UbuntuHelp:EncryptedFilesystemHowto3

文章出处:

https://help.ubuntu.com/community/EncryptedFilesystemHowto3

点击翻译:

English

Encrypted Swap and Home with LUKS (on Ubuntu 6.06 and 5.10)

by Stefano Spinucci virgo977virgo at <googlemail> dot com

introduction

notes

NOTE#1 in this tutorial we assume that:

• old (unencrypted) and the new (encrypted) swap is in the partition '/dev/hda2'
• new home (encrypted) is in the partition '/dev/hda3'

replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.

NOTE#2 DM-Crypt works by transparently translating (in the kernel) between a physical on-disk partition (which is encrypted) and a logical partition which you can then mount and use as normal; then, for example, to operate on your home partition you must do so by using /dev/mapper/home instead of /dev/hda3.

warnings

encrypting a partition is a destructive operation; then, your new home partition (/dev/hda3) must be empty, because all data on it will be erased.

unencrypted data on the old home directory won’t be deleted and will be accessible, for example, with a live CD; then, you shouldn't put any sensitive data on home before encrypting.

otherwise, if you have sensitive data to delete securely from the old unencrypted home, you should shred the old home directory.

if the partition containing the old home directory is formatted with a journaled file system (JFS, ReiserFS, XFS, Ext3, etc.), you must boot with a live CD and shred the entire partition containing the old home directory.

if the shredded partition is the partition containing the OS, reinstall ubuntu, and finally mount the previously created encrypted home.

references for secure deletion:

• shred man page
• Secure Deletion of Data - by Peter Gutmann

strong passwords

remember that a chain is only as strong as its weakest link, and in the encryption chain the password is always the weakest link.

then, choose a strong password, or your data won't be more secure than without encryption.

references for strong passwords:

• Strong Passwords (Ubuntu wiki)
• The Diceware Passphrase Home Page
• Password strength (Wikipedia)
• Password cracking (Wikipedia)
• Key size (Wikipedia)

install cryptsetup

enable 'community maintained' (universe) repository from the Synaptic package manager or modifying the file /etc/apt/sources.list (apt sources list).

install cryptsetup:

# apt-get install cryptsetup
</code>



=== encrypted home ===

unmount (if mounted) /dev/hda3
<pre>
sudo umount /dev/hda3
</code>

check the partition for errors (and wait several minutes...):
<pre>
# sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3
</code>

fill the disk with random data (and wait many more minutes...);
/dev/urandom won't be as random as /dev/random, but it is the best
practical solution available:
<pre>
# sudo dd if=/dev/urandom of=/dev/hda3
</code>

create a LUKS partition:
<pre>
# sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3
</code>

'''NOTE''': if you get errors that the kernel may not use dm-crypt, try the command <code>modprobe dm-crypt</code> and retry to create the LUKS partition; if that helps, you may also want to add the module <code>dm-crypt</code> to the file <code>/etc/modules</code>.

set up the device mapper:
<pre>
# sudo cryptsetup luksOpen /dev/hda3 home
</code>

confirm it worked:
<pre>
# sudo cryptsetup status home
/dev/mapper/home is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/.static/dev/hda3
  offset:  2056 sectors
  size:    20962706 sectors
  mode:    read/write
</code>

create the filesystem (e.g. ext3):
<pre>
# sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home
</code>

temporary mount, to copy data from old home:
<pre>
# sudo mount -t ext3 /dev/mapper/home /mnt
</code>

copy data from old home:
<pre>
# sudo cp -axv /home/* /mnt/
</code>

unmount the temporary mount:
<pre>
# sudo umount /mnt
</code>



==== permanent mounting ====

===== Ubuntu 6.06 =====

insert in /etc/fstab :
<pre>
# <file system>    <mount point>   <type>   <options>   <dump>  <pass>
/dev/mapper/home   /home           ext3     defaults    1       2
</code>

after that, add an entry in /etc/crypttab:
<pre>
# <target device>   <source device>   <key file>   <options>
home                /dev/hda3         none         luks
</code>

reboot, and the encrypted home is done.



===== Ubuntu 5.10 =====

because 'crypttab' in Ubuntu 5.10 doesn't support LUKS encrypted
partitions, automatic mounting of home with Ubuntu 5.10 is a bit more
difficult.

create a file named 'cryptinit' in /etc/init.d/ with the following content:
<pre>
#! /bin/sh
# if this script is executed when home is opened, tries to close it;
# otherwise, tries to open it, for three times, then continue without
# opening it
if [ -b /dev/mapper/home ]; then
    /sbin/cryptsetup luksClose home
else
    i=3
    while [ $i -gt 0 ]; do
        let "i -= 1"
        /sbin/cryptsetup luksOpen /dev/hda3 home && i=0
    done
fi
</code>

make 'cryptinit' executable
<pre>
sudo chmod 755 /etc/init.d/cryptinit
</code>

then, create a symlink to 'cryptinit' in /etc/rcS.d
<pre>
# cd /etc/rcS.d
# sudo ln -s ../init.d/cryptinit S28cryptinit
</code>

insert in /etc/fstab :
<pre>
# <file system>    <mount point>   <type>   <options>   <dump>   <pass>
/dev/mapper/home   /home           ext3     defaults    1        2
</code>

reboot, and the encrypted home is done.



===== notes =====

with the instructions above about encrypting home you can also encrypt
generic data partitions (other than home), and you can permanently mount
them in two ways.

the first technique is shown above for mounting home, and requests the
password during the loading of the kernel.

the second technique we explain here asks you for the password right at
the end of the booting process, at the gnome login:

* do not make any modifications to /etc/fstab or /etc/crypttab
* add the encrypted partition to /etc/pmount.allow (ie. <code>/dev/hda3</code>)

this will give you the convenience of entering the password at the end of
the boot process rather than in the middle. however, a
[https://launchpad.net/distros/ubuntu/+ticket/985 bug] means that your
encrypted partition will always be called 'usbdisk' whether it is a usbdisk
or not.



==== manual mounting and unmounting ====

if you have encrypted other partitions than home and you don't want to
unlock those partitions on boot, then you need to manually mount and
unmount them.



===== mounting =====

set up the device mapper:
<pre>
# cryptsetup luksOpen /dev/hda4 data
</code>

mounting:
<pre>
# mount /dev/mapper/data /media/data
</code>



===== unmounting =====

umounting:
<pre>
# umount /media/data
</code>

delete the device mapper:
<pre>
# cryptsetup luksClose data
</code>



=== encrypted swap ===

before setting the encrypted swap, the file /etc/fstab should have a swap
entry like this:
<pre>
# <file system>   <mount point>   <type>   <options>   <dump>  <pass>
/dev/hda2         none            swap     sw          0       0
</code>

now just replace in /etc/fstab /dev/hda2 with the new device name
/dev/mapper/cswap:
<pre>
# <file system>     <mount point>   <type>   <options>   <dump>  <pass>
/dev/mapper/cswap   none            swap     sw          0       0
</code>

after that, add an entry in /etc/crypttab:
<pre>
# <target device>   <source device>   <key file>    <options>
cswap               /dev/hda2         /dev/random   swap
</code>

reboot, and that's it! the encrypted swap device is done; confirm it worked:
<pre>
# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       3148700 0       -1

# sudo cryptsetup status cswap
/dev/mapper/cswap is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/.static/dev/hda2
  offset:  0 sectors
  size:    6297417 sectors
  mode:    read/write
</code>

read the crypttab(5) manpage for more information



=== encrypting with keyfiles ===

with LUKS you can encrypt/decrypt with keyfiles instead of passphrases.

you can add a keyfile with the command luksFormat or with the command
luksAddKey.

for example, you can add with luksFormat a passphrase on slot 0 and with
luksAddKey a keyfile on slot 1; then, you can open your encrypted device
with the keyfile and, if you lose the keyfile, you can always use the
passphrase.

for better security you can store your keyfiles on a USB stick, maybe
encrypting the USB stick with a passphrase.

you can use every file you like as keyfile; for example, to generate a
2048bit random key:
<pre>
# dd if=/dev/random of=keyfile bs=1 count=256
</code>

then, to add the generated keyfile to an existing encrypted partition:
<pre>
the following command will require you to enter two times the passphrase
stored on slot 0...
# sudo cryptsetup luksAddKey /dev/hda4 keyfile
</code>

finally, to open the encrypted partition with the keyfile:
<pre>
# sudo cryptsetup luksOpen /dev/hda4 data --key-file keyfile
</code>

if you like to disable (delete) the keyfile on slot 1:
<pre>
# sudo cryptsetup luksDelKey /dev/hda4 1
</code>



=== tools ===

* [http://sourceforge.net/projects/cryptmount/ cryptmount]



=== references ===

* [http://luks.endorphin.org/dm-crypt LUKS on dm-crypt]
* [http://www.saout.de/misc/dm-crypt/ dm-crypt]
* [http://www.saout.de/tikiwiki/tiki-index.php dm-crypt wiki]
* [http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt dm-crypt mailing list]
* [http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS Encrypted Device Using LUKS]
* <code>/usr/share/doc/cryptsetup/CryptoSwap.HowTo</code> How to configure an encrypted swap partition on Debian systems
* [https://wiki.ubuntu.com/EncryptedFilesystemHowto Encrypted filesystem howto (Ubuntu)]
* [https://wiki.ubuntu.com/EncryptedFilesystemHowto2 Encrypted filesystem howto 2 (Ubuntu)]
* [http://deb.riseup.net/storage/encryption/dmcrypt/ dmcrypt (Debian)]
* [http://www.raoul.shacknet.nu/2005/11/10/encrypt-devices-using-dm-crypt-and-luks/ Encrypt devices using dm-crypt and LUKS (Fedora Core)]
* [http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS SECURITY System Encryption DM-Crypt with LUKS (Gentoo)]
* [http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS SECURITY Encrypting Root Filesystem with DM-Crypt with LUKS (Gentoo)]
* [http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt SECURITY Encrypting Root Filesystem with DM-Crypt (Gentoo)]

----
CategoryCleanup CategorySecurity

[[category:UbuntuHelp]]