EncryptedFilesystemHowto3
Differences between revisions 4 and 15 (spanning 11 versions)
Revision 15 as of 2008-08-06 16:19:41
Revision comments: "add cat doc"; "converted to 1.6 markup"
= Encrypted Swap and Home with LUKS (on Ubuntu 6.06 and 5.10) =

by Stefano Spinucci virgo977virgo at <googlemail> dot com

== introduction ==

'''WARNING''': encrypting a partition is a destructive operation; therefore the partitions to be encrypted must be empty, because all data on them will be erased.

'''NOTE#1''': DM-Crypt works by transparently translating (in the kernel) between a physical on-disk partition (which is encrypted) and a logical partition which you can then mount and use as normal. The important thing to remember is that whenever you operate on your partition, you must do so through /dev/mapper/home instead of /dev/hda3.

'''NOTE#2''': in this tutorial the encrypted swap will be on '/dev/hda2' and the encrypted home on '/dev/hda3'; replace '/dev/hda2' with your swap partition and '/dev/hda3' with your home partition.

== install cryptsetup ==

enable the 'community maintained' (universe) repository from the Synaptic package manager or by editing the file /etc/apt/sources.list (apt sources list).

install cryptsetup:
{{{
# apt-get install cryptsetup
}}}

== encrypted swap ==

before setting up the encrypted swap, the file /etc/fstab should have a swap entry like this:
{{{
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
/dev/hda2       none            swap    sw              0       0
}}}

now just replace /dev/hda2 in /etc/fstab with the new device name /dev/mapper/cswap:
{{{
# <file system>   <mount point> <type>  <options>       <dump>  <pass>
/dev/mapper/cswap none          swap    sw              0       0
}}}

after that, add an entry in /etc/crypttab:
{{{
# <target device> <source device> <key file>  <options>
cswap             /dev/hda2       /dev/random swap
}}}

reboot, and that's it!
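A consistency check for the /etc/fstab and /etc/crypttab edits above, added here as an example (it is not part of the original howto): it parses both files with awk and flags the mistake NOTE#1 warns about (an fstab line that mounts the raw /dev/hda2 or /dev/hda3 instead of /dev/mapper/<target>), a swap target whose key file is not a random device, a /dev/mapper device that has no crypttab entry, and a swap/luks disagreement between the two files. It covers the LUKS home entries of the following sections as well, so it is worth running once before the reboot. The function names check_crypt_config and write_sample_config are my own, and the sample file contents are constructed from the entries on this page plus a deliberately broken pair.

```shell
#!/bin/sh
# check_crypt_config CRYPTTAB FSTAB
#   Cross-checks the two files; prints one line per finding and returns 0
#   when nothing is wrong, 1 otherwise. (Added example, not from the howto.)
check_crypt_config() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }               # blank lines and comments, both files
        # pass 1 (crypttab): remember source device, key file and options per target
        FILENAME == ARGV[1] {
            tgt = $1; src[tgt] = $2; key[tgt] = $3; opt[tgt] = $4
            is_swap = (opt[tgt] ~ /(^|,)swap(,|$)/)
            is_luks = (opt[tgt] ~ /(^|,)luks(,|$)/)
            # a swap device re-keyed at every boot must draw its key from a random source
            if (is_swap && key[tgt] != "/dev/random" && key[tgt] != "/dev/urandom") {
                printf "WARN: %s: swap key %s is not a random source\n", tgt, key[tgt]; bad = 1
            }
            if (!is_swap && !is_luks) {
                printf "WARN: %s: options %s name neither luks nor swap\n", tgt, opt[tgt]; bad = 1
            }
            next
        }
        # pass 2 (fstab): every encrypted device must be mounted via /dev/mapper/<target>
        {
            dev = $1; mnt = $2; type = $3
            for (t in src) if (dev == src[t]) {
                printf "ERROR: %s mounts raw device %s; use /dev/mapper/%s instead\n", mnt, dev, t; bad = 1
            }
            if (dev ~ /^\/dev\/mapper\//) {
                t = dev; sub(/^\/dev\/mapper\//, "", t)
                if (!(t in src)) {
                    printf "ERROR: %s is not defined in crypttab\n", dev; bad = 1
                } else if ((type == "swap") != (opt[t] ~ /(^|,)swap(,|$)/)) {
                    printf "WARN: %s: fstab type %s disagrees with crypttab options %s\n", dev, type, opt[t]; bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1" "$2"
}

# write_sample_config DIR good|bad
#   Constructed sample files: "good" mirrors the entries on this page,
#   "bad" contains the mistakes the check is meant to catch.
write_sample_config() {
    case $2 in
    good)
        printf '%s\n' '# <target> <source> <key file> <options>' \
            'cswap /dev/hda2 /dev/random swap' \
            'home  /dev/hda3 none        luks' > "$1/crypttab"
        printf '%s\n' '# <file system> <mount point> <type> <options> <dump> <pass>' \
            '/dev/mapper/cswap none  swap sw       0 0' \
            '/dev/mapper/home  /home ext3 defaults 1 2' > "$1/fstab" ;;
    bad)
        printf '%s\n' 'cswap /dev/hda2 /etc/swapkey swap' \
            'home  /dev/hda3 none luks' > "$1/crypttab"
        printf '%s\n' '/dev/hda3        /home       ext3 defaults 1 2' \
            '/dev/mapper/data /media/data ext3 defaults 0 2' > "$1/fstab" ;;
    esac
}

# demo on the constructed samples; on a real system run:
#   check_crypt_config /etc/crypttab /etc/fstab
demo_dir=$(mktemp -d)
for kind in good bad; do
    write_sample_config "$demo_dir" "$kind"
    echo "== $kind configuration =="
    if check_crypt_config "$demo_dir/crypttab" "$demo_dir/fstab"; then
        echo "no problems found"
    else
        echo "problems found; fix them before rebooting"
    fi
done
rm -rf "$demo_dir"
```

The raw-device check is the important one: an fstab line that still names /dev/hda3 after luksFormat would try to mount ciphertext, and with `<pass>` set to 2 fsck would be run against it at boot.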
the encrypted swap device is done; confirm it worked:
{{{
# cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       3148700 0       -1
# sudo cryptsetup status cswap
/dev/mapper/cswap is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/.static/dev/hda2
  offset:  0 sectors
  size:    6297417 sectors
  mode:    read/write
}}}

read the crypttab(5) manpage for more information.

== encrypted home ==

unmount /dev/hda3 (if mounted):
{{{
sudo umount /dev/hda3
}}}

check the partition for errors (and wait several minutes...):
{{{
# sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3
}}}

fill the disk with random data (and wait many more minutes...); /dev/urandom won't be as random as /dev/random, but it is the best practical solution available:
{{{
# sudo dd if=/dev/urandom of=/dev/hda3
}}}

create a LUKS partition:
{{{
# sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3
}}}

set up the device mapper:
{{{
# sudo cryptsetup luksOpen /dev/hda3 home
}}}

confirm it worked:
{{{
# sudo cryptsetup status home
/dev/mapper/home is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/.static/dev/hda3
  offset:  2056 sectors
  size:    20962706 sectors
  mode:    read/write
}}}

create the filesystem (e.g. ext3):
{{{
# sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home
}}}

mount it temporarily, to copy the data from the old home:
{{{
# sudo mount -t ext3 /dev/mapper/home /mnt
}}}

copy the data from the old home:
{{{
# sudo cp -axv /home/* /mnt/
}}}

unmount the temporary mount:
{{{
sudo umount /mnt
}}}

=== permanent mounting ===

==== Ubuntu 6.06 ====

insert in /etc/fstab:
{{{
# <file system>  <mount point>  <type>  <options>       <dump>  <pass>
/dev/mapper/home /home          ext3    defaults        1       2
}}}

after that, add an entry in /etc/crypttab:
{{{
# <target device> <source device> <key file> <options>
home              /dev/hda3       none       luks
}}}

reboot, and the encrypted home is done.
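The "confirm it worked" steps above compare `cryptsetup status` output by eye. The following added example (not part of the original howto) does the same comparison in a script, so the check can be re-run after a reboot or from a monitoring job: it reads the status output on stdin and verifies that the mapping is active and that the cipher and key size match what luksFormat was asked for. The function names verify_mapping, sample_status_home and sample_status_inactive are my own; the sample output is copied from this page, and the "is inactive." line is constructed to stand in for a mapping that has not been opened.

```shell
#!/bin/sh
# verify_mapping NAME CIPHER BITS   (reads "cryptsetup status NAME" output on stdin)
#   Returns 0 when NAME is an active mapping using CIPHER with a BITS-bit key.
#   (Added example, not from the howto.)
verify_mapping() {
    awk -v name="$1" -v want_cipher="$2" -v want_bits="$3" '
        $1 == ("/dev/mapper/" name) && $3 == "active:" { active = 1 }
        $1 == "cipher:"  { cipher = $2 }
        $1 == "keysize:" { bits = $2 }
        $1 == "offset:"  { offset = $2 }
        END {
            if (!active) { printf "FAIL: %s is not an active mapping\n", name; exit 1 }
            ok = 1
            if (cipher != want_cipher) {
                printf "FAIL: %s uses cipher %s, expected %s\n", name, cipher, want_cipher; ok = 0
            }
            if (bits + 0 != want_bits + 0) {
                printf "FAIL: %s key is %s bits, expected %s\n", name, bits, want_bits; ok = 0
            }
            # a LUKS mapping starts past the on-disk header, so its data offset is
            # non-zero; the plain dm-crypt swap mapping shown earlier starts at 0
            if (ok) printf "OK: %s: %s, %s-bit key, data offset %s sectors\n", name, cipher, bits, offset
            exit !ok
        }'
}

# constructed sample: the "cryptsetup status home" output shown on this page
sample_status_home() {
    cat <<'EOF'
/dev/mapper/home is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/.static/dev/hda3
  offset:  2056 sectors
  size:    20962706 sectors
  mode:    read/write
EOF
}

# constructed sample: a mapping that has not been opened yet
sample_status_inactive() {
    printf '/dev/mapper/home is inactive.\n'
}

# on a real system:  sudo cryptsetup status home | verify_mapping home aes-cbc-essiv:sha256 256
sample_status_home     | verify_mapping home aes-cbc-essiv:sha256 256
sample_status_home     | verify_mapping home aes-cbc-plain 256        || echo "(expected failure above)"
sample_status_inactive | verify_mapping home aes-cbc-essiv:sha256 256 || echo "(expected failure above)"
```

Passing the expected cipher explicitly is the point: it catches a mapping that came up with the default cipher (as the swap mapping above did, with aes-cbc-plain) when you intended the essiv variant requested at luksFormat time.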
==== Ubuntu 5.10 ====

because 'crypttab' in Ubuntu 5.10 doesn't support LUKS encrypted partitions, automatic mounting of home with Ubuntu 5.10 is a bit more difficult.

create a file named 'cryptinit' in /etc/init.d/ with the following content:
{{{
#! /bin/sh
# if this script is executed when home is already open, it tries to close it;
# otherwise, it tries to open it up to three times, then continues without
# opening it
if [ -b /dev/mapper/home ]; then
    /sbin/cryptsetup luksClose home
else
    i=3
    while [ $i -gt 0 ]; do
        # POSIX arithmetic: 'let' is a bash builtin and is not available
        # when /bin/sh is dash
        i=$((i - 1))
        /sbin/cryptsetup luksOpen /dev/hda3 home && i=0
    done
fi
}}}

make 'cryptinit' executable:
{{{
sudo chmod 755 /etc/init.d/cryptinit
}}}

then, create a symlink to 'cryptinit' in /etc/rcS.d:
{{{
# cd /etc/rcS.d
# sudo ln -s ../init.d/cryptinit S28cryptinit
}}}

insert in /etc/fstab:
{{{
# <file system>  <mount point>  <type>  <options>       <dump>  <pass>
/dev/mapper/home /home          ext3    defaults        1       2
}}}

reboot, and the encrypted home is done.

=== manual mounting and unmounting ===

if you have encrypted partitions other than home and you don't want to unlock them at boot, you need to mount and unmount them manually.
==== mounting ====

set up the device mapper:
{{{
# cryptsetup luksOpen /dev/hda4 data
}}}

mount it:
{{{
# mount /dev/mapper/data /media/data
}}}

==== unmounting ====

unmount it:
{{{
# umount /media/data
}}}

remove the device mapper:
{{{
# cryptsetup luksClose data
}}}

== tools ==

 * [http://sourceforge.net/projects/cryptmount/ cryptmount]

== references ==

 * [http://luks.endorphin.org/dm-crypt LUKS on dm-crypt]
 * [http://www.saout.de/misc/dm-crypt/ dm-crypt]
 * [http://www.saout.de/tikiwiki/tiki-index.php dm-crypt wiki]
 * [http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt dm-crypt mailing list]
 * [http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS Encrypted Device Using LUKS]
 * {{{/usr/share/doc/cryptsetup/CryptoSwap.HowTo}}} How to configure an encrypted swap partition on Debian systems
 * [https://wiki.ubuntu.com/EncryptedFilesystemHowto Encrypted filesystem howto (Ubuntu)]
 * [https://wiki.ubuntu.com/EncryptedFilesystemHowto2 Encrypted filesystem howto 2 (Ubuntu)]
 * [http://deb.riseup.net/storage/encryption/dmcrypt/ dmcrypt (Debian)]
 * [http://www.raoul.shacknet.nu/2005/11/10/encrypt-devices-using-dm-crypt-and-luks/ Encrypt devices using dm-crypt and LUKS (Fedora Core)]
 * [http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS SECURITY System Encryption DM-Crypt with LUKS (Gentoo)]
 * [http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS SECURITY Encrypting Root Filesystem with DM-Crypt with LUKS (Gentoo)]
 * [http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt SECURITY Encrypting Root Filesystem with DM-Crypt (Gentoo)]

----
CategoryCleanup CategoryDocumentation
#REFRESH 0 http://help.ubuntu.com/community/EncryptedFilesystemHowto3
EncryptedFilesystemHowto3 (last edited 2008-08-06 16:19:41 by localhost)