个人工具

UbuntuHelp:EncryptedFilesystemHowto5

来自Ubuntu中文

跳转至: 导航, 搜索
  1. title Encrypted root, swap, and home using LUKS with no unencrypted key files available anywhere after boot
{i} Please refer to EncryptedFilesystems for further documentation.

submitted by John Bindel, [email protected]. Please consider using the EncryptedFilesystemLVMHowto instead of these instructions. I may be able to help more with that, and it's a far better solution than this. This is even another procedure for encrypting a disk with Ubuntu 6.06. It uses a server installation, but the desktop could be used as long as the initial root filesystem is at least 2.6 GB to hold all of the normal installation files. We will mount /keys encrypted partition from initrd script with a passphrase. We will then unlock our encrypted partitions via initrd using the encrypted keys partition so that they can be mounted during bootup. This how-to is similar to other how-tos in this wiki, but I wanted to make sure that no keys were visible even to root at run time rather than having the home partition keys available in /etc. We could put the /keys partition on a USB thumb drive as well, but that's less convenient though possibly even more secure because an attacker would need to have access to the thumb drive. Some sources EncryptedFilesystemHowto3 EncryptedFilesystem

Partition and Install

Install the server version of Ubuntu with /dev/sda5 as /boot, /dev/sda7 as /, and no swap. NOTICE: We do not initially use the final root and home partitions shown below because we will need to copy the initial installation to its encrypted destination after we install the operating system. Manually edit the partition table.

UE /dev/sda1   primary, "do not use"                   Future Windows partition for dual boot or vmware
UE /dev/sda5   0.2  GB logical, ext3, /boot, bootable
EK /dev/sda6   >3   GB logical, "do not use"           Future root partition.
ER /dev/sda7   1.5  GB logical, ext3, "/"              Future swap partition.
EK /dev/sda8   1GB  GB logical, "do not use"           Future hibernation swap partition
EK /dev/sda9   lots GB logical, "do not use"		 Future home partition.
EP /dev/sda10  0.1  GB logical, "do not use"           Future keys partition.

The hibernation swap partition should be at least as big as your RAM size. Commit changes to disk. Enter user information and let the installer put the OS on the disk. Reboot when done.

Create New Initrd Image

Login and edit /etc/apt/sources.list. $ sudo vi /etc/apt/sources.list Uncomment the "universe" repository lines. There are two for "dapper universe" and two for "dapper-security universe." Update the apt list. $ sudo apt-get update Install cryptsetup, hashalot, and initramfs-tools. $ sudo apt-get install cryptsetup hashalot initramfs-tools Add the following line to /etc/kernel-img.conf: ramdisk = /usr/sbin/mkinitramfs Add the following lines to /etc/mkinitramfs/modules:

dm_mod
dm_crypt
sha256
aes_i586

Create file /etc/mkinitramfs/hooks/cryptokeys. This script is executed when the init ramdisk image is built.

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

if [ ! -x /sbin/cryptsetup ]; then
        exit 0
fi

. /usr/share/initramfs-tools/hook-functions

mkdir ${DESTDIR}/etc/console
cp /etc/console/boottime.kmap.gz ${DESTDIR}/etc/console
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin

Create file /etc/mkinitramfs/scripts/local-top/cryptokeys. This script is executed during the init bootup.

#!/bin/sh

PREREQ="udev"

prereqs()
{
        echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
        prereqs
        exit 0
        ;;
esac

/bin/loadkeys /etc/console/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256
if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi
sleep 3

while ! /sbin/cryptsetup luksOpen /dev/sda10 cryptokeys; do
       echo "Try again..."
done

if grep -q splash /proc/cmdline; then
       /sbin/usplash -c &
       sleep 1
fi
mkdir /cryptokeys
mount -t ext3 /dev/mapper/cryptokeys /cryptokeys
/sbin/cryptsetup luksOpen /dev/sda6 cryptoroot --key-file=/cryptokeys/root-key
/sbin/cryptsetup luksOpen /dev/sda9 cryptohome --key-file=/cryptokeys/home-key
umount /cryptokeys
/sbin/cryptsetup luksClose cryptokeys

Make the scripts executable:

$ sudo chmod +x /etc/mkinitramfs/hooks/cryptokeys
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptokeys

Build a new initrd image: $ sudo update-initramfs -u ALL

Create Encrypted Partitions

Check for bad blocks. This will take several minutes for each partition. This fills each partition with pseudorandom data from the not-so-random libc pseudorandom source.

$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda6
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda8
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda9
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda10

Fill the partitions with random data. This may take hours for the larger partitions, but is necessary if you're paranoid. The /dev/urandom source is a good source of randomization that should prevent attackers from being able to determine where data actually resides on the encrypted filesystem, which would help them know what they should try to decrypt. The /dev/random source is even better, but it might take hundreds of years to fill the disk from it.

$ sudo dd if=/dev/urandom of=/dev/sda6
$ sudo dd if=/dev/urandom of=/dev/sda8
$ sudo dd if=/dev/urandom of=/dev/sda9
$ sudo dd if=/dev/urandom of=/dev/sda10

Make the encrypted keys filesystem. It is protected with a passphrase.

$ sudo modprobe dm_crypt
$ sudo modprobe sha256
$ sudo modprobe aes_i586
$ sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda10
$ sudo cryptsetup luksOpen /dev/sda10 cryptokeys
$ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/cryptokeys
$ sudo tune2fs -c 0 -i 0 /dev/mapper/cryptokeys
$ sudo mkdir /mnt/cryptokeys
$ sudo mount -t ext3 /dev/mapper/cryptokeys /mnt/cryptokeys

Make keyfiles for the other partitions. This can sometimes take several seconds. If it pauses, press the shift key and the space bar a few times to introduce some entropy into the system. Reading from /dev/random will block when the kernel runs out of usable entropy.

$ sudo dd if=/dev/random of=/mnt/cryptokeys/root-key bs=1 count=256
$ sudo dd if=/dev/random of=/mnt/cryptokeys/home-key bs=1 count=256
$ sudo chmod 600 /mnt/cryptokeys/*-key

Make the encrypted root and home filesystems.

$ sudo cryptsetup --verbose --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda6 /mnt/cryptokeys/root-key
$ sudo cryptsetup --verbose --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda9 /mnt/cryptokeys/home-key
$ sudo cryptsetup --key-file=/mnt/cryptokeys/root-key luksOpen /dev/sda6 cryptoroot
$ sudo cryptsetup --key-file=/mnt/cryptokeys/home-key luksOpen /dev/sda9 cryptohome
$ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/cryptoroot
$ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/cryptohome

You should add passphrase access to your encrypted root and home partitions in case your keys partition becomes unusable. Otherwise your data will be inaccessible.

$ sudo cryptsetup --key-file=/mnt/cryptokeys/root-key luksAddKey /dev/sda6
$ sudo cryptsetup --key-file=/mnt/cryptokeys/home-key luksAddKey /dev/sda9

Populate the new encrypted filesystems.

$ sudo mkdir /mnt/root
$ sudo mkdir /mnt/home
$ sudo mount /dev/mapper/cryptoroot /mnt/root
$ sudo mount /dev/mapper/cryptohome /mnt/home
$ sudo cp -ax / /mnt/root
$ sudo rm -rf /mnt/root/home/*
$ sudo cp -ax /home/* /mnt/home
$ sudo chown -R $(whoami):$(whoami) /mnt/home/$(whoami)

Edit /mnt/root/etc/fstab. Make sure the swap line is commented out with a #. First change this line /dev/sda7 / ext3 defaults,errors=remount-ro 0 1 to /dev/mapper/cryptoroot / ext3 defaults,errors=remount-ro 0 1 And add these lines

/dev/mapper/cryptohome /home	ext3	defaults			0	1
#/dev/mapper/cryptoswap	none	swap	sw				0	0

Edit /mnt/root/etc/crypttab to look like this:

# <target name>		<source device>		<key file>	<options>
#cryptoswap		/dev/sda7		/dev/random	swap
cryptoroot		/dev/sda6		none	luks
cryptohome		/dev/sda9		none	luks

Test the Configuration

Add this to the bottom of /boot/grub/menu.lst. (hd0,4) refers to the boot partition.

title           Cryptotest
root            (hd0,4)
kernel          /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro
initrd          /initrd.img-<your kernel version here>
savedefault
boot

Find the kernel version with the command: $ uname -r For example, it might be "2.6.15-26-server". Reboot to test by typing sudo reboot. Press ESC to enter the GRUB menu and select Cryptotest. The boot process will stop waiting for the keys partition's passphrase. If all goes well, then continue. Otherwise seek help or figure out what went wrong. Enable swap for the future by uncommenting the swap lines in /etc/fstab and /etc/crypttab. Then fill the old / partition, which will be the swap partition with random data and enable swap.

$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda7
$ sudo dd if=/dev/urandom of=/dev/sda7
$ sudo invoke-rc.d cryptdisks restart
$ sudo swapon /dev/mapper/cryptoswap

Edit /boot/grub/menu.lst to remove the lines we added at the end, and change the line that has # kopt=root=/dev/sda7 ro to # kopt=root=/dev/mapper/cryptoroot ro Then run $ sudo update-grub

Finish

Install a desktop. $ sudo apt-get install ubuntu-desktop Use something else if you don't like Gnome. You can chose kubuntu-desktop or xubuntu-desktop for other standard desktops. Finally backup your key files for safe keeping. This will require you to open and to mount the encrypted keys partition and then unmount and close it.

$ sudo cryptsetup luksOpen /dev/sda10 cryptokeys
$ sudo mount /dev/mapper/cryptokeys /mnt/cryptokeys
$ sudo cp /mnt/cryptokeys/*key <destination usb drive>
$ sudo umount /mnt/cryptokeys
$ sudo cryptsetup luksClose cryptokeys

The last line is necessary to make the system unable to access your precious keys for root and home without reentering the passphrase.

Notes

If your system seems to hang while booting, try pressing a few keys. Since we use /dev/random for the swap encryption key, the system may have run out of usable entropy while making the random swap encryption key. Pressing keys will give it some entropy to use. The initrd image is rebuilt automatically when a kernel upgrade is installed. This appears to work just fine without requiring us to make new images ourselves.