{{From|https://help.ubuntu.com/community/EncryptedFilesystemHowto3}}
== Encrypted Swap and Home with LUKS on Ubuntu 6.06 and 5.10 ==
{|border="1" cellspacing="0"
| {i} Please refer to [[UbuntuHelp:EncryptedFilesystems|EncryptedFilesystems]] for further documentation.
|}
By Stefano Spinucci: virgo977virgo at <googlemail> dot com
=== Introduction ===
==== Notes ====
* Newer Ubuntu versions can encrypt the hard disk at installation time; for that you need to install from the alternate install CD. [http://users.piuha.net/martti/comp/ubuntu/en/cryptolvm.html Here are instructions for install-time encryption].
* In this tutorial we assume that:
** the old (unencrypted) and the new (encrypted) swap are both in the partition '/dev/hda2';
** the new (encrypted) home is in the partition '/dev/hda3'.
Replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.
* dm-crypt works by transparently translating (in the kernel) between a physical on-disk partition, which holds only ciphertext, and a logical device that you can mount and use as normal. So, for example, to operate on your home partition you must use /dev/mapper/home instead of /dev/hda3; the only time you address /dev/hda3 directly is when formatting or opening the LUKS container.
* If you also run Windows and need to encrypt it, that can be done [http://blog.redinnovation.com/2008/07/15/perfect-dual-boot-crypted-hard-disk-setup-with-truecrypt-and-luks/ with free open source tools in a Linux-friendly manner].
==== Warnings ====
Encrypting a partition is a destructive operation, so your new home partition (/dev/hda3) must be empty: all data on it will be erased.
Unencrypted data in the old home directory will not be deleted and will remain accessible, for example from a live CD; so you should not put any sensitive data in home before encrypting.
If you already have sensitive data in the old unencrypted home that must be deleted securely, <code><nowiki>shred</nowiki></code> the old home directory.
If the partition containing the old home directory is formatted with a journaled file system (JFS, ReiserFS, XFS, ext3, etc.), shredding individual files is not reliable, because the journal may still hold copies of the data; you must boot from a live CD and <code><nowiki>shred</nowiki></code> the entire partition containing the old home directory.
If the shredded partition is the one containing the OS, reinstall Ubuntu and finally mount the previously created encrypted home.
References for secure deletion:
* [http://man.linuxquestions.org/index.php?query=shred&type=2&section=1 shred man page]
* [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html Secure Deletion of Data - by Peter Gutmann]
==== Strong Passwords ====
Remember that ''a chain is only as strong as its weakest link'', and in the encryption chain the passphrase is usually the weakest link: an attacker who can guess it does not need to attack AES at all.
So choose a strong passphrase, or your data will be no more secure than without encryption.
References for strong passwords:
* [[UbuntuWiki:StrongPasswords|Strong Passwords (Ubuntu wiki)]]
* [http://diceware.com The Diceware Passphrase Home Page]
* [http://en.wikipedia.org/wiki/Password_strength Password strength (Wikipedia)]
* [http://en.wikipedia.org/wiki/Password_cracking Password cracking (Wikipedia)]
* [http://en.wikipedia.org/wiki/Key_size Key size (Wikipedia)]
=== Install cryptsetup ===
Enable the 'community maintained' (universe) repository from the Synaptic package manager or by editing the file /etc/apt/sources.list (the APT sources list).
Install cryptsetup:
<pre><nowiki>
$ sudo apt-get install cryptsetup
</nowiki></pre>
=== Encrypted Home ===
Unmount /dev/hda3 if it is mounted:
<pre><nowiki>
$ sudo umount /dev/hda3
</nowiki></pre>
Check the partition for bad blocks (and wait several minutes...). The -w write-mode test destroys whatever is on the partition, which is acceptable here because /dev/hda3 must be empty anyway:
<pre><nowiki>
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3
</nowiki></pre>
Fill the partition with random data (and wait many more minutes...). This way an attacker cannot tell which blocks hold encrypted data and which have never been used. /dev/urandom is not as random as /dev/random, but /dev/random would block for far too long on this much data, so urandom is the best practical choice:
<pre><nowiki>
$ sudo dd if=/dev/urandom of=/dev/hda3
</nowiki></pre>
Create a LUKS partition:
<pre><nowiki>
$ sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3
</nowiki></pre>
(The aes-cbc-essiv:sha256 cipher specification was the recommended choice for the kernels of that era; current cryptsetup releases default to aes-xts-plain64, and on a modern system the defaults are preferable.)
'''NOTE''': If you get errors saying the kernel cannot use dm-crypt, run <code><nowiki>sudo modprobe dm-crypt</nowiki></code> and retry creating the LUKS partition; if that helps, add the module <code><nowiki>dm-crypt</nowiki></code> to the file <code><nowiki>/etc/modules</nowiki></code> so that it is loaded at boot.
Set up the device mapper:
<pre><nowiki>
$ sudo cryptsetup luksOpen /dev/hda3 home
</nowiki></pre>
Confirm it worked:
<pre><nowiki>
$ sudo cryptsetup status home
/dev/mapper/home is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/.static/dev/hda3
  offset:  2056 sectors
  size:    20962706 sectors
  mode:    read/write
</nowiki></pre>
Create the filesystem (e.g. ext3):
<pre><nowiki>
$ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home
</nowiki></pre>
Mount it temporarily, to copy the data from the old home:
<pre><nowiki>
$ sudo mount -t ext3 /dev/mapper/home /mnt
</nowiki></pre>
Copy the data from the old home. Do this from a root shell with no other users logged in, so that nothing writes to /home while it is being copied:
<pre><nowiki>
$ sudo cp -axv /home/* /mnt/
</nowiki></pre>
Unmount the temporary mount:
<pre><nowiki>
$ sudo umount /mnt
</nowiki></pre>
==== Permanent Mounting ====
===== Ubuntu 6.06 =====
Insert in /etc/fstab:
<pre><nowiki>
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
</nowiki></pre>
After that, add an entry in /etc/crypttab:
<pre><nowiki>
# <target device> <source device> <key file> <options>
home /dev/hda3 none luks
</nowiki></pre>
Reboot, and the encrypted home is done. You will be asked for the passphrase during boot, before /home is mounted.
===== Ubuntu 5.10 =====
Because 'crypttab' in Ubuntu 5.10 doesn't support LUKS encrypted partitions, automatic mounting of home with Ubuntu 5.10 is a bit more difficult.
Create a file named 'cryptinit' in /etc/init.d/ with the following content:
<pre><nowiki>
#! /bin/sh
# If this script is executed while home is already open, close it;
# otherwise try to open it, up to three times, then continue without
# opening it.
if [ -b /dev/mapper/home ]; then
    /sbin/cryptsetup luksClose home
else
    i=3
    while [ $i -gt 0 ]; do
        # count down the remaining attempts (POSIX arithmetic, works with any /bin/sh)
        i=$((i - 1))
        /sbin/cryptsetup luksOpen /dev/hda3 home && i=0
    done
fi
</nowiki></pre>
Make 'cryptinit' executable:
<pre><nowiki>
$ sudo chmod 755 /etc/init.d/cryptinit
</nowiki></pre>
Then create a symlink to 'cryptinit' in /etc/rcS.d, so that it runs early in the boot sequence, before the filesystems listed in /etc/fstab are mounted:
<pre><nowiki>
$ cd /etc/rcS.d
$ sudo ln -s ../init.d/cryptinit S28cryptinit
</nowiki></pre>
Insert in /etc/fstab:
<pre><nowiki>
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
</nowiki></pre>
Reboot, and the encrypted home is done.
===== Notes =====
With the instructions above about encrypting home you can also encrypt generic data partitions (other than home), and you can permanently mount them in two ways.
The first technique is the one shown above for home: the passphrase is requested early in the boot process, when the init scripts run (not while the kernel itself is loading).
The second technique, explained here, asks for the passphrase right at the end of the boot process, at the GNOME login:
* Do not make any modifications to /etc/fstab or /etc/crypttab
* Add the encrypted partition to /etc/pmount.allow (e.g. <code><nowiki>/dev/hda3</nowiki></code>)
This gives you the convenience of entering the passphrase at the end of the boot process rather than in the middle. However, a [https://launchpad.net/distros/ubuntu/+ticket/985 bug] means that your encrypted partition will always be called 'usbdisk', whether it is a USB disk or not.
==== Manual Mounting and Unmounting ====
If you have encrypted partitions other than home and you don't want to unlock them at boot, you need to mount and unmount them manually. In the example below the encrypted partition is /dev/hda4, mapped as 'data' and mounted on /media/data (create that directory once with <code><nowiki>sudo mkdir /media/data</nowiki></code>).
===== Mounting =====
Set up the device mapper (you will be asked for the passphrase):
<pre><nowiki>
$ sudo cryptsetup luksOpen /dev/hda4 data
</nowiki></pre>
Mount it:
<pre><nowiki>
$ sudo mount /dev/mapper/data /media/data
</nowiki></pre>
===== Unmounting =====
Unmount it:
<pre><nowiki>
$ sudo umount /media/data
</nowiki></pre>
Remove the device mapping. Do not skip this step when you are done: as long as the mapping exists the volume key stays in kernel memory and the data is readable by anyone with root on the machine.
<pre><nowiki>
$ sudo cryptsetup luksClose data
</nowiki></pre>
=== Encrypted Swap ===
Before setting up the encrypted swap, the file /etc/fstab should have a swap entry like this:
<pre><nowiki>
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda2 none swap sw 0 0
</nowiki></pre>
Now just replace /dev/hda2 in /etc/fstab with the new device name /dev/mapper/cswap:
<pre><nowiki>
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cswap none swap sw 0 0
</nowiki></pre>
After that, add an entry in /etc/crypttab:
<pre><nowiki>
# <target device> <source device> <key file> <options>
cswap /dev/hda2 /dev/random swap
</nowiki></pre>
Reboot, and that's it! The encrypted swap device is done; confirm it worked:
<pre><nowiki>
$ cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       3148700 0       -1
$ sudo cryptsetup status cswap
/dev/mapper/cswap is active:
  cipher:  aes-cbc-plain
  ...
  mode:    read/write
</nowiki></pre>
Read the crypttab(5) manpage for more information. A few points worth knowing before you switch:
* The 'swap' option makes the init scripts run mkswap on the freshly opened device at every boot. That is what makes a new random key on every boot workable: the previous swap contents are simply discarded along with the previous key.
* Because the key is never stored anywhere, suspend-to-disk (hibernation) cannot resume from a swap set up this way.
* /dev/random can block at boot while the entropy pool fills, which shows up as a long pause before the swap is activated; /dev/urandom as the key source avoids the pause, at no practical loss for a throwaway key.
* Whatever was paged out before you switched is still on /dev/hda2 in plaintext until those sectors are overwritten, so run swapoff and overwrite the partition with random data (as done for /dev/hda3 above) before the first encrypted boot.
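Before rebooting with either the home entries from 'Permanent Mounting' or the swap entries above, it is worth checking that /etc/fstab and /etc/crypttab agree: a mapper device in fstab with no crypttab target leaves the system unable to mount /home, a LUKS volume without the 'luks' option cannot be opened by the init scripts, and a random key on anything other than swap destroys that volume's contents at the next boot. The following shell function is an added example, not part of the original howto or of the cryptsetup package. It takes the two files as arguments, so it can be run against copies, and reports those three classes of mistake. The sample fstab and crypttab it runs on at the end are constructed here to match the entries used in this howto.

```sh
# Added example (not from the original howto): a pre-reboot consistency check
# for the /etc/fstab and /etc/crypttab entries created above.
# Usage: check_crypt_config /etc/fstab /etc/crypttab
# Prints one line per problem found and returns the number of problems.

check_crypt_config() {
    fstab=$1
    crypttab=$2
    problems=0

    # 1. Every /dev/mapper/NAME mounted from fstab needs a crypttab target NAME,
    #    otherwise nothing creates the mapping and the mount fails at boot.
    for dev in $(awk '!/^[ \t]*#/ && $1 ~ /^\/dev\/mapper\// { print $1 }' "$fstab"); do
        name=${dev#/dev/mapper/}
        if ! awk -v n="$name" '!/^[ \t]*#/ && $1 == n { found = 1 } END { exit !found }' "$crypttab"; then
            echo "fstab mounts $dev but crypttab has no target '$name'"
            problems=$((problems + 1))
        fi
    done

    # 2. Per-entry option checks on crypttab.
    while read -r target source key opts; do
        case $target in ''|"#"*) continue ;; esac
        case $key in
            /dev/random|/dev/urandom)
                # A fresh random key on every boot is only sane for swap, which
                # the 'swap' option re-creates with mkswap; on anything else the
                # data becomes unreadable after the next reboot.
                case ",$opts," in
                    *,swap,*) ;;
                    *) echo "crypttab target '$target' has a random key but no 'swap' option"
                       problems=$((problems + 1)) ;;
                esac ;;
            none)
                # No key file means a passphrase prompt, which the init scripts
                # only do for LUKS volumes flagged with the 'luks' option.
                case ",$opts," in
                    *,luks,*) ;;
                    *) echo "crypttab target '$target' has no key file and no 'luks' option"
                       problems=$((problems + 1)) ;;
                esac ;;
        esac
    done < "$crypttab"

    return $problems
}

# Demo on constructed copies of the entries from this howto (never point a
# script you have not read at the live /etc files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
/dev/mapper/cswap none swap sw 0 0
EOF
cat > "$demo_dir/crypttab" <<'EOF'
# <target device> <source device> <key file> <options>
home /dev/hda3 none luks
cswap /dev/hda2 /dev/random swap
EOF
if check_crypt_config "$demo_dir/fstab" "$demo_dir/crypttab"; then
    echo "fstab and crypttab are consistent; safe to reboot"
fi
rm -rf "$demo_dir"
```

Run it as <code>check_crypt_config /etc/fstab /etc/crypttab</code> after editing both files; a zero exit status means every mapper device in fstab has a matching, correctly flagged crypttab entry. The check is deliberately conservative: it does not try to open anything, so it can run on copies of the files or from a live CD.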
=== Encrypting with Keyfiles ===
With LUKS you can unlock a volume with a key file instead of a passphrase.
You can add a key file with the command luksFormat or with the command luksAddKey.
For example, you can add a passphrase on slot 0 with luksFormat and a key file on slot 1 with luksAddKey; then you can open your encrypted device with the key file and, if you lose the key file, you can still use the passphrase. (A LUKS header has eight key slots; each holds a copy of the same volume key, wrapped with that slot's passphrase or key file, so any one of them unlocks the volume.)
For better security you can store your key files on a USB stick, possibly encrypting the USB stick with a passphrase. A key file kept in the clear on the same machine protects nothing: anyone who can read the file can open the volume, so it must at least be readable by root only (mode 0400).
You can use any file you like as a key file; for example, to generate a 2048-bit (256-byte) random key:
<pre><nowiki>
$ dd if=/dev/random of=keyfile bs=1 count=256
</nowiki></pre>
Then, to add the generated key file to an existing encrypted partition (the command will ask you for the passphrase stored on slot 0):
<pre><nowiki>
$ sudo cryptsetup luksAddKey /dev/hda4 keyfile
</nowiki></pre>
Finally, to open the encrypted partition with the key file:
<pre><nowiki>
$ sudo cryptsetup luksOpen /dev/hda4 data --key-file keyfile
</nowiki></pre>
If you want to disable (delete) the key file on slot 1:
<pre><nowiki>
$ sudo cryptsetup luksDelKey /dev/hda4 1
</nowiki></pre>
In current cryptsetup releases luksDelKey has been replaced by <code><nowiki>luksKillSlot</nowiki></code>, which takes the same arguments. Either way, check with <code><nowiki>cryptsetup luksDump /dev/hda4</nowiki></code> which slots are enabled before removing one, and never remove the last enabled slot: without it the volume key is gone and the data is permanently unreadable.
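The script below is an added example, not part of the original howto or of cryptsetup itself. It creates the 256-byte key file described above with a restrictive mode from the very start (there is never a moment in which it is world-readable), verifies size and permissions before the key is used anywhere, and then shows the luksAddKey/luksOpen commands from this section as a dry run, since they need root and a real LUKS device. /dev/hda4 and the mapping name 'data' follow the example above; the function names, the DRY_RUN variable and the use of /dev/urandom instead of /dev/random (so that it does not block) are choices of this example. It assumes GNU coreutils (head -c, stat -c) on Linux.

```sh
# Added example (not from the original howto): create and check a LUKS key file,
# then show the cryptsetup commands from this section as a dry run.

make_keyfile() {
    # $1 = path of the key file to create, $2 = size in bytes (default 256 = 2048 bits)
    path=$1
    size=${2:-256}
    # Create the file under a restrictive umask first, so it never exists
    # world-readable, then fill it from the kernel RNG and lock it to 0400.
    (umask 077 && : > "$path") || return 1
    head -c "$size" /dev/urandom > "$path" || return 1
    chmod 0400 "$path" || return 1
    keyfile_ok "$path" "$size"
}

keyfile_ok() {
    # Return 0 if $1 is unreadable by group and other and, when $2 is given,
    # has exactly $2 bytes. A key file anyone on the machine can read is
    # equivalent to having no passphrase at all.
    path=$1
    want=$2
    mode=$(stat -c %a "$path") || return 1
    case $mode in
        400|600) ;;
        *) echo "$path: mode $mode exposes the key to other users" >&2; return 1 ;;
    esac
    if [ -n "$want" ]; then
        have=$(wc -c < "$path" | tr -d ' ')
        if [ "$have" -ne "$want" ]; then
            echo "$path: expected $want bytes, found $have" >&2
            return 1
        fi
    fi
    return 0
}

add_keyfile_to_luks() {
    # $1 = LUKS device, $2 = key file, $3 = mapping name.
    # With DRY_RUN set, print the commands instead of running them (they need
    # root and a real LUKS header). The key file is checked either way.
    dev=$1; keyfile=$2; name=$3
    keyfile_ok "$keyfile" || return 1
    if [ -n "$DRY_RUN" ]; then
        echo "cryptsetup luksAddKey $dev $keyfile   # asks for the passphrase of an existing slot"
        echo "cryptsetup luksOpen $dev $name --key-file $keyfile"
        echo "cryptsetup luksDump $dev             # confirm which key slots are now enabled"
    else
        cryptsetup luksAddKey "$dev" "$keyfile" &&
        cryptsetup luksOpen "$dev" "$name" --key-file "$keyfile" &&
        cryptsetup luksDump "$dev"
    fi
}

# Demo: build a key file in a scratch directory and print the dry-run plan.
demo=$(mktemp -d)
if make_keyfile "$demo/keyfile" 256; then
    echo "key file ready: $(stat -c '%s bytes, mode %a' "$demo/keyfile")"
    DRY_RUN=1
    add_keyfile_to_luks /dev/hda4 "$demo/keyfile" data
    unset DRY_RUN
fi
rm -rf "$demo"
```

To use it for real, keep the key file on removable media as the text suggests, run <code>make_keyfile /media/usbstick/keyfile</code> as root, then call <code>add_keyfile_to_luks /dev/hda4 /media/usbstick/keyfile data</code> without DRY_RUN set. The permission check is the part worth keeping even if you type the cryptsetup commands by hand.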
=== Tools ===
* [http://sourceforge.net/projects/cryptmount/ cryptmount]
=== References ===
* [http://luks.endorphin.org/dm-crypt LUKS on dm-crypt]
* [http://www.saout.de/misc/dm-crypt/ dm-crypt]
* [http://news.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt dm-crypt mailing list]
* [http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedDeviceUsingLUKS Encrypted Device Using LUKS]
* <code><nowiki>/usr/share/doc/cryptsetup/CryptoSwap.HowTo</nowiki></code> How to configure an encrypted swap partition on Debian systems
* [[UbuntuWiki:EncryptedFilesystemHowto|Encrypted filesystem howto (Ubuntu)]]
* [[UbuntuWiki:EncryptedFilesystemHowto2|Encrypted filesystem howto 2 (Ubuntu)]]
* [http://deb.riseup.net/storage/encryption/dmcrypt/ dmcrypt (Debian)]
* [http://www.raoul.shacknet.nu/2005/11/10/encrypt-devices-using-dm-crypt-and-luks/ Encrypt devices using dm-crypt and LUKS (Fedora Core)]
* [http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt SECURITY Encrypting Root Filesystem with DM-Crypt (Gentoo)]
----
[[category:CategorySecurity]]
[[category:UbuntuHelp]]
<<Include(Tag/ContentCleanup)>>
Encrypted Swap and Home with LUKS on Ubuntu 6.06 and 5.10
{i} Please refer to EncryptedFilesystems for further documentation. |
By Stefano Spinucci: virgo977virgo at <googlemail> dot com
Introduction
Notes
- Newer Ubuntu versions can do hard disk encryption during installation time. You need to install from alternative install CD. Here are instructions for install time encryption.
- In this tutorial we assume that:
- Old (unencrypted) and the new (encrypted) swap is in the partition '/dev/hda2'
- New home (encrypted) is in the partition '/dev/hda3'
Replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.
- DM-Crypt works by transparently translating (in the kernel) between a physical on-disk partition (which is encrypted) and a logical partition which you can then mount and use as normal; then, for example, to operate on your home partition you must do so by using /dev/mapper/home instead of /dev/hda3.
- If you are using Windows and you need to encrypt it also, it can be done with free open source tools in Linux friendly manner.
Warnings
Encrypting a partition is a destructive operation; then, your new home
partition (/dev/hda3) must be empty, because all data on it will be erased.
Unencrypted data on the old home directory won’t be deleted and will be
accessible, for example, with a live CD; then, you shouldn't put any
sensitive data on home before encrypting.
Otherwise, if you have sensitive data to delete securely from the old
unencrypted home, you should shred
the old home directory.
If the partition containing the old home directory is formatted with a
journaled file system (JFS, ReiserFS, XFS, Ext3, etc.), you must boot with
a live CD and shred
the entire partition containing the old home
directory.
If the shredded partition is the partition containing the OS, reinstall
ubuntu, and finally mount the previously created encrypted home.
References for secure deletion:
Strong Passwords
Remember that a chain is only as strong as its weakest link, and in the encryption chain the password is always the weakest link. Then, choose a strong password, or your data won't be more secure than without encryption. References for strong passwords:
- Strong|Passwords (Ubuntu wiki)
- The Diceware Passphrase Home Page
- Password strength (Wikipedia)
- Password cracking (Wikipedia)
- Key size (Wikipedia)
Install cryptsetup
Enable 'community maintained' (universe) repository from the Synaptic package manager or modifying the file /etc/apt/sources.list (APT sources list). Install cryptsetup:
$ sudo apt-get install cryptsetup
Encrypted Home
Unmount (if mounted) /dev/hda3
$ sudo umount /dev/hda3
Check the partition for errors (and wait several minutes...):
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/hda3
Fill the disk with random data (and wait many more minutes...); /dev/urandom won't be as random as /dev/random, but it is the best practical solution available:
$ sudo dd if=/dev/urandom of=/dev/hda3
Create a LUKS partition:
$ sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/hda3
NOTE: If you get errors that the kernel may not use dm-crypt, try the command modprobe dm-crypt
and retry to create the LUKS partition; if that helps, you may also want to add the module dm-crypt
to the file /etc/modules
.
Set up the device mapper:
$ sudo cryptsetup luksOpen /dev/hda3 home
Confirm it worked:
$ sudo cryptsetup status home
/dev/mapper/home is active:
  cipher:  aes-cbc-essiv:sha256
  keysize: 256 bits
  device:  /dev/.static/dev/hda3
  offset:  2056 sectors
  size:    20962706 sectors
  mode:    read/write
Create the filesystem (e.g. ext3):
$ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/home
Temporary mount, to copy data from old home:
$ sudo mount -t ext3 /dev/mapper/home /mnt
Copy data from old home:
$ sudo cp -axv /home/* /mnt/
Unmount the temporary mount:
$ sudo umount /mnt
Permanent Mounting
Ubuntu 6.06
Insert in /etc/fstab :
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
After that, add an entry in /etc/crypttab:
# <target device> <source device> <key file> <options>
home /dev/hda3 none luks
Reboot, and the encrypted home is done.
Ubuntu 5.10
Because 'crypttab' in Ubuntu 5.10 doesn't support LUKS encrypted partitions, automatic mounting of home with Ubuntu 5.10 is a bit more difficult. Create a file named 'cryptinit' in /etc/init.d/ with the following content:
#! /bin/sh
# If this script is executed while home is already opened, it closes it;
# otherwise it tries to open it, up to three times, and then continues
# without opening it.
if [ -b /dev/mapper/home ]; then
    /sbin/cryptsetup luksClose home
else
    i=3
    while [ $i -gt 0 ]; do
        i=$((i - 1))    # POSIX arithmetic; "let" only works when /bin/sh is bash
        # a successful open sets i to 0 so the loop stops retrying
        /sbin/cryptsetup luksOpen /dev/hda3 home && i=0
    done
fi
Make 'cryptinit' executable
$ sudo chmod 755 /etc/init.d/cryptinit
Then, create a symlink to 'cryptinit' in /etc/rcS.d
$ cd /etc/rcS.d
$ sudo ln -s ../init.d/cryptinit S28cryptinit
Insert in /etc/fstab :
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/home /home ext3 defaults 1 2
Reboot, and the encrypted home is done.
Notes
With the instructions above about encrypting home you can also encrypt generic data partitions (other than home), and you can permanently mount them in two ways. The first technique is the one shown above for mounting home, and it asks for the password in the middle of the boot process. The second technique, explained here, asks for the password right at the end of the boot process, at the GNOME login:
- Do not make any modifications to /etc/fstab or /etc/crypttab
- Add the encrypted partition to /etc/pmount.allow (i.e. /dev/hda3)
This gives you the convenience of entering the password at the end of the boot process rather than in the middle. However, because of a bug your encrypted partition will always be called 'usbdisk', whether it is a USB disk or not.
Manual Mounting and Unmounting
If you have encrypted other partitions than home and you don't want to unlock those partitions on boot, then you need to manually mount and unmount them.
Mounting
Set up the device mapper:
$ cryptsetup luksOpen /dev/hda4 data
Mounting:
$ mount /dev/mapper/data /media/data
Unmounting
Unmounting:
$ umount /media/data
Delete the device mapper:
$ cryptsetup luksClose data
Encrypted Swap
Before setting the encrypted swap, the file /etc/fstab should have a swap entry like this:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda2 none swap sw 0 0
Now just replace /dev/hda2 in /etc/fstab with the new device name /dev/mapper/cswap:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cswap none swap sw 0 0
After that, add an entry in /etc/crypttab:
# <target device> <source device> <key file> <options>
cswap /dev/hda2 /dev/random swap
Reboot, and that's it! The encrypted swap device is done; confirm it worked:
$ cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       3148700 0       -1
$ sudo cryptsetup status cswap
/dev/mapper/cswap is active:
  cipher:  aes-cbc-plain
  keysize: 256 bits
  device:  /dev/.static/dev/hda2
  offset:  0 sectors
  size:    6297417 sectors
  mode:    read/write
Read the crypttab(5) manpage for more information.
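The fstab and crypttab pairs for home and swap are easy to leave half-edited (the old raw swap line still in fstab, or the crypttab entry forgotten), and the mistake only shows up at the next boot. The shell function below is an added example, not part of the original howto: it cross-checks the two files, and the demo runs it against constructed sample files mirroring the /dev/hda2 and /dev/hda3 layout assumed on this page.

```shell
# Added example (not from the original howto): cross-check fstab against
# crypttab before rebooting. Every /dev/mapper/NAME that fstab mounts needs a
# NAME target in crypttab, and a crypttab source device (e.g. /dev/hda2) must
# not still be listed raw in fstab, or boot stalls on /home or the old
# unencrypted swap partition gets activated alongside the encrypted one.
# Usage: check_crypt_consistency FSTAB CRYPTTAB  (exit status 0 = consistent)
check_crypt_consistency() {
    fstab=$1; crypttab=$2; rc=0
    # fstab column 1 is the device; comment and blank lines are skipped
    for dev in $(awk '!/^[[:space:]]*#/ && NF >= 2 { print $1 }' "$fstab"); do
        case "$dev" in /dev/mapper/*) ;; *) continue ;; esac
        name=${dev#/dev/mapper/}
        # crypttab column 1 is the target name
        if ! awk -v n="$name" '!/^[[:space:]]*#/ && $1 == n { f = 1 } END { exit !f }' "$crypttab"; then
            echo "fstab mounts $dev but crypttab has no target '$name'" >&2; rc=1
        fi
    done
    # crypttab column 2 is the source device; it must not also be in fstab raw
    for src in $(awk '!/^[[:space:]]*#/ && NF >= 2 { print $2 }' "$crypttab"); do
        if awk -v d="$src" '!/^[[:space:]]*#/ && $1 == d { f = 1 } END { exit !f }' "$fstab"; then
            echo "crypttab source $src is still listed raw in fstab" >&2; rc=1
        fi
    done
    return $rc
}

# Demo on constructed files mirroring the howto's hda2/hda3 layout.
# $1 = good | stale-swap | missing-target; returns the checker's exit status
demo_check() {
    dir=$(mktemp -d) || return 2
    printf '# <file system> <mount point> <type> <options> <dump> <pass>\n' > "$dir/fstab"
    printf '/dev/hda1 / ext3 defaults 0 1\n' >> "$dir/fstab"
    printf '/dev/mapper/home /home ext3 defaults 1 2\n' >> "$dir/fstab"
    printf '/dev/mapper/cswap none swap sw 0 0\n' >> "$dir/fstab"
    printf 'home /dev/hda3 none luks\n' > "$dir/crypttab"
    case "$1" in
        good) printf 'cswap /dev/hda2 /dev/random swap\n' >> "$dir/crypttab" ;;
        stale-swap)   # old unencrypted swap line was not replaced
            printf 'cswap /dev/hda2 /dev/random swap\n' >> "$dir/crypttab"
            printf '/dev/hda2 none swap sw 0 0\n' >> "$dir/fstab" ;;
        missing-target) ;;   # crypttab never got the cswap entry
    esac
    if check_crypt_consistency "$dir/fstab" "$dir/crypttab"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}
```

Run `check_crypt_consistency /etc/fstab /etc/crypttab` on the real files as root; a non-zero exit and a message on stderr means fix the files before rebooting.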
Encrypting with Keyfiles
With LUKS you can encrypt/decrypt with keyfiles instead of passphrases. You can add a keyfile with the command luksFormat or with the command luksAddKey. For example, you can add a passphrase on slot 0 with luksFormat and a keyfile on slot 1 with luksAddKey; then you can open your encrypted device with the keyfile and, if you lose the keyfile, you can always fall back to the passphrase. For better security you can store your keyfiles on a USB stick, possibly encrypting the USB stick itself with a passphrase. You can use any file you like as a keyfile; for example, to generate a 2048-bit random key:
$ dd if=/dev/random of=keyfile bs=1 count=256
Then, to add the generated keyfile to an existing encrypted partition:
The following command will require you to enter the passphrase stored on slot 0 two times:
$ sudo cryptsetup luksAddKey /dev/hda4 keyfile
Finally, to open the encrypted partition with the keyfile:
$ sudo cryptsetup luksOpen /dev/hda4 data --key-file keyfile
If you want to disable (delete) the keyfile on slot 1:
$ sudo cryptsetup luksDelKey /dev/hda4 1
Tools
References
- LUKS on dm-crypt
- dm-crypt
- dm-crypt wiki
- dm-crypt mailing list
- Encrypted Device Using LUKS
- /usr/share/doc/cryptsetup/CryptoSwap.HowTo (How to configure an encrypted swap partition on Debian systems)
- Encrypted filesystem howto (Ubuntu)
- Encrypted filesystem howto 2 (Ubuntu)
- dmcrypt (Debian)
- Encrypt devices using dm-crypt and LUKS (Fedora Core)
- SECURITY System Encryption DM-Crypt with LUKS (Gentoo)
- SECURITY Encrypting Root Filesystem with DM-Crypt with LUKS (Gentoo)
- SECURITY Encrypting Root Filesystem with DM-Crypt (Gentoo)