This describes how to encrypt an Ubuntu 7.04 (Feisty Fawn) installation. Because we work from a live CD, you can install Feisty first and reboot to test that it works, maybe more than once [I got some strange error on the first/second boot].
I recommend "shredding" your hard disk before that... You can do this with
Code:
sudo dd if=/dev/zero of=/dev/sda
This may take some hours. On a 300 GB drive, 4 or 5 hours (for me).
Most of this tutorial is from this German thread.
The partitions (if yours are not laid out like that, you have to rethink a bit, but it is not difficult):
1.)
Code:
/dev/sda1: /boot: 100 to x MB. Filesystem does not really matter (I used ext3)
/dev/sda2: swap, mine is 1GB
/dev/sda3: /, should be >=3GB, mine is 50GB :)
/dev/sda4: /home, size doesn't matter, but it should be enough... Some GB are already enough, mine is 100GB
If you have /boot on your / partition, we can just copy the files later.
2.) Software/modules
Become root with
Install software and load modules (you need the "universe" repository):
Code:
modprobe aes
modprobe dm-crypt
modprobe dm-mod
apt-get update
apt-get install cryptsetup
3.)
We work in /media and need three folders:
Code:
cd /media
mkdir boot root home
Now mount the partitions.
Code:
mount /dev/sda1 boot
mount /dev/sda3 root
mount /dev/sda4 home
If /boot is on your root partition:
Code:
cp -ax root/boot/* boot/
umount boot
rm -rf boot root/boot
Now we save the data on / temporarily to /home (this partition should be big enough; of course you can use another partition if you want)
Code:
mkdir home/root
cp -ax root/* home/root
umount root
4.) The root partition (/, i.e. /dev/sda3) is being encrypted now!
Code:
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3
Type uppercase "YES" and choose a good password. The password may well be the greatest weakness later...
If you get an error, modprobe the modules above or unmount sda3.
We open the partition, format it (NOT your old root partition!) with ext3 (which takes some time) and mount it:
Code:
cryptsetup luksOpen /dev/sda3 root
mkfs.ext3 /dev/mapper/root
mount /dev/mapper/root root
Now we copy the /-data from the home partition back and delete the root files on the home partition:
Code:
cp -ax home/root/* root
rm -rf home/root
The same with the home partition:
Code:
mkdir root/backup
cp -ax home/* root/backup
umount home
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda4
cryptsetup luksOpen /dev/sda4 home
mkfs.ext3 /dev/mapper/home
mount /dev/mapper/home home
cp -ax root/backup/* home
rm -rf root/backup
umount home
Now / and /home are encrypted but would not really boot...
5.) Prepare the system for booting
We mount the boot partition into the root partition...
Code:
mkdir root/boot
mount /dev/sda1 root/boot
...and chroot into the system.
If cryptsetup is not already installed inside the chroot, install it now (universe is needed again; as editor you can use vim):
Code:
apt-get update
apt-get install cryptsetup
Now edit /etc/initramfs-tools/modules with your favourite editor and delete the lines in it (it should contain only some comments...).
Now paste the following into it:
Code:
aes
dm-crypt
dm-mod
sha256
Now edit the /etc/fstab (UUIDs are only examples)
Code:
UUID=7153f497-1b66-476d-bb3b-85e3fe18b402 / ext3 defaults,errors=remount-ro 0 1
UUID=ab5f1dca-45c1-4c66-8cfb-e6ca84ec6650 /home ext3 defaults 0 2
to
Code:
/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/home /home ext3 defaults 0 0
and save it. Edit /etc/crypttab and paste
Code:
root /dev/sda3 none luks,retry=1,cipher=aes-cbc-essiv:sha256
home /dev/sda4 none luks,retry=1,cipher=aes-cbc-essiv:sha256
Edit /boot/grub/menu.lst and change
Code:
# kopt=root=/dev/sda3 ro quiet splash
to
Code:
# kopt=root=/dev/mapper/root ro
And make a
.
To be sure, look if your Ubuntu entries look like this:
Code:
title Ubuntu, kernel 2.6.20-15-generic
root (hd0,0)
kernel /vmlinuz-2.6.20-15-generic root=/dev/mapper/root ro quiet
initrd /initrd.img-2.6.20-15-generic
savedefault
There may be some locale/vga=x entries or so... That is absolutely OK
Update initramfs:
Code:
update-initramfs -u -k all
You may see some error messages about "libdevmapper" or similar; that doesn't matter now.
Now you can reboot. You should see
Enter LUKS passphrase:
Type in your root-partition password. After some seconds, enter your home-partition password (you will be asked again). If it does not work, boot with the live CD, mount the partitions, chroot into the filesystem and check which file is wrong.
So, that should be everything... but:
If you want to encrypt your swap partition, too, do the following while you booted into your encrypted system:
In /etc/crypttab, add the line
Code:
# /dev/urandom rather than /dev/random: a blocking read here would hang the boot
swap /dev/sda2 /dev/urandom swap,check=/bin/true
and in /etc/fstab, change the swap line to
Code:
/dev/mapper/swap none swap sw 0 0
Don't reboot now.
Do the following:
Code:
sudo su
swapoff /dev/sda2
dd if=/dev/zero of=/dev/sda2 bs=1M count=1
The first MB of the swap is overwritten, so the old swap signature is gone and the partition is only used through the encrypted mapping from now on...
HIBERNATE WILL NOT WORK ANYMORE IF YOUR SWAP IS ENCRYPTED [WITH A RANDOM KEY]
If you want to unlock your home partition, or any other partition, with a keyfile [if the keyfile gets "stolen"... hm. That would not be good...]:
Create a keyfile, e.g. in /etc/keyfiles
Code:
sudo mkdir /etc/keyfiles
sudo chmod 0700 /etc/keyfiles
sudo dd if=/dev/urandom of=/etc/keyfiles/extrapartition.key bs=1 count=32
sudo chmod 0400 /etc/keyfiles/extrapartition.key
Add the keyfile to the existing partition (the partition should not be mounted):
Code:
sudo cryptsetup luksAddKey /dev/sdaX /etc/keyfiles/extrapartition.key
Replace sdaX with your partition...
You have to enter the password for the partition (if you didn't have to, "anybody" on your PC [with your account password] could add a keyfile).
Now modify /etc/crypttab and change [e.g.]
Code:
home /dev/sdaX none luks,retry=1,cipher=aes-cbc-essiv:sha256
to
Code:
home /dev/sdaX /etc/keyfiles/extrapartition.key luks,retry=1,cipher=aes-cbc-essiv:sha256
and reboot. Done.
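Before rebooting (step 5 and the keyfile step above), it is worth checking that crypttab, fstab and the initramfs modules list agree with each other and that a keyfile is not world-readable, instead of finding out from a hung boot. The following check is an added example, not from the original post; it takes the three file paths as arguments (so it can be run on copies from the chroot) and the constructed sample files are my own, mirroring the layout of this tutorial.

```shell
# Pre-reboot consistency check for the crypttab, fstab and initramfs modules files
# edited in this tutorial (added example, not from the original post).
# check_crypt_config CRYPTTAB FSTAB MODULES: prints each finding, returns their count.
check_crypt_config() {
    crypttab=$1; fstab=$2; modules=$3; problems=0
    while read -r name src key opts; do
        case "$name" in ''|\#*) continue ;; esac
        # Each mapping must be mounted (or swapped) as /dev/mapper/<name> in fstab.
        grep -q "^/dev/mapper/$name[[:space:]]" "$fstab" ||
            { echo "crypttab: '$name' has no /dev/mapper/$name line in fstab"; problems=$((problems+1)); }
        # The source must be the raw partition, never an already-mapped device.
        case "$src" in /dev/mapper/*)
            echo "crypttab: '$name' source $src is a mapper device, not a partition"; problems=$((problems+1)) ;;
        esac
        # A keyfile must exist and must not be readable by group or others.
        case "$key" in none|/dev/random|/dev/urandom) ;; *)
            if [ ! -f "$key" ]; then
                echo "crypttab: keyfile $key for '$name' does not exist"; problems=$((problems+1))
            elif [ -n "$(find "$key" -perm /077)" ]; then
                echo "crypttab: keyfile $key is readable by group/others"; problems=$((problems+1))
            fi ;;
        esac
    done < "$crypttab"
    # Every /dev/mapper device in fstab needs a crypttab entry, or boot waits for it forever.
    for dev in $(awk '!/^#/ && $1 ~ /^\/dev\/mapper\//{print $1}' "$fstab"); do
        n=${dev#/dev/mapper/}
        grep -q "^$n[[:space:]]" "$crypttab" ||
            { echo "fstab: $dev has no crypttab entry '$n'"; problems=$((problems+1)); }
    done
    # aes-cbc-essiv:sha256 needs all four of these modules inside the initramfs.
    for m in aes dm-crypt dm-mod sha256; do
        grep -qx "$m" "$modules" || { echo "modules: $m missing"; problems=$((problems+1)); }
    done
    return "$problems"
}
# Constructed sample in DIR mirroring the tutorial's final layout (good), or with the
# mistakes above: mapper-device source, missing keyfile, missing modules (bad).
write_sample() {
    d=$1; mkdir -p "$d/keyfiles"
    printf 'root /dev/sda3 none luks,retry=1,cipher=aes-cbc-essiv:sha256\nswap /dev/sda2 /dev/urandom swap,check=/bin/true\n' > "$d/crypttab"
    printf '/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1\n/dev/mapper/swap none swap sw 0 0\n/dev/mapper/home /home ext3 defaults 0 0\n' > "$d/fstab"
    printf 'aes\ndm-crypt\ndm-mod\nsha256\n' > "$d/modules"
    if [ "$2" = good ]; then
        dd if=/dev/urandom of="$d/keyfiles/home.key" bs=32 count=1 2>/dev/null && chmod 0400 "$d/keyfiles/home.key"
        printf 'home /dev/sda4 %s/keyfiles/home.key luks\n' "$d" >> "$d/crypttab"
    else
        printf 'home /dev/mapper/home %s/keyfiles/none.key luks\n' "$d" >> "$d/crypttab"
        printf 'aes\ndm-crypt\n' > "$d/modules"
    fi
}
```

Run it on the real system as `check_crypt_config /etc/crypttab /etc/fstab /etc/initramfs-tools/modules` from inside the chroot; a return value of 0 means no findings.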
I hope that will work (it worked perfectly for me and some others)