Page 1 of 9 123 ... LastLast
Results 1 to 10 of 86

Thread: HOWTO: Full encrypted system: root, home, swap

  1. #1
    Join Date
    Jan 2006

    HOWTO: Full encrypted system: root, home, swap

    Ubuntu 5.10 (Breezy Badger) with encrypted Root, Home and Swap
    by Rudá Moura (

    This is the way I did to get an Ubuntu 5.10 (Breezy) with full encrypted file system: root (/), home and swap. Since Ubuntu installer does not support yet this option, this process concerns, first, installing Ubuntu on a temporary partition and then, inside that instalation, preparing all the encrypted partitions for the OS. The old root which I used in the beginning is turnt into a swap partition.

    This fully encrypted filesystem method employs dm-crypt, linux kernel's devmapper and cryptography. The default algorithm is AES (aes-cbc-plain) with 256bits key. Mark that I am not a connoceur on the subject or even a crypto freak, I just can say that this worked for me.

    Part 1: Ubuntu installation

    Install Ubuntu with server profile with the following initial partitioning scheme:

    /dev/hda1 /boot 100 MB ext3
    /dev/hda2 / 512 MB ext3

    Mark that 512 MB is really the shortest size you can set for a server type of installation. A complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, I created two more spaces to hold my future encrypted root and /home partitions, so as the following:

    /dev/hda3 future / 10GB
    /dev/hda4 future /home 30GB

    Set these partitions in the installer option for filesystem as "do not use the partition". Note that it is not absolutely necessary to have an exclusive /home partition, so this is optional since you can have only one partition for a whole encrypted system. Just ignores the alert about not having a swap partition and keep walking.

    Part 2: Cryptography software installation

    Configures your apt to use all the optional repositories which come with Ubuntu. This is done by modifying /etc/apt/sources.list, uncommenting all the “deb” repositories. Since you are on a terminal with no gedit or something like that, you will need a pure text editor such as Vi. If you know how to use it, don't care for the following explanation for begginers: to edit text files on a terminal using the Vi command, follow this example:

    # vi /etc/apt/sources.list

    Press “i” to enter in the INSERT mode, make the alterations, press ESC to enter the COMMAND mode and then press SHIFT+zz (ZZ) to save and quit.

    Just install the following additional packages: crypsetup 1.0.1, hashalot 0.3, initrd-tools 1.78 e cramfsprogs 1.1 with the command:

    # apt-get install cryptsetup hashalot initrd-tools cramfsprogs

    Important: initrd-tools must be updated to 1.78 version, because the original one that comes with Ubuntu has a severe bug which makes it unusable.

    Part 3: Creating the encrypted system

    Now it is time to create the cryptography devices. First, root: choose a trustworthy password, so that you will not end with a weak security implementation. Do not even use your personal login password. Observe that it is hard to change this password later (you would need to re-encrypt the full system again) and this is not explained in this article. The password for /home can be more weak, because it will be stored encrypted inside the file /etc/keys/home (remember that / is being fully encrypted). This is necessary to avoid that /home password would be asked at every boot in order to be mounted.

    # cryptsetup -y create root /dev/hda3
    # sha256 > /etc/keys/home
    # cryptsetup -d /etc/keys/home create home /dev/hda4

    The password for root will be asked twice, but the one for /home will be asked only one time and it does not provide confirmation! The partitions with support for cryptography will be available at /dev/mapper/. Now create the filesystem. I prefer the XFS filesystem (this is the one for high performance boxes created by Silicom Graphics, with no undelete policies and 64bit technology. Also there are not tools for windows which can be used to mount a xfs system – but who cares since now we are going to be encrypted!) You can use any filesystem supported by Ubuntu and the one everyone use is ext3, but that's a matter of taste.

    # mkfs -t xfs /dev/mapper/root
    # mkfs -t xfs /dev/mapper/home

    Now mount the new partitions to /mnt and copy the old root to the new one at /mnt. This will be a perfect copy, preserving data, symbolic links and everything.

    # mount /dev/mapper/root /mnt
    # mkdir /mnt/home
    # mount /dev/mapper/home /mnt/home
    # cp -axv / /mnt

    The copy process took two minutes and a half for a server profile and sixteen for a complete installation. Mount /dev inside /mnt/dev to get access to the devices.

    # mount --bind /dev /mnt/dev

    Part 4: Adjusts inside chroot

    Enter the encrypted system by using the chroot command and mount /boot, /proc and /sys:

    # chroot /mnt
    # mount /boot
    # mount /proc
    # mount /sys

    This step must be done in order to fix a bug in Ubuntu, but do not ask me why..

    # ln -sf /lib/ /lib/

    Edit /etc/crypttab and add the following lines:

    root /dev/hda3
    home /dev/hda4 /etc/keys/home

    Edit /etc/fstab in order to change root to the new mounting point at /dev/mapper/root and add a line for /home. I did it this way:

    /dev/mapper/root / xfs defaults 0 1
    /dev/mapper/home /home xfs defaults 0 2

    Edit /etc/kernel-img.conf and add the following line:

    ramdisk = /usr/sbin/mkinitrd

    Edit /boot/grub/menu.lst, search for kopt and change this line to:

    # kopt=root=/dev/mapper/root devfs=mount ro

    Note that the initial # should NOT be removed!

    Asks it to reconfigure kernel so that it obtains a new file for grub and a new initrd image able to support cryptography.

    # dpkg-reconfigure linux-image-2.6.12-9-386

    This command takes into consideration that the installed kernel is the original one from the installation, but if it is NOT the case, substitute it properly – for example, 686 instead of 386, or any other updated version.

    Part 5: Finishing

    Unmount all chroot file systems, quit chroot and reboot:

    # umount -a
    # exit
    # reboot

    If everything worked fine, your system will ask for the password in order to mount /root and then the boot process will continue. If you type a wrong password the system will not output any alert and will fail drastically, probably with a Kernel Panic.

    Part 6: Encrypted Swap

    This process is like the other we done for /home, but the only difference is that the password will be different for every boot, since it will be read from /dev/random.

    # cryptsetup create swap /dev/hda2

    Type any **** as password, since it will not be used by the user.

    Edit /etc/crypttab and add the line for swap:

    swap /dev/hda2 /dev/random swap

    Edit /etc/fstab and add the file for swap:

    /dev/mapper/swap none swap sw 0 0

    To enable swap immediately:

    # cryptsetup remove swap
    # /etc/init.d/cryptdisks start
    # swapon -a

    From this moment your whole filesystem is encrypted. In order to turn your server instalation into a default and complete one, just do it:

    # apt-get install ubuntu-desktop

    The following sources were checked for writing this article: crypsetup(8), crypttab(5),

    Translation from Brazilian Portuguese to English: Heitor Capovilla (

  2. #2
    Join Date
    Sep 2005
    Oakland, CA, USA
    Ubuntu 7.10 Gutsy Gibbon

    Question Re: HOWTO: Full encrypted system: root, home, swap

    this is awesome! thanks!

    how would i change this if i only wanted to encrypt home directory (/home/user) and swap, but not root ?

    i understand how to do that in theory, but not sure exactly which lines to add, which to change, and which to remove.

    Last edited by sockrebel; February 3rd, 2006 at 06:31 PM.

  3. #3
    Join Date
    Nov 2004
    Dapper Drake

    Re: HOWTO: Full encrypted system: root, home, swap

    Wonderful Howto! Thanks for sharing!
    Linux user #392733
    You want to know what a computer really is, try Linux!

  4. #4
    Join Date
    Dec 2004
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: Full encrypted system: root, home, swap

    Woow amazing howto. Good job.

    Thanks a lot.
    Registered Linux User #371167

  5. #5
    Join Date
    Jan 2005
    Cornville, USA
    Ubuntu 6.06 Dapper

    Re: HOWTO: Full encrypted system: root, home, swap

    I have heard that if I do this on my laptop, I will lose my suspend function because the kernel cannot resume from a suspend to disk from an encypted partion. Can anyone comment? I would love to have full encrytion on my laptop. As a second question, how many people are running this setup?


  6. #6
    Join Date
    Jan 2005
    Ubuntu Breezy 5.10

    Re: HOWTO: Full encrypted system: root, home, swap

    Great guide! If anyone is double booting with Windows there is a good program called FreeOTFE that can mount partitions encrypted under Linux:

    And there is an ext2/3 driver for Windows as well.

    angrylittleman: I am running a similar setup on a desktop machine with encrypted root and swap, but I have no separate home partition.
    "From each according to his ability, to each according to his need"

  7. #7
    Join Date
    May 2005

    Re: HOWTO: Full encrypted system: root, home, swap

    Excellent how-to! Added to Thanks for sharing!

  8. #8
    Join Date
    Jan 2005
    Ubuntu Breezy 5.10

    Re: HOWTO: Full encrypted system: root, home, swap

    Two things to add:

    I am using a swedish keyboard and when I get prompted for the password the swedish key layout is not yet active. Instead the layout is the standard english one. This means that not all the keys are where I expect them to be. Anyone know how to fix this?

    Also, in case somebody doesn't already get this, you need a good password for this to be really secure. This means a long one, say 20 characters, with no real words or names and preferably including numbers, upper-case letters, and other types of characters.

    Of course, that depends on who you are trying to protect yourself against. That is if you are trying to hide your pr0n collection from your mom, this is not a big deal, but if you are a spy or something, it definitely is. In the latter case, you might want to think about using cipher=aes-cbc-essiv:sha256 instead of the defaults although I'm guessing that would mean a slightly increased cpu load.
    "From each according to his ability, to each according to his need"

  9. #9
    Join Date
    Feb 2006

    Re: HOWTO: Full encrypted system: root, home, swap

    I'm interested in storing the encryption keys on a USB thumb drive. I understand this would be pretty easy for /home and obviously swap but it would require an unencrypted root.

    Is there a way to do it with an encrypted root?

  10. #10
    Join Date
    Feb 2006
    Dapper Drake Testing/

    Re: HOWTO: Full encrypted system: root, home, swap

    I have a similar problem like docomo. My German key layout is not loaded when i want to enter my password. In the German keyboard layout Z and Y are exchanged. Is there any possibilty to load a kernek module or something else for german language before asking for the password?
    Last edited by SaLoMoN; February 13th, 2006 at 12:46 PM.

Page 1 of 9 123 ... LastLast


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts