). Here’s the final result:
#!/bin/bash
# REF: https://gist.github.com/catwell/3046205
# Restore the '=' padding that is lost when the base64 string is passed on the kernel command line
function repad {
  _l=$((${#1} % 4))
  if [ $_l -eq 2 ]; then _s="$1"'=='
  elif [ $_l -eq 3 ]; then _s="$1"'='
  else _s="$1" ; fi
  echo -n $_s
}
# $pass comes from the pass=... kernel parameter. The AES key lives in this script on the
# /images share, so this keeps the passphrase out of the plaintext cmdline, nothing more.
pass_dec=`echo -n $(repad $pass) | base64 -d | openssl enc -d -aes-128-ecb -K 691CACE3402341778F3DBCFD74859E0C -nosalt`
# Try every block device; on success replace the device node with a link to the mapped (decrypted) device
for i in {/dev/sd*,/dev/nvme*,/dev/md*}; do
  echo -n "$pass_dec" | cryptsetup luksOpen $i $(basename $i)_crypt -d - 2> /dev/null
  if [ -e /dev/mapper/$(basename $i)_crypt ]; then
    rm $i
    ln -s /dev/mapper/$(basename $i)_crypt $i
    echo Decrypted $i
  fi
done
# blockdev --rereadpt fails with BLKRRPART busy on an open LUKS device; partprobe works
sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh
Generate the encrypted pass using
echo -n 'MY_LUKS_PASSWORD' | openssl enc -base64 -aes-128-ecb -K 691CACE3402341778F3DBCFD74859E0C -nosalt
and pass the result in a pass kernel parameter.
Thanks again @george1421 and @Sebastian-Roth for all your help in making this work
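Added example (not code from this thread, from FOG or from FOS) covering the final script above and the earlier question about reading kernel parameters from /proc/cmdline: it isolates the command-line handling so it can be exercised on a constructed command line with no LUKS device present. The names cmdline_get, repad, decode_kernel_b64, roundtrip_check, DEMO_KEY_HEX and SAMPLE_CMDLINE are all hypothetical; the round trip uses the same openssl enc -aes-128-ecb -K ... -nosalt form as the post, with a throwaway demo key, and is skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FOG/FOS. Names below
# (cmdline_get, repad, decode_kernel_b64, roundtrip_check, DEMO_KEY_HEX,
# SAMPLE_CMDLINE) are hypothetical.

# cmdline_get KEY "CMDLINE": print the value of KEY=value, or fail.
# Split on whitespace only; 'set -f' keeps a value such as a* from globbing.
cmdline_get() {
  cg_key=$1
  set -f
  set -- $2
  set +f
  for cg_word in "$@"; do
    case $cg_word in
      "$cg_key"=*) printf '%s' "${cg_word#*=}"; return 0 ;;
    esac
  done
  return 1
}

# repad B64: restore the '=' padding dropped from the kernel command line.
# A length of 1 mod 4 can never be valid base64, so that case fails.
repad() {
  rp_s=$1
  case $(( ${#rp_s} % 4 )) in
    0) ;;
    2) rp_s="${rp_s}==" ;;
    3) rp_s="${rp_s}=" ;;
    *) return 1 ;;
  esac
  printf '%s' "$rp_s"
}

# decode_kernel_b64 KEY "CMDLINE": fetch, repad and base64-decode a value.
decode_kernel_b64() {
  dk_raw=$(cmdline_get "$1" "$2") || return 1
  dk_padded=$(repad "$dk_raw") || return 1
  printf '%s' "$dk_padded" | base64 -d
}

# Demo key only (hypothetical); a real deployment generates its own 32 hex digits.
DEMO_KEY_HEX=00112233445566778899aabbccddeeff

# roundtrip_check PASSPHRASE: encrypt the way the post does, drop the
# trailing '=' as the kernel command line would, then recover the
# passphrase through the functions above. Returns 0 on a match, or 0
# without checking when openssl is not installed here.
roundtrip_check() {
  rt_plain=$1
  command -v openssl >/dev/null 2>&1 || return 0
  rt_enc=$(printf '%s' "$rt_plain" | openssl enc -aes-128-ecb -K "$DEMO_KEY_HEX" -nosalt -base64 -A)
  rt_cmdline="BOOT_IMAGE=bzImage pass=${rt_enc%%=*}"
  rt_got=$(decode_kernel_b64 pass "$rt_cmdline" \
           | openssl enc -d -aes-128-ecb -K "$DEMO_KEY_HEX" -nosalt)
  [ "$rt_got" = "$rt_plain" ]
}

# Constructed sample: a FOS-style command line whose pass= value is
# base64('secret1') with its trailing '==' already lost.
SAMPLE_CMDLINE='BOOT_IMAGE=bzImage initrd=init.xz ramdisk_size=275000 pass=c2VjcmV0MQ'

decoded=$(decode_kernel_b64 pass "$SAMPLE_CMDLINE")
echo "pass= decodes to: $decoded"
if roundtrip_check 'MY_LUKS_PASSWORD'; then
  echo "openssl round trip OK (or skipped: openssl not installed)"
else
  echo "openssl round trip FAILED"
fi
```

In a postinit script the command line would come from $(cat /proc/cmdline) rather than SAMPLE_CMDLINE. Note that the decryption key has to sit in the script itself, which lives on the /images share the client mounts, so whoever can read that share can recover the passphrase from the cmdline value; the scheme keeps the passphrase out of the plaintext boot arguments, nothing more.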
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 mostly figured out the script, but having trouble getting it to run. I’m following your guide here (https://forums.fogproject.org/topic/9463/fog-postinit-scripts-before-the-magic-begins/) but getting this error:
/images/dev/fog.postinit:
#!/bin/bash
. $postinitpath/fog.ACME.selector
/images/dev/fog.ACME.selector contains the script from your post and executes the decryption script if the machine type matches
Here’s the actual decryption script in a separate file:
#!/bin/bash
# only needed if using intel raid: mdadm /dev/md126
# $pass_enc comes from the pass_enc=... kernel parameter
pass_dec=`echo $pass_enc | openssl enc -base64 -d -aes-256-cbc -nosalt -pbkdf2 -pass pass:LOCALKEY`
# Try every block device; on success replace the device node with a link to the mapped (decrypted) device
for i in {/dev/sd*,/dev/nvme*,/dev/md*}; do
  echo -n "$pass_dec" | cryptsetup luksOpen $i $(basename $i)_crypt -d -
  if [ -e /dev/mapper/$(basename $i)_crypt ]; then
    rm $i
    ln -s /dev/mapper/$(basename $i)_crypt $i
  fi
done
# blockdev --rereadpt fails with BLKRRPART busy on an open LUKS device; partprobe works
sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh
One would generate the encrypted key using
echo 'MY_DECRYPTED_PASS' | openssl enc -base64 -e -aes-256-cbc -nosalt -pbkdf2 -pass pass:LOCALKEY
and pass this in the “pass_enc” kernel parameter
@Sebastian-Roth don’t know the docker creator but his github is https://github.com/Mudislander/fogproject
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 I run 1.5.5 because that’s the latest available as a docker container (https://github.com/Mudislander/fogproject).
I changed KERNEL RAMDISK SIZE to 275000 and it now works - thanks! I successfully decrypted and encrypted a sample file using the following commands.
openssl aes-256-cbc -a -salt -pass pass:PASSWORD -in sample.txt -out sample.txt.enc
openssl aes-256-cbc -d -a -pass pass:PASSWORD -in sample.txt.enc -out sample.txt.new
Is the best way for the postinit script to access kernel parameters to parse /proc/cmdline?
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 getting error message below
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 thanks for looking into this!
By the way, here is a simple initial stab at a postinit script for folks using LUKS with FOG in the future. It tries to decrypt all partitions and then links the decrypted partitions in the cases of successful decryption. It currently uses a plaintext PASSWORD in the script, but hopefully we can switch this out for an encrypted password passed as a kernel parameter.
# Try every block device; on success replace the device node with a link to the mapped (decrypted) device
for i in {/dev/sd*,/dev/nvme*,/dev/md*}; do
  echo -n PASSWORD | cryptsetup luksOpen $i $(basename $i)_crypt -d -
  if [ -e /dev/mapper/$(basename $i)_crypt ]; then
    rm $i
    ln -s /dev/mapper/$(basename $i)_crypt $i
  fi
done
# blockdev --rereadpt fails with BLKRRPART busy on an open LUKS device; partprobe works
sed -i 's/blockdev --rereadpt/partprobe/g' /usr/share/fog/lib/funcs.sh
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 that’s a good idea - I’ve been researching it, but it looks like openssl is not available in FOS. Is there another way available to decrypt a given cipher?
-
RE: rEFInd exit method: boot to hard drive requires extra manual menu input
@george1421 thanks for pointing me to the conf file! Changing the default option to the 2nd choice did the trick and now it boots straight to OS. I guess it got hung on the 1st choice.
Here is the line I changed from:
default_selection 1
to:
default_selection grubx64
in /var/www/html/fog/service/ipxe/refind.conf
-
rEFInd exit method: boot to hard drive requires extra manual menu input
I have PXE as the first boot option, and when there are no tasks scheduled, I’d like my PC to boot my hard drive automatically. I have to use EFI for my setup, so I am using rEFInd (I tried all other exit options, but none worked with EFI). With rEFInd, it goes into a menu where I have to manually select an option (the 2nd one for me) and hit enter to finish booting my PC each time.
Is there a way around this?
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 That’s a good point and your method is safer, but the one that I’m using (from @Sebastian-Roth) also works - I unzipped and mounted the resulting .img file to make sure it’s good. It’s beyond me but cryptsetup must work in a way that once the decrypted partition is mapped, it’s no longer dependent on the device file representation.
Now I just need to think of a clever way of prompting for and transmitting the password over the network, as I’d rather not put the plaintext pass in the postinit script.
Both of you, thanks very much for your help!!
-
RE: Error decrypting LUKS partition prior to capture/imaging
@Sebastian-Roth clever hack! There was one more hurdle: blockdev --rereadpt in the runPartprobe function fails due to “ioctl error on BLKRRPART: Device or resource busy” because cryptsetup luksOpen appears to be locking the device. Luckily partprobe works fine, so I just replaced that part of the script. Here are my final commands (the last line just shows that the line has been replaced successfully). After running fog, the decrypted partition/disk is successfully captured (with /dev/md126 as “Host Primary Disk”). 1 GB instead of 800 GB!
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 /dev/mapper/crypt is created, not /dev/crypt. Cryptsetup uses device mapper to create a mapped decrypted partition. I can mount this decrypted partition using mount /dev/mapper/crypt /mnt/temp and successfully view all the files on the partition. This is why I thought it’d work to use /dev/mapper/crypt in the “Host Primary Disk” field. Could FOS be confused because it expects to find a disk device and not a partition?
I’m not sure re: kernel parameters. This is a capture in debug mode. I’ve successfully completed captures of the full encrypted partition without debug mode (using /dev/md126 as “Host Primary Disk”). So, I’m not sure if missing parameters are contributing to the error.
See lsblk output below:
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 I followed your instructions, but I keep running into an error after typing in “fog.” Maybe it’s because I set Host Primary Disk to /dev/mapper/crypt (which I confirm exists after using cryptsetup). Error message, commands, and host/image settings below.
mdadm -D /dev/md126
cryptsetup luksOpen /dev/md126p3 crypt
fog
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 I tried the version with the XTS kernel module and it works! luksOpen works without errors and I can also mount the decrypted partition and see my files. Now I just need to set up a postinit script.
@george1421 @Sebastian-Roth
Debugging info on FOS (latest bzImageCrypt):
cryptsetup --help
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
on Ubuntu LTS 18.04:
cryptsetup --help
Default compiled-in device cipher parameters:
loop-AES: aes, Key 256 bits
plain: aes-cbc-essiv:sha256, Key: 256 bits, Password hashing: ripemd160
LUKS1: aes-xts-plain64, Key: 256 bits, LUKS header hashing: sha256, RNG: /dev/urandom
user@server:~$ cat /proc/crypto | grep aes
name : cmac(aes)  driver : cmac(aes-aesni)
name : __xts(aes)  driver : cryptd(__xts-aes-aesni)
name : pcbc(aes)  driver : pcbc-aes-aesni  module : aesni_intel
name : fpu(pcbc(__aes))  driver : fpu(pcbc(__aes-aesni))  module : aesni_intel
name : pcbc(__aes)  driver : pcbc(__aes-aesni)
name : xts(aes)  driver : xts-aes-aesni  module : aesni_intel
name : ctr(aes)  driver : ctr-aes-aesni  module : aesni_intel
name : cbc(aes)  driver : cbc-aes-aesni  module : aesni_intel
name : ecb(aes)  driver : ecb-aes-aesni  module : aesni_intel
name : gcm(aes)  driver : generic-gcm-aesni  module : aesni_intel
name : __generic-gcm-aes-aesni  driver : __driver-generic-gcm-aes-aesni  module : aesni_intel
name : rfc4106(gcm(aes))  driver : rfc4106-gcm-aesni  module : aesni_intel
name : __gcm-aes-aesni  driver : __driver-gcm-aes-aesni  module : aesni_intel
name : __xts(aes)  driver : __xts-aes-aesni  module : aesni_intel
name : __ctr(aes)  driver : __ctr-aes-aesni  module : aesni_intel
name : __cbc(aes)  driver : __cbc-aes-aesni  module : aesni_intel
name : __ecb(aes)  driver : __ecb-aes-aesni  module : aesni_intel
name : __aes  driver : __aes-aesni  module : aesni_intel
name : aes  driver : aes-aesni  module : aesni_intel
name : aes  driver : aes-asm  module : aes_x86_64
driver : drbg_nopr_ctr_aes256
driver : drbg_nopr_ctr_aes192
driver : drbg_nopr_ctr_aes128
driver : drbg_pr_ctr_aes256
driver : drbg_pr_ctr_aes192
driver : drbg_pr_ctr_aes128
name : aes  driver : aes-generic
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 thanks for uploading this! I just got a chance to try it out. It fails but a different error this time, so I think we’re getting closer.
[Mon Oct 21 root@fogclient /]# cryptsetup luksOpen /dev/md126p3 crypt
Enter passphrase for /dev/md126p3:
device-mapper: table: 251:0: crypt: Error allocating crypto tfm
reload ioctl on failed: No such file or directory
Failed to setup dm-crypt key mapping for device /dev/md126p3
Check that the kernel supports aes-xts-plain64 cipher (check syslog for more info).
From /var/log/messages:
Oct 21 21:03:16 fogclient user.err kernel: device-mapper: table: 251:0: crypt: Error allocating crypto tfm
Oct 21 21:03:16 fogclient user.warn kernel: device-mapper: ioctl: error adding target to table
Doing some research, it looks like a module may be missing (“No such file or directory”). Could it be that the module for the cipher is missing? I’m currently using cryptsetup default options (which uses aes-xts-plain64 as cipher). When I try
cat crypto | grep aes
on this FOS build, I only see aes-generic, whereas I see ~20 options when doing the same on my Ubuntu server (including xts-aes-aesni).
Let me know if I can do anything to help debug further.
Some links referencing similar error messages out there:
https://www.raspberrypi.org/forums/viewtopic.php?t=60278
https://bugs.centos.org/view.php?id=9311
-
RE: Error decrypting LUKS partition prior to capture/imaging
@george1421 Thanks for your comprehensive treatment of this topic! Absolutely re: getting it working manually before automating with init scripts.
It sounds like dm-crypt is not something that can be enabled with a flag? If not, I could try to rebuild the kernel if it’s a simple one-liner tweak somewhere here https://github.com/FOGProject/fos for example?
-
Error decrypting LUKS partition prior to capture/imaging
I’m trying to capture/image a decrypted LUKS partition (I don’t want to backup the whole encrypted partition). I would need to decrypt and mount the partition in an init script. Currently I can do this with Clonezilla (see here: https://www.errietta.me/blog/luks-clonezilla/)
I tried using the shell and debug, but i get the following error:
[Sat Oct 19 root@fogclient /]# cryptsetup luksOpen /dev/md126p3 crypt
Enter passphrase for /dev/md126p3:
device-mapper: table: 251:0: crypt: unknown target name
reload ioctl on failed: Invalid argument
Failed to setup dm-crypt key mapping for device /dev/md126p3
Check that the kernel supports aes-xts-plain64 cipher (check syslog for more info).
[Sat Oct 19 root@fogclient /]# uname -r
4.19.1
As far as I know, the kernel should support this fine
Note that I’m using md126p3 in my example because this is an Intel VROC RAID1 drive, but this should apply to any device with a LUKS encrypted partition regardless