
Thread: Ubuntu Netbook Remix 9.04 and Whole Disk encryption

  1. #1
    Join Date
    Sep 2006
    Location
    San Antonio, Texas
    Beans
    10
    Distro
    Ubuntu

    Ubuntu Netbook Remix 9.04 and Whole Disk encryption

    I recently installed the beta 9.04 on my Asus EEE 1000HE and I didn't see any way to do whole disk encryption through the installer. I was wondering if anyone knows if 9.04 UNR supports whole disk encryption and if so, are there any good write-ups on it. The info I'm looking for is how to do it and pros/cons.

  2. #2
    Join Date
    Apr 2009
    Beans
    1

    Re: Ubuntu Netbook Remix 9.04 and Whole Disk encryption

    If 9.04 is similar to 8.04, the reason is that encrypted root is only available using the alternate install CD. I hope I am wrong, because one of the things I would like to do is use an encrypted disk with my netbook.

    The following link may be helpful, but it looks a bit painful to me:
    https://help.ubuntu.com/community/En...stemOnIntrepid

    As for pros and cons, I have an encrypted root laptop, and it works great. If there is a performance penalty, I don't sense it.

  3. #3
    Join Date
    May 2008
    Beans
    1

    Re: Ubuntu Netbook Remix 9.04 and Whole Disk encryption

    Hi, I also had a look at 9.04 UNR and it seems it's not possible.

    I'm currently using the LVM+crypted root setup using 8.10 alternate CD and on my Lenovo Ideapad S10e works great (using XFCE as desktop).

    I'll probably try to upgrade my 8.10 using the 9.04 alternate CD, then convert it to something similar to UNR, maybe getting some hints there:

    https://wiki.ubuntu.com/MobileTeam/M...topIntoNetbook

    or similar...

    jco

  4. #4
    Join Date
    Sep 2008
    Beans
    21

    Re: Ubuntu Netbook Remix 9.04 and Whole Disk encryption

    I also need to know how to get encrypted lvm on UNR. I was thinking about just using Fedora to make the encrypted volumes, then try to load up UNR 9.04 to see if I can somehow load up the modules I need and let the installer try to install UNR on the encrypted volumes.

    I'm going to try it in Virtual Box right now.

    Has anyone had any luck with this? Thanks.

  5. #5
    Join Date
    Sep 2008
    Beans
    21

    Re: Ubuntu Netbook Remix 9.04 and Whole Disk encryption

    Good News!

    I'm happy to say that I finally figured it out and now have a Virtual Box image running of UNR with an encrypted filesystem and swap!

    See my next post on how I did it.
    Last edited by LonelyAppleHater; April 30th, 2009 at 06:42 AM.

  6. #6
    Join Date
    Sep 2008
    Beans
    21

    Re: Ubuntu Netbook Remix 9.04 and Whole Disk encryption - Try this technique!

    Ok, I was able to successfully install it again. I couldn't avoid using Fedora 10 to do the encrypted volumes and partitioning for me, as I was tearing my hair out trying to figure out how to do it from the CLI.

    Here were my steps:

    1. Download the Live USB image (or CD) of Fedora 10 and install the image on a USB stick, CD-ROM, whatever your preferred media is.

    2. Install Fedora 10 as you normally would, but make sure you check the box that says "encrypt" when you are formatting your drives. Also, there is a checkmark at the bottom that says "Review and modify partitioning layout", make sure that is checked as well, as you may want to switch your partitions to ext2, add a /home volume, etc. The volume group name should be VolGroup00 and your Logical Volume names should be LogVol00 and LogVol01. **REMEMBER THE PASSWORD TO DECRYPT YOUR DRIVES**

    3. Once the installation is finished, shut down.

    3a. Now download Ubuntu Netbook Remix 9.04 Live USB image and install it to a USB key using Unetbootin, the new USB Startup Disk Creator Utility, etc.

    4. Once booted up, go to Accessories and click the Terminal Application.

    5. Type in the following:
    Code:
    # sudo su -
    # apt-get install lvm2 cryptsetup
    # modprobe dm-crypt
    # modprobe aes
    # cryptsetup luksOpen /dev/sda2 sda2_crypt
    (enter password)
    # vgchange -a y VolGroup00

    Now your encrypted swap and root (and your home if you made a separate /home volume) volumes should show up in the installer.

    Leave this terminal open, as you'll need it for later.

    6. Go ahead and go back to the Favorites tab and start the installer.

    7. When you get to the partitioner, you should see all your encrypted volumes, as well as the sda1 partition. Make the sda1 partition your /boot, and click "New Partition Table" for your volumes and set the mount point and filesystem type. I heard you should use ext2 if you have a netbook with a solid state drive. Otherwise, go nuts.

    8. When the installer finishes, don't reboot the machine just yet. If you do accidentally, just boot from the UNR installer again and do just Step 5 again, but don't run the installer.

    9. Go back to the open terminal window and enter the following:
    Code:
    # mkdir /target
    # mount /dev/mapper/VolGroup00-LogVol00 /target/
    # mount /dev/sda1 /target/boot
    # chroot /target
    # mount -t proc proc /proc
    # mount -t sysfs sys /sys
    # apt-get install lvm2 cryptsetup

    10. Using your favorite text editor (I used nano), enter the following entry in /etc/crypttab:
    Code:
    sda2_crypt     /dev/sda2     none      luks

    11. Now put the following in /etc/initramfs-tools/modules:

    Code:
    aes-i586
    dm-crypt
    dm-mod
    sha256

    12. Now edit /etc/fstab. What you need to do here is comment out or delete the UUID that is associated with your encrypted volumes and put in the actual path for the volume. Apparently, the UUIDs might be wrong, so you need to use the path instead.

    So, for example, it might say in the comment "Was on /dev/mapper/VolGroup00-LogVol00 during installation." You should see the UUID below. So, replace the UUID with /dev/mapper/VolGroup00-LogVol00. Repeat for the encrypted swap volume as well. There's no need to do this for any other partition in the fstab file.

    13. Finally, save and close the fstab file and enter one final command:
    Code:
    # update-initramfs -k all -c

    14. Once that's done, go ahead and reboot and take out your USB key. You now should see UNR magically prompt you for your password and load up your newly encrypted Ubuntu Netbook Remix!

    I've only tried this on Virtual Box so far. Once I get a netbook, I'll report back if it worked, but I don't see why not.

    I hope this works out for some of you. Feel free to take this, repost it, improve on it, etc.

    Good Luck!

  7. #7
    Join Date
    Jul 2006
    Beans
    8

    Re: Ubuntu Netbook Remix 9.04 and Whole Disk encryption

    Thanks LonelyAppleHater for the steps to getting root encrypted. I've done this successfully on my EeePC 702 today and I get the unlock prompt at boot during the splash.

    No need to do 2 installs. Just boot off the Ubuntu Netbook Remix image on a USB stick and in the terminal, repartition your drives with a tool such as cfdisk. Only /boot needs to be un-encrypted - I chose to use only 64Mb for it - though you may want to double that for comfort.

    As my system only has an SSD I chose not to use a swap partition, and I've chosen to format my partitions with ext2 as that reduces the writes. You may want to consider having a swap partition as I believe it would also be used in hibernation.

    Here's an update to step 5 including the command to initially create the crypt'd volume, then use it for LVs. Complete these steps before entering the partitioner in the installer and you won't have to create a new partition table on each LV (step 7) - allowing you to take advantage of the resizing features of LVM.

    Code:
    # sudo -i
    # cfdisk /dev/sda
    ### Create first partition with type 83 (Linux) for /boot
    ### Create second partition with type 8e (Linux LVM) for our encrypted volumes

    Set up the encrypted volume to contain our LVs.
    Code:
    # apt-get install lvm2 cryptsetup
    # modprobe dm-crypt
    # modprobe aes
    # cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/sda2
    # cryptsetup luksOpen /dev/sda2 sda2_crypt
    (enter password)

    Now the encrypted volume is ready - let's use it for Logical Volumes.
    Code:
    # pvcreate /dev/mapper/sda2_crypt
    # vgcreate vg /dev/mapper/sda2_crypt
    # vgchange -a y vg
    # lvcreate -L 3G -n root vg
    # lvcreate -l 100%FREE -n home vg

    Finally format the volumes so the installer partitioner recognizes them. There's no need to format again in the partitioner after this.
    Code:
    # mkfs.ext2 -L boot -M /boot /dev/sda1
    # mkfs.ext2 -L root -M / /dev/vg/root
    # mkfs.ext2 -L home -M /home /dev/vg/home
    Last edited by jinnk; May 1st, 2009 at 11:23 PM. Reason: Add cfdisk step to avoid using Fedora.
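
The cipher, mode and key size passed to `luksFormat` in the post above are recorded in the volume's LUKS header, the same fields `cryptsetup luksDump` reports. The following is an added example, not part of the original post, that reads them from a LUKS1 header with standard tools; the function names and the sample header (including its `sha1` hash field) are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the cipher settings recorded in a LUKS1 header.
# make_sample_header builds a constructed 592-byte header; no real volume is read.

# put FILE OFFSET: write stdin into FILE at byte OFFSET without truncating it.
put() { dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null; }

# field FILE OFFSET LEN: print a NUL-padded text field.
field() { dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'; }

# be32 FILE OFFSET: print a big-endian 32-bit integer.
be32() {
    set -- $(od -An -tu1 -j "$2" -N 4 "$1")
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

make_sample_header() {
    dd if=/dev/zero of="$1" bs=592 count=1 2>/dev/null
    printf 'LUKS\272\276'     | put "$1" 0     # magic "LUKS" 0xBA 0xBE
    printf '\001'             | put "$1" 7     # version 1 (low byte of a 16-bit field)
    printf 'aes'              | put "$1" 8     # cipher name, 32 bytes
    printf 'cbc-essiv:sha256' | put "$1" 40    # cipher mode, 32 bytes
    printf 'sha1'             | put "$1" 72    # hash spec, 32 bytes (constructed)
    printf '\040'             | put "$1" 111   # key bytes = 32 (low byte of 32-bit field)
}

# luks1_summary FILE: print "cipher-mode keybits hash", or fail if not LUKS1.
luks1_summary() {
    magic=$(od -An -tx1 -N 8 "$1" | tr -d ' \n')
    [ "$magic" = 4c554b53babe0001 ] || { echo "not a LUKS1 header" >&2; return 1; }
    printf '%s-%s %s %s\n' "$(field "$1" 8 32)" "$(field "$1" 40 32)" \
        "$(( $(be32 "$1" 108) * 8 ))" "$(field "$1" 72 32)"
}

# luks1_expect FILE SPEC BITS: succeed only if the header records SPEC and BITS.
luks1_expect() {
    set -- "$2" "$3" $(luks1_summary "$1" 2>/dev/null)
    [ "$1" = "$3" ] && [ "$2" = "$4" ]
}

hdr=$(mktemp)
make_sample_header "$hdr"
luks1_summary "$hdr"
rm -f "$hdr"
```
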

  8. #8
    Join Date
    Sep 2008
    Beans
    21

    Re: Ubuntu Netbook Remix 9.04 and Whole Disk encryption

    Thanks jinnk! Now I don't have to fool around with Fedora. I tried to Google on how to set up the encrypted volumes via the CLI, but no luck.

    And I like the cfdisk utility better, too!

    A couple of questions:

    1. I'm planning on getting a netbook with an SSD as well. I know that using swap on the SSD is a bad idea, but can you really just not have a swap at all without any issues? I've seen tutorials where they just change a config file to use the swap space very sparingly, but I haven't heard of not having a swap space at all.

    2. I've seen a couple of posts of people using ext4 on their SSD drives, and said that it improves performance. Is ext4 SSD friendly, or should I just play it safe and stick with ext2?

    Thanks in advance.

  9. #9
    Join Date
    Jul 2006
    Beans
    8

    Re: Ubuntu Netbook Remix 9.04 and Whole Disk encryption

    Good questions LonelyAppleHater. I did a bit of research on both these topics recently and came to the following conclusions.

    The jury is still out on which is the best filesystem for SSDs. Any journaling filesystem will perform more writes, which in theory will wear out the flash storage quicker, however, how soon the flash storage will fail is down to several different factors and still is not clear. There is a trade off between the resilience of journaling and the simplicity of not. I've read that the upcoming BtrFS will address some of the needs of SSDs. I've also read that ReiserFS currently performs well on SSDs. I believe I can live without journaling and so chose the simplest filesystem - ext2, with the thought that if not having journaling becomes a problem there's an easy upgrade path to ext3/4 using the tune2fs tool.

    Swap is not essential for a system to function normally. On small devices the main benefit is being able to hibernate, in which case you need unencrypted swap that has at least as much space as there is RAM. First off, having unencrypted swap compromises the security of having an encrypted system. Additionally, losing this much space on the already conservative SSDs may not be ideal for many folks. Having swap space means the kernel will write to it, which brings us back to the question of how long will the SSD last? Sure you can disable swappiness, but if you're pushing your little netbook to the limit that it needs swap, then perhaps you should consider using a bigger system.

    On my EeePC 702 (8G SSD, 1G RAM) Ubuntu Jaunty NBR runs well without swap. The system responds well with ext2 on an encrypted volume, though if the system were to shutdown ungracefully there would be a rather long fsck on the next boot.

    There are some other tweaks that can be done to improve SSD life - the EeePC Community Ubuntu Docs is a good place to start.

  10. #10
    Join Date
    Nov 2008
    Beans
    74

    Re: Ubuntu Netbook Remix 9.04 and Whole Disk encryption

    Great posts. Hopefully in the near future Ubuntu will integrate whole disk encryption into the GUI installers of every variant of Ubuntu. In this day and age there is no excuse for any operating system to not offer easy-to-use whole disk encryption.

    For whole disk encryption via the command line here is a nice guide from the Linux Mint forums:

    http://forums.linuxmint.com/viewtopic.php?f=42&t=18743

    Quote Originally Posted by wuying_ren
    Updated on 13 Nov 2008: Made some minor corrections.
    Updated on 25 Nov 2008: Made some more minor corrections.

    Hi!

    This is my first howto ever! First of all I would like to advise that all the work has been done by others and all the credits are for them. This howto is just a little summary for those who get confused...or are too lazy. Please, check the links at the end of the post. The intro is mine, but almost all the steps of the howto are based on them.

    I hope many people would find it useful. I think that if you install Ubuntu with the alternate cd, it gives you the possibility of encrypting the root filesystem. But if you use the desktop cd (the LiveCD like Mint's one) you don't have this option, and you can only encrypt a folder onto your /home after installation. Fedora also lets you encrypt the whole system during installation...but we want to install Mint, don't we?

    Some people think encryption is not necessary for the average user, but that's not true. If you lose your laptop, or if anyone steals it, the personal information (yes, last picnic pics included) on it can be used against you. Sometimes we don't realise that we don't protect some personal information at all. Think of it, how many times do you let your browser store your passwords so you don't have to remember them? Is the one for accessing your bank's webpage included? If someone uses your browser and "accidentally" gets to one of these webpages...dangerous, huh? Well, maybe I'm getting paranoid...

    Anyway, encryption is not the holy grail...especially while the computer is running. Encryption will lock your computer and if anyone gets physical access to your computer, it is possible to take the hard drive and connect it to another computer but, if the cipher is good and the password is strong enough, it will take years to decrypt it.

    OK, here is the recipe...I don't want to scare you. It has been tested on Felicia RC1, but it should work in older releases. It will also work if you are dual-booting and also if you have your windows partition encrypted with Truecrypt (Truecrypt bootloader can chainload partitions).

    1 - First of all, make a backup of your data. Then, boot your Mint LiveCD. Make sure you have Internet connection, we need to install a package. Once at the desktop, type on a terminal (press Alt+F2 and type "xterm"):

    Code:
    sudo apt-get install cryptsetup

    2 - OK, now you should fill your hard disk with random data. This will destroy your partition scheme and all your data on the disk. To do this, type:

    Code:
    dd if=/dev/urandom of=/dev/sda

    Change sda for the name of the hard disk you want to use. Use sudo if needed. It can take hours because random data has to be "prepared"...so you can use /dev/zero, which will fill it with zeros instead of random data:

    Code:
    dd if=/dev/zero of=/dev/sda

    Now partition your hard drive as normal. Note that we will need a separate /boot partition (about 50-100 MB) because it's not possible to boot from encrypted partitions. So, for example:

    /dev/sda1 /boot
    /dev/sda2 swap
    /dev/sda3 /
    /dev/sda4 /home

    If you like your actual partition scheme, just make room for /boot (if you don't have it yet) and use dd commands above with them separately so you don't need to repartition.

    3 - Now, we need to load some modules for crypto...things to work

    Code:
    sudo modprobe dm-crypt
    sudo modprobe aes-i586
    4 - It's time to encrypt / and /home partitions. Change XX to the correct parameters as needed and, please, CHECK THEM TWICE...I've lost my data lots of times... Also, don't use the same password for both partitions. If you want, use a shorter password for your /home partition. If you are afraid of forgetting them, use a sentence from a film, or a verse from a song...whatever lets you remember them without having to write them on paper (NEVER do this). Passwords should also be hard to guess, your name, your birthday or names/birthdays from your family do not work here.

    Code:
    sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdXX

    In our example, we will do:

    Code:
    sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3
    Code:
    sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda4

    Remember, /boot is not going to be encrypted. And the swap partition will be "dynamically" encrypted. I mean, we will configure cryptsetup to execute the command above on every boot, so swap will have a random key...so, dd it!

    5 - Now we have two encrypted containers. One in /dev/sda3 and one in /dev/sda4. Once finished, we must open them in order to format them. In our example:

    Code:
    sudo cryptsetup luksOpen /dev/sda3 croot
    Code:
    sudo cryptsetup luksOpen /dev/sda4 chome

    "croot" and "chome" are just names, you can change them if you want. But remember them, they will be used later.

    6 - Format them.

    Code:
    sudo mkfs.ext2 -j /dev/mapper/croot
    sudo mkfs.ext2 -j /dev/mapper/chome

    I warned you, "they will be used later".


    7 - Install as normal. When the installer asks you for partitioning, select "Manual". In our example we should set mountpoints like this:

    /dev/mapper/croot /
    /dev/mapper/chome /home
    /dev/sda1 /boot

    Do nothing with /dev/sda2, /dev/sda3, /dev/sda4. If you have Windows partitions or others like /usr, /var, ... mount them as normal (if you want /usr, /var, to be encrypted proceed as for / and /home).

    Note for Truecrypt users: If you have your windows system partition encrypted with Truecrypt, remember to install grub to /boot. To do this, click "Advanced" on the last step of the installer and type /dev/sdXX (your /boot partition) on the "Install grub to..." field. On our example, we would type /dev/sda1.

    Click "Install", and let it be.

    8 - Once the installation has finished, let the installer know that you want to keep using the LiveCD. We need to work some more.

    Go back to the terminal and create a temporary mountpoint:

    Code:
    cd /mnt
    
    sudo mkdir root

    Mount your / and /boot partitions:

    Code:
    sudo mount -t ext3 /dev/mapper/croot /mnt/root
    
    sudo mount -t ext2 /dev/sda1 /mnt/root/boot

    And chroot onto your new system:

    Code:
    sudo chroot /mnt/root

    We need to mount proc, sys and /dev/pts to get it to work properly:

    Code:
    mount -t proc proc /proc
    
    mount -t sysfs sys /sys
    
    mount -t devpts devpts /dev/pts

    9 - Update your apt and install cryptsetup and initramfs-tools:

    Code:
    apt-get update
    
    apt-get install cryptsetup initramfs-tools

    10 - Finally we need to set up some config files. Remember to change partitions as needed:

    nano /etc/crypttab

    # this line auto-mounts the swap partition at boot and ciphers it with a random key
    cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
    croot /dev/sda3 none luks
    chome /dev/sda4 none luks

    nano /etc/fstab

    Remove the swap line added by the installer and add this:

    /dev/mapper/cswap none swap sw 0 0
    /dev/mapper/croot / ext3 relatime,errors=remount-ro 0 1
    /dev/mapper/chome /home ext3 relatime 0 2

    The lines added by the installer for croot and chome didn't work for me. I think it's because of using UUIDs. So, don't use them.

    nano /etc/initramfs-tools/modules

    dm_mod
    dm_crypt
    sha256_generic
    aes-i586

    11 - Update your initramfs:

    Code:
    update-initramfs -k all -c

    12 - Exit chroot environment (CTRL+D) and umount /boot and /:

    Code:
    umount /mnt/root/boot
    
    umount /mnt/root

    13 - Reboot. You may lose your usplash...I wonder if there's a solution for this...

    Extra (get your /home partition mounted automatically when you log in): (Credits for http://blog.gnist.org/article.php?st...pAndHomeUbuntu)

    14 - Remove entries for chome on /etc/fstab

    15 - Change chome entry on /etc/crypttab to:

    chome /dev/sda4 noauto luks

    16 - Install pam_mount

    Code:
    sudo apt-get install libpam-mount

    (Don't use sudo if you're still on chroot session)

    17 - Update config files as seen:

    nano /etc/security/pam_mount.conf.xml (add it at the end of the file, before </pam_mount>)

    <volume user="yourusername" fstype="crypt" path="/dev/sda4" mountpoint="/home" />

    Note: Don't forget to replace yourusername with...your username

    nano /etc/pam.d/common-auth (add the line at the end of the file)

    auth optional pam_mount.so use_first_pass

    nano /etc/pam.d/common-session (add the line at the end of the file)

    session optional pam_mount.so

    18 - Finally, change your user's password to match the one you put on your /home encrypted partition:

    Code:
    sudo passwd <yourusername>

    Now you will be asked for your / partition password at early boot. Then, you'll logon as normal with your new password and /home will be mounted for you automatically 8)

    If it does not work for any of you, or you have questions, etc just tell me. And I'm sure this howto is full of mistakes, tell me so

    This Howto is based on information from:

    http://blog.gnist.org/article.php?st...pAndHomeUbuntu
    http://www.hacktimes.com/?q=node/48/print
    https://help.ubuntu.com/community/En...ilesystemHowto
    https://help.ubuntu.com/community/En...systemLVMHowto
    http://wiki.archlinux.org/index.php/LUKS_Encrypted_Root
    https://help.ubuntu.com/community/En...stemOnIntrepid
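
Step 10 of the quoted howto edits three files that have to agree with each other: every /dev/mapper name in fstab must be defined in crypttab, swap must sit on a mapped device, and dm-crypt must be listed for the initramfs. The following is an added shell check for that, not part of the original posts; it assumes the howto's non-LVM layout, and `check_fde_config`, `crypttab_entries`, `make_samples` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; the files written by make_samples are constructed samples.

# Print "name device key options" for every crypttab entry.
crypttab_entries() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 3 { print $1, $2, $3, $4 }'
}

# check_fde_config CRYPTTAB FSTAB MODULES
# Prints one finding per line and nothing when the three files agree.
check_fde_config() {
    names=$(crypttab_entries "$1" | awk '{ print $1 }')
    crypttab_entries "$1" | while read -r name dev key opts; do
        case $key in
            /dev/urandom) want=swap ;;  # random key: swap area is rebuilt each boot
            *)            want=luks ;;  # passphrase at boot: LUKS container
        esac
        case ",$opts," in
            *",$want,"*) ;;
            *) echo "crypttab: $name is missing the $want option" ;;
        esac
    done
    sed -e 's/#.*//' "$2" | awk 'NF >= 3 { print $1, $2, $3 }' |
    while read -r dev mnt type; do
        case $dev in
            /dev/mapper/*)
                if ! echo "$names" | grep -qxF "${dev#/dev/mapper/}"; then
                    echo "fstab: $dev has no crypttab entry"
                fi ;;
            *)
                if [ "$type" = swap ]; then
                    echo "fstab: swap on $dev is not encrypted"
                elif [ "$mnt" = / ] || [ "$mnt" = /home ]; then
                    echo "fstab: $mnt is mounted from $dev, not /dev/mapper"
                fi ;;
        esac
    done
    # Module names may be spelled with '-' or '_'.
    if ! sed -e 's/#.*//' -e 's/-/_/g' "$3" | grep -q '^[[:space:]]*dm_crypt[[:space:]]*$'; then
        echo "modules: dm-crypt is not listed for the initramfs"
    fi
}

make_samples() {  # make_samples DIR: consistent files plus one broken fstab
    printf '%s\n' \
        'cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap' \
        'croot /dev/sda3 none luks' \
        'chome /dev/sda4 none luks' > "$1/crypttab"
    printf '%s\n' \
        '/dev/mapper/cswap none swap sw 0 0' \
        '/dev/mapper/croot / ext3 relatime,errors=remount-ro 0 1' \
        '/dev/mapper/chome /home ext3 relatime 0 2' \
        '/dev/sda1 /boot ext2 defaults 0 2' > "$1/fstab.good"
    printf '%s\n' \
        '/dev/sda2 none swap sw 0 0' \
        'UUID=00000000-0000-0000-0000-000000000000 / ext3 relatime 0 1' \
        '/dev/mapper/home /home ext3 relatime 0 2' > "$1/fstab.bad"
    printf '%s\n' dm_mod dm_crypt sha256_generic aes-i586 > "$1/modules"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
check_fde_config "$demo_dir/crypttab" "$demo_dir/fstab.bad" "$demo_dir/modules"
rm -rf "$demo_dir"
```
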
