(i) Please refer to EncryptedFilesystems for further documentation.

Please, be careful when using this guide on newer versions of Ubuntu (7.04 and onwards), as all info might not be the same on these versions.

by Mikhail Lukyanchenko <ml@akabos.com>

Info: another, more detailed and explanatory guide is here: https://help.ubuntu.com/community/EncryptedFilesystemHowto

Introduction

This is the way I got Ubuntu 6.06 (Dapper Drake) with fully encrypted file system: root (/) and swap. Since Ubuntu installer does not support yet this option, this process concerns, first, installing Ubuntu on a temporary partition and then, inside that installation, preparing all the encrypted partitions for the OS. The old root which I used in the beginning is turned into a swap partition.

Please, be warned, that this HOWTO can not be used on later versions of Ubuntu without modifications. For more info, have a look at cryptsetup package documentation (/usr/share/doc/cryptsetup/CryptoRoot.HowTo) and at the discussion thread at ubuntuforums.org.

Notes

In this tutorial we assume that:

  • old (unencrypted) and the new (encrypted) swap is in the partition '/dev/hda2'
  • new home (encrypted) is in the partition '/dev/hda3'

replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.

Warnings

Encrypting a partition is a destructive operation; then, your new root partition (/dev/hda3) must be empty, because all data on it will be erased.

Also be warned, that this HOWTO is at beta state. I would not recommend to use it on production system. But it would be greatly appreciated if you test it and send me some feedback.

Ubuntu installation

Note that you should install a server profile at this step even if you need a desktop profile at the end. The switch between the two profiles will be realized later on.

Install Ubuntu with the following initial partitioning scheme:

/dev/hda1   /boot  100 MB   ext3
/dev/hda2   /      512 MB   ext3

Note that 512 MB is really the smallest size you can set for a server type installation. A complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, create one more space to hold your future encrypted root, so as the following:

/dev/hda3   future   /        10GB

Set this partition in the installer option for filesystem as "do not use the partition". Just ignore the alert about not having a swap partition and keep walking.

Cryptography software installation

Enable the Universe repository. See here

After adding the universe repository, don't forget to update so the packages below will be available:

Use any method to install the following packages:

cryptsetup hashalot initramfs-tools

Setting up mkinitramfs

Edit /etc/kernel-img.conf. Add the following line:

ramdisk = /usr/sbin/mkinitramfs

Edit /etc/mkinitramfs/modules (note, this and other files move to /etc/initramfs-tools in Edgy). Add folowing lines:

dm_mod
dm_crypt
sha256
aes_i586

Create file /etc/mkinitramfs/hooks/cryptoroot:

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

if [ ! -x /sbin/cryptsetup ]; then
        exit 0
fi

. /usr/share/initramfs-tools/hook-functions

mkdir ${DESTDIR}/etc/console
cp /etc/console/boottime.kmap.gz ${DESTDIR}/etc/console
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin

If you use Ubuntu 6.10, you have to add the following line to the above script (at the end):

copy_exec /sbin/vol_id /sbin

Create file /etc/mkinitramfs/scripts/local-top/cryptoroot:

PREREQ="udev"

prereqs()
{
        echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
        prereqs
        exit 0
        ;;
esac

/bin/loadkeys /etc/console/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256
if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi
/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot
if grep -q splash /proc/cmdline; then
       /sbin/usplash -c &
       sleep 1
fi

If you use Ubuntu 6.10, add the following line directly below "/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot":

ln -s ../../mapper/cryptoroot /dev/disk/by-uuid/`vol_id -u /dev/mapper/cryptoroot`

Also, if you use Ubuntu 6.10, replace the following line:

/bin/loadkeys /etc/console/boottime.kmap.gz

with the following line:

/bin/loadkeys /etc/console-setup/boottime.kmap.gz

Make created files executable:

$ sudo chmod +x /etc/mkinitramfs/hooks/cryptoroot
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptoroot

Update initrd image:

$ sudo update-initramfs -u ALL

Creating the encrypted system

Now it is time to create the cryptography devices.

$ sudo modprobe dm_crypt
$ sudo modprobe sha256
$ sudo modprobe aes_i586
$ sudo luksformat -t ext3 /dev/hda3

The following dialog should look like this:

Creating encrypted device on /dev/hda3...

WARNING!
========
This will owerwrite data on /dev/hda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Please enter your passphrase again to verify it
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mke2fs 1.38 (30-Jun-2005)
.....

Your encrypted partition is now created and formated. It's time to populate it:

$ sudo cryptsetup luksOpen /dev/hda3 cryptoroot
$ sudo mkdir /mnt/target
$ sudo mount /dev/mapper/cryptoroot /mnt/target
$ sudo cp -avx / /mnt/target
$ sudo chown -R $(whoami):$(whoami) /mnt/target/home/$(whoami)

The copy process should take about two minutes for a server profile (depends on your hardware).

Then you need to correct /mnt/target/etc/fstab.

Find

/dev/hda2                      /               ext3    defaults,errors=remount-ro 0       1

Replace with

/dev/mapper/cryptoroot        /               ext3    defaults,errors=remount-ro 0       1

If you use Ubuntu 6.10, your fstab won't use /dev/* anymore, but instead UUIDs. Therefore, you need to find out the UUID by using the following command:

$ sudo vol_id -u /dev/mapper/cryptoroot

Instead of the "/dev/mapper/cryptoroot", you enter the UUID - hence the line in your /mnt/target/etc/fstab will look similar to this one:

UUID=25e3f85a-3488-d58e-9372-f31a45789035 /               ext3    defaults,errors=remount-ro 0       1

Configuring Grub

Edit /boot/grub/menu.lst. Add following after the line containing ### END DEBIAN AUTOMAGIC KERNELS LIST:

title           Cryptotest
root            (hd0,0)
kernel          /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro
initrd          /initrd.img-<your kernel version here>
savedefault
boot

Again, if you use Ubuntu 6.10, you'll have to replace root=/dev/mapper/cryptoroot by your UUID - i.e. sth. similar to root=UUID=25e3f85a-3488-d58e-9372-f31a45789035 (of course, YOUR ID will be different!).

You may find your kernel version by running:

$ uname -r

Rebooting and testing configuration

As simple as it should be:

$ sudo reboot

Now, after all your BIOS mumbo-jumbo, you should look very carefully and when you see following prompt:

GRUB Loading stage 1.5.

GRUB Loading, please wait...
Press `ESC` to enter the menu

Press ESC and select last option, namely "Cryptotest"

Now you will see lots of kernel debugging info, since we didn't add quiet option to kernel options. It's ok.

At some point you will see the promt:

Enter LUKS passphrase:

Go on! Enter it. Now you have booted from crypted partition.

If something goes Very Wrong Way (tm), don't panic. Any way you still have unencrypted partition to boot from.

Cryptoswap

Let's enable swap partition.

Edit /etc/crypttab:

cryptoswap      /dev/hda2       /dev/urandom    swap

Edit /etc/fstab. Add following line:

/dev/mapper/cryptoswap  none    swap    sw      0       0

Now, you need to destroy your filesystem on /dev/hda2 (if you don't destroy it explicitely, the safety check of the following command will refuse to create your "cryptoswap" on it):

$ sudo dd if=/dev/urandom of=/dev/hda2 count=100

Finally, create the swap and activate it:

$ sudo invoke-rc.d cryptdisks restart
$ sudo swapon /dev/mapper/cryptoswap

Finishing

Edit /boot/grub/menu.lst and remove lines, you previously added after the line containing ### END DEBIAN AUTOMAGIC KERNELS LIST.

In the same file find line containing

# kopt=root=/dev/hda2 ro

Change this to

# kopt=root=/dev/mapper/cryptoroot ro

Run

$ sudo update-grub

Now you have an operational server profile with encrypted root and swap. If what you need is a desktop profile (i.e. a complete graphical environment like Gnome or KDE and lots of applications), you can install it now with the single command:

$ sudo apt-get install ubuntu-desktop

Replace ubuntu-desktop with kubuntu-desktop, or xubuntu-desktop, or edubuntu-desktop according to your needs.

That's all. Finished.

EncryptedFilesystem (last edited 2013-11-04 11:21:43 by uptimebox)