Difference between revisions of "UbuntuHelp:EncryptedFilesystemHowto4"
From Ubuntu Chinese (translation of https://help.ubuntu.com/community/EncryptedFilesystemHowto4)
Latest revision as of 18:25, 16 December 2008
Encrypted root and swap partition with dm-crypt on Ubuntu 6.06 LTS
Please refer to EncryptedFilesystems for further documentation.
Highlights of the following guide:
- Uses RSA keys and thus is ready for smartcards (although in this howto the RSA private key is still stored on disk as a passphrase-encrypted file)
- Password changes are possible. With LUKS that would be possible too (but without smart card support); with cryptsetup it would not.
Encrypting valuable data is very important for many companies, and it feels a lot better if the whole filesystem is encrypted, not only some partitions (e.g. home: what if you start using some web server, database etc.?). Of course, full encryption of root and swap has a significant impact on read/write latency and increases CPU usage. For a normal desktop it is not a big deal, but if you copy hundreds of MB of data you will notice it. This howto is very long, because you need to do many steps yourself that are normally done by the automatic installer.
How to install Ubuntu encrypted
Boot from desktop CD
Download this text to the Ubuntu system so you can cut and paste. Open it in vi (not less: with less you get cut-and-paste problems on long lines).
Start an xterm and get a root shell
    sudo bash
Load dm-crypt
    modprobe dm-crypt
Partition the system
    cfdisk /dev/sda        # or /dev/hda
Create three partitions:
- first partition: linux, 100 MB, bootable (/boot)
- second partition: linux, whatever size you prefer (2 GB?) (swap)
- third partition: root, the rest of the disk (or leave some space, however you prefer)
Do not set the second partition's type to swap, as Ubuntu will automatically enable it and thus cause problems. In this document we will assume:
- /dev/sda1 /boot partition
- /dev/sda2 swap partition
- /dev/sda3 root partition
Create crypto keys in /tmp (tmpfs, never written anywhere)
    cd /tmp
    # passphrase-protected RSA key; the two 32-byte volume keys are wrapped with it
    openssl genrsa -aes256 -out privkey.pem 2048
    dd if=/dev/urandom of=swapkey bs=32 count=1
    dd if=/dev/urandom of=rootkey bs=32 count=1
    openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt
    openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt
    rm swapkey rootkey

    # unwrap the keys again as hex strings and set up the two dm-crypt mappings
    SWAPKEY=`openssl rsautl -in swapkey.enc -decrypt -inkey privkey.pem \
      | hexdump -e '"" 32/1 "%02x" "\n"'`
    ROOTKEY=`openssl rsautl -in rootkey.enc -decrypt -inkey privkey.pem \
      | hexdump -e '"" 32/1 "%02x" "\n"'`
    echo 0 `blockdev --getsize /dev/sda2` crypt aes-cbc-essiv:sha256 \
      $SWAPKEY 0 /dev/sda2 0 | dmsetup create swap
    echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \
      $ROOTKEY 0 /dev/sda3 0 | dmsetup create root
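The table line piped into dmsetup above has a fixed layout (start sector, length, target type, cipher spec, hex key, IV offset, device, device offset), and the crypt target rejects a key that is not exactly 64 hex digits for AES-256. The shell functions below are an added example, not part of the original howto: they build that line and validate the key first, take the sector count as an argument (blockdev --getsize needs a real device), and use od instead of the howto's hexdump because od is POSIX and present on any rescue system.

```shell
#!/bin/sh
# Added example, not part of the original howto: build and sanity-check the
# dm-crypt table line that the howto pipes into "dmsetup create".
#
# Table layout for the crypt target, as used on this page:
#   <start> <length> crypt <cipher> <hexkey> <iv_offset> <device> <dev_offset>
# Assumptions: a 32-byte raw key (AES-256, what "dd bs=32 count=1" produces),
# and a sector count passed in by the caller, because "blockdev --getsize"
# needs a real block device.

# Raw key file -> lowercase hex string. The howto uses hexdump (bsdmainutils);
# od is used here instead because it is POSIX and exists on every rescue system.
key_to_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# A key for aes-cbc-essiv:sha256 with AES-256 must be exactly 64 hex digits.
# Returns 0 when valid, 1 otherwise (wrong length or a non-hex character,
# e.g. a stray newline or an error message captured into the variable).
check_hexkey() {
    _k="$1"
    [ "${#_k}" -eq 64 ] || return 1
    case "$_k" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    return 0
}

# Print the table line for "dmsetup create": whole device, starting at
# sector 0, IV offset 0, same cipher spec the howto uses.
# Usage: crypt_table <hexkey> <sectors> <device>
crypt_table() {
    check_hexkey "$1" || {
        echo "crypt_table: key must be 64 hex digits (32 bytes)" >&2
        return 1
    }
    [ "$2" -gt 0 ] 2>/dev/null || {
        echo "crypt_table: sector count must be a positive integer" >&2
        return 1
    }
    printf '0 %s crypt aes-cbc-essiv:sha256 %s 0 %s 0\n' "$2" "$1" "$3"
}

# Demo with a throwaway key generated the same way the howto does it.
# In real use the raw key lives on tmpfs and is removed once the .enc copy exists.
demo() {
    _f="${TMPDIR:-/tmp}/demo_swapkey.$$"
    dd if=/dev/urandom of="$_f" bs=32 count=1 2>/dev/null
    _hex=$(key_to_hex "$_f")
    rm -f "$_f"
    # constructed value: a 2 GB swap partition is 4194304 sectors of 512 bytes
    crypt_table "$_hex" 4194304 /dev/sda2
}

demo
```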
Create filesystems
    mkfs.ext3 /dev/sda1          # /boot
    mkswap /dev/mapper/swap      # swap
    mkfs.ext3 /dev/mapper/root   # root
Mount filesystems
    mount /dev/mapper/root /mnt
    mkdir /mnt/boot
    mount /dev/sda1 /mnt/boot
Download ar and debootstrap
    cd /tmp
    mkdir download
    cd download
    wget http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1cvs20060117-1ubuntu2.1_i386.deb
    wget http://de.archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_0.3.3.0ubuntu2_all.deb
    dpkg -x binutils*deb x
    dpkg -x debootstrap*deb x
Install dapper on the crypto root
    export LD_LIBRARY_PATH=/tmp/download/x/usr/lib
    export PATH=/tmp/download/x/usr/bin:$PATH
    export DEBOOTSTRAP_DIR=/tmp/download/x/usr/lib/debootstrap
    /tmp/download/x/usr/sbin/debootstrap dapper /mnt http://de.archive.ubuntu.com/ubuntu/
Create an fstab in the chroot
    chroot /mnt
    vi /etc/fstab
with the following contents:
    /dev/sda1         /boot          ext3    defaults 0 0
    /dev/mapper/root  /              ext3    defaults 0 0
    /dev/mapper/swap  swap           swap    defaults 0 0
    none              /proc          proc    defaults 0 0
    none              /proc/bus/usb  usbfs   defaults 0 0
    none              /sys           sysfs   defaults 0 0
    none              /dev/shm       tmpfs   defaults 0 0
    none              /dev/pts       devpts  defaults 0 0
Create an apt config file in the chroot
    chroot /mnt
    vi /etc/apt/sources.list
with the following contents:
    deb http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
    deb http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
    deb http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted

    deb-src http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
    deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
    deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted
Update packages, install dselect and kubuntu-desktop
    chroot /mnt
    apt-get update
    apt-get upgrade
    # dmsetup, bsdmainutils (hexdump) and openssl are what the boot script below needs
    apt-get install grub linux-image-686 dmsetup bsdmainutils wipe
    apt-get install kubuntu-desktop
Configure initramfs-tools for crypt root and swap
    chroot /mnt
    cd /etc/mkinitramfs
    echo dm-crypt >> modules
    echo aes >> modules
    echo sha256 >> modules
    vi hooks/cryptroot        # paste the whole file shown next
hooks/cryptroot:
    #!/bin/sh
    # initramfs hook: copy the key material and the tools the boot script needs
    . /usr/share/initramfs-tools/hook-functions

    mkdir -p ${DESTDIR}/boot
    mkdir -p ${DESTDIR}/sbin
    mkdir -p ${DESTDIR}/usr/bin

    # the passphrase-encrypted RSA key and the two wrapped volume keys
    cp -p /boot/privkey.pem /boot/rootkey.enc /boot/swapkey.enc ${DESTDIR}/boot

    copy_exec /sbin/blockdev /sbin
    copy_exec /sbin/dmsetup /sbin
    copy_exec /usr/bin/openssl /usr/bin
    copy_exec /usr/bin/hexdump /usr/bin
Then make the hook executable and create the boot script:
    chmod +x hooks/cryptroot
    vi scripts/local-top/cryptroot    # paste the whole file shown next
scripts/local-top/cryptroot:
    #!/bin/sh
    PREREQ="udev"

    # Output pre-requisites
    prereqs()
    {
        echo "$PREREQ"
    }

    case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
    esac

    modprobe aes
    modprobe sha256
    modprobe dm-crypt

    echo "Waiting for crypted root device..."

    # wait up to 180 s (1800 x 0.1 s) for the disk to show up
    slumber=1800
    while [ ${slumber} -gt 0 -a ! -e "/dev/sda3" ]; do
        /bin/sleep 0.1
        slumber=$(( ${slumber} - 1 ))
    done

    # ask for the RSA passphrase on the console until the root key decrypts
    while test -z "$ROOTKEY"
    do
        ROOTKEY=`openssl rsautl -in /boot/rootkey.enc -decrypt \
            -inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 \
            | hexdump -e '"" 32/1 "%02x" "\n"'`
    done

    SECTORS=`blockdev --getsize /dev/sda3`

    echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $ROOTKEY 0 /dev/sda3 0 \
        | dmsetup create root

    echo "Waiting for crypted swap device..."

    slumber=1800
    while [ ${slumber} -gt 0 -a ! -e "/dev/sda2" ]; do
        /bin/sleep 0.1
        slumber=$(( ${slumber} - 1 ))
    done

    # same passphrase again, this time to unwrap the swap key
    while test -z "$SWAPKEY"
    do
        SWAPKEY=`openssl rsautl -in /boot/swapkey.enc -decrypt \
            -inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 \
            | hexdump -e '"" 32/1 "%02x" "\n"'`
    done

    SECTORS=`blockdev --getsize /dev/sda2`

    echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $SWAPKEY 0 /dev/sda2 0 \
        | dmsetup create swap
Finally make the boot script executable:
    chmod +x scripts/local-top/cryptroot
Put the crypto keys in place and create a new initramfs
    mv /tmp/privkey.pem /tmp/swapkey.enc /tmp/rootkey.enc /mnt/boot/
    chroot /mnt
    update-initramfs -u
Install grub
    chroot /mnt
    update-grub
    apt-get install kubuntu-grub-splashimages

    cd /boot/grub
    cp /lib/grub/i386-pc/* .

    grub                # the next three lines are typed at the grub> prompt
    root (hd0,0)
    setup (hd0)
    quit
Configure grub
- vi /boot/grub/menu.lst
- add "acpi=off" to the kernel line
- change the root parameter to "root=/dev/mapper/root"
- set the splash image: (hd0,0)/grub/splashimages/kubuntugood.xpm.gz
- timeout 15
- default 0
- remove all the unwanted settings
- remove all "savedefault" lines
- remove the "splash" kernel option, as you want a text console to enter your password
Finish installation, reboot
    umount /mnt/boot
    fuser -k /mnt
    umount /mnt
    sync
press ctrl-alt-del and select reboot
Tools
Change password on rsa key
    su root
    cd /boot
    # asks for the old passphrase, then for the new one
    openssl rsa -in privkey.pem -out privkey.new.pem -aes256
    wipe privkey.pem
    mv privkey.new.pem privkey.pem
    update-initramfs -u
Replace rsa key
    su root
    cd /tmp
    openssl rsautl -in /boot/rootkey.enc -inkey /boot/privkey.pem \
      -decrypt -out rootkey
    openssl rsautl -in /boot/swapkey.enc -inkey /boot/privkey.pem \
      -decrypt -out swapkey
    openssl genrsa -aes256 -out privkey.pem 2048
    openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt
    openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt
    # on the running system /tmp is on the encrypted root, not on tmpfs
    rm swapkey rootkey
    mv swapkey.enc rootkey.enc privkey.pem /boot
    update-initramfs -u
Recover with bootcd
- boot kubuntu cd
- start xterm
    sudo bash            # load dm-crypt first if it is not loaded yet, as in the install steps
    mount /dev/sda1 /mnt
    echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \
      `openssl rsautl -in /mnt/rootkey.enc -decrypt -inkey \
      /mnt/privkey.pem | hexdump -e '"" 32/1 "%02x" "\n"'` \
      0 /dev/sda3 0 | dmsetup create root
    umount /mnt
    mount /dev/mapper/root /mnt
    mount /dev/sda1 /mnt/boot

    chroot /mnt
    ...
    update-initramfs -u

    umount /mnt/boot
    umount /mnt
    sync
- press ctrl-alt-del and select reboot
Other changes
Set root password
- boot
- switch to text console
- login as "root" (no password)
- shadowconfig on
- passwd root
Create User
    adduser user
    vigr
    # add the user to dialout, fax, voice, cdrom, floppy, sudo, audio,
    # video, scanner, scard