Needs Expansion: This article is incomplete, and needs to be expanded.

Style Cleanup Required: This article does not follow the style standards in the Wiki Guide.

How to set up a fully encrypted disk with Ubuntu

This page describes a way to set up an Ubuntu installation with an encrypted root partition and encrypted swap.

Please refer to EncryptedFilesystems for further documentation.

New installations of Ubuntu 12.10 and later

During installation, check the checkbox “Encrypt the new Ubuntu installation for security”. See also the Electronic Frontier Foundation's notes.

Encryption with dm_crypt

If you'd like to use the newer and stronger dm_crypt method, you should:

sudo apt-get install cryptsetup
sudo modprobe dm_crypt

For each method of encryption, follow the listed howto:

Other possibilities are listed at the dm_crypt wiki, including encryption across RAID devices, encrypting only a home directory (slightly harder), and encryption using LUKS: http://www.saout.de/tikiwiki/tiki-index.php

Encryption with Cryptoloop

WARNING! We use the cryptoloop module in this howto. This module has well-known weaknesses.

Prearrangement

To set up Ubuntu the described way, you will need

  • a KNOPPIX CD
  • internet access

Insert the KNOPPIX CD into your computer and boot. Set up KNOPPIX so that it is able to connect to the internet.

Setting up the hard disk

We need three partitions:

Size   Mountpoint   Encrypted?   Purpose
10M    /osloader    NO           Holds the initrd and kernel image needed to mount and load the rest of the system. GRUB will boot from this partition.
*      /            YES          Root partition. Holds a normal Ubuntu installation that will be launched by initrd. The partition size depends on the available hard disk space but shouldn't be smaller than 2G.
*      swap         YES          Swap. The partition size depends on the amount of RAM in use.

You can use fdisk to set up the partition table. The result should look similar to

Disk /dev/hda: 20.0 GB, 20003880960 bytes
255 heads, 63 sectors/track, 2432 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1           2       16033+  83  Linux
/dev/hda2               3        2312    18555075   83  Linux
/dev/hda3            2313        2432      963900   82  Linux swap / Solaris

Now we check the partition for badblocks while filling it with random garbage, set up the encryption with losetup and format the encrypted partition. We will then mount it to install Ubuntu.

sudo badblocks -c 10240 -s -w -t random -v /dev/hda2
losetup -T -e aes128 /dev/loop0 /dev/hda2
mkreiserfs /dev/loop0
mkdir /mnt/ubuntu
mount /dev/loop0 /mnt/ubuntu

Installing Ubuntu

The installation procedure from KNOPPIX is described in Installation/FromKnoppix.

You need a different fstab. Instead of a normal partition, the device for the / mountpoint is /dev/loop0. The swap entry needs more arguments to provide encrypted swap.

/proc           /proc           proc            defaults                0 0
/sys            /sys            sysfs           defaults                0 0

/dev/hda1       /osloader       ext3            defaults,noauto         0 0
/dev/loop0      /               reiserfs        defaults                0 1
/dev/hda3       none            swap            sw,loop=/dev/loop1,encryption=aes128    0 0

/dev/cdrom      /mnt/cdrom      auto            user,noauto,exec,ro     0 0

After setting up the base system, install loop-aes-utils.

apt-get install loop-aes-utils

When installing the kernel and GRUB, quit the GRUB configuration assistant.

Setting up the OS loader

After installing the base system, we set up a small partition that mounts the encrypted root and kicks off init.

mke2fs -j /dev/hda1
mkdir /osloader
mount /dev/hda1 /osloader

Copy the kernel image there.

cp /vmlinuz /osloader/vmlinuz

We need to edit the mkinitrd configuration so that it supports loading the encrypted root partition.

First edit /etc/mkinitrd/mkinitrd.conf and change ROOT=probe to ROOT=, since probing would complain about our /dev/loop0 root.

Add some required modules to /etc/mkinitrd/modules:

ide-generic
loop
cryptoloop
aes
sha256
reiserfs

Then we add a script that handles the losetup stuff while booting. Create a file /etc/mkinitrd/scripts/losetup that has the following content:

mknod -m 600 $INITRDDIR/dev/loop0 b 7 0
mknod -m 600 $INITRDDIR/dev/hda2  b 3 2

mkdir $INITRDDIR/loopcheck

cat > $INITRDDIR/scripts/losetup.sh << EOF
#!/bin/sh

mount -nt proc proc proc

losetup -e aes128 /dev/loop0 /dev/hda2
mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null

while [ \$? -ne 0 ]
do
        echo "Try again."
        losetup -d /dev/loop0 2>/dev/null
        losetup -e aes128 /dev/loop0 /dev/hda2
        mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null
done

umount -n /loopcheck

# loop0 = 7, 0
echo 1792 > /proc/sys/kernel/real-root-dev
umount -n proc
EOF

chmod a+x $INITRDDIR/scripts/losetup.sh

chmod a+x /etc/mkinitrd/scripts/losetup

Now generate the initial ram disk with mkinitrd -o /osloader/initrd 2.6.10-5-386.

Configure GRUB:

mkdir /osloader/boot
mkdir /osloader/boot/grub

Add /osloader/boot/grub/menu.lst

default 0
timeout 0
title Ubuntu
        root (hd0,0)
        kernel /vmlinuz ro quiet splash root=/dev/loop0 acpi=off nolapic
        initrd /initrd
        boot

Install the MBR by running grub-install --root-directory=/osloader /dev/hda.

To make sure the osloader partition is clean, add a little check script to /etc/rcS.d/S00checkosloader. It compares a checksum of the whole unencrypted loader partition with the value recorded at setup time; because it runs from the already-booted encrypted root, it can only detect a modified loader after the fact, which is why the message warns that the passphrase may already have been captured.

#!/bin/sh

if [ "`md5sum /dev/hda1`" != "`cat /etc/osloader_checksum`" ]
then

    echo "** FATAL SECURITY ERROR ************************************"
    echo "*                                                          *"
    echo "* The OS loader was modified!                              *"
    echo "* This could have leaked your encryption password. You are *"
    echo "* advised to install a new encryption setup.               *"
    echo "*                                                          *"
    echo "* Press Enter to boot up the system.                       *"
    echo "************************************************************"

    read junk
fi

chmod a+x /etc/rcS.d/S00checkosloader
md5sum /dev/hda1 > /etc/osloader_checksum
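As an added example that is not part of the original howto, here is the same loader check written as reusable shell functions: it uses sha256sum instead of md5sum, stores only the digest (so the recorded path does not have to match the path used at check time), and treats a missing checksum file as a failure instead of a silent mismatch. The device path is a parameter; the demo at the bottom runs against a constructed image file standing in for /dev/hda1.

```shell
#!/bin/sh
# Added example: verify an unencrypted boot-loader partition (or an image
# file) against a digest recorded at setup time.

# record_loader_digest DEVICE CHECKSUM_FILE
#   Store the SHA-256 of DEVICE (digest only, no path) in CHECKSUM_FILE.
record_loader_digest() {
    sha256sum "$1" | awk '{print $1}' > "$2"
}

# check_loader_digest DEVICE CHECKSUM_FILE
#   Exit status 0 if DEVICE matches the recorded digest, 1 if it differs,
#   2 if no digest was ever recorded (a failure, never a pass).
check_loader_digest() {
    dev=$1
    sums=$2
    [ -r "$sums" ] || return 2
    expected=$(cat "$sums")
    actual=$(sha256sum "$dev" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Demo on a constructed loader image (stands in for /dev/hda1).
demo() {
    tmp=$(mktemp -d)
    img=$tmp/loader.img
    sums=$tmp/osloader_checksum
    printf 'constructed kernel and initrd bytes\n' > "$img"
    record_loader_digest "$img" "$sums"
    check_loader_digest "$img" "$sums" && untouched=0 || untouched=$?
    printf 'X' >> "$img"     # simulate a modified loader partition
    check_loader_digest "$img" "$sums" && tampered=0 || tampered=$?
    rm -rf "$tmp"
    echo "untouched=$untouched tampered=$tampered"   # untouched=0 tampered=1
}

demo
```

In the howto's setup the record step would be run once from the chroot with /dev/hda1 and /etc/osloader_checksum, and the check step from the rcS.d script.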

Now exit the chroot, reboot and you should have a fully encrypted environment.


FullDiskEncryptionHowto (last edited 2013-10-09 18:14:43 by gregknicholson)