
#1 2009-08-26 08:42:06

hgk
Member
Registered: 2009-08-25
Posts: 11

HOWTO: Install #! with encrypted /, swap and /data partitions

Hi!

I always liked crunchbang linux. The only thing that kept me from using it as my main system was that I couldn't encrypt the partitions on my laptop HD during installation. (In case that the laptop is stolen, they can have fun with the hardware, but not with my data...) I used (K)Ubuntu because they provide the "alternative" installer CDs where this is possible. In this howto I'll describe the necessary steps to do this with the existing crunchbang linux installation CD's. (And probably for lots of other distro's as well.)

This howto is quite long, because it is supposed to be understandable for inexperienced users. If something in this howto is unclear or wrong, then please let me know.

Remarks:
Before, I had a (K)Ubuntu installation on my laptop with the following configuration: one unencrypted partition (/boot) and one encrypted partition which was logically divided into two (/ and swap) by means of lvm. The reason for using lvm was that I wanted to have an encrypted / and swap partition, but didn't want to type in more than one passphrase during boot. In the meantime I learned other ways of achieving this, so in my current setup I do not use lvm anymore. Therefore, in the following howto I don't consider lvm (but it should be straightforward to include it).

I used a lot of resources on the web to learn enough to be able to set up my system like described below. Unfortunately, I don't know most of the URLs anymore. The only thing I remember is that http://wiki.ubuntuusers.de was an invaluable source of information for me.

1) Setup (and goals):
I partitioned my hard drive like this:

/dev/sda1 boot (unencrypted)
/dev/sda2 ...
/dev/sda3 ...
/dev/sda5 swap (encrypted)
/dev/sda6 root (encrypted)
/dev/sda7 ...
/dev/sda8 data (encrypted)

The boot partition has to be unencrypted, but the other 3 (sda5, sda6, sda8) will be encrypted. I wanted to type only the passphrase for the root partition during boot (this is unavoidable, I think), and the other 2 encrypted partitions should be opened automatically afterwards. There are several ways to achieve this (besides using lvm), but I chose to derive both keys for swap and data from the root key.

<OPTIONAL>
You can (should?!) overwrite the data on the partitions which will be encrypted with random data before you use them. To check for bad blocks at the same time, you can use the command

/sbin/badblocks -c 10240 -s -w -t random -v /dev/sda5

(And similar for sda6 and sda8)
This can take some time, depending on the size of the partitions. In my case it was something like more than 2h for 400GB (but I don't remember how much more ;) ). There are better ways to fill the partitions with random data, but they take longer and because I never had unencrypted things on the HD anyway, it was good enough for me.
</OPTIONAL>

2) Preparation:
Boot from a crunchbang linux live cd. I used "crunchbang-lite 9.04.01 amd64". After login, open a terminal and connect to the internet. You need to download the package for luks encryption:

sudo apt-get update

(This was needed to be able to install software)

sudo apt-get install cryptsetup

(And install lvm2 as well if you want to use logical volumes. But this is not covered in this howto.)

Prepare the root partition for encryption:

sudo cryptsetup -c aes-xts-plain -s 512 -h ripemd160 luksFormat /dev/sda6

(You will be asked to give a passphrase for this encrypted partition and confirm it.)

Open the encrypted partition:

sudo cryptsetup luksOpen /dev/sda6 sda6crypt

(sda6crypt is a name that you can choose to identify it.) If this was successful, then

ls /dev/mapper

will show the device /dev/mapper/sda6crypt (or whatever you chose for a name).

To use sda6crypt, you have to format it. To use the ext3 filesystem, type

sudo mkfs.ext3 /dev/mapper/sda6crypt

(By the way: the default features of this newly created filesystem can be found in /etc/mke2fs.conf: sparse_super,filetype,resize_inode,dir_index,ext_attr,has_journal.)

Prepare the data partition for encryption:
Use the same set of commands for data:

sudo cryptsetup -c aes-xts-plain -s 512 -h ripemd160 luksFormat /dev/sda8
sudo cryptsetup luksOpen /dev/sda8 sda8crypt
sudo mkfs.ext3 /dev/mapper/sda8crypt

Prepare the swap partition for encryption:
For swap the only difference is that you have to set up a swap area (with mkswap) instead of creating a filesystem:

sudo cryptsetup -c aes-xts-plain -s 512 -h ripemd160 luksFormat /dev/sda5
sudo cryptsetup luksOpen /dev/sda5 sda5crypt
sudo mkswap /dev/mapper/sda5crypt

3) Installation of crunchbang linux:
Start the installer and perform steps 1 to 3 as usual. In step 4, choose "Prepare disk space" and "Specify partitions manually". In my example, I chose the following setup:

/dev/mapper/sda5crypt   SWAP (was automatically chosen by installer)
/dev/mapper/sda6crypt   /
/dev/mapper/sda8crypt   /data
/dev/sda1               /boot

IMPORTANT: when the installation is complete, choose "Continue Testing", because otherwise the new system cannot boot.

4) Setup the new system for first boot:
After a few preparation steps, we chroot into the new root partition where crunchbang linux was installed (/dev/mapper/sda6crypt), install cryptsetup there and make the necessary changes so that the new installation can handle the luks partitions.

Preparation:

sudo mount /dev/mapper/sda6crypt /mnt
sudo mount /dev/sda1 /mnt/boot
sudo mount -o bind /dev/ /mnt/dev/
sudo cp /etc/resolv.conf /mnt/etc/resolv.conf

(The last command is necessary to be able to use the current internet connection.)

Chroot and further preparations:

sudo chroot /mnt

(Now, because we're automatically root, sudo isn't necessary anymore as long as we are in the chroot environment)

mount -t proc proc /proc
mount -t sysfs sys /sys

Install cryptsetup:

apt-get update
apt-get install cryptsetup

Edit /etc/crypttab to be able to mount the encrypted partitions:
It is recommended to use the UUIDs of the encrypted devices instead of their names. So in the first step, find the UUID for /dev/sda6:

ls -la /dev/disk/by-uuid/ | grep sda6

(Only the output for sda6 (not sda6crypt) is needed in the following. I will write it here as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)

Now add a line to /etc/crypttab. The required option (column 4) is "luks". Additionally I added that one has 3 tries to input the passphrase ("tries=3"), and to check the partition ("check=vol_id"). This is optional.

echo "sda6crypt UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx none luks,tries=3,check=vol_id" >> /etc/crypttab

You could do it similarly for sda8crypt and sda5crypt (here with "swap" instead of "luks"), but then you would have to type three passphrases during every boot. To avoid this, I used a script (provided by the package cryptsetup) which generates a new luks passphrase (for sda5 and sda8) from an already opened luks device (sda6 resp. sda6crypt).
One way to get this is to copy the new passphrase, derived from sda6crypt, into ram and then add this passphrase to the luks devices /dev/sda5 and /dev/sda8. (A luks device can have up to 8 different passphrases.)

Create the ram disk to temporarily store the derived passphrase:

mkdir /mnt/ram
mount -t ramfs -o size=1m ramfs /mnt/ram/
chmod 600 /mnt/ram

Derive a new passphrase from sda6crypt and store it in the file tmp.key inside the ram disk:

/lib/cryptsetup/scripts/decrypt_derived sda6crypt > /mnt/ram/tmp.key

Add this key to sda8 and add the corresponding line to /etc/crypttab:

cryptsetup luksAddKey /dev/sda8 /mnt/ram/tmp.key
ls -la /dev/disk/by-uuid/ | grep sda8
echo "sda8crypt UUID=<uuid> sda6crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived" >> /etc/crypttab

In the last command we have to write the luks device from which the new passphrase will be generated into column 3 (sda6crypt), and give the path to the keyscript in column 4.

Do the same for sda5 (encrypted swap):

cryptsetup luksAddKey /dev/sda5 /mnt/ram/tmp.key
ls -la /dev/disk/by-uuid/ | grep sda5
echo "sda5crypt UUID=<uuid> sda6crypt swap,keyscript=/lib/cryptsetup/scripts/decrypt_derived" >> /etc/crypttab

Here in column 4 you have to use "swap" instead of "luks" to use it as a swap space.

Now we can delete the derived key and remove the ram disk:

rm /mnt/ram/tmp.key
umount /mnt/ram
rmdir /mnt/ram

The last step is to update the initramfs image, which resides in /boot and is needed to boot the system. After the update, it will be aware of the luks partitions.

update-initramfs -u -k all

Now you can reboot into your new system. At every boot, you will be asked to type the passphrase for the encrypted root partition (/dev/sda6 in my case). After that, the encrypted swap and data partitions will be automatically opened (and /dev/mapper/sda8crypt mounted to /data).

Enjoy!



Afterword/Backup of luks header:
If you followed this howto, then the accessibility of your data depends on the luks headers of the 3 encrypted partitions. In them, the information about the used encryption algorithm, hash, etc. is stored. If something happens to it, you will not be able to open the luks device anymore even if you still know the correct passphrase.

Backup/restore of a luks header:
Search for the "payloadnumber" of the device whose header you want to back up (for example sda6)...

cryptsetup luksDump /dev/sda6 | grep Payload

=> "Payload offset: <payloadnumber>"
...and perform the backup with dd:

dd if=/dev/sda6 of=<destination of the backup> count=<payloadnumber>

To restore this header, just reverse the arguments of "if" and "of" in the "dd" command:

dd if=<destination of the backup> of=/dev/sda6 count=<payloadnumber>

I found this solution on a wiki page with the title "How can I backup my partition header/my metadata?": http://www.saout.de/tikiwiki/tiki-slide … aq&slide=1
On it, there is also a discussion/warning why you should not backup the luks header. But after I lost data on a luks partition once because the header was damaged, my choice was easy...

Regards,
|hgk>
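A check for the /etc/crypttab built in step 4 of the howto above, added here as an example and not part of hgk's post: it reads a crypttab-style file, reports any keyscript=decrypt_derived entry whose column-3 source mapping is not opened by an earlier line (the mapping must already exist when that line is processed), and counts the entries that will ask for a passphrase at boot. The function name, the sample lines and the placeholder UUIDs are constructed for this example.

```shell
#!/bin/sh
# check_crypttab FILE
# Reports two mistakes that break the single-passphrase setup from the post:
#  - a keyscript=decrypt_derived entry whose column 3 names a mapping that is
#    not opened by an EARLIER line of the same file
#  - more than one entry with "none" in column 3 (each one prompts at boot)
# Prints one line per finding; returns 0 when nothing was found, 1 otherwise.
check_crypttab() {
    file="$1"
    opened=" "      # space-separated names of mappings seen so far
    prompts=0
    problems=0
    while read -r target source keyfile options; do
        # skip blank lines and comments
        case "$target" in ''|'#'*) continue ;; esac
        case ",$options," in
            *,keyscript=*decrypt_derived,*)
                case "$opened" in
                    *" $keyfile "*) ;;
                    *)  echo "$target: derives its key from '$keyfile', which is not opened before this line"
                        problems=$((problems + 1)) ;;
                esac ;;
            *)
                if [ "$keyfile" = none ]; then
                    prompts=$((prompts + 1))
                fi ;;
        esac
        opened="$opened$target "
    done < "$file"
    if [ "$prompts" -gt 1 ]; then
        echo "$prompts interactive passphrase prompts at boot (expected 1)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample in the layout of the post (placeholder UUIDs, not real devices).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# target    source                                     key        options
sda6crypt   UUID=00000000-0000-0000-0000-000000000006  none       luks,tries=3,check=vol_id
sda8crypt   UUID=00000000-0000-0000-0000-000000000008  sda6crypt  luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
sda5crypt   UUID=00000000-0000-0000-0000-000000000005  sda6crypt  swap,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
check_crypttab "$sample" && echo "crypttab OK: one passphrase prompt, derived keys resolve in order"
rm -f "$sample"
```

Run it against the real file with `check_crypttab /etc/crypttab` from inside the chroot before `update-initramfs`; a derived-key entry listed above its source mapping is one way to end up with "No key available with this passphrase" at boot.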


#2 2009-08-26 08:55:21

Toolz
#! Die Hard
From: Asia
Registered: 2009-02-02
Posts: 937

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Very interesting, very thorough. I'm going to try this out.


#3 2009-08-28 06:21:19

hgk
Member
Registered: 2009-08-25
Posts: 11

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Toolz wrote:

Very interesting, very thorough. I'm going to try this out.

Please do! I am very interested to read if this howto works for you. Don't hesitate to ask me if you have additional questions.

Regards,
|hgk>


#4 2009-09-03 05:30:38

hemu
Member
From: Finland
Registered: 2009-09-03
Posts: 10

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Thanks, great tutorial!

Worked fine :) Thanks to you I'm running encrypted partitions again.


#5 2009-09-03 06:33:32

tartan
#! Junkie
From: Moscow
Registered: 2009-07-13
Posts: 314

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Kinda noob question: what happens to performance after that tweak? I would try it, 'cause I'm a little bit paranoid about having mail archive and prawn collection on the same laptop, but not paranoid enough to tolerate noticeable lags and memory leaks. Would 1 gb ram and 1600 khz be enough?

And how do I get access to my hypothetically encrypted /home partition after switching from !# to Arch or Sabayon?

Last edited by tartan (2009-09-03 06:34:01)


#6 2009-09-03 08:18:06

hgk
Member
Registered: 2009-08-25
Posts: 11

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

tartan wrote:

Kinda noob question: what is going on to performance after that tweak? (...) Would 1 gb ram and 1600 khz be enough?

If you meant 1600 MHz instead of 1600 kHz, then yes :) I have used Linux on encrypted partitions for years, even on weaker systems, and also on an Asus EEE PC with a 1.6 GHz Atom processor and 1 GB RAM. Copying large files from/to encrypted partitions might be slower, but I didn't notice it.

tartan wrote:

And how do I get access to my hypothetically encrypted /home partition after switching from !# to Arch or Sabayon?

In the same manner as you do in the howto after the creation of the encrypted partitions. For example, you would type

sudo cryptsetup luksOpen /dev/sda8 sda8crypt

and type in the passphrase to open the encrypted partition. This will give you the device /dev/mapper/sda8crypt, which you can mount as usual:

sudo mount /dev/mapper/sda8crypt /mnt

And after you're done you umount it and close the encrypted device:

sudo umount /dev/mapper/sda8crypt
sudo cryptsetup luksClose sda8crypt


#7 2009-09-03 08:19:36

hgk
Member
Registered: 2009-08-25
Posts: 11

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

hemu wrote:

Thanks, great tutorial!

Worked fine smile Thanks to you i'm running crypted partitions again.

Happy to read that!


#8 2009-10-23 06:32:02

seespatz
New Member
Registered: 2009-10-23
Posts: 2

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Hi! Thanks for the great HOWTO. It works great. But I do have a tiny little problem with it:

Before encryption I created /dev/sda5 as my SWAP with the size 2500 MB. After encryption and installation it only shows up with 501 MB. The commands "free" and "cat /proc/swaps" also show only 513 MB. I checked the partition and it's definitely the correct one with 2500 MB.

Do you have any ideas what went wrong?

Thanks in advance.

Last edited by seespatz (2009-10-23 06:33:23)


#9 2009-10-23 07:35:13

hgk
Member
Registered: 2009-08-25
Posts: 11

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

seespatz wrote:

Hi! Thanks for the great HOWTO. It works great. But I do have a tiny little problem with it:

Before encryption I created /dev/sda5 as my SWAP with the size 2500 MB. After encryption and installation it only shows up with 501 MB. The commands "free" and "cat /proc/swaps" also show only 513 MB. I checked the partition and it's definitely the correct one with 2500 MB.

Do you have any ideas what went wrong?

Thanks in advance.

I had the same problem when I was playing around with my system (before I started from scratch with my howto). The reason in my case was that the encrypted swap partition was not decrypted during startup and therefore not mounted, and crunchbang linux seems to create a small swap file in this case.
Is the decrypted partition really mounted? Do you see the swap partition if you type

ls /dev/mapper/

Did you follow the howto step by step or did you deviate from it?


#10 2009-10-23 09:02:52

seespatz
New Member
Registered: 2009-10-23
Posts: 2

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

I just changed the HOWTO to fit my partitions (but maybe, I made a mistake following it). I guess you are right, the swap is not activated at boot. But it gets mounted.

ls /dev/mapper

shows

control sda2crypt sda5crypt

sda5crypt is the swap partition.

cat /proc/swaps

shows /dev/ramzswap0 with size 513380. I suppose that would be the small swapfile created by !#.
I found out that I can get my swap to work with

sudo swapon /dev/mapper/sda5crypt

Afterwards

cat /proc/swaps

shows 2 swaps: the one mentioned above AND my swap with the size 2441840. So it seems it is just not activated during boot. Do you have a suggestion? My idea is now (if there is no other way) to write a swapoff for the small one and a swapon for mine into autostart ...

Last edited by seespatz (2009-10-23 09:03:56)


#11 2011-03-08 11:47:57

jvd
#! CrunchBanger
Registered: 2010-01-29
Posts: 193

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Digging up an old topic, but looks like a great one!

Tried it yesterday, but failed since I did not understand that the installer should be started from the live session, instead of booting anew. Want to give it a shot when I have the time later today.

Just wanted to know if the same (multiple encrypted partitions among which swap and root with a single password) can be achieved through the new LVM setup of the installer? Is there a way to get a longer key than 256, BTW?


#12 2011-03-08 16:03:20

jvd
#! CrunchBanger
Registered: 2010-01-29
Posts: 193

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Hrrrmmm.... Now I know. Debian/#! cannot install from a live session... Or at least not with a nice preconfigured button :/ Should be looking into another solution.

edit: Installer is running, all could be configured from the installer itself. This post was cryptic yet apt. Keeping my fingers crossed while the installer runs... :rolleyes:

edit2: Shouted too early. Grub cannot be installed on my single harddisk.

edit3: Found most likely error: Forgot to tell the installer that the unencrypted part is not only called boot, but that it actually should be used as boot. Now I am running into a small bug, after running the partitioning tool again during the same install: the installer is looking for a cd called Debian blah blah, and forgot that it is using a cd with a different title.

edit4: guess I'm there. This is what I did:

Once you enter the partitioner, choose manual partitioning
• I deleted existing partitions
• Make /boot partition (chose it to be 200M)
• press enter on the free space, create a new partition. Then: Use as physical volume for encryption. Choose Erase data: no if you don't have patience. Otherwise, I just stuck with the defaults of the configuration.
• Go back to Configure encrypted volumes, and select finish. Only after this you make an encrypted file system.
• Then: Configure the LVM. This will ask you to write the previously made changes to disk. You'll get into a dialogue which partition to include in your LVM, for which you select the encrypted one. It will prompt you for a name of your LVM
• create logical volumes for partitions you'd like to have (I took swap, home, root) and finish
• Now tell the installer where to mount the parts of the system you just created.
• ...and continue the installation as if nothing funny has happened.

Guess that I now should learn how to get to the data from a live-cd, so I can do some emergency repairs...

Last edited by jvd (2011-03-08 20:40:10)


#13 2011-03-13 19:50:54

Erinsfan
#! CrunchBanger
From: At a terminal
Registered: 2011-01-28
Posts: 148

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

I'm struggling a little. I have followed the first post as best as I can. My hope was to have a data partition [sda3], /home [sda4] and swap [sda2] all encrypted and mounted at boot. Using sda2 as the first one mounted, I have tried the key method, but during boot all I get is a message saying no key is available. Obviously, sda4 doesn't decrypt or mount, but sda2 does.

Running

EF@Spoonbill:~$ sudo /etc/init.d/cryptdisks start

gets

Starting remaining crypto disks...CBSwap (running)...CBHome (starting)...
No key available with this passphrase.
No key available with this passphrase.
No key available with this passphrase.
CBHome (failed)...failed.

I am retrofitting this to an installed !#. Any advice please. After a search of the 'Net I am confused but obviously don't want to type three keyphrases during boot.

Thanks in advance,
Erin


Enjoying a good !#


#14 2011-03-14 12:55:15

jvd
#! CrunchBanger
Registered: 2010-01-29
Posts: 193

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Hey Erin,

The first post does not apply to Debian Squeeze, apparently only to the 9.04 Ubuntu versions, as there is no possibility to install Debian from a running live session.

You can make the encryption of multiple disks all happen from the debian installer. Be prepared to spend quite some time in the not so intuitive partitioning tool.

The least intuitive part for me was to select Finish after creating the encrypted volume, before moving on to creating the LVM that contains the other partitions. Make sure you enter your passphrase before getting to the LVM phase...


#15 2011-03-14 13:06:24

Erinsfan
#! CrunchBanger
From: At a terminal
Registered: 2011-01-28
Posts: 148

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Hello jvd,

The only problem I am having is getting sda4 (a data drive) to recognise the passphrase entered during boot for sda2 (swap). I didn't bother with all the Live CD stuff as my !# exists currently.

Is there an alternative encryption method? All I am after is having a swap, data and home drive encrypted and mounted at boot - pref with home being mounted to the right user akin to Mint.

Thanks, Erin


Enjoying a good !#


#16 2011-03-14 13:54:19

jvd
#! CrunchBanger
Registered: 2010-01-29
Posts: 193

Re: HOWTO: Install #! with encrypted /, swap and /data partitions

Sorry, did not read your post well enough...

Not so sure, as I have not attempted to create encrypted disks after installation. Have not really looked under the hood of what is really happening, and cannot help you concretely, I am afraid :(

Good luck!

