Here is yet another HOWTO for installing (K)ubuntu 6.06 LTS (dapper) with encrypted root and swap partitions. Why yet another? Some highlights of this method:
- Uses RSA keys and thus is ready for smartcards (although in this howto the RSA private key is still stored on disk as an encrypted file; since that file lives on the unencrypted /boot partition and is copied into the initramfs, its passphrase is the only thing protecting the whole system, so choose it accordingly)
- Password changes are possible. With LUKS that would be possible too (but without smartcard support); with plain (non-LUKS) cryptsetup it would not.
Encrypting valuable data is very important for many companies, and it feels a lot better if the whole filesystem is encrypted, not only some partitions (e.g. /home — what if you start using a webserver, database etc.?). Of course, full encryption of root and swap has a significant impact on read/write latency and increases CPU usage. For a normal desktop it is not a big deal, but if you copy hundreds of MB of data you will notice it.
This howto is very long, because you need to do many steps yourself that are normally done by the automatic installer.
How to install Ubuntu encrypted
1. Boot from the desktop CD. Download this text to the Ubuntu system so you can cut and paste. Open it in vi (not less; with less you get cut & paste problems on long lines).
1. Start an xterm.
1. Get a root shell:
sudo bash
1. Load dm-crypt:
modprobe dm-crypt
1. Partition the system:
cfdisk /dev/sda
# or /dev/hda
Create three partitions:
* first partition: linux, 100 MB, bootable (/boot)
* second partition: linux, whatever size you prefer (2 GB?) (swap)
* third partition: root, rest of the disk (or leave space - however you prefer)
Do not set the second partition's type to swap, as Ubuntu will automatically enable it and thus cause problems.
In this document we will assume:
* /dev/sda1 - /boot partition
* /dev/sda2 - swap partition
* /dev/sda3 - root partition
1. Create crypto keys in /tmp (tmpfs on the live CD, so the plaintext keys are never written to disk):
cd /tmp
openssl genrsa -aes256 -out privkey.pem 2048
dd if=/dev/urandom of=swapkey bs=32 count=1
dd if=/dev/urandom of=rootkey bs=32 count=1
openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt
openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt
rm swapkey rootkey
SWAPKEY=`openssl rsautl -in swapkey.enc -decrypt -inkey privkey.pem \
  | hexdump -e '"" 32/1 "%02x" "\n"'`
ROOTKEY=`openssl rsautl -in rootkey.enc -decrypt -inkey privkey.pem \
  | hexdump -e '"" 32/1 "%02x" "\n"'`
echo 0 `blockdev --getsize /dev/sda2` crypt aes-cbc-essiv:sha256 \
  $SWAPKEY 0 /dev/sda2 0 |dmsetup create swap
echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \
  $ROOTKEY 0 /dev/sda3 0 |dmsetup create root
1. Create filesystems:
mkfs.ext3 /dev/sda1 # /boot
mkswap /dev/mapper/swap # swap
mkfs.ext3 /dev/mapper/root # root
1. Mount filesystems:
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
1. Download ar and debootstrap:
cd /tmp
mkdir download
cd download
wget http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1cvs20060117-1ubuntu2.1_i386.deb
wget http://de.archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_0.3.3.0ubuntu2_all.deb
dpkg -x binutils*deb x
dpkg -x debootstrap*deb x
1. Install dapper on the crypto root:
export LD_LIBRARY_PATH=/tmp/download/x/usr/lib
export PATH=/tmp/download/x/usr/bin:$PATH
export DEBOOTSTRAP_DIR=/tmp/download/x/usr/lib/debootstrap
/tmp/download/x/usr/sbin/debootstrap dapper /mnt http://de.archive.ubuntu.com/ubuntu/
1. Create an fstab in the chroot:
chroot /mnt
vi /etc/fstab
/dev/sda1 /boot ext3 defaults 0 0
/dev/mapper/root / ext3 defaults 0 0
/dev/mapper/swap swap swap defaults 0 0
none /proc proc defaults 0 0
none /proc/bus/usb usbfs defaults 0 0
none /sys sysfs defaults 0 0
none /dev/shm tmpfs defaults 0 0
none /dev/pts devpts defaults 0 0
1. Create an apt config file in the chroot:
chroot /mnt
vi /etc/apt/sources.list
deb http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
deb http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted
1. Update packages, install dselect and kubuntu-desktop:
chroot /mnt
apt-get update
apt-get upgrade
apt-get install grub linux-image-686 dmsetup bsdmainutils wipe
apt-get install kubuntu-desktop
1. Configure initramfs-tools for the crypt root and swap:
chroot /mnt
cd /etc/mkinitramfs
echo dm-crypt >> modules
echo aes >> modules
echo sha256 >> modules
vi hooks/cryptroot (copy till EOF)
#!/bin/sh
. /usr/share/initramfs-tools/hook-functions
mkdir -p ${DESTDIR}/boot
mkdir -p ${DESTDIR}/sbin
mkdir -p ${DESTDIR}/usr/bin
cp -p /boot/privkey.pem /boot/rootkey.enc /boot/swapkey.enc ${DESTDIR}/boot
copy_exec /sbin/blockdev /sbin
copy_exec /sbin/dmsetup /sbin
copy_exec /usr/bin/openssl /usr/bin
copy_exec /usr/bin/hexdump /usr/bin
EOF
chmod +x hooks/cryptroot
vi scripts/local-top/cryptroot (copy till EOF)
#!/bin/sh
PREREQ="udev"
# Output pre-requisites
prereqs()
{
    echo "$PREREQ"
}
case "$1" in
prereqs)
    prereqs
    exit 0
    ;;
esac
modprobe aes
modprobe sha256
modprobe dm-crypt
echo "Waiting for crypted root device..."
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "/dev/sda3" ]; do
    /bin/sleep 0.1
    slumber=$(( ${slumber} - 1 ))
done
while test -z "$ROOTKEY"
do
    ROOTKEY=`openssl rsautl -in /boot/rootkey.enc -decrypt -inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 |hexdump -e '"" 32/1 "%02x" "\n"' `
done
SECTORS=`blockdev --getsize /dev/sda3`
echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $ROOTKEY 0 /dev/sda3 0 \
    |dmsetup create root
echo "Waiting for crypted swap device..."
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "/dev/sda2" ]; do
    /bin/sleep 0.1
    slumber=$(( ${slumber} - 1 ))
done
while test -z "$SWAPKEY"
do
    SWAPKEY=`openssl rsautl -in /boot/swapkey.enc -decrypt -inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 |hexdump -e '"" 32/1 "%02x" "\n"' `
done
SECTORS=`blockdev --getsize /dev/sda2`
echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $SWAPKEY 0 /dev/sda2 0 \
    |dmsetup create swap
EOF
chmod +x scripts/local-top/cryptroot
1. Put the crypto keys in place and create a new initramfs:
mv /tmp/privkey.pem /tmp/swapkey.enc /tmp/rootkey.enc /mnt/boot/
chroot /mnt
update-initramfs -u
1. Install grub:
chroot /mnt
update-grub
apt-get install kubuntu-grub-splashimages
cd /boot/grub
cp /lib/grub/i386-pc/* .
grub
root (hd0,0)
setup (hd0)
quit
1. Configure grub:
vi /boot/grub/menu.lst
* add "acpi=off"
* change "root=/dev/mapper/root"
* splash (hd0,0)/grub/splashimages/kubuntugood.xpm.gz
* timeout 15
* default 0
* remove all the unwanted settings
* remove all "savedefault" lines
* remove splash, as you want a console to enter your password
1. Finish the installation and reboot:
umount /mnt/boot
fuser -k /mnt
umount /mnt
sync
Press ctrl-alt-del and select reboot.
Tools
1. Change the password on the RSA key:
su root
cd /boot
openssl rsa -in privkey.pem -out privkey.new.pem -aes256
wipe privkey.pem
mv privkey.new.pem privkey.pem
update-initramfs -u
1. Replace the RSA key:
su root
cd /tmp
openssl rsautl -in /boot/rootkey.enc -inkey /boot/privkey.pem \
  -decrypt -out rootkey
openssl rsautl -in /boot/swapkey.enc -inkey /boot/privkey.pem \
  -decrypt -out swapkey
openssl genrsa -aes256 -out privkey.pem 2048
openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt
openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt
rm swapkey rootkey
mv swapkey.enc rootkey.enc privkey.pem /boot
update-initramfs -u
1. Recover with the boot CD:
* boot the Kubuntu CD
* start an xterm
sudo bash
mount /dev/sda1 /mnt
echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \
  `openssl rsautl -in /mnt/rootkey.enc -decrypt -inkey \
  /mnt/privkey.pem |hexdump -e '"" 32/1 "%02x" "\n"'` \
  0 /dev/sda3 0 | dmsetup create root
umount /mnt
mount /dev/mapper/root /mnt
mount /dev/sda1 /mnt/boot
chroot /mnt
...
update-initramfs -u
umount /mnt/boot
umount /mnt
sync
* Press ctrl-alt-del and select reboot.
Other changes
1. Set the root password:
* boot
* switch to a text console
* log in as "root" (no password)
* shadowconfig on
* passwd root
1. Create a user:
adduser user
vigr # add the user to dialout, fax, voice, cdrom, floppy, sudo, audio, video, scanner, scard