Installing Ubuntu 6.06 on an Encrypted LVM Partition For Root, Swap, and Home
by John Bindel (jbindel <at> googlemail <dot com>)
This how-to explains the process of installing Ubuntu 6.06 on an encrypted LVM partition. One encrypted physical partition is used, and the logical volume manager manages the operating-system volumes on top of it. Only /boot is left unencrypted. The package names, file paths and device names below are those of the 6.06 release and of the example machine; adjust them for your own system.
Install
Boot the Ubuntu 6.06 desktop install disk.
Partition the disk with System->Administration->Gnome Partition Editor
Make a 3GB ext3 primary partition (see NOTES at the bottom if you want to save room and use the server version, which only needs 600 MB). Make an extended partition with the rest. Inside it, make an ext3 logical partition of 200MB for /boot, which is sda5 in this example, and an ext3 logical partition with the remaining space as sda6. Click "apply" and then close the tool. It would be nice to install directly to encrypted LVM volumes, but the desktop installer does not seem to be capable of that: in my attempts it fails after the manual partitioning step.
Double-click on "Install".
Choose to manually edit partitions. Make no changes to partitions and click "forward". Set /dev/sda5 as the /boot mount point and /dev/sda1 as the "/" mount point. Clear all other mount points. Select reformat on these two and click "forward". Then click "install".
Click "continue" when asked about not having a swap partition. We'll add one later.
Let the system install and then reboot.
Open a terminal and get root.
$ sudo bash
Add "universe" repositories by uncommenting lines in /etc/apt/sources.list.
Install the cryptsetup, hashalot, and initramfs-tools packages.
# apt-get update
# apt-get install cryptsetup hashalot initramfs-tools
Build an initrd image
Load the modules that will be needed:
# modprobe dm_crypt
# modprobe aes_i586
# modprobe sha256
Add the following line to /etc/kernel-img.conf:
ramdisk = /usr/sbin/mkinitramfs
Add the following lines to /etc/mkinitramfs/modules:
dm_mod
dm_crypt
sha256
aes_i586
Create the file /etc/mkinitramfs/hooks/pvcrypt. This script is executed when the init ramdisk image is built; it copies the keymap, loadkeys, chvt and cryptsetup into the image so they are available before the root filesystem is unlocked.
#!/bin/sh
PREREQ=""
prereqs()
{
  echo "$PREREQ"
}
case $1 in
prereqs)
  prereqs
  exit 0
  ;;
esac
if [ ! -x /sbin/cryptsetup ]; then
  exit 0
fi
. /usr/share/initramfs-tools/hook-functions
mkdir ${DESTDIR}/etc/console
cp /etc/console/boottime.kmap.gz ${DESTDIR}/etc/console
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin
Create the file /etc/mkinitramfs/scripts/local-top/pvcrypt. This script is executed during the initramfs boot; it loads the crypto modules and prompts for the passphrase to open /dev/sda6 as /dev/mapper/pvcrypt.
#!/bin/sh
PREREQ="udev"
prereqs()
{
  echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
  prereqs
  exit 0
  ;;
esac
/bin/loadkeys /etc/console/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256
if grep -q splash /proc/cmdline; then
  /bin/chvt 1
fi
/sbin/cryptsetup luksOpen /dev/sda6 pvcrypt
if grep -q splash /proc/cmdline; then
  /sbin/usplash -c &
  sleep 1
fi
Make these scripts executable by root:
# chmod +x /etc/mkinitramfs/hooks/pvcrypt
# chmod +x /etc/mkinitramfs/scripts/local-top/pvcrypt
Now build a new initrd image:
# update-initramfs -u ALL
Encrypt the data partition
Check the future encrypted LVM physical partition for errors. This will take several minutes for each partition. It also fills the partition with pseudorandom data, but only from the not-so-random libc pseudorandom source:
# /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda6
Fill the partition with random data. This may take 4 hours for the large partition. The /dev/urandom source is a good source of randomness; it should prevent attackers from being able to tell where data actually resides on the encrypted filesystem, which would otherwise tell them what they should try to decrypt. The /dev/random source is even better, but it might take hundreds of years to fill the disk from it.
# dd if=/dev/urandom of=/dev/sda6
Create the encryption key for the partition:
# cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda6
# cryptsetup luksOpen /dev/sda6 pvcrypt
Make an LVM physical volume, volume group, and logical volumes on the encrypted partition. The size of 9938 extents happens to be how much is left on my logical partition.
# pvcreate /dev/mapper/pvcrypt
Physical volume "/dev/mapper/pvcrypt" successfully created
# vgcreate vgcrypt /dev/mapper/pvcrypt
Volume group "vgcrypt" successfully created
# lvcreate -n lvroot -L 8G vgcrypt
Logical volume "lvroot" created
# lvcreate -n lvswap -L 1G vgcrypt
Logical volume "lvswap" created
# lvcreate -n lvhome -l 9938 vgcrypt
Logical volume "lvhome" created
Put a filesystem on each volume:
# mkfs.ext3 /dev/mapper/vgcrypt-lvroot
# mkfs.ext3 /dev/mapper/vgcrypt-lvhome
# mkswap /dev/mapper/vgcrypt-lvswap
Populate the encrypted volumes:
# mkdir /mnt/root
# mkdir /mnt/home
# mount /dev/mapper/vgcrypt-lvroot /mnt/root
# mount /dev/mapper/vgcrypt-lvhome /mnt/home
# cp -ax / /mnt/root
# rm -rf /mnt/root/home/*
# cp -ax /home/* /mnt/home
Edit /mnt/root/etc/fstab. First change this line:
/dev/sda1 / ext3 defaults,errors=remount-ro 0 1
to:
/dev/mapper/vgcrypt-lvroot / ext3 defaults,errors=remount-ro 0 1
And add these lines:
/dev/mapper/vgcrypt-lvhome /home ext3 defaults 0 1
/dev/mapper/vgcrypt-lvswap none swap sw 0 0
Add this to the bottom of /boot/grub/menu.lst. (hd0,4) refers to the boot partition, /dev/sda5.
title Cryptotest
root (hd0,4)
kernel /vmlinuz-<your kernel version here> root=/dev/mapper/vgcrypt-lvroot ro
initrd /initrd.img-<your kernel version here>
savedefault
boot
Check the kernel version with:
uname -r
For example, it may be "2.6.15-26-server". Reboot to test by typing:
sudo reboot
Press ESC to enter the GRUB menu and select Cryptotest. The boot process will stop and wait for the encrypted partition's passphrase. The prompt will probably be hard to see because of the large amount of debugging output on the console. If all goes well, continue; otherwise seek help or work out what went wrong before proceeding. Edit /boot/grub/menu.lst to remove the lines we added at the end, and change the line that reads:
# kopt=root=/dev/sda1 ro
to:
# kopt=root=/dev/mapper/vgcrypt-lvroot ro
Then run:
$ sudo update-grub
Finally, make a backup key file for unlocking the drive. Insert a blank USB thumb drive. Note that this key file is a full unlock credential for the partition (it is added as an additional LUKS key slot), so keep the USB drive as physically secure as the passphrase itself.
$ sudo dd if=/dev/random of=/media/<usbdrive>/pvcrypt-$(whoami)-key bs=1 count=256
$ sudo cryptsetup luksAddKey /dev/sda6 /media/<usbdrive>/pvcrypt-$(whoami)-key
Wipe the old partition:
# /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda1
Notes
Those who do not want a large leftover partition on sda1 can make it as small as 600MB and install the server version of Ubuntu instead, or even make the /boot partition 600MB and install the root partition there initially. Gnome will pop up a notice that it has found an encrypted partition; cancel the dialog. It seems that /sbin/partprobe causes this dialog to appear. Any advice on getting rid of it would be appreciated.
CategorySecurity