Encrypted Root File System
This manual is based on the encrypted file system creation method provided by openSUSE at http://en.opensuse.org/Encrypted_Root_File_System_with_SUSE_HOWTO.
Note: The following actions are assumed to be performed on a freshly installed OS, to avoid loss of valuable data.
Introduction and Installation
This encryption proposal is based on an encrypted file system setup best suited for a laptop user (meaning it will most likely be used by a single user). The partitioning scheme is simple: one partition for swap, one for the root file system mounted at "/", and one for the home file system at /home. The largest partition is /home, but for the initial setup the root file system is installed into the partition that will later become home (the largest partition), and root is copied onto the smaller partition after the encryption procedure. Since each of these partitions will be encrypted, a small unencrypted boot partition is mounted at "/boot". The boot partition can be placed either on the same disk or on external media such as a USB flash drive. It needs to be at least 40 MB in size, or more if multiple kernels will be loaded; 75-100 MB would be the safer choice.
If you are going to use a USB flash drive, plug it in before booting the computer with the installation CD. It should then be formatted with a Linux file system. This can be done in the Expert Partitioner setup menu, where the USB flash drive should show up. Format it with Ext2 or Ext3 and mount it at /boot. Also, in the Fstab Options dialog, check the box "Do Not Mount at System Start-up". This is a necessary step for a correct partitioning setup: without it, booting with a USB drive would not work, because USB devices are created after boot.localfs tries to mount the entries in fstab.
The proposed partition table should look similar to this:
| Device | Mount Point | Notes |
| /dev/sda1 | /boot | Boot partition |
| /dev/sda2 | swap | This will become the encrypted swap |
| /dev/sda3 | /home | This will become the encrypted root |
| /dev/sda4 | / | This will become the encrypted home |
The idea is to install the root file system on sda4 first, then copy it from sda4 to sda3, and finally create another encrypted partition on sda4 for home (the new encrypted home).
Package selection:
Ensure that the package "cryptsetup" is installed. There are a few alternatives, such as "loop-aes" and "truecrypt", but cryptsetup is chosen here as the simpler option. An advantage of the LUKS system is the ability to configure multiple passwords for a single encrypted partition, which aids in data and password recovery.
After the system finishes installing, add the community software repositories and run the online update twice. You need to update your kernel before setting up encryption.
Preparation
- Correct mkinitrd
Open /lib/mkinitrd/scripts/setup-luks.sh.
In the line
luks_blockdev="$luks_blockdev $lucksbd"
replace "$lucksbd" with "$luksbd".
An alternative to that method is to install the package mkinitrd-2.1-36.2.
Note: If you have run the updates as instructed, mkinitrd has already been corrected, so if the typo listed above is not present everything should work fine.
IMPORTANT: If you are using a kernel later than, or updated your system after, May 12, 2008, or are using mkinitrd-2.1-36-5, it is likely that LUKS encrypted partitions will not be found automatically by mkinitrd. There is a workaround: open /lib/mkinitrd/scripts/setup-storage.sh and add the partitions to the variable blockdev in the last line of the script. The end of your setup-storage.sh file should look something like this:
blockdev="$(resolve_device Root $rootdev) $(resolve_device Resume $resumedev) $(resolve_device Journal $journaldev) $(resolve_device Dump $dumpdev) /dev/mapper/home /dev/mapper/swap"
Note: Do not make those changes until after you have updated your kernel if you are planning on doing so, otherwise the update will fail.
- Create an encrypted swap partition
The first step in getting familiar with the encryption method is to encrypt the swap partition; if problems arise there, they are easy to repair.
The LUKS system is used for this. There are a few advantages to using LUKS:
- It does not use the supplied password directly for encryption; instead, a random key with a default size of 128 bits is generated.
- That key is encrypted using the supplied password. This makes it safe and convenient to use the same password to protect the master key of each separate partition.
- Using a different password for every encrypted partition would be inconvenient and would bring no security gain, so using the same password to encrypt a unique 128-bit key for each partition is very convenient.
- The only disadvantage is that the password must be chosen with resistance to brute-force and dictionary attacks in mind.
Encryption:
First make sure that all the needed modules have been loaded. Run these commands on the command line (remember that you should be logged in as root throughout the whole manual, to stay consistent with it).
your-linux:~ # modprobe dm-mod
your-linux:~ # modprobe dm-crypt
your-linux:~ # modprobe aes
your-linux:~ # modprobe sha256
your-linux:~ # modprobe sha1
The above modules are, in order: the device mapper module, the device mapper cryptography module, the default cipher, the default hash algorithm, and the default LUKS hash spec.
Next step is to turn off the existing swap:
your-linux:~ # swapoff /dev/sda2
Then fill the swap partition with random data. (This may take a few minutes.)
your-linux:~ # dd if=/dev/urandom of=/dev/sda2
After that initialize the encrypted swap device using this command:
your-linux:~ # cryptsetup -v --key-size 256 luksFormat /dev/sda2
cryptsetup will prompt you for a password, then create a new encrypted partition using the aes cipher in cbc-essiv mode. If you get a "Command failed" error, make sure you followed the directions very carefully.
You can view the LUKS partition header info by running:
your-linux:~ # cryptsetup -v luksDump /dev/sda2
Next open the new encrypted partition by running this command:
your-linux:~ # cryptsetup -v luksOpen /dev/sda2 swap
The above command should now have created a new mapped device in /dev/mapper called swap. To use it as a swap device, add a swap file system and turn the swap back on by running these commands:
your-linux:~ # mkswap /dev/mapper/swap
your-linux:~ # swapon /dev/mapper/swap
You can see the new swap space by running:
your-linux:~ # free
- Create an encrypted file system on the home partition
First unmount /home to prepare the new root file system:
your-linux:~ # umount /dev/sda3
Filling the disks with random data
For this step there are a few different options:
- /dev/urandom - fill the device with "random" data. Probably the fastest and best all-around method. Used in this manual as the default.
- "shred" - overwrite a file to hide its contents and optionally delete it. It overwrites files repeatedly, in order to make it harder for even very expensive hardware probing to recover the data. Shred does many writes or passes on the disk depending on the options given, although it still takes its input from /dev/urandom. However, this method is a lot slower and can take many hours for a large partition.
- /dev/random - fills the disk with more random data than the two options above, making it the most secure method, but also the most time-consuming. Note: This option is so slow that it is completely impractical. It took over 2 days to randomize a 3.5 GB partition on a virtual machine.
- /dev/zero - the fastest method is to initially fill the beginning (1-2 MB) of the disk with /dev/urandom (or /dev/random) by running
your-linux:~ # dd if=/dev/urandom of=/dev/sda3 count=4000 bs=512
and then run luksFormat and luksOpen (see below), after which you can fill the decrypted disk (/dev/mapper/my_encrypted_partition) with /dev/zero:
your-linux:~ # dd if=/dev/zero of=/dev/mapper/my_encrypted_partition
This fills the decrypted disk with zeros, which are encrypted and saved to your physical device. It looks like random data on the physical disk and is pretty fast.
Encryption
After the dd command has finished, create the device mapping for the root partition the same way as we did with the swap partition:
your-linux:~ # cryptsetup -v --key-size 256 luksFormat /dev/sda3
To view the details after the above step is complete (if successful), run:
your-linux:~ # cryptsetup luksDump /dev/sda3
Then open the partition:
your-linux:~ # cryptsetup luksOpen /dev/sda3 root
It should have created an entry in /dev/mapper named root. Now it's time to create a file system on the new device. ext3 is used as the default throughout these instructions:
your-linux:~ # /sbin/mkfs.ext3 -O dir_index,resize_inode /dev/mapper/root
- Copy root file system into the new encrypted partition.
Once the encrypted system is created, copy the root file system onto the new file system.
First you have to mount it by running the following commands:
your-linux:~ # mkdir /mnt/root
your-linux:~ # mount /dev/mapper/root /mnt/root
After you have done that, there are a few different ways to go about copying the root file system. As a default we will use "cp -ax / /mnt/root". Note that you don't have to copy /dev, /proc, and /sys because these will be re-created when the system is booted. Run the following commands to copy and prepare your new root partition:
your-linux:~ # cd /
your-linux:~ # find bin boot dev etc home lib* opt root sbin srv subdomain tmp usr var \
 -depth -print0 | cpio -pmd --null /mnt/root
your-linux:~ # mkdir /mnt/root/proc
your-linux:~ # mkdir /mnt/root/sys
your-linux:~ # mkdir /mnt/root/media
your-linux:~ # mkdir /mnt/root/mnt
Next go to "/mnt/root/etc" and open "fstab" with any text editor. Change the entry for /dev/sda3 (the former home) to:
/dev/mapper/root / ext3 acl,user_xattr 1 1
Likewise change the entry for swap:
/dev/mapper/swap swap swap defaults 0 0
Also change the entry for /dev/sda4 (former root) to:
/dev/sda4 /home ext3 acl,user_xattr 1 2
- Create a new initial RAM disk (initrd) to boot the system
To use the new encrypted root file system, it must be decrypted when the system boots. That job is best handled by the initial RAM disk (initrd-VER-default). As a precaution, you can copy the initrd file to a different folder on the boot partition, such as /boot/original. To use mkinitrd, run the following command:
your-linux:~ # mkinitrd -d /dev/mapper/root -f "dm luks"
- Create an entry in the bootloader menu for the new root file system
The final step before rebooting is to create a new entry in the Grub menu for the encrypted partition. Create a new entry in the Grub file menu.lst (/boot/grub/menu.lst), which should look something like this:
###Encrypted root###
title Encrypted OpenSuse 10.3
root (hd0,0)
kernel /vmlinuz-VER-default root=/dev/mapper/root luks_root=/dev/sda3 luks_swap=/dev/sda2 luks="root swap" vga=0x317 resume=/dev/mapper/swap splash=silent showopts
initrd /initrd-VER-default
Do not delete the old entries yet; we need to make sure the system can boot properly first. You also need to modify the old entries to use the initrd that you backed up somewhere such as /boot/original (depending on your decision).
Now you should be ready to reboot your system. Type in your LUKS password at boot when you are prompted to do so. If you have used a USB device for your boot partition, you need to change your BIOS settings to boot from USB. Make sure everything works before you move on to the next step.
- Erase the original root partition and replace it by another encrypted file system.
After you have checked that everything is working, erase the original root partition and replace it by another encrypted file system by running the following commands:
your-linux:~ # umount /dev/sda4
your-linux:~ # dd if=/dev/urandom of=/dev/sda4
your-linux:~ # cryptsetup -v --key-size 256 luksFormat /dev/sda4
your-linux:~ # cryptsetup luksOpen /dev/sda4 home
your-linux:~ # /sbin/mkfs.ext3 -O dir_index,resize_inode /dev/mapper/home
your-linux:~ # mount /dev/mapper/home /home
Note: If your /sbin/mkfs.ext3 -O dir_index,resize_inode /dev/mapper/home command fails, you can run it without the "-O dir_index,resize_inode" option.
Then edit fstab to add an entry for /home:
/dev/mapper/home /home ext3 acl,user_xattr 1 2
Rerun mkinitrd to add the information for /home to the initrd:
your-linux:~ # mkinitrd
Then edit bootloader (/boot/grub/menu.lst) to decrypt home at startup:
###Encrypted root###
title openSUSE 10.3 - encrypted
root (hd0,0)
kernel /vmlinuz-VER-default root=/dev/mapper/root luks_root=/dev/sda3 luks_swap=/dev/sda2 luks_home=/dev/sda4 luks="root swap home" vga=0x317 resume=/dev/mapper/swap splash=silent showopts
initrd /initrd-VER-default
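A check worth running before the reboot, as an added example that is not part of the original manual: it compares the /dev/mapper entries in fstab with the luks="..." and luks_<name>= kernel parameters in menu.lst, and flags swap left on a raw partition. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-reboot consistency check between fstab and menu.lst.
# Assumes the kernel-line convention shown above: luks="a b" plus luks_<name>=<device>.

# Names listed in luks="..." on the first kernel line that carries it.
luks_names() {  # $1 = menu.lst
    sed -n 's/.*[[:space:]]luks="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Device assigned by luks_<name>=..., empty if the parameter is absent.
luks_device() {  # $1 = menu.lst, $2 = mapping name
    sed -n "s/.*[[:space:]]luks_$2=\([^[:space:]]*\).*/\1/p" "$1" | head -n 1
}

# One line per problem; empty output means the two files agree.
check_boot_config() {  # $1 = fstab, $2 = menu.lst
    names=$(luks_names "$2")
    # Every /dev/mapper/<name> in fstab must be opened by the initrd.
    for n in $(awk '$1 ~ /^\/dev\/mapper\// { sub("^/dev/mapper/", "", $1); print $1 }' "$1"); do
        case " $names " in
            *" $n "*) ;;
            *) echo "fstab mounts /dev/mapper/$n but luks= does not list $n" ;;
        esac
    done
    # Every listed name needs its backing partition.
    for n in $names; do
        [ -n "$(luks_device "$2" "$n")" ] || echo "luks= lists $n but luks_$n= is missing"
    done
    # Swap on a raw partition would hold memory pages in plaintext.
    awk '$3 == "swap" && $1 !~ /^\/dev\/mapper\// { print "swap on " $1 " is not encrypted" }' "$1"
}

# Constructed sample files modelled on this manual, with luks_home= left out on purpose.
demo=$(mktemp -d)
cat > "$demo/fstab" <<'EOF'
/dev/mapper/root / ext3 acl,user_xattr 1 1
/dev/mapper/swap swap swap defaults 0 0
/dev/mapper/home /home ext3 acl,user_xattr 1 2
EOF
cat > "$demo/menu.lst" <<'EOF'
title openSUSE 10.3 - encrypted
root (hd0,0)
kernel /vmlinuz-VER-default root=/dev/mapper/root luks_root=/dev/sda3 luks_swap=/dev/sda2 luks="root swap home" resume=/dev/mapper/swap
initrd /initrd-VER-default
EOF
check_boot_config "$demo/fstab" "$demo/menu.lst"
```

On a real system, pass /etc/fstab and /boot/grub/menu.lst; empty output means every mapped file system has a matching kernel parameter.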
At this point you should be ready to reboot and enjoy your encrypted system.
Updated on: Sun Nov 22 07:27:52 2009
