“UbuntuHelp:EncryptedFilesystemHowto8”的版本间的差异

2007年11月30日 (五) 17:07的版本

文章出处:

https://help.ubuntu.com/community/EncryptedFilesystemHowto8

点击翻译:

English

请不要直接编辑翻译本页，本页将定期与来源同步。

How to Setup Completely Encrypted System - Ubuntu Feisty

NOTE: this guide was written simply because all other guides about how to setup full system encrption are not complete. We were unable to setup the system following other guides, so we decided to write our own. This guide was tested many times on several different machines. However, use it at your own risk. By: Matej Kovačič and Jožko Škrablin, l33t slovenian h4ck3rz :) With small remarks by Rainer Perske, written like this line. Warning: using encryption can cause loss of data in case of disk errors. In some non-democratic countries use of strong encryption is illegal. Use at your own risk. Unfortunately Ubuntu does not have a support for encrypted disks during setup as Debian does. However, since we are using laptops and USB sticks more and more, our data are at constant risk of loss or theft. So there is a need for hard disk encryption support and that need also has a commercial value. We hope Ubuntu creators will recognise this area as a marketing advantage of Linux soon.

Why?

Read a story about Autistici and Inventati case;
Read a story about laptop border searches in USA
Read a story about laptop Seizures in Sudan

How?

We are going to need Ubuntu 7.04 Server. However, this will be desktop installation, we are using server edition just for a basic setup! We are also assuming your hard drive is hda. So let's download ubuntu-7.04-server-i386.iso first and burn it on a CD. If you do not have a fresh computer, it is good to think about erasing your hard disk before setting up encryption. Erasing is also good because an attacker will be unable to determine how much encrypted data do you have on your hard disk and how much is a free space. However, it can take a lot of time, typical several hours or even days. You can use DBAN tool or dd command:

dd if=/dev/urandom of=/dev/hda bs=16M

First step: instal Ubuntu Server Edition with proper partitions of your hard drive

When your hard drive is ready, put install CD into the CD-ROM unit, boot a computer from a CD and start the installation process. BTW: Because of an unresolved bug No. 71594 in Feisty Server kernel, installation of server in virtual machines like Vmware and VirtualBox is not successful. But if you use a second virtual hard disk with one partition of 4 GB for the temporary root, you may use this guide with Feisty Desktop. Just replace hda2 with hdb1 in this guide until before you create cswap. Afterwards, you can remove that hard disk from the configuration of your virtual machine. There is also unresolved bug No. 68843 in the Feisty Server installers, which disables use of slovenian, croatian and some other keyboard layouts. Warning: Be careful when setting in passwords, because at the startup (when you need to enter your master password to access your hard drive) your keyboard uses english layout. When you came to the disk partitioning step, you need to create four partitions:

partition /boot, 100 Mb - /hda1
partition temporary root (future cswap), 2 Gb - /hda2
not used partition (future croot partiton), 10 Gb - /hda3
not used partition (future chome partiton), all remained size - /hda4

Step two: setup the encryption

When installation is finished, and computer reboots, login and become administrator:

sudo su

Load needed modules:

modprobe dm-crypt
modprobe dm-mod
modprobe aes
modprobe sha256

Add modules into /etc/modules to be loaded automatically at the reboot:

echo dm-crypt >> /etc/modules
echo dm-mod >> /etc/modules
echo aes >> /etc/modules
echo sha256 >> /etc/modules

Install cryptsetup package:

apt-get install cryptsetup

Step three: setup encrypted root partition

Now format future root partition with luksformat (we are using ext3 file system)//)

luksformat -t ext3 /dev/hda3

You need to type YES and then twice your LUKS password. This password is very important, because you will need it to access your hard drive. It should be good and long enough, and don't forget it! Luksformat uses 128-bit key. We can use 256-bit key with the following command - in that case we will need to format it manually later:

sudo cryptsetup --key-size 256 luksFormat /dev/hda3

We get output like that:

Creating encrypted device on /dev/hda3...
WARNING!
========
This will overwrite data on /dev/hda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: 
Verify passphrase: 
Command successful.
Please enter your passphrase again to verify it
Enter LUKS passphrase: 
key slot 0 unlocked.
Command successful.
mke2fs 1.40-WIP (14-Nov-2006)
...
...
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 39 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

Now let's mount new crypto partition as croot:

cryptsetup luksOpen /dev/hda3 croot

We need to enter our LUKS password, and crypto partition is mounted:

Enter LUKS passphrase: 
key slot 0 unlocked.
Command successful.

If we did not used luksformat, we need to format new partition manually right now:

sudo mkfs.ext3 /dev/mapper/croot

Now mount it to the /mnt:

mount /dev/mapper/croot /mnt

Step four: prepare encrypted system

Now copy system on this new crypto partition (this can take a few minutes, you can use -v switch in cp command for verbose output):

cd /mnt
cp -xa / .

Chroot into the new system:

cd /
mount --bind proc mnt/proc
mount --bind sys mnt/sys
mount --bind dev mnt/dev
chroot /mnt

Mount /boot partition:

mount /dev/hda1 boot

Edit /etc/crypttab (last two entries should remain commented FOR NOW!):

nano etc/crypttab

Crypttab should look like this:

# <target name>   <source device>      <key file>           <options>
croot             /dev/hda3            none                 luks
#cswap             /dev/hda2            /dev/urandom         swap
#chome             /dev/hda4            /etc/keys/home.key   luks

Edit /etc/fstab (entries for cswap and chome should remain commenter FOR NOW!):

nano /etc/fstab

First comment active root entry (Don't forget this!). Then add:

/dev/mapper/croot       /       ext3    defaults,errors=remount-ro      0      1
#/dev/mapper/cswap       none    swap    sw      0       0
#/dev/mapper/chome       /home   ext3    defaults        0       2

File /etc/fstab now should look like this (UUID's are symbolic)

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# /dev/hda2
#UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e /               ext3    defaults,errors=remount-ro 0       1
/dev/mapper/croot       /       ext3    defaults,errors=remount-ro      0      1
# /dev/mapper/cswap       none    swap    sw      0       0
# /dev/mapper/chome       /home   ext3    defaults        0       2
# /dev/hda1
UUID=2fca8417-07de-4a7b-a8cb-4cfeddc89c7d /boot           ext3    defaults        0       2
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

Make a key for encrypted home:

cd etc/keys
dd if=/dev/urandom of=home.key bs=1K count=1

Key will be stored on /etc/keys. Because of this you will see a warning at the boot time (INSECURE MODE FOR /etc/home/key). However, key is stored on encrypted root, so it is not so much unsecure. BTW: you can mount chome by typing password, but you will need to change /etc/crypttab entry. Now the important part - make new initrd script (this will take a few minutes):

cd /boot
update-initramfs -u

Now we need to repair Grub menu (look for kernel and add /dev/mapper/croot):

nano /boot/grub/menu.lst

Change menu entry like this:

title           Ubuntu, kernel 2.6.20-15-server
root            (hd0,0)
kernel          /vmlinuz-2.6.20-15-server root=/dev/mapper/croot ro quiet nosplash
initrd          /initrd.img-2.6.20-15-server
quiet
savedefault

To avoid further repairs of this file, also change two commented lines: Replace UUID=some-long-uuid-string with /dev/mapper/croot in the line # kopt=root=UUID=some-long-uuid-string ro Replace splash with nosplash in the line beginning with # defoptions=quiet splash Keep the comment sign at the beginning of these lines! Reboot the system:

press Ctrl-D to exit chroot enviroment

reboot

Step five: encrypted home and swap

At the very beginnig of the boot process you will get this text:

Starting up ...
Loading, please wait...
Setting up cryptographic volume croot (based on /dev/hda3)
Enter LUKS passphrase:

Enter your LUKS password (for croot), log-in and become administrator:

sudo su

You can rewrite old root partition with random data if you like (this can take a long time):

dd if=/dev/urandom of=/dev/hda2 bs=16M

If you do not do this, you need to format this partition with swap filesystem (if not, cswap will not mount at reboot):

mkswap /dev/hda2

Now there is again a nasty bug No. 105266 in Foobuntu, I mean Ubuntu, which can be easily solved by typing this command:

mkdir /dev/.static/dev/mapper

Now let's format future /home partition. For now we are using a passphrase and not a keyfile:

luksformat -t ext3 /dev/hda4

Mount this new partition (we need to enter LUKS password):

cryptsetup luksOpen /dev/hda4 chome
mount /dev/mapper/chome /mnt

Create user's directory for the current user (n my case for the user "matej"):

cd /mnt
mkdir matej
chown matej.matej matej

Add a keyfile to this crypto partition:

cryptsetup luksAddKey /dev/hda4 /etc/keys/home.key

(We can remove first passphrase with cryptsetup luksDelKey command.) Now uncomment cswap and chome entries in /etc/crypttab:

nano /etc/crypttab

Uncomment also cswap and chome entries in /etc/fstab.

nano /etc/fstab

Reboot the system:

reboot

Step six: enter fully encrypted system and setup desktop

After reboot log-in and check if crypto partitions are mounted:

ls /dev/mapper

We should get something like this:

chome  control  croot  cswap

Check the swap space:

cat /proc/swaps

We should get something like this:

Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       1951888 0       -1

Now comment CD-ROM source in APT sources.list:

sudo nano /etc/apt/sources.list

Comment this:

# deb cdrom:[Ubuntu-Server 7.04 _Feisty Fawn_ - Release i386 (20070415)]/ feisty main restricted

Install Ubuntu desktop:

sudo apt-get update
sudo apt-get install ubuntu-desktop

You will need to configure X server (very easy, you need only to check the supported resolutions for your screen). Now we can install generic kernel if we like:

sudo apt-get install linux-image-generic

Before reboot we need to repair Grub menu manually (another stupid bug! - we MUST do this after EVERY kernel upgrade): This repair is perhaps not necessary if you changed the commented lines as said above. But I did not test it thoroughly, don't rely on this remark; please check it.

sudo nano /boot/grub/menu.lst

Repair this: root=/dev/mapper/croot and nosplash.

title           Ubuntu, kernel 2.6.20-16-generic
root            (hd0,0)
kernel          /vmlinuz-2.6.20-16-generic root=/dev/mapper/croot ro quiet nosplash
initrd          /initrd.img-2.6.20-16-generic
quiet
savedefault

After reboot your system will start in a graphic mode. Now we remove old server kernel...

sudo apt-get remove --purge linux-image-2.6.20-15-server linux-image-server linux-server

...and repair Grub menu AGAIN. ... if necessary

Conclusion

That's it. Now you have fully encrypted system (except /boot partition of course) and your system is using advanced LUKS encryption. You can add or delete (an therefore change) keys (passwords). You can mount your LUKS formatted partitions in other Linux or even Windows systems (for Windows, you need a program FreeOTFE and drivers for ext3). However:

full system encryption protects you only against offline attack (on-line attacker can still hack your system and access your data);
be caferul for your password (and use good password!);
do your backups regulary (if possible on encrypted media or in a safe place - BTW: LUKS formatted media can be easily mounted in Gnome. When you connect encrypted USB drive, you get fancy pop-up to enter your password and encrypted partition is magically automounted when right password provided)
be aware of possible attacka on /boot partition or hardware (someone can install you a keyboard sniffer program to /boot partition, keyboard sniffing device (hardware keylogger), PCI Rootkit, hacked USB device, hacked firewire device, etc.

But generally everything should work fine, just don't forget to repair Grub menu after each kernel upgrade/update. If you forget to do it, don't panic, you can do it during boot process - at boot time press Esc to enter Grub menu, then press e (to edit), select "kernel line" and press e again. Then edit the line, press enter and b to boot. This change is not saved, so you need to repair Grub menu after sucessfull boot manually. P. S. If you find this guide useful, please let us know. Dear Matej and Jožko, I found it extremely useful, thus I dared to enhance this page as given above. Feel free to incorporate my ideas as if they were your own. Rainer Perske

个人工具

“UbuntuHelp:EncryptedFilesystemHowto8”的版本间的差异 - Ubuntu中文

搜索

导航

编辑

工具