UbuntuHelp:EncryptedFilesystemOnIntrepid

1. title Encrypted Root and Swap with LUKS on Ubuntu 8.10

{i} Please refer to EncryptedFilesystems for further documentation.

This guide will help you install Ubuntu 8.10, the Intrepid Ibex, to an encrypted partition. The swap partition is also encrypted. When it's finished, you will need to enter the passphrase when the system boots. There is more indepth information about encrypted filesystems here: EncryptedFilesystemHowto NOTE: You can also achieve the same setup using the Alternate Installer which allows encryption of the root file system and swap, all through an easy-to-use graphical interface. If you wish to install using your entire hard drive, there's even an automatic option in which the installer will create the necessary LVM volumes and partition your drive for you. Download Alternate Installer Here Alternatively, the EncryptedFilesystemLVMHowto will allow you to create the encrypted partitions, install Ubuntu, and configure the system all from the Live CD without the need for a minimal install.

Summary

Steps to perform:

• Perform a minimal server install
• Create encrypted partition and copy minimal install to it
• Modify grub's menu.lst and fstab

Files to create and modify:

• /etc/initramfs-tools/modules
• /etc/initramfs-tools/hooks/cryptoroot
• /etc/initramfs-tools/scripts/local-top/cryptoroot
• /etc/fstab
• /boot/grub/menu.lst
• /etc/crypttab

Extra packages that will be installed:

• cryptsetup
• hashalot
• initramfs-tools

Changes from the 8.04 version:

• chvt has moved from /usr/bin/chvt to /bin/chvt, so /etc/initramfs-tools/hooks/cryptoroot needed to be modified.

Gather materials

You will need:

• Computer
• Ubuntu server install CD
• Paper and writing instrument
• Internet access

Make a partition plan

You need to establish four partitions for this operation. They may be created in addition to Windows partitions or other operating systems. Some knowledge of hard disk devices and partitioning is necessary. Note the the "miniroot" partition is where a minimal system will first be installed. It's small, because it only needs to be operational long enough to set up the final, encrypted root partition.

Purpose	Initial mount point	Size	Format
Boot	/boot	100 MB	ext3
Swap	n/a	Double the amount of RAM on the system	swap
Cryptoroot	"do not use"	10 GB+, up to all free space	n/a
Miniroot	/	512 MB	ext3

You will create these partitions while running the Ubuntu installer (if not before). It's ok to wait until that point before figuring out what you're going to do. However, once they created, you should definitely write down the device names of all four. You will need this information later on. I will refer to these partitions in bold, italic capital letters: CRYPTOROOT, MINIROOT, SWAP, and BOOT. When you see them in the instructions below, substitute the correct device name. Here is an example, using a system that was entirely devoted to Ubuntu. It had 256 MB RAM, so the size of the swap partition was 512 MB. After the boot, swap, and miniroot partitions were created, the remainder of the disk was set aside for the eventual encrypted root partition.

Partition	Initial mount point	Size	Format
/dev/sda1	/boot	100 MB	ext3
/dev/sda2	swap	512 MB	swap
/dev/sda3	/	512 MB	ext3
/dev/sda4	"do not use"	18.9 GB	n/a

In this example, CRYPTOROOT would be replaced with /dev/sda4.

Perform initial install

• Boot up the system using the server install CD.
• Create the partitions as advised above, and write them down.
• Complete the installation. Don't install any extra software (such as DNS server, etc.).

Become root

• Reboot to the newly-installed system.
• Log in as the user you created.
• Enter "sudo -i" in order to become root.

The rest of the commands in this guide need to be executed with root privileges. "sudo -i" allows you to do that without typing "sudo" before each one.

Install additional packages

• Enable the universe repository (see CommandLine)
• Install the following packages (see InstallingSoftware)

apt-get install cryptsetup hashalot initramfs-tools

Set up the initial ramdisk

Explanation: When your system is fully set up, it won't be able to boot directly to the encrypted partition because, well, it's encrypted. Software and the decryption key would both be needed. The solution is to have a small unencrypted partition that boots at first. It contains only system software (not your data), so it's alright for it to be unencrypted. The form of this software is a ramdisk. It's a mini-system that can do things like initialize devices and ask you for the passphrase to decrypt the main root partition.

• Edit /etc/initramfs-tools/modules. Add the following lines:

dm_mod
dm_crypt
sha256

Note: if using Ubuntu 9.04 (9.10) sha256 is named sha256_generic. Replace every occurrence you find in this article.

• Create /etc/initramfs-tools/hooks/cryptoroot:

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

if [ ! -x /sbin/cryptsetup ]; then
        exit 0
fi

. /usr/share/initramfs-tools/hook-functions

mkdir -p ${DESTDIR}/etc/console-setup
cp /etc/console-setup/boottime.kmap.gz ${DESTDIR}/etc/console
copy_exec /bin/loadkeys /bin
copy_exec /bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin
copy_exec /sbin/vol_id /sbin

Note: if using Ubuntu 9.10 /sbin/vol_id is replaced with /sbin/blkid. Replace every occurrence you find in this article.

• Create /etc/initramfs-tools/scripts/local-top/cryptoroot, be careful if using Ubuntu 9.04 or newer version and change the -Q option at the modprobe line for -q:

#!/bin/sh

PREREQ="udev"

prereqs()
{
        echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
        prereqs
        exit 0
        ;;
esac

/bin/loadkeys -q /etc/console-setup/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb sha256

# The following command will ensure that the kernel is aware of
# the partition before we attempt to open it with cryptsetup.
/sbin/udevadm settle

if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi
/sbin/cryptsetup luksOpen CRYPTOROOT cryptoroot
if grep -q splash /proc/cmdline; then
       /sbin/usplash -c &
       sleep 1
fi

• Make the created files executable:

chmod +x /etc/initramfs-tools/hooks/cryptoroot
chmod +x /etc/initramfs-tools/scripts/local-top/cryptoroot

• Update the initrd:

update-initramfs -u

Create the encrypted partition

• Load up the appropriate kernel modules:

modprobe dm_crypt
modprobe sha256

• Format and encrypt your partition:

luksformat -t ext3 CRYPTOROOT

You should see something like this:

Creating encrypted device on /dev/hda3...

WARNING!
========
This will owerwrite data on /dev/hda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Please enter your passphrase again to verify it
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mke2fs 1.38 (30-Jun-2005)
.....

Your encrypted partition is now created and formated.

Mount the partition for setup

cryptsetup luksOpen CRYPTOROOT cryptoroot
mkdir /mnt/target
mount /dev/mapper/cryptoroot /mnt/target
cp -avx / /mnt/target

The copy process should take about two minutes for a server profile (depends on your hardware).

Change target's fstab to mount the encrypted root

You need to modify /mnt/target/etc/fstab. You should find a section that refers to the "miniroot" partition, and mounts it at /. This must be changed to use the cryptoroot device instead. It looks something like this:

# MINIROOT
UUID=43d7895d-e74c-4483-a55a-9b73de17f19e /               ext3    defaults,errors=remount-ro 0     1

That UUID must be replaced with the one that refers to your cryptoroot device.

• Determine the UUID of your cryptoroot device.

vol_id -u /dev/mapper/cryptoroot

• Determine the UUID of your cryptoroot device on Ububtu 9.10.

blkid | grep /dev/mapper/cryptoroot

• Edit /mnt/target/etc/fstab. In the section that mounts /, replace the UUID with the one you just got for /dev/mapper/cryptoroot.

Configure grub for testing

This will only allow you to test the cryptoroot - it won't be installed as the default boot option yet.

• Edit /boot/grub/menu.lst. Add following after the line containing ### END DEBIAN AUTOMAGIC KERNELS LIST:

title           Cryptotest
root            GRUB-ROOT
kernel          /vmlinuz-<your kernel version here> root=CRYPTOROOT-UUID ro
initrd          /initrd.img-<your kernel version here>
savedefault
boot

Three of the above values can be copied from boot stanzas in the automatic section, before "### END DEBIAN AUTOMAGIC KERNELS LIST":

• GRUB-ROOT - this is something like (hd0,0)
• The kernel - something like /vmlinuz-VERSION-server
• The initrd - something like /initrd.img-VERSION-server

The CRYPTOROOT-UUID is the same as the one you put into /etc/fstab, which was retrieved by entering "vol_id -u /dev/mapper/cryptoroot".

Reboot for testing

reboot

Now, after all your BIOS mumbo-jumbo, you should look very carefully and when you see following prompt:

GRUB Loading stage 1.5.

GRUB Loading, please wait...
Press `ESC` to enter the menu

Press ESC and select last option, namely "Cryptotest" Now you will see lots of kernel debugging info, since we didn't add quiet option to kernel options. It's ok. At some point you will see the prompt:

Enter LUKS passphrase:

Enter it. Now you have booted from crypted partition. If something goes Very Wrong (tm), don't panic. You still have unencrypted partition to boot from. Note :if you are installing the encrypted root on a USB stick or other slow devices LUKS may fail complaining about a filesystem not found and the kernel will eventually drop you in a shell. This is due to the long setting time of the device. To solve it reboot with the unencrypted partition, go back to the steps needed to setup the initial ramdisk and add (interval may change depending on device speed):

sleep 10

in the file

/etc/initramfs-tools/scripts/local-top/cryptoroot

just before the line

/sbin/cryptsetup luksOpen CRYPTOROOT cryptoroot

thus giving to the USB filesytem enough time to settle. Copy the modified file on the encrypted partition, otherwise the same problem will happen at every kernel upgrade.

Cryptoswap

Let's enable the swap partition. Firstly, your current /etc/fstab may have been set to enable the swap partition. Therefore, it has already been mounted (unencrypted) and must be unmounted before you can proceed.

umount SWAP

Edit /etc/crypttab. Use the name of the partition you set aside for swap in place of SWAP.

cryptoswap      SWAP       /dev/urandom    swap

Edit /etc/fstab. Add following lines:

# Encrypted swap partition
/dev/mapper/cryptoswap  none    swap    sw      0       0

Now, you need to destroy your filesystem on the swap partition (if you don't destroy it explicitely, the safety check of the following command will refuse to create your "cryptoswap" on it):

dd if=/dev/urandom of=SWAP count=100

Finally, create the swap and activate it:

invoke-rc.d cryptdisks restart
swapon /dev/mapper/cryptoswap

Did it work? Check it:

swapon -s

You should see:

Filename                           Type           Size         Used  Priority
/dev/mapper/cryptoswap             partition      XXXXXXXX     0     -2

The exact details don't matter. You just want to ensure that "/dev/mapper/cryptoswap" is in there.

• Edit /etc/fstab.
• If the swap partition was enabled automatically, you need to turn that off. (Reason: it now has the wrong UUID and won't work.) Comment out the existing swap line.
• Add your own line:

/dev/mapper/cryptoswap none swap sw 0 0

Finishing

Now that the system is tested, it's time to set it up as the default in grub.

• Edit /boot/grub/menu.lst.
• Remove the "Cryptotest" stanza that you added earlier.
• Look above to find a line like this (with a specific UUID instead of XXXs):

# kopt=root=UUID=XXXXXXXXXXXXXXXXXXXXXXXXXXXX ro

• • Replace this with the following, using the actual UUID of /dev/mapper/cryptoroot:

# kopt=root=UUID=CRYPTOROOT-UUID ro

Reinstall grub:

update-grub

Reboot:

reboot

---