
Ubuntu Dapper with dm-crypt

Installing Ubuntu with encrypted root and swap

Installing Ubuntu Dapper Drake 6.06 LTS with encrypted root and swap (LUKS+LVM2)

Based on:

  • http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedLVM2Root

  • http://www.sicherheitsschwankung.de/node/16

  • http://ner.dy.fi/deb/

Tested with: Ubuntu Dapper 6.06 LTS

What will be done

Partition table of the disk

    Device      Flags       Type   Mount  Size          Encrypted
    /dev/hda1   (bootable)  ext3   /boot  100MB         -
    /dev/hda2   -           swap          500MB         (enc)
    /dev/hda3   -           LVM2          rest of disk  (enc)

LVM Setup

    Volume    Filesystem  Size
    lv_root   reiserfs    4000MB
    lv_home   reiserfs    rest of disk

Instruction

  1. Boot LiveCD

  2. Open Terminal

  3. Obtain privileges

    $ sudo bash
    
  4. Partition the disk according to the partition table above

  5. Reboot the LiveCD and open a terminal (note: a reboot is sometimes needed for the new partitions to show up in /dev)

    $ sudo bash
    # modprobe aes-i586
    # modprobe dm-crypt
    
  6. Bring up the network

  7. Add the universe repositories to /etc/apt/sources.list

  8. Update and install

    # apt-get update
    # apt-get install cryptsetup lvm2
    
  9. Randomize the partitions

    # dd if=/dev/urandom of=/dev/hda2
    # dd if=/dev/urandom of=/dev/hda3
    
  10. Create filesystem on /dev/hda1

    # mkfs.ext3 /dev/hda1
    
  11. LUKS on /dev/hda3

    # cryptsetup luksFormat /dev/hda3
    WARNING!
    ========
    This will overwrite data on /dev/hda3 irrevocably.
    
    Are you sure? (Type uppercase yes): YES
    Enter LUKS passphrase:
    
    # cryptsetup luksOpen /dev/hda3 vg_crypt
    Enter LUKS passphrase:
    key slot 0 unlocked.
    
  12. Edit /etc/lvm/lvm.conf to support LVM devices on device-mapper:

    filter = [ "r|/dev/cdrom|", "r|/dev/hda*|" ]
    types = [ "device-mapper", 16 ]
    
  13. Restart LVM

    # /etc/init.d/lvm restart
    
  14. Set up LVM (replace X with the size you want for lv_home, in GB)

    # pvcreate /dev/mapper/vg_crypt
    # vgcreate vg_crypt /dev/mapper/vg_crypt
    # lvcreate -v -L 4G -n lv_root vg_crypt
    # lvcreate -L XG -n lv_home vg_crypt
    
  15. Create Filesystems on root and home

    # mkfs.reiserfs /dev/mapper/vg_crypt-lv_root
    # mkfs.reiserfs /dev/mapper/vg_crypt-lv_home
    
  16. Disable some checks and actions in partman

    # rm /lib/partman/finish.d/05proper_mountpints
    # rm /lib/partman/finish.d/10check_swap
    # rm /lib/partman/finish.d/10check_basicfilesystems
    # rm /lib/partman/commit.d/50format*
    # rm /lib/partman/commit.d/45format_swap
    
  17. Install the system

    Double click on "Install" (make selections for your setup)
     Use "Manually edit partition table"
     Click "Forward"
     Click "Forward" (do nothing)
    
    At screen "Prepare mount points", remove all disk mounting configuration (all config selection should be fully empty), click "Forward".
    Then do the following before continuing the installation (at "Ready to install")...
    
    # mkdir /target/
    # mount /dev/mapper/vg_crypt-lv_root /target
    
    # mkdir /target/boot
    # mkdir /target/home
    
    # mount /dev/mapper/vg_crypt-lv_home /target/home
    # mount /dev/hda1 /target/boot
    
    ...continue installation, by clicking "Install"
    
    When installation is ready click: "Continue using the live CD"
    
  18. Post installation tasks (re-mount drives under /target again before continuing)

    # cp /etc/lvm/lvm.conf /target/etc/lvm/
    
    # mount --bind /sys /target/sys/
    # mount --bind /proc /target/proc/
    # mount --bind /dev /target/dev/
    
    # chroot /target
    

18.1. Check that /etc/hosts and /etc/hostname are correct.

18.2. Add universe to /etc/apt/sources.list, then update and install

   # apt-get update
   # apt-get install cryptsetup lvm2 dmsetup module-init-tools initramfs-tools
   # wget http://ner.dy.fi/deb/initramfs-cryptsetup_0.43_all.deb
   # dpkg -i initramfs-cryptsetup_0.43_all.deb

18.3. Edit /etc/crypttab and add

       swap /dev/hda2 /dev/urandom swap

18.4. Run

    # /etc/init.d/cryptdisks start

18.5. Fix /etc/fstab

       /dev/mapper/vg_crypt-lv_root  / reiserfs notail 0 1
       /dev/hda1                     /boot ext3 defaults 0 2
       /dev/mapper/vg_crypt-lv_home  /home reiserfs defaults 0 2
       /dev/mapper/swap              none swap sw 0 0

18.6. Set up /etc/mkinitramfs/cryptsetup.conf by setting the following variables

     CRYPTOLVM="/dev/hda3"
     CRYPTOVG="vg_crypt"

18.7. Create an initrd with crypt support

  # mkinitramfs -o  /boot/initrd.img-2.6.15-XX-386-crypt 2.6.15-XX-386             (replace XX with rev e.g. 21)

18.8. Edit /boot/grub/menu.lst

First add a new entry:

        ### END DEBIAN AUTOMAGIC KERNELS LIST
        title Ubuntu, kernel 2.6.15-XX-386 (cryptodisk)
        root (hd0,0)
        kernel /vmlinuz-2.6.15-XX-386 root=/dev/mapper/vg_crypt-lv_root ro
        initrd /initrd.img-2.6.15-XX-386-crypt
        savedefault
        boot

Then set the following options so that "update-grub" does the right thing when kernels are upgraded in the future (the leading "#" is part of each line in menu.lst, not a shell prompt):

    # kopt=root=/dev/mapper/vg_crypt-lv_root ro
    # defoptions=quiet

18.9. Exit (from the chroot)

  19. Reboot and choose the new option in grub (and hope)
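
A check worth running inside the chroot before leaving it, as an added example that is not part of the original HOWTO: it confirms that every swap entry in fstab is a dm-crypt mapping which crypttab re-keys from a random device, as steps 18.3 and 18.5 intend. The function name check_swap and the temporary sample files are assumptions of this example; on the installed system, pass /etc/fstab and /etc/crypttab.

```shell
#!/bin/sh
# Added example (not from the original page): verify that every swap entry in
# fstab is a dm-crypt mapping that crypttab keys from a random device.
# check_swap FSTAB CRYPTTAB -> one line per swap entry; returns 1 on any FAIL.
check_swap() {
    fstab=$1; crypttab=$2; rc=0
    # fstab fields: device mountpoint type options dump pass
    for dev in $(awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab"); do
        case $dev in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            *) echo "FAIL $dev: swap on a raw device, not a dm-crypt mapping"
               rc=1; continue ;;
        esac
        # crypttab fields: target source key options
        entry=$(awk -v n="$name" '$1 == n { print $3, $4; exit }' "$crypttab")
        key=${entry%% *}; opts=${entry#* }
        if [ -z "$entry" ]; then
            echo "FAIL $dev: no crypttab entry named $name"; rc=1
        elif [ "$key" != /dev/urandom ] && [ "$key" != /dev/random ]; then
            echo "FAIL $dev: key '$key' is not a random device"; rc=1
        else
            case ",$opts," in
                *,swap,*) echo "OK   $dev: random key, mkswap at every boot" ;;
                *) echo "FAIL $dev: crypttab options lack 'swap'"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample: the crypttab and fstab lines from steps 18.3 and 18.5.
demo_dir=$(mktemp -d)
printf 'swap /dev/hda2 /dev/urandom swap\n' > "$demo_dir/crypttab"
cat > "$demo_dir/fstab" <<'EOF'
/dev/mapper/vg_crypt-lv_root  / reiserfs notail 0 1
/dev/hda1                     /boot ext3 defaults 0 2
/dev/mapper/vg_crypt-lv_home  /home reiserfs defaults 0 2
/dev/mapper/swap              none swap sw 0 0
EOF
check_swap "$demo_dir/fstab" "$demo_dir/crypttab"
```

Because the swap key is random and discarded at power-off, suspend-to-disk cannot resume from this swap area.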

After reboot

Open a terminal and update

$ sudo aptitude update
$ sudo aptitude dist-upgrade

Published

Sep 4, 2006

Author

henrik

Category

HOWTOs
