EncryptedFilesystemHowto3

Differences between revisions 11 and 13 (spanning 2 versions)
Revision 11 as of 2006-06-12 15:56:04
Size: 9144
Editor: host70-95
Comment: fixed link names
Revision 13 as of 2006-06-17 01:31:32
Size: 10245
Editor: 110
Comment: Added a method for decryption password at the gnome login
Deletions are marked like this. Additions are marked like this.
Line 153: Line 153:
there are two techniques for permanently mounting the encrypted partition. the first technique means that you will get the password request during the loading of the kernel. the second (which many prefer) asks you for the password right at the end of the booting process, at the gnome login.

=== password during kernel load ===
Line 169: Line 173:


==== Ubuntu 5.10 ====
=== password at gnome login ===

do not make any modifications to /etc/fstab or /etc/crypttab

add the encrypted partition to /etc/pmount.allow (ie. /dev/hda3).

when gnome loads, it will recognise the encrypted partition and ask you for the password.

this will give you the convenience of entering the password at the end of the boot process rather than in the middle. however, a pmount (?) bug means that your encrypted drive will always be called 'usbdisk' whether it is a usbdisk or not. if you are willing to live with this minor bug, then so be it.

note also that this method may not be compatible with the encrypted swap method described below. if you want an encrypted swap partition, you may need to use the password during kernel load technique.


=== Ubuntu 5.10 ===

Encrypted Swap and Home with LUKS (on Ubuntu 6.06 and 5.10)

by Stefano Spinucci virgo977virgo at <googlemail> dot com

introduction

notes

NOTE#1 in this tutorial we assume that:

  • old (unencrypted) and the new (encrypted) swap is in the partition '/dev/hda2'
  • new home (encrypted) is in the partition '/dev/hda3'

replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.

NOTE#2 DM-Crypt works by transparently translating (in the kernel) between a physical on-disk partition (which is encrypted) and a logical partition which you can then mount and use as normal; then, for example, to operate on your home partition you must do so by using /dev/mapper/home instead of /dev/hda3.

warnings

encrypting a partition is a destructive operation; then, your new home partition (/dev/hda3) must be empty, because all data on it will be erased.

unencrypted data on the old home directory won’t be deleted and will be accessible, for example, with a live CD; then, you shouldn't put any sensible data on home before encrypting.

otherwise, if you have sensible data to delete securely from the old unencrypted home, you should shred the old home directory.

if the partition containing the old home directory is formatted with a journaled file system (JFS, ReiserFS, XFS, Ext3, etc.), you must boot with a live CD and shred the entire partition containing the old home directory.

if the shredded partition is the partition containing the OS, reinstall ubuntu, and finally mount the previously created encrypted home.

references for secure deletion:

strong passwords

remember that a chain is only as strong as its weakest link, and in the encryption chain the password is always the weakest link.

then, choose a strong password, or your data won't be more secure than without encryption.

references for strong passwords:

install cryptsetup

enable 'community maintained' (universe) repository from the Synaptic package manager or modifying the file /etc/apt/sources.list (apt sources list).

install cryptsetup:

# apt-get install cryptsetup

encrypted home

unmount (if mounted) /dev/hda3

sudo umount /dev/hda3

check the partition for errors (and wait several minutes...):

# sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3

fill the disk with random data (and wait many more minutes...); /dev/urandom won't be as random as /dev/random, but it is the best practical solution available:

# sudo dd if=/dev/urandom of=/dev/hda3

create a LUKS partition:

# sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3

NOTE: if you get errors that the kernel may not use dm-crypt, try the command modprobe dm-crypt and retry to create the LUKS partition; if that helps, you may also want to add the module dm-crypt to the file /etc/modules.

set up the device mapper:

# sudo cryptsetup luksOpen /dev/hda3 home

confirm it worked:

# sudo cryptsetup status home
/dev/mapper/home is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/.static/dev/hda3
  offset:  2056 sectors
  size:    20962706 sectors
  mode:    read/write

create the filesystem (e.g. ext3):

# sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home

temporary mount, to copy data from old home:

# sudo mount -t ext3 /dev/mapper/home /mnt

copy data from old home:

# sudo cp -axv /home/* /mnt/

unmount the temporary mount:

sudo umount /mnt

permanent mounting

there are two techniques for permanently mounting the encrypted partition. the first technique means that you will get the password request during the loading of the kernel. the second (which many prefer) asks you for the password right at the end of the booting process, at the gnome login.

password during kernel load

Ubuntu 6.06

insert in /etc/fstab :

# <file system>    <mount point>   <type>   <options>   <dump>  <pass>
/dev/mapper/home   /home           ext3     defaults    1       2

after that, add an entry in /etc/crypttab:

# <target device>   <source device>   <key file>   <options>
home                /dev/hda3         none         luks

reboot, and the encrypted home is done.

password at gnome login

do not make any modifications to /etc/fstab or /etc/crypttab

add the encrypted partition to /etc/pmount.allow (ie. /dev/hda3).

when gnome loads, it will recognise the encrypted partition and ask you for the password.

this will give you the convenience of entering the password at the end of the boot process rather than in the middle. however, a pmount (?) bug means that your encrypted drive will always be called 'usbdisk' whether it is a usbdisk or not. if you are willing to live with this minor bug, then so be it.

note also that this method may not be compatible with the encrypted swap method described below. if you want an encrypted swap partition, you may need to use the password during kernel load technique.

Ubuntu 5.10

because 'crypttab' in Ubuntu 5.10 doesn't support LUKS encrypted partitions, automatic mounting of home with Ubuntu 5.10 is a bit more difficult.

create a file named 'cryptinit' in /etc/init.d/ with the following content:

# if this script is executed when home is opened, tries to close it;
# otherwise, tries to open it, for three times, then continue without
# opening it
if [ -b /dev/mapper/home ]; then
    /sbin/cryptsetup luksClose home
else
    i=3
    while [ $i -gt 0 ]; do
        let "i -= 1"
        /sbin/cryptsetup luksOpen /dev/hda3 home && i=0
    done
fi

make 'cryptinit' executable

sudo chmod 755 /etc/init.d/cryptinit

then, create a symlink to 'cryptinit' in /etc/rcS.d

# cd /etc/rcS.d
# sudo ln -s ../init.d/cryptinit S28cryptinit

insert in /etc/fstab :

# <file system>    <mount point>   <type>   <options>   <dump>   <pass>
/dev/mapper/home   /home           ext3     defaults    1        2

reboot, and the encrypted home is done.

manual mounting and unmounting

if you have encrypted other partitions than home and you don't want to unlock those partitions on boot, then you need to manually mount and unmount them.

mounting

set up the device mapper:

# cryptsetup luksOpen /dev/hda4 data

mounting:

# mount /dev/mapper/data /media/data

unmounting

umounting:

# umount /media/data

delete the device mapper:

# cryptsetup luksClose data

encrypted swap

before setting the encrypted swap, the file /etc/fstab should have a swap entry like this:

# <file system>   <mount point>   <type>   <options>   <dump>  <pass>
/dev/hda2         none            swap     sw          0       0

now just replace in /etc/fstab /dev/hda2 with the new device name /dev/mapper/cswap:

# <file system>     <mount point>   <type>   <options>   <dump>  <pass>
/dev/mapper/cswap   none            swap     sw          0       0

after that, add an entry in /etc/crypttab:

# <target device>   <source device>   <key file>    <options>
cswap               /dev/hda2         /dev/random   swap

reboot, and that's it! the encrypted swap device is done; confirm it worked:

# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       3148700 0       -1

# sudo cryptsetup status cswap
/dev/mapper/cswap is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/.static/dev/hda2
  offset:  0 sectors
  size:    6297417 sectors
  mode:    read/write

read the crypttab(5) manpage for more information

tools

references


CategoryCleanup CategoryDocumentation

EncryptedFilesystemHowto3 (last edited 2008-08-06 16:19:41 by localhost)