Special:Badtitle/NS100:EncryptedFilesystemHowto6: Difference between revisions
m New page: {{From|https://help.ubuntu.com/community/EncryptedFilesystemHowto6}} {{Languages|UbuntuHelp:EncryptedFilesystemHowto6}} This is the ninth encrypted filesystem HOWTO. You may wonder why we... |
m No edit summary |
||
(5 intermediate revisions by the same user not shown) | |||
第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/EncryptedFilesystemHowto6}} | {{From|https://help.ubuntu.com/community/EncryptedFilesystemHowto6}} | ||
{{Languages|UbuntuHelp:EncryptedFilesystemHowto6}} | {{Languages|UbuntuHelp:EncryptedFilesystemHowto6}} | ||
{|border="1" cellspacing="0" | |||
| {i} Please refer to [[UbuntuHelp:EncryptedFilesystems|EncryptedFilesystems]] for further documentation. | |||
|} | |||
Consider reading through [[UbuntuHelp:EncryptedRootWithInstallerOnFeisty|EncryptedRootWithInstallerOnFeisty]] along with this page. | |||
* Should be based on FeistyFawn. | Here's the requirements for this howto: | ||
* Should be based on [[UbuntuHelp:FeistyFawn|FeistyFawn]]. | |||
* Encrypt everything, except /boot. | * Encrypt everything, except /boot. | ||
* For fresh installations only. The entire disk will be erased. | * For fresh installations only. The entire disk will be erased. | ||
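Review bot: the new intro line "Here's the requirements for this howto:" has a number-agreement slip; make it "Here are the requirements for this howto:". The added info box and the FeistyFawn link markup otherwise read fine.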
第12行: | 第13行: | ||
* No theoretical explanations. You will find whatever you need in the other HOWTOs. | * No theoretical explanations. You will find whatever you need in the other HOWTOs. | ||
* Everything in one filesystem. No separate /home. | * Everything in one filesystem. No separate /home. | ||
Before we begin, a few warnings: | Before we begin, a few warnings: | ||
* This HOWTO will tell you to wipe any existing installation. '''Back-up all your data'''! | * This HOWTO will tell you to wipe any existing installation. '''Back-up all your data'''! | ||
* There may be errors in this HOWTO. You should '''NOT''' follow this HOWTO without enough understanding to get yourself out of unexpected trouble. Reading the other HOWTOs is a good start... | * There may be errors in this HOWTO. You should '''NOT''' follow this HOWTO without enough understanding to get yourself out of unexpected trouble. Reading the other HOWTOs is a good start... | ||
* This HOWTO has now been tested with VMware Workstation 6. Other hardware may or may not give the same results. | * This HOWTO has now been tested with [[UbuntuHelp:VMware|VMware]] Workstation 6. Other hardware may or may not give the same results. | ||
* Older versions of this HOWTO included some bugs that made it impossible to boot the newly installed system. Make sure you're using the latest version. | * Older versions of this HOWTO included some bugs that made it impossible to boot the newly installed system. Make sure you're using the latest version. | ||
Ok, then... Let's start. | Ok, then... Let's start. | ||
=== The livecd === | === The livecd === | ||
First, boot from a live CD. I guess an Edgy-disc should work, but I have only tested with Feisty. | First, boot from a live CD. I guess an Edgy-disc should work, but I have only tested with Feisty. | ||
Configure networking, keyboard, proxy and whatever you need to have Internet access and a way to work with a terminal. (Hint: If you're behind a proxy, set the http_proxy environment variable: <code><nowiki>export http_proxy=http://proxy:port/</nowiki></code>) | Configure networking, keyboard, proxy and whatever you need to have Internet access and a way to work with a terminal. (Hint: If you're behind a proxy, set the http_proxy environment variable: <code><nowiki>export http_proxy=http://proxy:port/</nowiki></code>) | ||
Start a terminal and edit /etc/apt/sources.list to add the universe repository. (Remember sudo!) You may want to change to a mirror close to you instead of archive.ubuntu.com. To me, it's no.archive.ubuntu.com. | Start a terminal and edit /etc/apt/sources.list to add the universe repository. (Remember sudo!) You may want to change to a mirror close to you instead of archive.ubuntu.com. To me, it's no.archive.ubuntu.com. | ||
Install cryptsetup, gparted and debootstrap: | Install cryptsetup, gparted and debootstrap: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo aptitude update && sudo aptitude install cryptsetup gparted debootstrap | sudo aptitude update && sudo aptitude install cryptsetup gparted debootstrap | ||
</nowiki></pre> | </nowiki></pre> | ||
Use gparted to partition your drive. You will need >= 100 MB for /boot (ext3), twice your amount of RAM for swap and the usual minimum for your encrypted root filesystem. From now on, I assume /boot is /dev/sda1, encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6. | Use gparted to partition your drive. You will need >= 100 MB for /boot (ext3), twice your amount of RAM for swap and the usual minimum for your encrypted root filesystem. From now on, I assume /boot is /dev/sda1, encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6. | ||
Exit gparted and unmount the newly created filesystems by right-clicking on them on your desktop. | Exit gparted and unmount the newly created filesystems by right-clicking on them on your desktop. | ||
Then load some modules: | Then load some modules: | ||
<pre><nowiki> | <pre><nowiki> | ||
第46行: | 第34行: | ||
sudo modprobe sha256 | sudo modprobe sha256 | ||
sudo modprobe aes_i586 | sudo modprobe aes_i586 | ||
# or... | |||
for mod in dm_crypt sha256 aes_i586; do modprobe $mod; done | |||
</nowiki></pre> | </nowiki></pre> | ||
Use LUKS to encrypt your root partition. If you want key storage on an USB-disk, smartcard or anything else, see the other LUKS-based guides mentioned at the top of this document. Remember to choose a good passphrase, as this probably will be the weakest link in the setup... | Use LUKS to encrypt your root partition. If you want key storage on an USB-disk, smartcard or anything else, see the other LUKS-based guides mentioned at the top of this document. Remember to choose a good passphrase, as this probably will be the weakest link in the setup... | ||
<pre><nowiki> | <pre><nowiki> | ||
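Review bot: the added loop `for mod in dm_crypt sha256 aes_i586; do modprobe $mod; done` omits the sudo that the three separate modprobe lines above it carry; run as the live-CD user it loads nothing. Suggest `for mod in dm_crypt sha256 aes_i586; do sudo modprobe $mod; done`, or wrap the whole loop in `sudo sh -c '...'`.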
第53行: | 第42行: | ||
sudo cryptsetup luksOpen /dev/sda6 root | sudo cryptsetup luksOpen /dev/sda6 root | ||
</nowiki></pre> | </nowiki></pre> | ||
If cryptsetup fails, you probably forgot to unmount the automounted partitions. | |||
Create a filesystem and mount it and the /boot partition: | Create a filesystem and mount it and the /boot partition: | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/root | sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/root | ||
第63行: | 第51行: | ||
sudo mount /dev/sda1 /mnt/newroot/boot | sudo mount /dev/sda1 /mnt/newroot/boot | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Basic installation === | === Basic installation === | ||
It's time to do the installation, but don't start the wizard at your desktop. You need to use debootstrap. | It's time to do the installation, but don't start the wizard at your desktop. You need to use debootstrap. | ||
<pre><nowiki> | <pre><nowiki> | ||
sudo debootstrap feisty /mnt/newroot http://no.archive.ubuntu.com/ubuntu # Choose a mirror close to you. | sudo debootstrap feisty /mnt/newroot http://no.archive.ubuntu.com/ubuntu # Choose a mirror close to you. | ||
</nowiki></pre> | </nowiki></pre> | ||
After a few minutes, you should have a basic installation of [[UbuntuHelp:FeistyFawn|FeistyFawn]] in your encrypted root. But don't pat yourself on your back yet, as the installation is ''too'' basic to even boot. All you can do is chroot into it and start configuring and installing packages: | |||
After a few minutes, you should have a basic installation of FeistyFawn in your encrypted root. But don't pat yourself on your back yet, as the installation is ''too'' basic to even boot. All you can do is chroot into it and start configuring and installing packages: | |||
<pre><nowiki> | <pre><nowiki> | ||
sudo cp /etc/apt/sources.list /mnt/newroot/etc/apt/sources.list | sudo cp /etc/apt/sources.list /mnt/newroot/etc/apt/sources.list | ||
第86行: | 第70行: | ||
mkdir /home/ubuntu # To get rid of some annoying vim errors. Skip if wanted, and delete when done. | mkdir /home/ubuntu # To get rid of some annoying vim errors. Skip if wanted, and delete when done. | ||
</nowiki></pre> | </nowiki></pre> | ||
Set up /etc/kernel-img.conf: | |||
Install basic packages: | <pre><nowiki> | ||
do_symlinks = yes | |||
relative_links = yes | |||
do_bootloader = no | |||
do_bootfloppy = no | |||
do_initrd = yes | |||
link_in_boot = no | |||
postinst_hook = update-grub | |||
postrm_hook = update-grub | |||
</nowiki></pre> | |||
Install and upgrade basic packages: | |||
<pre><nowiki> | <pre><nowiki> | ||
aptitude update | aptitude update | ||
aptitude upgrade | |||
aptitude install grub linux-image-generic bsdmainutils cryptsetup | aptitude install grub linux-image-generic bsdmainutils cryptsetup | ||
</nowiki></pre> | </nowiki></pre> | ||
Set up /etc/crypttab: (Make sure you're using the same name for the root filesystem as you did with the luksOpen-command above. If not, cryptsetup will fail at first boot.) | Set up /etc/crypttab: (Make sure you're using the same name for the root filesystem as you did with the luksOpen-command above. If not, cryptsetup will fail at first boot.) | ||
<pre><nowiki> | <pre><nowiki> | ||
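Review bot: the new kernel-img.conf hooks `postinst_hook = update-grub` and `postrm_hook = update-grub` are written before grub exists in the chroot, and the following block pulls in grub and linux-image-generic with a single aptitude call, so whether update-grub is present when the kernel's postinst hook fires is left to apt's configuration order. Suggest installing grub on its own first and the kernel afterwards, or saying that a hook failure at this point is harmless because update-grub is run again later. The added `aptitude upgrade` is a sensible addition given that the chroot reuses the live CD's sources.list.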
第101行: | 第93行: | ||
root /dev/sda6 none luks | root /dev/sda6 none luks | ||
</nowiki></pre> | </nowiki></pre> | ||
/etc/fstab: (Again, double-check the names used.) | /etc/fstab: (Again, double-check the names used.) | ||
<pre><nowiki> | <pre><nowiki> | ||
第109行: | 第100行: | ||
/dev/mapper/swap swap swap defaults 0 0 | /dev/mapper/swap swap swap defaults 0 0 | ||
</nowiki></pre> | </nowiki></pre> | ||
/etc/network/interfaces: | /etc/network/interfaces: | ||
<pre><nowiki> | <pre><nowiki> | ||
第115行: | 第105行: | ||
iface lo inet loopback | iface lo inet loopback | ||
</nowiki></pre> | </nowiki></pre> | ||
Configure the console: | Configure the console: | ||
<pre><nowiki> | <pre><nowiki> | ||
dpkg-reconfigure console-setup # Install if needed | dpkg-reconfigure console-setup # Install if needed | ||
</nowiki></pre> | </nowiki></pre> | ||
Make sure your initramfs is correct: | Make sure your initramfs is correct: | ||
<pre><nowiki> | <pre><nowiki> | ||
update-initramfs -u | update-initramfs -u | ||
</nowiki></pre> | </nowiki></pre> | ||
Install grub: | Install grub: | ||
<pre><nowiki> | <pre><nowiki> | ||
第132行: | 第119行: | ||
grub-install hd0 | grub-install hd0 | ||
</nowiki></pre> | </nowiki></pre> | ||
Remove ''quiet'' and ''splash'' from the ''defoptions''-line in /boot/grub/menu.lst and run <code><nowiki>update-grub</nowiki></code> again. | Remove ''quiet'' and ''splash'' from the ''defoptions''-line in /boot/grub/menu.lst and run <code><nowiki>update-grub</nowiki></code> again. | ||
Install some important packages: | |||
<pre><nowiki> | |||
aptitude install ubuntu-standard ubuntu-minimal | |||
</nowiki></pre> | |||
You may want to install openssh-server, too. :) | |||
Install (k)ubuntu-desktop: | Install (k)ubuntu-desktop: | ||
<pre><nowiki> | <pre><nowiki> | ||
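Review bot: the added "You may want to install openssh-server, too." means sshd is enabled on the new system's first boot with OpenSSH's default of password authentication, while the user account and its password are only created two blocks later; the note should tell the reader to choose a strong password (or place a key in ~/.ssh/authorized_keys) before the machine is reachable on the network. The ubuntu-standard/ubuntu-minimal step itself is fine.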
第141行: | 第131行: | ||
dpkg --configure -a # Make sure this does not return any errors. | dpkg --configure -a # Make sure this does not return any errors. | ||
</nowiki></pre> | </nowiki></pre> | ||
Create a user for yourself: | Create a user for yourself: | ||
<pre><nowiki> | <pre><nowiki> | ||
第148行: | 第137行: | ||
adduser username admin | adduser username admin | ||
</nowiki></pre> | </nowiki></pre> | ||
Run <code><nowiki>visudo</nowiki></code> and add this just under the entry for root: | Run <code><nowiki>visudo</nowiki></code> and add this just under the entry for root: | ||
<pre><nowiki> | <pre><nowiki> | ||
%admin ALL=(ALL) ALL | %admin ALL=(ALL) ALL | ||
</nowiki></pre> | </nowiki></pre> | ||
=== Boot your encrypted system === | === Boot your encrypted system === | ||
Restart (make sure your filesystems is unmounted) and boot into your new system. You should be asked for your passphrase by cryptsetup. | Restart (make sure your filesystems is unmounted) and boot into your new system. You should be asked for your passphrase by cryptsetup. | ||
If your boot partition is not the first partition on the first disk then you may need to edit the root line if Grub reports "Error 17: Cannot mount selected partition". Change it to hd(x,y) where x is the index of your disk and y is the index of the boot partition (first is zero, second is one, etc). | |||
You may also need to remove the "/boot" prefix from the kernel and initrd lines since the boot partition does not include a boot folder. | |||
If grub complains about a file it can't find, you may try to press ESC to edit the command, go down to ''savedefault'' and press '''d''' and '''b'''. Then, reinstall grub when booted. | If grub complains about a file it can't find, you may try to press ESC to edit the command, go down to ''savedefault'' and press '''d''' and '''b'''. Then, reinstall grub when booted. | ||
Your system may seem to hang while setting up encrypted devices. This is because it lacks random data. Press a few keys, and it will continue. | Your system may seem to hang while setting up encrypted devices. This is because it lacks random data. Press a few keys, and it will continue. | ||
Be aware that your new system is not as well configured as with a normal installation, so you have to do some configuration after first boot. Here's a list to get you started. You will find tools for this in the System menu in Ubuntu. | Be aware that your new system is not as well configured as with a normal installation, so you have to do some configuration after first boot. Here's a list to get you started. You will find tools for this in the System menu in Ubuntu. | ||
* Hostname. | * Hostname. | ||
* Other network parameters and DNS. (If you don't want to use network manager for that.) | * Other network parameters and DNS. (If you don't want to use network manager for that.) | ||
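Review bot: in the added Error 17 paragraph, `hd(x,y)` is not GRUB legacy syntax; the root line takes `(hdx,y)`, e.g. `root (hd0,0)`, which also matches the `hd0,0` argument given to grub-install elsewhere on the page. Suggest correcting the notation and quoting a complete example line.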
第171行: | 第155行: | ||
* Software repositories (multiverse, updates, backports...) and keys used to sign the archives. | * Software repositories (multiverse, updates, backports...) and keys used to sign the archives. | ||
* Non-free drivers. (NVIDIA/ATI-cards) | * Non-free drivers. (NVIDIA/ATI-cards) | ||
You may also want make sure your Mail Transfer Agent (exim, postfix, ...) is set up correctly. | You may also want make sure your Mail Transfer Agent (exim, postfix, ...) is set up correctly. | ||
When upgrading kernels, be sure to keep your old kernel. Some versions of the Linux kernel will change from <code><nowiki>/dev/hd*</nowiki></code> to <code><nowiki>/dev/sd*</nowiki></code> and others the other way. This will break /etc/cryptsetup. Installing Feisty kernel 2.6.20-16 appears to have this problem and installing that kernel while working from a 2.6.20-15 live CD may result in "cryptsetup: Source device /dev/sda* not found" at the end of the process. | |||
When upgrading kernels, be sure to keep your old kernel. Some versions of the Linux kernel will change from <code><nowiki>/dev/hd*</nowiki></code> to <code><nowiki>/dev/sd*</nowiki></code> and others the other way. This will break /etc/cryptsetup. | |||
---- | ---- | ||
[[category:CategorySecurity]] | [[category:CategorySecurity]] | ||
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] |
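Review bot: the rewritten kernel-upgrade paragraph still says the rename "will break /etc/cryptsetup"; the file configured earlier in the page is /etc/crypttab, and the quoted "cryptsetup: Source device /dev/sda* not found" is a crypttab source lookup failing. Suggest naming /etc/crypttab, and mentioning that on releases whose crypttab(5) accepts it the <source device> field can be written as UUID=... (or as a /dev/disk/by-id path for the random-key swap, which has no stable UUID) so that a hd*/sd* rename cannot break the LUKS root.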
Latest revision as of 15:39, 18 May 2009 (Mon)
Source: https://help.ubuntu.com/community/EncryptedFilesystemHowto6
{i} Please refer to EncryptedFilesystems for further documentation.
Consider reading through EncryptedRootWithInstallerOnFeisty along with this page.
Here are the requirements for this howto:
- Should be based on FeistyFawn.
- Encrypt everything, except /boot.
- For fresh installations only. The entire disk will be erased.
- No temporary installation either. We want to install directly to the encrypted disk.
- Network-based installation. A live-cd will only be used to set up the encrypted disks and bootstrap the installation.
- No theoretical explanations. You will find whatever you need in the other HOWTOs.
- Everything in one filesystem. No separate /home.
Before we begin, a few warnings:
- This HOWTO will tell you to wipe any existing installation. Back-up all your data!
- There may be errors in this HOWTO. You should NOT follow this HOWTO without enough understanding to get yourself out of unexpected trouble. Reading the other HOWTOs is a good start...
- This HOWTO has now been tested with VMware Workstation 6. Other hardware may or may not give the same results.
- Older versions of this HOWTO included some bugs that made it impossible to boot the newly installed system. Make sure you're using the latest version.
Ok, then... Let's start.
=== The livecd ===
First, boot from a live CD. I guess an Edgy-disc should work, but I have only tested with Feisty.
Configure networking, keyboard, proxy and whatever you need to have Internet access and a way to work with a terminal. (Hint: If you're behind a proxy, set the http_proxy environment variable: <code><nowiki>export http_proxy=http://proxy:port/</nowiki></code>)
Start a terminal and edit /etc/apt/sources.list to add the universe repository. (Remember sudo!) You may want to change to a mirror close to you instead of archive.ubuntu.com. To me, it's no.archive.ubuntu.com.
Install cryptsetup, gparted and debootstrap:
<pre><nowiki>
sudo aptitude update && sudo aptitude install cryptsetup gparted debootstrap
</nowiki></pre>
Use gparted to partition your drive. You will need >= 100 MB for /boot (ext3), twice your amount of RAM for swap and the usual minimum for your encrypted root filesystem. From now on, I assume /boot is /dev/sda1, encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6.
Exit gparted and unmount the newly created filesystems by right-clicking on them on your desktop.
Then load some modules:
<pre><nowiki>
sudo modprobe dm_crypt
sudo modprobe sha256
sudo modprobe aes_i586
# or... (sudo is needed inside the loop too; the live CD user is not root)
for mod in dm_crypt sha256 aes_i586; do sudo modprobe $mod; done
</nowiki></pre>
Use LUKS to encrypt your root partition. If you want key storage on an USB-disk, smartcard or anything else, see the other LUKS-based guides mentioned at the top of this document. Remember to choose a good passphrase, as this probably will be the weakest link in the setup...
<pre><nowiki>
sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda6
sudo cryptsetup luksOpen /dev/sda6 root
</nowiki></pre>
If cryptsetup fails, you probably forgot to unmount the automounted partitions.
Create a filesystem and mount it and the /boot partition:
<pre><nowiki>
sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/root
sudo mkdir /mnt/newroot
sudo mount /dev/mapper/root /mnt/newroot
sudo mkdir /mnt/newroot/boot
sudo mount /dev/sda1 /mnt/newroot/boot
</nowiki></pre>
=== Basic installation ===
It's time to do the installation, but don't start the wizard at your desktop. You need to use debootstrap.
<pre><nowiki>
sudo debootstrap feisty /mnt/newroot http://no.archive.ubuntu.com/ubuntu # Choose a mirror close to you.
</nowiki></pre>
After a few minutes, you should have a basic installation of FeistyFawn in your encrypted root. But don't pat yourself on your back yet, as the installation is too basic to even boot. All you can do is chroot into it and start configuring and installing packages:
<pre><nowiki>
sudo cp /etc/apt/sources.list /mnt/newroot/etc/apt/sources.list
sudo /etc/init.d/acpid stop # Your chroot will eventually want to run its own.
sudo /etc/init.d/acpi-support stop
sudo mount --bind /dev /mnt/newroot/dev
sudo mount --bind /proc /mnt/newroot/proc
sudo mount --bind /sys /mnt/newroot/sys
sudo umount /mnt/newroot/boot
sudo chroot /mnt/newroot
export LANG=C
mount /dev/sda1 /boot
mkdir /home/ubuntu # To get rid of some annoying vim errors. Skip if wanted, and delete when done.
</nowiki></pre>
Set up /etc/kernel-img.conf:
<pre><nowiki>
do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no
postinst_hook = update-grub
postrm_hook = update-grub
</nowiki></pre>
Install and upgrade basic packages:
<pre><nowiki>
aptitude update
aptitude upgrade
aptitude install grub linux-image-generic bsdmainutils cryptsetup
</nowiki></pre>
Set up /etc/crypttab: (Make sure you're using the same name for the root filesystem as you did with the luksOpen-command above. If not, cryptsetup will fail at first boot.)
<pre><nowiki>
# <target name> <source device> <key file> <options>
swap /dev/sda5 /dev/random swap
root /dev/sda6 none luks
</nowiki></pre>
/etc/fstab: (Again, double-check the names used.)
<pre><nowiki>
proc /proc proc defaults 0 0
/dev/mapper/root / ext3 defaults,errors=remount-ro 0 0
/dev/sda1 /boot ext3 defaults 0 1
/dev/mapper/swap swap swap defaults 0 0
</nowiki></pre>
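The two "double-check the names" warnings above (the crypttab target must match the name given to luksOpen, and every /dev/mapper name in fstab must match a crypttab target) can be checked mechanically before the first reboot. The script below is an added example, not part of the original HOWTO: it defines a check_crypt_names function and runs it over constructed copies of the crypttab and fstab shown above. On the live CD you would point it at /mnt/newroot/etc/crypttab and /mnt/newroot/etc/fstab (paths assumed from the earlier mount commands).

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): check that the device-mapper
# names in crypttab, fstab and the luksOpen command agree before the first reboot.
# Usage on the live CD:
#   check_crypt_names /mnt/newroot/etc/crypttab /mnt/newroot/etc/fstab root

# Target names from a crypttab file (first field), ignoring comments and blank lines.
crypttab_targets() {
    awk '!/^[[:space:]]*#/ && NF >= 4 { print $1 }' "$1"
}

# Mapper names that fstab mounts as /dev/mapper/NAME.
fstab_mapper_names() {
    awk '!/^[[:space:]]*#/ && $1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' "$1"
}

# Returns 0 when all three views agree, 1 (with one message per problem) otherwise.
check_crypt_names() {
    crypttab=$1; fstab=$2; luks_name=$3; rc=0
    # The name given to luksOpen must be a crypttab target, otherwise the initramfs
    # never creates /dev/mapper/$luks_name and the root filesystem cannot be mounted.
    if ! crypttab_targets "$crypttab" | grep -qx "$luks_name"; then
        echo "crypttab: no target named '$luks_name' (the name used with luksOpen)" >&2
        rc=1
    fi
    # Every /dev/mapper/NAME that fstab mounts needs a crypttab entry that creates it.
    for name in $(fstab_mapper_names "$fstab"); do
        if ! crypttab_targets "$crypttab" | grep -qx "$name"; then
            echo "fstab: /dev/mapper/$name has no matching crypttab target" >&2
            rc=1
        fi
    done
    # A crypttab target that nothing mounts is usually a misspelled name.
    for name in $(crypttab_targets "$crypttab"); do
        if ! fstab_mapper_names "$fstab" | grep -qx "$name"; then
            echo "crypttab: target '$name' is not referenced in fstab" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files mirroring the configuration shown in the HOWTO.
TMP=$(mktemp -d)
GOOD_CRYPTTAB=$TMP/crypttab.good
cat > "$GOOD_CRYPTTAB" <<'EOF'
# <target name> <source device> <key file> <options>
swap /dev/sda5 /dev/random swap
root /dev/sda6 none luks
EOF
GOOD_FSTAB=$TMP/fstab.good
cat > "$GOOD_FSTAB" <<'EOF'
proc /proc proc defaults 0 0
/dev/mapper/root / ext3 defaults,errors=remount-ro 0 0
/dev/sda1 /boot ext3 defaults 0 1
/dev/mapper/swap swap swap defaults 0 0
EOF
# The mistake the HOWTO warns about: crypttab names the root mapping differently
# from the luksOpen command and from fstab.
BAD_CRYPTTAB=$TMP/crypttab.bad
cat > "$BAD_CRYPTTAB" <<'EOF'
swap /dev/sda5 /dev/random swap
cryptroot /dev/sda6 none luks
EOF

if check_crypt_names "$GOOD_CRYPTTAB" "$GOOD_FSTAB" root; then
    echo "good sample: names are consistent"
fi
if ! check_crypt_names "$BAD_CRYPTTAB" "$GOOD_FSTAB" root; then
    echo "bad sample: mismatch detected, fix before rebooting"
fi
```

The three checks are deliberately separate so that the message tells you which file to edit: a missing luksOpen name or an unreferenced target points at crypttab, an orphaned /dev/mapper entry points at fstab.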
/etc/network/interfaces:
<pre><nowiki>
auto lo
iface lo inet loopback
</nowiki></pre>
Configure the console:
<pre><nowiki>
dpkg-reconfigure console-setup # Install if needed
</nowiki></pre>
Make sure your initramfs is correct:
<pre><nowiki>
update-initramfs -u
</nowiki></pre>
Install grub:
<pre><nowiki>
grub-install --recheck hd0,0
update-grub
grub-install hd0
</nowiki></pre>
Remove quiet and splash from the defoptions line in /boot/grub/menu.lst and run <code><nowiki>update-grub</nowiki></code> again.
Install some important packages:
<pre><nowiki>
aptitude install ubuntu-standard ubuntu-minimal
</nowiki></pre>
You may want to install openssh-server, too. :)
Install (k)ubuntu-desktop:
<pre><nowiki>
aptitude install ubuntu-desktop
killall acpid
dpkg --configure -a # Make sure this does not return any errors.
</nowiki></pre>
Create a user for yourself:
<pre><nowiki>
adduser --add_extra_groups username
adduser username adm
adduser username admin
</nowiki></pre>
Run <code><nowiki>visudo</nowiki></code> and add this just under the entry for root:
<pre><nowiki>
%admin ALL=(ALL) ALL
</nowiki></pre>
=== Boot your encrypted system ===
Restart (make sure your filesystems are unmounted) and boot into your new system. You should be asked for your passphrase by cryptsetup.
If your boot partition is not the first partition on the first disk, you may need to edit the root line if Grub reports "Error 17: Cannot mount selected partition". Change it to hd(x,y), where x is the index of your disk and y is the index of the boot partition (first is zero, second is one, etc).
You may also need to remove the "/boot" prefix from the kernel and initrd lines, since the boot partition does not include a boot folder.
If grub complains about a file it can't find, you may try to press ESC to edit the command, go down to savedefault and press d and b. Then, reinstall grub when booted.
Your system may seem to hang while setting up encrypted devices. This is because it lacks random data. Press a few keys, and it will continue.
Be aware that your new system is not as well configured as with a normal installation, so you have to do some configuration after first boot. Here's a list to get you started. You will find tools for this in the System menu in Ubuntu.
- Hostname.
- Other network parameters and DNS. (If you don't want to use network manager for that.)
- Web proxy if needed.
- Date, time and time zone. (NTP if wanted)
- Localization. (Language packs, default language.)
- Software repositories (multiverse, updates, backports...) and keys used to sign the archives.
- Non-free drivers. (NVIDIA/ATI-cards)
You may also want to make sure your Mail Transfer Agent (exim, postfix, ...) is set up correctly.
When upgrading kernels, be sure to keep your old kernel. Some versions of the Linux kernel will change from <code><nowiki>/dev/hd*</nowiki></code> to <code><nowiki>/dev/sd*</nowiki></code> and others the other way. This will break /etc/cryptsetup. Installing Feisty kernel 2.6.20-16 appears to have this problem, and installing that kernel while working from a 2.6.20-15 live CD may result in "cryptsetup: Source device /dev/sda* not found" at the end of the process.
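The device-rename failure described above can be caught before rebooting rather than at the cryptsetup prompt. The script below is an added example, not part of the original HOWTO or of cryptsetup: check_crypttab_sources verifies that every plain <source device> in a crypttab exists in a list of block devices (a constructed list stands in for `find /dev -type b`, which is what you would run on the real system from the kernel you are about to boot), and crypttab_to_uuid goes one step beyond the page by rewriting known sources to UUID= form, which survives a hd*/sd* rename. That rewrite assumes a cryptsetup whose crypttab(5) accepts UUID= in the source field (true of current Debian and Ubuntu; check your release), and the UUID value in the sample map is a placeholder standing in for the output of `blkid -s UUID -o value /dev/sda6`.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): before rebooting into a new
# kernel, confirm that every <source device> in crypttab still exists, and show
# how to rewrite sources to UUID= form so a /dev/hd* <-> /dev/sd* rename cannot
# produce "cryptsetup: Source device ... not found" at boot.

# "target source" pairs from a crypttab file, ignoring comments and blank lines.
crypttab_sources() {
    awk '!/^[[:space:]]*#/ && NF >= 4 { print $1, $2 }' "$1"
}

# check_crypttab_sources CRYPTTAB DEVLIST
# DEVLIST holds one existing block-device path per line; on a real system build
# it with `find /dev -type b` (assumption: run from the kernel you are about to
# boot, e.g. inside the chroot once the new kernel package is installed).
# Returns 0 if every plain device source is present, 1 otherwise.
check_crypttab_sources() {
    rc=0
    while read -r target source; do
        [ -n "$target" ] || continue
        case $source in
            UUID=*|LABEL=*) continue ;;  # name-independent references are safe
        esac
        if ! grep -qxF "$source" "$2"; then
            echo "crypttab: source $source for target '$target' does not exist" >&2
            rc=1
        fi
    done <<EOF
$(crypttab_sources "$1")
EOF
    return $rc
}

# crypttab_to_uuid CRYPTTAB UUIDMAP
# UUIDMAP has lines "DEVICE UUID", one per device, as produced by
# `blkid -s UUID -o value DEVICE`. Prints the crypttab with every known source
# replaced by UUID=...; sources without a UUID are left unchanged. The random-key
# swap is re-created on every boot and therefore never has a stable UUID.
crypttab_to_uuid() {
    awk -v mapfile="$2" '
        BEGIN { while ((getline line < mapfile) > 0) { split(line, f, " "); uuid[f[1]] = f[2] } }
        /^[[:space:]]*#/ || NF < 4 { print; next }
        ($2 in uuid) { $2 = "UUID=" uuid[$2] }
        { print }
    ' "$1"
}

# Constructed samples: the HOWTO's crypttab, device lists before and after a
# hd/sd rename, and a placeholder UUID for the LUKS root (not a real value).
TMP=$(mktemp -d)
CRYPTTAB=$TMP/crypttab
cat > "$CRYPTTAB" <<'EOF'
# <target name> <source device> <key file> <options>
swap /dev/sda5 /dev/random swap
root /dev/sda6 none luks
EOF
DEVS_SD=$TMP/devs.sd
printf '%s\n' /dev/sda /dev/sda1 /dev/sda5 /dev/sda6 > "$DEVS_SD"
DEVS_HD=$TMP/devs.hd
printf '%s\n' /dev/hda /dev/hda1 /dev/hda5 /dev/hda6 > "$DEVS_HD"
UUIDMAP=$TMP/uuidmap
printf '%s\n' '/dev/sda6 00000000-0000-0000-0000-000000000000' > "$UUIDMAP"

check_crypttab_sources "$CRYPTTAB" "$DEVS_SD" && echo "current kernel: all crypttab sources present"
check_crypttab_sources "$CRYPTTAB" "$DEVS_HD" || echo "after a hd/sd rename: boot would fail, fix crypttab first"
crypttab_to_uuid "$CRYPTTAB" "$UUIDMAP"
```

After the rewrite the LUKS root no longer depends on the device name, but the swap line still does; for a random-key swap a /dev/disk/by-id path is the usual replacement, and /etc/fstab's /dev/sda1 entry for /boot needs the same treatment.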