特殊:Badtitle/NS100:EncryptedFilesystem
 |
文章出处: |
{{#if: | {{{2}}} | https://help.ubuntu.com/community/EncryptedFilesystem }} |
|
点击翻译: |
English {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/af | • {{#if: php5|Afrikaans| [[::EncryptedFilesystem/af|Afrikaans]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/ar | • {{#if: php5|العربية| [[::EncryptedFilesystem/ar|العربية]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/az | • {{#if: php5|azərbaycanca| [[::EncryptedFilesystem/az|azərbaycanca]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/bcc | • {{#if: php5|جهلسری بلوچی| [[::EncryptedFilesystem/bcc|جهلسری بلوچی]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/bg | • {{#if: php5|български| [[::EncryptedFilesystem/bg|български]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/br | • {{#if: php5|brezhoneg| [[::EncryptedFilesystem/br|brezhoneg]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/ca | • {{#if: php5|català| [[::EncryptedFilesystem/ca|català]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/cs | • {{#if: php5|čeština| [[::EncryptedFilesystem/cs|čeština]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/de | • {{#if: php5|Deutsch| [[::EncryptedFilesystem/de|Deutsch]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/el | • {{#if: php5|Ελληνικά| [[::EncryptedFilesystem/el|Ελληνικά]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/es | • {{#if: php5|español| [[::EncryptedFilesystem/es|español]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/fa | • {{#if: php5|فارسی| [[::EncryptedFilesystem/fa|فارسی]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/fi | • {{#if: php5|suomi| [[::EncryptedFilesystem/fi|suomi]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/fr | • {{#if: php5|français| [[::EncryptedFilesystem/fr|français]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/gu | • {{#if: php5|ગુજરાતી| [[::EncryptedFilesystem/gu|ગુજરાતી]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/he | • {{#if: php5|עברית| [[::EncryptedFilesystem/he|עברית]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/hu | • {{#if: php5|magyar| [[::EncryptedFilesystem/hu|magyar]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/id | • {{#if: php5|Bahasa Indonesia| [[::EncryptedFilesystem/id|Bahasa Indonesia]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/it | • {{#if: php5|italiano| [[::EncryptedFilesystem/it|italiano]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/ja | • {{#if: php5|日本語| [[::EncryptedFilesystem/ja|日本語]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/ko | • {{#if: php5|한국어| [[::EncryptedFilesystem/ko|한국어]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/ksh | • {{#if: php5|Ripoarisch| [[::EncryptedFilesystem/ksh|Ripoarisch]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/mr | • {{#if: php5|मराठी| [[::EncryptedFilesystem/mr|मराठी]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/ms | • {{#if: php5|Bahasa Melayu| [[::EncryptedFilesystem/ms|Bahasa Melayu]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/nl | • {{#if: php5|Nederlands| [[::EncryptedFilesystem/nl|Nederlands]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/no | • {{#if: php5|norsk| [[::EncryptedFilesystem/no|norsk]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/oc | • {{#if: php5|occitan| [[::EncryptedFilesystem/oc|occitan]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/pl | • {{#if: php5|polski| [[::EncryptedFilesystem/pl|polski]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/pt | • {{#if: php5|português| [[::EncryptedFilesystem/pt|português]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/ro | • {{#if: php5|română| [[::EncryptedFilesystem/ro|română]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/ru | • {{#if: php5|русский| [[::EncryptedFilesystem/ru|русский]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/si | • {{#if: php5|සිංහල| [[::EncryptedFilesystem/si|සිංහල]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/sq | • {{#if: php5|shqip| [[::EncryptedFilesystem/sq|shqip]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/sr | • {{#if: php5|српски / srpski| [[::EncryptedFilesystem/sr|српски / srpski]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/sv | • {{#if: php5|svenska| [[::EncryptedFilesystem/sv|svenska]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/th | • {{#if: php5|ไทย| [[::EncryptedFilesystem/th|ไทย]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/tr | • {{#if: php5|Türkçe| [[::EncryptedFilesystem/tr|Türkçe]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/vi | • {{#if: php5|Tiếng Việt| [[::EncryptedFilesystem/vi|Tiếng Việt]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/yue | • {{#if: php5|粵語| [[::EncryptedFilesystem/yue|粵語]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/zh | • {{#if: php5|中文| [[::EncryptedFilesystem/zh|中文]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/zh-hans | • {{#if: php5|中文(简体)| [[::EncryptedFilesystem/zh-hans|中文(简体)]]}}|}} {{#ifexist: {{#if: php5 | php5 | {{#if: | :}}EncryptedFilesystem}}/zh-hant | • {{#if: php5|中文(繁體)| [[::EncryptedFilesystem/zh-hant|中文(繁體)]]}}|}} |
{{#ifeq:php5|:EncryptedFilesystem|请不要直接编辑翻译本页,本页将定期与来源同步。}} |
{{#ifexist: :EncryptedFilesystem/zh | | {{#ifexist: EncryptedFilesystem/zh | | {{#ifeq: {{#titleparts:EncryptedFilesystem|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:EncryptedFilesystem|1|-1|}} | zh | | }}
Encrypted Root and Swap with LUKS (on Ubuntu 6.06)
by Mikhail Lukyanchenko <[email protected]>
Info: another, more detailed and explanatory guide is here: https://help.ubuntu.com/community/EncryptedFilesystemHowto
Introduction
This is the way I got Ubuntu 6.06 (Dapper Drake) with fully encrypted file system: root (/) and swap. Since Ubuntu installer does not support yet this option, this process concerns, first, installing Ubuntu on a temporary partition and then, inside that installation, preparing all the encrypted partitions for the OS. The old root which I used in the beginning is turned into a swap partition.
Notes
In this tutorial we assume that:
- old (unencrypted) and the new (encrypted) swap is in the partition '/dev/hda2'
- new home (encrypted) is in the partition '/dev/hda3'
replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.
Warnings
Encrypting a partition is a destructive operation; then, your new root partition (/dev/hda3) must be empty, because all data on it will be erased.
Also be warned, that this HOWTO is at beta state. I would not recommend to use it on production system. But it would be greatly appreciated if you test it and send me some feedback.
Ubuntu installation
Note that you should install a server profile at this step even if you need a desktop profile at the end. The switch between the two profiles will be realized later on.
Install Ubuntu with the following initial partitioning scheme:
/dev/hda1 /boot 100 MB ext3 /dev/hda2 / 512 MB ext3 Mark that 512 MB is really the shortest size you can set for a server type of installation. A complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, create one more space to hold your future encrypted root, so as the following:/dev/hda3 future / 10GB Set this partition in the installer option for filesystem as "do not use the partition". Just ignore the alert about not having a swap partition and keep walking.Cryptography software installation
Enable the Universe repository. See here After adding the universe repository, don't forget to update so the packages below will be available: Use any method to install the following packages:cryptsetup hashalot initramfs-toolsSetting up mkinitramfs
Edit/etc/kernel-img.conf. Add the following line:ramdisk = /usr/sbin/mkinitramfs Edit/etc/mkinitramfs/modules(note, this and other files move to/etc/initramfs-toolsin Edgy). Add folowing lines:dm_mod dm_crypt sha256 aes_i586 Create file/etc/mkinitramfs/hooks/cryptoroot:#!/bin/sh PREREQ="" prereqs() { echo "$PREREQ" } case $1 in prereqs) prereqs exit 0 ;; esac if [ ! -x /sbin/cryptsetup ]; then exit 0 fi . /usr/share/initramfs-tools/hook-functions mkdir ${DESTDIR}/etc/console cp /etc/console/boottime.kmap.gz ${DESTDIR}/etc/console copy_exec /bin/loadkeys /bin copy_exec /usr/bin/chvt /bin copy_exec /sbin/cryptsetup /sbin If you use Ubuntu 6.10, you have to add the following line to the above script (at the end):copy_exec /sbin/vol_id /sbin Create file/etc/mkinitramfs/scripts/local-top/cryptoroot:#!/bin/sh PREREQ="udev" prereqs() { echo "$PREREQ" } case $1 in # get pre-requisites prereqs) prereqs exit 0 ;; esac /bin/loadkeys /etc/console/boottime.kmap.gz modprobe -Qb dm_crypt modprobe -Qb aes_i586 modprobe -Qb sha256 if grep -q splash /proc/cmdline; then /bin/chvt 1 fi /sbin/cryptsetup luksOpen /dev/hda3 cryptoroot if grep -q splash /proc/cmdline; then /sbin/usplash -c & sleep 1 fi If you use Ubuntu 6.10, add the following line directly below "/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot":ln -s ../../mapper/cryptoroot /dev/disk/by-uuid/`vol_id -u /dev/mapper/cryptoroot` Also, if you use Ubuntu 6.10, replace the following line:/bin/loadkeys /etc/console/boottime.kmap.gz with the following line:/bin/loadkeys /etc/console-setup/boottime.kmap.gz Make created files executable:$ sudo chmod +x /etc/mkinitramfs/hooks/cryptoroot $ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptoroot Update initrd image:$ sudo update-initramfs -u ALLCreating the encrypted system
Now it is time to create the cryptography devices.$ sudo modprobe dm_crypt $ sudo modprobe sha256 $ sudo modprobe aes_i586 $ sudo luksformat -t ext3 /dev/hda3 The following dialog should look like this:Creating encrypted device on /dev/hda3... WARNING! ======== This will owerwrite data on /dev/hda3 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful. Please enter your passphrase again to verify it Enter LUKS passphrase: key slot 0 unlocked. Command successful. mke2fs 1.38 (30-Jun-2005) ..... Your encrypted partition is now created and formated. It's time to populate it:$ sudo cryptsetup luksOpen /dev/hda3 cryptoroot $ sudo mkdir /mnt/target $ sudo mount /dev/mapper/cryptoroot /mnt/target $ sudo cp -avx / /mnt/target $ sudo chown -R $(whoami):$(whoami) /mnt/target/home/$(whoami) The copy process should take about two minutes for a server profile (depends on your hardware). Then you need to correct/mnt/target/etc/fstab. Find/dev/hda2 / ext3 defaults,errors=remount-ro 0 1 Replace with/dev/mapper/cryptoroot / ext3 defaults,errors=remount-ro 0 1 If you use Ubuntu 6.10, your fstab won't use /dev/* anymore, but instead UUIDs. Therefore, you need to find out the UUID by using the following command:$ sudo vol_id -u /dev/mapper/cryptoroot Instead of the "/dev/mapper/cryptoroot", you enter the UUID - hence the line in your/mnt/target/etc/fstabwill look similar to this one:UUID=25e3f85a-3488-d58e-9372-f31a45789035 / ext3 defaults,errors=remount-ro 0 1Configuring Grub
Edit/boot/grub/menu.lst. Add following after the line containing<pre><nowiki> title Cryptotest root (hd0,0) kernel /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro initrd /initrd.img-<your kernel version here> savedefault boot Again, if you use Ubuntu 6.10, you'll have to replaceroot=/dev/mapper/cryptorootby your UUID - i.e. sth. similar toroot=UUID=25e3f85a-3488-d58e-9372-f31a45789035(of course, YOUR ID will be different!). You may find your kernel version by running:$ uname -rRebooting and testing configuration
As simple as it should be:$ sudo reboot Now, after all your BIOS mumbo-jumbo, you should look very carefully and when you see following prompt:GRUB Loading stage 1.5. GRUB Loading, please wait... Press `ESC` to enter the menu Press ESC and select last option, namely "Cryptotest" Now you will see lots of kernel debugging info, since we didn't addquietoption to kernel options. It's ok. At some point you will see the promt:Enter LUKS passphrase: Go on! Enter it. Now you have booted from crypted partition. If something goes Very Wrong Way (tm), don't panic. Any way you still have unencrypted partition to boot from.Cryptoswap
Let's enable swap partition. Edit/etc/crypttab:cryptoswap /dev/hda2 /dev/urandom swap Edit/etc/fstab. Add following line:/dev/mapper/cryptoswap none swap sw 0 0 Now, you need to destroy your filesystem on/dev/hda2(if you don't destroy it explicitely, the safety check of the following command will refuse to create your "cryptoswap" on it):$ sudo dd if=/dev/urandom of=/dev/hda2 count=100 Finally, create the swap and activate it:$ sudo invoke-rc.d cryptdisks restart $ sudo swapon /dev/mapper/cryptoswapFinishing
Edit/boot/grub/menu.lstand remove lines, you previously added after the line containingIn the same file find line containing <pre><nowiki> # kopt=root=/dev/hda2 ro Change this to# kopt=root=/dev/mapper/cryptoroot ro Run$ sudo update-grub Now you have an operational server profile with encrypted root and swap. If what you need is a desktop profile (i.e. a complete graphical environment like Gnome or KDE and lots of applications), you can install it now with the single command:$ sudo apt-get install ubuntu-desktop Replaceubuntu-desktopwithkubuntu-desktop, orxubuntu-desktop, oredubuntu-desktopaccording to your needs. That's all. Finished.
