Duplicate Article
This article covers the same material as another article. More info...


Needs Updating
This article needs updating to include the latest versions of Ubuntu. More info...


Candidate for Deletion
This article may not be appropriate for this wiki, and may be deleted. More info...


Unsupported Version
This article applies to an unsupported version of Ubuntu. More info...

#title Encrypted root and swap partition with dm-crypt on Ubuntu 6.06 LTS

(i) Please refer to EncryptedFilesystems for further documentation.

Highlights of the following guide:

  • Uses RSA keys and thus is ready for smartcards (although in this howto
    • the RSA private key is still stored on disk as encrypted file)
  • Password changes are possible. With LUKS that would be possible too (but no smart card support), with cryptsetup it would not.

Encrypting valuable data is very important for many companies, and it feels a lot better if the whole filesystem is encrypted, not only some partitions (e.g. home - what if you start using some webserver, database etc.). Of course a full encryption of root and swap has significant impact on latency for reading/writing and increased cpu usage for that. But for normal desktop it is not a big deal, but if you copy hundereds of MB of data you will notice it.

This howto is very long, because you need to do many steps yourself that are normaly done by the automatic installer.

How to install Ubuntu encrypted

Boot from desktop CD

  • Download this text to the ubuntu system, so you can cut and paste. Open in vi (not less, with less you get cut&paste problems on long lines).

Start an xterm and get a root shell

  • sudo bash

Load dm-crypt

  • modprobe dm-crypt

Partition the system

  • cfdisk /dev/sda # or /dev/hda Create three partitions:

    • first partition: linux, 100mb, bootable (/boot)
    • second parition: linux, what you prefer (2GB?) (swap)
    • third partition: root, rest of the disk (or leave space - however you prefer)
    Do not set the second partition to swap, as ubuntu will automatically enable it and thus cause problems. In this document we will assume:
    • /dev/sda1 /boot partition
    • /dev/sda2 swap partition
    • /dev/sda3 root partition

Create crypto keys in /tmp (tmpfs, never written anywhere)

  • cd /tmp 
    openssl genrsa -aes256 -out privkey.pem 2048 
    dd if=/dev/urandom of=swapkey bs=32 count=1 
    dd if=/dev/urandom of=rootkey bs=32 count=1 
    openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt 
    openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt 
    rm swapkey rootkey 
    SWAPKEY=`openssl rsautl -in swapkey.enc -decrypt -inkey privkey.pem \ 
                          | hexdump -e '"" 32/1 "%02x" "\n"'` 
    ROOTKEY=`openssl rsautl -in rootkey.enc -decrypt -inkey privkey.pem \ 
                          | hexdump -e '"" 32/1 "%02x" "\n"'` 
    echo 0 `blockdev --getsize /dev/sda2` crypt aes-cbc-essiv:sha256 \ 
                  $SWAPKEY 0 /dev/sda2 0 |dmsetup create swap 
    echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \ 
                  $ROOTKEY 0 /dev/sda3 0 |dmsetup create root 

Create filesystems

  • mkfs.ext3 /dev/sda1             # /boot 
    mkswap /dev/mapper/swap         # swap 
    mkfs.ext3 /dev/mapper/root      # root 

Mount filesystems

  • mount /dev/mapper/root /mnt 
    mkdir /mnt/boot 
    mount /dev/sda1 /mnt/boot

Download ar and debootstrap

  • cd /tmp 
    mkdir download 
    cd download 
    wget http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1cvs20060117-1ubuntu2.1_i386.deb 
    wget http://de.archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_0.3.3.0ubuntu2_all.deb 
    dpkg -x binutils*deb x 
    dpkg -x debootstrap*deb x 

Install dapper on the crypto root

  • export LD_LIBRARY_PATH=/tmp/download/x/usr/lib 
    export PATH=/tmp/download/x/usr/bin:$PATH 
    export DEBOOTSTRAP_DIR=/tmp/download/x/usr/lib/debootstrap 
    /tmp/download/x/usr/sbin/debootstrap dapper /mnt http://de.archive.ubuntu.com/ubuntu/ 

Create an fstab in the chroot

  • chroot /mnt 
    vi /etc/fstab 
    /dev/sda1               /boot           ext3    defaults  0  0
    /dev/mapper/root        /               ext3    defaults  0  0
    /dev/mapper/swap        swap            swap    defaults  0  0
    none                    /proc           proc    defaults  0  0
    none                    /proc/bus/usb   usbfs   defaults  0  0
    none                    /sys            sysfs   defaults  0  0
    none                    /dev/shm        tmpfs   defaults  0  0 
    none                    /dev/pts        devpts  defaults  0  0

Create an apt config file in the chroot

  • chroot /mnt 
    vi /etc/apt/sources.list 
    deb http://de.archive.ubuntu.com/ubuntu/ dapper main restricted 
    deb http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
    deb http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted
    deb-src http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
    deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
    deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted

Update packages, install dselect and kubuntu-destkop

  • chroot /mnt 
    apt-get update 
    apt-get upgrade 
    apt-get install grub linux-image-686 dmsetup bsdmainutils wipe 
    apt-get install kubuntu-desktop

Configure initramfs-tools for crypt root and swap

  • chroot /mnt 
    cd /etc/mkinitramfs 
    echo dm-crypt >> modules 
    echo aes >> modules 
    echo sha256 >> modules 
    vi hooks/cryptroot (copy till EOF) 


  • # !/bin/sh 
    . /usr/share/initramfs-tools/hook-functions 
    mkdir -p ${DESTDIR}/boot 
    mkdir -p ${DESTDIR}/sbin 
    mkdir -p ${DESTDIR}/usr/bin 
    cp -p /boot/privkey.pem /boot/rootkey.enc /boot/swapkey.enc ${DESTDIR}/boot 
    copy_exec /sbin/blockdev /sbin 
    copy_exec /sbin/dmsetup /sbin 
    copy_exec /usr/bin/openssl /usr/bin 
    copy_exec /usr/bin/hexdump /usr/bin 
    chmod +x hooks/cryptroot 
    vi scripts/local-top/cryptroot (copy till EOF) 


  • # !/bin/sh 
    # Output pre-requisites 
            echo "$PREREQ" 
    case "$1" in 
            exit 0 
    modprobe aes 
    modprobe sha256 
    modprobe dm-crypt 
    echo "Waiting for crypted root device..." 
    while [ ${slumber} -gt 0 -a ! -e "/dev/sda3" ]; do 
            /bin/sleep 0.1 
            slumber=$(( ${slumber} - 1 )) 
    while test -z "$ROOTKEY" 
            ROOTKEY=`openssl rsautl -in /boot/rootkey.enc -decrypt
    -inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 |hexdump -e '"" 32/1
    "%02x" "\n"' ` 
    SECTORS=`blockdev --getsize /dev/sda3` 
    echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $ROOTKEY 0 /dev/sda3 0 \ 
            |dmsetup create root 
    echo "Waiting for crypted swap device..." 
    while [ ${slumber} -gt 0 -a ! -e "/dev/sda2" ]; do 
            /bin/sleep 0.1 
            slumber=$(( ${slumber} - 1 )) 
    while test -z "$SWAPKEY" 
            SWAPKEY=`openssl rsautl -in /boot/swapkey.enc -decrypt
    -inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 |hexdump -e '"" 32/1
    "%02x" "\n"' ` 
    SECTORS=`blockdev --getsize /dev/sda2` 
    echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $SWAPKEY 0 /dev/sda2 0 \ 
            |dmsetup create swap
    chmod +x scripts/local-top/cryptroot 

Put the crypto keys in place and create a new initramfs

  • mv /tmp/privkey.pem /tmp/swapkey.enc /tmp/rootkey.enc /mnt/boot/ 
    chroot /mnt 
    update-initramfs -u 

Install grub

  • chroot /mnt 
    apt-get install kubuntu-grub-splashimages 
    cd /boot/grub 
    cp /lib/grub/i386-pc/* . 
    root (hd0,0) 
    setup (hd0) 

Configure grub

  • vi /boot/grub/menu.lst
  • add "acpi=off"
  • change "root=/dev/mapper/root"
  • splash (hd0,0)/grub/splashimages/kubuntugood.xpm.gz
  • timeout 15
  • default 0
  • remove all the unwanted settings
  • remove all "savedefault" lines
  • remove splash as you want a console to enter your password

Finish installation, reboot

  • umount /mnt/boot 
    fuser -k /mnt 
    umount /mnt 
    • press ctrl-alt-del and select reboot


Change password on rsa key

  • su root 
    cd /boot 
    openssl rsa -in privkey.pem -out privkey.new.pem -aes256 
    wipe privkey.pem 
    mv privkey.new.pem privkey.pem 
    update-initramfs -u 

Replace rsa key

  • su root 
    cd /tmp 
    openssl rsautl -in /boot/rootkey.enc -inkey /boot/privkey.pem \ 
            -decrypt -out rootkey 
    openssl rsautl -in /boot/swapkey.enc -inkey /boot/privkey.pem \ 
            -decrypt -out swapkey 
    openssl genrsa -aes256 -out privkey.pem 2048 
    openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt 
    openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt 
    rm swapkey rootkey 
    mv swapkey.enc rootkey.enc privkey.pem boot 
    update-initramfs -u 

Recover with bootcd

  • boot kubuntu cd
  • start xterm
  • sudo bash 
    mount /dev/sda1 /mnt 
    echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \ 
             `openssl rsautl -in /mnt/rootkey.enc -decrypt -inkey \ 
             /mnt/privkey.pem |hexdump -e '"" 32/1 "%02x" "\n"'` \ 
                    0 /dev/sda3 0 | dmsetup create root 
    umount mnt 
    mount /dev/mapper/root /mnt 
    mount /dev/sda1 /mnt/boot 
    chroot /mnt 
    update-initramfs -u 
    umount /mnt/boot 
    umount /mnt 
    • press ctrl-alt-del and select reboot

Other changes

Set root password

  • boot
  • switch to text console
  • login as "root" (no password)
  • shadowconfig on
  • passwd root

Create User

  • adduser user 
    # add user to dialout, fax, voice, cdrom, floppy, sudo, audio, 
           video, scanner, scard 

EncryptedFilesystemHowto4 (last edited 2013-12-08 02:03:15 by cprofitt)