个人工具

UbuntuHelp:EncryptedFilesystemLVMHowto

来自Ubuntu中文

跳转至: 导航, 搜索
  1. title Encrypted LVM for Root, Swap, and Home using LUKS on Ubuntu 6.06 and 7.04
{i} Please refer to EncryptedFilesystems for further documentation.

Current versions (since 7.10) of the Ubuntu alternate installation CD provide options for automatically installing to an encrypted partition. The support for this in 8.04 LTS is well integrated, so the directions here may be used for historical purposes or when the options on the installation CD are not sufficient. The alternate installation CD uses LUKS for key management, and it does some kind of disk clearing, (hopefully) writing pseudorandom data to the entire encrypted partition. I recommend using the alternate installation CD rather than manually going through the encrypted installation procedure. -- John Bindel For more information about setting up an encrypted system using the alternate install CD see: Encrypted LVM for Root, Home and Swap using Manual Partitioning Encrypted LVM with Root and Swap using Guided Partitioning: This howto explains how to use the guided encrypted LVM partition mode to automatically partition an entire disk (erasing all data on the drive) and create an LVM with a root and swap partition. No manual partitioning or setup is necessary.

Installing Ubuntu 7.04 on an Encrypted LVM Partition For Root, Swap, and Home

by Nico Gulden and contributors This howto describes the aspects to be noticed installing Ubuntu 7.04 on an encrypted LVM partition. It is based on the howto below written by John Bindel. It gave me the inspiration to try it with Ubuntu 7.04. The steps are basically the same as for Ubuntu 6.06. First of all, I want to thank John Bindel for the inspiration and Ilkka Tuohela for the right hint to get everything working. /boot is the only unencrypted partition. The other partitions all reside on one volume group in lvm. The physical volume below the volume group is configured on top an encrypted partition.

Preparation with the live-cd

Follow the steps outline below for Ubuntu 6.06 using the Ubuntu 7.04 desktop install disk. Partition your harddisc using some partition editor, fdisk or System->Administration->Gnome Partition Editor. Make one partition of 100MB for /boot which is sda1 in this example. Create an extended partition for the left space on the disc. Create a logical partition with rest of the created extended partition, sda5 in this example. For further preparation you'll need a working internet connection. John suggested installing Ubuntu on an unencrypted primary partition. I did all necessary preparation with the live cd. First you'll need to edit your /etc/apt/sources.list and uncomment the universe repository entries, update your package list and install cryptsetup, initramfs-tools, hashalot, lvm2. You should activate the universe repository in your /etc/apt/sources.list

# sudo aptitude update
# sudo aptitude -y install cryptsetup initramfs-tools hashalot lvm2

After installing the needed packages, your are ready for the setup of lvm2 on your hard disk. Before you can start, you need to load the following modules:

# sudo modprobe aes-i586
# sudo modprobe dm-crypt
# sudo modprobe dm-mod

Encrypt data partition

From John's Tutorial: >>> Check the future encrypted LVM physical partition for errors. This will take several minutes for each partition. This fills each partition with pseudorandom data from the not-so-random libc pseudorandom source

# sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda5

Fill the partitions with random data. This may take MANY hours for the large partitions, on average 1.6M/sec of data is written to disk, so a 10GB partition might take around 2 hours, and 100GB partition might take a bit under 20 hours. . The /dev/urandom source is a good source of randomization that should prevent attackers from being able to determine where data actually resides on the encrypted filesystem, which would help them know what they should try to decrypt. The /dev/random source is even better, but it might take hundreds of years to fill the disk from it.

# sudo dd if=/dev/urandom of=/dev/sda5

<<< In the next step you create the encryption on the logical partition and unlock the partition.

# sudo cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda5
WARNING!
========
This will overwrite data on /dev/sda5 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: (enter passphrase)
Verify passphrase: (repeat passphrase)

# sudo cryptsetup luksOpen /dev/sda5 pvcrypt

Create LVM

Create a physical volume and on top of that the volume group with all necessary logical volumes.

# sudo pvcreate /dev/mapper/pvcrypt
# sudo vgcreate vg /dev/mapper/pvcrypt
# sudo lvcreate -n <lvname> -L <size> vg

Create logical volumes for /usr, /home/, /tmp, /var, /opt, root and swap using the lvcreate command according to the mentioned schema. Make sure you don't use any special characters like underscores or hyphens for the logical volume name. That will generate problems in the later setup. I got the following setup for my logical volumes.

# sudo lvdisplay -C
  home       vg   -wi-ao  10,00G
  swap       vg   -wi-ao 512,00M
  opt        vg   -wi-ao 200,00M
  root       vg   -wi-ao 300,00M
  tmp        vg   -wi-ao 200,00M
  usr        vg   -wi-ao   4,00G
  var        vg   -wi-ao   1,00G

Put a filesystem on each logical volume. Replace <lvname> with each logical volume name you used creating you logical volumes.

# sudo mkswap /dev/mapper/vg-swap
# sudo mkfs.ext3 /dev/mapper/vg-<lvname>

Install Ubuntu

Begin the installation of Ubuntu by clicking on the install icon on the desktop of the livecd. Follow the steps in the wizard until step four where it comes to the preparation of the hard disk. Choose manual partitioning, because you already have created all necessary partitions. You just need to map the partitions to the appropriate mount points, choose a filesystem and let the installer create the filesystem. MAKE SURE YOU MAP /dev/sda1 to /boot The next steps will continue just as an usual installation.

Final preparation

After the installation using the wizard, there are some steps to fulfill in order to let your fresh installed ubuntu come up correctly. The following steps have to be followed:

  • Mount partitions & chroot
  • Install missing software to fresh installed ubuntu
  • Customize /etc/crypttab, /etc/fstab, /boot/grub/menu.lst
  • Rebuild ramdisk

Mount Partitions & chroot

# cd /mnt
# sudo mkdir root
# sudo mount -t ext3 /dev/mapper/vg-root /mnt/root
# sudo mount -t ext3 /dev/sda1 /mnt/root/boot
# sudo mount -t ext3 /dev/mapper/vg-home /mnt/root/home
# sudo mount -t ext3 /dev/mapper/vg-opt /mnt/root/opt
# sudo mount -t ext3 /dev/mapper/vg-usr /mnt/root/usr
# sudo mount -t ext3 /dev/mapper/vg-var /mnt/root/var
# sudo mount -t ext3 /dev/mapper/vg-tmp /mnt/root/tmp

Chroot

# sudo chroot /mnt/root
#(chroot) sudo mount -t proc proc /proc
#(chroot) sudo mount -t sysfs sys /sys
#(chroot) sudo mount -t devpts devpts /dev/pts

Install missing software

#(chroot) sudo aptitude update
#(chroot) sudo aptitude install cryptsetup hashalot initramfs-tools lvm2

Customize files

Edit /etc/crypttab and enter the following line.

# <target name>		<source device>	<key file> 	<options>
pvcrypt		/dev/sda5	none		luks,retry=1,lvm=vg

You recognize the target name and the source device name. It comes from the cryptsetup luksOpen /dev/sda5 pvcrypt command. With the options you tell cryptsetup that it shall use the volume group name vg in this example. According to the example your /etc/fstab should look like this

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            		/proc           proc    defaults        0       0
/dev/mapper/vg-root 		/               ext3    defaults,errors=remount-ro 0       1
/dev/sda1			/boot		ext3	defaults	0	2
/dev/mapper/vg-home		/home           ext3    defaults        0       2
/dev/mapper/vg-opt		/opt            ext3    defaults        0       2
/dev/mapper/vg-tmp 		/tmp            ext3    defaults        0       2
/dev/mapper/vg-usr	 	/usr            ext3    defaults        0       2
/dev/mapper/vg-var	 	/var            ext3    defaults        0       2
/dev/mapper/vg-swap 		none            swap    sw              0       0
/dev/scd0       		/media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0		        /media/floppy0  auto    rw,user,noauto  0       0

Your /boot/grub/menu.lst should have the following or similar entry

title	Ubuntu
root	(hd0,0)
kernel	/vmlinuz-2.6.20-16-generic root=/dev/mapper/vg-root ro quiet
initrd	/initrd.img-2.6.20-16-generic
quiet
savedefault

Rebuild ramdisk

Edit the file /etc/initramfs-tools/modules to make sure the correct modules are included in the ramdisk

aes-i586
dm-crypt
dm-mod
sha256

Run the following command to rebuild the ramdisk.

# sudo update-initramfs -k all -c

After building the ramdisk it should be checked.

#(chroot) cd /tmp
#(chroot) sudo mkdir foo
#(chroot) cd foo/
#(chroot) sudo zcat /boot/initrd.img-$(uname -r)|cpio -iv
#(chroot) sudo cat /tmp/foo/conf/conf.d/cryptroot

If initramfs-cryptsetup did not understand the setup, the /tmp/foo/conf/conf.d/cryptroot file is completely missing and it does not make even sense to try booting. The lvm lines here are just names it expects to be available after setup and really don't matter in your case. If everything went fine and the /tmp/foo/conf/conf.d/cryptroot is present you should give a try and reboot. Right at the beginning of the boot process you should be asked for the physical volume password.

Booting fails

If booting fails and you need to rebuild the ramdisk or fix some configuration files, follow these steps. I assume you know the details, therefore they are just outline.

  • Boot the ubuntu live cd
  • Uncomment the universe repository in the sources.list, update the package list and install cryptsetup, initramfs-tools, hashalot, lvm2
  • modprobe the modules aes-i586, dm-crypt and dm-mod
  • Unlock the physical volume: cryptsetup luksOpen /dev/sda5 pvcrypt
  • Detect the logical volume: vgscan; vgchange -a y vg
  • Mount the partitions to /mnt/root
  • Chroot into /mnt/root and mount proc and sysfs
  • Make your changes

Some Notes

  • Suspend or suspend2 don't work with this configuration. If you have a working configuration with suspend or suspend2, please append to this article or post a separate one. There might be some people out there looking for it. Thanks.

(This setup works for me in Ubuntu 8.10 (Intrepid) for both Suspend and Hibernate. Hibernate didn't work with the open-source nvidia drivers, but works well with the proprietary drivers.)

Advanced Encryption Modes

The article suggests using aes-cbc-essiv:sha256 which is the default encryption mode supported by the Ubuntu and Debian alternative installers. However, there are now more secure and faster encryption modes available that are specifically designed for hard disk encryption. Ubuntu Feisty (7.04) and Gutsy (7.10) support LRW while Hardy (8.04) and Intrepid (8.10) support XTS, which is a replacement for LRW, and is considered the most secure narrow-block encryption mode available for disk encryption. Instead of:

# sudo cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda5

For LRW do:

# sudo cryptsetup -y --cipher aes-lrw-benbi --key-size 384 luksFormat /dev/sda5

For XTS do:

# sudo cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sda5

(Note, LRW and XTS use two encryption keys - one key used to encrypt the data and another key called a "Tweak" key. For 256 bit AES, LRW uses a 256 bit data encryption key and a 128 bit tweak key (hence --key-size 384). XTS, however, uses two 256 bit keys.(hence --key-size 512)).

How to change your password, or add/remove a password or key

One of the great things about LUKS is that it allows you to access your encrypted volumes in a variety of ways. LUKS allows up to 8 passwords or keys per volume. So, for example you can encrypt a volume with a password and a key so that if you ever forget the password, you can decrypt the volume using the key (that you safely stored in your safety deposit box for example). Change your password: LUKS has eight key slots (0-7). To change a password, you first add a new password. Cryptsetup will inform you which Key Slot was used by the original password. You'll then remove that key slot, preventing that password from being used to decrypt the volume. Step 1: Add New Password

# sudo cryptsetup luksAddKey /dev/sda5
Enter any LUKS passphrase: 
key slot 0 unlocked.
Enter new passphrase for key slot: 
Verify passphrase: 
Command successful.

Step 2: Remove Old Password LUKS reported that the original password was on key slot 0. To remove it:

# sudo cryptsetup luksKillSlot /dev/sda5 0
Enter any remaining LUKS passphrase: 
key slot 0 verified.
Command successful.

Generate and Add a Key


# sudo dd if=/dev/random of=secret.key bs=256 count=1
# chmod 400 secret.key
# sudo cryptsetup luksAddKey /dev/sda5 secret.key

Add a Password

# sudo cryptsetup luksAddKey /dev/sda5

Delete a Key/Password

# sudo cryptsetup luksKillSlot /dev/sda5 <slot #>

Open a volume with a Key

# sudo cryptsetup luksOpen --key-file secret.key /dev/sda5 pvcrypt

Of course, use the appropriate device and key file on your system.

Notes on Howto have root outside of the encrypted partition

  • When creating your partitions, create an extra for your non-encrypted data (/dev/sda6 for my example). It's advisable to put it into the same logical partition as the encrypted one.
  • When creating the physical volume ('sudo pvcreate /dev/mapper/pvcrypt') also create for sda6 ('sudo pvcreate /dev/sda6')
  • Add both pv's to the vg on creation ('sudo vgcreate vg /dev/mapper/pvcrypt /dev/sda6') or extend the original group with the new pv ('sudo vgextend vg /dev/sda6').
  • Note! My lvm2 setup was reporting the wrong pv sizes. For whatever reason I had to remove all my pv's and vg, delete /dev/sda5, /dev/sda6, my extended partition, reboot and start from scratch.
  • When creating your logical volumes, the command now is sudo lvcreate -n <lvname> -L <size> vg </partition/path>. Use </partition/path> of '/dev/mapper/pvcrypt' to put the lv in the encrypted area or '/dev/sda6' in the non-encrypted area.
  • Depending on what you want secure, you may have various logical volumes in either the encrypted or non-encrypted partitions. To have an unencrypted root do this: 'sudo lvcreate -n root -L <size> vg /dev/sda6'
  • Everything else should work the same!

Notes for making it work in Kubuntu 7.10 AMD64

I had a few problems makeing this work on Kubuntu 7.10 AMD64. I'm not sure if the problems were due to Kubuntu, 7.10, or AMD64, but here's what I did to make it work. Problem 1: Use kernel module 'aes-x86_64' on AMD64 distro instead of 'aes-i586' Problem 2: The /tmp/foo/conf/conf.d/cryptroot wasn't being created by the 'update-initramfs' in the last main step. Manually create it: /etc/initramfs-tools/conf.d/cryptroot

CRYPTROOT=target=pvcrypt,source=/dev/sda5

Remember to run 'sudo update-initramfs -k all -c' This should let you boot. Problem 3: cryptosetup is run and asks for your password 3 times when booting. The first is necessary and done in usplash environment if you don't remove the splash option in /boot/grub/menu.lst. I'm not sure what's responsible for the first run, but the 2nd and 3rd are done by the init.d scripts after pvcrypt is uncrypted by the first run. They can be avoided by commenting out the line we added to /etc/crypttab earlier. With those 3 problems fixed, my system was working beautifully! A little note about solution for problem 3: Remember to uncomment the line added to /etc/crypttab earlier for each and every time when the update-initramfs is being executed, such as compiling vbox modules or nvidia proprietary modules or even upgrading kernel version, and comment it again. It would be nice to have a script to prevent doing this manually.

Notes for making it work in Xubuntu 8.04 (Hardy Heron Alpha 4) AMD64

The guide worked beautifully and everything is up an running INCLUDING SUSPEND!!! Here are a few of the customizations I performed. AES Kernel Module: Use the kernel module 'aes-x86_64' instead of aes-i586. Edit /etc/modprobe.d/aliases and add the line "alias aes aes-x86_64" Suspend\Resume: I can't use the basic suspend\resume functionality due to having an ATI FireGL card so to get suspend I installed uswsusp http://packages.ubuntu.com/hardy/utils/uswsusp. To get it working do the following

# sudo apt-get remove hibernate
# sudo apt-get install uswsusp
# sudo dpkg-divert --rename --divert /usr/sbin/pmi-disabled /usr/sbin/pmi

This information was found from a blog posting "http://blog.paulbetts.org/index.php/2007/02/11/fixing-software-suspend-hibernate-with-uswsusp-in-ubuntu-feisty-and-edgy/". Next modify your initramfs so it doesn't try the default resume, this isn't necessary but I felt it cleaned things up some.

# sudo vi /etc/initramfs-tools/conf.d/resume

Comment out the RESUME line and then rebuilt the initramfs

# sudo sudo update-initramfs -k all -c

And there you go, an encrypted LVM setup on x86_64 with Suspend\Resume.

Installing Ubuntu 6.06 on an Encrypted LVM Partition For Root, Swap, and Home

by John Bindel ([email protected]) This how-to explains the process of installing Ubuntu 6.06 on an encrypted LVM partition. One encrypted physical partition is used, and the logical volume manager is used to manage the operating system volumes. Only /boot is unencrypted.

Install

Boot the Ubuntu 6.06 desktop install disk. Partition the disk with System->Administration->Gnome Partition Editor Make 3GB ext3 primary partition (See NOTES at the bottom if you want to save room and use the server version, which only needs 600 MB). Make an extended partition with the rest. Make an ext3 logical partition of 200MB for /boot which is sda5 in this example. Make an ext3 logical parition with the rest as sda6. Click "apply" and then close the tool. It would be nice to install directly to encrypted LVM volumes, but the desktop installer does not seem to be capable of that. It fails after the manual paritioning step when I have tried. Double-click on "Install". Choose to manually edit partitions. Make no changes to partitions and click "forward". Set /dev/sda5 as the /boot mount point and /dev/sda1 as the "/" mount point. Clear all other mount points. Select reformat on these two and click "forward". Then click "install". Click "continue" when asked about not having a swap partition. We'll add one later. Let the system install and then reboot. Open a terminal and get root. $ sudo bash Add "universe" repositories by uncommenting lines in /etc/apt/sources.list. Install the cryptsetup, hashalot, and initramfs-tools packages.

# apt-get update
# apt-get install cryptsetup hashalot initramfs-tools

Build an initrd image

Load the modules that will be needed.

# modprobe dm_crypt
# modprobe aes_i586
# modprobe sha256

Add the following line to /etc/kernel-img.conf: ramdisk = /usr/sbin/mkinitramfs Add the following lines to /etc/mkinitramfs/modules:

dm_mod
dm_crypt
sha256
aes_i586

Create file /etc/mkinitramfs/hooks/pvcrypt. This script is executed when the init ramdisk image is built.

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

if [ ! -x /sbin/cryptsetup ]; then
        exit 0
fi

. /usr/share/initramfs-tools/hook-functions

mkdir ${DESTDIR}/etc/console
cp /etc/console/boottime.kmap.gz ${DESTDIR}/etc/console
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin

Create file /etc/mkinitramfs/scripts/local-top/pvcrypt. This script is executed during the init bootup.

#!/bin/sh

PREREQ="udev"

prereqs()
{
        echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
        prereqs
        exit 0
        ;;
esac

/bin/loadkeys /etc/console/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256
if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi
/sbin/cryptsetup luksOpen /dev/sda6 pvcrypt
if grep -q splash /proc/cmdline; then
       /sbin/usplash -c &
       sleep 1
fi

Make these scripts executable by root.

# chmod +x /etc/mkinitramfs/hooks/pvcrypt
# chmod +x /etc/mkinitramfs/scripts/local-top/pvcrypt

Now build a new initrd image: # update-initramfs -u ALL

Encrypt the data partition

Check the future encrypted LVM physical partition for errors. This will take several minutes for each partition. This fills each partition with pseudorandom data from the not-so-random libc pseudorandom sourc # /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda6 Fill the partitions with random data. This may take 4 hours for the large partition. The /dev/urandom source is a good source of randomization that should prevent attackers from being able to determine where data actually resides on the encrypted filesystem, which would help them know what they should try to decrypt. The /dev/random source is even better, but it might take hundreds of years to fill the disk from it. # dd if=/dev/urandom of=/dev/sda6 Create the encryption key for the partition.

# cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda6
# cryptsetup luksOpen /dev/sda6 pvcrypt

Make an LVM physical volume, volume group, and logical volumes on the encrypted partition. The size of 9938 happens to be how much is left on my logical partition.

# pvcreate /dev/mapper/pvcrypt
  Physical volume "/dev/mapper/pvcrypt" successfully created
# vgcreate vgcrypt /dev/mapper/pvcrypt
  Volume group "vgcrypt" successfully created
# lvcreate -n lvroot -L 8G vgcrypt
  Logical volume "lvroot" created
# lvcreate -n lvswap -L 1G vgcrypt
  Logical volume "lvswap" created
# lvcreate -n lvhome -l 9938 vgcrypt
  Logical volume "lvhome" created

Put a filesystem on each volume.

# mkfs.ext3 /dev/mapper/vgcrypt-lvroot
# mkfs.ext3 /dev/mapper/vgcrypt-lvhome
# mkswap /dev/mapper/vgcrypt-lvswap

Populate the encrypted volumes.

# mkdir /mnt/root
# mkdir /mnt/home
# mount /dev/mapper/vgcrypt-lvroot /mnt/root
# mount /dev/mapper/vgcrypt-lvhome /mnt/home
# cp -ax / /mnt/root
# rm -rf /mnt/root/home/*
# cp -ax /home/* /mnt/home

Edit /mnt/root/etc/fstab. First change this line /dev/sda1 / ext3 defaults,errors=remount-ro 0 1 to /dev/mapper/vgcrypt-lvroot / ext3 defaults,errors=remount-ro 0 1 And add these lines:

/dev/mapper/vgcrypt-lvhome /home	ext3	defaults			0	1
/dev/mapper/vgcrypt-lvswap none	swap	sw				0	0

Add this to the bottom of /boot/grub/menu.lst. (hd0,4) refers to the boot partition, /dev/sda5.

title           Cryptotest
root            (hd0,4)
kernel          /vmlinuz-<your kernel version here> root=/dev/mapper/vgcrypt-lvroot ro
initrd          /initrd.img-<your kernel version here>
savedefault
boot

Check the kernel version with uname -r. For example, it may be "2.6.15-26-server". Reboot to test by typing sudo reboot. Press ESC to enter the GRUB menu and select Cryptotest. The boot process will stop waiting for the encrypted partition's passphrase. The prompt will probably be hard to see because of a lot of debugging information on the console. If all goes well, then continue. Otherwise seek help or figure out what went wrong. Edit /boot/grub/menu.lst to remove the lines we added at the end, and change the line that has # kopt=root=/dev/sda1 ro to # kopt=root=/dev/mapper/vgcrypt-lvroot ro Then run $sudo update-grub Finally make a backup key file for unencrypting the drive. Insert a blank USB thumb drive.

$ sudo dd if=/dev/random of=/media/<usbdrive>/pvcrypt-$(whoami)-key bs=1 count=256
$ sudo cryptsetup luksAddKey /dev/sda6 /media/<usbdrive>/pvcrypt-$(whomai)-key

Wipe the old partition. # /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda1

Notes

Those who do not want a large leftover partition on sda1 can make one as small as 600MB and install the server version of Ubuntu instead, or even make the /boot partition 600MB and just install the root partition there initially. Gnome will popup a notice that it has found an encrypted partition. Cancel the dialog. It seems that /sbin/partprobe causes this dialog to popup. Any advice on getting rid of this would be appreciated.