Difference between revisions of "LUKS"

From YobiWiki
Revision as of 14:00, 10 June 2008

Documentation

* LUKS - Linux Unified Key Setup: http://luks.endorphin.org/
* /usr/share/doc/cryptsetup/CryptRoot.HowTo.txt and /usr/share/doc/cryptsetup/README.initramfs.gz

To encrypt the swap

apt-get install cryptsetup

Follow the instructions in /usr/share/doc/cryptsetup/CryptoSwap.HowTo.
The difference is that I had to destroy the content of the swap partition before running /etc/init.d/cryptdisks, otherwise cryptsetup refuses to work.

To encrypt disks

Creation

cryptsetup luksFormat /dev/hdaX
cryptsetup luksOpen /dev/hdaX hdaX
mkfs.ext3 /dev/mapper/hdaX
cryptsetup luksClose hdaX

Usage

cryptsetup luksOpen /dev/hdaX hdaX && mount -t ext3 /dev/mapper/hdaX /mnt/
umount /mnt && cryptsetup luksClose hdaX

To encrypt the root fs

Get packages

To use the XTS block cipher mode we need a recent kernel (>= 2.6.24; 2.6.24 apparently had a bug related to XTS on some CPUs, so I went for 2.6.25).

apt-get install initramfs-tools cryptsetup linux-image-2.6.25-2-686

If you don't have a separate /boot partition yet, make one in the clear, as we cannot boot from an encrypted kernel and initrd!

Have /boot on a separate partition

If it's not done yet, now is the time!
Moving /boot to a separate partition involves a crucial step:
recreating the MBR stage1 so that it finds the new location of stage2
(cf. http://www.troubleshooters.com/linux/grub/grubpartition.htm).
Assuming your /boot partition is /dev/[hs]da1, here's how you do it:

grub
grub> root (hd0,0)
grub> setup (hd0)
grub> quit

/boot/grub/menu.lst needs the following changes:

# groot=(hd0,0)
# splashimage=(hd0,0)/grub/...

FYI and to understand my instructions, here's my intended layout:

# /dev/sda1 /boot
# /dev/sda2 will be the encrypted /
# /dev/sda5 encrypted swap
# /dev/sda6 /home

Reboot into your temporary / after you've altered the partition table.

Creation of the encrypted volume

Backup the original partition

dd if=/dev/sda2 of=./sda2.img bs=1024k

Fill it with random data

dd if=/dev/urandom of=/dev/sda2

Create a LUKS volume

cryptsetup luksFormat -c aes-xts-plain -s 256 /dev/sda2
YES
my_boot_password

Edit /etc/crypttab and add a reference to our new partition

echo "croot /dev/sda2 none luks" >> /etc/crypttab

Start the encrypted root filesystem (don't worry if your swap is already started)

/etc/init.d/cryptdisks start
my_boot_password

Set up the filesystem

mkfs.ext3 /dev/mapper/croot

Mount the device

mount /dev/mapper/croot /mnt/disk

Copy your root filesystem into place; something like this in the simplest case:

cp -axv / /mnt/disk

Make sure the root device is listed in /etc/fstab

/dev/mapper/croot / ext3 defaults 0 1

/boot/grub/menu.lst needs to point to /dev/mapper/croot:

# kopt=root=/dev/mapper/croot ro vga=791

Regenerate the initramfs image

dpkg-reconfigure linux-image-2.6.25-2-686

Reboot
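Before that reboot, it is worth verifying that the three files edited above agree with each other: a kopt line still naming the raw partition, or a crypttab entry whose name differs from the /dev/mapper path in fstab, leaves the system unbootable. The script below is an added example and not part of the original wiki page; it assumes the layout used above (mapping croot on /dev/sda2, /boot on /dev/sda1) and the file contents it writes are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original wiki page): before the final reboot, cross-check
# that crypttab, fstab and menu.lst agree on the encrypted root mapping and that /boot
# is not on the LUKS device. The file contents below are constructed samples.

check_cryptroot() {
    crypttab=$1; fstab=$2; menulst=$3; errors=0
    # fstab: whatever is mounted on "/" must be a device-mapper node.
    root_dev=$(awk '$1 !~ /^#/ && $2 == "/" {print $1; exit}' "$fstab")
    case $root_dev in
        /dev/mapper/*) name=${root_dev#/dev/mapper/} ;;
        *) echo "fstab: / is '$root_dev', not a /dev/mapper device"; return 1 ;;
    esac
    # crypttab: "<name> <source> <keyfile> <options>"; we need a luks entry for <name>.
    src=$(awk -v n="$name" '$1 == n && $4 ~ /(^|,)luks(,|$)/ {print $2; exit}' "$crypttab")
    if [ -z "$src" ]; then
        echo "crypttab: no luks entry named '$name'"; errors=$((errors + 1))
    fi
    # /boot must stay in the clear: GRUB cannot read a kernel from inside the LUKS volume.
    boot_dev=$(awk '$1 !~ /^#/ && $2 == "/boot" {print $1; exit}' "$fstab")
    if [ -n "$src" ] && [ "$boot_dev" = "$src" ]; then
        echo "fstab: /boot is on $src, the encrypted device"; errors=$((errors + 1))
    fi
    # menu.lst: the kopt line update-grub reads must pass root=<mapper device> to the kernel.
    if ! grep -Eq "^# kopt=(.* )?root=$root_dev( |\$)" "$menulst"; then
        echo "menu.lst: kopt line does not set root=$root_dev"; errors=$((errors + 1))
    fi
    return "$errors"
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
cat > "$work/crypttab" <<'EOF'
cswap /dev/sda5 /dev/urandom swap
croot /dev/sda2 none luks
EOF
cat > "$work/fstab" <<'EOF'
/dev/mapper/croot / ext3 defaults 0 1
/dev/sda1 /boot ext3 defaults 0 2
EOF
printf '# kopt=root=/dev/mapper/croot ro vga=791\n# groot=(hd0,0)\n' > "$work/menu.lst"
# Broken variant: kopt still names the raw partition, so the kernel would never find /.
sed 's#root=/dev/mapper/croot#root=/dev/sda2#' "$work/menu.lst" > "$work/menu.lst.bad"

check_cryptroot "$work/crypttab" "$work/fstab" "$work/menu.lst" && echo "config consistent"
check_cryptroot "$work/crypttab" "$work/fstab" "$work/menu.lst.bad" || echo "$? problem(s) found"
```

Run it against the real /etc/crypttab, /etc/fstab and /boot/grub/menu.lst (from the still-mounted temporary root) instead of the sample files; a non-zero exit status means something to fix before rebooting.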