Difference between revisions of "UbuntuHelp:EncryptedFilesystemHowto4"

From Ubuntu中文

Revision as of 09:37, 24 May 2007 (Thu)

Here is yet another HOWTO for installing (k)ubuntu 6.06 LTS (dapper) with encrypted root and swap partition. Why yet another? Some highlights of this method:

  • Uses RSA keys and thus is ready for smartcards (although in this howto the RSA private key is still stored on disk as an encrypted file)

  • Password changes are possible. With LUKS that would be possible too (but no smart card support), with cryptsetup it would not.

Encrypting valuable data is very important for many companies, and it feels a lot better if the whole filesystem is encrypted, not only some partitions (e.g. home: what if you start using some webserver, database etc.?). Of course full encryption of root and swap has a significant impact on read/write latency and increases CPU usage. For a normal desktop it is not a big deal, but if you copy hundreds of MB of data you will notice it.

This howto is very long, because you need to do many steps yourself that are normally done by the automatic installer.

How to install Ubuntu encrypted

    • Boot from desktop CD

Download this text to the ubuntu system, so you can cut and paste. Open in vi (not less, with less you get cut&paste problems on long lines).

    • Start an xterm
    • Get a root shell

sudo bash

    • load dm-crypt

modprobe dm-crypt

    • Partition the system

cfdisk /dev/sda          # or /dev/hda

Create three partitions:

  • first partition: linux, 100mb, bootable (/boot)
  • second partition: linux, what you prefer (2GB?) (swap)
  • third partition: root, rest of the disk (or leave space - however you prefer)

Do not set the second partition to swap, as ubuntu will automatically enable it and thus cause problems.

In this document we will assume:

  • /dev/sda1 /boot partition
  • /dev/sda2 swap partition
  • /dev/sda3 root partition
    • Create crypto keys in /tmp (tmpfs, never written anywhere)
cd /tmp 
openssl genrsa -aes256 -out privkey.pem 2048 
dd if=/dev/urandom of=swapkey bs=32 count=1 
dd if=/dev/urandom of=rootkey bs=32 count=1 
openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt 
openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt 
rm swapkey rootkey 

SWAPKEY=`openssl rsautl -in swapkey.enc -decrypt -inkey privkey.pem \ 
| hexdump -e '"" 32/1 "%02x" "\n"'` 
ROOTKEY=`openssl rsautl -in rootkey.enc -decrypt -inkey privkey.pem \ 
| hexdump -e '"" 32/1 "%02x" "\n"'` 
echo 0 `blockdev --getsize /dev/sda2` crypt aes-cbc-essiv:sha256 \ 
$SWAPKEY 0 /dev/sda2 0 |dmsetup create swap 
echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \ 
$ROOTKEY 0 /dev/sda3 0 |dmsetup create root 
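The table lines above are exactly what dmsetup consumes, and the plaintext key files are deleted right after they have been RSA-wrapped. The following is an added example, not part of the original howto: small helper functions (hexkey_of, check_hexkey, dm_crypt_table and verify_wrapped_key are this example's own names) that check the key is really 32 bytes, build the table line, and confirm the wrapped copy decrypts back to the original before the plaintext is removed. It uses od instead of the howto's hexdump so it also runs where bsdmainutils is not installed.

```shell
#!/bin/sh
# Added example (not from the original howto). Helper checks around the
# dm-crypt table lines this howto feeds to "dmsetup create".

# Print bytes (from a file argument, or stdin when none) as one lowercase
# hex string, equivalent to the howto's hexdump -e '"" 32/1 "%02x" "\n"'.
hexkey_of() {
    od -An -v -tx1 "$@" | tr -d ' \n'
}

# aes-cbc-essiv:sha256 with a 32-byte key is AES-256. A truncated or padded
# key file silently selects a different key size or makes dmsetup reject
# the table, so insist on exactly 64 hex digits.
check_hexkey() {
    key=$1
    case "$key" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ ${#key} -eq 64 ]
}

# Build the table line in the form the howto uses:
#   0 <sectors> crypt aes-cbc-essiv:sha256 <hexkey> 0 <device> 0
# Arguments: device, sector count (from blockdev --getsize), hex key.
dm_crypt_table() {
    dev=$1; sectors=$2; key=$3
    check_hexkey "$key" || { echo "bad key length for $dev" >&2; return 1; }
    case "$sectors" in
        ''|*[!0-9]*) echo "bad sector count for $dev" >&2; return 1 ;;
    esac
    printf '0 %s crypt aes-cbc-essiv:sha256 %s 0 %s 0\n' "$sectors" "$key" "$dev"
}

# Run before "rm swapkey rootkey": confirm the RSA-wrapped copy decrypts
# (with the passphrase) back to the plaintext key, so the only copy that
# remains is known to be usable. Arguments: plaintext key file, .enc file,
# privkey.pem.
verify_wrapped_key() {
    plain=$(hexkey_of "$1")
    unwrapped=$(openssl rsautl -in "$2" -decrypt -inkey "$3" | hexkey_of)
    [ -n "$plain" ] && [ "$plain" = "$unwrapped" ]
}
```

In /tmp, `verify_wrapped_key rootkey rootkey.enc privkey.pem && verify_wrapped_key swapkey swapkey.enc privkey.pem` should succeed before the rm line; it prompts for the passphrase just as rsautl does.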
    • Create filesystems
mkfs.ext3 /dev/sda1             # /boot 
mkswap /dev/mapper/swap         # swap 
mkfs.ext3 /dev/mapper/root      # root 
    • Mount filesystems
mount /dev/mapper/root /mnt 
mkdir /mnt/boot 
mount /dev/sda1 /mnt/boot
    • Download ar and debootstrap
cd /tmp 
mkdir download 
cd download 
wget http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1cvs20060117-1ubuntu2.1_i386.deb 
wget http://de.archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_0.3.3.0ubuntu2_all.deb 
dpkg -x binutils*deb x 
dpkg -x debootstrap*deb x 
    • install dapper on the crypto root
export LD_LIBRARY_PATH=/tmp/download/x/usr/lib 
export PATH=/tmp/download/x/usr/bin:$PATH 
export DEBOOTSTRAP_DIR=/tmp/download/x/usr/lib/debootstrap 
/tmp/download/x/usr/sbin/debootstrap dapper /mnt http://de.archive.ubuntu.com/ubuntu/ 
    • create an fstab in the chroot
chroot /mnt 
vi /etc/fstab 
/dev/sda1               /boot           ext3    defaults  0  0
/dev/mapper/root        /               ext3    defaults  0  0
/dev/mapper/swap        swap            swap    defaults  0  0
none                    /proc           proc    defaults  0  0
none                    /proc/bus/usb   usbfs   defaults  0  0
none                    /sys            sysfs   defaults  0  0
none                    /dev/shm        tmpfs   defaults  0  0 
none                    /dev/pts        devpts  defaults  0  0
    • create an apt config file in the chroot
chroot /mnt 
vi /etc/apt/sources.list 
deb http://de.archive.ubuntu.com/ubuntu/ dapper main restricted 
deb http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted

deb-src http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted
    • update packages, install dselect and kubuntu-desktop
chroot /mnt 
apt-get update 
apt-get upgrade 
apt-get install grub linux-image-686 dmsetup bsdmainutils wipe 
apt-get install kubuntu-desktop
    • configure initramfs-tools for crypt root and swap
chroot /mnt 
cd /etc/mkinitramfs 
echo dm-crypt >> modules 
echo aes >> modules 
echo sha256 >> modules 
vi hooks/cryptroot (copy till EOF) 
#!/bin/sh 

. /usr/share/initramfs-tools/hook-functions 

mkdir -p ${DESTDIR}/boot 
mkdir -p ${DESTDIR}/sbin 
mkdir -p ${DESTDIR}/usr/bin 

cp -p /boot/privkey.pem /boot/rootkey.enc /boot/swapkey.enc ${DESTDIR}/boot 

copy_exec /sbin/blockdev /sbin 
copy_exec /sbin/dmsetup /sbin 
copy_exec /usr/bin/openssl /usr/bin 
copy_exec /usr/bin/hexdump /usr/bin 
EOF 

chmod +x hooks/cryptroot 

vi scripts/local-top/cryptroot (copy till EOF) 
#!/bin/sh 

PREREQ="udev" 

# Output pre-requisites 
prereqs() 
{ 
echo "$PREREQ" 
} 

case "$1" in 
prereqs) 
prereqs 
exit 0 
;; 
esac 

modprobe aes 
modprobe sha256 
modprobe dm-crypt 

echo "Waiting for crypted root device..." 

slumber=1800 
while [ ${slumber} -gt 0 -a ! -e "/dev/sda3" ]; do 
/bin/sleep 0.1 
slumber=$(( ${slumber} - 1 )) 
done 

while test -z "$ROOTKEY" 
do 
ROOTKEY=`openssl rsautl -in /boot/rootkey.enc -decrypt -inkey /boot/privkey.pem \
    < /dev/tty0 2>/dev/tty0 | hexdump -e '"" 32/1 "%02x" "\n"'`
done 

SECTORS=`blockdev --getsize /dev/sda3` 

echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $ROOTKEY 0 /dev/sda3 0 \ 
|dmsetup create root 

echo "Waiting for crypted swap device..." 

slumber=1800 
while [ ${slumber} -gt 0 -a ! -e "/dev/sda2" ]; do 
/bin/sleep 0.1 
slumber=$(( ${slumber} - 1 )) 
done 

while test -z "$SWAPKEY" 
do 
SWAPKEY=`openssl rsautl -in /boot/swapkey.enc -decrypt -inkey /boot/privkey.pem \
    < /dev/tty0 2>/dev/tty0 | hexdump -e '"" 32/1 "%02x" "\n"'`
done 

SECTORS=`blockdev --getsize /dev/sda2` 

echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $SWAPKEY 0 /dev/sda2 0 \ 
|dmsetup create swap
EOF 
chmod +x scripts/local-top/cryptroot 
    • put the crypto keys in place and create a new initramfs
mv /tmp/privkey.pem /tmp/swapkey.enc /tmp/rootkey.enc /mnt/boot/ 
chroot /mnt 
update-initramfs -u 
    • install grub
chroot /mnt 
update-grub 
apt-get install kubuntu-grub-splashimages 

cd /boot/grub 
cp /lib/grub/i386-pc/* . 

grub 
root (hd0,0) 
setup (hd0) 
quit 
    • configure grub
            • vi /boot/grub/menu.lst
            • add "acpi=off"
            • change "root=/dev/mapper/root"
            • splash (hd0,0)/grub/splashimages/kubuntugood.xpm.gz
            • timeout 15
            • default 0
            • remove all the unwanted settings
            • remove all "savedefault" lines
            • remove splash as you want a console to enter your password
    • finish installation, reboot
umount /mnt/boot 
fuser -k /mnt 
umount /mnt 
sync 

press ctrl-alt-del and select reboot

Tools

  • change password on rsa key
su root 
cd /boot 
openssl rsa -in privkey.pem -out privkey.new.pem -aes256 
wipe privkey.pem 
mv privkey.new.pem privkey.pem 
update-initramfs -u 
  • replace rsa key
su root 
cd /tmp 
openssl rsautl -in /boot/rootkey.enc -inkey /boot/privkey.pem \ 
-decrypt -out rootkey 
openssl rsautl -in /boot/swapkey.enc -inkey /boot/privkey.pem \ 
-decrypt -out swapkey 
openssl genrsa -aes256 -out privkey.pem 2048 
openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt 
openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt 
rm swapkey rootkey 
mv swapkey.enc rootkey.enc privkey.pem /boot 
update-initramfs -u 
  • recover with bootcd
            • boot kubuntu cd
            • start xterm
sudo bash 
mount /dev/sda1 /mnt 
echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \ 
`openssl rsautl -in /mnt/rootkey.enc -decrypt -inkey \ 
/mnt/privkey.pem |hexdump -e '"" 32/1 "%02x" "\n"'` \ 
0 /dev/sda3 0 | dmsetup create root 
umount /mnt 
mount /dev/mapper/root /mnt 
mount /dev/sda1 /mnt/boot 

chroot /mnt 
... 

update-initramfs -u 

umount /mnt/boot 
umount /mnt 
sync 
  • press ctrl-alt-del and select reboot

Other changes

    • set root password
  • boot
  • switch to text console
  • login as "root" (no password)
  • shadowconfig on
  • passwd root
    • create user
adduser user 
vigr 
# add user to dialout, fax, voice, cdrom, floppy, sudo, audio, video, scanner, scard