2011-10-03

Fedora 16 Alpha - issues with encrypted drives

Here is the list of issues I faced when upgrading from Fedora 15 to Fedora 16 Alpha.
First of all - have your backup ready for everything you have on the disk. Having a bit-for-bit backup of the whole disk really saved my ass.

I have multiple encrypted systems installed on my machine:

/dev/sda1 50GB Truecrypt - Windows
/dev/sda2 3GB Unencrypted - Grub boot partition
/dev/sda3 16GB LUKS - Backtrack5
/dev/sda4 Extended
/dev/sda5 16GB LUKS - Fedora root
/dev/sda6 16GB LUKS - home
/dev/sda7 4GB LUKS - swap
....


Issue #1 - LUKS device of the other system


I asked the installer to format and install to sda5. The Anaconda installer formatted sda5, but actually mounted the LUKS device on sda3 as /mnt/sysimage and tried to install there (this is the BackTrack partition on my computer), and it failed. Changing the partition type to something nonsensical didn't help. I had to delete partition sda3 from the partition table and put it back after the installation.

Issue #2 - LUKS device with ext3


I have had my "home" partition encrypted for quite a long time. It had an ext3 filesystem when I started, and the installer failed with an error. The Anaconda installer assumes during installation that the filesystem on a LUKS-encrypted disk is ext4 and fails if it is ext3.

I had wanted to migrate to ext4 for a while anyway, so I didn't investigate much why Anaconda was throwing an error. I just copied home to a secondary disk, recreated the LUKS device, formatted it with ext4 and restored the data from the backup using conventional weapons.

Issue #3 - Truecrypt vs Grub2



After installing Fedora 16 and realcrypt from RPM Fusion I found that I was unable to mount the Windows partition encrypted with TrueCrypt. After investigation it turned out that Fedora 16 Alpha uses GRUB2 as its boot loader, which is the source of the issues.

Both TrueCrypt and GRUB2 store their boot loaders not only in the MBR; they in fact use many more sectors for the necessary data (64 sectors?). With legacy GRUB it was enough to have a backup of the MBR (1 sector of 512 bytes) and chainload that saved TrueCrypt MBR to boot the TrueCrypt boot loader; the rest of TrueCrypt remained untouched on the disk. With GRUB2, the TrueCrypt boot loader and volume header are overwritten completely.
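The point about the boot area is worth checking rather than guessing. The following Python script is an added example, not code from the post: it reads the partition table out of a 512-byte MBR, derives the size of the gap between sector 0 and the first partition (the area legacy GRUB's stage1.5, GRUB2's core.img and the TrueCrypt loader plus its volume header occupy) from the table itself instead of assuming the post's "64 sectors?", and compares a dump of that area taken before and after a loader install to show which rewritten sectors an MBR-only backup cannot restore. The sample MBR, the dumps and the "install" are all constructed inside the script; nothing here touches a real disk.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55          # stored little-endian as bytes 55 AA at offset 510
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow the boot code


def parse_mbr(mbr: bytes) -> list:
    """Return the defined partition entries from a 512-byte MBR sector."""
    if len(mbr) < SECTOR:
        raise ValueError("MBR must be at least 512 bytes")
    if struct.unpack_from("<H", mbr, 510)[0] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, offset)
        if ptype == 0:          # empty slot
            continue
        entries.append({"slot": i + 1, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def boot_area_sectors(mbr: bytes) -> int:
    """Sectors from LBA 0 up to the first partition. This gap is where GRUB2's
    core.img and the TrueCrypt loader plus its volume header live, so a backup
    of the boot code has to cover all of it, not just sector 0."""
    parts = parse_mbr(mbr)
    if not parts:
        raise ValueError("partition table is empty")
    return min(p["lba_start"] for p in parts)


def changed_sectors(before: bytes, after: bytes) -> list:
    """Sector indices whose content differs between two dumps of the same area."""
    if len(before) != len(after) or len(before) % SECTOR:
        raise ValueError("dumps must be equal, whole-sector lengths")
    return [i for i in range(len(before) // SECTOR)
            if before[i * SECTOR:(i + 1) * SECTOR] != after[i * SECTOR:(i + 1) * SECTOR]]


def not_covered_by_backup(changed: list, backup_sectors: int) -> list:
    """Changed sectors that a backup of the first `backup_sectors` sectors cannot restore."""
    return [s for s in changed if s >= backup_sectors]


# --- constructed sample data (not taken from the post) ----------------------
def _entry(bootable: bool, ptype: int, lba_start: int, count: int) -> bytes:
    # CHS fields set to the usual 0xFE 0xFF 0xFF "use LBA" filler
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba_start, count)


def build_sample_mbr(entries: list) -> bytes:
    table = b"".join(_entry(*e) for e in entries).ljust(64, b"\x00")
    return bytes(PARTITION_TABLE_OFFSET) + table + struct.pack("<H", MBR_SIGNATURE)


# A bootable NTFS partition at LBA 63 (the classic first-track layout) and a
# Linux partition after it; sizes are arbitrary sample values.
SAMPLE_MBR = build_sample_mbr([(True, 0x07, 63, 104_857_600),
                               (False, 0x83, 104_857_663, 33_554_432)])

GAP = boot_area_sectors(SAMPLE_MBR)                      # 63 for this sample
# Stand-in for the TrueCrypt loader and header filling sectors 1..GAP-1.
BEFORE = SAMPLE_MBR + (b"TCLOADER" * (SECTOR // 8)) * (GAP - 1)


def simulate_loader_install(area: bytes, first: int, count: int) -> bytes:
    """Constructed stand-in for a boot loader install: rewrites `count` sectors
    starting at `first` and leaves the partition table in sector 0 intact."""
    buf = bytearray(area)
    for s in range(first, first + count):
        buf[s * SECTOR:(s + 1) * SECTOR] = bytes([0xE8 + (s & 0x0F)]) * SECTOR
    return bytes(buf)


AFTER = simulate_loader_install(BEFORE, first=1, count=16)

if __name__ == "__main__":
    changed = changed_sectors(BEFORE, AFTER)
    print("boot area sectors:", GAP)
    print("sectors rewritten by the install:", changed)
    print("unrecoverable with a 1-sector (MBR-only) backup:", not_covered_by_backup(changed, 1))
    print("unrecoverable with a full boot-area backup:", not_covered_by_backup(changed, GAP))
```

On a real machine the same check works on two dumps of the first `GAP` sectors taken with dd before and after the GRUB2 install; a single-sector MBR copy restores the partition table and chainload target but none of the sectors above it, which is exactly why the saved truecrypt.mbr alone no longer helps.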

I used to boot the TrueCrypt boot loader from the MBR saved directly after the TrueCrypt installation with:

# copy only the MBR (sector 0); without count= dd would copy the whole disk
dd if=/dev/sda of=/boot/win/truecrypt.mbr bs=512 count=1

#Old Grub configuration
title Windows XP
root (hd0,1)
chainloader (hd0,1)/win/truecrypt.mbr

#New Grub2 configuration from grub2-menulst2cfg
menuentry 'Windows XP' {
set root='(hd0,2)'; set legacy_hdbias='0'
chainloader '(hd0,2)/win/truecrypt.mbr'
}



Unfortunately this no longer works with GRUB2. The TrueCrypt boot loader reports this error:

TrueCrypt Boot Loader
Loader damaged! Use Rescue Disk: Repair Options > Restore Truecrypt Boot Loader


Trying to mount it from Linux using realcrypt fails as well:

# realcrypt --text --filesystem=none -m system -k "" --protect-hidden=no /dev/sda1
Enter password for /dev/sda1:
Incorrect keyfile(s) and/or password or not a RealCrypt volume.

Note that pre-boot authentication passwords need to be typed in the pre-boot environment where non-US keyboard layouts are not available. Therefore, pre-boot authentication passwords must always be typed using the standard US keyboard layout (otherwise, the password will be typed incorrectly in most cases). However, note that you do NOT need a real US keyboard; you just need to change the keyboard layout in your operating system.


You can boot the TrueCrypt Rescue CD ISO image. The trick is to use memdisk from the syslinux package:

yum install syslinux
cp /usr/share/syslinux/memdisk /boot/memdisk

cat /etc/grub.d/20_windows_truecryptiso
#!/bin/sh

echo "Adding entry for Windows/Truecrypt ISO" >&2

cat << EOF
menuentry 'WindowsXP/Truecrypt ISO' {
set root='(hd0,2)'; set legacy_hdbias='0'
linux16 /memdisk iso raw
initrd16 /win/tcrescue2011.iso
}
EOF


To regenerate the grub configuration (the script in /etc/grub.d must be executable to be picked up):

grub2-mkconfig -o /boot/grub2/grub.cfg



I tried to restore the TrueCrypt boot loader, and (as expected) it breaks GRUB2. So you have to reinstall GRUB2, which in turn breaks the TrueCrypt loader. A chicken-and-egg problem, right?

# grub2-install /dev/sda
Installation finished. No error reported.





The only compromise between these two boot loaders that I found on the internet is to set up GRUB2, boot the TrueCrypt rescue CD ISO via memdisk from GRUB2, and restore only the key data (the volume header) to the disk. This apparently doesn't overwrite GRUB2. Press F8 when booted from the TrueCrypt rescue CD and choose option 3.




Not restoring the key data means the disk can't be booted even from the rescue CD, and it won't be possible to mount it from Linux. The error is not obvious at first sight, as only "Incorrect Password" is reported even though you are sure the password is right.



Testing the configuration with qemu:

sync ; echo 3 > /proc/sys/vm/drop_caches ; qemu -hda /dev/sda
