Linux and encrypted hard disks
As with everything on the internet, people build on other people’s work.
Since I’ve recently reinstalled a system and wanted to take the chance to encrypt the whole hard disk, this is how it works.
What you basically need is a Live-CD like Linux Mint or Ubuntu to boot your system from. Ubuntu already provides full disk encryption within the installation procedure, but Linux Mint, for example, doesn’t.
During the installation I was using Linux Mint, booted from a USB stick. Oh, and I’m not going to start about the meaning of having encryption. Either you know that you want it or not. I’m not trying to convince you here. Other people have written enough about that topic.
This recipe assumes the following:
Disk to install to: /dev/sda
$ = command line shell
First of all: make a backup of your data. If you’re sure that you don’t have any relevant data on the hard disk you want to install to, then never mind. Then boot your Mint LiveCD. There might be a boot problem, which I encountered on version 12 (md5sum: ee3d6e2ca498bc7685b7f17cdb5f2eea) booting from a USB stick: it just dropped to the command line of the CD. Type in live to bring up the system.
Make sure you have an Internet connection (Wifi or cable); we need to install a package.
Once at the desktop, type in a terminal (press Alt+F2 and type xterm):
$ sudo apt-get install -y cryptsetup
If this is your old machine (the disk already holds data), you should fill the hard disk with either random data or zeros. This will destroy your partition scheme and all your data on the disk. The whole procedure may take a couple of hours. Do this with
$ dd if=/dev/urandom of=/dev/sda  # Filling with random data (takes longer)
$ dd if=/dev/zero of=/dev/sda     # Filling with zeros
Change sda to the name of the hard disk you want to install to. Use sudo if needed.
Partition your hard drive as normal (using fdisk, for example). Note that there needs to be a separate /boot partition (~200MB), because you can’t boot from an encrypted partition. An example layout can look like this:
/dev/sda1 /boot (200MB)
/dev/sda2 swap (1.5x RAM size)
/dev/sda3 /
/dev/sda4 /home
If you like your actual partition scheme, just make room for /boot (if you don’t have it yet) and run the dd commands above on the individual partitions, so you don’t need to repartition.
Now we need to load some modules for the crypto…things to work:
$ sudo modprobe dm-crypt
$ sudo modprobe aes-i586    # For 32 bit
$ sudo modprobe aes-x86_64  # For 64 bit
It’s time to encrypt the / and /home partitions. Change XX to the correct parameters as needed. If you get it wrong you might lose data. Also, don’t use the same password for both partitions. If you want, use a shorter password for your /home partition. If you are afraid of forgetting them, use a sentence from a film, or a verse from a song…whatever lets you remember them without having to write them on paper (NEVER do this). Passwords should also be hard to guess; your name, your birthday or names/birthdays from your family do not work here.
$ sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdXX
In our example, we will do:
$ sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3  # 256 bits is the largest key AES accepts
$ sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda4
Remember, /boot is not going to be encrypted. And the swap partition will be dynamically encrypted. I mean, we will configure cryptsetup to execute the command above on every boot, so swap will have a random key…so, dd it!
Now we have two encrypted containers, one in /dev/sda3 and one in /dev/sda4. Once finished, we must open them in order to format them. In our example:
$ sudo cryptsetup luksOpen /dev/sda3 croot
$ sudo cryptsetup luksOpen /dev/sda4 chome
croot and chome are just names, you can change them if you want. But remember them, they will be used later.
Format the partitions:
$ sudo mkfs.ext3 -j /dev/mapper/croot
$ sudo mkfs.ext3 -j /dev/mapper/chome
Install the OS as normal. When the installer asks you for partitioning, select the option that lets you specify the partitions yourself. In our example we should set the mount points like this:
/dev/mapper/croot /
/dev/mapper/chome /home
/dev/sda1 /boot
Do nothing with /dev/sda2, /dev/sda3 and /dev/sda4. If you have Windows partitions or others like /usr, /var, … mount them as normal (if you want /usr, /var, … to be encrypted, proceed as for / and /home).
Note
Note for Truecrypt users: If you have your Windows system partition encrypted with Truecrypt, remember to install grub to /boot. To do this, click Advanced on the last step of the installer and type /dev/sdXX (your /boot partition) in the Install grub to… field. In our example, we would type /dev/sda1.
Click to continue, and let it be.
Once the installation has finished, let the installer know that you want to keep using the LiveCD. We need to work some more. Do not reboot. Go back to the terminal and create a temporary mount point:
$ cd /mnt
$ sudo mkdir root
Mount your / and /boot partitions:
$ sudo mount -t ext3 /dev/mapper/croot /mnt/root
$ sudo mount -t ext3 /dev/sda1 /mnt/root/boot
And chroot onto your new system:
$ sudo chroot /mnt/root
We need to mount proc, sys and /dev/pts to get it working properly:
$ mount -t proc proc /proc
$ mount -t sysfs sys /sys
$ mount -t devpts devpts /dev/pts
Update your apt and install cryptsetup and initramfs-tools:
$ apt-get update
$ apt-get install cryptsetup initramfs-tools
Finally we need to set up some config files. Remember to change partitions as needed:
$ vi /etc/crypttab
# this line auto-mounts the swap partition at boot and ciphers it with a random key
cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
croot /dev/sda3 none luks
chome /dev/sda4 none luks
In /etc/fstab remove the swap line added by the installer and add this:
$ vi /etc/fstab
/dev/mapper/cswap none swap sw 0 0
/dev/mapper/croot / ext3 relatime,errors=remount-ro 0 1
/dev/mapper/chome /home ext3 relatime 0 2
The lines added by the installer for croot and chome didn’t work for me. I think it’s because of using UUIDs. So, don’t use them.
$ vi /etc/initramfs-tools/modules
dm_mod
dm_crypt
sha256_generic
# use aes-x86_64 instead on a 64 bit system, as with modprobe above
aes-i586
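Before leaving the chroot it is worth cross-checking the two files just edited, since a mapper device in fstab that crypttab never creates stalls the boot, and a random-key mapping pointed at anything but swap wipes it on every boot. This is an added example, not part of the original post; it only assumes the crypttab and fstab formats shown above and takes the two paths as arguments:

```shell
# Added example (not from the original post): cross-check /etc/crypttab and
# /etc/fstab from inside the chroot before rebooting. Usage:
#   sh check_crypt_config.sh /etc/crypttab /etc/fstab
# Prints one problem per line; returns 1 if any were found, 0 otherwise.
check_crypt_config() {
    ct=$1
    fs=$2
    problems=$(
        # Every crypttab mapping must be used in fstab. A mapping keyed from
        # /dev/urandom may only back swap: a fresh key on every boot is the
        # point for swap and would destroy a filesystem.
        awk '!/^[[:space:]]*#/ && NF >= 3' "$ct" | while read -r name src key opts; do
            if ! fsline=$(grep "^[[:space:]]*/dev/mapper/$name[[:space:]]" "$fs"); then
                echo "crypttab: $name is not referenced in fstab"
            elif [ "$key" = /dev/urandom ]; then
                case ",$opts," in
                    *,swap,*) ;;
                    *) echo "crypttab: $name uses a random key but lacks the swap option" ;;
                esac
                set -- $fsline   # word-split the fstab line; $3 is the fs type
                [ "$3" = swap ] || echo "fstab: random-key mapping $name is not swap (its data would be lost on every boot)"
            fi
        done
        # Every /dev/mapper device in fstab must be created by crypttab, or the
        # boot waits for a device that never appears.
        awk '!/^[[:space:]]*#/ && $1 ~ "^/dev/mapper/"' "$fs" | while read -r dev rest; do
            name=${dev#/dev/mapper/}
            grep -q "^[[:space:]]*$name[[:space:]]" "$ct" || echo "fstab: $dev has no crypttab entry"
        done
        # A mount point listed twice is usually the installer's own line for
        # / or swap that the text above tells you to remove.
        awk '!/^[[:space:]]*#/ && NF >= 2 { print $2 }' "$fs" | sort | uniq -d |
            sed 's/^/fstab: mount point listed twice: /'
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

if [ "$#" -eq 2 ]; then
    check_crypt_config "$1" "$2"
fi
```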
Update your initramfs:
$ update-initramfs -k all -c
Exit the chroot environment (Ctrl+D) and unmount /boot and /:
$ sudo umount /mnt/root/boot
$ sudo umount /mnt/root
Reboot. You may lose your usplash…I wonder if there’s a solution for this… You’re done now.
If you want to get your /home partition mounted automatically when you log in, continue (you basically have to make your login password identical to your encryption password).
Remove the entries for chome from /etc/fstab. Change the chome entry in /etc/crypttab to:
chome /dev/sda4 noauto luks
Install pam_mount
$ sudo apt-get install -y libpam-mount # (Don't use sudo if you're still on chroot session)
Update the config files as follows:
$ vi /etc/security/pam_mount.conf.xml  # (add the volume entry for your user at the end of the file, before the closing </pam_mount> tag)
Note
Don’t forget to replace yourusername with…your username
$ vi /etc/pam.d/common-auth  # (add this line at the end of the file)
auth optional pam_mount.so use_first_pass
$ vi /etc/pam.d/common-session  # (add this line at the end of the file)
session optional pam_mount.so
Finally, change your user’s password to match the one you put on your /home encrypted partition:
$ passwd  # as your own user; `sudo passwd` without a username would change root's password instead
Now you will be asked for your / partition password at early boot. Then you’ll log on as normal with your new password, and /home will be mounted for you automatically.
Mounting the devil
Sooner or later you might accidentally destroy your system and then need access to your data on the encrypted disk. Since it’s already 2012 we can boot a guest system from a USB stick and mount the disk there in order to gain access to the encrypted filesystem. Here are some hints that may smooth your way:
# Open the encrypted container
cryptsetup luksOpen /dev/sda1 <name>
# mount the opened container into the filesystem
mount -t <fs> /dev/mapper/<name> /mount/point