Special:Badtitle/NS100:EncryptedFilesystem: difference between revisions
== Encrypted Root and Swap with LUKS (on Ubuntu 6.06) ==
by Mikhail Lukyanchenko <[email protected]>
Info: another, more detailed and explanatory guide is here: https://help.ubuntu.com/community/EncryptedFilesystemHowto
=== Introduction ===
This is the way I got Ubuntu 6.06 (Dapper Drake) with a fully encrypted file system: root (/) and swap. Since the Ubuntu installer does not yet support this option, the process consists of first installing Ubuntu on a temporary partition and then, from inside that installation, preparing the encrypted partitions for the OS. The old root used at the beginning is turned into the swap partition afterwards. Note that /boot (kernel and initramfs) stays unencrypted on its own partition, so this setup protects the data at rest; it does not protect the boot chain itself against tampering.
Please be warned that this HOWTO '''cannot''' be used on later versions of Ubuntu without modifications. For more info, have a look at the cryptsetup package documentation (<code><nowiki>/usr/share/doc/cryptsetup/CryptoRoot.HowTo</nowiki></code>) and at the [http://ubuntuforums.org/showthread.php?t=199824 discussion thread at ubuntuforums.org].
==== Notes ====
In this tutorial we assume that:
* the old (unencrypted) and the new (encrypted) swap are in partition '/dev/hda2'
* the new (encrypted) root is in partition '/dev/hda3'
Replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted root partition.
==== Warnings ====
Encrypting a partition is a destructive operation, so your new root partition (/dev/hda3) must be empty: all data on it will be erased.
Also be warned that this HOWTO is in a beta state. I would not recommend using it on a production system, but it would be greatly appreciated if you test it and send me some feedback.
=== Ubuntu installation ===
Note that you should install a ''server'' profile at this step even if you need a desktop profile in the end. The switch between the two profiles is made later on.
Install Ubuntu with the following initial partitioning scheme:
<pre><nowiki>
/dev/hda1 /boot 100 MB ext3
/dev/hda2 / 512 MB ext3
</nowiki></pre>
Note that 512 MB is really the smallest size you can use for a server type of installation; a complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, create one more partition to hold your future encrypted root, as follows:
<pre><nowiki>
/dev/hda3 future / 10GB
</nowiki></pre>
In the installer, set the filesystem option for this partition to "do not use the partition". Just ignore the alert about not having a swap partition and keep going.
=== Cryptography software installation ===
Enable the Universe repository. See [https://help.ubuntu.com/community/Repositories/CommandLine here].
After adding the universe repository, don't forget to update the package lists so that the packages below become available.
Use [https://help.ubuntu.com/community/InstallingSoftware#head-d8f69d35d4730387415ca928210750f1eac75257 any method] to install the following packages:
<pre><nowiki>
cryptsetup hashalot initramfs-tools
</nowiki></pre>
=== Setting up mkinitramfs ===
Edit <code><nowiki>/etc/kernel-img.conf</nowiki></code>. Add the following line:
<pre><nowiki>
ramdisk = /usr/sbin/mkinitramfs
</nowiki></pre>
Edit <code><nowiki>/etc/mkinitramfs/modules</nowiki></code> (note that this and the other files under /etc/mkinitramfs move to <code><nowiki>/etc/initramfs-tools</nowiki></code> in Edgy). Add the following lines:
<pre><nowiki>
dm_mod
dm_crypt
sha256
aes_i586
</nowiki></pre>
Create the file <code><nowiki>/etc/mkinitramfs/hooks/cryptoroot</nowiki></code>:
<pre><nowiki>
#!/bin/sh
# initramfs hook: copies the tools and the keymap that the local-top
# script below needs into the initrd image being built (${DESTDIR}).
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# without cryptsetup the hook silently does nothing, and the resulting
# initrd cannot unlock the root: make sure the package is installed
if [ ! -x /sbin/cryptsetup ]; then
    exit 0
fi
. /usr/share/initramfs-tools/hook-functions
mkdir -p "${DESTDIR}/etc/console"
cp /etc/console/boottime.kmap.gz "${DESTDIR}/etc/console"
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin
</nowiki></pre>
If you use Ubuntu 6.10, add the following line at the end of the above script:
<pre><nowiki>
copy_exec /sbin/vol_id /sbin
</nowiki></pre>
Create the file <code><nowiki>/etc/mkinitramfs/scripts/local-top/cryptoroot</nowiki></code>:
<pre><nowiki>
#!/bin/sh
# initramfs boot script: runs before the root filesystem is mounted and
# opens the LUKS container, so that /dev/mapper/cryptoroot exists for root=.
PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac
# load the keymap first, so the passphrase is typed with the right layout
/bin/loadkeys /etc/console/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256
# with usplash running, switch to the text console for the prompt
if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi
/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot
if grep -q splash /proc/cmdline; then
    /sbin/usplash -c &
    sleep 1
fi
</nowiki></pre>
If you use Ubuntu 6.10, add the following line directly below "/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot":
<pre><nowiki>
ln -s ../../mapper/cryptoroot /dev/disk/by-uuid/`vol_id -u /dev/mapper/cryptoroot`
</nowiki></pre>
Also, if you use Ubuntu 6.10, replace the line
<pre><nowiki>
/bin/loadkeys /etc/console/boottime.kmap.gz
</nowiki></pre>
with the following line:
<pre><nowiki>
/bin/loadkeys /etc/console-setup/boottime.kmap.gz
</nowiki></pre>
Whatever path you use here, the hook above must copy the keymap to that same path inside the initrd; otherwise loadkeys fails at boot and the passphrase prompt uses the default keymap.
Make the created files executable:
<pre><nowiki>
$ sudo chmod +x /etc/mkinitramfs/hooks/cryptoroot
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptoroot
</nowiki></pre>
Update the initrd image:
<pre><nowiki>
$ sudo update-initramfs -u ALL
</nowiki></pre>
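A check worth running before the reboot later on, as an added example that is not part of the original HOWTO: the hook exits silently when it cannot find cryptsetup, and a hook that was left non-executable is simply skipped, so the new initrd may lack exactly the pieces the local-top script needs. The script below lists an initrd with cpio and looks for those pieces; the required paths assume the layout the hook above produces, and the two sample listings are constructed, not taken from a real initrd.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: before rebooting into the
# "Cryptotest" entry, confirm that the hook really copied everything the
# local-top script needs into the initrd. On the installed system the
# listing comes from:  zcat /boot/initrd.img-$(uname -r) | cpio -t
# Assumption: the initrd layout is the one the hook shown above produces
# (cryptsetup in sbin/, loadkeys and chvt in bin/, keymap in etc/console/);
# on 6.10 add sbin/vol_id to the list.
REQUIRED_ENTRIES="sbin/cryptsetup
bin/loadkeys
bin/chvt
etc/console/boottime.kmap.gz
scripts/local-top/cryptoroot"

# check_initrd_listing: read a "cpio -t" listing on stdin, print every
# required entry that is absent, return 0 only if nothing is missing.
check_initrd_listing() {
    listing=$(cat)
    missing=0
    for entry in $REQUIRED_ENTRIES; do
        # cpio prints members with or without a leading "./"
        if ! printf '%s\n' "$listing" | grep -qxF -e "$entry" -e "./$entry"; then
            echo "missing from initrd: $entry"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_running_kernel_initrd: the real invocation; needs /boot readable.
check_running_kernel_initrd() {
    zcat "/boot/initrd.img-$(uname -r)" | cpio -t 2>/dev/null | check_initrd_listing
}

# Constructed sample listings (not captured from a real initrd).
GOOD_LISTING="./bin/sh
./bin/loadkeys
./bin/chvt
./sbin/cryptsetup
./etc/console/boottime.kmap.gz
./scripts/local-top/cryptoroot
./scripts/local-top/udev"
BAD_LISTING="./bin/sh
./scripts/local-top/udev"

printf '%s\n' "$GOOD_LISTING" | check_initrd_listing && echo "complete initrd: ok"
printf '%s\n' "$BAD_LISTING" | check_initrd_listing || echo "hook did not run: fix it and re-run update-initramfs"
```

If any entry is reported missing, re-check the chmod step and the cryptsetup installation, rebuild the initrd, and run the check again before rebooting; the unencrypted installation is still there as a fallback, but a boot that stops at a missing cryptsetup is easier to avoid than to debug.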
=== Creating the encrypted system ===
Now it is time to create the encrypted devices.
<pre><nowiki>
$ sudo modprobe dm_crypt
[lines omitted in the diff view]
$ sudo luksformat -t ext3 /dev/hda3
</nowiki></pre>
The dialog should look like this:
<pre><nowiki>
Creating encrypted device on /dev/hda3...
WARNING!
========
This will overwrite data on /dev/hda3 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
[lines omitted in the diff view]
.....
</nowiki></pre>
The passphrase is all that protects the LUKS master key, so choose a long one.
Your encrypted partition is now created and formatted. It's time to populate it:
<pre><nowiki>
$ sudo cryptsetup luksOpen /dev/hda3 cryptoroot
[lines omitted in the diff view]
$ sudo chown -R $(whoami):$(whoami) /mnt/target/home/$(whoami)
</nowiki></pre>
The copy process should take about two minutes for a server profile (depending on your hardware).
Then you need to correct <code><nowiki>/mnt/target/etc/fstab</nowiki></code>.
Find
<pre><nowiki>
/dev/hda2 / ext3 defaults,errors=remount-ro 0 1
</nowiki></pre>
and replace it with
<pre><nowiki>
/dev/mapper/cryptoroot / ext3 defaults,errors=remount-ro 0 1
</nowiki></pre>
If you use Ubuntu 6.10, your fstab no longer uses /dev/* names but UUIDs, so you need to find out the UUID with the following command:
<pre><nowiki>
[lines omitted in the diff view]
UUID=25e3f85a-3488-d58e-9372-f31a45789035 / ext3 defaults,errors=remount-ro 0 1
</nowiki></pre>
=== Configuring Grub ===
Edit <code><nowiki>/boot/grub/menu.lst</nowiki></code>. Add the following after the line containing <code><nowiki>### END DEBIAN AUTOMAGIC KERNELS LIST</nowiki></code>:
<pre><nowiki>
title Cryptotest
[lines omitted in the diff view]
</nowiki></pre>
Again, if you use Ubuntu 6.10, you'll have to replace <code><nowiki>root=/dev/mapper/cryptoroot</nowiki></code> with your UUID, i.e. something like <code><nowiki>root=UUID=25e3f85a-3488-d58e-9372-f31a45789035</nowiki></code> (of course, YOUR ID will be different!).
You can find your kernel version by running:
<pre><nowiki>
$ uname -r
</nowiki></pre>
=== Rebooting and testing configuration ===
As simple as it should be:
<pre><nowiki>
$ sudo reboot
</nowiki></pre>
Now, after all the BIOS mumbo-jumbo, watch very carefully, and when you see the following prompt:
<pre><nowiki>
GRUB Loading stage 1.5.
GRUB Loading, please wait...
Press `ESC` to enter the menu
</nowiki></pre>
press ESC and select the last entry, "Cryptotest".
You will now see lots of kernel messages, since we didn't add the <code><nowiki>quiet</nowiki></code> option to the kernel options. That's OK.
At some point you will see the prompt:
<pre><nowiki>
Enter LUKS passphrase:
</nowiki></pre>
Go on, enter it. You have now booted from the encrypted partition. Before going on, confirm that the running system really is on the encrypted device: <code><nowiki>mount</nowiki></code> should list <code><nowiki>/dev/mapper/cryptoroot on / type ext3</nowiki></code>, because the next section wipes the unencrypted installation.
If something goes the Very Wrong Way (tm), don't panic. You still have the unencrypted partition to boot from.
=== Cryptoswap ===
Let's enable the swap partition.
Edit <code><nowiki>/etc/crypttab</nowiki></code>:
<pre><nowiki>
cryptoswap /dev/hda2 /dev/urandom swap
</nowiki></pre>
The key is read from /dev/urandom at every boot, so nothing written to swap survives a reboot; this also means suspend-to-disk (hibernation) cannot be used with this setup.
Edit <code><nowiki>/etc/fstab</nowiki></code>. Add the following line:
<pre><nowiki>
/dev/mapper/cryptoswap none swap sw 0 0
</nowiki></pre>
Now you need to destroy the filesystem on <code><nowiki>/dev/hda2</nowiki></code> (if you don't destroy it explicitly, the safety check of the following command will refuse to create your "cryptoswap" on it). This is the temporary unencrypted installation you booted from earlier, so once you do this the fallback system is gone:
<pre><nowiki>
$ sudo dd if=/dev/urandom of=/dev/hda2 count=100
</nowiki></pre>
Finally, create the swap and activate it:
<pre><nowiki>
[lines omitted in the diff view]
$ sudo swapon /dev/mapper/cryptoswap
</nowiki></pre>
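Why the short dd run above is enough, and what the safety check is looking at, shown on a plain file instead of /dev/hda2 as an added example that is not from the original HOWTO: the ext2/ext3 superblock begins 1024 bytes into the partition with its magic number at byte 1080, well inside the 100 sectors (51200 bytes) that dd count=100 overwrites. The image the script builds is constructed and carries only the magic bytes; the wipe function takes the input source as a parameter so it can be exercised with /dev/zero as well as with /dev/urandom as on the page.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. It works on an ordinary
# file standing in for /dev/hda2, so it runs without root and touches no
# real disk. The point it shows: an ext2/ext3 superblock starts 1024 bytes
# into the device and its magic 0xEF53 is at byte 1080 (little-endian, so
# the bytes read "53 ef"); "dd count=100" writes 100 x 512 = 51200 bytes,
# which covers that, and once the magic is gone the cryptdisks safety
# check no longer sees a filesystem on the partition.
EXT_MAGIC_OFFSET=1080     # 1024 (superblock start) + 56 (s_magic field)

# has_ext_magic DEVICE: succeed if DEVICE still carries the ext2/3 magic.
has_ext_magic() {
    magic=$(od -An -tx1 -j "$EXT_MAGIC_OFFSET" -N 2 "$1" | tr -d ' \n')
    [ "$magic" = "53ef" ]
}

# wipe_covers_offset COUNT OFFSET: does "dd count=COUNT" (512-byte blocks)
# reach both magic bytes at OFFSET?
wipe_covers_offset() {
    [ $(( $1 * 512 )) -ge $(( $2 + 2 )) ]
}

# make_fake_ext_image FILE: constructed 200 KiB image carrying only the
# ext magic, enough to trip a "there is a filesystem here" check.
make_fake_ext_image() {
    dd if=/dev/zero of="$1" bs=1024 count=200 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek="$EXT_MAGIC_OFFSET" conv=notrunc 2>/dev/null
}

# wipe_head DEVICE [SOURCE]: the HOWTO's command. SOURCE defaults to
# /dev/urandom as on the page; conv=notrunc only matters for a regular
# file, where dd would otherwise truncate it to the bytes written.
wipe_head() {
    dd if="${2:-/dev/urandom}" of="$1" count=100 conv=notrunc 2>/dev/null
}

IMG=${TMPDIR:-/tmp}/fake_hda2.$$
make_fake_ext_image "$IMG"
has_ext_magic "$IMG" && echo "before: ext magic present, cryptdisks would refuse"
wipe_covers_offset 100 "$EXT_MAGIC_OFFSET" && echo "count=100 reaches byte $EXT_MAGIC_OFFSET"
wipe_head "$IMG"
has_ext_magic "$IMG" || echo "after: no ext magic, cryptoswap can be created"
rm -f "$IMG"
```

Only the first 100 sectors are touched, so the rest of the old installation's data remains on /dev/hda2 in clear until the random-key swap starts overwriting it; if that matters, wipe the whole partition (dd without count=) before enabling the swap.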
=== Finishing ===
Edit <code><nowiki>/boot/grub/menu.lst</nowiki></code> and remove the lines you previously added after the line containing <code><nowiki>### END DEBIAN AUTOMAGIC KERNELS LIST</nowiki></code>.
In the same file, find the line containing
<pre><nowiki>
# kopt=root=/dev/hda2 ro
</nowiki></pre>
and change it to
<pre><nowiki>
# kopt=root=/dev/mapper/cryptoroot ro
</nowiki></pre>
(The line looks like a comment, but update-grub reads it to generate the kernel entries.) Run
<pre><nowiki>
$ sudo update-grub
</nowiki></pre>
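Before the final reboot, the three files edited in this and the previous sections have to agree with each other; the script below, an added example that is not part of the original HOWTO, checks them. It verifies that fstab and the kopt line name the same root device, that swap is the mapped cryptoswap with a /dev/urandom key, and, the one mistake that would silently destroy the system on the next boot, that the cryptoswap entry does not point at the LUKS root partition. The sample files it writes are constructed to match this page, and ROOT_PART=/dev/hda3 is an assumption taken from the page's partition layout.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: a consistency check over
# the files the steps above edit, to run before the final reboot. File
# paths are parameters so the constructed samples can be checked without
# touching the live system; ROOT_PART is an assumption matching this page.
ROOT_PART=/dev/hda3

# fstab_device FSTAB MOUNTPOINT: device column of MOUNTPOINT's entry.
fstab_device() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $1; exit }' "$1"
}

# fstab_swap_device FSTAB: device of the first swap entry.
fstab_swap_device() {
    awk '$1 !~ /^#/ && $3 == "swap" { print $1; exit }' "$1"
}

# kopt_root MENU_LST: the root= value of the "# kopt=root=... ro" line.
kopt_root() {
    sed -n 's/^# kopt=root=\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# crypttab_field CRYPTTAB NAME N: field N of the crypttab entry NAME.
crypttab_field() {
    awk -v name="$2" -v n="$3" '$1 !~ /^#/ && $1 == name { print $n; exit }' "$1"
}

# check_boot_config FSTAB CRYPTTAB MENU_LST: print each problem found,
# return 0 only if there are none.
check_boot_config() {
    problems=0
    root=$(fstab_device "$1" /)
    case "$root" in
        /dev/mapper/cryptoroot|UUID=*) ;;
        *) echo "fstab: / on '$root', expected /dev/mapper/cryptoroot (UUID= on 6.10)"
           problems=$((problems + 1)) ;;
    esac
    kopt=$(kopt_root "$3")
    [ "$kopt" = "$root" ] || { echo "menu.lst: kopt root=$kopt differs from fstab root $root"; problems=$((problems + 1)); }
    swapdev=$(fstab_swap_device "$1")
    [ "$swapdev" = /dev/mapper/cryptoswap ] || { echo "fstab: swap on '$swapdev', expected /dev/mapper/cryptoswap"; problems=$((problems + 1)); }
    src=$(crypttab_field "$2" cryptoswap 2)
    key=$(crypttab_field "$2" cryptoswap 3)
    opts=$(crypttab_field "$2" cryptoswap 4)
    [ "$src" != "$ROOT_PART" ] || { echo "crypttab: cryptoswap source $src is the LUKS root partition, the next boot would destroy it"; problems=$((problems + 1)); }
    { [ "$key" = /dev/urandom ] && [ "$opts" = swap ]; } || { echo "crypttab: cryptoswap needs key /dev/urandom and option swap (got '$key' '$opts')"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# write_samples DIR: constructed copies of the files this page's steps
# should leave behind, plus one deliberately wrong crypttab.
write_samples() {
    mkdir -p "$1"
    cat > "$1/fstab" <<'EOF'
# /etc/fstab: static file system information.
proc /proc proc defaults 0 0
/dev/mapper/cryptoroot / ext3 defaults,errors=remount-ro 0 1
/dev/hda1 /boot ext3 defaults 0 2
/dev/mapper/cryptoswap none swap sw 0 0
EOF
    cat > "$1/crypttab" <<'EOF'
# <target name> <source device> <key file> <options>
cryptoswap /dev/hda2 /dev/urandom swap
EOF
    cat > "$1/menu.lst" <<'EOF'
# kopt=root=/dev/mapper/cryptoroot ro
EOF
    # wrong: random-key swap aimed at the partition holding the LUKS root
    cat > "$1/crypttab.bad" <<'EOF'
cryptoswap /dev/hda3 /dev/urandom swap
EOF
}

D=${TMPDIR:-/tmp}/cryptoroot_check.$$
write_samples "$D"
check_boot_config "$D/fstab" "$D/crypttab" "$D/menu.lst" && echo "sample config: consistent"
check_boot_config "$D/fstab" "$D/crypttab.bad" "$D/menu.lst" || echo "bad crypttab: rejected"
rm -rf "$D"
# On the installed system: check_boot_config /etc/fstab /etc/crypttab /boot/grub/menu.lst
```

On a 6.10 system the root device in fstab and in the kopt line is a UUID= string; the check accepts that as long as both files carry the same one, which is exactly the mismatch that leaves the system unbootable when only one of them was edited.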
Now you have an operational server profile with encrypted root and swap. If what you need is a desktop profile (i.e. a complete graphical environment like Gnome or KDE and lots of applications), you can install it now with a single command:
<pre><nowiki>
$ sudo apt-get install ubuntu-desktop
</nowiki></pre>
Replace <code><nowiki>ubuntu-desktop</nowiki></code> with <code><nowiki>kubuntu-desktop</nowiki></code>, <code><nowiki>xubuntu-desktop</nowiki></code> or <code><nowiki>edubuntu-desktop</nowiki></code> according to your needs.
That's all. Finished.
[[category:UbuntuHelp]]
Revision as of 17:05, 30 November 2007 (Friday)
Source: https://help.ubuntu.com/community/EncryptedFilesystem
Encrypted Root and Swap with LUKS (on Ubuntu 6.06)
by Mikhail Lukyanchenko <[email protected]> Info: another, more detailed and explanatory guide is here: https://help.ubuntu.com/community/EncryptedFilesystemHowto
Introduction
This is the way I got Ubuntu 6.06 (Dapper Drake) with fully encrypted file system: root (/) and swap. Since Ubuntu installer does not support yet this option, this process concerns, first, installing Ubuntu on a temporary partition and then, inside that installation, preparing all the encrypted partitions for the OS. The old root which I used in the beginning is turned into a swap partition.
Please, be warned, that this HOWTO can not be used on later versions of Ubuntu without modifications. For more info, have a look at cryptsetup package documentation (/usr/share/doc/cryptsetup/CryptoRoot.HowTo
) and at the discussion thread at ubuntuforums.org.
Notes
In this tutorial we assume that:
- old (unencrypted) and the new (encrypted) swap is in the partition '/dev/hda2'
- new home (encrypted) is in the partition '/dev/hda3'
replace '/dev/hda2' with your real swap partition and '/dev/hda3' with an empty partition that will become your new encrypted home partition.
Warnings
Encrypting a partition is a destructive operation; then, your new root partition (/dev/hda3) must be empty, because all data on it will be erased. Also be warned, that this HOWTO is at beta state. I would not recommend to use it on production system. But it would be greatly appreciated if you test it and send me some feedback.
Ubuntu installation
Note that you should install a server profile at this step even if you need a desktop profile at the end. The switch between the two profiles will be realized later on. Install Ubuntu with the following initial partitioning scheme:
/dev/hda1 /boot 100 MB ext3 /dev/hda2 / 512 MB ext3
Mark that 512 MB is really the shortest size you can set for a server type of installation. A complete Ubuntu installation requires at least 2.4 GB. Make your choice now. In addition, create one more space to hold your future encrypted root, so as the following:
/dev/hda3 future / 10GB
Set this partition in the installer option for filesystem as "do not use the partition". Just ignore the alert about not having a swap partition and keep walking.
Cryptography software installation
Enable the Universe repository. After adding the universe repository, don't forget to update the package lists so the packages below will be available. Use any method to install the following packages:
cryptsetup hashalot initramfs-tools
Setting up mkinitramfs
Edit /etc/kernel-img.conf. Add the following line:
ramdisk = /usr/sbin/mkinitramfs
Edit /etc/mkinitramfs/modules (note: this and the other files below move to /etc/initramfs-tools in Edgy). Add the following lines:
dm_mod
dm_crypt
sha256
aes_i586
Create the file /etc/mkinitramfs/hooks/cryptoroot:
#!/bin/sh
PREREQ=""
prereqs()
{
    echo "$PREREQ"
}
case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac
# nothing to do if cryptsetup is not installed
if [ ! -x /sbin/cryptsetup ]; then
    exit 0
fi
. /usr/share/initramfs-tools/hook-functions
# keymap, so the passphrase is typed with the right layout
mkdir ${DESTDIR}/etc/console
cp /etc/console/boottime.kmap.gz ${DESTDIR}/etc/console
# binaries needed by the local-top script below
copy_exec /bin/loadkeys /bin
copy_exec /usr/bin/chvt /bin
copy_exec /sbin/cryptsetup /sbin
If you use Ubuntu 6.10, you have to add the following line to the above script (at the end):
copy_exec /sbin/vol_id /sbin
Create the file /etc/mkinitramfs/scripts/local-top/cryptoroot:
#!/bin/sh
PREREQ="udev"
prereqs()
{
    echo "$PREREQ"
}
case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac
/bin/loadkeys /etc/console/boottime.kmap.gz
modprobe -Qb dm_crypt
modprobe -Qb aes_i586
modprobe -Qb sha256
# switch away from the splash screen so the passphrase prompt is visible
if grep -q splash /proc/cmdline; then
    /bin/chvt 1
fi
/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot
if grep -q splash /proc/cmdline; then
    /sbin/usplash -c &
    sleep 1
fi
If you use Ubuntu 6.10, add the following line directly below "/sbin/cryptsetup luksOpen /dev/hda3 cryptoroot":
ln -s ../../mapper/cryptoroot /dev/disk/by-uuid/`vol_id -u /dev/mapper/cryptoroot`
Also, if you use Ubuntu 6.10, replace the following line:
/bin/loadkeys /etc/console/boottime.kmap.gz
with the following line:
/bin/loadkeys /etc/console-setup/boottime.kmap.gz
Make created files executable:
$ sudo chmod +x /etc/mkinitramfs/hooks/cryptoroot
$ sudo chmod +x /etc/mkinitramfs/scripts/local-top/cryptoroot
Update initrd image:
$ sudo update-initramfs -u ALL
Creating the encrypted system
Now it is time to create the cryptography devices.
$ sudo modprobe dm_crypt
$ sudo modprobe sha256
$ sudo modprobe aes_i586
$ sudo luksformat -t ext3 /dev/hda3
The following dialog should look like this:
Creating encrypted device on /dev/hda3...

WARNING!
========
This will owerwrite data on /dev/hda3 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
Please enter your passphrase again to verify it
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
mke2fs 1.38 (30-Jun-2005)
.....
Your encrypted partition is now created and formatted. It's time to populate it:
$ sudo cryptsetup luksOpen /dev/hda3 cryptoroot
$ sudo mkdir /mnt/target
$ sudo mount /dev/mapper/cryptoroot /mnt/target
$ sudo cp -avx / /mnt/target
$ sudo chown -R $(whoami):$(whoami) /mnt/target/home/$(whoami)
The copy process should take about two minutes for a server profile (depends on your hardware).
Then you need to correct /mnt/target/etc/fstab.
Find
/dev/hda2 / ext3 defaults,errors=remount-ro 0 1
Replace with
/dev/mapper/cryptoroot / ext3 defaults,errors=remount-ro 0 1
If you use Ubuntu 6.10, your fstab won't use /dev/* anymore, but instead UUIDs. Therefore, you need to find out the UUID by using the following command:
$ sudo vol_id -u /dev/mapper/cryptoroot
Instead of "/dev/mapper/cryptoroot", you enter the UUID; hence the line in your /mnt/target/etc/fstab will look similar to this one:
UUID=25e3f85a-3488-d58e-9372-f31a45789035 / ext3 defaults,errors=remount-ro 0 1
Configuring Grub
Edit /boot/grub/menu.lst. Add the following after the line containing ### END DEBIAN AUTOMAGIC KERNELS LIST:
title Cryptotest
root (hd0,0)
kernel /vmlinuz-<your kernel version here> root=/dev/mapper/cryptoroot ro
initrd /initrd.img-<your kernel version here>
savedefault
boot
Again, if you use Ubuntu 6.10, you'll have to replace root=/dev/mapper/cryptoroot with your UUID, i.e. something similar to root=UUID=25e3f85a-3488-d58e-9372-f31a45789035 (of course, YOUR ID will be different!).
You may find your kernel version by running:
$ uname -r
Rebooting and testing configuration
As simple as it should be:
$ sudo reboot
Now, after all your BIOS mumbo-jumbo, you should watch very carefully for the following prompt:
GRUB Loading stage 1.5.

GRUB Loading, please wait...
Press `ESC` to enter the menu
Press ESC and select the last option, namely "Cryptotest".
Now you will see lots of kernel debugging info, since we didn't add the quiet option to the kernel options. It's ok.
At some point you will see the prompt:
Enter LUKS passphrase:
Go on! Enter it. Now you have booted from the encrypted partition. If something goes the Very Wrong Way (tm), don't panic. You still have the unencrypted partition to boot from.
Cryptoswap
Let's enable the swap partition.
Edit /etc/crypttab:
cryptoswap /dev/hda2 /dev/urandom swap
Edit /etc/fstab. Add the following line:
/dev/mapper/cryptoswap none swap sw 0 0
Now you need to destroy the filesystem on /dev/hda2 (if you don't destroy it explicitly, the safety check of the following command will refuse to create your "cryptoswap" on it). Overwriting the first 100 blocks is enough to wipe the old filesystem's superblock and signature:
$ sudo dd if=/dev/urandom of=/dev/hda2 count=100
Finally, create the swap and activate it:
$ sudo invoke-rc.d cryptdisks restart
$ sudo swapon /dev/mapper/cryptoswap
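As an added example that is not part of the original HOWTO, the following shell script checks the state that the fstab edits above and this Cryptoswap section should have produced: root mounted from the cryptoroot mapping (or a UUID= entry on 6.10), swap active only on a device-mapper node, and the swap key drawn from /dev/urandom. The mapping names cryptoroot and cryptoswap are this guide's; the sample files are constructed here, and on a finished system the functions can be pointed at /etc/fstab, /proc/swaps and /etc/crypttab instead.

```shell
#!/bin/sh
# Added check script (not from the original HOWTO). Each function takes the
# path of a file in the format of /etc/fstab, /proc/swaps or /etc/crypttab.

# 0 if the "/" entry names the cryptoroot mapping, or a UUID= entry (6.10),
# 1 if it still names a raw partition such as /dev/hda2. A UUID= entry is
# accepted because a mapping's UUID cannot be told from a partition's here.
root_is_encrypted() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$1" |
        grep -Eq '^(/dev/mapper/cryptoroot|UUID=)'
}

# 0 if at least one swap is active and every active swap is a device-mapper
# node; 1 if there is no swap or a raw partition is swapped on directly.
swap_is_encrypted() {
    awk 'NR > 1 { n++; if (index($1, "/dev/mapper/") != 1) raw++ }
         END { exit !(n > 0 && !raw) }' "$1"
}

# 0 if the named crypttab entry (default: cryptoswap) is keyed from
# /dev/urandom with the "swap" option, so no key is ever stored on disk and
# the area is re-created as swap on every boot; 1 otherwise.
swap_key_is_random() {
    awk -v name="${2:-cryptoswap}" \
        '$1 == name && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Constructed sample files standing in for the real ones (good and bad cases).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '/dev/hda1 /boot ext3 defaults 0 2' \
    '/dev/mapper/cryptoroot / ext3 defaults,errors=remount-ro 0 1' \
    '/dev/mapper/cryptoswap none swap sw 0 0' > "$tmp/fstab.good"
printf '%s\n' '/dev/hda2 / ext3 defaults,errors=remount-ro 0 1' > "$tmp/fstab.bad"
printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$tmp/swaps.good"
printf '/dev/mapper/cryptoswap\tpartition\t524280\t0\t-1\n' >> "$tmp/swaps.good"
printf 'Filename\tType\tSize\tUsed\tPriority\n/dev/hda2\tpartition\t524280\t0\t-1\n' > "$tmp/swaps.bad"
printf 'cryptoswap /dev/hda2 /dev/urandom swap\n' > "$tmp/crypttab.good"

for check in "root_is_encrypted $tmp/fstab.good" "root_is_encrypted $tmp/fstab.bad" \
             "swap_is_encrypted $tmp/swaps.good" "swap_is_encrypted $tmp/swaps.bad" \
             "swap_key_is_random $tmp/crypttab.good"; do
    if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
done
```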
Finishing
Edit /boot/grub/menu.lst and remove the lines you previously added after the line containing ### END DEBIAN AUTOMAGIC KERNELS LIST.
In the same file, find the line containing
# kopt=root=/dev/hda2 ro
Change this to
# kopt=root=/dev/mapper/cryptoroot ro
Run
$ sudo update-grub
Now you have an operational server profile with encrypted root and swap. If what you need is a desktop profile (i.e. a complete graphical environment like Gnome or KDE and lots of applications), you can install it now with the single command:
$ sudo apt-get install ubuntu-desktop
Replace ubuntu-desktop with kubuntu-desktop, xubuntu-desktop or edubuntu-desktop according to your needs.
That's all. Finished.