LUKS

From YobiWiki

Documentation

To encrypt the swap

apt-get install cryptsetup

Follow the instructions in /usr/share/doc/cryptsetup/CryptoSwap.HowTo
The difference is that I had to destroy the content of the swap partition before /etc/init.d/cryptdisks, otherwise cryptsetup refuses to work.

To encrypt disks

Creation

cryptsetup luksFormat /dev/hdaX
cryptsetup luksOpen /dev/hdaX hdaX
mkfs.ext3 /dev/mapper/hdaX
cryptsetup luksClose hdaX

Usage

cryptsetup luksOpen /dev/hdaX hdaX && mount -t ext3 /dev/mapper/hdaX /mnt/
umount /mnt && cryptsetup luksClose hdaX

To encrypt the root fs

Get packages

To use the XTS cipher mode we need a recent kernel (>=2.6.24; 2.6.24 apparently had a bug related to XTS on some CPUs, so I went for 2.6.25)

apt-get install initramfs-tools cryptsetup linux-image-2.6.25-2-686

If you don't have a separate /boot partition, make one in the clear, as the bootloader cannot load a kernel and initrd from an encrypted partition!

Have /boot on a separate partition

If it's not yet done, it's time!
Moving /boot to a separate partition involves a crucial step:
recreating the MBR stage1 so that it finds the new location of stage2,
cf. http://www.troubleshooters.com/linux/grub/grubpartition.htm
Assuming your /boot partition is /dev/[hs]da1, here's how you do it (at the grub shell):

grub
grub> root (hd0,0)
grub> setup (hd0)
grub> quit

/boot/grub/menu.lst needs the following changes:

# groot=(hd0,0)
# splashimage=(hd0,0)/grub/...

FYI and to understand my instructions, here's my intended layout:

# /dev/sda1 /boot
# /dev/sda2 will be the encrypted /
# /dev/sda5 encrypted swap
# /dev/sda6 /home

Reboot into your temporary / after you've altered the partition table.

Creation of the encrypted volume

Backup the original partition

dd if=/dev/sda2 of=./sda2.img bs=1024k

Fill it with random data

dd if=/dev/urandom of=/dev/sda2

Create a LUKS volume (answer YES in uppercase to the confirmation prompt, then type the passphrase)

cryptsetup luksFormat -c aes-xts-plain -s 256 /dev/sda2
YES
my_boot_password

Edit /etc/crypttab and add a reference to our new partition

echo "croot /dev/sda2 none luks" >> /etc/crypttab

Start the encrypted root filesystem (don't worry if your swap is already started)

/etc/init.d/cryptdisks start
my_boot_password

Setup the filesystem

mkfs.ext3 /dev/mapper/croot

Mount the device

mount /dev/mapper/croot /mnt/disk

Copy your root filesystem into place, something like this in the simplest case

cp -axv / /mnt/disk

Make sure the root device is listed in /etc/fstab

/dev/mapper/croot / ext3 defaults 0 1

/boot/grub/menu.lst needs to point to /dev/mapper/croot:

# kopt=root=/dev/mapper/croot ro vga=791

Regenerate the initramfs image

dpkg-reconfigure linux-image-2.6.25-2-686

Reboot
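
After rebooting, it is worth checking what the luksFormat options above actually recorded in the header, in particular that with XTS the 256-bit master key is split into two halves (AES-128 for the data) and that the 32-bit "plain" IV repeats past 2 TiB. The script below is an added example, not code from the original page: it parses a constructed sample of `cryptsetup luksDump` output for the header created above (the UUID is invented and the key-slot list is shortened); on a real system, feed the output of `cryptsetup luksDump /dev/sda2` to audit_dump instead.

```shell
#!/bin/sh
# Constructed sample of `cryptsetup luksDump` output for a LUKS1 header made
# with "luksFormat -c aes-xts-plain -s 256"; UUID is made up, slots 2-7 omitted.
SAMPLE_DUMP='LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain
Hash spec:      sha1
Payload offset: 4096
MK bits:        256
UUID:           00000000-0000-0000-0000-000000000000

Key Slot 0: ENABLED
Key Slot 1: DISABLED'

# Print the value of a "Label:" line from the dump text ($1 = dump, $2 = label).
dump_field() {
  printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# XTS splits the master key into two halves, so "MK bits: 256" with an
# xts mode means AES-128 for the data encryption ($1 = mode, $2 = MK bits).
effective_key_bits() {
  case "$1" in
    xts-*) echo $(( $2 / 2 )) ;;
    *)     echo "$2" ;;
  esac
}

# Count enabled key slots: each one is a passphrase or keyfile that unlocks the volume.
enabled_slots() {
  printf '%s\n' "$1" | grep -c '^Key Slot [0-7]: ENABLED'
}

# One-line summary plus warnings about weak or limited settings ($1 = dump).
audit_dump() {
  mode=$(dump_field "$1" "Cipher mode"); bits=$(dump_field "$1" "MK bits")
  eff=$(effective_key_bits "$mode" "$bits")
  echo "cipher=$(dump_field "$1" "Cipher name")-$mode mkbits=$bits effective=$eff slots=$(enabled_slots "$1")"
  case "$mode" in
    *-plain) echo "WARN: 32-bit 'plain' IV repeats past 2 TiB; prefer plain64 for large volumes" ;;
  esac
  [ "$eff" -ge 256 ] || echo "NOTE: effective AES-$eff; use -s 512 with XTS for AES-256"
}

audit_dump "$SAMPLE_DUMP"
```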

TODO

One major drawback of my setup (not shown here) is that I have several partitions encrypted this way, which leads to some problems:

  • At boot time I have to enter the passphrase for each of the partitions
  • I tried the "noauto" keyword in /etc/crypttab to avoid mounting some of the partitions, but it didn't work; I have to find out why.
  • One solution is to use a keyfile stored in the root partition to decrypt the other partitions, but I don't want to give access to all partitions to those I give access to my rootfs (e.g. my home directory to my employer)
  • Another solution is to use keyfiles stored on a USB stick, which means I have to carry such a USB stick around and avoid getting it stolen along with my laptop...
  • The last solution I see is to implement something like the gpg or ssh agents to remember my passphrase briefly during boot and try it against all partitions.
    • quintuple-agent could be used, for example, but it has to be integrated into the initrd
    • maybe a simple environment variable would be enough
    • In both cases I have to take care that the passphrase cannot be retrieved later from a RAM dump.