UbuntuHelp:EncryptedFilesystemForFullSystemOnFeisty zz

文章出处:

1. title How to Setup Completely Encrypted System - Ubuntu Feisty

<>

{i} Please refer to for further documentation.

NOTE: this guide was written simply because all other Feisty guides about how to setup full system encrption are not complete. We were unable to setup the system following other guides, so we decided to write our own. This guide was tested many times on several different machines. However, use it at your own risk. By: and Jožko Škrablin, l33t slovenian h4ck3rz :) With small remarks by Rainer Perske, written like this line. Warning: using encryption can cause loss of data in case of disk errors. In some non-democratic countries use of strong encryption is illegal. Use at your own risk. Unfortunately Ubuntu does not have a support for encrypted disks during setup as Debian does. However, since we are using laptops and USB sticks more and more, our data are at constant risk of loss or theft. So there is a need for hard disk encryption support and that need also has a commercial value. We hope Ubuntu creators will recognise this area as a marketing advantage of Linux soon.

目录 []

[] Why?

• Read a story about ;
• Read a story about
• Read a story about laptop Seizures in Sudan

[] How?

We are going to need Ubuntu 7.04 Server. However, this will be desktop installation, we are using server edition just for a basic setup! We are also assuming your hard drive is hda. So let's download first and burn it on a CD. If you do not have a fresh computer, it is good to think about erasing your hard disk before setting up encryption. Erasing is also good because an attacker will be unable to determine how much encrypted data do you have on your hard disk and how much is a free space. However, it can take a lot of time, typical several hours or even days. You can use or dd command:

dd if=/dev/urandom of=/dev/hda bs=16M

In the above command use a block size that divides evenly into the size of your hard drive so that there won't be a partial block left over at the end of your drive that dd wouldn't write to because it couldn't fit an entire block in. For example instead of bs=16M you might need bs=5M. Block sizes of less than 1M may slow down the throughput.

[] First step: instal Ubuntu Server Edition with proper partitions of your hard drive

When your hard drive is ready, put install CD into the CD-ROM unit, boot a computer from a CD and start the installation process. BTW: Because of an unresolved in Feisty Server kernel, installation of server in virtual machines like Vmware and is not successful. But if you use a second virtual hard disk with one partition of 4 GB for the temporary root, you may use this guide with Feisty Desktop. Just replace hda2 with hdb1 in this guide until before you create cswap. Afterwards, you can remove that hard disk from the configuration of your virtual machine. There is also unresolved in the Feisty Server installers, which disables use of slovenian, croatian and some other keyboard layouts. Warning: Be careful when setting in passwords, because at the startup (when you need to enter your master password to access your hard drive) your keyboard uses english layout. When you came to the disk partitioning step, you need to create four partitions:

• partition /boot, 100 Mb - /hda1
• partition temporary root (future cswap), 2 Gb - /hda2
• not used partition (future croot partiton), 10 Gb - /hda3
• not used partition (future chome partiton), all remained size - /hda4

[] Step two: setup the encryption

When installation is finished, and computer reboots, login and become administrator:

sudo su

Load needed modules:

modprobe dm-crypt
modprobe dm-mod
modprobe aes
modprobe sha256

Add modules into /etc/modules to be loaded automatically at the reboot:

echo dm-crypt >> /etc/modules
echo dm-mod >> /etc/modules
echo aes >> /etc/modules
echo sha256 >> /etc/modules

Install cryptsetup package:

apt-get install cryptsetup

[] Step three: setup encrypted root partition

Now format future root partition with luksformat (we are using ext3 file system)//)

luksformat -t ext3 /dev/hda3

You need to type YES and then twice your LUKS password. This password is very important, because you will need it to access your hard drive. It should be good and long enough, and don't forget it! If your password uses upper and lower case letters of the english alphabet and the ten digits, then that's 62 possibilities per character. Six binary bits can encode 64 possibilities, so each character, if it's random, gives about 6 bits of security. You want about 128 bits for good security, so you need about 21 random characters in your password. Words and phrases have surprisingly little randomness, so if you use words or phrases or anything non-random, you need a MUCH longer passphrase. An estimate by Shannon puts english words at about two bits per character, so you would need about sixty characters in your passphrase. Any passphrase that uses a quote from Bartlets quotes or a famous book would be easily broken. Luksformat uses 128-bit key. We can use 256-bit key with the following command - in that case we will need to format it manually later:

sudo cryptsetup --key-size 256 luksFormat /dev/hda3

We get output like that:

  Creating encrypted device on /dev/hda3...
  
  WARNING!
  ========
  This will overwrite data on /dev/hda3 irrevocably.
  
  Are you sure? (Type uppercase yes): YES
  Enter LUKS passphrase: 
  Verify passphrase: 
  Command successful.
  Please enter your passphrase again to verify it
  Enter LUKS passphrase: 
  key slot 0 unlocked.
  Command successful.
  mke2fs 1.40-WIP (14-Nov-2006)
  ...
  ...
  Writing superblocks and filesystem accounting information: done
  
  This filesystem will be automatically checked every 39 mounts or
  180 days, whichever comes first.  Use tune2fs -c or -i to override.

Now let's mount new crypto partition as croot:

cryptsetup luksOpen /dev/hda3 croot

We need to enter our LUKS password, and crypto partition is mounted:

  Enter LUKS passphrase: 
  key slot 0 unlocked.
  Command successful.

If we did not used luksformat, we need to format new partition manually right now:

sudo mkfs.ext3 /dev/mapper/croot

Now mount it to the /mnt:

mount /dev/mapper/croot /mnt

[] Step four: prepare encrypted system

Now copy system on this new crypto partition (this can take a few minutes, you can use -v switch in cp command for verbose output):

cd /mnt
cp -xa / .

Chroot into the new system:

cd /
mount --bind proc mnt/proc
mount --bind sys mnt/sys
mount --bind dev mnt/dev
chroot /mnt

Mount /boot partition:

mount /dev/hda1 boot

Edit /etc/crypttab (last two entries should remain commented FOR NOW!):

nano etc/crypttab

Crypttab should look like this:

  #                     
  croot             /dev/hda3            none                 luks
  #cswap             /dev/hda2            /dev/urandom         swap
  #chome             /dev/hda4            /etc/keys/home.key   luks

Edit /etc/fstab (entries for cswap and chome should remain commenter FOR NOW!):

nano /etc/fstab

First comment active root entry (Don't forget this!). Then add:

  /dev/mapper/croot       /       ext3    defaults,errors=remount-ro      0      1
  #/dev/mapper/cswap       none    swap    sw      0       0
  #/dev/mapper/chome       /home   ext3    defaults        0       2

File /etc/fstab now should look like this (UUID's are symbolic)

  # /etc/fstab: static file system information.
  #
  #                
  proc            /proc           proc    defaults        0       0
  # /dev/hda2
  #UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e /               ext3    defaults,errors=remount-ro 0       1
  /dev/mapper/croot       /       ext3    defaults,errors=remount-ro      0      1
  # /dev/mapper/cswap       none    swap    sw      0       0
  # /dev/mapper/chome       /home   ext3    defaults        0       2
  # /dev/hda1
  UUID=2fca8417-07de-4a7b-a8cb-4cfeddc89c7d /boot           ext3    defaults        0       2
  /dev/hdc        /media/cdrom0   udf,iso9660 user,noauto     0       0
  /dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

Make a key for encrypted home:

cd etc/keys
dd if=/dev/urandom of=home.key bs=1K count=1

Key will be stored on /etc/keys. Because of this you will see a warning at the boot time (INSECURE MODE FOR /etc/home/key). However, key is stored on encrypted root, so it is not so much unsecure. BTW: you can mount chome by typing password, but you will need to change /etc/crypttab entry. Now the important part - make new initrd script (this will take a few minutes):

cd /boot
update-initramfs -u

Now we need to repair Grub menu (look for kernel and add /dev/mapper/croot):

nano /boot/grub/menu.lst

Change menu entry like this:

  title           Ubuntu, kernel 2.6.20-15-server
  root            (hd0,0)
  kernel          /vmlinuz-2.6.20-15-server root=/dev/mapper/croot ro quiet nosplash
  initrd          /initrd.img-2.6.20-15-server
  quiet
  savedefault

To avoid further repairs of this file, also change two commented lines in the same file: Replace UUID=some-long-uuid-string with /dev/mapper/croot in the line # kopt=root=UUID=some-long-uuid-string ro Replace splash with nosplash in the line beginning with # defoptions=quiet splash Keep the comment sign at the beginning of these lines! Additional info by MatejKovačič: after upgrade to Gutsy and update of it, splash screen enables to enter LUKS passwords. Reboot the system:

• press Ctrl-D to exit chroot enviroment

reboot

[] Step five: encrypted home and swap

At the very beginnig of the boot process you will get this text:

  Starting up ...
  Loading, please wait...
  Setting up cryptographic volume croot (based on /dev/hda3)
  Enter LUKS passphrase: 

Enter your LUKS password (for croot), log-in and become administrator:

sudo su

You can rewrite old root partition with random data if you like (this can take a long time):

dd if=/dev/urandom of=/dev/hda2 bs=16M

If you do not do this, you need to format this partition with swap filesystem (if not, cswap will not mount at reboot):

mkswap /dev/hda2 

Now there is again a in Foobuntu, I mean Ubuntu, which can be easily solved by typing this command:

mkdir /dev/.static/dev/mapper

Now let's format future /home partition. For now we are using a passphrase and not a keyfile:

luksformat -t ext3 /dev/hda4

Mount this new partition (we need to enter LUKS password):

cryptsetup luksOpen /dev/hda4 chome
mount /dev/mapper/chome /mnt

Create user's directory for the current user (n my case for the user "matej"):

cd /mnt
mkdir matej
chown matej.matej matej

Add a keyfile to this crypto partition:

cryptsetup luksAddKey /dev/hda4 /etc/keys/home.key

(We can remove first passphrase with cryptsetup luksDelKey command.) Now uncomment cswap and chome entries in /etc/crypttab:

nano /etc/crypttab

Uncomment also cswap and chome entries in /etc/fstab.

nano /etc/fstab

Reboot the system:

reboot

[] Step six: enter fully encrypted system and setup desktop

After reboot log-in and check if crypto partitions are mounted:

ls /dev/mapper

We should get something like this:

  chome  control  croot  cswap

Check the swap space:

cat /proc/swaps

We should get something like this:

  Filename                                Type            Size    Used    Priority
  /dev/mapper/cswap                       partition       1951888 0       -1

Now comment CD-ROM source in APT sources.list:

sudo nano /etc/apt/sources.list

Comment this:

# deb cdrom:[Ubuntu-Server 7.04 _Feisty Fawn_ - Release i386 (20070415)]/ feisty main restricted

Install Ubuntu desktop:

sudo apt-get update
sudo apt-get install ubuntu-desktop

You will need to configure X server (very easy, you need only to check the supported resolutions for your screen). Now we can install generic kernel if we like:

sudo apt-get install linux-image-generic

After reboot your system will start in a graphic mode. Now we remove old server kernel...

sudo apt-get remove --purge linux-image-2.6.20-15-server linux-image-server linux-server

[] Conclusion

That's it. Now you have fully encrypted system (except /boot partition of course) and your system is using advanced LUKS encryption. You can add or delete (an therefore change) keys (passwords). You can mount your LUKS formatted partitions in other Linux or even Windows systems (for Windows, you need a program and drivers for ext3). However:

• full system encryption protects you only against offline attack (on-line attacker can still hack your system and access your data);
• be caferul for your password (and use good password!);
• do your backups regulary (if possible on encrypted media or in a safe place - BTW: LUKS formatted media can be easily mounted in Gnome. When you connect encrypted USB drive, you get fancy pop-up to enter your password and encrypted partition is magically automounted when right password provided)
• be aware of possible attacka on /boot partition or hardware (someone can install you a keyboard sniffer program to /boot partition, keyboard sniffing device (), , hacked USB device, hacked firewire device, etc.

But generally everything should work fine, just don't forget to repair Grub menu after each kernel upgrade/update. If you forget to do it, don't panic, you can do it during boot process - at boot time press Esc to enter Grub menu, then press e (to edit), select "kernel line" and press e again. Then edit the line, press enter and b to boot. This change is not saved, so you need to repair Grub menu after sucessfull boot manually. P. S. If you find this guide useful, please .

Dear Matej and Jožko, I found it extremely useful, thus I dared to enhance this page as given above. Feel free to incorporate my ideas as if they were your own. Rainer Perske Thanks for update - we tested it, and it is working. However, as mentioned, in new Gutsy with updates splash screen is working. Matej Kovačič