Special:Badtitle/NS100:EncryptedFilesystemHowto5: Difference between revisions
m No edit summary |
m No edit summary |
||
(7 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{From|https://help.ubuntu.com/community/EncryptedFilesystemHowto5}} | {{From|https://help.ubuntu.com/community/EncryptedFilesystemHowto5}} | ||
{{Languages|UbuntuHelp:EncryptedFilesystemHowto5}} | {{Languages|UbuntuHelp:EncryptedFilesystemHowto5}} | ||
#title Encrypted root, swap, and home using LUKS with no unencrypted key files available anywhere after boot | |||
{|border="1" cellspacing="0" | |||
submitted by John Bindel, | | {i} Please refer to [[UbuntuHelp:EncryptedFilesystems|EncryptedFilesystems]] for further documentation. | ||
|} | |||
submitted by John Bindel, jbindel@gmail.com. | |||
Please consider using the [[UbuntuHelp:EncryptedFilesystemLVMHowto|EncryptedFilesystemLVMHowto]] instead of these instructions. I may be able to help more with that, and it's a far better solution than this. | |||
This is even another procedure for encrypting a disk with Ubuntu 6.06. It uses a server installation, but the desktop could be used as long as the initial root filesystem is at least 2.6 GB to hold all of the normal installation files. | This is even another procedure for encrypting a disk with Ubuntu 6.06. It uses a server installation, but the desktop could be used as long as the initial root filesystem is at least 2.6 GB to hold all of the normal installation files. | ||
We will mount /keys encrypted partition from initrd script with a passphrase. We will then unlock our encrypted partitions via initrd using the encrypted keys partition so that they can be mounted during bootup. This how-to is similar to other how-tos in this wiki, but I wanted to make sure that no keys were visible even to root at run time rather than having the home partition keys available in /etc. | We will mount /keys encrypted partition from initrd script with a passphrase. We will then unlock our encrypted partitions via initrd using the encrypted keys partition so that they can be mounted during bootup. This how-to is similar to other how-tos in this wiki, but I wanted to make sure that no keys were visible even to root at run time rather than having the home partition keys available in /etc. | ||
We could put the /keys partition on a USB thumb drive as well, but that's less convenient though possibly even more secure because an attacker would need to have access to the thumb drive. | We could put the /keys partition on a USB thumb drive as well, but that's less convenient though possibly even more secure because an attacker would need to have access to the thumb drive. | ||
Some sources | Some sources | ||
[[UbuntuHelp:EncryptedFilesystemHowto3|EncryptedFilesystemHowto3]] | |||
EncryptedFilesystemHowto3 | [[UbuntuHelp:EncryptedFilesystem|EncryptedFilesystem]] | ||
EncryptedFilesystem | |||
==== Partition and Install ==== | ==== Partition and Install ==== | ||
Install the server version of Ubuntu with /dev/sda5 as /boot, /dev/sda7 as /, and no swap. '''NOTICE''': We do not initially use the final root and home partitions shown below because we will need to copy the initial installation to its encrypted destination after we install the operating system. | Install the server version of Ubuntu with /dev/sda5 as /boot, /dev/sda7 as /, and no swap. '''NOTICE''': We do not initially use the final root and home partitions shown below because we will need to copy the initial installation to its encrypted destination after we install the operating system. | ||
Manually edit the partition table. | Manually edit the partition table. | ||
<pre><nowiki> | |||
UE /dev/sda1 primary, "do not use" Future Windows partition for dual boot or vmware | |||
UE /dev/sda5 0.2 GB logical, ext3, /boot, bootable | UE /dev/sda5 0.2 GB logical, ext3, /boot, bootable | ||
EK /dev/sda6 >3 GB logical, "do not use" Future root partition. | EK /dev/sda6 >3 GB logical, "do not use" Future root partition. | ||
Line 30: | Line 24: | ||
EK /dev/sda9 lots GB logical, "do not use" Future home partition. | EK /dev/sda9 lots GB logical, "do not use" Future home partition. | ||
EP /dev/sda10 0.1 GB logical, "do not use" Future keys partition.</nowiki></pre> | EP /dev/sda10 0.1 GB logical, "do not use" Future keys partition.</nowiki></pre> | ||
The hibernation swap partition should be at least as big as your RAM size. | The hibernation swap partition should be at least as big as your RAM size. | ||
Commit changes to disk. Enter user information and let the installer put the OS on the disk. Reboot when done. | Commit changes to disk. Enter user information and let the installer put the OS on the disk. Reboot when done. | ||
==== Create New Initrd Image ==== | ==== Create New Initrd Image ==== | ||
Login and edit /etc/apt/sources.list. | Login and edit /etc/apt/sources.list. | ||
<code><nowiki>$ sudo vi /etc/apt/sources.list</nowiki></code> | |||
Uncomment the "universe" repository lines. There are two for "dapper universe" and two for "dapper-security universe." | Uncomment the "universe" repository lines. There are two for "dapper universe" and two for "dapper-security universe." | ||
Update the apt list. | Update the apt list. | ||
<code><nowiki>$ sudo apt-get update</nowiki></code> | |||
Install cryptsetup, hashalot, and initramfs-tools. | Install cryptsetup, hashalot, and initramfs-tools. | ||
<code><nowiki>$ sudo apt-get install cryptsetup hashalot initramfs-tools</nowiki></code> | |||
Add the following line to /etc/kernel-img.conf: | Add the following line to /etc/kernel-img.conf: | ||
<code><nowiki>ramdisk = /usr/sbin/mkinitramfs</nowiki></code> | |||
Add the following lines to /etc/mkinitramfs/modules: | Add the following lines to /etc/mkinitramfs/modules: | ||
<pre><nowiki> | |||
dm_mod | |||
dm_crypt | dm_crypt | ||
sha256 | sha256 | ||
aes_i586</nowiki></pre> | aes_i586</nowiki></pre> | ||
Create file /etc/mkinitramfs/hooks/cryptokeys. This script is executed when the init ramdisk image is built. | Create file /etc/mkinitramfs/hooks/cryptokeys. This script is executed when the init ramdisk image is built. | ||
<pre><nowiki> | |||
#!/bin/sh | |||
PREREQ="" | PREREQ="" | ||
Line 83: | Line 71: | ||
copy_exec /usr/bin/chvt /bin | copy_exec /usr/bin/chvt /bin | ||
copy_exec /sbin/cryptsetup /sbin</nowiki></pre> | copy_exec /sbin/cryptsetup /sbin</nowiki></pre> | ||
Create file /etc/mkinitramfs/scripts/local-top/cryptokeys. This script is executed during the init bootup. | Create file /etc/mkinitramfs/scripts/local-top/cryptokeys. This script is executed during the init bootup. | ||
<pre><nowiki> | |||
#!/bin/sh | |||
PREREQ="udev" | PREREQ="udev" | ||
Line 95: | Line 83: | ||
case $1 in | case $1 in | ||
# get pre-requisites | |||
prereqs) | prereqs) | ||
prereqs | prereqs | ||
Line 109: | Line 98: | ||
fi | fi | ||
sleep 3 | sleep 3 | ||
/sbin/cryptsetup luksOpen /dev/sda10 cryptokeys | |||
while ! /sbin/cryptsetup luksOpen /dev/sda10 cryptokeys; do | |||
echo "Try again..." | |||
done | |||
if grep -q splash /proc/cmdline; then | if grep -q splash /proc/cmdline; then | ||
/sbin/usplash -c & | /sbin/usplash -c & | ||
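Review bot: the new retry loop around "/sbin/cryptsetup luksOpen /dev/sda10 cryptokeys" has no exit condition. It retries for any failure, not only a mistyped passphrase, so if /dev/sda10 is missing or not yet present after the "sleep 3", boot prints "Try again..." forever and never reaches a recovery shell. Suggest checking that the device node exists before prompting, bounding the number of attempts, and exiting the script with an error once the limit is hit.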
Line 120: | Line 113: | ||
umount /cryptokeys | umount /cryptokeys | ||
/sbin/cryptsetup luksClose cryptokeys</nowiki></pre> | /sbin/cryptsetup luksClose cryptokeys</nowiki></pre> | ||
Make the scripts executable: | Make the scripts executable: | ||
<pre><nowiki> | |||
$ sudo chmod +x /etc/mkinitramfs/hooks/cryptokeys | |||
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptokeys</nowiki></pre> | $ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptokeys</nowiki></pre> | ||
Build a new initrd image: | Build a new initrd image: | ||
<code><nowiki>$ sudo update-initramfs -u ALL</nowiki></code> | |||
==== Create Encrypted Partitions ==== | ==== Create Encrypted Partitions ==== | ||
Check for bad blocks. This will take several minutes for each partition. This fills each partition with pseudorandom data from the not-so-random libc pseudorandom source. | Check for bad blocks. This will take several minutes for each partition. This fills each partition with pseudorandom data from the not-so-random libc pseudorandom source. | ||
<pre><nowiki> | |||
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda6 | |||
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda8 | $ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda8 | ||
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda9 | $ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda9 | ||
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda10</nowiki></pre> | $ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda10</nowiki></pre> | ||
Fill the partitions with random data. This may take hours for the larger partitions, but is necessary if you're paranoid. The /dev/urandom source is a good source of randomization that should prevent attackers from being able to determine where data actually resides on the encrypted filesystem, which would help them know what they should try to decrypt. The /dev/random source is even better, but it might take hundreds of years to fill the disk from it. | Fill the partitions with random data. This may take hours for the larger partitions, but is necessary if you're paranoid. The /dev/urandom source is a good source of randomization that should prevent attackers from being able to determine where data actually resides on the encrypted filesystem, which would help them know what they should try to decrypt. The /dev/random source is even better, but it might take hundreds of years to fill the disk from it. | ||
<pre><nowiki> | |||
$ sudo dd if=/dev/urandom of=/dev/sda6 | |||
$ sudo dd if=/dev/urandom of=/dev/sda8 | $ sudo dd if=/dev/urandom of=/dev/sda8 | ||
$ sudo dd if=/dev/urandom of=/dev/sda9 | $ sudo dd if=/dev/urandom of=/dev/sda9 | ||
$ sudo dd if=/dev/urandom of=/dev/sda10</nowiki></pre> | $ sudo dd if=/dev/urandom of=/dev/sda10</nowiki></pre> | ||
Make the encrypted keys filesystem. It is protected with a passphrase. | Make the encrypted keys filesystem. It is protected with a passphrase. | ||
<pre><nowiki> | |||
$ sudo modprobe dm_crypt | |||
$ sudo modprobe sha256 | $ sudo modprobe sha256 | ||
$ sudo modprobe aes_i586 | $ sudo modprobe aes_i586 | ||
Line 151: | Line 143: | ||
$ sudo mkdir /mnt/cryptokeys | $ sudo mkdir /mnt/cryptokeys | ||
$ sudo mount -t ext3 /dev/mapper/cryptokeys /mnt/cryptokeys</nowiki></pre> | $ sudo mount -t ext3 /dev/mapper/cryptokeys /mnt/cryptokeys</nowiki></pre> | ||
Make keyfiles for the other partitions. This can sometimes take several seconds. If it pauses, press the shift key and the space bar a few times to introduce some entropy into the system. Reading from /dev/random will block when the kernel runs out of usable entropy. | Make keyfiles for the other partitions. This can sometimes take several seconds. If it pauses, press the shift key and the space bar a few times to introduce some entropy into the system. Reading from /dev/random will block when the kernel runs out of usable entropy. | ||
<pre><nowiki> | |||
$ sudo dd if=/dev/random of=/mnt/cryptokeys/root-key bs=1 count=256 | |||
$ sudo dd if=/dev/random of=/mnt/cryptokeys/home-key bs=1 count=256 | $ sudo dd if=/dev/random of=/mnt/cryptokeys/home-key bs=1 count=256 | ||
$ sudo chmod 600 /mnt/cryptokeys/*-key</nowiki></pre> | $ sudo chmod 600 /mnt/cryptokeys/*-key</nowiki></pre> | ||
Make the encrypted root and home filesystems. | Make the encrypted root and home filesystems. | ||
<pre><nowiki> | |||
$ sudo cryptsetup --verbose --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda6 /mnt/cryptokeys/root-key | |||
$ sudo cryptsetup --verbose --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda9 /mnt/cryptokeys/home-key | $ sudo cryptsetup --verbose --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda9 /mnt/cryptokeys/home-key | ||
$ sudo cryptsetup --key-file=/mnt/cryptokeys/root-key luksOpen /dev/sda6 cryptoroot | $ sudo cryptsetup --key-file=/mnt/cryptokeys/root-key luksOpen /dev/sda6 cryptoroot | ||
Line 165: | Line 157: | ||
$ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/cryptohome</nowiki></pre> | $ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/cryptohome</nowiki></pre> | ||
You should add passphrase access to your encrypted root and home partitions in case your keys partition becomes unusable. Otherwise your data will be inaccessible. | You should add passphrase access to your encrypted root and home partitions in case your keys partition becomes unusable. Otherwise your data will be inaccessible. | ||
<pre><nowiki> | |||
$ sudo cryptsetup --key-file=/mnt/cryptokeys/root-key luksAddKey /dev/sda6 | |||
$ sudo cryptsetup --key-file=/mnt/cryptokeys/home-key luksAddKey /dev/sda9</nowiki></pre> | $ sudo cryptsetup --key-file=/mnt/cryptokeys/home-key luksAddKey /dev/sda9</nowiki></pre> | ||
Populate the new encrypted filesystems. | Populate the new encrypted filesystems. | ||
<pre><nowiki> | |||
$ sudo mkdir /mnt/root | |||
$ sudo mkdir /mnt/home | $ sudo mkdir /mnt/home | ||
$ sudo mount /dev/mapper/cryptoroot /mnt/root | $ sudo mount /dev/mapper/cryptoroot /mnt/root | ||
Line 177: | Line 170: | ||
$ sudo cp -ax /home/* /mnt/home | $ sudo cp -ax /home/* /mnt/home | ||
$ sudo chown -R $(whoami):$(whoami) /mnt/home/$(whoami)</nowiki></pre> | $ sudo chown -R $(whoami):$(whoami) /mnt/home/$(whoami)</nowiki></pre> | ||
Edit /mnt/root/etc/fstab. Make sure the swap line is commented out with a #. First change this line | Edit /mnt/root/etc/fstab. Make sure the swap line is commented out with a #. First change this line | ||
<code><nowiki>/dev/sda7 / ext3 defaults,errors=remount-ro 0 1</nowiki></code> | |||
to | to | ||
<code><nowiki>/dev/mapper/cryptoroot / ext3 defaults,errors=remount-ro 0 1</nowiki></code> | |||
And add these lines | And add these lines | ||
<pre><nowiki> | |||
/dev/mapper/cryptohome /home ext3 defaults 0 1 | |||
#/dev/mapper/cryptoswap none swap sw 0 0</nowiki></pre> | |||
Edit /mnt/root/etc/crypttab to look like this: | Edit /mnt/root/etc/crypttab to look like this: | ||
<pre><nowiki> | |||
# <target name> <source device> <key file> <options> | |||
#cryptoswap /dev/sda7 /dev/random swap | |||
cryptoroot /dev/sda6 none luks | cryptoroot /dev/sda6 none luks | ||
cryptohome /dev/sda9 none luks</nowiki></pre> | cryptohome /dev/sda9 none luks</nowiki></pre> | ||
==== Test the Configuration ==== | ==== Test the Configuration ==== | ||
Add this to the bottom of /boot/grub/menu.lst. (hd0,4) refers to the boot partition. | Add this to the bottom of /boot/grub/menu.lst. (hd0,4) refers to the boot partition. | ||
<pre><nowiki> | |||
title Cryptotest | |||
root (hd0,4) | root (hd0,4) | ||
kernel /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro | kernel /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro | ||
Line 199: | Line 194: | ||
boot</nowiki></pre> | boot</nowiki></pre> | ||
Find the kernel version with the command: | Find the kernel version with the command: | ||
<code><nowiki>$ uname -r</nowiki></code> | |||
For example, it might be "2.6.15-26-server". | For example, it might be "2.6.15-26-server". | ||
Reboot to test by typing <code><nowiki>sudo reboot</nowiki></code>. Press ESC to enter the GRUB menu and select Cryptotest. The boot process will stop waiting for the keys partition's passphrase. | Reboot to test by typing <code><nowiki>sudo reboot</nowiki></code>. Press ESC to enter the GRUB menu and select Cryptotest. The boot process will stop waiting for the keys partition's passphrase. | ||
If all goes well, then continue. Otherwise seek help or figure out what went wrong. | If all goes well, then continue. Otherwise seek help or figure out what went wrong. | ||
Enable swap for the future by uncommenting the swap lines in /etc/fstab and /etc/crypttab. Then fill the old / partition, which will be the swap partition with random data and enable swap. | Enable swap for the future by uncommenting the swap lines in /etc/fstab and /etc/crypttab. Then fill the old / partition, which will be the swap partition with random data and enable swap. | ||
<pre><nowiki> | |||
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda7 | |||
$ sudo dd if=/dev/urandom of=/dev/sda7 | $ sudo dd if=/dev/urandom of=/dev/sda7 | ||
$ sudo invoke-rc.d cryptdisks restart | $ sudo invoke-rc.d cryptdisks restart | ||
$ sudo swapon /dev/mapper/cryptoswap</nowiki></pre> | $ sudo swapon /dev/mapper/cryptoswap</nowiki></pre> | ||
Edit /boot/grub/menu.lst to remove the lines we added at the end, and change the line that has | Edit /boot/grub/menu.lst to remove the lines we added at the end, and change the line that has | ||
<code><nowiki># kopt=root=/dev/sda7 ro</nowiki></code> | |||
to | to | ||
<code><nowiki># kopt=root=/dev/mapper/cryptoroot ro</nowiki></code> | |||
Then run | Then run | ||
<code><nowiki>$ sudo update-grub</nowiki></code> | |||
==== Finish ==== | ==== Finish ==== | ||
Install a desktop. | Install a desktop. | ||
<code><nowiki>$ sudo apt-get install ubuntu-desktop</nowiki></code> | |||
Use something else if you don't like Gnome. You can chose kubuntu-desktop or xubuntu-desktop for other standard desktops. | Use something else if you don't like Gnome. You can chose kubuntu-desktop or xubuntu-desktop for other standard desktops. | ||
Finally backup your key files for safe keeping. This will require you to open and to mount the encrypted keys partition and then unmount and close it. | Finally backup your key files for safe keeping. This will require you to open and to mount the encrypted keys partition and then unmount and close it. | ||
<pre><nowiki> | |||
$ sudo cryptsetup luksOpen /dev/sda10 cryptokeys | |||
$ sudo mount /dev/mapper/cryptokeys /mnt/cryptokeys | $ sudo mount /dev/mapper/cryptokeys /mnt/cryptokeys | ||
$ sudo cp /mnt/cryptokeys/*key <destination usb drive> | $ sudo cp /mnt/cryptokeys/*key <destination usb drive> | ||
Line 231: | Line 222: | ||
$ sudo cryptsetup luksClose cryptokeys</nowiki></pre> | $ sudo cryptsetup luksClose cryptokeys</nowiki></pre> | ||
The last line is necessary to make the system unable to access your precious keys for root and home without reentering the passphrase. | The last line is necessary to make the system unable to access your precious keys for root and home without reentering the passphrase. | ||
=== Notes === | === Notes === | ||
If your system seems to hang while booting, try pressing a few keys. Since we use /dev/random for the swap encryption key, the system may have run out of usable entropy while making the random swap encryption key. Pressing keys will give it some entropy to use. | If your system seems to hang while booting, try pressing a few keys. Since we use /dev/random for the swap encryption key, the system may have run out of usable entropy while making the random swap encryption key. Pressing keys will give it some entropy to use. | ||
The initrd image is rebuilt automatically when a kernel upgrade is installed. This appears to work just fine without requiring us to make new images ourselves. | The initrd image is rebuilt automatically when a kernel upgrade is installed. This appears to work just fine without requiring us to make new images ourselves. | ||
---- | ---- |
Latest revision as of 18:25, 16 December 2008 (Tue)
Article source: https://help.ubuntu.com/community/EncryptedFilesystemHowto5
Encrypted root, swap, and home using LUKS with no unencrypted key files available anywhere after boot
Please refer to EncryptedFilesystems for further documentation.
Submitted by John Bindel, jbindel@gmail.com.
Please consider using the EncryptedFilesystemLVMHowto instead of these instructions. I may be able to help more with that, and it's a far better solution than this.
This is yet another procedure for encrypting a disk with Ubuntu 6.06. It uses a server installation, but the desktop could be used as long as the initial root filesystem is at least 2.6 GB to hold all of the normal installation files.
We will mount the encrypted /keys partition from an initrd script with a passphrase. We will then unlock our encrypted partitions via initrd using the encrypted keys partition so that they can be mounted during bootup. This how-to is similar to other how-tos in this wiki, but I wanted to make sure that no keys were visible even to root at run time rather than having the home partition keys available in /etc.
We could put the /keys partition on a USB thumb drive as well, but that's less convenient though possibly even more secure because an attacker would need to have access to the thumb drive.
Some sources: EncryptedFilesystemHowto3, EncryptedFilesystem
Partition and Install
Install the server version of Ubuntu with /dev/sda5 as /boot, /dev/sda7 as /, and no swap. NOTICE: We do not initially use the final root and home partitions shown below because we will need to copy the initial installation to its encrypted destination after we install the operating system. Manually edit the partition table.
UE /dev/sda1 primary, "do not use" Future Windows partition for dual boot or vmware
UE /dev/sda5 0.2 GB logical, ext3, /boot, bootable
EK /dev/sda6 >3 GB logical, "do not use" Future root partition.
ER /dev/sda7 1.5 GB logical, ext3, "/" Future swap partition.
EK /dev/sda8 1GB GB logical, "do not use" Future hibernation swap partition
EK /dev/sda9 lots GB logical, "do not use" Future home partition.
EP /dev/sda10 0.1 GB logical, "do not use" Future keys partition.
The hibernation swap partition should be at least as big as your RAM size. Commit changes to disk. Enter user information and let the installer put the OS on the disk. Reboot when done.
Create New Initrd Image
Login and edit /etc/apt/sources.list.
$ sudo vi /etc/apt/sources.list
Uncomment the "universe" repository lines. There are two for "dapper universe" and two for "dapper-security universe."
Update the apt list.
$ sudo apt-get update
Install cryptsetup, hashalot, and initramfs-tools.
$ sudo apt-get install cryptsetup hashalot initramfs-tools
Add the following line to /etc/kernel-img.conf:
ramdisk = /usr/sbin/mkinitramfs
Add the following lines to /etc/mkinitramfs/modules:
dm_mod
dm_crypt
sha256
aes_i586
Create file /etc/mkinitramfs/hooks/cryptokeys. This script is executed when the init ramdisk image is built.
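#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# Nothing to add to the image if cryptsetup is not installed.
if [ ! -x /sbin/cryptsetup ]; then
    exit 0
fi
. /usr/share/initramfs-tools/hook-functions
# Copy the boot-time keymap so the passphrase is typed with the right layout.
mkdir -p "${DESTDIR}/etc/console"
cp /etc/console/boottime.kmap.gz "${DESTDIR}/etc/console"
# Copy the binaries the boot script needs into the image.
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin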
Create file /etc/mkinitramfs/scripts/local-top/cryptokeys. This script is executed during the init bootup.
#!/bin/sh
PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac
/bin/loadkeys /etc/console/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256
# Switch to a text console so the passphrase prompt is visible.
if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi
sleep 3
# Ask for the keys partition's passphrase until it is accepted.
while ! /sbin/cryptsetup luksOpen /dev/sda10 cryptokeys; do
    echo "Try again..."
done
if grep -q splash /proc/cmdline; then
    /sbin/usplash -c &
    sleep 1
fi
# Unlock root and home with the key files on the keys partition.
mkdir /cryptokeys
mount -t ext3 /dev/mapper/cryptokeys /cryptokeys
/sbin/cryptsetup luksOpen /dev/sda6 cryptoroot --key-file=/cryptokeys/root-key
/sbin/cryptsetup luksOpen /dev/sda9 cryptohome --key-file=/cryptokeys/home-key
# Unmount and close the keys partition so the key files are unreachable after boot.
umount /cryptokeys
/sbin/cryptsetup luksClose cryptokeys
Make the scripts executable:
$ sudo chmod +x /etc/mkinitramfs/hooks/cryptokeys
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptokeys
Build a new initrd image:
$ sudo update-initramfs -u ALL
Create Encrypted Partitions
Check for bad blocks. This will take several minutes for each partition. This fills each partition with pseudorandom data from the not-so-random libc pseudorandom source.
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda6
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda8
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda9
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda10
Fill the partitions with random data. This may take hours for the larger partitions, but is necessary if you're paranoid. The /dev/urandom source is a good source of randomization that should prevent attackers from being able to determine where data actually resides on the encrypted filesystem, which would help them know what they should try to decrypt. The /dev/random source is even better, but it might take hundreds of years to fill the disk from it.
$ sudo dd if=/dev/urandom of=/dev/sda6
$ sudo dd if=/dev/urandom of=/dev/sda8
$ sudo dd if=/dev/urandom of=/dev/sda9
$ sudo dd if=/dev/urandom of=/dev/sda10
Make the encrypted keys filesystem. It is protected with a passphrase.
$ sudo modprobe dm_crypt
$ sudo modprobe sha256
$ sudo modprobe aes_i586
$ sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda10
$ sudo cryptsetup luksOpen /dev/sda10 cryptokeys
$ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/cryptokeys
$ sudo tune2fs -c 0 -i 0 /dev/mapper/cryptokeys
$ sudo mkdir /mnt/cryptokeys
$ sudo mount -t ext3 /dev/mapper/cryptokeys /mnt/cryptokeys
Make keyfiles for the other partitions. This can sometimes take several seconds. If it pauses, press the shift key and the space bar a few times to introduce some entropy into the system. Reading from /dev/random will block when the kernel runs out of usable entropy.
$ sudo dd if=/dev/random of=/mnt/cryptokeys/root-key bs=1 count=256
$ sudo dd if=/dev/random of=/mnt/cryptokeys/home-key bs=1 count=256
$ sudo chmod 600 /mnt/cryptokeys/*-key
Make the encrypted root and home filesystems.
$ sudo cryptsetup --verbose --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda6 /mnt/cryptokeys/root-key
$ sudo cryptsetup --verbose --cipher=aes-cbc-essiv:sha256 --key-size=256 luksFormat /dev/sda9 /mnt/cryptokeys/home-key
$ sudo cryptsetup --key-file=/mnt/cryptokeys/root-key luksOpen /dev/sda6 cryptoroot
$ sudo cryptsetup --key-file=/mnt/cryptokeys/home-key luksOpen /dev/sda9 cryptohome
$ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/cryptoroot
$ sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/cryptohome
You should add passphrase access to your encrypted root and home partitions in case your keys partition becomes unusable. Otherwise your data will be inaccessible.
$ sudo cryptsetup --key-file=/mnt/cryptokeys/root-key luksAddKey /dev/sda6
$ sudo cryptsetup --key-file=/mnt/cryptokeys/home-key luksAddKey /dev/sda9
Populate the new encrypted filesystems.
$ sudo mkdir /mnt/root
$ sudo mkdir /mnt/home
$ sudo mount /dev/mapper/cryptoroot /mnt/root
$ sudo mount /dev/mapper/cryptohome /mnt/home
$ sudo cp -ax / /mnt/root
$ sudo rm -rf /mnt/root/home/*
$ sudo cp -ax /home/* /mnt/home
$ sudo chown -R $(whoami):$(whoami) /mnt/home/$(whoami)
Edit /mnt/root/etc/fstab. Make sure the swap line is commented out with a #. First change this line
/dev/sda7 / ext3 defaults,errors=remount-ro 0 1
to
/dev/mapper/cryptoroot / ext3 defaults,errors=remount-ro 0 1
And add these lines
/dev/mapper/cryptohome /home ext3 defaults 0 1
#/dev/mapper/cryptoswap none swap sw 0 0
Edit /mnt/root/etc/crypttab to look like this:
# <target name> <source device> <key file> <options>
#cryptoswap /dev/sda7 /dev/random swap
cryptoroot /dev/sda6 none luks
cryptohome /dev/sda9 none luks
Test the Configuration
Add this to the bottom of /boot/grub/menu.lst. (hd0,4) refers to the boot partition.
title Cryptotest
root (hd0,4)
kernel /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro
initrd /initrd.img-<your kernel version here>
savedefault
boot
Find the kernel version with the command:
$ uname -r
For example, it might be "2.6.15-26-server".
Reboot to test by typing sudo reboot. Press ESC to enter the GRUB menu and select Cryptotest. The boot process will stop and wait for the keys partition's passphrase.
If all goes well, then continue. Otherwise seek help or figure out what went wrong.
Enable swap for the future by uncommenting the swap lines in /etc/fstab and /etc/crypttab. Then fill the old / partition, which will be the swap partition, with random data and enable swap.
$ sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sda7
$ sudo dd if=/dev/urandom of=/dev/sda7
$ sudo invoke-rc.d cryptdisks restart
$ sudo swapon /dev/mapper/cryptoswap
Edit /boot/grub/menu.lst to remove the lines we added at the end, and change the line that has
# kopt=root=/dev/sda7 ro
to
# kopt=root=/dev/mapper/cryptoroot ro
Then run
$ sudo update-grub
Finish
Install a desktop.
$ sudo apt-get install ubuntu-desktop
Use something else if you don't like Gnome. You can choose kubuntu-desktop or xubuntu-desktop for other standard desktops.
Finally, back up your key files for safekeeping. This will require you to open and mount the encrypted keys partition, and then unmount and close it.
$ sudo cryptsetup luksOpen /dev/sda10 cryptokeys
$ sudo mount /dev/mapper/cryptokeys /mnt/cryptokeys
$ sudo cp /mnt/cryptokeys/*key <destination usb drive>
$ sudo umount /mnt/cryptokeys
$ sudo cryptsetup luksClose cryptokeys
The last line is necessary to make the system unable to access your precious keys for root and home without reentering the passphrase.
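A post-install check for the three properties this procedure aims at (no key file referenced in crypttab, the keys mapping closed after boot, and a fallback passphrase slot added with luksAddKey). This is an added example, not part of the original how-to; the function names and the sample data are assumptions, and the samples are constructed from the configuration shown on this page.

```shell
#!/bin/sh
# Added example, not part of the original how-to. Function names and the
# sample data are assumptions; the parsers read text on stdin.

# Print "target: keyfile" for crypttab entries whose key-file field names a
# file readable on the running system. "none", "-" and the kernel random
# devices leave no key material on disk.
crypttab_keyfiles() {
    awk '$1 ~ /^#/ || NF < 3 { next }
         $3 != "none" && $3 != "-" &&
         $3 != "/dev/random" && $3 != "/dev/urandom" { print $1 ": " $3 }'
}

# $1: mapping name. Print its mount point if /proc/mounts text still lists it.
mapping_mounted() {
    awk -v dev="/dev/mapper/$1" '$1 == dev { print $2 }'
}

# Count enabled slots in LUKS1 "cryptsetup luksDump" text (LUKS2 prints a
# different layout and is not handled here).
enabled_keyslots() {
    awk '/^Key Slot [0-7]: ENABLED/ { n++ } END { print n + 0 }'
}

# Constructed samples: final crypttab, mounts after a clean boot, and a
# reduced header dump after luksAddKey (key file slot plus passphrase slot).
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
cryptoswap /dev/sda7 /dev/random swap
cryptoroot /dev/sda6 none luks
cryptohome /dev/sda9 none luks'
SAMPLE_MOUNTS='/dev/mapper/cryptoroot / ext3 rw,errors=remount-ro 0 0
/dev/sda5 /boot ext3 rw 0 0
/dev/mapper/cryptohome /home ext3 rw 0 0'
SAMPLE_DUMP='Key Slot 0: ENABLED
Key Slot 1: ENABLED
Key Slot 2: DISABLED'

# Return 0 only if no key file is referenced, the keys mapping is not
# mounted, and at least two key slots are enabled.
audit() {   # audit CRYPTTAB_TEXT MOUNTS_TEXT LUKSDUMP_TEXT
    [ -z "$(printf '%s\n' "$1" | crypttab_keyfiles)" ] || return 1
    [ -z "$(printf '%s\n' "$2" | mapping_mounted cryptokeys)" ] || return 1
    [ "$(printf '%s\n' "$3" | enabled_keyslots)" -ge 2 ] || return 1
}

audit "$SAMPLE_CRYPTTAB" "$SAMPLE_MOUNTS" "$SAMPLE_DUMP" && echo "audit: pass"
```

On the installed system, feed the functions the contents of /etc/crypttab and /proc/mounts and the output of sudo cryptsetup luksDump for /dev/sda6 and /dev/sda9 instead of the samples.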
Notes
If your system seems to hang while booting, try pressing a few keys. Since we use /dev/random for the swap encryption key, the system may have run out of usable entropy while making the random swap encryption key. Pressing keys will give it some entropy to use.

The initrd image is rebuilt automatically when a kernel upgrade is installed. This appears to work just fine without requiring us to make new images ourselves.