EncryptedFilesystem

From the Ubuntu Chinese wiki

Encrypted Root and Swap with LUKS (on Ubuntu 6.06)

by Mikhail Lukyanchenko < [email protected] >

License: Creative Commons Attribution-ShareAlike 2.0, GNU Free Documentation License

Translator: yusy

Proofreader:

Contributors:

Applies to: Ubuntu 6.06


Introduction

This is how I set up Ubuntu 6.06 (Dapper Drake) with a fully encrypted file system: root (/) and swap. Since the Ubuntu installer does not yet support this option, the process consists of first installing Ubuntu on a temporary partition and then, from inside that installation, preparing the encrypted partitions for the OS. The old root partition used at the start is turned into the swap partition at the end.

Notes

In this tutorial we assume that:

  • the old (unencrypted) and the new (encrypted) swap are in the partition '/dev/hda2'
  • the new root (encrypted) is in the partition '/dev/hda3'

Replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted root partition.

Warnings

Encrypting a partition is a destructive operation, so your new root partition (/dev/hda3) must be empty: all data on it will be erased.

Also be warned that this HOWTO is in a beta state. I would not recommend using it on a production system, but it would be greatly appreciated if you test it and send me some feedback.

Ubuntu installation

Note that you should install a server profile at this step even if you need a desktop profile in the end. The switch between the two profiles is made later on.

Install Ubuntu with the following initial partitioning scheme:

/dev/hda1   /boot  100 MB   ext3
/dev/hda2   /      512 MB   ext3

Note that 512 MB is really the smallest size you can use for a server-type installation; a complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, create one more partition to hold your future encrypted root, as follows:

/dev/hda3   future   /        10GB

In the installer, set the filesystem option for this partition to "do not use the partition". Ignore the alert about not having a swap partition and keep going.

Cryptography software installation

Configure apt to use all the optional repositories that come with Ubuntu. This is done by editing /etc/apt/sources.list and uncommenting all the "deb" lines.

After adding the repositories, don't forget to update so that the packages below become available:

$ sudo apt-get update
$ sudo apt-get install cryptsetup hashalot initramfs-tools

Setting up mkinitramfs

Edit /etc/kernel-img.conf and add the following line:

ramdisk = /usr/sbin/mkinitramfs

Edit /etc/mkinitramfs/modules and add the following lines:

dm_mod
dm_crypt
sha256
aes_i586

Create the file /etc/mkinitramfs/hooks/cryptoroot:

#!/bin/sh
# initramfs-tools hook: copies cryptsetup, the console keymap and the
# tools needed to prompt for the passphrase into the initramfs image.
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# nothing to do if cryptsetup is not installed
if [ ! -x /sbin/cryptsetup ]; then
    exit 0
fi
. /usr/share/initramfs-tools/hook-functions
# keymap, so the passphrase is typed with the right keyboard layout
mkdir -p ${DESTDIR}/etc/console
cp /etc/console/boottime.kmap.gz ${DESTDIR}/etc/console
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin

Create the file /etc/mkinitramfs/scripts/local-top/cryptoroot:

#!/bin/sh
# initramfs-tools local-top script: unlocks the LUKS root device before
# the root file system is mounted.
PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac
/bin/loadkeys /etc/console/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256
# with a bootsplash active, switch to a text console for the prompt
if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi
# prompts for the passphrase and creates /dev/mapper/cryptoroot
/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot

TODO: find a way to switch back to the bootsplash after the password prompt.
(Translator's note: I did not follow this step myself, so I am not sure what this sentence refers to. -- yusy)

Make the created files executable:

$ sudo chmod +x /etc/mkinitramfs/hooks/cryptoroot
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptoroot

Update the initrd image:

$ sudo update-initramfs -u ALL
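Before rebooting it is worth confirming that the image really contains what the hook copied in. The following check is an added example, not part of the original HOWTO; it assumes a gzip-compressed cpio initrd (what mkinitramfs produces), and the module file names dm-mod.ko, dm-crypt.ko, aes-i586.ko and sha256.ko are assumptions about the kernel build.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): list the members of the freshly
# built initramfs and confirm that everything the cryptoroot hook copies
# in is present, plus the modules named in /etc/mkinitramfs/modules.
# An image missing any of these cannot run the luksOpen step at boot.

# Exact member paths, as placed by the hook script (copy_exec targets
# and the keymap copied into ${DESTDIR}/etc/console).
REQUIRED_FILES="sbin/cryptsetup bin/loadkeys bin/chvt etc/console/boottime.kmap.gz scripts/local-top/cryptoroot"

# Module object basenames (assumed; modprobe spells dm_crypt but the
# file is dm-crypt.ko). A module built into the kernel will not appear.
REQUIRED_MODULES='dm-mod\.ko dm-crypt\.ko aes-i586\.ko sha256\.ko'

# list_initramfs IMAGE -> one member path per line (gzip-compressed cpio)
list_initramfs() {
    zcat "$1" | cpio -t --quiet
}

# check_listing LISTING -> 0 if every required member is present, else 1;
# missing entries are reported on stderr
check_listing() {
    listing=$1 rc=0
    for f in $REQUIRED_FILES; do
        # cpio prints members either as "path" or as "./path"
        if ! printf '%s\n' "$listing" | grep -qx -e "$f" -e "./$f"; then
            echo "missing file: $f" >&2
            rc=1
        fi
    done
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$listing" | grep -q "/$m\$"; then
            echo "missing module: $m" >&2
            rc=1
        fi
    done
    return $rc
}

# check_initramfs IMAGE -> the same check run against an image on disk
check_initramfs() {
    check_listing "$(list_initramfs "$1")"
}

# Usage: sh check_initramfs.sh /boot/initrd.img-$(uname -r)
if [ $# -gt 0 ]; then
    check_initramfs "$1" && echo "$1 contains the cryptoroot pieces"
fi
```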

Creating the encrypted system

Now it is time to create the cryptographic devices.

$ sudo modprobe dm_crypt
$ sudo modprobe sha256
$ sudo modprobe aes_i586
$ sudo luksformat -t ext3 /dev/hda3

The dialog should look like this:

Creating encrypted device on /dev/hda3...
WARNING!
========
This will overwrite data on /dev/hda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Please enter your passphrase again to verify it
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mke2fs 1.38 (30-Jun-2005)
.....

Your encrypted partition is now created and formatted. It's time to populate it:

$ sudo cryptsetup luksOpen /dev/hda3 cryptoroot
$ sudo mkdir /mnt/target
$ sudo mount /dev/mapper/cryptoroot /mnt/target
$ sudo cp -avx / /mnt/target
$ sudo chown -R $(whoami):$(whoami) /mnt/target/home/$(whoami)

The copy should take about two minutes for a server profile (depending on your hardware).

Then you need to correct /mnt/target/etc/fstab.

Find

/dev/hda2                      /               ext3    defaults,errors=remount-ro 0       1

Replace with

/dev/mapper/cryptoroot        /               ext3    defaults,errors=remount-ro 0       1

Configuring Grub

Edit /boot/grub/menu.lst and add the following after the line containing ### END DEBIAN AUTOMAGIC KERNELS LIST:

title           Cryptotest
root            (hd0,0)
kernel          /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro
initrd          /initrd.img-<your kernel version here>
savedefault
boot

You can find your kernel version by running:

$ uname -r

Rebooting and testing configuration

As simple as it should be:

$ sudo reboot

Now, after all your BIOS mumbo-jumbo, watch very carefully, and when you see the following prompt:

GRUB Loading stage 1.5.
GRUB Loading, please wait...
Press `ESC` to enter the menu

press ESC and select the last option, namely "Cryptotest".

Now you will see lots of kernel debugging output, since we didn't add the quiet option to the kernel options. That's fine.


At some point you will see the prompt:

Enter LUKS passphrase:

Go on, enter it. You have now booted from the encrypted partition.


If something goes Very Wrong Way (tm), don't panic. You still have the unencrypted partition to boot from.

Finishing

Let's enable the swap partition.

Edit /etc/crypttab:

cryptoswap      /dev/hda2       /dev/urandom    swap

Edit /etc/fstab and add the following line:

/dev/mapper/cryptoswap  none    swap    sw      0       0

Then activate the new swap:

$ sudo invoke-rc.d cryptdisks restart
$ sudo swapon /dev/mapper/cryptoswap

Edit /boot/grub/menu.lst and remove the lines you previously added after the line containing ### END DEBIAN AUTOMAGIC KERNELS LIST.

In the same file, find the line containing

# kopt=root=/dev/hda2 ro

Change this to

# kopt=root=/dev/mapper/cryptoroot ro

Run

$ sudo update-grub
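After these edits the root device in /etc/fstab, the root= value in the kopt line and the /etc/crypttab mappings must agree, otherwise the default grub entry still boots the old unencrypted root or the swap mapping is never set up. The following cross-check is an added example, not from the HOWTO; its function names are hypothetical, and it treats the root mapping as exempt from crypttab because the initramfs local-top script above opens it.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): cross-check the files edited in
# the finishing step. The device fstab mounts on / must be the one grub
# passes as root= in its "# kopt=" magic comment, and every /dev/mapper
# device in fstab other than root (opened by the initramfs script) must
# have a mapping defined in crypttab so that cryptdisks sets it up.

# fstab_device FSTAB MOUNTPOINT -> device column of the entry for MOUNTPOINT
fstab_device() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1; exit }' "$1"
}

# grub_kopt_root MENU_LST -> value of root= from the "# kopt=" line
grub_kopt_root() {
    sed -n 's/^# kopt=.*root=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# crypttab_has CRYPTTAB NAME -> 0 if NAME is defined as a mapping
crypttab_has() {
    awk -v n="$2" '$1 !~ /^#/ && $1 == n { found = 1 } END { exit !found }' "$1"
}

# check_boot_config FSTAB CRYPTTAB MENU_LST -> 0 if consistent, else 1
check_boot_config() {
    fstab=$1 crypttab=$2 menu=$3 rc=0
    root_fs=$(fstab_device "$fstab" /)
    root_grub=$(grub_kopt_root "$menu")
    if [ -z "$root_fs" ] || [ "$root_fs" != "$root_grub" ]; then
        echo "root mismatch: fstab=$root_fs kopt=$root_grub" >&2
        rc=1
    fi
    # mapper devices other than root need a crypttab entry
    for dev in $(awk '$1 ~ /^\/dev\/mapper\// && $2 != "/" { print $1 }' "$fstab"); do
        name=${dev#/dev/mapper/}
        if ! crypttab_has "$crypttab" "$name"; then
            echo "no crypttab entry for $name ($dev in fstab)" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_boot_config.sh /etc/fstab /etc/crypttab /boot/grub/menu.lst
if [ $# -eq 3 ]; then
    check_boot_config "$1" "$2" "$3" && echo "fstab, crypttab and menu.lst agree"
fi
```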

Now you have an operational server profile with encrypted root and swap. If what you need is a desktop profile (i.e. a complete graphical environment such as Gnome or KDE and lots of applications), you can install it now with a single command:

$ sudo apt-get install ubuntu-desktop

Replace ubuntu-desktop with kubuntu-desktop, xubuntu-desktop or edubuntu-desktop according to your needs.

That's all. Finished.



Source: the official wiki
Article status: awaiting proofreading