Here are some step-by-step directions for creating an encrypted openSUSE 10.3 system. This configuration is part of the UABgridSecure project effort.
1. Start the installation
2. Set up partitions with a small boot partition and a larger partition that will hold the encrypted system.
3. Click on Software
4. At the bottom click on Details
5. Select “Search” as the filter, and enter and check the following packages:
- Kernel-source
- Kernel-syms
- Cryptconfig
- Cryptsetup
- Libgcrypt
- Libxcrypt
- Gcc
- Make
- E2fsprogs
- E2fsprogs-devel
- Kinternet
6. Create root password. Make sure not to use the password you are planning on using for your future system.
Make sure you do not run Online Update during the post-installation process; for some reason the installation tends to fail. You can run the update later through YaST.
7. Finish installation, wait for restart and open YaST.
8. Go to Community Repositories and add Main Update Repository source to your repositories.
Run the update (this may take some time).
9. Log in as root.
10. Run the necessary updates on your system, mainly ones that would update or change your kernel.
11. The next step is to write random data to what will be your new root partition. Let's assume the partition you allocated for the new root partition is /dev/sda4. Run the following command:
your-linux:~# dd if=/dev/urandom of=/dev/sda4 bs=4096
This may take quite some time, especially for partitions larger than 5 GB. First time around my 10 GB took over 2 hours.
12. You can then set up your GRUB loader and add a new item to it for your encrypted system to boot from. Change the contents of /boot/grub/menu.lst. It should look something like this:
title Encrypted openSUSE 10.3
root (hd0,4)
kernel /vmlinuz-2.6.22.5-31-default root=/dev/mapper/root vga=0x317 resume=dev/sda4 splash=silent showopts
initrd /initrd-2.6.22.5-31
13. Encrypting and formatting root.
- Before you encrypt the filesystem make sure all the needed modules are loaded by running these commands:
your-linux:~# modprobe dm-mod
your-linux:~# modprobe dm-crypt
your-linux:~# modprobe aes
your-linux:~# modprobe sha256
your-linux:~# modprobe sha1
- Once the random data has been written to your partition, create an encrypted file system by running the following command:
your-linux:~# cryptsetup -v --key-size 256 luksFormat /dev/sda4
(assuming you chose /dev/sda4 as the partition for the future root)
- Remember to use a different password from the usual user account login.
- Next run:
your-linux:~# cryptsetup luksOpen /dev/sda4 root
and enter your password.
- Finally format the partition. Ext3 is used here, but you should use whatever file system the original root system was installed on (it is Ext3 by default). Run the following command:
your-linux:~# /sbin/mkfs.ext3 -j /dev/mapper/root
- Now it's time to move the root partition. Copy the current root file system to the new encrypted partition you have created, as follows.
1. First mount the partition by running this command.
your-linux:~# mount /dev/mapper/root /mnt
If the directory /mnt does not exist make one.
Within /mnt make the directories 'media', 'proc', 'boot' and 'sys'. These are system directories that you don't need to copy over; they are set up as the system is running.
Now you copy the rest of the root partition.
your-linux:~# cd /
your-linux:~# find bin dev etc home lib* opt root sbin srv tmp usr var -depth -print0 | cpio -pmd --null /mnt
Next the file "fstab" needs to be altered. Go to /mnt/etc and open the file "fstab".
Alter the line for the root file system (most likely the first line) to look like this:
/dev/mapper/root / ext3 acl,user_xattr 1 1
- Next set up the initial RAM disk (initrd).
The Linux system uses an initial RAM disk (initrd) to boot the system, containing any modules and software that the kernel will need prior to mounting the root directory. In order to mount an encrypted root filesystem a few tools must be added to the initrd.
With the introduction of openSUSE 10.3 the system will run almost out of the box with the standard kernel and software.
Run the following command:
your-linux:~# mkinitrd -d /dev/mapper/root
That tells mkinitrd to make a new initrd based on the root system on /dev/mapper/root.
Once done you should be able to reboot the system.
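Before rebooting, the two edits made above (the root line in /mnt/etc/fstab and the root= argument of the new menu.lst entry) can be checked against the mapper name. This is an added example, not part of the original instructions; the function names and script layout are assumptions, and the sample files are constructed from the lines shown on this page.

```shell
#!/bin/sh
# Added example: pre-reboot consistency check (function names are hypothetical).
MAPPED=/dev/mapper/root            # name given to "cryptsetup luksOpen ... root"
TITLE='Encrypted openSUSE 10.3'    # title of the new menu.lst entry

# Print the device that an fstab file mounts on "/" (comment lines skipped).
fstab_root_device() {
    awk '$1 !~ /^#/ && $2 == "/" { print $1; exit }' "$1"
}

# Print the root= argument of the kernel line under the menu.lst title $2.
grub_root_arg() {
    awk -v want="$2" '
        $1 == "title" { t = $0; sub(/^title[ \t]+/, "", t); in_entry = (t == want) }
        in_entry && $1 == "kernel" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^root=/) { sub(/^root=/, "", $i); print $i; exit }
        }' "$1"
}

# Return 0 only if fstab ($1) and menu.lst ($2, entry $3) both use $MAPPED.
check_encrypted_boot() {
    fstab=$1 menu=$2 title=$3 rc=0
    dev=$(fstab_root_device "$fstab")
    [ "$dev" = "$MAPPED" ] || { echo "fstab: / is on '$dev', expected $MAPPED" >&2; rc=1; }
    arg=$(grub_root_arg "$menu" "$title")
    [ "$arg" = "$MAPPED" ] || { echo "menu.lst: root='$arg', expected $MAPPED" >&2; rc=1; }
    return $rc
}

# Write constructed sample files (lines copied from this page) into directory $1.
write_sample() {
    printf '%s\n' '/dev/mapper/root / ext3 acl,user_xattr 1 1' > "$1/fstab"
    cat > "$1/menu.lst" <<'EOF'
title Encrypted openSUSE 10.3
root (hd0,4)
kernel /vmlinuz-2.6.22.5-31-default root=/dev/mapper/root vga=0x317 resume=dev/sda4 splash=silent showopts
initrd /initrd-2.6.22.5-31
EOF
}

if [ $# -eq 2 ]; then   # real files: sh check.sh /mnt/etc/fstab /boot/grub/menu.lst
    check_encrypted_boot "$1" "$2" "$TITLE" && echo "root entries consistent"
else                    # no arguments: run against the constructed sample
    d=$(mktemp -d) && write_sample "$d"
    check_encrypted_boot "$d/fstab" "$d/menu.lst" "$TITLE" && echo "sample OK"
    rm -rf "$d"
fi
```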
When the boot screen comes up, choose the Encrypted openSUSE 10.3 option. If the option doesn't exist, you have not edited menu.lst (the GRUB menu file) correctly.
When your system starts booting after selecting the Encrypted openSUSE 10.3 option, this prompt should come up:
Enter Luks password:
Enter your LUKS password and press Enter. The master instructions reported some problems one might have with USB keyboards.
Once you have booted into the new system you should run the command
your-linux:~# mkinitrd
to make sure that the new system is able to build its own initial ram disk (this will be needed every time a kernel update is installed).
The initial default option of your old openSUSE 10.3 can be deleted from the menu list if everything works smoothly.
14. Creating the /home partition.
- In our example the partition we will use for the new /home is going to be sda3 (which was the old root partition). We will encrypt it using TrueCrypt.
- To do so, download TrueCrypt from the TrueCrypt website: http://www.truecrypt.org/downloads.php
- Then install TrueCrypt using YaST.
- Now that the root system is installed and working it's time to delete the old root file system, which is /dev/sda3 in these instructions.
Run the command:
your-linux:~# truecrypt -t -c /dev/sda8
The -t flag forces truecrypt to run in text mode because the above command does not work in graphical mode.
When you are prompted select "Normal", and as a default you can use the AES encryption algorithm. For the next prompt I chose the SHA-512 hash algorithm.
You will be asked what volume type you want; select 'normal'. When asked which filesystem you want, 'fat' or 'none', select 'none'. Follow the rest of the instructions to create an encrypted file system.
There is no need to randomise this partition first, as truecrypt will fill it with random data; this will take an hour or more depending on system speed and partition size. Again go and make some tea.
Formatting the home directory
Mount the new partition with the command:
tin-man:~# truecrypt /dev/sda8
This should mount the partition as /dev/mapper/truecrypt0. To format it, run the command:
tin-man:~# /sbin/mkfs.ext3 -j /dev/mapper/truecrypt0
If you don't intend to share this with Windows then you can format the partition with any Linux filesystem (e.g. reiserfs).
Next un-mount the volume:
tin-man:~# truecrypt -d /dev/sda8
And run a test mount, replacing the word 'yourpassword' with the password you used to create the truecrypt volume:
tin-man:~# truecrypt /dev/sda8 /home -p yourpassword
Setting up an auto-mount for /home
You now want to set the system up to mount this new truecrypt partition at boot. To do this, edit the file /etc/init.d/boot.local as shown in the example here.
Reboot the system and check that the '/home' drive is mounted (the '/home' folder will go from being empty to containing a folder called 'lost+found'). Also keep an eye out to make sure that disk checking is run every so often.
Adding a user account
Now that the system has been created with an encrypted '/' (root) and '/home' you can add a user account. Do this using YaST.
If you have enabled the auto-mount option for the Truecrypt partition, and have your password in the boot.local file you can now set up the user account to log-in automatically. This is safe as the entire basic Linux system is secure (except for swap which is covered soon), and it means that you will only need to enter one password between boot and desktop!
That's the basic Linux system set-up, with the exception of the swap space, which you will deal with later.
Installing TCGINA and encrypting the Windows user account
Now that Truecrypt and WinRAR have been installed (earlier) you can extract and install TCGINA. Once installed go to the start menu and run:
'control userpasswords2'
Click on the advanced tab and then check the box 'Require users to press Ctrl+Alt+Delete', then click Ok and reboot the machine. This option is set to support TCGINA.
Once you have rebooted create a new user account, the one you actually want to use, log off, log into the new account (to make XP create the default folders etc), log out and log back into the first account.
Whilst we have disabled LM hashing for extra security make sure the password you use for the new account isn't the same as the one you use for either the Truecrypt or Linux root partitions.
Run Truecrypt and mount the shared encrypted partition on a high drive number, I use Z. This is because this drive must not change if you are to log into it as a user, and if you map the Truecrypt drive to drive E, then boot with a USB stick in the computer you will be unable to log-in.
Now run the TCGINA install program again and you should be able to move your user account to the encrypted partition. Next time you log into your new account you will log-in first via the Windows login, and then you will be asked for the Truecrypt partition password (unless your Windows password is the same as the Truecrypt one, in which case it may log you in automatically).
Once all this is done reboot the computer and log into Linux, open the root user account and go to '/home'. A new folder will be there called 'Documents and Settings'; change the permissions and group to match your Linux user account and set it to do this to all sub-folders and files.
Once done you can log back into Windows and move 'My Documents' to a convenient folder within your Linux home directory; I just use a folder called 'Documents' which is installed by default in the openSUSE system. Whenever you create a file in Windows now it will be saved with the permissions of your user account in Linux.
Moving the Windows pagefile to the Linux Swap partition
The SwapFS driver package can now be installed. Follow the instructions for installing the driver; when it comes to editing the registry entry, Truecrypt can help.
Whilst on the Linux system the swap partition is partition 6 (/dev/sda6) under Windows it is '\Device\Harddisk0\Partition3'. If you run Truecrypt and click on 'Select Device' you will see a list of partitions as Windows sees them, and from that you should be able to determine the swap partition as Windows sees it and edit the registry entry correctly.
You can change the name of the drive in the last line from 'S:' to whatever you want, I use 'Y:' so it sits next to the Truecrypt partition.
An example can be seen here.
Reboot the computer. If the registry entry was correct you should now have a new drive with a FAT file system. Go to the pagefile settings window, select drive Y: (or whatever you set yours as) and set the pagefile size, then un-set the pagefile from the 'C:' drive. If the drive appears with a '?' next to it in Explorer, check your registry settings and edit the registry to correct them.
As an additional security option you should set the minimum and maximum sizes of the pagefile to the same maximum value. This ensures that each new pagefile completely overwrites the last, rather than a growing/shrinking file receding and leaving confidential data on the swap drive for months. More security options for the pagefile are discussed further down this page, including how to delete or encrypt it.
Wiping the free space on Windows
You now need to ensure that any old data on the Windows C: drive (before you started this whole process) is erased.
Open power properties from the control panel and disable hibernation (which will delete hiberfil.sys). Now run defragment on the C: drive; as can be seen now that the pagefile and hibernation files are gone there is no longer any unmoveable data on the drive.
Next run Eraser. You might want to reboot after the defragment, as sometimes Eraser can cause errors when run on a recently defragmented drive. Set Eraser to erase all free space on the C: drive and run it; it will take 30 mins to several hours to run, depending on system and disk size.
Encrypting the system swap and hibernation space
The final part of this howto covers the system swap and hibernation spaces. There are several options here for system security, starting with the most basic and finishing with high level security options.
The higher security options, whilst providing a significant level of security, can carry with them a much higher maintenance requirement than the simple options.
Swap Space
On Windows this is the pagefile, and under Linux this is the swap partition.
Swap space is used when the computer runs out of physical memory (RAM); to free up physical memory, information is swapped out of RAM into the swap space.
Therefore, even though you have encrypted all of your personal files, folders and personal settings (and the Linux root) there is still the risk that sensitive data will leak out into the swap space.
Of course if you are confident that your system has so much RAM it will never use swap space, and you will never want to suspend Linux to disk then you can set Windows to have no pagefile, and delete the Linux swap; for the rest of you, you have to look at either deleting or encrypting this data (see below).
Updates:
I created a tarball of the base installation of a machine based on the 8GB hard drive correctly partitioned (to the best of my knowledge) for the encryption method described above.
After that I finished the setup for a root account with a password "test", configured the virtual machine and ran the updates and installed the needed packages, which saved another couple of hours of installation time. I decided to make another tarball of a system from that point.
Another tarball was created after getting the system to work with booting into the Encrypted openSUSE 10.3 with LUKS password.
I am in the process of trying to make an encrypted /home partition using TrueCrypt but it is having issues.
