Yttrium n00b

Joined: 22 Oct 2009 Posts: 29 Location: Germany
Posted: Tue Feb 09, 2010 7:02 pm Post subject: [Tutorial] Quick Guide to setup an encrypted root partition |
Tutorial: Quick and easy step-by-step guide to set up an encrypted root partition
This guide shows how to encrypt your root partition using simple password authentication. Of course you are free to modify it so that it fits your specific needs. You might want to use gpg-encrypted keyfiles stored on an external USB drive, for example. However, this guide only covers password authentication at the moment, as this should be sufficient for the majority of users.
0. System setup:
- 1 single HDD /dev/hda
- /dev/hda1 is the boot partition, which contains the bootloader, the kernel image (~2.7 MB) and the initial ramdisk (~1.6 MB).
- /dev/hda2 will become our encrypted root partition.
1. We encrypt our partition using LUKS. In this example I use Twofish in plain XTS mode with a key size of 256 bits as cipher and SHA-512 as hash function. Remember to switch to the standard US keyboard layout before setting your password. Otherwise, you might have a hard time entering your password when prompted at the boot screen.
Code:
# --hash selects the LUKS key-setup hash. A ":sha512" suffix on the cipher
# name only configures ESSIV IV generation and is ignored for xts-plain.
cryptsetup -v --cipher twofish-xts-plain --hash sha512 --key-size 256 luksFormat /dev/hda2
Note: If cryptsetup isn't installed, follow steps 7-9 and return.
2. We open our new LUKS partition.
Code:
cryptsetup luksOpen /dev/hda2 root
3. We create a file system. For example ext4.
Code:
mkfs.ext4 /dev/mapper/root
4. Now that we've created a filesystem on the device /dev/mapper/root, which transparently encrypts all data and finally writes it to the physical /dev/hda2 device, we can mount it like any other normal device.
Code:
mkdir -p /mnt/hda2 && mount -o noatime,nodiratime /dev/mapper/root /mnt/hda2
5. Now we are ready to install Gentoo, following the Gentoo Linux x86 Handbook. (This is perhaps the most time-consuming step.)
6. We have to modify the line describing the root partition in /etc/fstab
Code:
/dev/mapper/root / ext4 rw,noatime,nodiratime 0 1
7. We have to create the initial ramdisk. We need to emerge busybox and cryptsetup. Optionally, if you want to use the latest (officially unstable) versions, type:
Code:
echo -e "sys-apps/busybox\nsys-fs/cryptsetup" >> /etc/portage/package.keywords
If the directory doesn't exist, create it with mkdir /etc/portage
8. We must enable the static USE flag for busybox. To permanently activate it, type:
Code:
echo "sys-apps/busybox static" >> /etc/portage/package.use
9. We emerge the two packages.
Code:
emerge -av busybox cryptsetup
10. We create a folder to store our ramdisk in. For example in the home folder of root.
Code:
mkdir -p /root/initramfs/bin
11. We copy busybox and cryptsetup to our newly created bin folder.
Code:
cp /sbin/cryptsetup /root/initramfs/bin/
cp /bin/busybox /root/initramfs/bin/
12. We need to create only one hard link (no need to create device nodes or anything else).
Code:
cd /root/initramfs/bin
ln busybox sh
13. Now we create the file /root/initramfs/init and fill it with the following short & sweet script.
Code:
#!/bin/sh
#####Author: scandium at lavabit.com#####
# Runs inside the initramfs: only busybox and cryptsetup exist under /bin.
export PATH=/bin
mkdir /new-root /sys /proc /sbin
mount -n -t sysfs sysfs /sys
mount -n -t proc proc /proc
# Create the applet symlinks (mount, mdev, switch_root, ...) from busybox.
busybox --install -s
# Let mdev populate /dev so /dev/hda2 and later /dev/mapper/root show up.
echo /bin/mdev > /proc/sys/kernel/hotplug
mdev -s
# Pick up root=... from the kernel command line (set in menu.lst, step 16);
# this takes the text after the first "=", i.e. the device path.
for cmdline in $(cat /proc/cmdline); do
    case $cmdline in
        root=*) root=$(echo $cmdline | cut -d "=" -f 2) ;;
    esac
done
# Prompts for the LUKS passphrase and maps the partition to /dev/mapper/root.
cryptsetup luksOpen $root root
mount -n -o ro /dev/mapper/root /new-root
umount -n /sys /proc
# Hand over to the real init on the decrypted root file system.
exec switch_root /new-root /sbin/init
14. Don't forget to make the init script executable.
Code:
chmod +x /root/initramfs/init
WARNING: Don't run this script outside of the initial ramdisk at boot time. It will very likely damage your system if you execute it manually! It's not meant for that purpose.
15. We mount our boot partition and create the ramdisk image on it.
Code:
mount /dev/hda1 /boot
cd /root/initramfs/
find . | cpio -o -H newc | gzip -9 > /boot/initramfs
16. Finally we have to modify our bootloader. I use grub 0.9x and the relevant part of my /boot/grub/menu.lst looks like:
Code:
title Gentoo linux-2.6.32-gentoo-r3 (LUKS, ext4, /dev/hda2)
root (hd0,0)
kernel /boot/linux-2.6.32-gentoo-r3 root=/dev/hda2
initrd /boot/initramfs
The kernel command line root=... tells the initial ramdisk which LUKS partition to mount.
17. Unmount everything, reboot and enjoy your encrypted root file system.
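As an added example (not part of the original post, and not the tutorial author's code), the following POSIX sh helper covers the initramfs side of steps 10 through 16: it validates the tree before packing (every required file present, init executable, busybox and cryptsetup statically linked, since no shared libraries are copied in), packs it the same way step 15 does, reads the archive back to confirm ./init is inside, and supplies a root= parser that, unlike the `cut -d "=" -f 2` in the init script, keeps values such as root=UUID=... intact. The tree and output paths (/root/initramfs, /boot/initramfs) are the tutorial's; the function names, the `build` subcommand and the use of ldd to detect static linking are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check and pack the initramfs
# tree from steps 10-15 and parse root= robustly. Assumes the tutorial's
# layout (init, bin/busybox, bin/cryptsetup, bin/sh under the tree) and
# GNU or busybox cpio/gzip plus an ldd on the build host.
set -u

# Print the value of root= from a kernel command line, e.g. "/dev/hda2".
# `cut -d = -f 2` would turn root=UUID=1234 into "UUID"; ${arg#root=}
# strips only the leading "root=" and keeps everything after it.
cmdline_root() {
    set -f                             # no globbing while splitting the line
    set -- $1
    set +f
    for _arg; do
        case "$_arg" in
            root=*) printf '%s\n' "${_arg#root=}"; return 0 ;;
        esac
    done
    return 1                           # no root= given: init must fail loudly
}

# Succeed if a binary is statically linked. A dynamically linked busybox or
# cryptsetup in this tree fails at boot because no .so files are copied in.
# glibc's ldd may execute the binary it inspects, so only run it on binaries
# you built yourself.
is_static() {
    command -v ldd >/dev/null 2>&1 || { echo "ldd not found, cannot check $1" >&2; return 0; }
    ! ldd "$1" >/dev/null 2>&1         # ldd exits non-zero for static ELF files
}

# Validate the tree before packing: required files present, init executable,
# helper binaries static. Reports every problem on stderr, returns 1 if any.
check_tree() {
    _tree=$1; _rc=0
    for _f in init bin/busybox bin/cryptsetup bin/sh; do
        [ -e "$_tree/$_f" ] || { echo "missing: $_f" >&2; _rc=1; }
    done
    [ -x "$_tree/init" ] || { echo "init is not executable (chmod +x)" >&2; _rc=1; }
    for _b in busybox cryptsetup; do
        if [ -e "$_tree/bin/$_b" ] && ! is_static "$_tree/bin/$_b"; then
            echo "bin/$_b is dynamically linked; rebuild it statically linked" >&2
            _rc=1
        fi
    done
    return $_rc
}

# Pack the tree exactly as step 15 does (newc cpio, gzip -9), then read the
# archive back and confirm it carries ./init before it is trusted on /boot.
pack_tree() {
    _tree=$1; _out=$2
    check_tree "$_tree" || return 1
    ( cd "$_tree" && find . -print | cpio -o -H newc 2>/dev/null ) | gzip -9 > "$_out" || return 1
    gzip -dc "$_out" | cpio -t 2>/dev/null | grep -qx './init'
}

# Usage: sh build-initramfs.sh build [tree] [output]
case "${1:-}" in
    build)
        pack_tree "${2:-/root/initramfs}" "${3:-/boot/initramfs}" && echo "wrote ${3:-/boot/initramfs}"
        ;;
esac
```

Run it as `sh build-initramfs.sh build` after step 14 and before step 16; it refuses to write an image whose init is not executable or whose helper binaries would need shared libraries that are not in the tree, which are the two mistakes that leave you at a dead boot prompt with no way to enter the passphrase.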
dman777 l33t

Joined: 10 Jan 2007 Posts: 621
Posted: Mon Mar 21, 2011 10:41 am Post subject: |
If there is no passphrase prompt or a keyfile with passphrase required, how does this data encryption help, since anyone could boot up the PC or steal the hard drive and mount/read the partition?
tomk Administrator


Joined: 23 Sep 2003 Posts: 6746 Location: Sat in front of my computer
Posted: Mon Mar 21, 2011 10:43 am Post subject: |
Moved from Networking & Security to Documentation, Tips & Tricks as it fits better here.
dman777 l33t

Joined: 10 Jan 2007 Posts: 621
Posted: Mon Mar 21, 2011 11:59 pm Post subject: |
Kinda sux... I find that old threads in this forum do not get replied to once they have been around for a while.
truc Advocate


Joined: 25 Jul 2005 Posts: 3045
Posted: Tue Mar 22, 2011 3:45 am Post subject: |
dman777 wrote: "If there is no passphrase prompt"
Code:
cryptsetup luksOpen $root root
cryptsetup will take care of that.
marziods Tux's lil' helper


Joined: 25 Jun 2009 Posts: 100 Location: <Padova>par lavor | Udine | Friul | Italie
Posted: Sun Apr 03, 2011 10:23 am Post subject: |
Hi everybody,
just a question: if I want only my home encrypted, what do I have to do?
Thanks in advance
Marzio