特殊:Badtitle/NS100:EncryptedFilesystemHowto6

来自Ubuntu中文
Oneleaf留言 | 贡献2007年5月24日 (四) 09:37的版本 (新页面: {{From|https://help.ubuntu.com/community/EncryptedFilesystemHowto6}} {{Languages|UbuntuHelp:EncryptedFilesystemHowto6}} This is the ninth encrypted filesystem HOWTO. You may wonder why we...)
(差异) ←上一版本 | 最后版本 (差异) | 下一版本→ (差异)
跳到导航跳到搜索

{{#ifexist: :EncryptedFilesystemHowto6/zh | | {{#ifexist: EncryptedFilesystemHowto6/zh | | {{#ifeq: {{#titleparts:EncryptedFilesystemHowto6|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:EncryptedFilesystemHowto6|1|-1|}} | zh | | }}

This is the ninth encrypted filesystem HOWTO. You may wonder why we need another one, when we allready have EncryptedFilesystem, EncryptedFilesystemHowto, EncryptedFilesystemHowto2, EncryptedFilesystemHowto3, EncryptedFilesystemHowto4, EncryptedFilesystemHowto5 and EncryptedFilesystemHowtoEdgy and EncryptedFilesystemLVMHowto.

Some of this documentation is just old, while some works better for other cases. Here's the requirements for this howto:

  • Should be based on FeistyFawn.
  • Encrypt everything, except /boot.
  • For fresh installations only. The entire disk will be erased.
  • No temporary installation either. We want to install directly to the encrypted disk.
  • Network-based installation. A live-cd will only be used to set up the encrypted disks and bootstrap the installation.
  • No theoretical explanations. You will find whatever you need in the other HOWTOs.
  • Everything in one filesystem. No separate /home.

Hopefully, the next version of Ubuntu's installer will do all the setup, like Debian Etch's installer does.

Before we begin, a few warnings:

  • This HOWTO will tell you to wipe any existing installation. Back-up all your data!
  • There may be errors in this HOWTO. You should NOT follow this HOWTO without enough understanding to get yourself out of unexpected trouble. Reading the other HOWTOs is a good start...
  • This HOWTO has now been tested with VMware Workstation 6. Other hardware may or may not give the same results.
  • Older versions of this HOWTO included some bugs that made it impossible to boot the newly installed system. Make sure you're using the latest version.

Ok, then... Let's start.

The livecd

First, boot from a live CD. I guess an Edgy-disc should work, but I have only tested with Feisty.

Configure networking, keyboard, proxy and whatever you need to have Internet access and a way to work with a terminal. (Hint: If you're behind a proxy, set the http_proxy environment variable: export http_proxy=http://proxy:port/)

Start a terminal and edit /etc/apt/sources.list to add the universe repository. (Remember sudo!) You may want to change to a mirror close to you instead of archive.ubuntu.com. To me, it's no.archive.ubuntu.com.

Install cryptsetup, gparted and debootstrap:

sudo aptitude update && sudo aptitude install cryptsetup gparted debootstrap

Use gparted to partition your drive. You will need >= 100 MB for /boot (ext3), twice your amount of RAM for swap and the usual minimum for your encrypted root filesystem. From now on, I assume /boot is /dev/sda1, encrypted swap is /dev/sda5 and the encrypted root is /dev/sda6.

Exit gparted and unmount the newly created filesystems by right-clicking on them on your desktop.

Then load some modules:

sudo modprobe dm_crypt
sudo modprobe sha256
sudo modprobe aes_i586

Use LUKS to encrypt your root partition. If you want key storage on an USB-disk, smartcard or anything else, see the other LUKS-based guides mentioned at the top of this document. Remember to choose a good passphrase, as this probably will be the weakest link in the setup...

sudo cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda6
sudo cryptsetup luksOpen /dev/sda6 root

Create a filesystem and mount it and the /boot partition:

sudo mke2fs -j -O dir_index,filetype,sparse_super /dev/mapper/root
sudo mkdir /mnt/newroot
sudo mount /dev/mapper/root /mnt/newroot
sudo mkdir /mnt/newroot/boot
sudo mount /dev/sda1 /mnt/newroot/boot

Basic installation

It's time to do the installation, but don't start the wizard at your desktop. You need to use debootstrap.

sudo debootstrap feisty /mnt/newroot http://no.archive.ubuntu.com/ubuntu # Choose a mirror close to you.

After a few minutes, you should have a basic installation of FeistyFawn in your encrypted root. But don't pat yourself on your back yet, as the installation is too basic to even boot. All you can do is chroot into it and start configuring and installing packages:

sudo cp /etc/apt/sources.list /mnt/newroot/etc/apt/sources.list
sudo /etc/init.d/acpid stop # Your chroot will eventually want to run it's own.
sudo /etc/init.d/acpi-support stop
sudo mount --bind /dev /mnt/newroot/dev
sudo mount --bind /proc /mnt/newroot/proc
sudo mount --bind /sys /mnt/newroot/sys
sudo umount /mnt/newroot/boot
sudo chroot /mnt/newroot
export LANG=C
mount /dev/sda1 /boot
mkdir /home/ubuntu # To get rid of some annoying vim errors. Skip if wanted, and delete when done.

Install basic packages:

aptitude update
aptitude install grub linux-image-generic bsdmainutils cryptsetup

Yes, you want a symlink, and no, you do not want to abort while installing the kernel. To avoid that message in the future, add do_initrd = Yes to /etc/kernel-img.conf.

Set up /etc/crypttab: (Make sure you're using the same name for the root filesystem as you did with the luksOpen-command above. If not, cryptsetup will fail at first boot.)

# <target name> <source device>         <key file>      <options>
swap            /dev/sda5               /dev/random     swap
root            /dev/sda6               none            luks

/etc/fstab: (Again, double-check the names used.)

proc                    /proc   proc    defaults                        0       0
/dev/mapper/root        /       ext3    defaults,errors=remount-ro      0       0
/dev/sda1               /boot   ext3    defaults                        0       1
/dev/mapper/swap        swap    swap    defaults                        0       0

/etc/network/interfaces:

auto lo
iface lo inet loopback

Configure the console:

dpkg-reconfigure console-setup # Install if needed

Make sure your initramfs is correct:

update-initramfs -u

Install grub:

grub-install --recheck hd0,0
update-grub
grub-install hd0

Remove quiet and splash from the defoptions-line in /boot/grub/menu.lst and run update-grub again.

Install (k)ubuntu-desktop:

aptitude install ubuntu-desktop
killall acpid
dpkg --configure -a # Make sure this does not return any errors.

Create a user for yourself:

adduser --add_extra_groups username
adduser username adm
adduser username admin

Run visudo and add this just under the entry for root:

%admin  ALL=(ALL) ALL

Boot your encrypted system

Restart (make sure your filesystems is unmounted) and boot into your new system. You should be asked for your passphrase by cryptsetup.

If grub complains about a file it can't find, you may try to press ESC to edit the command, go down to savedefault and press d and b. Then, reinstall grub when booted.

Your system may seem to hang while setting up encrypted devices. This is because it lacks random data. Press a few keys, and it will continue.

Be aware that your new system is not as well configured as with a normal installation, so you have to do some configuration after first boot. Here's a list to get you started. You will find tools for this in the System menu in Ubuntu.

  • Hostname.
  • Other network parameters and DNS. (If you don't want to use network manager for that.)
  • Web proxy if needed.
  • Date, time and time zone. (NTP if wanted)
  • Localization. (Language packs, default language.)
  • Software repositories (multiverse, updates, backports...) and keys used to sign the archives.
  • Non-free drivers. (NVIDIA/ATI-cards)

You may also want make sure your Mail Transfer Agent (exim, postfix, ...) is set up correctly.

When upgrading kernels, be sure to keep your old kernel. Some versions of the Linux kernel will change from /dev/hd* to /dev/sd* and others the other way. This will break /etc/cryptsetup.