This tutorial was done using an Ubuntu 8.04 livecd, but the process should be approximately the same with other distros.
1. Getting started:
Boot up your PC from a live CD and make sure you choose “Try ubuntu without installing”. Once the desktop is loaded, start a terminal and get root credentials:
$ sudo su –
Then, install the packages required to set up lvm and make encryption setup easier:
# apt-get install cryptsetup lvm2
Finally load the kernel modules that handle lvm and luks encryption:
# modprobe dm-crypt
2. Setting up the partitions
Here, we are going to partition the disk as follow:
- a boot partition of 200M which will be on a standard ext3 filesystem
- a LVM volume that will take the rest of the disk.
the lvmvolume will then be divided in 3 other partitions:
- / of 5G and encrypted
- /home 2G and encrypted
- swap of 512M and unencrypted
2.1. The physical partitions: fdisk
So, in the first place, let create the physical partition with fdisk. Those are going to be the place holder of our boot partition and lvm volume:
# fdisk /dev/sda
## lvm volume
#set the type to lvm
2.2. The logical volumes: lvm tools
Now that we have our LVM placeholder, we need to set it up. To do this, we need to: create the physical volume, create the volume group and then create the logical volumes on this volume group.
If you already have your LVM set up, run: # lvchange -ay lvmvolume to see your partitions.
Let’s create this physical volume first:
# pvcreate /dev/sda2
then, the volume group:
# vgcreate lvmvolume /dev/sda2
finally, we create the logical partitions:
# lvcreate -L 5G -n encryptedroot lvmvolume
# lvcreate -L 512M -n swap lvmvolume
# lvcreate -L 2G -n encryptedhome lvmvolume
Ok, now we got our partition layout almost set up, we just need to encrypt the partitions, and format them…
3. Encrypting the partitions
3.1. Filling the partition with random data
Now that we have our partition layout, we need to encrypt /home and /. The first thing we are going to do is to fill those partitions with random data. There is 2 ways of doing it. A fairly fast one or a really slow but efficient one.
3.1.1. using badblocks
By using badblocks you will verify that your physical disk is fine and at the ame time, fill with some random data.
# badblocks -c 10240 -s -w -t random -v /dev/lvmvolume/encryptedhome
# badblocks -c 10240 -s -w -t random -v /dev/lvmvolume/encryptedroot
3.1..2. using dd
We can use dd to read random data from /dev/urandom and write them to the “to be” encrypted partitions:
Note that this is really long and slow, but it will make it harder to find the key that lock your partition.
# dd if=/dev/urandom of=/dev/lvmvolume/encryptedroot
# dd if=/dev/urandom of=/dev/lvmvolume/encryptedhome
Fill the partitions with random data. This may take MANY hours for the large partitions, on average 1.6M/sec of data is written to disk, so a 10GB partition might take around 2 hours, and 100GB partition might take a bit under 20 hours.
In the meantime you can wish that the tutorial is going to work.
3.2. Setting up the LUKS encryption
Ok, now that our partitions are full of random bytes, we can set up our encryption mechanism wtih the help of cryptsetup.
# cryptsetup -y –cipher aes-cbc-essiv:sha256 –key-size 256 luksFormat /dev/lvmvolume/encryptedroot
This will overwrite data on /dev/lvmvolume/encryptedroot irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
And the same for encryptedhome:
# cryptsetup -y –cipher aes-cbc-essiv:sha256 –key-size 256 luksFormat /dev/lvmvolume/encryptedhome
3.3. Mounting the encrypted partitions:
Now, encryptedhome and encryptedroot are LUKS enabled, from there, we can use cryptsetup again to mount those encrypted partitions:
root@ubuntu:~# cryptsetup luksOpen /dev/lvmvolume/encryptedroot rootvolume
Enter LUKS passphrase:
key slot 0 unlocked.
root@ubuntu:~# cryptsetup luksOpen /dev/lvmvolume/encryptedhome homevolume
Enter LUKS passphrase:
key slot 0 unlocked.
3.4. Formatting the partitions
Finally, we now have all our partition pseudo devices available. we can now format them so Ubuntu installer sees the partition we want to install our system on, e.g the encrypted ones.
4. Installing the system
we are now going to install the distro over our layout. Start the installer and make sure you choose manual partitioning. Then set up your filesystem like the one on the screenshot.
Note: When the installer has finished, do not reboot yet
5. Configuring the installed system
As we force the system to be installed on our custom partitions, and because Ubuntu desktop livecd is not aware of lvm and encryption, we need to customize the system that has just been installed. To achieve this, we will chroot into our future system and mount the required partitions.
# mkdir /target
# mount /dev/mapper/rootvolume /target/
# mount /dev/mapper/homevolume /target/home
# mount /dev/sda1 /target/boot
# chroot /target
# mount -t proc proc /proc
# mount -t sysfs sys /sys
Now, we will install the required software to be able to handle encryption and lvm:
# apt-get install lvm2 cryptsetup
then, we need to inform cryptsetup on how to mount our encrypted partitions. The settings happens in /etc/crypttab:
rootvolume /dev/lvmvolume/encryptedroot none luks,retry=1
homevolume /dev/lvmvolume/encryptedhome none luks,retry=1
Also, if we want our system to be able to mount the partitions, the initrd needs to contains modules for lvm, and encryption. This is handled by /etc/initramfs-tools/modules. So edit it and add:
And finally, another last step: editing fstab
Note : This next step has to be done, otherwise, your system won’t boot!!!
It looks like the kernel is not match the UUID with the actual logical device. So, for each of your encrypted partition, change the UUID=asas-asa-sasas by the actual device: /dev/mapper/mydevice. For instance, in this tutorial, my final /etc/fstab looked like this:
# /etc/fstab: static file system information. # # proc /proc proc defaults 0 0 # /dev/mapper/rootvolume #UUID=af21a76e-3a85-4ca5-a6b9-e362d97892ba /dev/mapper/rootvolume / ext3 relatime,errors=remount-ro 0 1 # /dev/sda1 UUID=2de459f5-306a-4d57-bd5c-76eb50c81179 /boot ext2 relatime 0 2 # /dev/mapper/homevolume #UUID=443a67f1-2ee1-43bc-b248-882b5068cc24 /dev/mapper/homevolume /home ext3 relatime 0 2 # /dev/mapper/lvmvolume-swap UUID=d4f44b82-0d73-4269-af68-a613f11876fe none swap sw 0 0 /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0 /dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
And regenerate the initrd file with:
# update-initramfs -k all -c
you can verify that the initrd contains the correct information to mount the encrypted partition:
# mkdir /tmp/tmp
# cd /tmp/tmp
# zcat /boot/initrd.img-`uname -r` | cpio -iv
# cat conf/conf.d/cryptroot
Well, that’s about it, you should now reboot your computer, and hopefully you will get a screen like the screenshot prompting you for a password. If the progress bar seems to hang for quite some time, chances that either /etc/fstab or /etc/crypttab is not properly set up. In that case, you will need to boot on the live cd again, install the packages lvm2 and cryptsetup, run lvchange -ay , reopen the partitions and mount them….. and find what is wrong… a lot of pleasure. If you are lucky enough :), type your password to unlock / first then another time for /home and voila, you are running ubuntu on an encrypted filesystem.
Thank You for Visiting this site.