{{From|https://help.ubuntu.com/community/EncryptedFilesystemHowto8}}
{{Languages|UbuntuHelp:EncryptedFilesystemHowto8}}
== How to Setup Completely Encrypted System - Ubuntu Feisty ==
{|border="1" cellspacing="0"
| {i} Please refer to [[UbuntuHelp:EncryptedFilesystems|EncryptedFilesystems]] for further documentation.
|}
'''NOTE: this guide was written because the other Feisty guides on full-system encryption were incomplete: we were unable to set up a system by following them, so we wrote our own. This guide was tested many times on several different machines. Nevertheless, use it at your own risk.'''
''By: [https://launchpad.net/~matej-kovacic Matej Kovačič] and Jožko Škrablin, l33t slovenian h4ck3rz :)''
'''''With small remarks by Rainer Perske, written like this line.'''''
'''Warning: using encryption can cause loss of data in case of disk errors. In some non-democratic countries the use of strong encryption is illegal. Use at your own risk.'''
Unfortunately Ubuntu does not support encrypted disks during installation as Debian does. However, since we use laptops and USB sticks more and more, our data is at constant risk of loss or theft. So there is a need for hard-disk encryption support, and that need also has commercial value. We hope the Ubuntu developers will soon recognise this area as a marketing advantage of Linux.
=== Why? ===
* Read a story about the [http://www.autistici.org/ai/crackdown/comunicato_en_210605.html Autistici and Inventati case];
* Read a story about [http://news.com.com/Police+blotter+Laptop+border+searches+OKd/2100-1030_3-6098939.html laptop border searches in the USA];
* Read a story about [http://www.schneier.com/blog/archives/2006/09/laptop_seizures.html laptop seizures in Sudan].
=== How? ===
We are going to need Ubuntu 7.04 Server. ''However, this will be a desktop installation''; we are using the server edition just for the basic setup.
''We are also assuming your hard drive is hda''.
So let's download [http://www.ubuntulinux.org/getubuntu/download ubuntu-7.04-server-i386.iso] first and burn it to a CD.
If you do not have a fresh computer, consider erasing your hard disk before setting up encryption. Erasing with random data is also good because an attacker will then be unable to tell how much encrypted data you have on your hard disk and how much of it is free space. However, it can take a long time, typically several hours or even days. You can use the [http://dban.sourceforge.net/ DBAN tool] or the dd command:
<pre><nowiki>
dd if=/dev/urandom of=/dev/hda bs=16M
</nowiki></pre>
In the above command use a block size that divides evenly into the size of your hard drive, so that there is no partial block left over at the end of the drive that dd would not write because a whole block does not fit. For example, instead of bs=16M you might need bs=5M. Block sizes below 1M may slow down throughput.
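Rather than hunting for a block size that divides the drive exactly, the overwrite can be planned as a bulk pass with a large block size followed by a short pass in 512-byte sectors for the remainder, so the tail of the device is covered whatever its size. The following is an added example, not part of the original guide; the function names are chosen here, and the device size is taken from <tt>blockdev --getsize64</tt>, which the guide does not use.

```sh
#!/bin/sh
# Plan a full-device overwrite with /dev/urandom in two passes: a bulk pass
# with a large block size, then a 512-byte-block pass for whatever is left
# at the end of the device, so no tail is skipped regardless of disk size.
# wipe_plan SIZE_BYTES [BULK_BS]  ->  prints "count rest seek512"
#   count   : number of BULK_BS blocks that fit in the device
#   rest    : bytes left after those blocks
#   seek512 : offset of the tail pass, in 512-byte sectors
wipe_plan() {
    size=$1
    bs=${2:-16777216}                 # 16M, as in the dd command above
    count=$((size / bs))
    rest=$((size - count * bs))
    printf '%s %s %s\n' "$count" "$rest" "$((count * bs / 512))"
}

# wipe_commands DEVICE SIZE_BYTES [BULK_BS]: print the dd commands for the
# plan; the caller inspects them and pipes them to sh.  Nothing is written
# by this function itself.
wipe_commands() {
    dev=$1; size=$2; bs=${3:-16777216}
    set -- $(wipe_plan "$size" "$bs")
    printf 'dd if=/dev/urandom of=%s bs=%s count=%s\n' "$dev" "$bs" "$1"
    if [ "$2" -gt 0 ]; then
        # block devices are always a whole number of 512-byte sectors,
        # so the remainder can be written sector by sector
        printf 'dd if=/dev/urandom of=%s bs=512 seek=%s count=%s\n' \
            "$dev" "$3" "$(($2 / 512))"
    fi
}

# Real use (destroys all data on the device; run as root):
#   size=$(blockdev --getsize64 /dev/hda)
#   wipe_commands /dev/hda "$size"        # review the two commands
#   wipe_commands /dev/hda "$size" | sh   # then run them
```

For a 1 000 000 000-byte device the plan is 59 blocks of 16M plus a 10 144 256-byte tail, which becomes 19 813 sectors starting at sector 1 933 312.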
==== First step: install Ubuntu Server Edition with proper partitioning of your hard drive ====
When your hard drive is ready, put the install CD into the CD-ROM drive, boot the computer from the CD and start the installation process.
BTW: Because of an unresolved [https://launchpad.net/ubuntu/+bug/71594 bug No. 71594] in the Feisty Server kernel, installing the server edition in virtual machines such as VMware and [[UbuntuHelp:VirtualBox|VirtualBox]] does not succeed.
'''''But if you use a second virtual hard disk with one partition of 4 GB for the temporary root, you may use this guide with Feisty Desktop. Just replace hda2 with hdb1 in this guide until before you create cswap. Afterwards, you can remove that hard disk from the configuration of your virtual machine.'''''
There is also an unresolved [https://bugs.launchpad.net/ubuntu/+source/console-setup/+bug/68843 bug No. 68843] in the Feisty Server installer, which prevents the use of Slovenian, Croatian and some other keyboard layouts.
'''Warning: be careful when setting passwords, because at startup (when you need to enter your master passphrase to unlock your hard drive) the keyboard uses the English layout.'''
When you come to the disk partitioning step, you need to create four partitions:
* partition '''/boot''', 100 MB - '''/dev/hda1'''
* partition '''temporary root''' (future cswap), 2 GB - '''/dev/hda2'''
* unused partition (future croot partition), 10 GB - '''/dev/hda3'''
* unused partition (future chome partition), all remaining space - '''/dev/hda4'''
==== Step two: set up the encryption ====
When the installation is finished and the computer reboots, log in and become root:
<pre><nowiki>
sudo su
</nowiki></pre>
Load the needed modules:
<pre><nowiki>
...
modprobe sha256
</nowiki></pre>
Add the modules to /etc/modules so that they are loaded automatically at reboot:
<pre><nowiki>
...
echo sha256 >> /etc/modules
</nowiki></pre>
Install the cryptsetup package:
<pre><nowiki>
apt-get install cryptsetup
</nowiki></pre>
==== Step three: set up the encrypted root partition ====
Now format the future root partition with luksformat (we are using the ext3 file system):
<pre><nowiki>
luksformat -t ext3 /dev/hda3
</nowiki></pre>
You need to type ''YES'' and then your LUKS passphrase twice. '''This passphrase is very important, because you will need it to access your hard drive. It should be good and long enough, and don't forget it!''' If your passphrase uses upper- and lower-case letters of the English alphabet and the ten digits, that is 62 possibilities per character. Six binary bits can encode 64 possibilities, so each character, if it is chosen at random, gives about 6 bits of security (log2 62 is about 5.95). You want about 128 bits for good security, so you need about 22 random characters. Words and phrases have surprisingly little randomness, so if you use words, phrases or anything else non-random, you need a MUCH longer passphrase. Shannon's estimate puts English text at about two bits per character, so you would need about sixty characters. Any passphrase taken from Bartlett's Familiar Quotations or from a famous book would be easily broken.
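The arithmetic in the paragraph above, and a generator that produces a passphrase of the required size from the kernel's random source, as an added example that is not part of the original guide. The function names are chosen here; awk is used only because the shell has no floating-point arithmetic.

```sh
#!/bin/sh
# Passphrase size arithmetic for the LUKS passphrase.  Added example, not
# from the guide; awk does the logarithms because sh has no floats.

# entropy_bits LEN ALPHABET_SIZE: bits of entropy in LEN characters drawn
# uniformly at random from an alphabet of ALPHABET_SIZE symbols, that is
# LEN * log2(ALPHABET_SIZE), rounded down.
entropy_bits() {
    awk -v n="$1" -v a="$2" 'BEGIN { printf "%d\n", int(n * log(a) / log(2)) }'
}

# chars_needed BITS ALPHABET_SIZE: smallest random length that reaches BITS.
chars_needed() {
    awk -v b="$1" -v a="$2" 'BEGIN {
        n = b / (log(a) / log(2))
        printf "%d\n", (n == int(n)) ? n : int(n) + 1
    }'
}

# prose_chars_needed BITS: length of English text needed for BITS, using
# Shannon's estimate of about 2 bits per character (rounded up).
prose_chars_needed() {
    echo $(( ($1 + 1) / 2 ))
}

# random_passphrase LEN: LEN characters from [A-Za-z0-9] taken from the
# kernel CSPRNG.  "tr -dc" discards every other byte, so each kept
# character is uniform over the 62-symbol alphabet (rejection sampling).
random_passphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-22}"
    echo
}

# Examples: chars_needed 128 62 -> 22, prose_chars_needed 128 -> 64
```

A 21-character random string from the 62-symbol alphabet gives 125 bits, which is why 22 characters are needed for a full 128; a passphrase made of words at 2 bits per character needs 64.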
luksformat uses a 128-bit key. We can use a 256-bit key with the following command instead; in that case we will need to create the file system manually later:
<pre><nowiki>
sudo cryptsetup --key-size 256 luksFormat /dev/hda3
</nowiki></pre>
The luksformat command produces output like this:
<pre><nowiki>
Creating encrypted device on /dev/hda3...
WARNING!
========
This will overwrite data on /dev/hda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Please enter your passphrase again to verify it
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mke2fs 1.40-WIP (14-Nov-2006)
...
...
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 39 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
</nowiki></pre>
Now let's open the new crypto partition as croot:
<pre><nowiki>
cryptsetup luksOpen /dev/hda3 croot
</nowiki></pre>
We need to enter our LUKS passphrase, and the decrypted device appears as /dev/mapper/croot:
<pre><nowiki>
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
</nowiki></pre>
If we did not use luksformat, we need to create the file system manually right now:
<pre><nowiki>
sudo mkfs.ext3 /dev/mapper/croot
</nowiki></pre>
Now mount it on /mnt:
<pre><nowiki>
mount /dev/mapper/croot /mnt
</nowiki></pre>
==== Step four: prepare the encrypted system ====
Now copy the system onto the new crypto partition (this can take a few minutes; you can use the -v switch of cp for verbose output):
<pre><nowiki>
...
cp -xa / .
</nowiki></pre>
Chroot into the new system:
<pre><nowiki>
...
chroot /mnt
</nowiki></pre>
Mount the /boot partition:
<pre><nowiki>
mount /dev/hda1 boot
</nowiki></pre>
Edit /etc/crypttab (the last two entries must remain commented out FOR NOW!):
<pre><nowiki>
nano etc/crypttab
</nowiki></pre>
crypttab should look like this:
<pre><nowiki>
# <target name> <source device> <key file> <options>
croot /dev/hda3 none luks
#cswap /dev/hda2 /dev/urandom swap
#chome /dev/hda4 /etc/keys/home.key luks
</nowiki></pre>
Because cswap is keyed from /dev/urandom at every boot, its contents are unreadable after a reboot, which is exactly what you want for swap; the price is that suspend-to-disk (hibernation) cannot resume from it.
Edit /etc/fstab (the entries for cswap and chome must remain commented out FOR NOW!):
<pre><nowiki>
nano /etc/fstab
</nowiki></pre>
First comment out the active root entry ('''Don't forget this!'''). Then add:
<pre><nowiki>
/dev/mapper/croot / ext3 defaults,errors=remount-ro 0 1
#/dev/mapper/cswap none swap sw 0 0
#/dev/mapper/chome /home ext3 defaults 0 2
</nowiki></pre>
/etc/fstab should now look like this (the UUIDs are only examples):
<pre><nowiki>
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# /dev/hda2
#UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/croot / ext3 defaults,errors=remount-ro 0 1
# /dev/mapper/cswap none swap sw 0 0
# /dev/mapper/chome /home ext3 defaults 0 2
# /dev/hda1
UUID=2fca8417-07de-4a7b-a8cb-4cfeddc89c7d /boot ext3 defaults 0 2
/dev/hdc /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
</nowiki></pre>
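A mismatch between crypttab and fstab is the usual reason the reboot in the next step ends in an initramfs shell instead of a login prompt: a mapper device mounted in fstab with no active crypttab line, or two active root entries because the old one was not commented out. The following checker, as an added example that is not part of the original guide, verifies the two files against each other; the sample files it writes are constructed from the listings above, and the function names are chosen here.

```sh
#!/bin/sh
# Consistency check for the crypttab/fstab pair.  Added example, not part
# of the guide.  Rules checked:
#   * every /dev/mapper/NAME mounted in fstab needs an active NAME line in
#     crypttab (commented lines do not count);
#   * every active crypttab target should be used somewhere in fstab;
#   * exactly one active fstab line may mount / (the old root entry must
#     be commented out).
# check_crypt_tables CRYPTTAB FSTAB: prints each problem, exit 0 if none.
check_crypt_tables() {
    crypttab=$1; fstab=$2; status=0
    # first field of every active (non-blank, non-comment) line
    targets=$(awk '$0 !~ /^[[:space:]]*#/ && NF > 0 { print $1 }' "$crypttab")
    # mapper names mounted by fstab, with the /dev/mapper/ prefix stripped
    mapped=$(awk '$0 !~ /^[[:space:]]*#/ && NF > 0 && $1 ~ /^\/dev\/mapper\// {
                      sub("^/dev/mapper/", "", $1); print $1 }' "$fstab")
    roots=$(awk '$0 !~ /^[[:space:]]*#/ && NF > 0 && $2 == "/" { n++ } END { print n+0 }' "$fstab")

    for m in $mapped; do
        echo "$targets" | grep -qx "$m" ||
            { echo "fstab mounts /dev/mapper/$m but crypttab has no active '$m' line"; status=1; }
    done
    for t in $targets; do
        echo "$mapped" | grep -qx "$t" ||
            { echo "crypttab target '$t' is not referenced in fstab"; status=1; }
    done
    [ "$roots" -eq 1 ] ||
        { echo "fstab has $roots active root (/) entries, expected exactly 1"; status=1; }
    return $status
}

# write_sample_tables DIR: constructed sample files mirroring the "FOR NOW"
# state above (croot active, cswap/chome still commented out), plus a
# deliberately broken fstab in which chome was uncommented too early and
# the old root line was left active.
write_sample_tables() {
    dir=$1
    cat > "$dir/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
croot /dev/hda3 none luks
#cswap /dev/hda2 /dev/urandom swap
#chome /dev/hda4 /etc/keys/home.key luks
EOF
    cat > "$dir/fstab" <<'EOF'
proc /proc proc defaults 0 0
#UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/croot / ext3 defaults,errors=remount-ro 0 1
# /dev/mapper/cswap none swap sw 0 0
# /dev/mapper/chome /home ext3 defaults 0 2
UUID=2fca8417-07de-4a7b-a8cb-4cfeddc89c7d /boot ext3 defaults 0 2
EOF
    cat > "$dir/fstab.broken" <<'EOF'
proc /proc proc defaults 0 0
UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/croot / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/chome /home ext3 defaults 0 2
UUID=2fca8417-07de-4a7b-a8cb-4cfeddc89c7d /boot ext3 defaults 0 2
EOF
}

# Real use, inside the chroot:  check_crypt_tables /etc/crypttab /etc/fstab
```

Run it again in step five after uncommenting the cswap and chome lines: both files must change together, and the checker reports exactly which side was forgotten.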
Make a key for the encrypted home:
<pre><nowiki>
mkdir /etc/keys && cd /etc/keys
dd if=/dev/urandom of=home.key bs=1K count=1
</nowiki></pre>
The key is stored in /etc/keys. Because of this you will see a warning at boot time (INSECURE MODE FOR /etc/keys/home.key). However, the key is stored on the encrypted root, so this is not as insecure as it sounds; still make sure the file is readable by root only. BTW: you can also unlock chome by typing a passphrase instead, but then you need to change the /etc/crypttab entry accordingly.
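The keyfile only stays private if nothing but root can read it, and a short read from /dev/urandom would silently give a weaker key than intended. The following is an added example, not from the original guide, that creates the key with a restrictive umask and then verifies size and mode; the function names are chosen here.

```sh
#!/bin/sh
# Create and verify the keyfile for chome.  Added example, not from the
# guide.  The guide writes 1 KiB of /dev/urandom to /etc/keys/home.key; the
# extra steps here keep the file readable by root only: a restrictive umask
# before anything is created, 0700 on the directory and 0400 on the key.
# make_luks_keyfile [KEYDIR] [NAME] [BYTES]: prints the keyfile path.
make_luks_keyfile() (
    keydir=${1:-/etc/keys}; name=${2:-home.key}; bytes=${3:-1024}
    umask 077                          # subshell body: does not leak to the caller
    mkdir -p "$keydir" || exit 1
    chmod 700 "$keydir"
    dd if=/dev/urandom of="$keydir/$name" bs="$bytes" count=1 2>/dev/null || exit 1
    chmod 400 "$keydir/$name"
    echo "$keydir/$name"
)

# check_luks_keyfile PATH [BYTES]: exit 0 only if the file has exactly BYTES
# bytes and mode 0400.
check_luks_keyfile() {
    f=$1; bytes=${2:-1024}
    [ "$(wc -c < "$f" | tr -d ' ')" -eq "$bytes" ] ||
        { echo "$f: expected $bytes bytes"; return 1; }
    [ -n "$(find "$f" -prune -perm 0400)" ] ||
        { echo "$f: mode is not 0400"; return 1; }
    echo "$f: ok"
}

# Real use, as root, then add the key to the chome header as in step five:
#   key=$(make_luks_keyfile /etc/keys home.key 1024)
#   check_luks_keyfile "$key" && cryptsetup luksAddKey /dev/hda4 "$key"
```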
Now the important part: build a new initrd (this takes a few minutes):
<pre><nowiki>
...
update-initramfs -u
</nowiki></pre>
Now we need to fix the Grub menu (look for the ''kernel'' line and set root to /dev/mapper/croot):
<pre><nowiki>
nano /boot/grub/menu.lst
</nowiki></pre>
Change the menu entry like this:
<pre><nowiki>
title Ubuntu, kernel 2.6.20-15-server
root (hd0,0)
kernel /vmlinuz-2.6.20-15-server root=/dev/mapper/croot ro quiet nosplash
initrd /initrd.img-2.6.20-15-server
quiet
savedefault
</nowiki></pre>
'''''To avoid having to repair this file again after every kernel update, also change two commented lines in the same file:'''''
'''''Replace UUID=some-long-uuid-string with /dev/mapper/croot in the line '''# kopt=root=UUID=some-long-uuid-string ro''
'''''Replace splash with nosplash in the line beginning with '''# defoptions=quiet splash''
'''''Keep the comment sign at the beginning of these lines! update-grub reads them when it generates the kernel lines for new kernels.'''''
'''''Additional info by Matej Kovačič: after upgrading to Gutsy and updating it, the splash screen allows entering LUKS passphrases.'''''
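The menu.lst edit above is easy to get wrong and has to survive every kernel upgrade, so it is worth scripting both the rewrite and a check that can be run before each reboot. The following is an added example, not from the original guide: the function names are chosen here, the sample menu.lst is constructed from the listing above, and the file is edited through a temporary copy rather than with a non-portable in-place sed.

```sh
#!/bin/sh
# Rewrite /boot/grub/menu.lst so that every kernel line and the "# kopt="
# template boot from the LUKS-mapped root.  Added example, not from the
# guide; "fix_menu_lst" and "check_menu_lst" are names chosen here.
# fix_menu_lst FILE [ROOT]: edits FILE in place (through a temporary copy).
fix_menu_lst() {
    f=$1; root=${2:-/dev/mapper/croot}
    sed -e "/^[[:space:]]*kernel[[:space:]]/ s#root=[^[:space:]]*#root=$root#" \
        -e "/^# kopt=/ s#root=[^[:space:]]*#root=$root#" \
        -e '/^[[:space:]]*kernel[[:space:]]/ s/\([[:space:]]\)splash/\1nosplash/' \
        -e '/^# defoptions=/ s/\([[:space:]=]\)splash/\1nosplash/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# check_menu_lst FILE [ROOT]: exit 0 only if every kernel line already boots
# from ROOT; run it after each kernel upgrade, before rebooting.
check_menu_lst() {
    f=$1; root=${2:-/dev/mapper/croot}
    bad=$(awk -v r="root=$root" '/^[[:space:]]*kernel[[:space:]]/ && index($0, r) == 0' "$f")
    [ -z "$bad" ] || { echo "kernel lines not using $root:"; echo "$bad"; return 1; }
}

# write_sample_menu_lst FILE: constructed menu.lst fragment as the Feisty
# installer leaves it (UUID root, splash on).
write_sample_menu_lst() {
    cat > "$1" <<'EOF'
# kopt=root=UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e ro
# defoptions=quiet splash
title Ubuntu, kernel 2.6.20-15-server
root (hd0,0)
kernel /vmlinuz-2.6.20-15-server root=UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e ro quiet splash
initrd /initrd.img-2.6.20-15-server
quiet
savedefault
EOF
}

# Real use, inside the chroot:
#   fix_menu_lst /boot/grub/menu.lst && check_menu_lst /boot/grub/menu.lst
```

After the rewrite the kernel line reads exactly as in the listing above, and the kopt template is fixed as well, so update-grub keeps generating correct entries for later kernels.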
Reboot the system:
* press '''Ctrl-D''' to exit the chroot environment
<pre><nowiki>
reboot
</nowiki></pre>
==== Step five: encrypted home and swap ====
At the very beginning of the boot process you will see this text:
<pre><nowiki>
Starting up ...
Loading, please wait...
Setting up cryptographic volume croot (based on /dev/hda3)
Enter LUKS passphrase:
</nowiki></pre>
Enter your LUKS passphrase (for croot), log in and become root:
<pre><nowiki>
sudo su
</nowiki></pre>
You can overwrite the old root partition with random data if you like (this can take a long time):
<pre><nowiki>
dd if=/dev/urandom of=/dev/hda2 bs=16M
</nowiki></pre>
If you do not do this, you need to initialise this partition as swap (otherwise cswap will not be set up at reboot, because the old ext3 file system is still recognised on it):
<pre><nowiki>
mkswap /dev/hda2
</nowiki></pre>
Now there is again a [https://bugs.launchpad.net/ubuntu/+source/cryptsetup/+bug/105266 nasty bug No. 105266] in Ubuntu, which can easily be worked around with this command:
<pre><nowiki>
mkdir /dev/.static/dev/mapper
</nowiki></pre>
Now let's format the future /home partition. For now we are using a passphrase and not a keyfile:
<pre><nowiki>
luksformat -t ext3 /dev/hda4
</nowiki></pre>
Open and mount this new partition (we need to enter the LUKS passphrase):
<pre><nowiki>
cryptsetup luksOpen /dev/hda4 chome
mount /dev/mapper/chome /mnt
</nowiki></pre>
Create the home directory for the current user (in my case the user "matej"):
<pre><nowiki>
cd /mnt
mkdir matej
chown matej.matej matej
</nowiki></pre>
Add the keyfile to this crypto partition:
<pre><nowiki>
cryptsetup luksAddKey /dev/hda4 /etc/keys/home.key
</nowiki></pre>
(We can remove the first passphrase afterwards with the cryptsetup luksDelKey command. Consider keeping one passphrase slot anyway: if the root file system, and with it /etc/keys/home.key, is ever lost, the passphrase is the only way left to unlock /home.)
Now uncomment the '''cswap''' and '''chome''' entries in /etc/crypttab:
<pre><nowiki>
nano /etc/crypttab
</nowiki></pre>
Also uncomment the '''cswap''' and '''chome''' entries in /etc/fstab:
<pre><nowiki>
nano /etc/fstab
</nowiki></pre>
Reboot the system:
<pre><nowiki>
reboot
</nowiki></pre>
==== Step six: enter the fully encrypted system and set up the desktop ====
After the reboot log in and check that the crypto partitions are mapped:
<pre><nowiki>
ls /dev/mapper
</nowiki></pre>
We should get something like this:
<pre><nowiki>
chome control croot cswap
</nowiki></pre>
Check the swap space:
<pre><nowiki>
cat /proc/swaps
</nowiki></pre>
We should get something like this:
<pre><nowiki>
Filename Type Size Used Priority
/dev/mapper/cswap partition 1951888 0 -1
</nowiki></pre>
Now comment out the CD-ROM source in APT's sources.list:
<pre><nowiki>
sudo nano /etc/apt/sources.list
</nowiki></pre>
Comment out this line:
<pre><nowiki>
# deb cdrom:[Ubuntu-Server 7.04 _Feisty Fawn_ - Release i386 (20070415)]/ feisty main restricted
</nowiki></pre>
Install the Ubuntu desktop:
<pre><nowiki>
sudo apt-get update
sudo apt-get install ubuntu-desktop
</nowiki></pre>
You will need to configure the X server (very easy, you only need to check the supported resolutions for your screen).
Now we can install the generic kernel if we like:
<pre><nowiki>
sudo apt-get install linux-image-generic
</nowiki></pre>
If you did not fix the kopt line in menu.lst earlier, check that the new kernel's entry has root=/dev/mapper/croot before you reboot.
After the reboot your system will start in graphical mode. Now we remove the old server kernel:
<pre><nowiki>
sudo apt-get remove --purge linux-image-2.6.20-15-server linux-image-server linux-server
</nowiki></pre>
=== Conclusion ===
That's it. Now you have a fully encrypted system (except for the /boot partition, of course), using LUKS. You can add or delete (and therefore change) keys (passphrases). You can mount your LUKS-formatted partitions on other Linux systems or even on Windows (for Windows you need the program [http://www.freeotfe.org/ FreeOTFE] and an ext3 driver).
However:
* full-system encryption protects you only against offline attacks (an online attacker can still break into the running system and read your data while it is unlocked);
* be careful with your passphrase (and use a good one!);
* do your backups regularly (if possible on encrypted media or in a safe place - BTW: LUKS-formatted media can easily be mounted in Gnome: when you connect an encrypted USB drive you get a pop-up asking for your passphrase, and the encrypted partition is automatically mounted once the right passphrase is given);
* be aware of possible attacks on the /boot partition or the hardware: someone can install a keyboard sniffer into the unencrypted /boot partition, attach a keyboard sniffing device ([http://www.keyghost.com/hardware-keylogger.htm hardware keylogger]), a [http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf PCI rootkit], a hacked [http://www.grandideastudio.com/files/security/tokens/usb_hardware_token.pdf USB device], a hacked [http://www.security-assessment.com/files/presentations/ab_firewire_rux2k6-final.pdf FireWire device], etc. The kernel and initrd in /boot are exactly the code that asks for your passphrase, so a tampered initrd can capture it.
But generally everything should work fine; just don't forget to repair the Grub menu after each kernel upgrade/update. If you forget, don't panic: you can do it during the boot process - press Esc at boot time to enter the Grub menu, press '''e''' (to edit), select the "kernel" line and press '''e''' again. Then edit the line, press Enter and '''b''' to boot. This change is not saved, so you need to repair the Grub menu manually after a successful boot.
P. S. If you find this guide useful, please [https://launchpad.net/~matej-kovacic let us know].
'''''Dear Matej and Jožko, I found it extremely useful, thus I dared to enhance this page as given above. Feel free to incorporate my ideas as if they were your own. Rainer Perske'''''
'''''Thanks for the update - we tested it, and it is working. However, as mentioned, in the new Gutsy with updates the splash screen is working. Matej Kovačič'''''
----
[[category:CategorySecurity]]
[[category:UbuntuHelp]]
Latest revision as of 16:39, 12 May 2009
UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/nl | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|Nederlands| [[::EncryptedFilesystemHowto8/nl|Nederlands]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/no | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|norsk| [[::EncryptedFilesystemHowto8/no|norsk]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/oc | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|occitan| [[::EncryptedFilesystemHowto8/oc|occitan]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/pl | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|polski| [[::EncryptedFilesystemHowto8/pl|polski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/pt | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|português| [[::EncryptedFilesystemHowto8/pt|português]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/ro | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|română| [[::EncryptedFilesystemHowto8/ro|română]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/ru | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|русский| [[::EncryptedFilesystemHowto8/ru|русский]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/si | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|සිංහල| [[::EncryptedFilesystemHowto8/si|සිංහල]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | 
UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/sq | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|shqip| [[::EncryptedFilesystemHowto8/sq|shqip]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/sr | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|српски / srpski| [[::EncryptedFilesystemHowto8/sr|српски / srpski]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/sv | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|svenska| [[::EncryptedFilesystemHowto8/sv|svenska]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/th | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|ไทย| [[::EncryptedFilesystemHowto8/th|ไทย]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/tr | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|Türkçe| [[::EncryptedFilesystemHowto8/tr|Türkçe]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/vi | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|Tiếng Việt| [[::EncryptedFilesystemHowto8/vi|Tiếng Việt]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/yue | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|粵語| [[::EncryptedFilesystemHowto8/yue|粵語]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/zh | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|中文| [[::EncryptedFilesystemHowto8/zh|中文]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | 
:}}EncryptedFilesystemHowto8}}/zh-hans | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|中文(简体)| [[::EncryptedFilesystemHowto8/zh-hans|中文(简体)]]}}|}} {{#ifexist: {{#if: UbuntuHelp:EncryptedFilesystemHowto8 | UbuntuHelp:EncryptedFilesystemHowto8 | {{#if: | :}}EncryptedFilesystemHowto8}}/zh-hant | • {{#if: UbuntuHelp:EncryptedFilesystemHowto8|中文(繁體)| [[::EncryptedFilesystemHowto8/zh-hant|中文(繁體)]]}}|}} |
{{#ifeq:UbuntuHelp:EncryptedFilesystemHowto8|:EncryptedFilesystemHowto8|请不要直接编辑翻译本页,本页将定期与来源同步。}} |
{{#ifexist: :EncryptedFilesystemHowto8/zh | | {{#ifexist: EncryptedFilesystemHowto8/zh | | {{#ifeq: {{#titleparts:EncryptedFilesystemHowto8|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:EncryptedFilesystemHowto8|1|-1|}} | zh | | }}
How to Setup Completely Encrypted System - Ubuntu Feisty

Tag: Unsupported

{i} Please refer to EncryptedFilesystems for further documentation.
NOTE: this guide was written simply because all other Feisty guides on how to set up full system encryption are incomplete. We were unable to set up the system following other guides, so we decided to write our own. This guide was tested many times on several different machines. However, use it at your own risk.

By: Matej Kovačič and Jožko Škrablin, l33t slovenian h4ck3rz :)

With small remarks by Rainer Perske, written like this line.

Warning: using encryption can cause loss of data in case of disk errors. In some non-democratic countries use of strong encryption is illegal. Use at your own risk.

Unfortunately Ubuntu does not support encrypted disks during installation as Debian does. However, since we are using laptops and USB sticks more and more, our data are at constant risk of loss or theft. So there is a need for hard disk encryption support, and that need also has commercial value. We hope the Ubuntu developers will soon recognise this area as a marketing advantage of Linux.
Why?
- Read a story about the Autistici and Inventati case
- Read a story about laptop border searches in the USA
- Read a story about laptop seizures in Sudan
How?
We are going to need Ubuntu 7.04 Server. However, the result will be a desktop installation; we are using the server edition just for the basic setup. We are also assuming your hard drive is hda. So let's download ubuntu-7.04-server-i386.iso first and burn it to a CD.

If you are not starting from a fresh computer, consider erasing your hard disk before setting up encryption. Erasing with random data is also good because an attacker will then be unable to tell how much of the disk holds encrypted data and how much is free space. However, it can take a lot of time, typically several hours or even days. You can use the DBAN tool or the dd command:
dd if=/dev/urandom of=/dev/hda bs=16M
GNU dd keeps writing until the device is full: the final partial block is written and dd then stops with "No space left on device", which is the expected ending here, so the block size does not have to divide the drive size evenly. Block sizes below 1M slow the throughput down; 16M is a reasonable choice. To confirm that the whole device was covered, compare the byte count dd reports with the size printed by blockdev --getsize64 /dev/hda.
First step: install Ubuntu Server Edition with proper partitions on your hard drive

When your hard drive is ready, put the install CD into the CD-ROM drive, boot the computer from the CD and start the installation process.

BTW: because of an unresolved bug No. 71594 in the Feisty Server kernel, installation of the server edition in virtual machines like VMware and VirtualBox does not succeed. But if you use a second virtual hard disk with one partition of 4 GB for the temporary root, you may follow this guide with Feisty Desktop. Just replace hda2 with hdb1 in this guide until before you create cswap. Afterwards, you can remove that hard disk from the configuration of your virtual machine.

There is also an unresolved bug No. 68843 in the Feisty Server installer, which prevents the use of Slovenian, Croatian and some other keyboard layouts. Warning: be careful when setting passwords, because at startup (when you need to enter your master passphrase to access your hard drive) the keyboard uses the English layout.

When you come to the disk partitioning step, you need to create four partitions:
- /boot partition, 100 MB - /dev/hda1
- temporary root partition (future cswap), 2 GB - /dev/hda2
- unused partition (future croot partition), 10 GB - /dev/hda3
- unused partition (future chome partition), all remaining space - /dev/hda4
Step two: set up encryption

When the installation is finished and the computer reboots, log in and become root:

sudo su

Load the needed modules:

modprobe dm-crypt
modprobe dm-mod
modprobe aes
modprobe sha256

Add the modules to /etc/modules so they are loaded automatically at reboot:

echo dm-crypt >> /etc/modules
echo dm-mod >> /etc/modules
echo aes >> /etc/modules
echo sha256 >> /etc/modules

Install the cryptsetup package:

apt-get install cryptsetup
Step three: set up the encrypted root partition

Now format the future root partition with luksformat (we are using the ext3 file system):

luksformat -t ext3 /dev/hda3

You need to type YES and then your LUKS passphrase twice. This passphrase is very important, because you will need it to access your hard drive. It should be strong and long enough, and don't forget it!

If your passphrase uses upper- and lower-case letters of the English alphabet and the ten digits, that is 62 possibilities per character. Six binary bits encode 64 possibilities, so each character, if it is random, gives about 6 bits (log2(62) = 5.95) of security. You want about 128 bits for good security, so you need about 22 random characters. Words and phrases have surprisingly little randomness, so if you use words, phrases or anything non-random, you need a MUCH longer passphrase. Shannon's estimate puts English text at about two bits per character, so you would need about sixty-four characters of it. Any passphrase taken from Bartlett's Familiar Quotations or a famous book is easily broken.

luksformat uses the cryptsetup defaults, which in Feisty mean a 128-bit AES key. We can use a 256-bit key with the following command; in that case we will need to create the filesystem manually later. (cryptsetup luksDump /dev/hda3 shows the key size as "MK bits" afterwards. Newer cryptsetup releases default to aes-xts-plain64 with a 512-bit key; cryptsetup --help lists the compiled-in defaults of your version.)
sudo cryptsetup --key-size 256 luksFormat /dev/hda3
We get output like this (the part from "Please enter your passphrase again" onwards comes from luksformat, which also opens the device and runs mke2fs; plain cryptsetup luksFormat stops after the first "Command successful."):

Creating encrypted device on /dev/hda3...
WARNING!
========
This will overwrite data on /dev/hda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Please enter your passphrase again to verify it
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mke2fs 1.40-WIP (14-Nov-2006)
...
...
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 39 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
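The passphrase arithmetic above as a small shell helper. This is an added example and not part of the original guide: the 128-bit target and the 2 bits per character figure are the ones used in the text, the character-class rule in assess is my own rough approximation, and awk (for log2) is the only dependency beyond a POSIX shell.

```shell
#!/bin/sh
# Added example, not part of the original guide: the passphrase arithmetic from
# the text above as shell functions, plus a rough strength check that reads a
# candidate passphrase from stdin (never pass it as an argument: argv is
# visible to every user in ps). The 128-bit target and the 2 bits/character
# estimate for English text are the guide's figures.
export LC_ALL=C   # byte-wise lengths and ASCII ranges in the case patterns

# random_bits LENGTH CHARSET: bits of entropy for LENGTH characters chosen
# uniformly from an alphabet of CHARSET symbols (LENGTH * log2(CHARSET)).
random_bits() {
    awk -v n="$1" -v c="$2" 'BEGIN { printf "%.1f\n", n * log(c) / log(2) }'
}

# min_random_length TARGET CHARSET: shortest random passphrase over CHARSET
# symbols that reaches TARGET bits (rounded up).
min_random_length() {
    awk -v t="$1" -v c="$2" 'BEGIN {
        n = t / (log(c) / log(2)); printf "%d\n", (n == int(n)) ? n : int(n) + 1 }'
}

# min_phrase_length TARGET: shortest English phrase at ~2 bits per character.
min_phrase_length() {
    awk -v t="$1" 'BEGIN { n = t / 2; printf "%d\n", (n == int(n)) ? n : int(n) + 1 }'
}

# assess: read one passphrase from stdin and print "ok BITS" or "weak BITS".
# Anything containing a space is treated as natural language (2 bits/char);
# otherwise the alphabet size is taken from the character classes present
# (26 lower, 26 upper, 10 digits, 32 punctuation), i.e. the best case for an
# attacker who already knows which classes were used.
assess() {
    IFS= read -r p
    len=${#p}
    if [ "$len" -eq 0 ]; then
        echo "weak 0.0"
        return
    fi
    case "$p" in
        *" "*)
            bits=$(awk -v n="$len" 'BEGIN { printf "%.1f", n * 2 }') ;;
        *)
            c=0
            case "$p" in *[a-z]*) c=$((c + 26)) ;; esac
            case "$p" in *[A-Z]*) c=$((c + 26)) ;; esac
            case "$p" in *[0-9]*) c=$((c + 10)) ;; esac
            case "$p" in *[!A-Za-z0-9]*) c=$((c + 32)) ;; esac
            bits=$(random_bits "$len" "$c") ;;
    esac
    if awk -v b="$bits" 'BEGIN { exit (b >= 128) ? 0 : 1 }'; then
        echo "ok $bits"
    else
        echo "weak $bits"
    fi
}

# Usage: printf '%s\n' 'your passphrase' | sh passphrase-check.sh --check
if [ "${1:-}" = "--check" ]; then
    assess
fi
```

The random-character estimate is only valid for passphrases that were actually generated at random; a sentence you made up scores as natural language only if it contains spaces, so treat "ok" as an upper bound, not a guarantee.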
Now let's open the new crypto partition as croot:

cryptsetup luksOpen /dev/hda3 croot

We need to enter our LUKS passphrase, and the decrypted device appears as /dev/mapper/croot:

Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.

If we used cryptsetup luksFormat instead of luksformat, we need to create the filesystem manually now:

sudo mkfs.ext3 /dev/mapper/croot

Now mount it on /mnt:

mount /dev/mapper/croot /mnt
Step four: prepare the encrypted system

Now copy the system onto the new crypto partition (this takes a few minutes; add the -v switch to cp for verbose output):

cd /mnt
cp -xa / .

Chroot into the new system:

cd /
mount --bind proc mnt/proc
mount --bind sys mnt/sys
mount --bind dev mnt/dev
chroot /mnt

Mount the /boot partition:

mount /dev/hda1 /boot

Edit /etc/crypttab (the last two entries must stay commented out FOR NOW!):

nano /etc/crypttab

Crypttab should look like this:

# <target name> <source device>         <key file>      <options>
croot /dev/hda3 none luks
#cswap /dev/hda2 /dev/urandom swap
#chome /dev/hda4 /etc/keys/home.key luks

Edit /etc/fstab (the cswap and chome entries must stay commented out FOR NOW!):

nano /etc/fstab

First comment out the active root entry (don't forget this!). Then add:

/dev/mapper/croot / ext3 defaults,errors=remount-ro 0 1
#/dev/mapper/cswap none swap sw 0 0
#/dev/mapper/chome /home ext3 defaults 0 2

/etc/fstab should now look like this (the UUIDs are placeholders):

# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# /dev/hda2
#UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/croot / ext3 defaults,errors=remount-ro 0 1
# /dev/mapper/cswap none swap sw 0 0
# /dev/mapper/chome /home ext3 defaults 0 2
# /dev/hda1
UUID=2fca8417-07de-4a7b-a8cb-4cfeddc89c7d /boot ext3 defaults 0 2
/dev/hdc /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
Make a key for the encrypted home (root-only from the start):

mkdir -p /etc/keys
chmod 0700 /etc/keys
(umask 077; dd if=/dev/urandom of=/etc/keys/home.key bs=1K count=1)
chmod 0600 /etc/keys/home.key

The key is stored in /etc/keys. The cryptsetup boot scripts print a warning (INSECURE MODE FOR /etc/keys/home.key) when a key file is readable by anyone but root, so keep it at mode 0600 and owned by root. The file lives on the encrypted root, so at rest it is as protected as everything else; anyone who can read it already has root on the running system. BTW: you can also unlock chome by typing a passphrase instead of using the key file, but then you need to change the /etc/crypttab entry accordingly (key file none). Now the important part: build a new initramfs, which picks up the croot entry from /etc/crypttab (this takes a few minutes):
cd /boot
update-initramfs -u
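The key file step above with root-only permissions from the start, plus a check of the properties that matter, as an added example that is not part of the original guide. It assumes GNU stat(1) and /dev/urandom; the directory and file name are parameters so it can be tried on a temporary directory before touching /etc/keys, and the "no group/other bits" rule is my own check, not the boot script's exact test.

```shell
#!/bin/sh
# Added example, not part of the original guide: create the /home key file the
# way the guide does, but root-only from the start, and check the properties
# that matter (exists, 1024 bytes, owned by root, no group/other permission
# bits). On the real system: make_keyfile /etc/keys home.key

# make_keyfile DIR NAME [BYTES]: DIR/NAME filled from /dev/urandom (default 1024 bytes).
make_keyfile() {
    dir="$1"; name="$2"; bytes="${3:-1024}"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    # umask 077 in a subshell: the file is never group/world readable, not even
    # between creation and chmod, and the caller's umask is left alone.
    ( umask 077 && dd if=/dev/urandom of="$dir/$name" bs="$bytes" count=1 2>/dev/null )
    chmod 0600 "$dir/$name"
}

# keyfile_problems FILE [BYTES]: print a space separated list of problems
# ("missing", "mode", "not-root", "size") and return 1, or print nothing and
# return 0. GNU stat(1) is assumed.
keyfile_problems() {
    f="$1"; want="${2:-1024}"
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    problems=""
    mode=$(stat -c %a "$f")
    # group/other permission bits are what the INSECURE MODE warning is about
    case "$mode" in *00) ;; *) problems="$problems mode" ;; esac
    [ "$(stat -c %u "$f")" -eq 0 ] || problems="$problems not-root"
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq "$want" ] || problems="$problems size"
    problems="${problems# }"
    [ -z "$problems" ] && return 0
    echo "$problems"
    return 1
}

# Usage: sh keyfile.sh /etc/keys home.key
if [ $# -ge 2 ]; then
    make_keyfile "$1" "$2"
    keyfile_problems "$1/$2" || exit 1
fi
```

Run the check again after any backup/restore of the root filesystem: tools that do not preserve ownership or mode will reintroduce exactly the condition the warning is about.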
Now we need to fix the Grub menu (look for the kernel line and set root=/dev/mapper/croot):

nano /boot/grub/menu.lst

Change the menu entry like this:

title Ubuntu, kernel 2.6.20-15-server
root (hd0,0)
kernel /vmlinuz-2.6.20-15-server root=/dev/mapper/croot ro quiet nosplash
initrd /initrd.img-2.6.20-15-server
quiet
savedefault

To avoid having to repeat this after every kernel update, also change two commented lines in the same file; update-grub reads them when it regenerates the menu entries. Replace UUID=some-long-uuid-string with /dev/mapper/croot in the line

# kopt=root=UUID=some-long-uuid-string ro

and replace splash with nosplash in the line beginning with

# defoptions=quiet splash

Keep the comment sign at the beginning of these lines! Additional info by Matej Kovačič: after upgrading to Gutsy and updating it, the splash screen lets you enter the LUKS passphrase, so nosplash is no longer needed there. Reboot the system:
- press Ctrl-D to exit the chroot environment
reboot
Step five: encrypted home and swap
At the very beginning of the boot process you will see this text:

Starting up ...
Loading, please wait...
Setting up cryptographic volume croot (based on /dev/hda3)
Enter LUKS passphrase:

Enter your LUKS passphrase (for croot), log in and become root:

sudo su

You can overwrite the old root partition with random data if you like (this can take a long time):

dd if=/dev/urandom of=/dev/hda2 bs=16M

If you do not wipe it, you must at least format this partition as swap, otherwise cswap will not be set up at reboot: the partition still contains the old ext3 root filesystem, and the cryptsetup boot script refuses to put a random-key swap device on top of a partition that holds a recognisable filesystem.

mkswap /dev/hda2

Now there is another bug, No. 105266 in Ubuntu, which is easily worked around with this command:

mkdir /dev/.static/dev/mapper
Now let's format the future /home partition. For now we are using a passphrase and not a key file:

luksformat -t ext3 /dev/hda4

Open and mount this new partition (we need to enter the LUKS passphrase):

cryptsetup luksOpen /dev/hda4 chome
mount /dev/mapper/chome /mnt

Create the home directory for the current user (in my case for the user "matej"):

cd /mnt
mkdir matej
chown matej:matej matej

Add the key file to this crypto partition:

cryptsetup luksAddKey /dev/hda4 /etc/keys/home.key

(We could remove the original passphrase afterwards with cryptsetup luksDelKey /dev/hda4 <slot> (newer cryptsetup: luksRemoveKey or luksKillSlot); check the slots with cryptsetup luksDump /dev/hda4 first. Keep in mind that if only the key file remains, /home can no longer be opened once the encrypted root, and the key on it, is lost.) Now uncomment the cswap and chome entries in /etc/crypttab:

nano /etc/crypttab

Uncomment the cswap and chome entries in /etc/fstab as well:

nano /etc/fstab
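Because the crypttab and fstab entries are edited in two passes (commented out in step four, uncommented here), a consistency check before each reboot is worth having. The following is an added example, not from the original guide: it reports mapper names that fstab mounts but crypttab does not set up, which is exactly the state that leaves the boot waiting for a device that never appears. The two sample files are constructed copies of the guide's own entries.

```shell
#!/bin/sh
# Added example, not part of the original guide: before rebooting, make sure
# every /dev/mapper device that /etc/fstab mounts has an active (uncommented)
# line in /etc/crypttab. File paths are arguments so the check can run on copies.

# crypttab_targets FILE: active target names, one per line.
crypttab_targets() {
    awk '!/^[[:space:]]*#/ && NF >= 2 { print $1 }' "$1"
}

# fstab_mappers FILE: names fstab mounts from /dev/mapper/, one per line.
fstab_mappers() {
    awk '!/^[[:space:]]*#/ && $1 ~ /^\/dev\/mapper\// {
        sub(/^\/dev\/mapper\//, "", $1); print $1 }' "$1"
}

# missing_mappers CRYPTTAB FSTAB: print the mapper names fstab needs but
# crypttab does not define (space separated) and return 1; silent 0 otherwise.
missing_mappers() {
    missing=""
    for m in $(fstab_mappers "$2"); do
        crypttab_targets "$1" | grep -qx "$m" || missing="$missing $m"
    done
    missing="${missing# }"
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# write_sample DIR: constructed copies of the guide's two files at the point
# where cswap is still commented out in crypttab but already active in fstab.
write_sample() {
    cat > "$1/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
croot /dev/hda3 none luks
#cswap /dev/hda2 /dev/urandom swap
chome /dev/hda4 /etc/keys/home.key luks
EOF
    cat > "$1/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
/dev/mapper/croot / ext3 defaults,errors=remount-ro 0 1
/dev/mapper/cswap none swap sw 0 0
/dev/mapper/chome /home ext3 defaults 0 2
UUID=2fca8417-07de-4a7b-a8cb-4cfeddc89c7d /boot ext3 defaults 0 2
EOF
}

# Usage on the real files: sh crypt-check.sh /etc/crypttab /etc/fstab
if [ $# -eq 2 ]; then
    missing_mappers "$1" "$2" || exit 1
fi
```

The check is deliberately one-directional: a crypttab target with no fstab user (a volume you mount by hand) is harmless, whereas an fstab mount with no crypttab target is the case that stops the boot.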
Reboot the system:
reboot
Step six: enter the fully encrypted system and set up the desktop

After the reboot, log in and check that the crypto devices are present:

ls /dev/mapper

We should get something like this:

chome  control  croot  cswap

Check the swap space:

cat /proc/swaps

We should get something like this:

Filename                        Type            Size    Used    Priority
/dev/mapper/cswap               partition       1951888 0       -1

Now comment out the CD-ROM source in APT's sources.list:

sudo nano /etc/apt/sources.list

Comment out this line:

# deb cdrom:[Ubuntu-Server 7.04 _Feisty Fawn_ - Release i386 (20070415)]/ feisty main restricted

Install the Ubuntu desktop:

sudo apt-get update
sudo apt-get install ubuntu-desktop

You will need to configure the X server (very easy; you only need to check the supported resolutions for your screen). Now we can install the generic kernel if we like:

sudo apt-get install linux-image-generic

After a reboot your system will start in graphical mode. Now we remove the old server kernel:

sudo apt-get remove --purge linux-image-2.6.20-15-server linux-image-server linux-server
Conclusion
That's it. Now you have a fully encrypted system (except the /boot partition, of course), using LUKS. You can add or delete (and therefore change) keys (passphrases). You can open your LUKS-formatted partitions on other Linux systems or even on Windows (for Windows you need the FreeOTFE program and an ext3 driver). However:
- full system encryption protects you only against offline attacks (an online attacker can still break into the running system and access your data);
- be careful with your passphrase (and use a good one!);
- do your backups regularly (if possible on encrypted media or in a safe place. BTW: LUKS-formatted media can be mounted easily in Gnome: when you connect an encrypted USB drive, you get a pop-up asking for the passphrase, and the encrypted partition is mounted automatically once the right passphrase is given);
- be aware of possible attacks on the /boot partition or the hardware (someone could install a keyboard sniffer into the unencrypted /boot partition, attach a hardware keylogger, a PCI rootkit, a hacked USB or FireWire device, etc.).
But generally everything should work fine; just don't forget to repair the Grub menu after each kernel upgrade/update. If you forget, don't panic: you can fix it during the boot process. At boot time press Esc to enter the Grub menu, then press e (to edit), select the "kernel" line and press e again. Edit the line (root=/dev/mapper/croot), press Enter and then b to boot. This change is not saved, so you need to repair menu.lst manually after a successful boot. P. S. If you find this guide useful, please let us know.
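The Grub repair step is the one that has to be repeated after every kernel update, so here is a check for it as an added example that is not part of the original guide: it lists menu entries whose kernel line does not use /dev/mapper/croot and verifies or fixes the # kopt= line that update-grub copies into new entries. GNU sed -i is assumed; the sample menu.lst is constructed and the 2.6.20-16 kernel version in it is made up.

```shell
#!/bin/sh
# Added example, not part of the original guide: after a kernel update, list
# the menu.lst entries whose kernel line does not boot from the encrypted root
# and check (or fix) the "# kopt=" line that update-grub uses for new entries.
# The menu.lst path is an argument so it can run on a copy.

ROOTDEV="${ROOTDEV:-/dev/mapper/croot}"

# bad_entries FILE: titles of entries whose kernel line lacks root=$ROOTDEV.
bad_entries() {
    awk -v want="root=$ROOTDEV" '
        /^[[:space:]]*title[[:space:]]/ {
            title = $0; sub(/^[[:space:]]*title[[:space:]]+/, "", title) }
        /^[[:space:]]*kernel[[:space:]]/ && index($0, want) == 0 { print title }
    ' "$1"
}

# kopt_ok FILE: 0 if the "# kopt=" line already names root=$ROOTDEV.
kopt_ok() {
    grep -q "^# kopt=.*root=$ROOTDEV" "$1"
}

# fix_kopt FILE: point the "# kopt=" line at $ROOTDEV in place (GNU sed -i);
# run update-grub afterwards so the entries are regenerated from it.
fix_kopt() {
    sed -i "s|^# kopt=root=[^ ]*|# kopt=root=$ROOTDEV|" "$1"
}

# write_sample_menu DIR: constructed menu.lst with one entry that update-grub
# generated from an unchanged kopt line (made-up 2.6.20-16 kernel) and one
# entry that was fixed by hand as in the guide.
write_sample_menu() {
    cat > "$1/menu.lst" <<'EOF'
# kopt=root=UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e ro
# defoptions=quiet nosplash

title Ubuntu, kernel 2.6.20-16-generic
root (hd0,0)
kernel /vmlinuz-2.6.20-16-generic root=UUID=e8363198-819b-44e0-bba5-7b4dd58eef4e ro quiet nosplash
initrd /initrd.img-2.6.20-16-generic
quiet
savedefault

title Ubuntu, kernel 2.6.20-15-server
root (hd0,0)
kernel /vmlinuz-2.6.20-15-server root=/dev/mapper/croot ro quiet nosplash
initrd /initrd.img-2.6.20-15-server
quiet
savedefault
EOF
}

# Usage: sh grub-check.sh /boot/grub/menu.lst
if [ $# -eq 1 ]; then
    bad_entries "$1"
    kopt_ok "$1" || echo "kopt line does not use $ROOTDEV; run fix_kopt and update-grub"
fi
```

fix_kopt only corrects the template line; the entries themselves are rewritten when update-grub runs, so run both and then bad_entries again before rebooting.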
Dear Matej and Jožko, I found it extremely useful, thus I dared to enhance this page as given above. Feel free to incorporate my ideas as if they were your own. Rainer Perske

Thanks for the update - we tested it, and it is working. However, as mentioned, in new Gutsy with updates the splash screen is working. Matej Kovačič