UbuntuHelp:EncryptedFilesystemForFullSystemOnFeisty
来自Ubuntu中文
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
- title How to Setup Completely Encrypted System - Ubuntu Feisty
<<Include(Tag/Unsupported)>>
| {i} Please refer to EncryptedFilesystems for further documentation. |
NOTE: this guide was written simply because all other Feisty guides about how to setup full system encrption are not complete. We were unable to setup the system following other guides, so we decided to write our own. This guide was tested many times on several different machines. However, use it at your own risk. By: Matej Kovačič and Jožko Škrablin, l33t slovenian h4ck3rz :) With small remarks by Rainer Perske, written like this line. Warning: using encryption can cause loss of data in case of disk errors. In some non-democratic countries use of strong encryption is illegal. Use at your own risk. Unfortunately Ubuntu does not have a support for encrypted disks during setup as Debian does. However, since we are using laptops and USB sticks more and more, our data are at constant risk of loss or theft. So there is a need for hard disk encryption support and that need also has a commercial value. We hope Ubuntu creators will recognise this area as a marketing advantage of Linux soon.
目录
- 1 Why?
- 2 How?
- 2.1 First step: instal Ubuntu Server Edition with proper partitions of your hard drive
- 2.2 Step two: setup the encryption
- 2.3 Step three: setup encrypted root partition
- 2.4 Step four: prepare encrypted system
- 2.5 Step five: encrypted home and swap
- 2.6 Step six: enter fully encrypted system and setup desktop
- 3 Conclusion
Why?
- Read a story about Autistici and Inventati case;
- Read a story about laptop border searches in USA
- Read a story about laptop Seizures in Sudan
How?
We are going to need Ubuntu 7.04 Server. However, this will be desktop installation, we are using server edition just for a basic setup! We are also assuming your hard drive is hda. So let's download ubuntu-7.04-server-i386.iso first and burn it on a CD. If you do not have a fresh computer, it is good to think about erasing your hard disk before setting up encryption. Erasing is also good because an attacker will be unable to determine how much encrypted data do you have on your hard disk and how much is a free space. However, it can take a lot of time, typical several hours or even days. You can use DBAN tool or dd command:
dd if=/dev/urandom of=/dev/hda bs=16M
In the above command use a block size that divides evenly into the size of your hard drive so that there won't be a partial block left over at the end of your drive that dd wouldn't write to because it couldn't fit an entire block in. For example instead of bs=16M you might need bs=5M. Block sizes of less than 1M may slow down the throughput.
First step: instal Ubuntu Server Edition with proper partitions of your hard drive
When your hard drive is ready, put install CD into the CD-ROM unit, boot a computer from a CD and start the installation process. BTW: Because of an unresolved bug No. 71594 in Feisty Server kernel, installation of server in virtual machines like Vmware and VirtualBox is not successful. But if you use a second virtual hard disk with one partition of 4 GB for the temporary root, you may use this guide with Feisty Desktop. Just replace hda2 with hdb1 in this guide until before you create cswap. Afterwards, you can remove that hard disk from the configuration of your virtual machine. There is also unresolved bug No. 68843 in the Feisty Server installers, which disables use of slovenian, croatian and some other keyboard layouts. Warning: Be careful when setting in passwords, because at the startup (when you need to enter your master password to access your hard drive) your keyboard uses english layout. When you came to the disk partitioning step, you need to create four partitions:
- partition /boot, 100 Mb - /hda1
- partition temporary root (future cswap), 2 Gb - /hda2
- not used partition (future croot partiton), 10 Gb - /hda3
- not used partition (future chome partiton), all remained size - /hda4
Step two: setup the encryption
When installation is finished, and computer reboots, login and become administrator:
sudo su
Load needed modules:
modprobe dm-crypt modprobe dm-mod modprobe aes modprobe sha256
Add modules into /etc/modules to be loaded automatically at the reboot:
echo dm-crypt >> /etc/modules echo dm-mod >> /etc/modules echo aes >> /etc/modules echo sha256 >> /etc/modules
Install cryptsetup package:
apt-get install cryptsetup
Step three: setup encrypted root partition
Now format future root partition with luksformat (we are using ext3 file system)//)luksformat -t ext3 /dev/hda3
You need to type YES and then twice your LUKS password. This password is very important, because you will need it to access your hard drive. It should be good and long enough, and don't forget it! If your password uses upper and lower case letters of the english alphabet and the ten digits, then that's 62 possibilities per character. Six binary bits can encode 64 possibilities, so each character, if it's random, gives about 6 bits of security. You want about 128 bits for good security, so you need about 21 random characters in your password. Words and phrases have surprisingly little randomness, so if you use words or phrases or anything non-random, you need a MUCH longer passphrase. An estimate by Shannon puts english words at about two bits per character, so you would need about sixty characters in your passphrase. Any passphrase that uses a quote from Bartlets quotes or a famous book would be easily broken. Luksformat uses 128-bit key. We can use 256-bit key with the following command - in that case we will need to format it manually later:
sudo cryptsetup --key-size 256 luksFormat /dev/hda3
We get output like that:
Creating encrypted device on /dev/hda3... WARNING! ======== This will overwrite data on /dev/hda3 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful. Please enter your passphrase again to verify it Enter LUKS passphrase: key slot 0 unlocked. Command successful. mke2fs 1.40-WIP (14-Nov-2006) ... ... Writing superblocks and filesystem accounting information: done This filesystem will be automatically checked every 39 mounts or 180 days, whichever comes first. Use tune2fs -c or -i to override.
Now let's mount new crypto partition as croot:
cryptsetup luksOpen /dev/hda3 croot
We need to enter our LUKS password, and crypto partition is mounted:
Enter LUKS passphrase: key slot 0 unlocked. Command successful.
If we did not used luksformat, we need to format new partition manually right now:
sudo mkfs.ext3 /dev/mapper/croot
Now mount it to the /mnt:
mount /dev/mapper/croot /mnt
Step four: prepare encrypted system
Now copy system on this new crypto partition (this can take a few minutes, you can use -v switch in cp command for verbose output):
cd /mnt cp -xa / .
Chroot into the new system:
cd / mount --bind proc mnt/proc mount --bind sys mnt/sys mount --bind dev mnt/dev chroot /mnt
Mount /boot partition:
mount /dev/hda1 boot
Edit /etc/crypttab (last two entries should remain commented FOR NOW!):
nano etc/crypttab
Crypttab should look like this:
# <target name> <source device> <key file> <options> croot /dev/hda3 none luks #cswap /dev/hda2 /dev/urandom swap #chome /dev/hda4 /etc/keys/home.key luks
Edit /etc/fstab (entries for cswap and chome should remain commenter FOR NOW!):
nano /etc/fstab
First comment active root entry (Don't forget this!). Then add:
/dev/mapper/croot / ext3 defaults,errors=remount-ro 0 1 #/dev/mapper/cswap none swap sw 0 0 #/dev/mapper/chome /home ext3 defaults 0 2
File /etc/fstab now should look like this (UUID's are symbolic)
# /etc/fstab: static file system information. # # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0 # /dev/hda2 #UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e / ext3 defaults,errors=remount-ro 0 1 /dev/mapper/croot / ext3 defaults,errors=remount-ro 0 1 # /dev/mapper/cswap none swap sw 0 0 # /dev/mapper/chome /home ext3 defaults 0 2 # /dev/hda1 UUID=2fca8417-07de-4a7b-a8cb-4cfeddc89c7d /boot ext3 defaults 0 2 /dev/hdc /media/cdrom0 udf,iso9660 user,noauto 0 0 /dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
Make a key for encrypted home:
cd etc/keys dd if=/dev/urandom of=home.key bs=1K count=1
Key will be stored on /etc/keys. Because of this you will see a warning at the boot time (INSECURE MODE FOR /etc/home/key). However, key is stored on encrypted root, so it is not so much unsecure. BTW: you can mount chome by typing password, but you will need to change /etc/crypttab entry. Now the important part - make new initrd script (this will take a few minutes):
cd /boot update-initramfs -u
Now we need to repair Grub menu (look for kernel and add /dev/mapper/croot):
nano /boot/grub/menu.lst
Change menu entry like this:
title Ubuntu, kernel 2.6.20-15-server root (hd0,0) kernel /vmlinuz-2.6.20-15-server root=/dev/mapper/croot ro quiet nosplash initrd /initrd.img-2.6.20-15-server quiet savedefault
To avoid further repairs of this file, also change two commented lines in the same file: Replace UUID=some-long-uuid-string with /dev/mapper/croot in the line # kopt=root=UUID=some-long-uuid-string ro Replace splash with nosplash in the line beginning with # defoptions=quiet splash Keep the comment sign at the beginning of these lines! Additional info by MatejKovačič: after upgrade to Gutsy and update of it, splash screen enables to enter LUKS passwords. Reboot the system:
- press Ctrl-D to exit chroot enviroment
reboot
Step five: encrypted home and swap
At the very beginnig of the boot process you will get this text:
Starting up ... Loading, please wait... Setting up cryptographic volume croot (based on /dev/hda3) Enter LUKS passphrase:
Enter your LUKS password (for croot), log-in and become administrator:
sudo su
You can rewrite old root partition with random data if you like (this can take a long time):
dd if=/dev/urandom of=/dev/hda2 bs=16M
If you do not do this, you need to format this partition with swap filesystem (if not, cswap will not mount at reboot):
mkswap /dev/hda2
Now there is again a nasty bug No. 105266 in Foobuntu, I mean Ubuntu, which can be easily solved by typing this command:
mkdir /dev/.static/dev/mapper
Now let's format future /home partition. For now we are using a passphrase and not a keyfile:
luksformat -t ext3 /dev/hda4
Mount this new partition (we need to enter LUKS password):
cryptsetup luksOpen /dev/hda4 chome mount /dev/mapper/chome /mnt
Create user's directory for the current user (n my case for the user "matej"):
cd /mnt mkdir matej chown matej.matej matej
Add a keyfile to this crypto partition:
cryptsetup luksAddKey /dev/hda4 /etc/keys/home.key
(We can remove first passphrase with cryptsetup luksDelKey command.) Now uncomment cswap and chome entries in /etc/crypttab:
nano /etc/crypttab
Uncomment also cswap and chome entries in /etc/fstab.
nano /etc/fstab
Reboot the system:
reboot
Step six: enter fully encrypted system and setup desktop
After reboot log-in and check if crypto partitions are mounted:
ls /dev/mapper
We should get something like this:
chome control croot cswap
Check the swap space:
cat /proc/swaps
We should get something like this:
Filename Type Size Used Priority /dev/mapper/cswap partition 1951888 0 -1
Now comment CD-ROM source in APT sources.list:
sudo nano /etc/apt/sources.list
Comment this:
# deb cdrom:[Ubuntu-Server 7.04 _Feisty Fawn_ - Release i386 (20070415)]/ feisty main restricted
Install Ubuntu desktop:
sudo apt-get update sudo apt-get install ubuntu-desktop
You will need to configure X server (very easy, you need only to check the supported resolutions for your screen). Now we can install generic kernel if we like:
sudo apt-get install linux-image-generic
After reboot your system will start in a graphic mode. Now we remove old server kernel...
sudo apt-get remove --purge linux-image-2.6.20-15-server linux-image-server linux-server
Conclusion
That's it. Now you have fully encrypted system (except /boot partition of course) and your system is using advanced LUKS encryption. You can add or delete (an therefore change) keys (passwords). You can mount your LUKS formatted partitions in other Linux or even Windows systems (for Windows, you need a program FreeOTFE and drivers for ext3). However:
- full system encryption protects you only against offline attack (on-line attacker can still hack your system and access your data);
- be caferul for your password (and use good password!);
- do your backups regulary (if possible on encrypted media or in a safe place - BTW: LUKS formatted media can be easily mounted in Gnome. When you connect encrypted USB drive, you get fancy pop-up to enter your password and encrypted partition is magically automounted when right password provided)
- be aware of possible attacka on /boot partition or hardware (someone can install you a keyboard sniffer program to /boot partition, keyboard sniffing device (hardware keylogger), PCI Rootkit, hacked USB device, hacked firewire device, etc.
But generally everything should work fine, just don't forget to repair Grub menu after each kernel upgrade/update. If you forget to do it, don't panic, you can do it during boot process - at boot time press Esc to enter Grub menu, then press e (to edit), select "kernel line" and press e again. Then edit the line, press enter and b to boot. This change is not saved, so you need to repair Grub menu after sucessfull boot manually. P. S. If you find this guide useful, please let us know.
Dear Matej and Jožko, I found it extremely useful, thus I dared to enhance this page as given above. Feel free to incorporate my ideas as if they were your own. Rainer Perske Thanks for update - we tested it, and it is working. However, as mentioned, in new Gutsy with updates splash screen is working. Matej Kovačič
