UbuntuHelp:EncryptedFilesystemHowto2

Encrypted Root, Home and Swap with dm-crypt on Ubuntu 5.10

Please refer to EncryptedFilesystems for further documentation.

by Rudá Moura [email protected]

This is how I got an Ubuntu 5.10 (Breezy) system with a fully encrypted file system: root (/), home and swap. Since the Ubuntu installer does not yet support this option, the process consists of first installing Ubuntu on a temporary partition and then, inside that installation, preparing all the encrypted partitions for the OS. The old root which I used in the beginning is turned into a swap partition. This fully encrypted filesystem method employs dm-crypt, the Linux kernel's devmapper and cryptography. The default algorithm is AES (aes-cbc-plain) with a 256-bit key. Note that I am not a connoisseur on the subject or even a crypto freak; I can just say that this worked for me.

Part 1: Ubuntu installation

Install Ubuntu with the server profile and the following initial partitioning scheme:

/dev/hda1   /boot  100 MB   ext3
/dev/hda2   /      512 MB   ext3

Note that 512 MB is really the smallest size you can set for a server type of installation. A complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, I created two more partitions to hold my future encrypted root and /home, as follows:

/dev/hda3   future   /        10GB
/dev/hda4   future   /home    30GB

In the installer's filesystem option, set these partitions to "do not use the partition". Note that it is not absolutely necessary to have a separate /home partition; this is optional, since you can have a single partition for the whole encrypted system. Just ignore the alert about not having a swap partition and continue.

Part 2: Cryptography software installation

Configure apt to use all the optional repositories which come with Ubuntu. This is done by modifying /etc/apt/sources.list, uncommenting all the “deb” repositories. Since you are on a terminal with no gedit or anything like it, you will need a plain text editor such as Vi. If you know how to use it, skip the following explanation for beginners. To edit text files on a terminal using the Vi command, follow this example:

# vi /etc/apt/sources.list

Press “i” to enter INSERT mode, make the changes, press ESC to return to COMMAND mode and then press SHIFT+zz (ZZ) to save and quit. After enabling the repositories above, don't forget to update so that the packages below become available, then install the additional packages cryptsetup 1.0.1, hashalot 0.3, initrd-tools 1.78 and cramfsprogs 1.1 with the commands:

# apt-get update
# apt-get install cryptsetup hashalot initrd-tools cramfsprogs

Important: initrd-tools must be updated to version 1.78, because the original one that comes with Ubuntu has a severe bug which makes it unusable.

Part 3: Creating the encrypted system

Now it is time to create the cryptography devices. First, root: choose a strong password, so that you do not end up with a weak security implementation. Do not even use your personal login password. Note that it is hard to change this password later (you would need to re-encrypt the full system again) and this is not explained in this article. The password for /home can be weaker, because it will be stored encrypted inside the file /etc/keys/home (remember that / is being fully encrypted). This is necessary so that the /home password is not asked for at every boot in order to mount it.

# cryptsetup -y create root /dev/hda3
# sha256 > /etc/keys/home
# cryptsetup -d /etc/keys/home create home /dev/hda4

The password for root will be asked twice, but the one for /home will be asked only once, with no confirmation! The partitions with support for cryptography will be available at /dev/mapper/. Now create the filesystems. I prefer the XFS filesystem and, before we continue, let me make a point about it: this is the one for high-performance boxes created by Silicon Graphics, with no undelete policies and 64-bit technology. Also, there are no tools for Windows which can be used to mount an XFS filesystem. Anyway, who cares since now we are going to be encrypted! You can use any filesystem supported by Ubuntu, and the one everyone uses is ext3, but that's a matter of taste.

# mkfs -t xfs /dev/mapper/root
# mkfs -t xfs /dev/mapper/home

If you want to use an Ext3 filesystem, just change both xfs references above to ext3 so that it will be as the following:

# mkfs -t ext3 /dev/mapper/root
# mkfs -t ext3 /dev/mapper/home

Now mount the new partitions to /mnt and copy the old root to the new one at /mnt. This will be a perfect copy, preserving data, symbolic links and everything.

# mount /dev/mapper/root /mnt
# mkdir /mnt/home
# mount /dev/mapper/home /mnt/home
# cp -axv / /mnt

The copy process took two minutes and a half for a server profile and sixteen minutes for a complete installation. Mount /dev inside /mnt/dev to get access to the devices.

# mount --bind /dev /mnt/dev

Part 4: Adjustments inside chroot

Enter the encrypted system by using the chroot command and mount /boot, /proc and /sys:

# chroot /mnt
# mount /boot
# mount /proc
# mount /sys

This step must be done in order to fix a bug in Ubuntu, but do not ask me why.

# ln -sf /lib/libdevmapper.so.1.01 /lib/libdevmapper.so.1.00

Edit /etc/crypttab and add the following lines:

root /dev/hda3
home /dev/hda4 /etc/keys/home

Edit /etc/fstab in order to change root to the new mounting point at /dev/mapper/root and add a line for /home. I did it this way:

/dev/mapper/root /     xfs defaults 0 1
/dev/mapper/home /home xfs defaults 0 2

Edit /etc/kernel-img.conf and add the following line:

ramdisk = /usr/sbin/mkinitrd

Edit /boot/grub/menu.lst, search for kopt and change this line to:

# kopt=root=/dev/mapper/root devfs=mount ro

Note that the initial # should NOT be removed! The next step is to obtain a new initrd image with devmapper crypto support. (Read Part 7 below if you are trying to encrypt your root device which is on a software RAID array; without following those instructions, you'll render your system unbootable!)

# dpkg-reconfigure linux-image-2.6.12-9-386

This command assumes that the installed kernel is the original one from the installation. If that is NOT the case, substitute the package name accordingly, for example 686 instead of 386, or any other updated version.

Part 5: Finishing

Unmount all chroot file systems, quit chroot and reboot:

# umount -a
# exit
# reboot

If everything worked fine, your system will ask for the password in order to mount the root filesystem (/) and then the boot process will continue. If you type a wrong password, the system will not output any alert and will fail drastically, probably with a kernel panic.

Part 6: Encrypted Swap

This process is like the one we did for /home; the only difference is that the password will be different at every boot, since it will be read from /dev/random.

# cryptsetup create swap /dev/hda2

Type any garbage as password, since it will not be typed by the user. Edit /etc/crypttab and add the line for swap:

swap /dev/hda2 /dev/random swap

Edit /etc/fstab and add the line for swap:

/dev/mapper/swap none swap sw 0 0

To enable swap immediately:

# cryptsetup remove swap
# /etc/init.d/cryptdisks start
# swapon -a
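
A consistency check for the /etc/crypttab and /etc/fstab entries written in Parts 4 and 6, as an added example that is not part of the original article. The function names are hypothetical, the key-file permission test is an added hardening check the article does not mention, and the code assumes the whitespace-separated crypttab layout shown above (name, device, key, options).

```shell
#!/bin/sh
# Added example (not from the original article): cross-check crypttab
# against fstab. File paths are arguments so copies can be checked too.

# Mapping names fstab expects under /dev/mapper/ (optionally one fs type).
fstab_mapper_names() {
    awk -v want="${2:-}" '!/^[ \t]*(#|$)/ && $1 ~ "^/dev/mapper/" &&
        (want == "" || $3 == want) { sub("^/dev/mapper/", "", $1); print $1 }' "$1"
}

# Field F of the crypttab entry for mapping NAME (empty if absent).
crypttab_field() {
    awk -v n="$2" -v f="$3" '!/^[ \t]*(#|$)/ && $1 == n { print $f; exit }' "$1"
}

check_crypt_config() {
    crypttab=${1:-/etc/crypttab} fstab=${2:-/etc/fstab} rc=0
    # 1. Every /dev/mapper/NAME used by fstab needs a crypttab entry.
    for name in $(fstab_mapper_names "$fstab"); do
        if [ -z "$(crypttab_field "$crypttab" "$name" 2)" ]; then
            echo "FAIL: /dev/mapper/$name is in fstab but not in crypttab"; rc=1
        fi
    done
    # 2. Encrypted swap must be re-keyed from a random source at each boot.
    for name in $(fstab_mapper_names "$fstab" swap); do
        key=$(crypttab_field "$crypttab" "$name" 3)
        opts=$(crypttab_field "$crypttab" "$name" 4)
        case "$key" in /dev/random|/dev/urandom) ;; *)
            echo "FAIL: swap mapping '$name' has key '$key', not a random device"; rc=1 ;;
        esac
        case ",$opts," in *,swap,*) ;; *)
            echo "FAIL: swap mapping '$name' lacks the 'swap' option"; rc=1 ;;
        esac
    done
    # 3. Key files must exist and be closed to group and others
    #    (assumption: owner-only access, as for any stored key).
    for key in $(awk '!/^[ \t]*(#|$)/ && $3 ~ "^/" && $3 !~ "^/dev/" { print $3 }' "$crypttab"); do
        if [ ! -f "$key" ]; then
            echo "FAIL: key file $key does not exist"; rc=1
        elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
            echo "FAIL: key file $key is accessible to group/others"; rc=1
        fi
    done
    return $rc
}
```

Run check_crypt_config with no arguments on the encrypted system once the swap entries are in place; a non-zero exit status means at least one FAIL line was printed.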

From this moment your whole filesystem is encrypted. To turn your server installation into a default, complete one, just run:

# apt-get install ubuntu-desktop

Part 7: Notes

If your root device is a software RAID array (controlled by mdadm), it takes a very ugly hack to get things to work. Trying this is only advised for advanced users. Edit /sbin/mkinitrd; around line 178, there is a command that echoes the mdadm parameters for the root device into the md$minor-script file:

echo mdadm -A /devfs/md/$minor -R -u $uuid $devices \

The problem is that when you pass the 'devfs=mount' option to your kernel because of devmapper, the '$devices' variable suddenly contains unresolvable device paths. mdadm won't be able to create the root RAID array, rendering your machine unbootable. The hack is to manually replace $devices with the physical devices that make up your RAID array, in devfs notation, e.g.:

echo mdadm -A /devfs/md/$minor -R -u $uuid /dev/discs/disc0/part3 /dev/discs/disc1/part3

Those sample devices correspond to what you normally think of as /dev/sda3 and /dev/sdb3, respectively. If you can't figure out the proper devfs notation for your physical devices, you can attempt to drop down into the shell during initrd and use 'echo' to list the available devices in /devfs. After changing this line in /sbin/mkinitrd, rerun the 'dpkg-reconfigure' command as given above. Obviously, you've just broken autodetection of the devices comprising the root array, so if these change, you have to manually update /sbin/mkinitrd accordingly, and then re-run the dpkg-reconfigure command.

The following sources were checked for writing this article: cryptsetup(4), crypttab(5)
[1] Original article by Rudá Moura
Translation from Brazilian Portuguese to English: Heitor Capovilla [email protected]