Installing Ubuntu with encrypted root and swap¶
Installing Ubuntu Dapper Drake 6.06 LTS with encrypted root and swap (LUKS+LVM2)
Based on:
- http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedLVM2Root
- http://www.sicherheitsschwankung.de/node/16
- http://ner.dy.fi/deb/
Tested with: Ubuntu Dapper 6.06 LTS
What will be done¶
Partition table of the disk

Device    | Flags    | Use        | Size         | Encrypted
/dev/hda1 | bootable | ext3, /boot | 100MB       | -
/dev/hda2 | -        | swap       | 500MB        | (enc)
/dev/hda3 | -        | LVM2       | rest of disk | (enc)

LVM setup

Logical volume | Filesystem | Size
lv_root        | reiserfs   | 4000MB
lv_home        | reiserfs   | rest of disk
Instructions¶
1. Boot the LiveCD.
2. Open a terminal.
3. Obtain root privileges:
   $ sudo bash
4. Partition the disk according to the partition table above.
5. Reboot the LiveCD and open a terminal again (note: a reboot is sometimes needed for the new partitions to show up in /dev), then load the crypto modules:
   $ sudo bash
   # modprobe aes-i586
   # modprobe dm-crypt
6. Bring up the network.
7. Add the universe repositories to /etc/apt/sources.list.
8. Update and install the tools:
   # apt-get update
   # apt-get install cryptsetup lvm2
9. Randomize the partitions (fill them with random data, so that used and unused encrypted blocks cannot be told apart later):
   # dd if=/dev/urandom of=/dev/hda2
   # dd if=/dev/urandom of=/dev/hda3
10. Create the filesystem on /dev/hda1:
   # mkfs.ext3 /dev/hda1
11. Set up LUKS on /dev/hda3:
   # cryptsetup luksFormat /dev/hda3

   WARNING!
   ========
   This will overwrite data on /dev/hda3 irrevocably.

   Are you sure? (Type uppercase yes): YES
   Enter LUKS passphrase:
   # cryptsetup luksOpen /dev/hda3 vg_crypt
   Enter LUKS passphrase:
   key slot 0 unlocked.
12. Edit /etc/lvm/lvm.conf to support LVM devices on device-mapper:
   filter = [ "r|/dev/cdrom|", "r|/dev/hda*|" ]
   types = [ "device-mapper", 16 ]
13. Restart LVM:
   # /etc/init.d/lvm restart
14. Set up LVM (replace X with the size you want for lv_home):
   # pvcreate /dev/mapper/vg_crypt
   # vgcreate vg_crypt /dev/mapper/vg_crypt
   # lvcreate -v -L 4G -n lv_root vg_crypt
   # lvcreate -L XG -n lv_home vg_crypt
15. Create the filesystems on root and home:
   # mkfs.reiserfs /dev/mapper/vg_crypt-lv_root
   # mkfs.reiserfs /dev/mapper/vg_crypt-lv_home
16. Disable some checks and actions in partman, so that the installer neither checks nor reformats the partitions prepared above:
   # rm /lib/partman/finish.d/05proper_mountpints
   # rm /lib/partman/finish.d/10check_swap
   # rm /lib/partman/finish.d/10check_basicfilesystems
   # rm /lib/partman/commit.d/50format*
   # rm /lib/partman/commit.d/45format_swap
17. Install the system:
   Double-click "Install" (make the selections for your setup).
   Use "Manually edit partition table".
   Click "Forward".
   Click "Forward" (do nothing).
   At the screen "Prepare mount points", remove all disk mounting configuration (every selection should be fully empty), then click "Forward".
   Before continuing the installation (at "Ready to install"), run:
   # mkdir /target/
   # mount /dev/mapper/vg_crypt-lv_root /target
   # mkdir /target/boot
   # mkdir /target/home
   # mount /dev/mapper/vg_crypt-lv_home /target/home
   # mount /dev/hda1 /target/boot
   Continue the installation by clicking "Install". When the installation is ready, click "Continue using the live CD".
18. Post-installation tasks (re-mount the drives under /target again before continuing):
   # cp /etc/lvm/lvm.conf /target/etc/lvm/
   # mount --bind /sys /target/sys/
   # mount --bind /proc /target/proc/
   # mount --bind /dev /target/dev/
   # chroot /target
   18.1. Check that /etc/hosts and /etc/hostname are correct.
   18.2. Add universe to /etc/apt/sources.list and update:
      # apt-get update
      # apt-get install cryptsetup lvm2 dmsetup module-init-tools initramfs-tools
      # wget http://ner.dy.fi/deb/initramfs-cryptsetup_0.43_all.deb
      # dpkg -i initramfs-cryptsetup_0.43_all.deb
   18.3. Edit /etc/crypttab and add:
      swap /dev/hda2 /dev/urandom swap
   18.4. Run:
      # /etc/init.d/cryptdisks start
   18.5. Fix /etc/fstab:
      /dev/mapper/vg_crypt-lv_root / reiserfs notail 0 1
      /dev/hda1 /boot ext3 defaults 0 2
      /dev/mapper/vg_crypt-lv_home /home reiserfs defaults 0 2
      /dev/mapper/swap none swap sw 0 0
   18.6. Set up /etc/mkinitramfs/cryptsetup.conf by setting the following variables:
      CRYPTOLVM="/dev/hda3"
      CRYPTOVG="vg_crypt"
   18.7. Create an initrd with crypt support (replace XX with the kernel revision, e.g. 21):
      # mkinitramfs -o /boot/initrd.img-2.6.15-XX-386-crypt 2.6.15-XX-386
   18.8. Edit /boot/grub/menu.lst. First add a new entry:
      ### END DEBIAN AUTOMAGIC KERNELS LIST
      title Ubuntu, kernel 2.6.15-XX-386 (cryptodisk)
      root (hd0,0)
      kernel /vmlinuz-2.6.15-XX-386 root=/dev/mapper/vg_crypt-lv_root ro
      initrd /initrd.img-2.6.15-XX-386-crypt
      savedefault
      boot
      Then fix the following lines so that "update-grub" does the right thing when upgrading kernels in the future:
      # kopt=root=/dev/mapper/vg_crypt-lv_root ro
      # defoptions=quiet
   18.9. Exit from the chroot.
19. Reboot and choose the new option in GRUB (and hope).
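As an added check that is not part of the original how-to: a POSIX shell function that audits the /etc/crypttab entry from 18.3 and the /etc/fstab from 18.5 before you reboot, flagging a root that is not on the encrypted LVM, a /boot that GRUB could not read, and a swap that the installer left as a plain partition or that has no random-key crypttab entry. The sample crypttab and fstab files below are constructed from the values in this guide.

```shell
# Added audit, not from the original how-to. Reads an fstab and a crypttab
# (paths given as arguments) and reports layout problems:
#   - / must be on /dev/mapper (the encrypted LVM), /boot must not be;
#   - every swap must be a /dev/mapper name whose crypttab entry uses a
#     random key (/dev/urandom) with the "swap" option.
audit_crypt_layout() {
    crypttab=$1; fstab=$2; rc=0
    while read -r dev mnt fstype rest; do
        case "$dev" in ''|\#*) continue ;; esac
        case "$mnt" in
            /) case "$dev" in /dev/mapper/*) ;;
                   *) echo "root $dev is not on device-mapper"; rc=1 ;; esac ;;
            /boot) case "$dev" in /dev/mapper/*)
                   echo "/boot $dev on device-mapper: GRUB cannot read it"; rc=1 ;; esac ;;
        esac
        [ "$fstype" = swap ] || continue
        name=${dev#/dev/mapper/}
        if [ "$name" = "$dev" ]; then
            echo "swap $dev is a plain partition, not a crypttab mapping"; rc=1
            continue
        fi
        # crypttab fields: <target> <source> <keyfile> <options>
        entry=$(awk -v n="$name" '$1 == n { print $3, $4 }' "$crypttab")
        case "$entry" in
            "/dev/urandom swap"*) ;;
            '') echo "swap mapping $name has no crypttab entry"; rc=1 ;;
            *) echo "swap mapping $name is not random-key swap: $entry"; rc=1 ;;
        esac
    done < "$fstab"
    return $rc
}

# Constructed sample files so the script runs stand-alone.
tmp=$(mktemp -d)
printf 'swap /dev/hda2 /dev/urandom swap\n' > "$tmp/crypttab"
cat > "$tmp/fstab.good" <<'EOF'
/dev/mapper/vg_crypt-lv_root / reiserfs notail 0 1
/dev/hda1 /boot ext3 defaults 0 2
/dev/mapper/vg_crypt-lv_home /home reiserfs defaults 0 2
/dev/mapper/swap none swap sw 0 0
EOF
cat > "$tmp/fstab.bad" <<'EOF'
/dev/mapper/vg_crypt-lv_root / reiserfs notail 0 1
/dev/hda1 /boot ext3 defaults 0 2
/dev/hda2 none swap sw 0 0
EOF
audit_crypt_layout "$tmp/crypttab" "$tmp/fstab.good" && echo "good layout: OK"
audit_crypt_layout "$tmp/crypttab" "$tmp/fstab.bad" || echo "bad layout: findings above"
```

Inside the chroot, run it as `audit_crypt_layout /etc/crypttab /etc/fstab`. A random-key swap like this one cannot be used for suspend-to-disk, since the key is different at every boot.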
After reboot¶
Open a terminal and update:
$ sudo aptitude update
$ sudo aptitude dist-upgrade