个人工具

UbuntuHelp:EncryptedFilesystem

来自Ubuntu中文

Oneleaf讨论 | 贡献2007年5月13日 (日) 11:35的版本 (New page: {{From|https://help.ubuntu.com/community/EncryptedFilesystem}} {{Languages|php5}} == Encrypted Root and Swap with LUKS (on Ubuntu 6.06) == by Mikhail Lukyanchenko <[email protected]> I...)

(差异) ←上一版本 | 最后版本 (差异) | 下一版本→ (差异)
跳转至: 导航, 搜索
Geographylogo.png 文章出处: 

https://help.ubuntu.com/community/EncryptedFilesystem

Geographylogo.png 点击翻译: 

English

Encrypted Root and Swap with LUKS (on Ubuntu 6.06)

by Mikhail Lukyanchenko <[email protected]>

Info: another, more detailed and explanatory guide is here: https://help.ubuntu.com/community/EncryptedFilesystemHowto

Introduction

This is the way I got Ubuntu 6.06 (Dapper Drake) with fully encrypted file system: root (/) and swap. Since Ubuntu installer does not support yet this option, this process concerns, first, installing Ubuntu on a temporary partition and then, inside that installation, preparing all the encrypted partitions for the OS. The old root which I used in the beginning is turned into a swap partition.

Notes

In this tutorial we assume that:

  • old (unencrypted) and the new (encrypted) swap is in the partition '/dev/hda2'
  • new home (encrypted) is in the partition '/dev/hda3'

replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.

Warnings

Encrypting a partition is a destructive operation; then, your new root partition (/dev/hda3) must be empty, because all data on it will be erased.

Also be warned, that this HOWTO is at beta state. I would not recommend to use it on production system. But it would be greatly appreciated if you test it and send me some feedback.

Ubuntu installation

Note that you should install a server profile at this step even if you need a desktop profile at the end. The switch between the two profiles will be realized later on.

Install Ubuntu with the following initial partitioning scheme: 

/dev/hda1   /boot  100 MB   ext3
/dev/hda2   /      512 MB   ext3
</code>

Mark that 512 MB is really the shortest size you can set for a server type of installation. A complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, create one more space to hold your future encrypted root, so as the following:

<pre>
/dev/hda3   future   /        10GB
</code>

Set this partition in the installer option for filesystem as "do not use the partition". Just ignore the alert about not having a swap partition and keep walking.

=== Cryptography software installation ===

Enable the Universe repository.  See [https://help.ubuntu.com/community/Repositories/CommandLine here]

After adding the universe repository, don't forget to update so the packages below will be available:

Use [https://help.ubuntu.com/community/InstallingSoftware#head-d8f69d35d4730387415ca928210750f1eac75257 any method] to install the following packages:

<pre>
cryptsetup hashalot initramfs-tools
</code>

=== Setting up mkinitramfs ===

Edit <code>/etc/kernel-img.conf</code>. Add the following line:

<pre>
ramdisk = /usr/sbin/mkinitramfs
</code>

Edit <code>/etc/mkinitramfs/modules</code> (note, this and other files move to <code>/etc/initramfs-tools</code> in Edgy). Add folowing lines:

<pre>
dm_mod
dm_crypt
sha256
aes_i586
</code>

Create file <code>/etc/mkinitramfs/hooks/cryptoroot</code>:

<pre>
#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

if [ ! -x /sbin/cryptsetup ]; then
        exit 0
fi

. /usr/share/initramfs-tools/hook-functions

mkdir ${DESTDIR}/etc/console
cp /etc/console/boottime.kmap.gz ${DESTDIR}/etc/console
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin
</code>

If you use Ubuntu 6.10, you have to add the following line to the above script (at the end):
<pre>
copy_exec /sbin/vol_id /sbin
</code>

Create file <code>/etc/mkinitramfs/scripts/local-top/cryptoroot</code>:

<pre>
#!/bin/sh

PREREQ="udev"

prereqs()
{
        echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
        prereqs
        exit 0
        ;;
esac

/bin/loadkeys /etc/console/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256
if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi
/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot
if grep -q splash /proc/cmdline; then
       /sbin/usplash -c &
       sleep 1
fi
</code>

If you use Ubuntu 6.10, add the following line directly below "/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot":
<pre>
ln -s ../../mapper/cryptoroot /dev/disk/by-uuid/`vol_id -u /dev/mapper/cryptoroot`
</code>

Also, if you use Ubuntu 6.10, replace the following line:
<pre>
/bin/loadkeys /etc/console/boottime.kmap.gz
</code>
with the following line:
<pre>
/bin/loadkeys /etc/console-setup/boottime.kmap.gz
</code>

Make created files executable:

<pre>
$ sudo chmod +x /etc/mkinitramfs/hooks/cryptoroot
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptoroot
</code>

Update initrd image:
<pre>
$ sudo update-initramfs -u ALL
</code>

=== Creating the encrypted system ===

Now it is time to create the cryptography devices.

<pre>
$ sudo modprobe dm_crypt
$ sudo modprobe sha256
$ sudo modprobe aes_i586
$ sudo luksformat -t ext3 /dev/hda3
</code>

The following dialog should look like this:

<pre>
Creating encrypted device on /dev/hda3...

WARNING!
========
This will owerwrite data on /dev/hda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Please enter your passphrase again to verify it
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mke2fs 1.38 (30-Jun-2005)
.....
</code>

Your encrypted partition is now created and formated. It's time to populate it:

<pre>
$ sudo cryptsetup luksOpen /dev/hda3 cryptoroot
$ sudo mkdir /mnt/target
$ sudo mount /dev/mapper/cryptoroot /mnt/target
$ sudo cp -avx / /mnt/target
$ sudo chown -R $(whoami):$(whoami) /mnt/target/home/$(whoami)
</code>

The copy process should take about two minutes for a server profile (depends on your hardware).

Then you need to correct <code>/mnt/target/etc/fstab</code>.

Find 
<pre>
/dev/hda2                      /               ext3    defaults,errors=remount-ro 0       1
</code>

Replace with
<pre>
/dev/mapper/cryptoroot        /               ext3    defaults,errors=remount-ro 0       1
</code>

If you use Ubuntu 6.10, your fstab won't use /dev/* anymore, but instead UUIDs. Therefore, you need to find out the UUID by using the following command:
<pre>
$ sudo vol_id -u /dev/mapper/cryptoroot
</code>
Instead of the "/dev/mapper/cryptoroot", you enter the UUID - hence the line in your <code>/mnt/target/etc/fstab</code> will look similar to this one:
<pre>
UUID=25e3f85a-3488-d58e-9372-f31a45789035 /               ext3    defaults,errors=remount-ro 0       1
</code>

=== Configuring Grub ===

Edit <code>/boot/grub/menu.lst</code>. Add following after the line containing <pre>
<pre><nowiki>
title           Cryptotest
root            (hd0,0)
kernel          /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro
initrd          /initrd.img-<your kernel version here>
savedefault
boot
</code>
Again, if you use Ubuntu 6.10, you'll have to replace <code>root=/dev/mapper/cryptoroot</code> by your UUID - i.e. sth. similar to <code>root=UUID=25e3f85a-3488-d58e-9372-f31a45789035</code> (of course, YOUR ID will be different!).

You may find your kernel version by running:
<pre>
$ uname -r
</code>

=== Rebooting and testing configuration ===

As simple as it should be:
<pre>
$ sudo reboot
</code>

Now, after all your BIOS mumbo-jumbo, you should look very carefully and when you see following prompt:

<pre>
GRUB Loading stage 1.5.

GRUB Loading, please wait...
Press `ESC` to enter the menu
</code>

Press ESC and select last option, namely "Cryptotest"

Now you will see lots of kernel debugging info, since we didn't add <code>quiet</code> option to kernel options. It's ok.

At some point you will see the promt:
<pre>
Enter LUKS passphrase:
</code>

Go on! Enter it. Now you have booted from crypted partition.

If something goes Very Wrong Way (tm), don't panic. Any way you still have unencrypted partition to boot from.

=== Cryptoswap ===

Let's enable swap partition.

Edit <code>/etc/crypttab</code>:
<pre>
cryptoswap	/dev/hda2	/dev/urandom	swap
</code>

Edit <code>/etc/fstab</code>. Add following line:
<pre>
/dev/mapper/cryptoswap	none	swap	sw	0	0
</code>

Now, you need to destroy your filesystem on <code>/dev/hda2</code> (if you don't destroy it explicitely, the safety check of the following command will refuse to create your "cryptoswap" on it):
<pre>
$ sudo dd if=/dev/urandom of=/dev/hda2 count=100
</code>

Finally, create the swap and activate it:
<pre>
$ sudo invoke-rc.d cryptdisks restart
$ sudo swapon /dev/mapper/cryptoswap
</code>

=== Finishing ===

Edit <code>/boot/grub/menu.lst</code> and remove lines, you previously added after the line containing <pre>
In the same file find line containing 
<pre><nowiki>
# kopt=root=/dev/hda2 ro
</code>

Change this to
<pre>
# kopt=root=/dev/mapper/cryptoroot ro
</code>

Run
<pre>
$ sudo update-grub
</code>

Now you have an operational server profile with encrypted root and swap. If what you need is a desktop profile (i.e. a complete graphical environment like Gnome or KDE and lots of applications), you can install it now with the single command:
<pre>
$ sudo apt-get install ubuntu-desktop
</code>

Replace <code>ubuntu-desktop</code> with <code>kubuntu-desktop</code>, or <code>xubuntu-desktop</code>, or <code>edubuntu-desktop</code> according to your needs.

That's all. Finished.

[[category:UbuntuHelp]]
取自“https://wiki.ubuntu.org.cn/index.php?title=UbuntuHelp:EncryptedFilesystem&oldid=1512