Difference between revisions of "UbuntuHelp:EncryptedFilesystemHowto6"

From Ubuntu中文
Revision as of 17:07, 30 November 2007 (Friday)

WARNING: Don't follow this guide! You'll probably be better off with FeistyEncryptedRootWithInstaller!

This is the ninth encrypted filesystem HOWTO. You may wonder why we need another one, when we already have EncryptedFilesystem, EncryptedFilesystemHowto, EncryptedFilesystemHowto2, EncryptedFilesystemHowto3, EncryptedFilesystemHowto4, EncryptedFilesystemHowto5, EncryptedFilesystemHowtoEdgy and EncryptedFilesystemLVMHowto.

Some of this documentation is just old, while some works better for other cases. Here are the requirements for this HOWTO:

  • Should be based on FeistyFawn.
  • Encrypt everything, except /boot.
  • For fresh installations only. The entire disk will be erased.
  • No temporary installation either. We want to install directly to the encrypted disk.
  • Network-based installation. A live-cd will only be used to set up the encrypted disks and bootstrap the installation.
  • No theoretical explanations. You will find whatever you need in the other HOWTOs.
  • Everything in one filesystem. No separate /home.

Hopefully, the next version of Ubuntu's installer will do all the setup, like Debian Etch's installer does.

Before we begin, a few warnings:

  • This HOWTO will tell you to wipe any existing installation. Back-up all your data!
  • There may be errors in this HOWTO. You should NOT follow this HOWTO without enough understanding to get yourself out of unexpected trouble. Reading the other HOWTOs is a good start...
  • This HOWTO has now been tested with VMware Workstation 6. Other hardware may or may not give the same results.
  • Older versions of this HOWTO included some bugs that made it impossible to boot the newly installed system. Make sure you're using the latest version.

Ok, then... Let's start.

The livecd

First, boot from a live CD. I guess an Edgy disc should work, but I have only tested with Feisty.

Configure networking, keyboard, proxy and whatever you need to have Internet access and a way to work with a terminal. (Hint: If you're behind a proxy, set the http_proxy environment variable: export http_proxy=http://proxy:port/)

Start a terminal and edit /etc/apt/sources.list to add the universe repository. (Remember sudo!) You may want to change to a mirror close to you instead of archive.ubuntu.com. To me, it's no.archive.ubuntu.com.

Install cryptsetup, gparted and debootstrap:

sudo aptitude update && sudo aptitude install cryptsetup gparted debootstrap

Use gparted to partition your drive. You will need >= 100 MB for /boot (ext3), twice your amount of RAM for swap and the usual minimum for your encrypted root filesystem. From now on, I assume /boot is /dev/sda1, encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6.

Exit gparted and unmount the newly created filesystems by right-clicking on them on your desktop.

Then load some modules:

sudo modprobe dm_crypt
sudo modprobe sha256
sudo modprobe aes_i586
# or...
for mod in dm_crypt sha256 aes_i586; do sudo modprobe "$mod"; done

Use LUKS to encrypt your root partition. If you want key storage on a USB disk, smartcard or anything else, see the other LUKS-based guides mentioned at the top of this document. Remember to choose a good passphrase, as this will probably be the weakest link in the setup...

sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda6
sudo cryptsetup luksOpen /dev/sda6 root

If cryptsetup fails, you probably forgot to unmount the automounted partitions.

Create a filesystem and mount it and the /boot partition:

sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/root
sudo mkdir /mnt/newroot
sudo mount /dev/mapper/root /mnt/newroot
sudo mkdir /mnt/newroot/boot
sudo mount /dev/sda1 /mnt/newroot/boot

Basic installation

It's time to do the installation, but don't start the wizard at your desktop. You need to use debootstrap.

sudo debootstrap feisty /mnt/newroot http://no.archive.ubuntu.com/ubuntu # Choose a mirror close to you.

After a few minutes, you should have a basic installation of FeistyFawn in your encrypted root. But don't pat yourself on the back yet, as the installation is too basic to even boot. All you can do is chroot into it and start configuring and installing packages:

sudo cp /etc/apt/sources.list /mnt/newroot/etc/apt/sources.list
sudo /etc/init.d/acpid stop # Your chroot will eventually want to run its own.
sudo /etc/init.d/acpi-support stop
sudo mount --bind /dev /mnt/newroot/dev
sudo mount --bind /proc /mnt/newroot/proc
sudo mount --bind /sys /mnt/newroot/sys
sudo umount /mnt/newroot/boot
sudo chroot /mnt/newroot
export LANG=C
mount /dev/sda1 /boot
mkdir /home/ubuntu # To get rid of some annoying vim errors. Skip if wanted, and delete when done.

Set up /etc/kernel-img.conf:

do_symlinks = yes
relative_links = yes
do_bootloader = no
do_bootfloppy = no
do_initrd = yes
link_in_boot = no
postinst_hook = update-grub
postrm_hook   = update-grub

Install and upgrade basic packages:

aptitude update
aptitude upgrade
aptitude install grub linux-image-generic bsdmainutils cryptsetup

Set up /etc/crypttab: (Make sure you're using the same name for the root filesystem as you did with the luksOpen-command above. If not, cryptsetup will fail at first boot.)

# <target name> <source device>         <key file>      <options>
swap            /dev/sda5               /dev/random     swap
root            /dev/sda6               none            luks

/etc/fstab: (Again, double-check the names used.)

proc                    /proc   proc    defaults                        0       0
/dev/mapper/root        /       ext3    defaults,errors=remount-ro      0       0
/dev/sda1               /boot   ext3    defaults                        0       1
/dev/mapper/swap        swap    swap    defaults                        0       0
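
A mismatch between the names in /etc/crypttab and /etc/fstab only shows up at first boot, so it is worth checking both files from inside the chroot before restarting. The script below is an added example, not part of the original HOWTO: its function names are hypothetical, and the sample files are constructed from the entries shown above.

```sh
#!/bin/sh
# Added example, not part of the original HOWTO. Function names are
# hypothetical; the sample files are constructed from the entries shown above.

# Print the target names (first column) defined in a crypttab file.
crypttab_targets() {
    awk '$1 ~ /^#/ || NF == 0 { next } { print $1 }' "$1"
}

# Print the names an fstab file expects to find under /dev/mapper/.
fstab_mapper_names() {
    awk '$1 ~ /^#/ || NF == 0 { next }
         $1 ~ /^\/dev\/mapper\// { sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$1"
}

# Print each fstab mapper name that has no crypttab target.
# Returns 0 when every name matches, 1 otherwise.
missing_mapper_names() {
    crypttab=$1 fstab=$2 rc=0
    for name in $(fstab_mapper_names "$fstab"); do
        if ! crypttab_targets "$crypttab" | grep -qxF -- "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Succeed only if / is mounted from a mapper device whose crypttab entry
# carries the "luks" option.
root_is_luks() {
    crypttab=$1 fstab=$2
    root_dev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$fstab")
    case $root_dev in
        /dev/mapper/*) name=${root_dev#/dev/mapper/} ;;
        *) return 1 ;;
    esac
    awk -v n="$name" '$1 == n { c = split($4, o, ",")
                                for (i = 1; i <= c; i++) if (o[i] == "luks") found = 1 }
                      END { exit !found }' "$crypttab"
}

# Write the constructed sample files into directory $1.
write_sample_files() {
    cat > "$1/crypttab" <<'EOF'
# <target name> <source device>         <key file>      <options>
swap            /dev/sda5               /dev/random     swap
root            /dev/sda6               none            luks
EOF
    cat > "$1/fstab" <<'EOF'
proc                    /proc   proc    defaults                        0       0
/dev/mapper/root        /       ext3    defaults,errors=remount-ro      0       0
/dev/sda1               /boot   ext3    defaults                        0       1
/dev/mapper/swap        swap    swap    defaults                        0       0
EOF
}

# Demo on the constructed sample; inside the chroot, pass /etc/crypttab and
# /etc/fstab instead.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
if missing=$(missing_mapper_names "$demo_dir/crypttab" "$demo_dir/fstab"); then
    echo "OK: every /dev/mapper name in fstab has a crypttab target"
else
    echo "No crypttab target for: $missing"
fi
if root_is_luks "$demo_dir/crypttab" "$demo_dir/fstab"; then
    echo "OK: / is on a LUKS mapping"
else
    echo "Root filesystem is not on a LUKS mapping"
fi
rm -rf "$demo_dir"
```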

/etc/network/interfaces:

auto lo
iface lo inet loopback

Configure the console:

dpkg-reconfigure console-setup # Install if needed

Make sure your initramfs is correct:

update-initramfs -u

Install grub:

grub-install --recheck hd0,0
update-grub
grub-install hd0

Remove quiet and splash from the defoptions-line in /boot/grub/menu.lst and run update-grub again.

Install some important packages:

aptitude install ubuntu-standard ubuntu-minimal

You may want to install openssh-server, too. :)

Install (k)ubuntu-desktop:

aptitude install ubuntu-desktop
killall acpid
dpkg --configure -a # Make sure this does not return any errors.

Create a user for yourself:

adduser --add_extra_groups username
adduser username adm
adduser username admin

Run visudo and add this just under the entry for root:

%admin  ALL=(ALL) ALL

Boot your encrypted system

Restart (make sure your filesystems are unmounted) and boot into your new system. You should be asked for your passphrase by cryptsetup.

If your boot partition is not the first partition on the first disk then you may need to edit the root line if Grub reports "Error 17: Cannot mount selected partition". Change it to hd(x,y) where x is the index of your disk and y is the index of the boot partition (first is zero, second is one, etc).

You may also need to remove the "/boot" prefix from the kernel and initrd lines since the boot partition does not include a boot folder.

If grub complains about a file it can't find, you may try to press ESC to edit the command, go down to savedefault and press d and b. Then, reinstall grub when booted.

Your system may seem to hang while setting up encrypted devices. This is because it lacks random data. Press a few keys, and it will continue.

Be aware that your new system is not as well configured as with a normal installation, so you have to do some configuration after first boot. Here's a list to get you started. You will find tools for this in the System menu in Ubuntu.

  • Hostname.
  • Other network parameters and DNS. (If you don't want to use network manager for that.)
  • Web proxy if needed.
  • Date, time and time zone. (NTP if wanted)
  • Localization. (Language packs, default language.)
  • Software repositories (multiverse, updates, backports...) and keys used to sign the archives.
  • Non-free drivers. (NVIDIA/ATI-cards)

You may also want to make sure your Mail Transfer Agent (exim, postfix, ...) is set up correctly.

When upgrading kernels, be sure to keep your old kernel. Some versions of the Linux kernel will change from /dev/hd* to /dev/sd* and others the other way. This will break /etc/cryptsetup. Installing Feisty kernel 2.6.20-16 appears to have this problem and installing that kernel while working from a 2.6.20-15 live CD may result in "cryptsetup: Source device /dev/sda* not found" at the end of the process.