EncryptedFilesystemHowto3

Differences between revisions 13 and 15 (spanning 2 versions)
Revision 13 as of 2006-06-17 01:31:32
Size: 10245
Editor: 110
Comment: Added a method for decryption password at the gnome login
Revision 15 as of 2008-08-06 16:19:41
Size: 69
Editor: localhost
Comment: converted to 1.6 markup
= Encrypted Swap and Home with LUKS (on Ubuntu 6.06 and 5.10) =

by Stefano Spinucci virgo977virgo at <googlemail> dot com



== introduction ==

=== notes ===

'''NOTE#1''' in this tutorial we assume that:
 * old (unencrypted) and the new (encrypted) swap is in the partition '/dev/hda2'
 * new home (encrypted) is in the partition '/dev/hda3'


replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an
empty partition that will become your new encrypted home partition.


'''NOTE#2''' DM-Crypt works by transparently translating (in the kernel)
between a physical on-disk partition (which is encrypted) and a logical
partition which you can then mount and use as normal; so, for example,
to operate on your home partition you must use /dev/mapper/home
instead of /dev/hda3.



=== warnings ===

encrypting a partition is a destructive operation, so your new home
partition (/dev/hda3) must be empty, because all data on it will be erased.

unencrypted data in the old home directory won't be deleted and will remain
accessible, for example with a live CD; so you shouldn't put any
sensitive data in home before encrypting.

if you already have sensitive data in the old unencrypted home that must
be deleted securely, you should {{{shred}}} the old home directory.

if the partition containing the old home directory is formatted with a
journaling file system (JFS, ReiserFS, XFS, Ext3, etc.), shredding single
files is not enough: you must boot from a live CD and {{{shred}}} the entire
partition containing the old home directory.

if the shredded partition is the one containing the OS, reinstall
Ubuntu, and finally mount the previously created encrypted home.

references for secure deletion:

 * [http://man.linuxquestions.org/index.php?query=shred&type=2&section=1 shred man page]
 * [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html Secure Deletion of Data - by Peter Gutmann]



=== strong passwords ===

remember that ''a chain is only as strong as its weakest link'', and in
the encryption chain the password is always the weakest link.

so choose a strong password, or your data won't be any more secure than
without encryption.

references for strong passwords:

 * [https://wiki.ubuntu.com/StrongPasswords Strong Passwords (Ubuntu wiki)]
 * [http://diceware.com The Diceware Passphrase Home Page]
 * [http://en.wikipedia.org/wiki/Password_strength Password strength (Wikipedia)]
 * [http://en.wikipedia.org/wiki/Password_cracking Password cracking (Wikipedia)]
 * [http://en.wikipedia.org/wiki/Key_size Key size (Wikipedia)]



== install cryptsetup ==

enable the 'community maintained' (universe) repository from the Synaptic
package manager or by editing the file /etc/apt/sources.list (the apt
sources list).

install cryptsetup:
{{{
# apt-get install cryptsetup
}}}



== encrypted home ==

unmount /dev/hda3 (if it is mounted):
{{{
sudo umount /dev/hda3
}}}

check the partition for errors (and wait several minutes...):
{{{
# sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3
}}}

fill the partition with random data (and wait many more minutes...);
/dev/urandom isn't as random as /dev/random, but it is the best
practical solution available:
{{{
# sudo dd if=/dev/urandom of=/dev/hda3
}}}

create a LUKS partition:
{{{
# sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3
}}}

'''NOTE''': if you get errors saying that the kernel cannot use dm-crypt, run {{{modprobe dm-crypt}}} and retry creating the LUKS partition; if that helps, you may also want to add the module {{{dm-crypt}}} to the file {{{/etc/modules}}} so that it is loaded at every boot.

set up the device mapper:
{{{
# sudo cryptsetup luksOpen /dev/hda3 home
}}}

confirm it worked:
{{{
# sudo cryptsetup status home
/dev/mapper/home is active:
  cipher: aes-cbc-essiv:sha256
  keysize: 256 bits
  device: /dev/.static/dev/hda3
  offset: 2056 sectors
  size: 20962706 sectors
  mode: read/write
}}}

create the filesystem (e.g. ext3):
{{{
# sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home
}}}

mount it temporarily, to copy the data from the old home:
{{{
# sudo mount -t ext3 /dev/mapper/home /mnt
}}}

copy data from old home:
{{{
# sudo cp -axv /home/* /mnt/
}}}

unmount the temporary mount:
{{{
sudo umount /mnt
}}}



=== permanent mounting ===

there are two techniques for permanently mounting the encrypted partition. the first asks for the password during the loading of the kernel. the second (which many prefer) asks for the password right at the end of the boot process, at the gnome login.

=== password during kernel load ===

==== Ubuntu 6.06 ====

insert in /etc/fstab :
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
}}}

after that, add an entry in /etc/crypttab:
{{{
# <target device> <source device> <key file> <options>
home /dev/hda3 none luks
}}}

reboot, and the encrypted home is done.

=== password at gnome login ===

do not make any modifications to /etc/fstab or /etc/crypttab

add the encrypted partition (i.e. /dev/hda3) to /etc/pmount.allow.

when gnome loads, it will recognise the encrypted partition and ask you for the password.

this gives you the convenience of entering the password at the end of the boot process rather than in the middle. however, a pmount (?) bug means that your encrypted drive will always be called 'usbdisk', whether it is a USB disk or not. if you are willing to live with this minor bug, then so be it.

note also that this method may not be compatible with the encrypted swap method described below. if you want an encrypted swap partition, you may need to use the 'password during kernel load' technique.


=== Ubuntu 5.10 ===

because 'crypttab' in Ubuntu 5.10 doesn't support LUKS encrypted
partitions, automatic mounting of home with Ubuntu 5.10 is a bit more
difficult.

create a file named 'cryptinit' in /etc/init.d/ with the following content:
{{{
#! /bin/sh
# if home is already open (the mapping exists) this script closes it;
# otherwise it tries to open it up to three times, then continues
# without it so that the boot does not hang
if [ -b /dev/mapper/home ]; then
    /sbin/cryptsetup luksClose home
else
    i=3
    while [ "$i" -gt 0 ]; do
        i=$((i - 1))    # POSIX arithmetic; 'let' is a bash extension
        /sbin/cryptsetup luksOpen /dev/hda3 home && i=0
    done
fi
}}}

make 'cryptinit' executable:
{{{
sudo chmod 755 /etc/init.d/cryptinit
}}}

then, create a symlink to 'cryptinit' in /etc/rcS.d:
{{{
# cd /etc/rcS.d
# sudo ln -s ../init.d/cryptinit S28cryptinit
}}}

insert in /etc/fstab :
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
}}}

reboot, and the encrypted home is done.



=== manual mounting and unmounting ===

if you have encrypted partitions other than home and you don't want to
unlock them at boot, you need to mount and unmount them manually.



==== mounting ====

set up the device mapper:
{{{
# cryptsetup luksOpen /dev/hda4 data
}}}

mounting:
{{{
# mount /dev/mapper/data /media/data
}}}



==== unmounting ====

unmounting:
{{{
# umount /media/data
}}}

delete the device mapper:
{{{
# cryptsetup luksClose data
}}}
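The two manual steps above are easy to get half-done: if {{{mount}}} fails after {{{luksOpen}}} the unlocked mapping stays active, and if {{{umount}}} fails because the directory is busy, {{{luksClose}}} cannot succeed. The wrapper below (an added example, not code from the original page) makes each pair of steps undo itself on failure; the CRYPTSETUP, MOUNT and UMOUNT variables are an assumption added so the logic can be exercised without real devices.

```shell
# Added wrapper around the manual luksOpen/mount and umount/luksClose steps.
# The commands come from variables (an assumption made for testability);
# by default they are the real programs.
CRYPTSETUP=${CRYPTSETUP:-/sbin/cryptsetup}
MOUNT=${MOUNT:-/bin/mount}
UMOUNT=${UMOUNT:-/bin/umount}

# crypt_mount NAME DEVICE MOUNTPOINT: open the LUKS device as
# /dev/mapper/NAME and mount it; if the mount fails, close the mapping
# again so the unlocked volume is not left accessible.
crypt_mount() {
    name=$1; dev=$2; mnt=$3
    "$CRYPTSETUP" luksOpen "$dev" "$name" || { echo "luksOpen $dev failed" >&2; return 1; }
    if ! "$MOUNT" "/dev/mapper/$name" "$mnt"; then
        echo "mount of /dev/mapper/$name failed, closing it again" >&2
        "$CRYPTSETUP" luksClose "$name"
        return 1
    fi
}

# crypt_umount NAME MOUNTPOINT: the reverse; if umount fails (for example
# because the mount point is busy) the mapping is left open, because
# luksClose would fail anyway and the caller must know the data is still
# reachable.
crypt_umount() {
    name=$1; mnt=$2
    "$UMOUNT" "$mnt" || { echo "umount $mnt failed, leaving $name open" >&2; return 1; }
    "$CRYPTSETUP" luksClose "$name"
}

# Usage with the devices from this section (needs root and real devices):
#   crypt_mount data /dev/hda4 /media/data
#   crypt_umount data /media/data
```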



== encrypted swap ==

before setting the encrypted swap, the file /etc/fstab should have a swap
entry like this:
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda2 none swap sw 0 0
}}}

now replace /dev/hda2 in /etc/fstab with the new device name
/dev/mapper/cswap:
{{{
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cswap none swap sw 0 0
}}}

after that, add an entry in /etc/crypttab:
{{{
# <target device> <source device> <key file> <options>
cswap /dev/hda2 /dev/random swap
}}}

reboot, and that's it! the encrypted swap device is done; confirm it worked:
{{{
# cat /proc/swaps
Filename                        Type            Size    Used    Priority
/dev/mapper/cswap               partition       3148700 0       -1

# sudo cryptsetup status cswap
/dev/mapper/cswap is active:
  cipher: aes-cbc-plain
  keysize: 256 bits
  device: /dev/.static/dev/hda2
  offset: 0 sectors
  size: 6297417 sectors
  mode: read/write
}}}

read the crypttab(5) manpage for more information.
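The home and swap sections above each edit /etc/fstab and /etc/crypttab by hand, and the two files must agree: every /dev/mapper name in fstab needs a crypttab entry, a randomly keyed entry is only usable as swap, and the old raw swap line must really be gone from fstab or the unencrypted device keeps being used. The checker below (an added example, not from the original page) cross-checks a constructed fstab/crypttab pair with the layout this howto ends with; the sample files are constructed here, not taken from a real system.

```shell
# check_crypt_config FSTAB CRYPTTAB: cross-check the two files this howto edits.
# Problems it reports:
#  1. /dev/mapper/NAME in fstab with no crypttab entry named NAME
#  2. a crypttab entry keyed from /dev/random or /dev/urandom (re-keyed at every
#     boot, so only usable as swap) that lacks the 'swap' option
#  3. a crypttab source device still listed raw in fstab (a leftover
#     "/dev/hda2 none swap" line would keep swapping to the unencrypted device)
# Prints each problem; returns 0 if none were found, 1 otherwise.
check_crypt_config() {
    fstab=$1; crypttab=$2; rc=0
    for name in $(awk '$1 ~ "^/dev/mapper/" { sub("^/dev/mapper/", "", $1); print $1 }' "$fstab"); do
        if ! awk -v n="$name" '$1 == n { f = 1 } END { exit f ? 0 : 1 }' "$crypttab"; then
            echo "fstab uses /dev/mapper/$name but crypttab has no entry '$name'"; rc=1
        fi
    done
    while read -r name src key opts; do          # crypttab: name source keyfile options
        case $name in ''|"#"*) continue ;; esac  # skip blank and comment lines
        case $key in /dev/random|/dev/urandom)
            case ",$opts," in *,swap,*) ;;
                *) echo "crypttab entry '$name' has a random key but no 'swap' option"; rc=1 ;;
            esac ;;
        esac
        if awk -v d="$src" '$1 == d { f = 1 } END { exit f ? 0 : 1 }' "$fstab"; then
            echo "fstab still lists raw device $src, which crypttab maps as '$name'"; rc=1
        fi
    done < "$crypttab"
    return $rc
}

# write_sample DIR VARIANT: constructed fstab/crypttab pair matching the layout
# reached in this howto; VARIANT=stale leaves the old unencrypted swap line in.
write_sample() {
    dir=$1; variant=$2
    {   echo '# <file system> <mount point> <type> <options> <dump> <pass>'
        echo '/dev/hda1 / ext3 defaults,errors=remount-ro 0 1'
        echo '/dev/mapper/home /home ext3 defaults 1 2'
        echo '/dev/mapper/cswap none swap sw 0 0'
        if [ "$variant" = stale ]; then echo '/dev/hda2 none swap sw 0 0'; fi
    } > "$dir/fstab"
    {   echo '# <target device> <source device> <key file> <options>'
        echo 'home /dev/hda3 none luks'
        echo 'cswap /dev/hda2 /dev/random swap'
    } > "$dir/crypttab"
}

# Stand-alone run: the correct layout stays silent, the stale variant is reported.
sample=$(mktemp -d)
write_sample "$sample" good  && check_crypt_config "$sample/fstab" "$sample/crypttab"
write_sample "$sample" stale && check_crypt_config "$sample/fstab" "$sample/crypttab" || true
rm -rf "$sample"
```

To check a real machine, run {{{check_crypt_config /etc/fstab /etc/crypttab}}} after editing the two files and before rebooting.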



== tools ==

 * [http://sourceforge.net/projects/cryptmount/ cryptmount]



== references ==

 * [http://luks.endorphin.org/dm-crypt LUKS on dm-crypt]
 * [http://www.saout.de/misc/dm-crypt/ dm-crypt]
 * [http://www.saout.de/tikiwiki/tiki-index.php dm-crypt wiki]
 * [http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt dm-crypt mailing list]
 * [http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS Encrypted Device Using LUKS]
 * {{{/usr/share/doc/cryptsetup/CryptoSwap.HowTo}}} How to configure an encrypted swap partition on Debian systems
 * [https://wiki.ubuntu.com/EncryptedFilesystemHowto Encrypted filesystem howto (Ubuntu)]
 * [https://wiki.ubuntu.com/EncryptedFilesystemHowto2 Encrypted filesystem howto 2 (Ubuntu)]
 * [http://deb.riseup.net/storage/encryption/dmcrypt/ dmcrypt (Debian)]
 * [http://www.raoul.shacknet.nu/2005/11/10/encrypt-devices-using-dm-crypt-and-luks/ Encrypt devices using dm-crypt and LUKS (Fedora Core)]
 * [http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS SECURITY System Encryption DM-Crypt with LUKS (Gentoo)]
 * [http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS SECURITY Encrypting Root Filesystem with DM-Crypt with LUKS (Gentoo)]
 * [http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt SECURITY Encrypting Root Filesystem with DM-Crypt (Gentoo)]
  
----
CategoryCleanup CategoryDocumentation
#REFRESH 0 http://help.ubuntu.com/community/EncryptedFilesystemHowto3

EncryptedFilesystemHowto3 (last edited 2008-08-06 16:19:41 by localhost)