UbuntuHelp:EncryptedFilesystemOnFeisty

This page is tagged Unsupported.

Please refer to EncryptedFilesystems for further documentation.

Consider reading through EncryptedRootWithInstallerOnFeisty along with this page. Here are the requirements for this HOWTO:

  • Should be based on FeistyFawn.
  • Encrypt everything except /boot. (The kernel and initramfs on /boot stay in the clear, so this protects your data at rest; it does not protect the boot partition itself against tampering.)
  • For fresh installations only. The entire disk will be erased.
  • No temporary installation either. We want to install directly to the encrypted disk.
  • Network-based installation. A live-cd will only be used to set up the encrypted disks and bootstrap the installation.
  • No theoretical explanations. You will find whatever you need in the other HOWTOs.
  • Everything in one filesystem. No separate /home.

Before we begin, a few warnings:

  • This HOWTO will tell you to wipe any existing installation. Back-up all your data!
  • There may be errors in this HOWTO. You should NOT follow this HOWTO without enough understanding to get yourself out of unexpected trouble. Reading the other HOWTOs is a good start...
  • This HOWTO has now been tested with VMware Workstation 6. Other hardware may or may not give the same results.
  • Older versions of this HOWTO included some bugs that made it impossible to boot the newly installed system. Make sure you're using the latest version.

Ok, then... Let's start.

The livecd

First, boot from a live CD. An Edgy disc should probably work too, but this has only been tested with Feisty. Configure networking, keyboard, proxy and whatever else you need for Internet access and a working terminal. (Hint: if you're behind a proxy, set the http_proxy environment variable: export http_proxy=http://proxy:port/)

Start a terminal and edit /etc/apt/sources.list to add the universe repository. (Remember sudo!) You may want to use a mirror close to you instead of archive.ubuntu.com; the examples on this page use no.archive.ubuntu.com. Install cryptsetup, gparted and debootstrap:

sudo aptitude update && sudo aptitude install cryptsetup gparted debootstrap

Use gparted to partition your drive. You will need at least 100 MB for /boot (ext3), about twice your amount of RAM for swap, and the usual minimum for your encrypted root filesystem. From now on, I assume /boot is /dev/sda1, the encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6. Exit gparted and unmount the newly created filesystems by right-clicking on them on your desktop (the live CD automounts them). Then load some modules:

sudo modprobe dm_crypt
sudo modprobe sha256
sudo modprobe aes_i586   # 32-bit x86; on amd64 use aes_x86_64 (or the generic aes module)
# or, all at once:
for mod in dm_crypt sha256 aes_i586; do sudo modprobe $mod; done

Use LUKS to encrypt your root partition. If you want key storage on a USB disk, smartcard or anything else, see the other LUKS-based guides mentioned at the top of this document. The cipher specification below (aes-cbc-essiv:sha256 with a 128-bit key) was the usual choice when this page was written; current cryptsetup versions default to aes-xts-plain64 with a larger key. Whatever you pick, remember to choose a good passphrase, as it will probably be the weakest link in the setup...

sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda6
sudo cryptsetup luksOpen /dev/sda6 root

If cryptsetup fails, you probably forgot to unmount the automounted partitions. Create a filesystem and mount it and the /boot partition:

sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/root
sudo mkdir /mnt/newroot
sudo mount /dev/mapper/root /mnt/newroot
sudo mkdir /mnt/newroot/boot
sudo mount /dev/sda1 /mnt/newroot/boot

Basic installation

It's time to do the installation, but don't start the wizard at your desktop. You need to use debootstrap.

sudo debootstrap feisty /mnt/newroot http://no.archive.ubuntu.com/ubuntu # Choose a mirror close to you.

After a few minutes, you should have a basic installation of FeistyFawn in your encrypted root. But don't pat yourself on the back yet, as the installation is too basic to even boot. All you can do is chroot into it and start configuring and installing packages:

sudo cp /etc/apt/sources.list /mnt/newroot/etc/apt/sources.list
sudo /etc/init.d/acpid stop # Your chroot will eventually want to run its own.
sudo /etc/init.d/acpi-support stop
sudo mount --bind /dev /mnt/newroot/dev
sudo mount --bind /proc /mnt/newroot/proc
sudo mount --bind /sys /mnt/newroot/sys
sudo umount /mnt/newroot/boot
sudo chroot /mnt/newroot
export LANG=C
mount /dev/sda1 /boot
mkdir /home/ubuntu # To get rid of some annoying vim errors. Skip if wanted, and delete when done.

Set up /etc/kernel-img.conf:

do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no
postinst_hook = update-grub
postrm_hook   = update-grub

Install and upgrade basic packages:

aptitude update
aptitude upgrade
aptitude install grub linux-image-generic bsdmainutils cryptsetup

Set up /etc/crypttab. Make sure you use the same target name for the root filesystem as you did in the luksOpen command above; if not, cryptsetup will fail at first boot. Be aware of what the swap entry does: the key is read from /dev/random at every boot and the device is re-created with mkswap, so the swap cannot hold a hibernation image, /dev/random may block at first boot until the kernel has gathered enough entropy (/dev/urandom does not block), and if /dev/sda5 ever names a different partition, that partition is destroyed.

# <target name> <source device>         <key file>      <options>
swap            /dev/sda5               /dev/random     swap
root            /dev/sda6               none            luks

/etc/fstab: (Again, double-check the names used.)

proc                    /proc   proc    defaults                        0       0
/dev/mapper/root        /       ext3    defaults,errors=remount-ro      0       0
/dev/sda1               /boot   ext3    defaults                        0       1
/dev/mapper/swap        swap    swap    defaults                        0       0
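The two tables above have to agree with each other: every /dev/mapper/<name> in /etc/fstab needs a crypttab target of exactly that name, and a mismatch only shows up as a failed first boot. As an added check that is not part of the original HOWTO, the script below cross-checks a crypttab against an fstab and also warns about the two hazards of the swap entry (the blocking /dev/random key file, and a random-key swap on a bare /dev/sdX device that gets mkswap-ed at every boot). The sample tables in demo() are the ones from this page, written to a temporary directory; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): cross-check a crypttab against
# an fstab before the first boot of the new system. From the live CD, run
#   check_crypt_config /mnt/newroot/etc/crypttab /mnt/newroot/etc/fstab

# Print the <target name> column of a crypttab, skipping comments and blanks.
crypttab_targets() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$1"
}

# Print the <name> part of every /dev/mapper/<name> device used in an fstab.
fstab_mapper_names() {
    awk '$1 ~ /^\/dev\/mapper\// { sub("^/dev/mapper/", "", $1); print $1 }' "$1"
}

# Return 0 if every /dev/mapper/<name> in fstab has a crypttab target of that
# name, 1 otherwise (errors go to stderr). Additionally warn about:
#  - a /dev/random key file, which blocks until the kernel has gathered
#    entropy (the apparent "hang" at first boot described on this page);
#  - a random-key swap entry, which runs mkswap on its source device at every
#    boot, so a hd*/sd* rename could wipe a different partition.
check_crypt_config() {
    crypttab=$1
    fstab=$2
    rc=0
    for name in $(fstab_mapper_names "$fstab"); do
        if ! crypttab_targets "$crypttab" | grep -qx "$name"; then
            echo "ERROR: fstab uses /dev/mapper/$name but crypttab has no target '$name'" >&2
            rc=1
        fi
    done
    awk '$1 !~ /^#/ && NF >= 4 {
        if ($3 == "/dev/random")
            print "WARNING: " $1 ": key file /dev/random may block at boot; /dev/urandom does not"
        if ($4 ~ /(^|,)swap(,|$)/ && $2 ~ /^\/dev\/[sh]d/)
            print "WARNING: " $1 ": random-key swap on " $2 " is re-created with mkswap at every boot; a device rename would destroy another partition"
    }' "$crypttab" >&2
    return $rc
}

# Demo with the crypttab and fstab from this page (constructed sample input).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/crypttab" <<'EOF'
# <target name> <source device>         <key file>      <options>
swap            /dev/sda5               /dev/random     swap
root            /dev/sda6               none            luks
EOF
    cat > "$dir/fstab" <<'EOF'
proc                    /proc   proc    defaults                        0       0
/dev/mapper/root        /       ext3    defaults,errors=remount-ro      0       0
/dev/sda1               /boot   ext3    defaults                        0       1
/dev/mapper/swap        swap    swap    defaults                        0       0
EOF
    check_crypt_config "$dir/crypttab" "$dir/fstab"
    status=$?
    rm -rf "$dir"
    return $status
}

demo && echo "crypttab and fstab are consistent"
```

With the tables from this page the check passes and prints the two warnings; had the root been opened as "cryptroot" but listed as /dev/mapper/root in fstab, it would report the mismatch and exit 1, which is exactly the failure you would otherwise only see at first boot.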

/etc/network/interfaces:

auto lo
iface lo inet loopback

Configure the console:

dpkg-reconfigure console-setup # Install if needed

Make sure your initramfs is correct:

update-initramfs -u

Install grub:

grub-install --recheck hd0,0
update-grub
grub-install hd0

Remove quiet and splash from the defoptions line in /boot/grub/menu.lst (so that boot messages and the passphrase prompt are visible) and run update-grub again. Install some important packages:

aptitude install ubuntu-standard ubuntu-minimal

You may want to install openssh-server, too. :) Install (k)ubuntu-desktop:

aptitude install ubuntu-desktop
killall acpid
dpkg --configure -a # Make sure this does not return any errors.

Create a user for yourself:

adduser --add_extra_groups username
adduser username adm
adduser username admin

Run visudo and add this just under the entry for root:

%admin  ALL=(ALL) ALL

Boot your encrypted system

Restart (make sure your new filesystems are unmounted first) and boot into your new system. You should be asked for your passphrase by cryptsetup.

If your boot partition is not the first partition on the first disk, you may need to edit the root line of the GRUB entry if GRUB reports "Error 17: Cannot mount selected partition". Change it to (hdX,Y), where X is the index of your disk and Y the index of the boot partition (both count from zero, so the second partition on the first disk is (hd0,1)). You may also need to remove the "/boot" prefix from the kernel and initrd lines, since the boot partition itself does not contain a boot folder. If GRUB complains about a file it can't find, press ESC, edit the entry, go down to the savedefault line, press d to delete it and b to boot. Then reinstall GRUB once booted.

Your system may seem to hang while setting up the encrypted devices. This is because it is waiting for random data (the swap key is read from /dev/random). Press a few keys, and it will continue.

Be aware that your new system is not as completely configured as after a normal installation, so you will have to do some configuration after first boot. Here's a list to get you started. You will find tools for this in the System menu in Ubuntu.

  • Hostname.
  • Other network parameters and DNS. (If you don't want to use network manager for that.)
  • Web proxy if needed.
  • Date, time and time zone. (NTP if wanted)
  • Localization. (Language packs, default language.)
  • Software repositories (multiverse, updates, backports...) and keys used to sign the archives.
  • Non-free drivers. (NVIDIA/ATI-cards)

You may also want to make sure your Mail Transfer Agent (exim, postfix, ...) is set up correctly. When upgrading kernels, be sure to keep your old kernel. Some versions of the Linux kernel change disk names from /dev/hd* to /dev/sd*, and others the other way round. This breaks /etc/crypttab (and /etc/fstab) when they refer to the partitions by device name, and with the random-key swap entry above it can also mean mkswap being run on whatever partition /dev/sda5 now points to. Installing Feisty kernel 2.6.20-16 appears to have this problem, and installing that kernel while working from a 2.6.20-15 live CD may result in "cryptsetup: Source device /dev/sda* not found" at the end of the process. Referring to the partitions by a stable identifier (a UUID or a /dev/disk/by-id path) avoids this, where your version of cryptsetup supports it.