'''DISCLAIMER: Doing this is an unsupported configuration for Ubuntu, and may cause problems up to and including boot breakage on upgrades. If possible, please use the password-based or TPM FDE options provided by the Ubuntu installer.'''

= How to set up a fully encrypted disk with Ubuntu =

This page describes a way to set up an Ubuntu installation with an encrypted root partition and encrypted swap.

|| {i} Please refer to EncryptedFilesystems for further documentation.||
|| {i} The document [[https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019|Full Disk Encryption]] might supersede this document.||

== New installations of Ubuntu 12.10 and later ==

During installation, check the checkbox “Encrypt the new Ubuntu installation for security”. [[https://www.eff.org/deeplinks/2012/11/privacy-ubuntu-1210-full-disk-encryption|See also the Electronic Frontier Foundation's notes]].

== Encryption with dm_crypt ==

If you'd like to use the newer and stronger dm_crypt method you should:

{{{
sudo apt-get install cryptsetup
sudo modprobe dm_crypt
}}}

For each method of encryption, follow the listed howto:

 * CryptoRoot - `/usr/share/doc/cryptsetup/CryptoRoot.HowTo`
 * CryptoSwap - `/usr/share/doc/cryptsetup/CryptoSwap.HowTo`
 * Encrypted non-root HD partition - [[https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_non-root_file_system]]

Other possibilities are listed at the dm_crypt wiki, including encryption across RAID devices, encrypting only a home directory (slightly harder), and encryption using LUKS: [[http://www.saout.de/tikiwiki/tiki-index.php]]

== Encryption with Cryptoloop ==

||<#ccaaaa> WARNING! We use the cryptoloop module in this howto. This module has well-known weaknesses. ||

=== Prearrangement ===

To set up Ubuntu the described way, you will need

 * a KNOPPIX CD
 * internet access

Insert the KNOPPIX CD into your computer and boot. Set up KNOPPIX so that it is able to connect to the internet.

=== Setting up the harddisk ===

We need three partitions:

|| '''Size''' || '''Mountpoint''' || '''Encrypted?''' || '''Purpose''' ||
|| 10M || /osloader || NO || Holds the ''initrd'' and kernel image needed to mount and load the rest of the system. GRUB will boot from this partition. ||
|| * || / || YES || Root partition. Holds a normal Ubuntu installation that will be launched by ''initrd''. The partition size depends on the available harddisk space but shouldn't be smaller than 2G. ||
|| * || swap || YES || Swap. The partition size depends on the amount of RAM. ||

You can use {{{fdisk}}} to set up the partition table. The results should look similar to

{{{
Disk /dev/hda: 20.0 GB, 20003880960 bytes
255 heads, 63 sectors/track, 2432 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1           2       16033+  83  Linux
/dev/hda2               3        2312    18555075   83  Linux
/dev/hda3            2313        2432      963900   82  Linux swap / Solaris
}}}

Now we check the partition for bad blocks while filling it with random garbage, set up the encryption with {{{losetup}}} and format the encrypted partition. We will then mount it to install Ubuntu.

{{{
sudo badblocks -c 10240 -s -w -t random -v /dev/hda2
losetup -T -e aes128 /dev/loop0 /dev/hda2
mkreiserfs /dev/loop0
mkdir /mnt/ubuntu
mount /dev/loop0 /mnt/ubuntu
}}}

=== Installing Ubuntu ===

The installation procedure from KNOPPIX is described in [[Installation/FromKnoppix#head-d373af719615b01a8733cbea9d477dc493df420c|Installation/FromKnoppix]].

You need a different {{{fstab}}}. Instead of a normal partition, the device for the {{{/}}} mountpoint is {{{/dev/loop0}}}. The swap entry needs more arguments to provide encrypted swap.

{{{
/proc        /proc       proc      defaults                              0 0
/sys         /sys        sysfs     defaults                              0 0
/dev/hda1    /osloader   ext3      defaults,noauto                       0 0
/dev/loop0   /           reiserfs  defaults                              0 1
/dev/hda3    none        swap      sw,loop=/dev/loop1,encryption=aes128  0 0
/dev/cdrom   /mnt/cdrom  auto      user,noauto,exec,ro                   0 0
}}}

After setting up the base system, install {{{loop-aes-utils}}}.

{{{
apt-get install loop-aes-utils
}}}

When installing the kernel and GRUB, quit the GRUB configuration assistant.

=== Setting up the OS loader ===

After installing the base system, we set up a small partition that mounts the encrypted root and kicks off {{{init}}}.

{{{
mke2fs -j /dev/hda1
mkdir /osloader
mount /dev/hda1 /osloader
}}}

Copy the kernel image there.

{{{
cp /vmlinuz /osloader/vmlinuz
}}}

We need to edit the {{{mkinitrd}}} configuration so that it supports loading the encrypted root partition. First edit {{{/etc/mkinitrd/mkinitrd.conf}}} and change {{{ROOT=probe}}} to {{{ROOT=}}}, since {{{mkinitrd}}} would otherwise complain about our {{{/dev/loop0}}} root.

Add some required modules to {{{/etc/mkinitrd/modules}}}:

{{{
ide-generic
loop
cryptoloop
aes
sha256
reiserfs
}}}

Then we add a script that handles the {{{losetup}}} step while booting. Create a file {{{/etc/mkinitrd/scripts/losetup}}} that has the following content:

{{{
#!/bin/sh

mknod -m 600 $INITRDDIR/dev/loop0 b 7 0
mknod -m 600 $INITRDDIR/dev/hda2 b 3 2
mkdir $INITRDDIR/loopcheck

cat > $INITRDDIR/scripts/losetup.sh << EOF
#!/bin/sh

mount -nt proc proc proc

losetup -e aes128 /dev/loop0 /dev/hda2
mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null
while [ \$? -ne 0 ]
do
  echo "Try again."
  losetup -d /dev/loop0 2>/dev/null
  losetup -e aes128 /dev/loop0 /dev/hda2
  mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null
done
umount -n /loopcheck

# loop0 = 7, 0
echo 1792 > /proc/sys/kernel/real-root-dev

umount -n proc
EOF
chmod a+x $INITRDDIR/scripts/losetup.sh
}}}

{{{
chmod a+x /etc/mkinitrd/scripts/losetup
}}}

Now generate the initial ram disk with {{{mkinitrd -o /osloader/initrd 2.6.10-5-386}}}.

Configure GRUB:

{{{
mkdir /osloader/boot
mkdir /osloader/boot/grub
}}}

Add {{{/osloader/boot/grub/menu.lst}}}

{{{
default 0
timeout 0

title Ubuntu
root (hd0,0)
kernel /vmlinuz ro quiet splash root=/dev/loop0 acpi=off nolapic
initrd /initrd
boot
}}}

Install the MBR by running {{{grub-install --root-directory=/osloader /dev/hda}}}.

To make sure the osloader partition is clean, add a little check script to {{{/etc/rcS.d/S00checkosloader}}}.

{{{
#!/bin/sh

if [ "`md5sum /dev/hda1`" != "`cat /etc/osloader_checksum`" ]
then
  echo "** FATAL SECURITY ERROR ************************************"
  echo "*                                                          *"
  echo "* The OS loader was modified!                              *"
  echo "* This could have leaked your encryption password. You are *"
  echo "* advised to install a new encryption setup.               *"
  echo "*                                                          *"
  echo "* Press Enter to boot up the system.                       *"
  echo "************************************************************"
  read junk
fi
}}}

{{{
chmod a+x /etc/rcS.d/S00checkosloader
md5sum /dev/hda1 > /etc/osloader_checksum
}}}

Now exit the chroot, reboot and you should have a fully encrypted environment.

----
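
The OS loader check above, rewritten as an added example (not part of the original page) that uses SHA-256 instead of MD5, compares only the digest, and treats a missing baseline or unreadable device as a failed check. The function names and the baseline path {{{/etc/osloader_sha256}}} are assumptions.

```shell
#!/bin/sh
# Added example: SHA-256 variant of the OS loader integrity check.
# osloader_digest, record_osloader and verify_osloader are hypothetical names.

# Print only the hex digest of a file or block device (empty on error).
osloader_digest() {
    sha256sum "$1" 2>/dev/null | cut -d ' ' -f 1
}

# Store the baseline digest, readable by root only.
# Usage (assumed path): record_osloader /dev/hda1 /etc/osloader_sha256
record_osloader() {
    dev=$1
    baseline=$2
    digest=$(osloader_digest "$dev")
    [ -n "$digest" ] || return 2
    ( umask 077; printf '%s\n' "$digest" > "$baseline" )
}

# Return 0 if the device matches the baseline, 1 if it was modified,
# 2 if the check could not run (missing baseline or unreadable device).
verify_osloader() {
    dev=$1
    baseline=$2
    [ -r "$baseline" ] || return 2
    expected=$(cat "$baseline")
    actual=$(osloader_digest "$dev")
    [ -n "$actual" ] || return 2
    [ "$actual" = "$expected" ] && return 0
    return 1
}

# In /etc/rcS.d/S00checkosloader one would call, for example:
#   verify_osloader /dev/hda1 /etc/osloader_sha256 || { echo "OS loader check failed"; read junk; }
```

Mounting {{{/osloader}}} read-write changes the raw contents of {{{/dev/hda1}}}, so record a new baseline after every intended kernel or initrd update.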