Tuesday, May 15. 2007
Full disk encryption with LUKS on new notebook
Most of you probably know that I prefer a Unix-like system, so it was obvious that GNU/Linux would find its way onto my new notebook as the preferred OS. Nowadays encryption of your data gets more and more important, not only on portable devices, but on those it is a must. For me it was clear that I need full disk encryption for my GNU/Linux system.
Let’s look at the starting position:
- /dev/sda1: Windows partition
- /dev/sda2: /boot
- /dev/sda3: encrypted partition containing an LVM with all needed logical volumes for "/", "/home", swap, etc.
Another possibility is to set up the LVM directly in "/dev/sda3" and encrypt the filesystems in the individual logical volumes, but with that setup I lose most of the flexibility of the LVM, so it is not preferred.
But how to achieve the encryption?
There are several possible solutions:
- an AES-loopback device
- Truecrypt
- and yes: Linux Unified Key Setup (LUKS)
Okay, AES-loopback devices are a bit outdated and TrueCrypt is usable for partitions or filesystems in files, but it is not designed for encrypting a root filesystem. LUKS seems to be the right solution for my problem.
I used this HowTo and adapted it to my needs.
At first I filled the partition "/dev/sda3", which will be encrypted, with random data. This makes sense because this way nobody can easily tell where the real data ends. The tool I used for this was shred:
```sh
# one pass of random data over the whole partition
shred -v -n 1 /dev/sda3
```
Then I created the encrypted device and opened it:
```sh
# format /dev/sda3 as a LUKS container using AES-CBC with ESSIV (sha256)
cryptsetup -c aes-cbc-essiv:sha256 luksFormat /dev/sda3
# unlock it; the plaintext device appears as /dev/mapper/decryptedsda3
cryptsetup luksOpen /dev/sda3 decryptedsda3
```
Now I installed the LVM with some logical volumes and filesystems:
```sh
# create a physical volume on the unlocked device
pvcreate /dev/mapper/decryptedsda3
# create a volume group
vgcreate vg0 /dev/mapper/decryptedsda3
# scan for volume groups and activate them
vgscan --mknodes
vgchange -ay
# create logical volumes for "/", swap and "/home"
lvcreate -L20G -n root vg0
lvcreate -L256M -n swap vg0
lvcreate -L60G -n home vg0
# create ext3 filesystems and swap
mke2fs -j /dev/vg0/root
mke2fs -j /dev/vg0/home
mkswap /dev/vg0/swap
```
Now I installed my GNU/Linux system with a kernel including LVM and crypt support.
Then I needed a way to boot this system. I mentioned earlier that I want to use a boot partition at "/dev/sda2" for the kernel image (bzImage), the initial ramdisk (initrd) and grub. But it is also possible to use a USB device to make it even more secure.
Initial ramdisk aka initrd
Installing grub and creating the kernel image was not that difficult, but we still need the initrd for opening the encrypted device and activating the LVM. Good to know that my meta-distribution Gentoo offers the tool genkernel, which can create initrds with LUKS and LVM support. I only edited the linuxrc because I need a German keymap and added the following section before "startLUKS":
```sh
# Setup German keymap
good_msg "Loading the ''de'' keymap"
[ ! -e /dev/tty0 ] && ln -s /dev/tty1 /dev/tty0
loadkmap < /lib/keymaps/de.map
mkdir -p /etc/sysconfig
echo "XKEYBOARD=de" > /etc/sysconfig/keyboard
```
And I commented out "startVolumes" because this is also done by "startLUKS". Then the initrd was created by genkernel:
```sh
# --linuxrc= takes the path of the edited linuxrc
genkernel --luks --lvm2 --linuxrc= initrd
```
At last I created the grub configuration:
```
# For booting GNU/Linux
title Gentoo GNU/Linux
root (hd0,1)
kernel /boot/bzImage root=/dev/ram0 init=/linuxrc ramdisk=8192 crypt_root=/dev/sda3 real_root=/dev/vg0/root nodetect dolvm2
initrd /boot/initrd
```
That's it! And it works fine ;-)
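As an added illustration (not code from the original post and not genkernel's own linuxrc), this POSIX shell script parses the kernel parameters of the grub entry above the way the initrd has to: it pulls out crypt_root and real_root and checks that dolvm2 is present when the real root lives on an LVM volume. The sample command line is a constructed copy of the grub entry, the function names are my own, and plan_boot only prints the commands it would run.

```sh
#!/bin/sh
# Added example, not part of the original post or of genkernel's linuxrc:
# a minimal parser for the kernel parameters the grub entry passes to the initrd.
# Nothing here touches real devices; plan_boot only prints the steps it would take.

# Constructed sample, copied from the grub entry above.
SAMPLE_CMDLINE="root=/dev/ram0 init=/linuxrc ramdisk=8192 crypt_root=/dev/sda3 real_root=/dev/vg0/root nodetect dolvm2"

# cmdline_get CMDLINE KEY: print the value of KEY=value, fail if KEY is absent
cmdline_get() {
    for word in $1; do
        case "$word" in
            "$2"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# cmdline_has CMDLINE FLAG: succeed only if the bare FLAG (e.g. dolvm2) is present
cmdline_has() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# plan_boot CMDLINE: print what the initrd must do, in order; fail on an
# inconsistent command line (missing crypt_root/real_root, LVM root without dolvm2)
plan_boot() {
    crypt_root=$(cmdline_get "$1" crypt_root) || { echo "crypt_root= missing" >&2; return 1; }
    real_root=$(cmdline_get "$1" real_root) || { echo "real_root= missing" >&2; return 1; }
    # 1. unlock the LUKS container (this is where the initrd asks for the passphrase)
    echo "cryptsetup luksOpen $crypt_root root"
    # 2. a root like /dev/vg0/root lives inside the LVM, which is only
    #    activated when dolvm2 is on the command line
    case "$real_root" in
        /dev/*/*)
            cmdline_has "$1" dolvm2 || { echo "$real_root is an LVM volume but dolvm2 is missing" >&2; return 2; }
            echo "vgscan --mknodes && vgchange -ay" ;;
    esac
    # 3. mount the real root and hand over to init
    echo "mount $real_root /newroot"
}
```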