“UbuntuHelp:FullDiskEncryptionHowto”的版本间的差异
来自Ubuntu中文
小 (新页面: {{From|https://help.ubuntu.com/community/FullDiskEncryptionHowto}} {{Languages|UbuntuHelp:FullDiskEncryptionHowto}} == How to set up a fully encrypted disk with Ubuntu == This page descr...) |
小 |
||
| 第2行: | 第2行: | ||
{{Languages|UbuntuHelp:FullDiskEncryptionHowto}} | {{Languages|UbuntuHelp:FullDiskEncryptionHowto}} | ||
== How to set up a fully encrypted disk with Ubuntu == | == How to set up a fully encrypted disk with Ubuntu == | ||
| − | |||
This page describes a way to setup an Ubuntu installation with a encrypted root partition and encrypted Swap. | This page describes a way to setup an Ubuntu installation with a encrypted root partition and encrypted Swap. | ||
{|border="1" cellspacing="0" | {|border="1" cellspacing="0" | ||
|<#ccaaaa> WARNING! We use the cryptoloop module in this howto. This module has well-known weaknesses. This howto should be adopted to use dm_crypt. If someone tries to implement this howto with dm_crypt, it would be cool if they would change it accordingly. | |<#ccaaaa> WARNING! We use the cryptoloop module in this howto. This module has well-known weaknesses. This howto should be adopted to use dm_crypt. If someone tries to implement this howto with dm_crypt, it would be cool if they would change it accordingly. | ||
|} | |} | ||
| − | |||
=== Encryption with dm_crypt === | === Encryption with dm_crypt === | ||
| − | |||
If you'd like to use the newer and stronger dm_crypt method you should: | If you'd like to use the newer and stronger dm_crypt method you should: | ||
<pre><nowiki> | <pre><nowiki> | ||
| 第15行: | 第12行: | ||
sudo modprobe dm_crypt | sudo modprobe dm_crypt | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
For each method of encryption, follow the listed howto: | For each method of encryption, follow the listed howto: | ||
| − | |||
* CryptoRoot - `/usr/share/doc/cryptsetup/CryptoRoot.HowTo` | * CryptoRoot - `/usr/share/doc/cryptsetup/CryptoRoot.HowTo` | ||
* CryptoSwap - `/usr/share/doc/cryptsetup/CryptoSwap.HowTo` | * CryptoSwap - `/usr/share/doc/cryptsetup/CryptoSwap.HowTo` | ||
* Encrypted non-root HD partition - [http://www.cryptocity.net/blog/2006/02/07/encrypted-filesystems/#more-163] | * Encrypted non-root HD partition - [http://www.cryptocity.net/blog/2006/02/07/encrypted-filesystems/#more-163] | ||
| − | |||
Other possibilities are listed at the dm_crypt wiki, including encryption across RAID devices, encrypting only a home directory (slightly harder), and encryption using LUKS: [http://www.saout.de/tikiwiki/tiki-index.php] | Other possibilities are listed at the dm_crypt wiki, including encryption across RAID devices, encrypting only a home directory (slightly harder), and encryption using LUKS: [http://www.saout.de/tikiwiki/tiki-index.php] | ||
| − | |||
=== Encryption with Cryptoloop === | === Encryption with Cryptoloop === | ||
| − | |||
=== Prearrangement === | === Prearrangement === | ||
| − | |||
To set up Ubuntu the described way, you will need | To set up Ubuntu the described way, you will need | ||
| − | |||
* a KNOPPIX CD | * a KNOPPIX CD | ||
* internet access | * internet access | ||
| − | |||
Insert the KNOPPIX CD into your computer and boot. Set up KNOPPIX so that it is able to connect to the internet. | Insert the KNOPPIX CD into your computer and boot. Set up KNOPPIX so that it is able to connect to the internet. | ||
| − | |||
=== Setting up the harddisk === | === Setting up the harddisk === | ||
| − | |||
We need three partitions: | We need three partitions: | ||
| − | |||
{|border="1" cellspacing="0" | {|border="1" cellspacing="0" | ||
| '''Size''' || '''Mountpoint''' || '''Encrypted?''' || '''Purpose''' | | '''Size''' || '''Mountpoint''' || '''Encrypted?''' || '''Purpose''' | ||
| 第48行: | 第34行: | ||
| * || swap || YES || Swap. The partition size depends on the used RAM. | | * || swap || YES || Swap. The partition size depends on the used RAM. | ||
|} | |} | ||
| − | |||
You can use <code><nowiki>fdisk</nowiki></code> to set up the partition table. The results should look similiar to | You can use <code><nowiki>fdisk</nowiki></code> to set up the partition table. The results should look similiar to | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
Disk /dev/hda: 20.0 GB, 20003880960 bytes | Disk /dev/hda: 20.0 GB, 20003880960 bytes | ||
255 heads, 63 sectors/track, 2432 cylinders | 255 heads, 63 sectors/track, 2432 cylinders | ||
Units == cylinders of 16065 * 512 == 8225280 bytes | Units == cylinders of 16065 * 512 == 8225280 bytes | ||
| − | |||
Device Boot Start End Blocks Id System | Device Boot Start End Blocks Id System | ||
/dev/hda1 * 1 2 16033+ 83 Linux | /dev/hda1 * 1 2 16033+ 83 Linux | ||
| 第61行: | 第44行: | ||
/dev/hda3 2313 2432 963900 82 Linux swap / Solaris | /dev/hda3 2313 2432 963900 82 Linux swap / Solaris | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Now we check the partition for badblocks while filling it with random garbage, set up the encryption with <code><nowiki>losetup</nowiki></code> and format the encrypted partition. We will then mount it to install Ubuntu. | Now we check the partition for badblocks while filling it with random garbage, set up the encryption with <code><nowiki>losetup</nowiki></code> and format the encrypted partition. We will then mount it to install Ubuntu. | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
sudo badblocks -c 10240 -s -w -t random -v /dev/hda2 | sudo badblocks -c 10240 -s -w -t random -v /dev/hda2 | ||
| 第71行: | 第52行: | ||
mount /dev/loop0 /mnt/ubuntu | mount /dev/loop0 /mnt/ubuntu | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
=== Installing Ubuntu === | === Installing Ubuntu === | ||
| − | |||
The installation procedure from KNOPPIX is described in [[UbuntuHelp:Installation/FromKnoppix#head-d373af719615b01a8733cbea9d477dc493df420c|Installation/FromKnoppix]]. | The installation procedure from KNOPPIX is described in [[UbuntuHelp:Installation/FromKnoppix#head-d373af719615b01a8733cbea9d477dc493df420c|Installation/FromKnoppix]]. | ||
| − | |||
You need a different <code><nowiki>fstab</nowiki></code>. Instead of a normal partition, the device for the <code><nowiki>/</nowiki></code> mountpoint is <code><nowiki>/dev/loop0</nowiki></code>. The swap entry needs more arguments to provide encrypted swap. | You need a different <code><nowiki>fstab</nowiki></code>. Instead of a normal partition, the device for the <code><nowiki>/</nowiki></code> mountpoint is <code><nowiki>/dev/loop0</nowiki></code>. The swap entry needs more arguments to provide encrypted swap. | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
/proc /proc proc defaults 0 0 | /proc /proc proc defaults 0 0 | ||
/sys /sys sysfs defaults 0 0 | /sys /sys sysfs defaults 0 0 | ||
| − | |||
/dev/hda1 /osloader ext3 defaults,noauto 0 0 | /dev/hda1 /osloader ext3 defaults,noauto 0 0 | ||
/dev/loop0 / reiserfs defaults 0 1 | /dev/loop0 / reiserfs defaults 0 1 | ||
/dev/hda3 none swap sw,loop=/dev/loop1,encryption=aes128 0 0 | /dev/hda3 none swap sw,loop=/dev/loop1,encryption=aes128 0 0 | ||
| − | |||
/dev/cdrom /mnt/cdrom auto user,noauto,exec,ro 0 0 | /dev/cdrom /mnt/cdrom auto user,noauto,exec,ro 0 0 | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
After setting up the base system, install <code><nowiki>loop-aes-utils</nowiki></code>. | After setting up the base system, install <code><nowiki>loop-aes-utils</nowiki></code>. | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
apt-get install loop-aes-utils | apt-get install loop-aes-utils | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
When installing the kernel and GRUB, quit the GRUB configuration assistent. | When installing the kernel and GRUB, quit the GRUB configuration assistent. | ||
| − | |||
=== Setting up the OS loader === | === Setting up the OS loader === | ||
| − | |||
After installing the base system, we set up a small partition that mounts the encrypted root and kicks off <code><nowiki>init</nowiki></code>. | After installing the base system, we set up a small partition that mounts the encrypted root and kicks off <code><nowiki>init</nowiki></code>. | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
mke2fs -j /dev/hda1 | mke2fs -j /dev/hda1 | ||
| 第106行: | 第75行: | ||
mount /dev/hda1 /osloader | mount /dev/hda1 /osloader | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Copy the kernel image there. | Copy the kernel image there. | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
cp /vmlinuz /osloader/vmlinuz | cp /vmlinuz /osloader/vmlinuz | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
We need to edit the <code><nowiki>mkinitrd</nowiki></code> configuration so that it supports loading the encrypted root partition. | We need to edit the <code><nowiki>mkinitrd</nowiki></code> configuration so that it supports loading the encrypted root partition. | ||
| − | |||
First edit <code><nowiki>/etc/mkinitrd/mkinitrd.conf</nowiki></code>, set <code><nowiki>ROOT=probe</nowiki></code> to <code><nowiki>ROOT=</nowiki></code> since it would complain about our <code><nowiki>/dev/loop0</nowiki></code> root. | First edit <code><nowiki>/etc/mkinitrd/mkinitrd.conf</nowiki></code>, set <code><nowiki>ROOT=probe</nowiki></code> to <code><nowiki>ROOT=</nowiki></code> since it would complain about our <code><nowiki>/dev/loop0</nowiki></code> root. | ||
| − | |||
Add some required modules to <code><nowiki>/etc/mkinitrd/modules</nowiki></code>: | Add some required modules to <code><nowiki>/etc/mkinitrd/modules</nowiki></code>: | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
ide-generic | ide-generic | ||
| 第127行: | 第90行: | ||
reiserfs | reiserfs | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Then we add a script that handles the <code><nowiki>losetup</nowiki></code> stuff while booting. Create a file <code><nowiki>/etc/mkinitrd/scripts/losetup</nowiki></code> that has the following content: | Then we add a script that handles the <code><nowiki>losetup</nowiki></code> stuff while booting. Create a file <code><nowiki>/etc/mkinitrd/scripts/losetup</nowiki></code> that has the following content: | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
#!/bin/sh | #!/bin/sh | ||
| − | |||
mknod -m 600 $INITRDDIR/dev/loop0 b 7 0 | mknod -m 600 $INITRDDIR/dev/loop0 b 7 0 | ||
mknod -m 600 $INITRDDIR/dev/hda2 b 3 2 | mknod -m 600 $INITRDDIR/dev/hda2 b 3 2 | ||
| − | |||
mkdir $INITRDDIR/loopcheck | mkdir $INITRDDIR/loopcheck | ||
| − | |||
cat > $INITRDDIR/scripts/losetup.sh << EOF | cat > $INITRDDIR/scripts/losetup.sh << EOF | ||
#!/bin/sh | #!/bin/sh | ||
| − | |||
mount -nt proc proc proc | mount -nt proc proc proc | ||
| − | |||
losetup -e aes128 /dev/loop0 /dev/hda2 | losetup -e aes128 /dev/loop0 /dev/hda2 | ||
mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null | mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null | ||
| − | |||
while [ \$? -ne 0 ] | while [ \$? -ne 0 ] | ||
do | do | ||
| 第153行: | 第108行: | ||
mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null | mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null | ||
done | done | ||
| − | |||
umount -n /loopcheck | umount -n /loopcheck | ||
| − | |||
# loop0 = 7, 0 | # loop0 = 7, 0 | ||
echo 1792 > /proc/sys/kernel/real-root-dev | echo 1792 > /proc/sys/kernel/real-root-dev | ||
umount -n proc | umount -n proc | ||
EOF | EOF | ||
| − | |||
chmod a+x $INITRDDIR/scripts/losetup.sh | chmod a+x $INITRDDIR/scripts/losetup.sh | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
chmod a+x /etc/mkinitrd/scripts/losetup | chmod a+x /etc/mkinitrd/scripts/losetup | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Now generate the initial ram disk with <code><nowiki>mkinitrd -o /osloader/initrd 2.6.10-5-386</nowiki></code>. | Now generate the initial ram disk with <code><nowiki>mkinitrd -o /osloader/initrd 2.6.10-5-386</nowiki></code>. | ||
| − | |||
Configure GRUB: | Configure GRUB: | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
mkdir /osloader/boot | mkdir /osloader/boot | ||
mkdir /osloader/boot/grub | mkdir /osloader/boot/grub | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Add <code><nowiki>/osloader/boot/grub/menu.lst</nowiki></code> | Add <code><nowiki>/osloader/boot/grub/menu.lst</nowiki></code> | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
default 0 | default 0 | ||
| 第188行: | 第134行: | ||
boot | boot | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Install the MBR by running <code><nowiki>grub-install --root-directory=/osloader /dev/hda</nowiki></code>. | Install the MBR by running <code><nowiki>grub-install --root-directory=/osloader /dev/hda</nowiki></code>. | ||
| − | |||
To make sure the osloader partition is clean, add a little check script to <code><nowiki>/etc/rcS.d/S00checkosloader</nowiki></code>. | To make sure the osloader partition is clean, add a little check script to <code><nowiki>/etc/rcS.d/S00checkosloader</nowiki></code>. | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
#!/bin/sh | #!/bin/sh | ||
| − | |||
if [ "`md5sum /dev/hda1`" != "`cat /etc/osloader_checksum`" ] | if [ "`md5sum /dev/hda1`" != "`cat /etc/osloader_checksum`" ] | ||
then | then | ||
| − | |||
echo "** FATAL SECURITY ERROR ************************************" | echo "** FATAL SECURITY ERROR ************************************" | ||
echo "* *" | echo "* *" | ||
| 第207行: | 第148行: | ||
echo "* Press Enter to boot up the system. *" | echo "* Press Enter to boot up the system. *" | ||
echo "************************************************************" | echo "************************************************************" | ||
| − | |||
read junk | read junk | ||
fi | fi | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
<pre><nowiki> | <pre><nowiki> | ||
chmod a+x /etc/rcS.d/S00checkosloader | chmod a+x /etc/rcS.d/S00checkosloader | ||
md5sum /dev/hda1 > /etc/osloader_checksum | md5sum /dev/hda1 > /etc/osloader_checksum | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
Now exit the chroot, reboot and you should have a fully encrypted environment. | Now exit the chroot, reboot and you should have a fully encrypted environment. | ||
---- | ---- | ||
2007年11月30日 (五) 17:23的版本
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
目录
How to set up a fully encrypted disk with Ubuntu
This page describes a way to setup an Ubuntu installation with a encrypted root partition and encrypted Swap.
| <#ccaaaa> WARNING! We use the cryptoloop module in this howto. This module has well-known weaknesses. This howto should be adopted to use dm_crypt. If someone tries to implement this howto with dm_crypt, it would be cool if they would change it accordingly. |
Encryption with dm_crypt
If you'd like to use the newer and stronger dm_crypt method you should:
sudo apt-get install cryptsetup sudo modprobe dm_crypt
For each method of encryption, follow the listed howto:
- CryptoRoot - `/usr/share/doc/cryptsetup/CryptoRoot.HowTo`
- CryptoSwap - `/usr/share/doc/cryptsetup/CryptoSwap.HowTo`
- Encrypted non-root HD partition - [1]
Other possibilities are listed at the dm_crypt wiki, including encryption across RAID devices, encrypting only a home directory (slightly harder), and encryption using LUKS: [2]
Encryption with Cryptoloop
Prearrangement
To set up Ubuntu the described way, you will need
- a KNOPPIX CD
- internet access
Insert the KNOPPIX CD into your computer and boot. Set up KNOPPIX so that it is able to connect to the internet.
Setting up the harddisk
We need three partitions:
| Size | Mountpoint | Encrypted? | Purpose |
| 10M | /osloader | NO | Holds the initrd and kernel image needed to mount and load the rest of the system. GRUB will boot from this partition. |
| * | / | YES | Root partition. Holds a normal Ubuntu installation that will be launched by initrd. The partition size depends on the available harddisk space but shouldn't be smaller than 2G. |
| * | swap | YES | Swap. The partition size depends on the used RAM. |
You can use fdisk to set up the partition table. The results should look similiar to
Disk /dev/hda: 20.0 GB, 20003880960 bytes 255 heads, 63 sectors/track, 2432 cylinders Units == cylinders of 16065 * 512 == 8225280 bytes Device Boot Start End Blocks Id System /dev/hda1 * 1 2 16033+ 83 Linux /dev/hda2 3 2312 18555075 83 Linux /dev/hda3 2313 2432 963900 82 Linux swap / Solaris
Now we check the partition for badblocks while filling it with random garbage, set up the encryption with losetup and format the encrypted partition. We will then mount it to install Ubuntu.
sudo badblocks -c 10240 -s -w -t random -v /dev/hda2 losetup -T -e aes128 /dev/loop0 /dev/hda2 mkreiserfs /dev/loop0 mkdir /mnt/ubuntu mount /dev/loop0 /mnt/ubuntu
Installing Ubuntu
The installation procedure from KNOPPIX is described in Installation/FromKnoppix.
You need a different fstab. Instead of a normal partition, the device for the / mountpoint is /dev/loop0. The swap entry needs more arguments to provide encrypted swap.
/proc /proc proc defaults 0 0 /sys /sys sysfs defaults 0 0 /dev/hda1 /osloader ext3 defaults,noauto 0 0 /dev/loop0 / reiserfs defaults 0 1 /dev/hda3 none swap sw,loop=/dev/loop1,encryption=aes128 0 0 /dev/cdrom /mnt/cdrom auto user,noauto,exec,ro 0 0
After setting up the base system, install loop-aes-utils.
apt-get install loop-aes-utils
When installing the kernel and GRUB, quit the GRUB configuration assistent.
Setting up the OS loader
After installing the base system, we set up a small partition that mounts the encrypted root and kicks off init.
mke2fs -j /dev/hda1 mkdir /osloader mount /dev/hda1 /osloader
Copy the kernel image there.
cp /vmlinuz /osloader/vmlinuz
We need to edit the mkinitrd configuration so that it supports loading the encrypted root partition.
First edit /etc/mkinitrd/mkinitrd.conf, set ROOT=probe to ROOT= since it would complain about our /dev/loop0 root.
Add some required modules to /etc/mkinitrd/modules:
ide-generic loop cryptoloop aes sha256 reiserfs
Then we add a script that handles the losetup stuff while booting. Create a file /etc/mkinitrd/scripts/losetup that has the following content:
#!/bin/sh mknod -m 600 $INITRDDIR/dev/loop0 b 7 0 mknod -m 600 $INITRDDIR/dev/hda2 b 3 2 mkdir $INITRDDIR/loopcheck cat > $INITRDDIR/scripts/losetup.sh << EOF #!/bin/sh mount -nt proc proc proc losetup -e aes128 /dev/loop0 /dev/hda2 mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null while [ \$? -ne 0 ] do echo "Try again." losetup -d /dev/loop0 2>/dev/null losetup -e aes128 /dev/loop0 /dev/hda2 mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null done umount -n /loopcheck # loop0 = 7, 0 echo 1792 > /proc/sys/kernel/real-root-dev umount -n proc EOF chmod a+x $INITRDDIR/scripts/losetup.sh
chmod a+x /etc/mkinitrd/scripts/losetup
Now generate the initial ram disk with mkinitrd -o /osloader/initrd 2.6.10-5-386.
Configure GRUB:
mkdir /osloader/boot mkdir /osloader/boot/grub
Add /osloader/boot/grub/menu.lst
default 0 timeout 0 title Ubuntu root (hd0,0) kernel /vmlinuz ro quiet splash root=/dev/loop0 acpi=off nolapic initrd /initrd boot
Install the MBR by running grub-install --root-directory=/osloader /dev/hda.
To make sure the osloader partition is clean, add a little check script to /etc/rcS.d/S00checkosloader.
#!/bin/sh if [ "`md5sum /dev/hda1`" != "`cat /etc/osloader_checksum`" ] then echo "** FATAL SECURITY ERROR ************************************" echo "* *" echo "* The OS loader was modified! *" echo "* This could have leaked your encryption password. You are *" echo "* advised to install a new encryption setup. *" echo "* *" echo "* Press Enter to boot up the system. *" echo "************************************************************" read junk fi
chmod a+x /etc/rcS.d/S00checkosloader md5sum /dev/hda1 > /etc/osloader_checksum
Now exit the chroot, reboot and you should have a fully encrypted environment.
