
Thread: [HOWTO] Encrypt whole Feisty installation without reinstalling

  #1 (Join Date: Dec 2006, Beans: 21)

    [HOWTO] Encrypt whole Feisty installation without reinstalling [Encryption with LUKS]

    This describes how to encrypt an Ubuntu 7.04 (Feisty Fawn) installation. Because we work from a live CD, you can install Feisty and reboot first (to test whether it works, maybe more than once [I got some strange error on the first/second boot]).

    I recommend "shredding" your hard disk before that. You can do this with
    Code:
    sudo dd if=/dev/zero of=/dev/sda
    This may take some hours. On a 300 GB drive, 4 or 5 hours (for me).

    Most of this tutorial is from this German thread.

    1.) The partitions (if yours are not like this, you have to rethink a bit, but it is not difficult):
    Code:
    /dev/sda1: /boot: 100 to x MB. Filesystem does not really matter (I used ext3)
    /dev/sda2: swap, mine is 1GB
    /dev/sda3: /, should be >=3GB, mine is 50GB :)
    /dev/sda4: /home, size doesn't matter, but it should be enough.. Some GB are already enough, mine is 100GB
    If you have /boot on your / partition, we can just copy the files later.
    2.) Software/modules

    Become root with
    Code:
    sudo su
    Install software and load modules (you need the "universe" repository):
    Code:
    modprobe aes
    modprobe dm-crypt
    modprobe dm-mod
    apt-get update
    apt-get install cryptsetup
    3.)
    We work in /media and need three folders:
    Code:
    cd /media
    mkdir boot root home
    Now mount the partitions.
    Code:
    mount /dev/sda1 boot
    mount /dev/sda3 root
    mount /dev/sda4 home

    If /boot is on your root partition:
    Code:
    cp -ax root/boot/* boot/
    umount boot
    rm -rf boot root/boot
    Now we save the data on / temporarily to /home (this partition should be big enough; of course you can use another partition if you want)

    Code:
    mkdir home/root
    cp -ax root/* home/root
    umount root
    4.) The first partition (= /) is being encrypted now!

    Code:
    cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3
    Type uppercase "YES" and choose a good password. Maybe the password will be the greatest weakness later...
    If you get an error, modprobe the modules above or unmount sda3.
    We open the partition, format it (NOT your old root partition!) with ext3 (which takes some time) and mount it:

    Code:
    cryptsetup luksOpen /dev/sda3 root
    mkfs.ext3 /dev/mapper/root
    mount /dev/mapper/root root
    Now we copy the /-data from the home partition back and delete the root files on the home partition

    Code:
    cp -ax home/root/* root
    rm -rf home/root
    The same with the home partition:

    Code:
    mkdir root/backup
    cp -ax home/* root/backup
    umount home
    cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda4
    cryptsetup luksOpen /dev/sda4 home
    mkfs.ext3 /dev/mapper/home
    mount /dev/mapper/home home
    cp -ax root/backup/* home
    rm -rf root/backup
    umount home
    Now / and /home are encrypted but would not really boot...

    5.) Prepare the system for booting

    We mount the boot partition into the root partition...
    Code:
    mkdir root/boot
    mount /dev/sda1 root/boot
    ...and chroot into the system.

    Code:
    chroot root
    If cryptsetup is not already installed, you should install it now (universe is needed again; as editor you can use vim)
    Code:
    apt-get update
    apt-get install cryptsetup
    Now edit /etc/initramfs-tools/modules with your favourite editor and delete the lines in it (there should be only some comments...). Then paste the following into it:
    Code:
    aes
    dm-crypt
    dm-mod
    sha256
    Now edit the /etc/fstab (UUIDs are only examples)

    Code:
    UUID=7153f497-1b66-476d-bb3b-85e3fe18b402 /               ext3    defaults,errors=remount-ro 0       1
    UUID=ab5f1dca-45c1-4c66-8cfb-e6ca84ec6650 /home           ext3    defaults        0       2
    to

    Code:
    /dev/mapper/root /               ext3    defaults,errors=remount-ro 0       1
    /dev/mapper/home /home           ext3    defaults                       0       0
    and save it. Edit /etc/crypttab and paste
    Code:
    root /dev/sda3 none luks,retry=1,cipher=aes-cbc-essiv:sha256
    home /dev/sda4 none luks,retry=1,cipher=aes-cbc-essiv:sha256
    Edit /boot/grub/menu.lst and change
    Code:
    # kopt=root=/dev/sda3 ro quiet splash
    to
    Code:
    # kopt=root=/dev/mapper/root ro
    And run
    Code:
    update-grub
    To be sure, look if your Ubuntu entries look like this:
    Code:
    title           Ubuntu, kernel 2.6.20-15-generic
    root            (hd0,0)
    kernel          /vmlinuz-2.6.20-15-generic root=/dev/mapper/root ro quiet
    initrd          /initrd.img-2.6.20-15-generic
    savedefault
    There may be some locale/vga=x entries or so... That is absolutely OK.

    Update initramfs:
    Code:
    update-initramfs -u -k all
    You may see some error messages about "libdevmapper" or so; that doesn't matter now.

    Now you can reboot. You should see
    Code:
    Enter LUKS passphrase:
    Type in your root-partition password. After some seconds, enter your home-partition password (you will be asked again). If it does not work, boot with the live cd, mount the partitions, chroot into the fs and check which file is wrong.

    So, that should be everything.. but

    If you want to encrypt your swap partition, too, do the following while you booted into your encrypted system:

    In /etc/crypttab, add the line (sda2 is the swap partition from step 1)
    Code:
    swap /dev/sda2 /dev/random swap,check=/bin/true
    and in /etc/fstab, change the swap line to
    Code:
    /dev/mapper/swap  none            swap    sw              0       0
    Don't reboot now.

    Do the following:
    Code:
    sudo su
    swapoff -a
    dd if=/dev/zero of=/dev/sda2 bs=1M count=1
    The first MB of the swap is overwritten...

    HIBERNATE WILL NOT WORK ANYMORE IF YOUR SWAP IS ENCRYPTED [WITH A RANDOM KEY]



    If you want to decrypt your home partition, or any other partition, with a keyfile [if it gets "stolen"... hm. That'd not be good...]:

    Create a keyfile, e.g. in /etc/keyfiles

    Code:
    sudo mkdir /etc/keyfiles
    sudo dd if=/dev/urandom of=/etc/keyfiles/extrapartition.key bs=1 count=32
    Add the keyfile to the existing partition (the partition should not be mounted):

    Code:
    sudo cryptsetup luksAddKey /dev/sdaX /etc/keyfiles/extrapartition.key
    Replace sdaX with the partition...
    You have to enter the password for the partition (if you would not have to, "anybody" on your PC [with your account password] could add a keyfile)

    Now modify /etc/crypttab and change [e.g.]

    Code:
    home /dev/sdaX      none      luks,retry=1,cipher=aes-cbc-essiv:sha256
    to

    Code:
    home /dev/sdaX       /etc/keyfiles/extrapartition.key      luks,retry=1,cipher=aes-cbc-essiv:sha256
    and reboot. Done.


    I hope that will work (it worked perfectly for me and some others)
    Last edited by Kopfgeldjaeger; May 7th, 2007 at 07:15 PM. Reason: more information in title
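    As an added example (not code from this thread), two shell helpers for the keyfile and crypttab/fstab steps above: make_keyfile creates a keyfile that is readable by root only, and check_crypt_config reads a crypttab and an fstab (paths passed as arguments, so copies work from the live CD chroot) and reports the mistakes that are easy to make in this procedure: a /dev/mapper path as source device, an fstab still mounting the old partition, a missing or world-readable keyfile, and a swap entry without a random key.

```shell
#!/bin/sh
# Added example, not code from the thread. make_keyfile creates a LUKS keyfile
# readable by root only; check_crypt_config inspects a crypttab and an fstab
# given as arguments (copies work). Nothing here touches a real disk.
# make_keyfile PATH: 32 random bytes; umask is set before dd runs so the file
# is never group/world readable, not even for an instant.
make_keyfile() {
    ( umask 077 && dd if=/dev/urandom of="$1" bs=1 count=32 2>/dev/null ) &&
    chmod 400 "$1"
}

# check_crypt_config CRYPTTAB FSTAB: print one line per problem, return 1 if any.
check_crypt_config() {
    crypttab=$1; fstab=$2
    out=$(grep -v '^[[:space:]]*#' "$crypttab" | grep -v '^[[:space:]]*$' |
    while read -r name src key opts; do
        # field 2 must be the raw partition; a /dev/mapper path here means
        # the mapping is never set up at boot
        case "$src" in
            /dev/mapper/*) echo "$name: source must be the raw partition, not $src" ;;
        esac
        # fstab must mount the mapped device, not the old UUID or partition
        grep -q "^/dev/mapper/$name[[:space:]]" "$fstab" ||
            echo "$name: fstab does not mount /dev/mapper/$name"
        # a keyfile must exist and be unreadable to everyone but root
        case "$key" in
            none|/dev/random|/dev/urandom) ;;
            *)  if [ ! -f "$key" ]; then
                    echo "$name: keyfile $key does not exist"
                else
                    case "$(stat -c %a "$key")" in
                        400|600) ;;
                        *) echo "$name: keyfile $key is group/world readable" ;;
                    esac
                fi ;;
        esac
        # an encrypted swap entry is re-keyed from a random source at each boot
        case ",$opts," in
            *,swap,*) case "$key" in
                          /dev/random|/dev/urandom) ;;
                          *) echo "$name: swap entry should use /dev/urandom as key" ;;
                      esac ;;
        esac
    done)
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
    return 0
}
# Run directly as: sh check_crypt.sh /etc/crypttab /etc/fstab
if [ $# -eq 2 ]; then check_crypt_config "$1" "$2"; fi
```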

  #2 (Join Date: Dec 2006, Beans: 21)

    Re: [HOWTO] Encrypt whole Feisty installation without reinstalling

    Er...and: If anyone tried it, a post here would be cool! Thank you

  #3 (Join Date: Dec 2005, Beans: Hidden!)

    Re: [HOWTO] Encrypt whole Feisty installation without reinstalling

    I think you should replace "dd if=/dev/zero of=/dev/sdaX" with "dd if=/dev/urandom of=/dev/sdaX"

    because I noticed a potential security flaw in your implementation.

    If someone has physical access to the hard drive, they can do a bit dump of the encrypted partitions to determine where the data is physically located. (It might not help them now, but it will make it easier for them later.)

    That is why it is better to write the partitions with "if=/dev/urandom" instead of "if=/dev/zero".

    << Actually, "if=/dev/random" would be better, but by the time it completed, your hardware might be obsolete or the kernel might run out of entropy >>

    The trade-off is that this would take much longer to complete the "dd" command.

  #4 (Join Date: Dec 2006, Beans: 21)

    Re: [HOWTO] Encrypt whole Feisty installation without reinstalling

    Hm. Yes, 'they' could see what has been shredded...

    If you have the time, it'd be really better with urandom. But for my 300GB drive, it would have been at least 8 or 9 times slower.. Hm.

    greetings

  #5 (Join Date: Aug 2006, Beans: 60)

    Re: [HOWTO] Encrypt whole Feisty installation without reinstalling

    Is there a way to modify this so you would have to use a usb key with a cert/keyfile on it? Boot, input key, enter password.

    I have a box I will be setting up in the next few days and will run this through it.

    Anything different for installing this on server you can think of off hand?

    JT

  #6 (Join Date: Dec 2006, Location: UK, Beans: 128, Distro: Ubuntu 7.10 Gutsy Gibbon)

    Re: [HOWTO] Encrypt whole Feisty installation without reinstalling

    Hi Kopfgeldjaeger,

    I followed your tutorial to the letter. I have the following setup:
    Code:
    /dev/sda9 = linux swap
    /dev/sda12 = linux root (AES enc)
    /dev/sda13 = home, AES
    /dev/sda12 mounts successfully as /dev/mapper/root using crypttab, however, home does not. It falls over with the following error:
    Code:
    Enter LUKS passphrase: 
    Unable to make device node for 'temporary-cryptsetup-6019'
    Failed to read from key storage
    Command failed.
    Any Ideas? This occurs at boot time.

    Thanks, Quark_77

  #7 (Join Date: Dec 2006, Beans: 21)

    Re: [HOWTO] Encrypt whole Feisty installation without reinstalling

    @Quark:
    Do you use a key file? What happens when you try to luksOpen it with a live-cd?

    @Chachee:
    Well, I think this is possible. But I do not really know if you have access to the USB-Stick at boot time. You could try it as I described it above - maybe it only works with the home-partition, but not with the root-partition [because /etc/fstab].

    greetings

  #8 (Join Date: Dec 2006, Location: UK, Beans: 128, Distro: Ubuntu 7.10 Gutsy Gibbon)

    Re: [HOWTO] Encrypt whole Feisty installation without reinstalling

    Hi Kopfgeldjaeger,

    I noticed a bunch of boot time errors saying such a node couldn't be created under /dev/.static/dev/mapper. One look in there and no mapper! So I just did this:
    Code:
    sudo mkdir /dev/.static/dev/mapper
    sudo mount -a
    and up came /dev/mapper/home. Bingo. That's better!!

    Two questions:
    • Can you offer any guidance on using key files with luks?
    • How do we use alternative ciphers such as Serpent?


    Thanks for the great tutorial, it's easier for me to follow than the German version!

    Quark_77

  #9 (Join Date: Dec 2006, Beans: 21)

    Re: [HOWTO] Encrypt whole Feisty installation without reinstalling

    @Keyfiles: Just look at the end of the HowTo.
    @Alternative Ciphers:
    Add "serpent" to your /etc/initramfs-tools/modules and run "sudo modprobe serpent".
    Then change
    Code:
    cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda9
    --------------------^^^^^^^^^^^^^
    this. I'm searching for what you can use instead of that...

    greetings
    Last edited by Kopfgeldjaeger; May 2nd, 2007 at 04:13 PM.

  #10 (Join Date: May 2007, Beans: 5)

    Re: [HOWTO] Encrypt whole Feisty installation without reinstalling

    Hey folks, I've got a question. I followed the instructions (well, basically the German version) and everything worked fine. Instead of the normal aes I used the padlock module, which is a hardware implementation of AES in a VIA CPU.
    Code:
    modprobe padlock
    does the job like aes and I was able to encrypt and mount my partitions.
    Of course I load padlock instead of aes in "/etc/initramfs-tools/modules", but when it comes to updating the modules I get a nasty error:
    Code:
    update-initramfs: Generating /boot/initrd.img-2.6.20-15-generic
    cat: /proc/cmdline: No such file or directory
    /proc/devices: fopen failed: No such file or directory
    Is device-mapper driver missing from kernel?
    Failure to communicate with kernel device-mapper driver.
    /proc/devices: fopen failed: No such file or directory
    Is device-mapper driver missing from kernel?
    Failure to communicate with kernel device-mapper driver.
    Incompatible libdevmapper 1.02.08 (2006-07-17)(compat) and kernel driver 
    Command failed
    cryptsetup: WARNING: failed to determine cipher modules to load for root
    When I try to boot with the encrypted partition I get an error that padlock could not be loaded and apparently Linux falls back to normal aes. I'm able to mount / but then again I don't get GNOME but only a console and an error that the X server crashed.
    I'm trying to get you some bootlogs...

    I would be very thankful if anyone has a possible solution for this problem.
