Difference between revisions of "LUKS"
Previous revision summary: m (New page: ==Documentation== * [http://luks.endorphin.org/ LUKS - Linux Unified Key Setup] * /usr/share/doc/cryptsetup/README.initramfs.gz == To encrypt the swap== apt-get install cryptsetup Follow ...)
Revision as of 15:25, 9 June 2008
Documentation
- LUKS - Linux Unified Key Setup
- /usr/share/doc/cryptsetup/README.initramfs.gz
To encrypt the swap
apt-get install cryptsetup
Follow instructions of /usr/share/doc/cryptsetup/CryptoSwap.HowTo
The difference is that I had to destroy the content of the swap partition before running /etc/init.d/cryptdisks, otherwise cryptsetup refuses to work.
To encrypt disks
Creation
cryptsetup luksFormat /dev/hdaX
cryptsetup luksOpen /dev/hdaX hdaX
mkfs.ext3 /dev/mapper/hdaX
cryptsetup luksClose hdaX
Usage
cryptsetup luksOpen /dev/hdaX hdaX && mount -t ext3 /dev/mapper/hdaX /mnt/
umount /mnt && cryptsetup luksClose hdaX
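The usage one-liner above chains luksOpen and mount with &&, so if the mount step fails the mapping under /dev/mapper stays open with the key loaded in the kernel. The following POSIX sh wrapper is an added example, not code from the original page: it closes the mapping again when the mount fails, and on the way out it unmounts before closing (luksClose would fail with "device busy" otherwise). CRYPTSETUP, MOUNT and UMOUNT are variables introduced by this example so the logic can be exercised with stand-in commands; they default to the real tools.

```shell
#!/bin/sh
# Added example (not from the original page): open a LUKS volume and mount it,
# undoing the luksOpen if the mount step fails.
# The tool names are variables (an assumption of this example) so the control
# flow can be exercised with stand-in commands; they default to the real tools.
CRYPTSETUP=${CRYPTSETUP:-cryptsetup}
MOUNT=${MOUNT:-mount}
UMOUNT=${UMOUNT:-umount}

# luks_mount NAME DEVICE MOUNTPOINT [FSTYPE]
# Opens DEVICE as /dev/mapper/NAME and mounts it on MOUNTPOINT (ext3 by default,
# as on the page). Returns 1 and leaves nothing open if either step fails.
luks_mount() {
    name=$1 dev=$2 mnt=$3 fstype=${4:-ext3}
    "$CRYPTSETUP" luksOpen "$dev" "$name" || return 1
    if ! "$MOUNT" -t "$fstype" "/dev/mapper/$name" "$mnt"; then
        # mount failed: close the mapping so the key is not left in the kernel
        "$CRYPTSETUP" luksClose "$name"
        return 1
    fi
    return 0
}

# luks_umount NAME MOUNTPOINT
# Unmounts first, then closes the mapping. If umount fails the mapping is
# left open on purpose: luksClose would fail anyway while the filesystem is
# still mounted, and the caller should not be told the volume is closed.
luks_umount() {
    name=$1 mnt=$2
    "$UMOUNT" "$mnt" || return 1
    "$CRYPTSETUP" luksClose "$name"
}
```

Typical use is `luks_mount hdaX /dev/hdaX /mnt` followed later by `luks_umount hdaX /mnt`; both return non-zero on failure so they can be chained with `||` in scripts.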
To encrypt the root fs
Get packages
To use the XTS cipher mode we need a recent kernel (>= 2.6.24; 2.6.24 apparently had a bug related to XTS on some CPUs, so I went for 2.6.25).
apt-get install initramfs-tools cryptsetup linux-image-2.6.25-2-686
If you don't have a separate /boot partition, make one unencrypted: the boot loader cannot read the kernel and initrd from an encrypted partition!
Have /boot on a separate partition
If it's not yet done, it's time!
Moving /boot to a separate partition involves a crucial step: recreating the MBR stage1 so that it finds the new location of stage2.
cf http://www.troubleshooters.com/linux/grub/grubpartition.htm
Assuming your /boot partition is /dev/[hs]da1, here's how you do it:
grub
grub> root (hd0,0)
grub> setup (hd0)
grub> quit
/boot/grub/menu.lst needs the following changes:
# groot=(hd0,0)
# splashimage=(hd0,0)/grub/...
FYI and to understand my instructions, here's my intended layout:
# /dev/sda1 /boot
# /dev/sda2 will be the encrypted /
# /dev/sda5 encrypted swap
# /dev/sda6 /home
Reboot into your temporary / after you have altered the partition table.
Creation of the encrypted volume
Backup the original partition
dd if=/dev/sda2 of=./sda2.img bs=1024k
Fill it with random data
dd if=/dev/urandom of=/dev/sda2
Create a LUKS volume
cryptsetup luksFormat -c aes-xts-plain -s 256 /dev/sda2
(answer YES at the confirmation prompt, then enter the passphrase, here my_boot_password)
Edit /etc/crypttab and add a ref to our new partition
echo "croot /dev/sda2 none luks" >> /etc/crypttab
Start the encrypted root filesystem (don't worry if your swap is already started)
/etc/init.d/cryptdisks start
(enter my_boot_password when prompted for the croot passphrase)
Setup the filesystem
mkfs.ext3 /dev/mapper/croot
Mount the device
mount /dev/mapper/croot /mnt/disk
Copy your root filesystem into place, something like this in the simplest case:
cp -axv / /mnt/disk
Make sure the root device is listed in /etc/fstab
/dev/mapper/croot / ext3 defaults 0 1
/boot/grub/menu.lst needs to point to /dev/mapper/croot:
# kopt=root=/dev/mapper/croot ro vga=791
Regenerate the initramfs image
dpkg-reconfigure linux-image-2.6.25-2-686
Reboot
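Before that final reboot it is worth checking that /etc/crypttab, /etc/fstab and /boot/grub/menu.lst actually agree on the mapping name, and that the installed kernel is new enough for XTS, while the old root is still bootable. The following POSIX sh checks are an added example and not part of the original page; the file paths are passed as arguments (an assumption of this example, so the checks can be run against copies), and the name croot, the kopt line format and the 2.6.25 minimum come from the steps above.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity checks to run before
# the final reboot, so a typo in /etc/crypttab, /etc/fstab or
# /boot/grub/menu.lst is caught while the old root is still bootable.
# File paths are arguments (an assumption of this example), so the checks
# can be run against copies of the files as well as the live ones.

# kernel_at_least WANT HAVE: compare dotted versions numerically; a Debian
# release string such as "2.6.25-2-686" is cut at the first "-".
kernel_at_least() {
    want=$1 have=${2%%-*}
    awk -v w="$want" -v h="$have" 'BEGIN {
        nw = split(w, a, "."); nh = split(h, b, ".")
        n = (nw > nh) ? nw : nh
        for (i = 1; i <= n; i++) {
            if (b[i] + 0 > a[i] + 0) exit 0
            if (b[i] + 0 < a[i] + 0) exit 1
        }
        exit 0
    }'
}

# root_mapper_name FSTAB: print the /dev/mapper/ name that fstab mounts on /,
# or nothing if / is not on a device-mapper device.
root_mapper_name() {
    awk '$1 !~ /^#/ && $2 == "/" && $1 ~ /^\/dev\/mapper\// {
        sub("^/dev/mapper/", "", $1); print $1 }' "$1"
}

# crypttab_has NAME CRYPTTAB: succeed if NAME is declared with the luks option
# (fields: target name, source device, key file, options).
crypttab_has() {
    awk -v n="$1" '$1 !~ /^#/ && $1 == n && $4 ~ /(^|,)luks(,|$)/ { found = 1 }
                   END { exit found ? 0 : 1 }' "$2"
}

# menulst_roots_on NAME MENULST: succeed if the "# kopt=" line, which
# update-grub copies into every kernel entry, carries root=/dev/mapper/NAME.
menulst_roots_on() {
    grep -Eq "^# kopt=.*root=/dev/mapper/$1"'( |$)' "$2"
}

# check_encrypted_root CRYPTTAB FSTAB MENULST KERNEL_RELEASE
# Runs every check, prints one line per problem, returns 0 only if all pass.
check_encrypted_root() {
    crypttab=$1 fstab=$2 menulst=$3 krel=$4 rc=0
    name=$(root_mapper_name "$fstab")
    if [ -z "$name" ]; then
        echo "fstab: / is not on a /dev/mapper device"
        return 1
    fi
    crypttab_has "$name" "$crypttab" \
        || { echo "crypttab: no luks entry named $name"; rc=1; }
    menulst_roots_on "$name" "$menulst" \
        || { echo "menu.lst: kopt does not set root=/dev/mapper/$name"; rc=1; }
    kernel_at_least 2.6.25 "$krel" \
        || { echo "kernel $krel is older than 2.6.25 (the page notes an XTS bug in 2.6.24)"; rc=1; }
    return $rc
}
```

On the live system the call is `check_encrypted_root /etc/crypttab /etc/fstab /boot/grub/menu.lst "$(uname -r)"`; note that `uname -r` reports the running kernel, so pass the release of the newly installed image (2.6.25-2-686 above) explicitly if you have not yet booted into it.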