(i) Please refer to EncryptedFilesystems for further documentation.

Tested on a VMware Workstation 6 computer with 512 MB RAM and i386 compatible CPU.

Outline of solution

  1. Start the LiveCD and set up working environment
  2. Use gparted or fdisk to partition the drive

  3. Use cryptsetup to set up LUKS-encrypted partitions

  4. Launch the installer and tell it to install to /dev/mapper/*

  5. Before reboot, chroot into /target and do the necessary changes

LiveCD

Download Ubuntu 7.04 Desktop Edition. This guide is not tested with other versions or variants of Ubuntu.

Boot the CD and set up keyboard, network, proxy and whatever you need. (Hint: If you're behind a proxy, set the http_proxy environment variable: export http_proxy=http://proxy:port/)

Start a terminal and run sudo -i to become root. Edit /etc/apt/sources.list to add the universe repository. You may want to change to a mirror close to you instead of archive.ubuntu.com. To me, it's no.archive.ubuntu.com.

Install cryptsetup and gparted. (Use fdisk or other utility if you prefer that.)

aptitude update && aptitude install cryptsetup gparted

Partitioning

Use gparted to partition your drive. You will need >= 100 MB for /boot (important: unformatted), twice your amount of RAM for swap (linux-swap) and the usual minimum for your encrypted root filesystem (important: unformatted). From now on, this guide assumes /boot is /dev/sda1, encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6.

Exit gparted and unmount any auto-mounted filesystems by right-clicking on them on your desktop.

LUKS

Then load some modules:

for mod in dm_crypt sha256 aes_i586; do modprobe $mod; done

Use LUKS to encrypt your root partition. This is just an example using AES in CBC-mode and SHA-256 with a passphrase. Change these parameters at will, and use smartcards or whatever you want for better security. Remember to choose a good passphrase, as this probably will be the weakest link in the setup...

cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda6
cryptsetup luksOpen /dev/sda6 root

Installer

Start the installer and choose language and time zone.

Choose manual partitioning.

/dev/mapper/root should be formatted and mounted as /, while /dev/sda1 should be used as ext3 and mounted as /boot.

Leave the swap partition as swap. We will fix that later.

/dev/sda6 (or any other encrypted partitons) should not be mounted.

Create a user and confirm your options. Go make some coffee.

Do not restart when the installer asks you to! Just click that you want to continue working with the LiveCD.

Chroot and configure

So now we have a luks partition, that was the easy part. Now we need it to boot. In my experience this has been a bit fiddly. Hopefully these instructions will help.

Mount everything:

mount /dev/mapper/root /target
mount /dev/sda1 /target/boot
for dir in proc dev sys; do mount --bind /$dir  /target/$dir; done

You need to MAKEDEV in the *rootfs* (will be copied over to your temp bind directory) to make sure you get a /dev/.static directory created, otherwise you will see errors on boot complaining it doesn't exist.

cd /dev; MAKEDEV generic

Chroot into the target:

chroot /target

I prefer to update everything, but there are probably a reason the installer doesn't do this:

aptitude update
aptitude -y dist-upgrade

Install cryptsetup:

aptitude install cryptsetup

Set up /etc/crypttab:

# <target name> <source device>         <key file>      <options>
swap            /dev/sda5               /dev/random     swap
root            /dev/sda6               none            luks

Edit /etc/fstab and change swap to /dev/mapper/swap (from some UUID-line).

Create /etc/initramfs-tools/conf.d/cryptroot and add: CRYPTOPTS=target=root,source=/dev/sda6

Copy over the pre-built cryptroot scripts (ignore other HOWTOs that tell you to create these):

cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/cryptroot
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/cryptroot

You may want to alias aes to speed performance /etc/modprobe.d/aliases:

alias aes aes_i586

Edit /boot/grub/menu.lst and remove quiet splash from the defoptions-line:

# defoptions=

Run

update-grub
update-initramfs -u

.

Exit the chroot, umount /target/{proc,dev,sys,boot} and (if it works) /target and reboot.


CategorySecurity

FeistyEncryptedRootWithInstaller (last edited 2008-10-26 08:28:43 by naamanc)