:date: 2011-12-23 10:03

.. index:: tech, linux

Linux and encrypted harddisks
=============================

As with everything on the internet, people build their stuff on top of other people's stuff. Since I recently reinstalled a system and wanted to take the chance to encrypt the whole hard disk, this is how it works.

What you basically need is a Live-CD like Linux Mint or Ubuntu to boot your system from. Ubuntu already offers full disk encryption within the installation procedure, but Linux Mint, for example, doesn't. During the installation I was using Linux Mint, booted from a USB stick.

Oh, and I'm not going to start about the meaning of having encryption. Either you know that you want it or not. I'm not trying to convince you here. Other people have written enough about that topic.

--------

This recipe assumes the following:

* Disk to install to is :file:`/dev/sda`
* :kbd:`$` = command line shell

* First of all: make a backup of your data. If you're sure that you don't have any relevant data on the hard disk you want to install to, then never mind.

  Then, boot your Mint LiveCD. There might be a booting problem which I encountered on version 12 (md5sum: ``ee3d6e2ca498bc7685b7f17cdb5f2eea``) booting from a USB stick. It just started to the command line on the CD. Type in *live* to bring up the system.

* Make sure you have an Internet connection (Wifi or cable), we need to install a package.

* Once at the desktop, open a terminal (press :kbd:`Alt+F2` and type :kbd:`xterm`) and type:

  .. code:: bash

     $ sudo apt-get install -y cryptsetup

* If this is your old machine you should fill your hard disk with either random data or zeros. This will destroy your partition scheme and all your data on the disk. The whole procedure may take a couple of hours. Do this with

  .. code:: bash

     $ dd if=/dev/urandom of=/dev/sda   # Filling with random data (takes longer)
     $ dd if=/dev/zero of=/dev/sda      # Filling with zeros

  Change :file:`sda` to the name of the hard disk you want to install to. Use :program:`sudo` if needed.

* Partition your hard drive as normal (using :program:`fdisk`, for example). Note that there needs to be a separate :file:`/boot` partition (~200MB), because you can't boot from an encrypted partition. An example layout can look like this:

  .. code:: bash

     /dev/sda1 /boot (200MB)
     /dev/sda2 swap  (1.5x RAM size)
     /dev/sda3 /
     /dev/sda4 /home

  If you like your current partition scheme, just make room for :file:`/boot` (if you don't have it yet) and run the :program:`dd` commands above on the partitions separately, so you don't need to repartition.

* Now we need to load some modules for the crypto things to work:

  .. code:: bash

     $ sudo modprobe dm-crypt
     $ sudo modprobe aes-i586    # For 32 bit
     $ sudo modprobe aes-x86_64  # For 64 bit

* It's time to encrypt the :file:`/` and :file:`/home` partitions. Change ``XX`` to the correct parameters as needed. If you do it wrong you might lose data. Also, don't use the same password for both partitions. If you want, use a shorter password for your :file:`/home` partition. If you are afraid of forgetting them, use a sentence from a film, or a verse from a song... whatever lets you remember them without having to write them on paper (NEVER do this). Passwords should also be hard to guess; your name, your birthday or names/birthdays from your family do not work here.

  .. code:: bash

     $ sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdXX

  In our example, we will do:

  .. code:: bash

     $ sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3
     $ sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda4

  Remember, :file:`/boot` is not going to be encrypted. And the swap partition will be dynamically encrypted. I mean, we will configure cryptsetup to set it up with a fresh key on every boot, so swap will have a random key... so, just :program:`dd` it!

* Now we have two encrypted containers, one in :file:`/dev/sda3` and one in :file:`/dev/sda4`. Once finished, we must open them in order to format them. In our example:

  .. code:: bash

     $ sudo cryptsetup luksOpen /dev/sda3 croot
     $ sudo cryptsetup luksOpen /dev/sda4 chome

  *croot* and *chome* are just names, you can change them if you want. But remember them, they will be used later.

* Format the partitions:

  .. code:: bash

     $ sudo mkfs.ext3 -j /dev/mapper/croot
     $ sudo mkfs.ext3 -j /dev/mapper/chome

* Install the OS as normal. When the installer asks you for partitioning, select :menuselection:`Manual`. In our example we should set the mount points like this:

  .. code:: bash

     /dev/mapper/croot /
     /dev/mapper/chome /home
     /dev/sda1         /boot

  Do nothing with :file:`/dev/sda2`, :file:`/dev/sda3`, :file:`/dev/sda4`. If you have Windows partitions or others like :file:`/usr`, :file:`/var`, ... mount them as normal (if you want :file:`/usr`, :file:`/var` to be encrypted, proceed as for :file:`/` and :file:`/home`).

  .. NOTE:: Note for Truecrypt users: If you have your Windows system partition encrypted with Truecrypt, remember to install grub to :file:`/boot`. To do this, click *Advanced* on the last step of the installer and type :file:`/dev/sdXX` (your :file:`/boot` partition) in the *Install grub to...* field. In our example, we would type :file:`/dev/sda1`.

* Click :menuselection:`Install`, and let it be.

* Once the installation has finished, let the installer know that you want to keep using the LiveCD. We need to work some more. Do not reboot. Go back to the terminal and create a temporary mount point:

  .. code:: bash

     $ cd /mnt
     $ sudo mkdir root

  Mount your :file:`/` and :file:`/boot` partitions:

  .. code:: bash

     $ sudo mount -t ext3 /dev/mapper/croot /mnt/root
     $ sudo mount -t ext3 /dev/sda1 /mnt/root/boot

  And chroot into your new system:

  .. code:: bash

     $ sudo chroot /mnt/root

  We need to mount :file:`proc`, :file:`sys` and :file:`/dev/pts` to get it to work properly:

  .. code:: bash

     $ mount -t proc proc /proc
     $ mount -t sysfs sys /sys
     $ mount -t devpts devpts /dev/pts

* Update your :program:`apt` and install :program:`cryptsetup` and :program:`initramfs-tools`:

  .. code:: bash

     $ apt-get update
     $ apt-get install cryptsetup initramfs-tools

* Finally we need to set up some config files. Remember to change the partitions as needed:

  .. code:: bash

     $ vi /etc/crypttab
     # this line sets up the swap partition at boot and ciphers it with a random key
     cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
     croot /dev/sda3 none luks
     chome /dev/sda4 none luks

* In :file:`/etc/fstab` remove the swap line added by the installer and add this:

  .. code:: bash

     $ vi /etc/fstab
     /dev/mapper/cswap none  swap sw                         0 0
     /dev/mapper/croot /     ext3 relatime,errors=remount-ro 0 1
     /dev/mapper/chome /home ext3 relatime                   0 2

* The lines added by the installer for ``croot`` and ``chome`` didn't work for me. I think it's because of using UUIDs. So, don't use them. Then add the crypto modules to the initramfs module list:

  .. code:: bash

     $ vi /etc/initramfs-tools/modules
     dm_mod
     dm_crypt
     sha256_generic
     aes-i586

* Update your :file:`initramfs`:

  .. code:: bash

     $ update-initramfs -k all -c

* Exit the chroot environment (:kbd:`Ctrl+D`) and umount :file:`/boot` and :file:`/`:

  .. code:: bash

     $ sudo umount /mnt/root/boot
     $ sudo umount /mnt/root

* Reboot. You may lose your usplash... I wonder if there's a solution for this...

You're done now. If you want to get your :file:`/home` partition mounted automatically when you log in, continue (you basically have to make your login password identical to your encryption password).

* Remove the entries for ``chome`` in :file:`/etc/fstab`.

* Change the ``chome`` entry in :file:`/etc/crypttab` to (``noauto`` belongs in the options field, the key field stays ``none``):

  .. code::

     chome /dev/sda4 none luks,noauto

* Install :program:`pam_mount`:

  .. code:: bash

     $ sudo apt-get install -y libpam-mount   # (Don't use sudo if you're still in the chroot session)

* Update the config files as follows:

  .. code:: bash

     $ vi /etc/security/pam_mount.conf.xml
     # (add the volume entry for your /home container at the end of the file, before the closing </pam_mount> tag)

  .. NOTE:: Don't forget to replace *yourusername* with... your *username*.

  .. code:: bash

     $ vi /etc/pam.d/common-auth
     # (add this line at the end of the file)
     auth optional pam_mount.so use_first_pass

     $ vi /etc/pam.d/common-session
     # (add this line at the end of the file)
     session optional pam_mount.so

* Finally, change your user's password to match the one you put on your encrypted :file:`/home` partition:

  .. code:: bash

     $ sudo passwd

Now you will be asked for your :file:`/` partition password at early boot. Then you'll log on as normal with your new password and :file:`/home` will be mounted for you automatically.

--------

Mounting the devil
------------------

Sooner or later you might *accidentally* destroy your system and then you need access to your data on the encrypted disk. Since it's already 2012 we can boot from a USB stick and a guest system and mount the disk there in order to gain access to the encrypted filesystem. Here are some hints that may smooth your way:

.. code:: bash

   # Open the encrypted container (NAME is the mapper name you choose, e.g. croot)
   cryptsetup luksOpen /dev/sda1 NAME
   # mount the opened container into the filesystem (FSTYPE is its filesystem type, e.g. ext3)
   mount -t FSTYPE /dev/mapper/NAME /mount/point
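The three files configured above (:file:`/etc/crypttab`, :file:`/etc/fstab` and :file:`pam_mount.conf.xml`) have to agree with each other, and the failure modes are nasty: a UUID line the installer left in fstab, a ``/dev/urandom`` key on anything but swap, or a ``chome`` that is both ``noauto`` and still in fstab. The following checker is an added example and not part of the original post; the sample inputs are constructed from the post's layout (sda2 swap, sda3 root, sda4 home), the ``<volume>`` attribute names are the ones I assume pam_mount's XML format uses, and ``alice`` stands in for *yourusername*.

```python
"""Check that /etc/crypttab, /etc/fstab and pam_mount.conf.xml agree with each other.

Added example, not from the original post. Sample inputs are constructed from the
post's layout; the <volume> attributes are assumed pam_mount syntax, 'alice' is a stand-in user.
"""
import xml.etree.ElementTree as ET


def _fields(text):
    """Yield the whitespace-split fields of every non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_crypttab(text):
    """Map target name -> (source device, key file, set of options)."""
    entries = {}
    for f in _fields(text):
        if len(f) < 3:
            raise ValueError("crypttab line needs name, device and key: %r" % " ".join(f))
        entries[f[0]] = (f[1], f[2], set(f[3].split(",")) if len(f) > 3 else set())
    return entries


def parse_fstab(text):
    """Return a list of (device, mount point, fs type, set of options)."""
    rows = []
    for f in _fields(text):
        if len(f) < 4:
            raise ValueError("fstab line needs device, mount point, type, options: %r" % " ".join(f))
        rows.append((f[0], f[1], f[2], set(f[3].split(","))))
    return rows


def check_setup(crypttab_text, fstab_text, pam_mount_xml=None, user=None):
    """Return a list of readable problems; an empty list means the files agree."""
    problems = []
    crypt = parse_crypttab(crypttab_text)
    mounted = {}  # mapper name -> (mount point, fs type)

    for dev, mnt, fstype, _ in parse_fstab(fstab_text):
        if dev.startswith(("UUID=", "LABEL=")):
            # The post's observation: the installer's UUID lines did not work, use mapper names.
            problems.append("%s: fstab uses %s; refer to /dev/mapper/<name> instead" % (mnt, dev))
        elif dev.startswith("/dev/mapper/"):
            name = dev[len("/dev/mapper/"):]
            mounted[name] = (mnt, fstype)
            if name not in crypt:
                problems.append("%s is in fstab but has no crypttab entry" % dev)

    for name, (device, key, opts) in crypt.items():
        if key == "/dev/urandom":
            # A fresh random key on every boot only makes sense for swap; a filesystem would be lost.
            if "swap" not in opts:
                problems.append("%s: random key without the 'swap' option would destroy %s" % (name, device))
            if name in mounted and mounted[name][1] != "swap":
                problems.append("%s: random-keyed volume is mounted as %s" % (name, mounted[name][1]))
        if "noauto" in opts and name in mounted:
            problems.append("%s: noauto in crypttab but still listed in fstab" % name)
        if "noauto" not in opts and name not in mounted:
            problems.append("%s: opened at boot but never mounted via fstab" % name)

    if pam_mount_xml is not None:
        volumes = [v for v in ET.fromstring(pam_mount_xml).iter("volume") if v.get("user") == user]
        if not volumes:
            problems.append("no pam_mount volume for user %r" % user)
        for v in volumes:
            names = [n for n, (d, _, _) in crypt.items() if d == v.get("path")]
            if not names:
                problems.append("pam_mount volume %s has no crypttab entry" % v.get("path"))
            elif "noauto" not in crypt[names[0]][2]:
                problems.append("pam_mount volume %s (%s) must be noauto in crypttab" % (v.get("path"), names[0]))
    return problems


# Constructed samples mirroring the final state of the post's configuration.
CRYPTTAB = """\
cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
croot /dev/sda3 none luks
chome /dev/sda4 none luks,noauto
"""
FSTAB = """\
/dev/mapper/cswap none  swap sw                         0 0
/dev/mapper/croot /     ext3 relatime,errors=remount-ro 0 1
/dev/sda1         /boot ext3 relatime                   0 2
"""
PAM_MOUNT = """\
<pam_mount>
  <volume user="alice" fstype="crypt" path="/dev/sda4" mountpoint="/home" />
</pam_mount>
"""

if __name__ == "__main__":
    print(check_setup(CRYPTTAB, FSTAB, PAM_MOUNT, "alice") or "configuration is consistent")
```

Run it against your own files with ``check_setup(open("/etc/crypttab").read(), open("/etc/fstab").read(), open("/etc/security/pam_mount.conf.xml").read(), "yourusername")`` before rebooting; the one check that matters most is the ``/dev/urandom`` one, since a random-keyed entry on a data partition is wiped silently at the next boot.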