特殊:Badtitle/NS100:FeistyEncryptedRootWithInstaller:修订间差异

来自Ubuntu中文
跳到导航跳到搜索
Wikibot留言 | 贡献
新页面: {{From|https://help.ubuntu.com/community/FeistyEncryptedRootWithInstaller}} {{Languages|UbuntuHelp:FeistyEncryptedRootWithInstaller}} I have previously written EncryptedFilesystemHowto6, ...
 
Wikibot留言 | 贡献
无编辑摘要
第2行: 第2行:
{{Languages|UbuntuHelp:FeistyEncryptedRootWithInstaller}}
{{Languages|UbuntuHelp:FeistyEncryptedRootWithInstaller}}
I have previously written EncryptedFilesystemHowto6, where I describe how to do a fresh install of Feisty to an encrypted filesystem. The method is a bit clumsy, as you have to do a lot of work that you normally will leave to the installer. This time I want to use the installer for all that work, while just fix en encryption stuff myself.
I have previously written EncryptedFilesystemHowto6, where I describe how to do a fresh install of Feisty to an encrypted filesystem. The method is a bit clumsy, as you have to do a lot of work that you normally will leave to the installer. This time I want to use the installer for all that work, while just fix en encryption stuff myself.
Everything is tested on a VMware Workstation 6 computer with 512 MB RAM and i386 compatible CPU.
Everything is tested on a VMware Workstation 6 computer with 512 MB RAM and i386 compatible CPU.
=== Outline of solution ===
=== Outline of solution ===
 
# Start the LiveCD and set up working environment
* Start the LiveCD and set up working environment
2. Use <code><nowiki>gparted</nowiki></code> or <code><nowiki>fdisk</nowiki></code> to partition the drive
* Use <code><nowiki>gparted</nowiki></code> or <code><nowiki>fdisk</nowiki></code> to partition the drive
3. Use <code><nowiki>cryptsetup</nowiki></code> to set up LUKS-encrypted partitions
* Use <code><nowiki>cryptsetup</nowiki></code> to set up LUKS-encrypted partitions
4. Launch the installer and tell it to install to <code><nowiki>/dev/mapper/*</nowiki></code>
* Launch the installer and tell it to install to <code><nowiki>/dev/mapper/*</nowiki></code>
5. Before reboot, <code><nowiki>chroot</nowiki></code> into <code><nowiki>/target</nowiki></code> and do the necessary changes
* Before reboot, <code><nowiki>chroot</nowiki></code> into <code><nowiki>/target</nowiki></code> and do the necessary changes
 
=== LiveCD ===
=== LiveCD ===
[http://www.ubuntu.com/getubuntu/download Download] Ubuntu 7.04 Desktop Edition. This guide is not tested with other versions or variants of Ubuntu.
[http://www.ubuntu.com/getubuntu/download Download] Ubuntu 7.04 Desktop Edition. This guide is not tested with other versions or variants of Ubuntu.
Boot the CD and set up keyboard, network, proxy and whatever you need. (Hint: If you're behind a proxy, set the http_proxy environment variable: <code><nowiki>export http_proxy=http://proxy:port/</nowiki></code>)
Boot the CD and set up keyboard, network, proxy and whatever you need. (Hint: If you're behind a proxy, set the http_proxy environment variable: <code><nowiki>export http_proxy=http://proxy:port/</nowiki></code>)
Start a terminal and run <code><nowiki>sudo -i</nowiki></code> to become root. Edit /etc/apt/sources.list to add the universe repository. You may want to change to a mirror close to you instead of archive.ubuntu.com. To me, it's no.archive.ubuntu.com.
Start a terminal and run <code><nowiki>sudo -i</nowiki></code> to become root. Edit /etc/apt/sources.list to add the universe repository. You may want to change to a mirror close to you instead of archive.ubuntu.com. To me, it's no.archive.ubuntu.com.
Install cryptsetup and gparted. (Use fdisk or other utility if you prefer that.)
Install cryptsetup and gparted. (Use fdisk or other utility if you prefer that.)
<pre><nowiki>
<pre><nowiki>
aptitude update && aptitude install cryptsetup gparted
aptitude update && aptitude install cryptsetup gparted
</nowiki></pre>
</nowiki></pre>
=== Partitioning ===
=== Partitioning ===
Use gparted to partition your drive. You will need >= 100 MB for /boot (important: '''unformatted'''), twice your amount of RAM for swap (linux-swap) and the usual minimum for your encrypted root filesystem (important: '''unformatted'''). From now on, this guide assumes /boot is /dev/sda1, encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6.
Use gparted to partition your drive. You will need >= 100 MB for /boot (important: '''unformatted'''), twice your amount of RAM for swap (linux-swap) and the usual minimum for your encrypted root filesystem (important: '''unformatted'''). From now on, this guide assumes /boot is /dev/sda1, encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6.
Exit gparted and unmount any auto-mounted filesystems by right-clicking on them on your desktop.
Exit gparted and unmount any auto-mounted filesystems by right-clicking on them on your desktop.
=== LUKS ===
=== LUKS ===
Then load some modules:
Then load some modules:
<pre><nowiki>
<pre><nowiki>
for mod in dm_crypt sha256 aes_i586; do modprobe $mod; done
for mod in dm_crypt sha256 aes_i586; do modprobe $mod; done
</nowiki></pre>
</nowiki></pre>
Use LUKS to encrypt your root partition. This is just an example using AES in CBC-mode and SHA-256 with a passphrase. Change these parameters at will, and use smartcards or whatever you want for better security. Remember to choose a good passphrase, as this probably will be the weakest link in the setup...
Use LUKS to encrypt your root partition. This is just an example using AES in CBC-mode and SHA-256 with a passphrase. Change these parameters at will, and use smartcards or whatever you want for better security. Remember to choose a good passphrase, as this probably will be the weakest link in the setup...
<pre><nowiki>
<pre><nowiki>
第44行: 第30行:
cryptsetup luksOpen /dev/sda6 root
cryptsetup luksOpen /dev/sda6 root
</nowiki></pre>
</nowiki></pre>
=== Installer ===
=== Installer ===
Start the installer and choose language and time zone.
Start the installer and choose language and time zone.
Choose ''manual'' partitioning.
Choose ''manual'' partitioning.
<code><nowiki>/dev/mapper/root</nowiki></code> should be formatted and mounted as <code><nowiki>/</nowiki></code>, while <code><nowiki>/dev/sda1</nowiki></code> should be used as ext3 and mounted as <code><nowiki>/boot</nowiki></code>.
<code><nowiki>/dev/mapper/root</nowiki></code> should be formatted and mounted as <code><nowiki>/</nowiki></code>, while <code><nowiki>/dev/sda1</nowiki></code> should be used as ext3 and mounted as <code><nowiki>/boot</nowiki></code>.
Leave the swap partition as swap. We will fix that later.
Leave the swap partition as swap. We will fix that later.
<code><nowiki>/dev/sda6</nowiki></code> (or any other encrypted partitons) should ''not'' be mounted.
<code><nowiki>/dev/sda6</nowiki></code> (or any other encrypted partitons) should ''not'' be mounted.
Create a user and confirm your options. Go make some coffee.
Create a user and confirm your options. Go make some coffee.
'''Do not restart when the installer asks you to!''' Just click that you want to continue working with the LiveCD.
'''Do not restart when the installer asks you to!''' Just click that you want to continue working with the LiveCD.
=== Chroot and configure ===
=== Chroot and configure ===
So now we have a luks partition, that was the easy part.  Now we need it to boot.  In my experience this has been a bit fiddly.  Hopefully these instructions will help.
So now we have a luks partition, that was the easy part.  Now we need it to boot.  In my experience this has been a bit fiddly.  Hopefully these instructions will help.
Mount everything:
Mount everything:
<pre><nowiki>
<pre><nowiki>
第71行: 第46行:
for dir in proc dev sys; do mount --bind /$dir  /target/$dir; done
for dir in proc dev sys; do mount --bind /$dir  /target/$dir; done
</nowiki></pre>
</nowiki></pre>
You need to MAKEDEV in the *rootfs* (will be copied over to your temp bind directory) to make sure you get a /dev/.static directory created, otherwise you will see errors on boot complaining it doesn't exist.
You need to MAKEDEV in the *rootfs* (will be copied over to your temp bind directory) to make sure you get a /dev/.static directory created, otherwise you will see errors on boot complaining it doesn't exist.
<pre><nowiki>
<pre><nowiki>
cd /dev; MAKEDEV generic
cd /dev; MAKEDEV generic
</nowiki></pre>
</nowiki></pre>
Chroot into the target:
Chroot into the target:
<pre><nowiki>
<pre><nowiki>
chroot /target
chroot /target
</nowiki></pre>
</nowiki></pre>
I prefer to update everything, but there are probably a reason the installer doesn't do this:
I prefer to update everything, but there are probably a reason the installer doesn't do this:
<pre><nowiki>
<pre><nowiki>
第87行: 第59行:
aptitude -y dist-upgrade
aptitude -y dist-upgrade
</nowiki></pre>
</nowiki></pre>
Install cryptsetup:
Install cryptsetup:
<pre><nowiki>
<pre><nowiki>
aptitude install cryptsetup
aptitude install cryptsetup
</nowiki></pre>
</nowiki></pre>
Set up <code><nowiki>/etc/crypttab</nowiki></code>:
Set up <code><nowiki>/etc/crypttab</nowiki></code>:
<pre><nowiki>
<pre><nowiki>
第99行: 第69行:
root            /dev/sda6              none            luks
root            /dev/sda6              none            luks
</nowiki></pre>
</nowiki></pre>
Edit <code><nowiki>/etc/fstab</nowiki></code> and change swap to <code><nowiki>/dev/mapper/swap</nowiki></code> (from some UUID-line).
Edit <code><nowiki>/etc/fstab</nowiki></code> and change swap to <code><nowiki>/dev/mapper/swap</nowiki></code> (from some UUID-line).
Create <code><nowiki>/etc/initramfs-tools/conf.d/cryptroot</nowiki></code> and add:
Create <code><nowiki>/etc/initramfs-tools/conf.d/cryptroot</nowiki></code> and add:
<code><nowiki>CRYPTOPTS=target=root,source=/dev/sda6</nowiki></code>
<code><nowiki>CRYPTOPTS=target=root,source=/dev/sda6</nowiki></code>
Copy over the pre-built cryptroot scripts (ignore other HOWTOs that tell you to create these):
Copy over the pre-built cryptroot scripts (ignore other HOWTOs that tell you to create these):
<pre><nowiki>
<pre><nowiki>
第110行: 第77行:
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/cryptroot
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/cryptroot
</nowiki></pre>
</nowiki></pre>
You may want to alias aes to speed performance <code><nowiki>/etc/modprobe.d/aliases</nowiki></code>:
You may want to alias aes to speed performance <code><nowiki>/etc/modprobe.d/aliases</nowiki></code>:
<pre><nowiki>
<pre><nowiki>
alias aes aes_i586
alias aes aes_i586
</nowiki></pre>
</nowiki></pre>
Edit <code><nowiki>/boot/grub/menu.lst</nowiki></code> and remove <code><nowiki>quiet splash</nowiki></code> from the defoptions-line:
Edit <code><nowiki>/boot/grub/menu.lst</nowiki></code> and remove <code><nowiki>quiet splash</nowiki></code> from the defoptions-line:
<pre><nowiki>
<pre><nowiki>
# defoptions=
# defoptions=
</nowiki></pre>
</nowiki></pre>
Run  
Run  
<pre><nowiki>
<pre><nowiki>
第126行: 第90行:
update-initramfs -u
update-initramfs -u
</nowiki></pre>.
</nowiki></pre>.
Exit the chroot, umount /target/{proc,dev,sys,boot} and (if it works) /target and reboot.
Exit the chroot, umount /target/{proc,dev,sys,boot} and (if it works) /target and reboot.
----
----
[[category:CategorySecurity]]
[[category:CategorySecurity]]


[[category:UbuntuHelp]]
[[category:UbuntuHelp]]

2007年11月30日 (五) 17:12的版本

{{#ifexist: :FeistyEncryptedRootWithInstaller/zh | | {{#ifexist: FeistyEncryptedRootWithInstaller/zh | | {{#ifeq: {{#titleparts:FeistyEncryptedRootWithInstaller|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:FeistyEncryptedRootWithInstaller|1|-1|}} | zh | | }}

I have previously written EncryptedFilesystemHowto6, where I describe how to do a fresh install of Feisty to an encrypted filesystem. The method is a bit clumsy, as you have to do a lot of work that you normally will leave to the installer. This time I want to use the installer for all that work, while just fix en encryption stuff myself. Everything is tested on a VMware Workstation 6 computer with 512 MB RAM and i386 compatible CPU.

Outline of solution

  1. Start the LiveCD and set up working environment

2. Use gparted or fdisk to partition the drive 3. Use cryptsetup to set up LUKS-encrypted partitions 4. Launch the installer and tell it to install to /dev/mapper/* 5. Before reboot, chroot into /target and do the necessary changes

LiveCD

Download Ubuntu 7.04 Desktop Edition. This guide is not tested with other versions or variants of Ubuntu. Boot the CD and set up keyboard, network, proxy and whatever you need. (Hint: If you're behind a proxy, set the http_proxy environment variable: export http_proxy=http://proxy:port/) Start a terminal and run sudo -i to become root. Edit /etc/apt/sources.list to add the universe repository. You may want to change to a mirror close to you instead of archive.ubuntu.com. To me, it's no.archive.ubuntu.com. Install cryptsetup and gparted. (Use fdisk or other utility if you prefer that.)

aptitude update && aptitude install cryptsetup gparted

Partitioning

Use gparted to partition your drive. You will need >= 100 MB for /boot (important: unformatted), twice your amount of RAM for swap (linux-swap) and the usual minimum for your encrypted root filesystem (important: unformatted). From now on, this guide assumes /boot is /dev/sda1, encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6. Exit gparted and unmount any auto-mounted filesystems by right-clicking on them on your desktop.

LUKS

Then load some modules:

for mod in dm_crypt sha256 aes_i586; do modprobe $mod; done

Use LUKS to encrypt your root partition. This is just an example using AES in CBC-mode and SHA-256 with a passphrase. Change these parameters at will, and use smartcards or whatever you want for better security. Remember to choose a good passphrase, as this probably will be the weakest link in the setup...

cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda6
cryptsetup luksOpen /dev/sda6 root

Installer

Start the installer and choose language and time zone. Choose manual partitioning. /dev/mapper/root should be formatted and mounted as /, while /dev/sda1 should be used as ext3 and mounted as /boot. Leave the swap partition as swap. We will fix that later. /dev/sda6 (or any other encrypted partitons) should not be mounted. Create a user and confirm your options. Go make some coffee. Do not restart when the installer asks you to! Just click that you want to continue working with the LiveCD.

Chroot and configure

So now we have a luks partition, that was the easy part. Now we need it to boot. In my experience this has been a bit fiddly. Hopefully these instructions will help. Mount everything:

mount /dev/mapper/root /target
mount /dev/sda1 /target/boot
for dir in proc dev sys; do mount --bind /$dir  /target/$dir; done

You need to MAKEDEV in the *rootfs* (will be copied over to your temp bind directory) to make sure you get a /dev/.static directory created, otherwise you will see errors on boot complaining it doesn't exist.

cd /dev; MAKEDEV generic

Chroot into the target:

chroot /target

I prefer to update everything, but there are probably a reason the installer doesn't do this:

aptitude update
aptitude -y dist-upgrade

Install cryptsetup:

aptitude install cryptsetup

Set up /etc/crypttab:

# <target name> <source device>         <key file>      <options>
swap            /dev/sda5               /dev/random     swap
root            /dev/sda6               none            luks

Edit /etc/fstab and change swap to /dev/mapper/swap (from some UUID-line). Create /etc/initramfs-tools/conf.d/cryptroot and add: CRYPTOPTS=target=root,source=/dev/sda6 Copy over the pre-built cryptroot scripts (ignore other HOWTOs that tell you to create these):

cp /usr/share/initramfs-tools/hooks/cryptroot /etc/initramfs-tools/hooks/cryptroot
cp /usr/share/initramfs-tools/scripts/local-top/cryptroot /etc/initramfs-tools/scripts/local-top/cryptroot

You may want to alias aes to speed performance /etc/modprobe.d/aliases:

alias aes aes_i586

Edit /boot/grub/menu.lst and remove quiet splash from the defoptions-line:

# defoptions=

Run

update-grub
update-initramfs -u

.

Exit the chroot, umount /target/{proc,dev,sys,boot} and (if it works) /target and reboot.