This guide will help you install Ubuntu 8.10, with some notes on later versions of ubuntu, to an encrypted partition. The swap partition is also encrypted. When it’s finished, you will need to enter the passphrase when the system boots.
There is more indepth information about encrypted filesystems here: EncryptedFilesystemHowto
NOTE: You can also achieve the same setup using the Alternate Installer which allows encryption of the root file system and swap, all through an easy-to-use graphical interface. If you wish to install using your entire hard drive, there’s even an automatic option in which the installer will create the necessary LVM volumes and partition your drive for you. Download Alternate Installer Here
Alternatively, the EncryptedFilesystemLVMHowto will allow you to create the encrypted partitions, install Ubuntu, and configure the system all from the Live CD without the need for a minimal install.
Summary
Steps to perform:
- Perform a minimal server install
- Create encrypted partition and copy minimal install to it
- Modify grub’s menu.lst and fstab
Files to create and modify:
- /etc/initramfs-tools/modules
- /etc/initramfs-tools/hooks/cryptoroot
- /etc/initramfs-tools/scripts/local-top/cryptoroot
- /etc/fstab
- /boot/grub/menu.lst
- /etc/crypttab
Extra packages that will be installed:
- cryptsetup
- hashalot
- initramfs-tools
Changes from the 8.04 version:
- chvt has moved from /usr/bin/chvt to /bin/chvt, so /etc/initramfs-tools/hooks/cryptoroot needed to be modified.
Gather materials
You will need:
- Computer
- Ubuntu server install CD
- Paper and writing instrument
- Internet access
Make a partition plan
You need to establish four partitions for this operation. They may be created in addition to Windows partitions or other operating systems. Some knowledge of hard disk devices and partitioning is necessary.
Note the the “miniroot” partition is where a minimal system will first be installed. It’s small, because it only needs to be operational long enough to set up the final, encrypted root partition.
Purpose | Initial mount point | Size | Format |
Boot | /boot | 100 MB | ext3 |
Swap | n/a | Double the amount of RAM on the system | swap |
Cryptoroot | “do not use” | 10 GB+, up to all free space | n/a |
Miniroot | / | 512 MB | ext3 |
You will create these partitions while running the Ubuntu installer (if not before). It’s ok to wait until that point before figuring out what you’re going to do. However, once they created, you should definitely write down the device names of all four. You will need this information later on.
I will refer to these partitions in bold, italic capital letters: CRYPTOROOT, MINIROOT, SWAP, and BOOT. When you see them in the instructions below, substitute the correct device name.
Here is an example, using a system that was entirely devoted to Ubuntu. It had 256 MB RAM, so the size of the swap partition was 512 MB. After the boot, swap, and miniroot partitions were created, the remainder of the disk was set aside for the eventual encrypted root partition.
Partition | Initial mount point | Size | Format |
/dev/sda1 | /boot | 100 MB | ext3 |
/dev/sda2 | swap | 512 MB | swap |
/dev/sda3 | / | 512 MB | ext3 |
/dev/sda4 | “do not use” | 18.9 GB | n/a |
In this example, CRYPTOROOT would be replaced with /dev/sda4.
Perform initial install
- Boot up the system using the server install CD.
- Create the partitions as advised above, and write them down.
- Complete the installation. Don’t install any extra software (such as DNS server, etc.).
Become root
- Reboot to the newly-installed system.
- Log in as the user you created.
- Enter “sudo -i” in order to become root.
The rest of the commands in this guide need to be executed with root privileges. “sudo -i” allows you to do that without typing “sudo” before each one.
Install additional packages
- Enable the universe repository (see CommandLine)
- Install the following packages (see InstallingSoftware)
apt-get install cryptsetup hashalot initramfs-tools
Set up the initial ramdisk
Explanation: When your system is fully set up, it won’t be able to boot directly to the encrypted partition because, well, it’s encrypted. Software and the decryption key would both be needed. The solution is to have a small unencrypted partition that boots at first. It contains only system software (not your data), so it’s alright for it to be unencrypted. The form of this software is a ramdisk. It’s a mini-system that can do things like initialize devices and ask you for the passphrase to decrypt the main root partition.
- Edit /etc/initramfs-tools/modules. Add the following lines:
dm_mod dm_crypt sha256
Note: Since Ubuntu 9.04 sha256 is named sha256_generic. Replace every occurrence you find in this article.
- Create /etc/initramfs-tools/hooks/cryptoroot:
PREREQ="" prereqs() { echo "$PREREQ" } case $1 in prereqs) prereqs exit 0 ;; esac if [ ! -x /sbin/cryptsetup ]; then exit 0 fi . /usr/share/initramfs-tools/hook-functions mkdir -p ${DESTDIR}/etc/console-setup cp /etc/console-setup/boottime.kmap.gz ${DESTDIR}/etc/console copy_exec /bin/loadkeys /bin copy_exec /bin/chvt /bin copy_exec /sbin/cryptsetup /sbin copy_exec /sbin/vol_id /sbin
Note: Since Ubuntu 9.10 /sbin/vol_id is replaced with /sbin/blkid. Replace every occurrence you find in this article.
- Create /etc/initramfs-tools/scripts/local-top/cryptoroot, be careful if using Ubuntu 9.04 or newer version and change the -Q option at the modprobe line for -q:
PREREQ="udev" prereqs() { echo "$PREREQ" } case $1 in # get pre-requisites prereqs) prereqs exit 0 ;; esac /bin/loadkeys -q /etc/console-setup/boottime.kmap.gz modprobe -Qb dm_crypt modprobe -Qb sha256 # The following command will ensure that the kernel is aware of # the partition before we attempt to open it with cryptsetup. /sbin/udevadm settle if grep -q splash /proc/cmdline; then /bin/chvt 1 fi /sbin/cryptsetup luksOpen CRYPTOROOT cryptoroot if grep -q splash /proc/cmdline; then /sbin/usplash -c & sleep 1 fi
- Make the created files executable:
chmod +x /etc/initramfs-tools/hooks/cryptoroot chmod +x /etc/initramfs-tools/scripts/local-top/cryptoroot
- Update the initrd:
update-initramfs -u
Create the encrypted partition
- Load up the appropriate kernel modules:
modprobe dm_crypt modprobe sha256
- Format and encrypt your partition:
luksformat -t ext3 CRYPTOROOT
You should see something like this:
Creating encrypted device on /dev/hda3... WARNING! ======== This will owerwrite data on /dev/hda3 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: Verify passphrase: Command successful. Please enter your passphrase again to verify it Enter LUKS passphrase: key slot 0 unlocked. Command successful. mke2fs 1.38 (30-Jun-2005) .....
Your encrypted partition is now created and formated.
Mount the partition for setup
cryptsetup luksOpen CRYPTOROOT cryptoroot mkdir /mnt/target mount /dev/mapper/cryptoroot /mnt/target cp -avx / /mnt/target
The copy process should take about two minutes for a server profile (depends on your hardware).
Change target’s fstab to mount the encrypted root
You need to modify /mnt/target/etc/fstab.
You should find a section that refers to the “miniroot” partition, and mounts it at /. This must be changed to use the cryptoroot device instead.
It looks something like this:
# MINIROOT UUID=43d7895d-e74c-4483-a55a-9b73de17f19e / ext3 defaults,errors=remount-ro 0 1
That UUID must be replaced with the one that refers to your cryptoroot device.
- Determine the UUID of your cryptoroot device.
vol_id -u /dev/mapper/cryptoroot
- Determine the UUID of your cryptoroot device on Ububtu 9.10 and later.
blkid | grep /dev/mapper/cryptoroot
- Edit /mnt/target/etc/fstab. In the section that mounts /, replace the UUID with the one you just got for /dev/mapper/cryptoroot.
Configure grub for testing
This will only allow you to test the cryptoroot – it won’t be installed as the default boot option yet.
- Edit /boot/grub/menu.lst. Add following after the line containing ### END DEBIAN AUTOMAGIC KERNELS LIST:
title Cryptotest root GRUB-ROOT kernel /vmlinuz-<your kernel version here> root=CRYPTOROOT-UUID ro initrd /initrd.img-<your kernel version here> savedefault boot
Three of the above values can be copied from boot stanzas in the automatic section, before “### END DEBIAN AUTOMAGIC KERNELS LIST”:
- GRUB-ROOT – this is something like (hd0,0)
- The kernel – something like /vmlinuz-VERSION-server
- The initrd – something like /initrd.img-VERSION-server
The CRYPTOROOT-UUID is the same as the one you put into /etc/fstab, which was retrieved by entering “vol_id -u /dev/mapper/cryptoroot”.
Reboot for testing
reboot
Now, after all your BIOS mumbo-jumbo, you should look very carefully and when you see following prompt:
GRUB Loading stage 1.5. GRUB Loading, please wait... Press `ESC` to enter the menu
Press ESC and select last option, namely “Cryptotest”
Now you will see lots of kernel debugging info, since we didn’t add quiet option to kernel options. It’s ok.
At some point you will see the prompt:
Enter LUKS passphrase:
Enter it. Now you have booted from crypted partition.
If something goes Very Wrong ™, don’t panic. You still have unencrypted partition to boot from.
Note :if you are installing the encrypted root on a USB stick or other slow devices LUKS may fail complaining about a filesystem not found and the kernel will eventually drop you in a shell. This is due to the long setting time of the device. To solve it reboot with the unencrypted partition, go back to the steps needed to setup the initial ramdisk and add (interval may change depending on device speed):
sleep 10
in the file
/etc/initramfs-tools/scripts/local-top/cryptoroot
just before the line
/sbin/cryptsetup luksOpen CRYPTOROOT cryptoroot
thus giving to the USB filesytem enough time to settle.
Copy the modified file on the encrypted partition, otherwise the same problem will happen at every kernel upgrade.
Cryptoswap
Let’s enable the swap partition.
Firstly, your current /etc/fstab may have been set to enable the swap partition. Therefore, it has already been mounted (unencrypted) and must be unmounted before you can proceed.
umount SWAP
Edit /etc/crypttab. Use the name of the partition you set aside for swap in place of SWAP.
cryptoswap SWAP /dev/urandom swap
Edit /etc/fstab. Add following lines:
# Encrypted swap partition /dev/mapper/cryptoswap none swap sw 0 0
Now, you need to destroy your filesystem on the swap partition (if you don’t destroy it explicitely, the safety check of the following command will refuse to create your “cryptoswap” on it):
dd if=/dev/urandom of=SWAP count=100
Finally, create the swap and activate it:
invoke-rc.d cryptdisks restart swapon /dev/mapper/cryptoswap
Did it work? Check it:
swapon -s
You should see:
Filename Type Size Used Priority /dev/mapper/cryptoswap partition XXXXXXXX 0 -2
The exact details don’t matter. You just want to ensure that “/dev/mapper/cryptoswap” is in there.
- Edit /etc/fstab.
- If the swap partition was enabled automatically, you need to turn that off. (Reason: it now has the wrong UUID and won’t work.) Comment out the existing swap line.
- Add your own line:
/dev/mapper/cryptoswap none swap sw 0 0
Finishing
Now that the system is tested, it’s time to set it up as the default in grub.
- Edit /boot/grub/menu.lst.
- Remove the “Cryptotest” stanza that you added earlier.
- Look above to find a line like this (with a specific UUID instead of XXXs):
# kopt=root=UUID=XXXXXXXXXXXXXXXXXXXXXXXXXXXX ro
- * Replace this with the following, using the actual UUID of /dev/mapper/cryptoroot:
# kopt=root=UUID=CRYPTOROOT-UUID ro
Reinstall grub:
update-grub
Reboot:
reboot reference -> https://help.ubuntu.com/community/EncryptedFilesystemOnIntrepid
Views: 3