
UbuntuHelp:EncryptedFilesystemHowtoEdgy

From Ubuntu中文

Encrypted Root with Cryptroot on Ubuntu 6.10

(Wiki tag: Unsupported)

Note: Please refer to EncryptedFilesystems for further documentation.

This How To may be incomplete.

Preamble

I use a Thinkpad T43 for everything I do. (Though nothing described here should be dependent on that.) My setup until now was an encrypted home partition and encrypted swap using cryptsetup-LUKS. If you follow this howto you should end up with:

  1. An unencrypted /boot partition containing all your kernels, their respective initramfs' and your grub config
  2. An encrypted partition which will be mounted as /
  3. One (or more) partition(s) to hold your users personal data

I assume you are familiar with the command line and Ubuntu/Debian in general, so I will not elaborate every step in detail. Make sure you try 'man' if you don't understand something or want to know more, e.g. about crypttab.

System Installation

Install Edgy Eft on the target System. My scenario assumes a 100GB hard disk (/dev/sdb).

  • Create 4 partitions.
  1. sdb1, 500MB, fs: ext3, mountpoint: /boot (This will stay /boot)
  2. sdb2, 1500MB, fs: linux-swap (This will be our encrypted swap partition)
  3. sdb3, 15GB, fs: ext3, mountpoint: none (This will be our encrypted root partition, keep it out of the way for now)
  4. sdb4, 73GB, fs ext3, mountpoint: / (This will be our encrypted /home. We will install our system here temporarily)
  • Finish the installation until you sit in front of a clean system.

Cryptroot

  • Install all necessary software (you might have to enable universe/multiverse): apt-get install cryptsetup libpam-mount initramfs-tools
  • Clean out our future encrypted / partition
  • Fill your future cryptroot with random data: sudo dd if=/dev/random of=/dev/sdb3
  • Use luksformat to create an encrypted filesystem on /dev/sdb3: sudo luksformat -t ext3 /dev/sdb3 (Just follow the instructions. Use a good password!)
  • Add cryptroot to /etc/crypttab (This should not be necessary IMHO, because the initramfs will mount it as such, but I think without this something didn't work)

kbarrett: I needed to add the following modules to the edgy kernel to get luksformat to work at this point:

  • sudo modprobe dm_crypt
  • sudo modprobe sha256
  • sudo modprobe aes_i586

Then I created a /etc/mkinitramfs directory, added these module names to /etc/mkinitramfs/modules and ran:

  • sudo update-initramfs -u ALL

end edit

  • echo "cryptroot /dev/sdb3 none luks,cipher=aes-cbc-essiv:sha256" | sudo tee /etc/crypttab (sudo must apply to the command that opens the file; with 'sudo echo ... > file' the redirection is still opened by your unprivileged shell and fails)
  • While we're at it, we can also add our cryptswap
  • echo "cryptswap /dev/sdb2 /dev/random swap" | sudo tee -a /etc/crypttab
  • Replace the entry for / from /etc/fstab with something for our cryptroot
  • /dev/mapper/cryptroot / ext3 defaults,errors=remount-ro 0 1
  • Replace the entry for the swap partition from /etc/fstab with something for our cryptswap
  • /dev/mapper/cryptswap none swap sw 0 0

kbarrett: When I edited /etc/fstab, I needed to dump back to the old style version, and specified actual partition devices, and commented out the LVM stuff. It might be possible to use the LVM volume names, but then this whole howto would need to be altered to match that. end edit
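The crypttab and fstab edits above are the point where most cryptroot setups go wrong: a redirection run as the wrong user, a duplicated entry after a second attempt, or a /dev/mapper device in fstab with no matching crypttab line, which leaves the boot waiting for a mapping that never gets opened. The following is an added example (not part of the original howto) that writes the entries idempotently through tee and then cross-checks the two files. It works on constructed copies in a temp directory, so it runs without root; the SUDO variable is an assumption of this script and would be set to sudo when pointing it at the real /etc files.

```shell
#!/bin/sh
# Added example: write crypttab/fstab entries safely and cross-check them.
# Runs entirely on constructed copies under a temp directory (no root needed).
WORK="${WORK:-$(mktemp -d)}"
CRYPTTAB="$WORK/crypttab"
FSTAB="$WORK/fstab"
SUDO="${SUDO:-}"   # set SUDO=sudo for the real /etc files (hypothetical knob)

# Append LINE to FILE only if an identical line is not already present.
# tee opens the file, so running tee under sudo is what makes writes to
# /etc work; 'sudo echo ... > file' opens the file as the calling user.
add_line_once() {
    file="$1"; line="$2"
    if grep -qxF -- "$line" "$file" 2>/dev/null; then
        return 0        # already there: rerunning the setup is a no-op
    fi
    printf '%s\n' "$line" | $SUDO tee -a "$file" >/dev/null
}

# Report every /dev/mapper/NAME used in FSTAB that has no NAME entry in
# CRYPTTAB. Returns 0 when every mapping is accounted for, 1 otherwise.
check_mapper_entries() {
    fstab="$1"; crypttab="$2"; status=0
    names=$(awk '$1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' "$fstab")
    for name in $names; do
        if ! awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$crypttab"; then
            echo "fstab uses /dev/mapper/$name but crypttab has no '$name' entry"
            status=1
        fi
    done
    return $status
}

# The entries from the howto, written to the constructed copies.
add_line_once "$CRYPTTAB" "cryptroot /dev/sdb3 none luks,cipher=aes-cbc-essiv:sha256"
add_line_once "$CRYPTTAB" "cryptswap /dev/sdb2 /dev/random swap"
add_line_once "$CRYPTTAB" "cryptswap /dev/sdb2 /dev/random swap"   # duplicate call: ignored
add_line_once "$FSTAB" "/dev/sdb1 /boot ext3 defaults 0 2"
add_line_once "$FSTAB" "/dev/mapper/cryptroot / ext3 defaults,errors=remount-ro 0 1"
add_line_once "$FSTAB" "/dev/mapper/cryptswap none swap sw 0 0"

check_mapper_entries "$FSTAB" "$CRYPTTAB" && echo "crypttab covers every mapper device in fstab"
```

Run it as-is to see the check pass on the howto's entries; adding a /dev/mapper/crypthome line to the constructed fstab without a matching crypttab entry makes check_mapper_entries name the missing mapping and return nonzero, which is exactly the mismatch that would otherwise only show up as a hang at boot.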

  • Switch off all swap: sudo swapoff -a
  • Fill your future cryptswap with random data: sudo dd if=/dev/random of=/dev/sdb2
  • You can try your new cryptdisks by issuing 'sudo /etc/init.d/cryptdisks start'. You should be prompted for the password for your cryptroot.
  • Enable cryptswap: sudo swapon -a
  • Mount cryptroot: mkdir /tmp/cryptroot && sudo mount /dev/mapper/cryptroot /tmp/cryptroot
  • Copy your root content over: sudo cp -avx / /tmp/cryptroot
  • Now that everything should be in place, regenerate the initramfs: sudo update-initramfs -u ALL
  • (You might want to check if the cryptsetup and dmsetup tools are in there. I think the verbose mode for update-initramfs is broken...)
  • You should by now be ready to take your new cryptroot for a test drive
  • Read ALL these sub instructions first!
  • Reboot your system and interrupt grub
  • Edit the kernel command line to point to the new cryptroot and remove 'splash': kernel /vmlinuz-2.6.17-10-generic root=/dev/mapper/sdb3 ro quiet
  • Enter your cryptroot password. (Now here's a thing: THE KEYBOARD LAYOUT IS ENGLISH! This one nearly got me mad...)
  • (It should also be possible to read a key-file from a USB-key and such...)
  • The system should boot up fine
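Before the test drive it is worth confirming that the regenerated initramfs really contains the cryptsetup and dmsetup tools, the cryptroot boot script and the dm-crypt module, since a missing piece only shows up as an unbootable system. Here is an added example (not from the original howto) that lists a gzip-compressed cpio initramfs and checks it for those entries. The list of required paths is an assumption based on the stock layout for the howto's kernel (2.6.17-10-generic); the demo at the end runs on a constructed listing so it needs no real image.

```shell
#!/bin/sh
# Added example: verify an initramfs carries what an encrypted root needs.

# Path fragments to look for in the cpio listing (assumed stock locations for
# the 2.6.17-10-generic kernel used in the howto).
REQUIRED="sbin/cryptsetup sbin/dmsetup scripts/local-top/cryptroot kernel/drivers/md/dm-crypt.ko"

# List the members of a gzip-compressed cpio initramfs, one path per line.
# Usage: initramfs_list /boot/initrd.img-2.6.17-10-generic > listing.txt
initramfs_list() {
    zcat "$1" | cpio -t --quiet 2>/dev/null
}

# Check a listing file (as produced by initramfs_list) for every REQUIRED
# fragment. Prints what is missing; returns 0 only when nothing is missing.
check_listing() {
    listing="$1"; missing=0
    for want in $REQUIRED; do
        if ! grep -qF -- "$want" "$listing"; then
            echo "missing from initramfs: $want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Demo on a constructed listing: dmsetup has been left out deliberately.
DEMO="$(mktemp)"
cat > "$DEMO" <<'EOF'
.
bin/busybox
sbin/cryptsetup
scripts/local-top/cryptroot
lib/modules/2.6.17-10-generic/kernel/drivers/md/dm-crypt.ko
lib/modules/2.6.17-10-generic/kernel/crypto/aes.ko
EOF
check_listing "$DEMO" || echo "initramfs is not ready for an encrypted root"
```

On a real system, pipe initramfs_list into a file and hand that to check_listing; the demo listing reports sbin/dmsetup as missing, and once that line is present the check passes silently.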

kbarrett: I used an alternate method that did not require interrupting grub:

  • sudo vi /boot/grub/menu.lst
  • then copy the kernel line from the 2.6.17-10-generic boot stanza over the kernel line in the recovery mode stanza, and rename it from recovery to cleartext root. This will give you a way back in if everything blows up on you.
  • Then I replaced the main stanza kernel line with:
  • kernel /vmlinuz-2.6.17-10-generic root=/dev/mapper/cryptroot ro quiet

Using this instead of specifying the partition allows you to specify your cryptroot in /etc/crypttab ... a better solution, IMO. The last thing you need to do is alter the #kopt root= line to point at cryptroot, so you don't get screwed up when some script runs update-grub on you. end edit

  • Check if cryptswap is active: cat /proc/swaps
  • Everything should work, now we'll set up pam-mount

pam-mount: Crypthomes for the masses

I like the idea of this one. It mounts your encrypted user home the instant you try to log in, using your user password as the key (You have a good password, don't cha?). We have installed it already, so there's not much left to do but configure it.

  • Overwrite our old root partition with random data:
  • sudo dd if=/dev/random of=/dev/sdb4
  • Create an encrypted filesystem on our old root (/dev/sdb4) and make sure you use the same password as your login password:
  • sudo luksformat -t ext3 /dev/sdb4
  • Mount the cryptdisk and give it to the user (e.g robert):
  • sudo cryptsetup luksOpen /dev/sdb4 crypthome
  • mkdir /tmp/crypthome && sudo mount /dev/mapper/crypthome /tmp/crypthome
  • kbarrett: You need to copy your home directory over now.
  • sudo cp -avx /home/robert/* /tmp/crypthome
  • sudo chown -R robert:robert /tmp/crypthome
  • sudo umount /tmp/crypthome
  • sudo cryptsetup luksClose crypthome
  • Add an entry for your user in /etc/security/pam_mount.conf. Assuming your username is 'robert' it should work like this:
  • echo "volume robert crypt - /dev/sdb4 /home/robert - - -" | sudo tee -a /etc/security/pam_mount.conf (tee under sudo, not 'sudo echo >>', so the file is opened as root)
  • There might be smarter ways to do this pam-mount thing, I'm not an expert...
  • Edit /etc/pam.d/(login|gdm):
  • echo "@include common-pammount" | sudo tee -a /etc/pam.d/login
  • echo "@include common-pammount" | sudo tee -a /etc/pam.d/gdm
  • Restart gdm
  • Login.