特殊:Badtitle/NS100:EncryptedFilesystemHowto4

来自Ubuntu中文
Oneleaf留言 | 贡献2007年5月13日 (日) 11:34的版本 (New page: {{From|https://help.ubuntu.com/community/EncryptedFilesystemHowto4}} {{Languages|php5}} Here is yet another HOWTO for installing (k)ubuntu 6.06 LTS (dapper) with encrypted root and swap pa...)
(差异) ←上一版本 | 最后版本 (差异) | 下一版本→ (差异)
跳到导航跳到搜索

{{#ifexist: :EncryptedFilesystemHowto4/zh | | {{#ifexist: EncryptedFilesystemHowto4/zh | | {{#ifeq: {{#titleparts:EncryptedFilesystemHowto4|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:EncryptedFilesystemHowto4|1|-1|}} | zh | | }}

Here is yet another HOWTO for installing (k)ubuntu 6.06 LTS (dapper) with encrypted root and swap partition. Why yet another? Some highlights of this method:

  • Uses RSA keys and thus is ready for smartcards (although in this howto
  the RSA private key is still stored on disk as encrypted file)
  • Password changes are possible. With LUKS that would be possible too (but no smart card support), with cryptsetup it would not.

Encrypting valuable data is very important for many companies, and it feels a lot better if the whole filesystem is encrypted, not only some partitions (e.g. home - what if you start using some webserver, database etc.). Of course a full encryption of root and swap has significant impact on latency for reading/writing and increased cpu usage for that. But for normal desktop it is not a big deal, but if you copy hundereds of MB of data you will notice it.

This howto is very long, because you need to do many steps yourself that are normaly done by the automatic installer.

How to install Ubuntu encrypted

 1. Boot from desktop CD 
    Download this text to the ubuntu system, so you can cut and paste. Open in vi (not less, with less you get cut&paste problems on long     lines). 

 1. Start an xterm 

 1. Get a root shell  
    sudo bash

 1. load dm-crypt 
    modprobe dm-crypt

 1. Partition the system 
    cfdisk /dev/sda  # or /dev/hda 
    Create three partitions: 
      * first partition: linux, 100mb, bootable (/boot) 
      * second parition: linux, what you prefer (2GB?) (swap) 
      * third partition: root, rest of the disk (or leave space - however you prefer)

    Do not set the second partition to swap, as ubuntu will automatically enable it and thus cause problems. 

    In this document we will assume: 
      * /dev/sda1       /boot partition 
      * /dev/sda2       swap partition 
      * /dev/sda3       root partition 

 1. Create crypto keys in /tmp (tmpfs, never written anywhere) 
cd /tmp 
openssl genrsa -aes256 -out privkey.pem 2048 
dd if=/dev/urandom of=swapkey bs=32 count=1 
dd if=/dev/urandom of=rootkey bs=32 count=1 
openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt 
openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt 
rm swapkey rootkey 
 
SWAPKEY=`openssl rsautl -in swapkey.enc -decrypt -inkey privkey.pem \ 
                      | hexdump -e '"" 32/1 "%02x" "\n"'` 
ROOTKEY=`openssl rsautl -in rootkey.enc -decrypt -inkey privkey.pem \ 
                      | hexdump -e '"" 32/1 "%02x" "\n"'` 
echo 0 `blockdev --getsize /dev/sda2` crypt aes-cbc-essiv:sha256 \ 
              $SWAPKEY 0 /dev/sda2 0 |dmsetup create swap 
echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \ 
              $ROOTKEY 0 /dev/sda3 0 |dmsetup create root 

 
  1. Create filesystems 
     
mkfs.ext3 /dev/sda1             # /boot 
mkswap /dev/mapper/swap         # swap 
mkfs.ext3 /dev/mapper/root      # root 

 
  1. Mount filesystems 
     
mount /dev/mapper/root /mnt 
mkdir /mnt/boot 
mount /dev/sda1 /mnt/boot

 
  1. Download ar and debootstrap 
     
cd /tmp 
mkdir download 
cd download 
wget http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1cvs20060117-1ubuntu2.1_i386.deb 
wget http://de.archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_0.3.3.0ubuntu2_all.deb 
dpkg -x binutils*deb x 
dpkg -x debootstrap*deb x 

 
  1. install dapper on the crypto root 
     
export LD_LIBRARY_PATH=/tmp/download/x/usr/lib 
export PATH=/tmp/download/x/usr/bin:$PATH 
export DEBOOTSTRAP_DIR=/tmp/download/x/usr/lib/debootstrap 
/tmp/download/x/usr/sbin/debootstrap dapper /mnt http://de.archive.ubuntu.com/ubuntu/ 


  1. create an fstab in the chroot 
     
chroot /mnt 
vi /etc/fstab 
/dev/sda1               /boot           ext3    defaults  0  0
/dev/mapper/root        /               ext3    defaults  0  0
/dev/mapper/swap        swap            swap    defaults  0  0
none                    /proc           proc    defaults  0  0
none                    /proc/bus/usb   usbfs   defaults  0  0
none                    /sys            sysfs   defaults  0  0
none                    /dev/shm        tmpfs   defaults  0  0 
none                    /dev/pts        devpts  defaults  0  0

 
  1. create an apt config file in the chroot 
     
chroot /mnt 
vi /etc/apt/sources.list 
deb http://de.archive.ubuntu.com/ubuntu/ dapper main restricted 
deb http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted

deb-src http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted

 
  1. update packages, install dselect and kubuntu-destkop 
     
chroot /mnt 
apt-get update 
apt-get upgrade 
apt-get install grub linux-image-686 dmsetup bsdmainutils wipe 
apt-get install kubuntu-desktop


  1. configure initramfs-tools for crypt root and swap 
     
chroot /mnt 
cd /etc/mkinitramfs 
echo dm-crypt >> modules 
echo aes >> modules 
echo sha256 >> modules 
vi hooks/cryptroot (copy till EOF) 
#!/bin/sh 
 
. /usr/share/initramfs-tools/hook-functions 
 
mkdir -p ${DESTDIR}/boot 
mkdir -p ${DESTDIR}/sbin 
mkdir -p ${DESTDIR}/usr/bin 
 
cp -p /boot/privkey.pem /boot/rootkey.enc /boot/swapkey.enc ${DESTDIR}/boot 
 
copy_exec /sbin/blockdev /sbin 
copy_exec /sbin/dmsetup /sbin 
copy_exec /usr/bin/openssl /usr/bin 
copy_exec /usr/bin/hexdump /usr/bin 
EOF 
 
chmod +x hooks/cryptroot 
 
vi scripts/local-top/cryptroot (copy till EOF) 
#!/bin/sh 
 
PREREQ="udev" 
 
# Output pre-requisites 
prereqs() 
{ 
        echo "$PREREQ" 
} 
 
case "$1" in 
    prereqs) 
        prereqs 
        exit 0 
        ;; 
esac 
 
modprobe aes 
modprobe sha256 
modprobe dm-crypt 
 
echo "Waiting for crypted root device..." 
 
slumber=1800 
while [ ${slumber} -gt 0 -a ! -e "/dev/sda3" ]; do 
        /bin/sleep 0.1 
        slumber=$(( ${slumber} - 1 )) 
done 
 
while test -z "$ROOTKEY" 
do 
        ROOTKEY=`openssl rsautl -in /boot/rootkey.enc -decrypt
-inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 |hexdump -e '"" 32/1
"%02x" "\n"' ` 
done 
 
SECTORS=`blockdev --getsize /dev/sda3` 
 
echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $ROOTKEY 0 /dev/sda3 0 \ 
        |dmsetup create root 
 
echo "Waiting for crypted swap device..." 
 
slumber=1800 
while [ ${slumber} -gt 0 -a ! -e "/dev/sda2" ]; do 
        /bin/sleep 0.1 
        slumber=$(( ${slumber} - 1 )) 
done 
 
while test -z "$SWAPKEY" 
do 
        SWAPKEY=`openssl rsautl -in /boot/swapkey.enc -decrypt
-inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 |hexdump -e '"" 32/1
"%02x" "\n"' ` 
done 
 
SECTORS=`blockdev --getsize /dev/sda2` 
 
echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $SWAPKEY 0 /dev/sda2 0 \ 
        |dmsetup create swap
EOF 
chmod +x scripts/local-top/cryptroot 

 
  1. put the crypto keys in place and create a new initramfs 
     
mv /tmp/privkey.pem /tmp/swapkey.enc /tmp/rootkey.enc /mnt/boot/ 
chroot /mnt 
update-initramfs -u 

 
  1. install grub 
     
chroot /mnt 
update-grub 
apt-get install kubuntu-grub-splashimages 
 
cd /boot/grub 
cp /lib/grub/i386-pc/* . 
 
grub 
root (hd0,0) 
setup (hd0) 
quit 

 
  1. configure grub 
****** vi /boot/grub/menu.lst 
****** add "acpi=off" 
****** change "root=/dev/mapper/root" 
****** splash (hd0,0)/grub/splashimages/kubuntugood.xpm.gz 
****** timeout 15 
****** default 0 
****** remove all the unwanted settings
****** remove all "savedefault" lines 
****** remove splash as you want a console to enter your password
 
  1. finish installation, reboot 
     
umount /mnt/boot 
fuser -k /mnt 
umount /mnt 
sync 
 
      press ctrl-alt-del and select reboot 
 

Tools

1. change password on rsa key
su root 
cd /boot 
openssl rsa -in privkey.pem -out privkey.new.pem -aes256 
wipe privkey.pem 
mv privkey.new.pem privkey.pem 
update-initramfs -u 

 
 1. replace rsa key 
     
su root 
cd /tmp 
openssl rsautl -in /boot/rootkey.enc -inkey /boot/privkey.pem \ 
        -decrypt -out rootkey 
openssl rsautl -in /boot/swapkey.enc -inkey /boot/privkey.pem \ 
        -decrypt -out swapkey 
openssl genrsa -aes256 -out privkey.pem 2048 
openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt 
openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt 
rm swapkey rootkey 
mv swapkey.enc rootkey.enc privkey.pem boot 
update-initramfs -u 

 
 1. recover with bootcd 
****** boot kubuntu cd 
****** start xterm 
    
sudo bash 
mount /dev/sda1 /mnt 
echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \ 
         `openssl rsautl -in /mnt/rootkey.enc -decrypt -inkey \ 
         /mnt/privkey.pem |hexdump -e '"" 32/1 "%02x" "\n"'` \ 
                0 /dev/sda3 0 | dmsetup create root 
umount mnt 
mount /dev/mapper/root /mnt 
mount /dev/sda1 /mnt/boot 
 
chroot /mnt 
... 
 
update-initramfs -u 
 
umount /mnt/boot 
umount /mnt 
sync 

 
        * press ctrl-alt-del and select reboot 
 

Other changes

1. set root password * boot * switch to text console * login as "root" (no password) * shadowconfig on * passwd root 1. create user
adduser user 
vigr 
# add user to dialout, fax, voice, cdrom, floppy, sudo, audio, 
       video, scanner, scard