Monday, September 6, 2010

Set up full disk encryption in Eeebuntu 4 with dm-crypt

Some time ago I was trying to set up full disk encryption on my EeePC 1000HE and couldn't find a working howto, so I decided to write one myself after wasting a lot of time on trial and error setting up the system.

This howto comes without any kind of warranty from my side, so use it at your own risk. Don't forget to back up all your sensitive data before continuing with the installation, because the hard drive will be repartitioned and reformatted.

In my case I made a clean installation after I backed up the old standard Windows XP Partitions and deleted everything else on the HDD.

Two partitions are used for the system: /dev/sda1 as the unencrypted /boot partition and /dev/sda2 as an encrypted LUKS partition. Inside the LUKS partition is an LVM volume group holding root and swap, which is unlocked on every start by entering your passphrase. Additionally I made an unencrypted data partition, /dev/sda3, but that's up to you. Alternatively the data partition could also be encrypted with dm-crypt and unlocked at every start, but that is another story.



/dev/sda
 |-- /dev/sda1 -> /boot (unencrypted)
 |-- /dev/sda2 -> LUKS-encrypted partition -> LVM volume group "vg"
 |                                             |-- root
 |                                             `-- swap
 `-- /dev/sda3 -> unencrypted data partition



First you need to get Eeebuntu 4 onto a USB stick; 1 GB should be enough. I did this under Windows with the open-source program UNetbootin.

Then boot from the stick. On the EeePC you do this by pressing ESC during startup and selecting the stick.

The first thing to do after booting is to set the keyboard layout to US. Go to System->Preferences->Keyboard, click Add and pick US (not the predefined Latin variant). Then select the new US layout in the list and delete the UK preset.
This is needed so that you type the passphrase for the encrypted volume with the same layout the initramfs uses at startup, which is US. A passphrase containing characters that sit on different keys in the UK layout would otherwise fail to unlock the volume at boot.
Open GParted from the System menu for repartitioning. I deleted all the old partitions and partitioned my hard drive as follows, but you can vary the size of the LUKS volume.



/dev/sda1 - 200 MB for the unencrypted /boot partition, ext4

/dev/sda2 - 80 GB for the encrypted LUKS volume (it will hold the LVM with the ext4 root and the swap)

/dev/sda3 - rest of the hard disk, the unencrypted data partition


After formatting the disks, switch to a terminal to set up the encrypted LUKS volume.
You do this by first becoming root and then entering the following commands.


Become root (gives you superuser permissions):

$ sudo -i

Load Kernel modules:

$ modprobe dm-crypt
$ modprobe dm-mod
$ modprobe sha256
$ modprobe aes


Create the encrypted volume.
(cryptsetup first asks you to confirm with an uppercase YES, because this destroys everything on the partition, then to set and confirm the passphrase that you will also type at every startup. With XTS the 512-bit key is split into two 256-bit halves, so -s 512 gives AES-256. The passphrase is the only thing protecting the master key, so choose a long one. Newer kernels offer aes-xts-plain64, which differs only in the IV width and only matters for volumes larger than 2 TiB.)

$ cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sda2


After the process is completed we open the encrypted volume for the installation and call the device-mapper mapping sda2_crypt.

$ cryptsetup luksOpen /dev/sda2 sda2_crypt


Now we create an LVM volume group inside the encrypted volume and call it vg.

$ pvcreate /dev/mapper/sda2_crypt
$ vgcreate vg /dev/mapper/sda2_crypt


The next step is to create the swap and root logical volumes. The swap in this example is 1300 MB; root takes the rest of the LUKS volume.


$ lvcreate -L 1300M -n swap vg
$ lvcreate -l 100%FREE -n root vg


Format root and swap

$ mkswap /dev/mapper/vg-swap
$ mkfs.ext4 /dev/mapper/vg-root
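The commands from sudo -i down to mkfs.ext4 as one script, added here as an example and not part of the original post. It adds two checks that the manual sequence lacks: it refuses to format a partition that is currently mounted, and after luksFormat it reads the header back with cryptsetup luksDump to confirm the cipher and key size actually written. The device name, volume group name, swap size and cipher are assumptions set through environment variables; run it as root after sudo -i.

```shell
#!/bin/sh
# Added example (not from the original post): the LUKS + LVM preparation
# above as one script with two safety checks. Device name, volume group
# name, swap size and cipher are assumptions, set them via the environment:
#
#   FDE_DEVICE=/dev/sda2 FDE_VG=vg FDE_SWAP=1300M sh fde-prep.sh

# Exit 0 if $1 appears as a mounted source device in the mounts table $2
# (defaults to /proc/mounts). Used to refuse to format a live partition.
device_is_mounted() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Derive the device-mapper name the post uses: /dev/sda2 -> sda2_crypt.
mapper_name() {
    echo "$(basename "$1")_crypt"
}

# Read a 'cryptsetup luksDump' report on stdin and exit 0 only if it shows
# the expected cipher name ($1), cipher mode ($2) and master key bits ($3).
check_luks_header() {
    awk -v cipher="$1" -v mode="$2" -v bits="$3" '
        /^Cipher name:/ && $3 == cipher { c = 1 }
        /^Cipher mode:/ && $3 == mode   { m = 1 }
        /^MK bits:/     && $3 == bits   { b = 1 }
        END { exit !(c && m && b) }'
}

# Format $1 as LUKS, open it, and build the volume group $2 with a swap
# volume of size $3 and a root volume taking the rest. Destroys $1.
setup_encrypted_lvm() {
    part=$1 vg=$2 swap=$3
    cipher=${FDE_CIPHER:-aes-xts-plain}   # aes-xts-plain64 on kernels >= 2.6.33
    name=$(mapper_name "$part")

    if device_is_mounted "$part"; then
        echo "refusing to format $part: it is mounted" >&2
        return 1
    fi

    modprobe dm-crypt
    # -s 512 with XTS means two 256-bit halves, i.e. AES-256.
    cryptsetup -c "$cipher" -s 512 luksFormat "$part" || return 1
    # Confirm the header really carries the cipher we asked for.
    cryptsetup luksDump "$part" | check_luks_header "${cipher%%-*}" "${cipher#*-}" 512 || {
        echo "LUKS header on $part does not show $cipher with 512 key bits" >&2
        return 1
    }
    cryptsetup luksOpen "$part" "$name" || return 1
    pvcreate "/dev/mapper/$name"
    vgcreate "$vg" "/dev/mapper/$name"
    lvcreate -L "$swap" -n swap "$vg"
    lvcreate -l 100%FREE -n root "$vg"
    mkswap "/dev/mapper/$vg-swap"
    mkfs.ext4 "/dev/mapper/$vg-root"
}

# Only act when a device was named explicitly; sourcing the file is harmless.
if [ -n "${FDE_DEVICE:-}" ]; then
    setup_encrypted_lvm "$FDE_DEVICE" "${FDE_VG:-vg}" "${FDE_SWAP:-1300M}"
fi
```

The header check parses the "Cipher name", "Cipher mode" and "MK bits" lines of luksDump, so it also catches the case where an older cryptsetup silently falls back to its default cipher because the requested mode is not available in the running kernel.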


Now we can start the Eeebuntu installer. Fill out the forms until you get to the partitioning step and select manual partitioning.

Specify /dev/sda1 as

File system: ext4
Format: yes
Mount point: /boot

/dev/mapper/vg-root as

File system: ext4
Format: yes
Mount point: /

/dev/mapper/vg-swap as

File system: swap


In the last installation step you have to change the GRUB destination from (hd0,0) to your primary hard drive, otherwise you get an error during installation. Click "Advanced" in the last installation step and select the primary hard disk, /dev/sda for example. Keep in mind that GRUB and the kernel on /boot stay unencrypted: the encryption protects your data at rest, not the boot loader.


When you get asked whether you want to restart the system or continue, click on Continue. Do not reboot yet: the freshly installed system cannot unlock the LUKS volume until the following steps are done.

Now we have to change into the newly installed system with chroot. Go back to the terminal and enter the following commands as superuser (/dev/sda1 is the boot partition created above; adjust the name if yours differs).

$ sudo -i
$ mount /dev/mapper/vg-root /mnt
$ mount /dev/sda1 /mnt/boot
$ mount -o rbind /dev /mnt/dev
$ mount -t proc proc /mnt/proc
$ mount -t sysfs sys /mnt/sys
$ cp /etc/resolv.conf /mnt/etc/resolv.conf
$ chroot /mnt /bin/bash


The next step is to install lvm2 and cryptsetup into the now mounted filesystem (you need an internet connection). Without them the initramfs can neither unlock the LUKS volume nor activate the LVM at boot.

$ apt-get update
$ apt-get install lvm2 cryptsetup


Edit /etc/crypttab with gedit as superuser (or with nano if gedit cannot reach the display from inside the chroot).
This file tells the initramfs which encrypted device to unlock at startup.

$ gedit /etc/crypttab


Enter the following on a new line and save it. The second field can also be written as UUID=<uuid> (cryptsetup luksUUID /dev/sda2 prints it), which keeps working even if the disk shows up under a different /dev name at boot, for example with a USB stick plugged in.

sda2_crypt /dev/sda2 none luks


Edit /etc/modules and add the following on a new line

dm-crypt

Edit /etc/initramfs-tools/modules with gedit and add the following lines (the cryptsetup hook normally pulls these in by itself, but listing them makes sure they end up in the initramfs)

aes
sha256
dm_crypt
dm_mod

Back in the terminal, rebuild the initramfs for all installed kernels and reboot

$ update-initramfs -k all -u

$ reboot
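The crypttab and initramfs steps above, scripted as an added example that is not part of the original post. It writes the crypttab entry by UUID instead of by /dev/sda2, and after update-initramfs it lists every initramfs with lsinitramfs to verify that the cryptsetup and lvm binaries and the dm-crypt module are really inside, since a missing one is only discovered at the next boot, when the root volume cannot be unlocked. Run it as root inside the chroot; the device and mapper name are assumptions passed via the environment.

```shell
#!/bin/sh
# Added example (not from the original post): write the crypttab entry by
# UUID and check that the rebuilt initramfs can actually unlock root at boot.
# Run as root inside the chroot after lvm2 and cryptsetup are installed.
# Device and mapper name are assumptions for this machine:
#
#   FDE_DEVICE=/dev/sda2 FDE_NAME=sda2_crypt sh fde-initramfs.sh

# Print a crypttab line that names the LUKS partition by UUID rather than by
# /dev/sdX path, so an extra USB disk at boot cannot shift the device name.
# $1 = mapper name, $2 = LUKS UUID as printed by 'cryptsetup luksUUID'.
crypttab_line() {
    printf '%s UUID=%s none luks\n' "$1" "$2"
}

# Read an initramfs file listing (stdin, as printed by lsinitramfs) and exit 0
# only if it contains what this layout needs at boot: the cryptsetup and lvm
# binaries and the dm-crypt kernel module.
initramfs_can_unlock() {
    awk '
        /sbin\/cryptsetup$/ { c = 1 }
        /sbin\/lvm$/        { l = 1 }
        /dm-crypt\.ko/      { m = 1 }
        END { exit !(c && l && m) }'
}

# Add the crypttab entry for $1 under mapper name $2, rebuild every initramfs
# and verify each one before the reboot, when a mistake would mean no root.
configure_cryptroot() {
    part=$1 name=$2
    uuid=$(cryptsetup luksUUID "$part") || return 1
    # Do not append a duplicate if the script is run twice.
    grep -q "^$name " /etc/crypttab 2>/dev/null \
        || crypttab_line "$name" "$uuid" >> /etc/crypttab
    update-initramfs -k all -u || return 1
    for img in /boot/initrd.img-*; do
        lsinitramfs "$img" | initramfs_can_unlock || {
            echo "$img lacks cryptsetup, lvm or dm-crypt; do not reboot yet" >&2
            return 1
        }
    done
}

# Only act when a device was named explicitly; sourcing the file is harmless.
if [ -n "${FDE_DEVICE:-}" ]; then
    configure_cryptroot "$FDE_DEVICE" "${FDE_NAME:-$(basename "$FDE_DEVICE")_crypt}"
fi
```

If the check fails, the usual causes are that lvm2 or cryptsetup was installed outside the chroot, or that update-initramfs ran before the crypttab entry existed; fix that and run the script again before leaving the live system.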

You're done. Enjoy your encrypted system! At every boot you will be asked for your passphrase to unlock the LUKS volume holding root and swap. Keep in mind what this does and does not protect: the data on /dev/sda2 is unreadable while the machine is off or the volume is locked, but a running, unlocked system is as exposed as any other, the unencrypted /boot can be tampered with by anyone with physical access, and anything on /dev/sda3 is not protected at all.
I'd be glad to hear your opinions and improvement suggestions.
