Encrypted Root Filesystem HOWTO



Similar documents
Using Encrypted File Systems with Caché 5.0

EXPLORING LINUX KERNEL: THE EASY WAY!

ATT8231: Creating a Customized USB Thumb Drive for ZCM Imaging Methods for creating a customized bootable USB Thumb Drive

Backtrack 4 Bootable USB Thumb Drive with Full Disk Encryption

Open Source Encrypted Filesystems for Free Unix Systems

Linux Boot Loaders Compared

The Linux CryptoAPI A User s Perspective

Creating a Cray System Management Workstation (SMW) Bootable Backup Drive

Buildroot for Vortex86EX (2016/04/20)

Getting your system to boot with initrd and initramfs

Setup software RAID1 array on running CentOS 6.3 using mdadm. (Multiple Device Administrator) 1. Gather information about current system.

Installing Debian with SATA based RAID

LiveCD Howto (CentOS 4) - Step by step - 01/12/ Ver 1.1

RAID Software Suite for Linux

HTTP-FUSE PS3 Linux: an internet boot framework with kboot

Linux + Windows 95 mini HOWTO

Planning for an Amanda Disaster Recovery System

Cryptographic Filesystems. Background and Implementations for Linux and OpenBSD

TECHNICAL HOWTO. Imaging Linux systems with hardware changes. author:

Load Balancing - Single Multipath Route HOWTO

Linux Template Creation Guide. How to build your own Linux VM templates for deployment in Cloudturk.

Btrfs and Rollback How It Works and How to Avoid Pitfalls

Linux Embedded devices with PicoDebian Martin Noha

Redhat 6.2 Installation Howto -Basic Proxy and Transparent

WES 9.2 DRIVE CONFIGURATION WORKSHEET

BackTrack Hard Drive Installation

Computer forensic science

Linux Disaster Recovery best practices with rear

Customizing Boot Media for Linux* Direct Boot

Linux System Administration on Red Hat

Encryption Security Recommendations

Installing Ubuntu LTS with full disk encryption

BATTENING DOWN THE DISKS

System administration basics

Advanced SUSE Linux Enterprise Server Administration (Course 3038) Chapter 5 Manage Backup and Recovery

Booting Linux from a USB Flash Device on MPC5200 Systems David Wolfe, Infotainment, Multimedia and Telematics Division

HARFORD COMMUNITY COLLEGE 401 Thomas Run Road Bel Air, MD Course Outline CIS INTRODUCTION TO UNIX

NI Real-Time Hypervisor for Windows

A candidate following a programme of learning leading to this unit will be able to:

Relax and Recover (rear) Workshop

Linux Overview. The Senator Patrick Leahy Center for Digital Investigation. Champlain College. Written by: Josh Lowery

Red Hat Linux 7.2 Installation Guide

Recovering Data from Windows Systems by Using Linux

Yosemite Server Backup Installation Guide

An Introduction to the Linux Command Shell For Beginners

Puppy Linux Installation To a USB Flash Drive How to install Puppy Linux lupu Lucid to a Flash Drive

How to Install Windows on Xen TM 3.0

Backup of ESXi Virtual Machines using Affa

Building a diskless Linux Cluster for high performance computations from a standard Linux distribution

Support Notes for SUSE LINUX Enterprise Server 9 Service Pack 3 for the Intel Itanium 2 Processor Family

How To Manage Your Volume On Linux (Evms) On A Windows Box (Amd64) On A Raspberry Powerbook (Amd32) On An Ubuntu Box (Aes) On Linux

Unix/Linux Forensics 1

SETTING UP RASPBERRY PI FOR TOPPY FTP ACCESS. (Draft 5)

LSN 10 Linux Overview

Recovering Data from Windows Systems by Using Linux

2. Boot using the Debian Net Install cd and when prompted to continue type "linux26", this will load the 2.6 kernel

Abstract. Microsoft Corporation Published: August 2009

Windows Template Creation Guide. How to build your own Windows VM templates for deployment in Cloudturk.

How To Set Up Software Raid In Linux (Amd64)

II. Installing Debian Linux:

Installation GENTOO + RAID sur VMWARE

Linux Distributed Security Module 1

How to Restore a Linux Server Using Bare Metal Restore

Root-on-LVM-on-RAID HOWTO

Installing Multiple Linux Distributions on a Single Machine

CBMR for Linux v6.2.2 User Guide

Make a Bootable USB Flash Drive from the Restored Edition of Hiren s Boot CD

Acronis Backup & Recovery 10 Server for Linux. Update 5. Installation Guide

Getting Started with the Linux Intrusion Detection

Building Elastix-2.4 High Availability Clusters with DRBD and Heartbeat (using a single NIC)

Procedure to Create and Duplicate Master LiveUSB Stick

On Disk Encryption with Red Hat Enterprise Linux

w1r3 Network Documentation

Acronis Backup & Recovery 10 Server for Linux. Installation Guide

Getting started with ARM-Linux

Procedure to convert Intel Dot.Station 2300 into a LINUX Red Hat 8.0 box. Document Version: 1.1 Author: Javier Castilla (latas) Release: 1

Best Practices in Hardening Apache Services under Linux

Survey of Filesystems for Embedded Linux. Presented by Gene Sally CELF

Linux Disaster Recovery best practices with rear

Computer Science and Engineering Linux Cisco VPN Client Installation and Setup Guide

Restoring a Suse Linux Enterprise Server 9 64 Bit on Dissimilar Hardware with CBMR for Linux 1.02

Other trademarks and Registered trademarks include: LONE-TAR. AIR-BAG. RESCUE-RANGER TAPE-TELL. CRONY. BUTTSAVER. SHELL-LOCK

ULTEO OPEN VIRTUAL DESKTOP V4.0

RapidSeed for Replicating Systems Version 7.4

Linux System Recovery Guide. Version 7.1

Xen Zynq Distribution

Using Red Hat Enterprise Linux with Georgia Tech's RHN Satellite Server Installing Red Hat Enterprise Linux

How to Install and Run Tibia on Linux Using Wine without Windows Contents

AdvLinux for i486sx User Manual V1.02

INF-110. GPFS Installation

RecoverEDGE. Microlite. Smart Crash Recovery Software. Technical Reference Supplement to the. Microlite

RocketRAID 2640/2642 SAS Controller Ubuntu Linux Installation Guide

Converting Linux and Windows Physical and Virtual Machines to Oracle VM Virtual Machines. An Oracle Technical White Paper December 2008

Booting and Configuring a Xen Host

Deploying a Virtual Machine (Instance) using a Template via CloudStack UI in v4.5.x (procedure valid until Oct 2015)

Transcription:

Encrypted Root Filesystem HOWTO Christophe Devine Revision History Revision v1.3 2005 03 13 Revised by: cd Updated the packages version. Revision v1.2 2004 10 20 Revised by: cd Updated the packages version. Revision v1.1 2003 12 01 Revised by: cd Added support for GRUB. Revision v1.0 2003 09 24 Revised by: cd Initial release, reviewed by LDP. Revision v0.9 2003 09 11 Revised by: cd Updated and converted to DocBook XML. This document explains how to make your personal data secure by encrypting your Linux root filesystem using strong cryptography. This HOWTO is released under the GNU Free Documentation License Version 1.2.

Encrypted Root Filesystem HOWTO Table of Contents 1. Preparing the system...1 1.1. Setting up the partition layout...1 1.2. Required packages...1 1.3. Installing Linux 2.4.29...1 1.4. Installing Linux 2.6.10...3 1.5. Installing util linux 2.12p...3 2. Creating the encrypted root filesystem...4 3. Setting up the boot device...5 3.1. Creating the ramdisk...5 3.2. Booting from a CD ROM...6 3.3. Booting from a HD partition...7 4. Final steps...8 5. About this HOWTO...9 i

1. Preparing the system 1.1. Setting up the partition layout Your hard disk (hda) should contain at least three partitions: hda1: this small unencrypted partition will ask for a password in order to mount the encrypted root filesystem. hda2: this partition will contain your encrypted root filesystem; make sure it is large enough. hda3: this partition holds the current GNU/Linux system. At this point, both hda1 and hda2 are unused. hda3 is where your Linux distribution is currently installed; /usr and /boot must not be separated from this partition. Here's an example of what your partition layout might look like: # fdisk l /dev/hda Disk /dev/hda: 255 heads, 63 sectors, 2432 cylinders Units = cylinders of 16065 * 512 bytes Device Boot Start End Blocks Id System /dev/hda1 1 1 8001 83 Linux /dev/hda2 2 263 2104515 83 Linux /dev/hda3 264 525 2104515 83 Linux /dev/hda4 526 2047 12225465 83 Linux 1.2. Required packages If you use Debian, the following packages are mandatory: apt get install gcc make libncurses5 dev patch bzip2 wget To make copy & paste easier, you should also install: apt get install lynx gpm 1.3. Installing Linux 2.4.29 There are two main projects which add loopback encryption support in the kernel: cryptoloop and loop AES. This howto is based on loop AES, since it features an extremely fast and highly optimized implementation of Rijndael in assembly language, and therefore provides maximum performance if you have an IA 32 (x86) CPU. Besides, there are some security concerns about cryptoloop. First of all, download and unpack the loop AES package: cd /usr/src wget http://loop aes.sourceforge.net/loop AES/loop AES v3.0b.tar.bz2 tar xvjf loop AES v3.0b.tar.bz2 Then you must download and patch the kernel source: 1. Preparing the system 1

Encrypted Root Filesystem HOWTO wget http://ftp.kernel.org/pub/linux/kernel/v2.4/linux 2.4.29.tar.bz2 tar xvjf linux 2.4.29.tar.bz2 cd linux 2.4.29 rm include/linux/loop.h drivers/block/loop.c patch Np1 i../loop AES v3.0b/kernel 2.4.28.diff Setup the keyboard map: dumpkeys loadkeys m > drivers/char/defkeymap.c Next, configure your kernel; make sure the following options are set: make menuconfig Block devices > <*> Loopback device support [*] AES encrypted loop device support (NEW) <*> RAM disk support (4096) Default RAM disk size (NEW) [*] Initial RAM disk (initrd) support File systems > <*> Ext3 journalling file system support <*> Second extended fs support (important note: do not enable /dev file system support) Compile the kernel and install it: make dep bzimage make modules modules_install cp arch/i386/boot/bzimage /boot/vmlinuz If grub is your bootloader, update /boot/grub/menu.lst or /boot/grub/grub.conf: cat > /boot/grub/menu.lst << default 0 timeout 10 color green/black light green/black title Linux root (hd0,2) kernel /boot/vmlinuz ro root=/dev/hda3 Otherwise, update /etc/lilo.conf and run lilo: cat > /etc/lilo.conf << lba32 boot=/dev/hda prompt timeout=60 image=/boot/vmlinuz label=linux read only root=/dev/hda3 lilo You may now restart the system. 1. Preparing the system 2

1.4. Installing Linux 2.6.10 Proceed as described in the previous section, using loop aes' kernel 2.6.10.diff patch instead, and make sure cryptoloop support is not activated. Note that modules support require that you have the module init tools package installed. 1.5. Installing util linux 2.12p The losetup program, which is part of the util linux package, must be patched and recompiled in order to add strong cryptography support. Download, unpack and patch util linux: cd /usr/src wget http://ftp.kernel.org/pub/linux/utils/util linux/util linux 2.12p.tar.bz2 tar xvjf util linux 2.12p.tar.bz2 cd util linux 2.12p patch Np1 i../loop AES v3.0b/util linux 2.12p.diff To use passwords that are less than 20 characters, enter: CFLAGS=" O2 DLOOP_PASSWORD_MIN_LENGTH=8"; export CFLAGS Security is certainly your major concern. For this reason, please do not enable passwords shorter than 20 characters. Data privacy is not free, one has to 'pay' in form of long passwords. Compile losetup and install it as root: Encrypted Root Filesystem HOWTO./configure && make lib mount mv f /sbin/losetup /sbin/losetup~ rm f /usr/share/man/man8/losetup.8* cd mount gzip losetup.8 cp losetup /sbin cp losetup.8.gz /usr/share/man/man8/ chattr +i /sbin/losetup 1. Preparing the system 3

2. Creating the encrypted root filesystem Fill the target partition with random data: shred n 1 v /dev/hda2 Setup the encrypted loopback device: losetup e aes256 S xxxxxx /dev/loop0 /dev/hda2 To prevent optimized dictionary attacks, it is recommended to add the S xxxxxx option, where "xxxxxx" is your randomly chosen seed (for example, you might choose "gpk4la"). Write down your seed on a piece of paper so that you don't loose it afterwards. Also, in order to avoid boot time problems with the keyboard map, do not use non ASCII characters (accents, etc.) in your password. The Diceware site offers a simple way to create strong, yet easy to remember, passphrases. Now create the ext3 filesystem: mke2fs j /dev/loop0 Check that the password you entered is correct: losetup d /dev/loop0 losetup e aes256 S xxxxxx /dev/loop0 /dev/hda2 mkdir /mnt/efs mount /dev/loop0 /mnt/efs You can compare the encrypted and unencrypted data: xxd /dev/hda2 less xxd /dev/loop0 less It's time to install your encrypted Linux system. If you use a GNU/Linux distribution (such as Debian, Slackware, Gentoo, Mandrake, RedHat/Fedora, SuSE, etc.), run the following command: cp avx / /mnt/efs If you use the Linux From Scratch book, proceed as described in the manual, with the modifications below: Chapter 6 Installing util linux: Apply the loop AES patch after unpacking the sources. Chapter 8 Making the LFS system bootable: Refer to the next section (Setting up the boot device). 2. Creating the encrypted root filesystem 4

3. Setting up the boot device 3.1. Creating the ramdisk To begin with, chroot inside the encrypted partition and create the boot device mount point: chroot /mnt/efs mkdir /loader Then, create the initial ramdisk (initrd), which will be needed afterwards: cd dd if=/dev/zero of=initrd bs=1k count=4096 mke2fs F initrd mkdir ramdisk mount o loop initrd ramdisk If you're using grsecurity, you may get a "Permission denied" error message; in this case you'll have to run the mount command outside chroot. Create the filesystem hierarchy and copy the required files in it: mkdir ramdisk/{bin,dev,lib,mnt,sbin} cp /bin/{bash,mount} ramdisk/bin/ ln s bash ramdisk/bin/sh mknod m 600 ramdisk/dev/console c 5 1 mknod m 600 ramdisk/dev/hda2 b 3 2 mknod m 600 ramdisk/dev/loop0 b 7 0 cp /lib/{ld linux.so.2,libc.so.6,libdl.so.2} ramdisk/lib/ cp /lib/{libncurses.so.5,libtermcap.so.2} ramdisk/lib/ cp /sbin/{losetup,pivot_root} ramdisk/sbin/ It's ok if you see a message like "/lib/libncurses.so.5: No such file or directory", or "/lib/libtermcap.so.2: No such file or directory"; bash only requires one of these two libraries. You can check which one is actually required with: ldd /bin/bash Compile the sleep program, which will prevent the password prompt being flooded by kernel messages (such as usb devices being registered). cat > sleep.c << "" #include <unistd.h> #include <stdlib.h> int main( int argc, char *argv[] ) { if( argc == 2 ) sleep( atoi( argv[1] ) ); } return( 0 ); gcc s sleep.c o ramdisk/bin/sleep rm sleep.c Create the init script: 3. Setting up the boot device 5

cat > ramdisk/sbin/init << "" #!/bin/sh /bin/sleep 3 echo n "Enter seed value: " read SEED /sbin/losetup e aes256 S $SEED /dev/loop0 /dev/hda2 /bin/mount r n t ext3 /dev/loop0 /mnt while [ $? ne 0 ] do /sbin/losetup d /dev/loop0 /sbin/losetup e aes256 S $SEED /dev/loop0 /dev/hda2 /bin/mount r n t ext3 /dev/loop0 /mnt done cd /mnt /sbin/pivot_root. loader exec /usr/sbin/chroot. /sbin/init chmod 755 ramdisk/sbin/init Umount the loopback device and compress the initrd: Encrypted Root Filesystem HOWTO umount d ramdisk rmdir ramdisk gzip initrd mv initrd.gz /boot/ 3.2. Booting from a CD ROM I strongly advise you to start your system with a read only media, such as a bootable CD ROM. Download and unpack syslinux: wget http://ftp.kernel.org/pub/linux/utils/boot/syslinux/syslinux 3.07.tar.bz2 tar xvjf syslinux 3.07.tar.bz2 Configure isolinux: mkdir bootcd cp /boot/{vmlinuz,initrd.gz} syslinux 3.07/isolinux.bin bootcd echo "DEFAULT /vmlinuz initrd=initrd.gz ro root=/dev/ram0" \ > bootcd/isolinux.cfg Create and burn the bootable cd rom iso image: mkisofs o bootcd.iso b isolinux.bin c boot.cat \ no emul boot boot load size 4 boot info table \ J hide rr moved R bootcd/ cdrecord dev 0,0,0 speed 4 v bootcd.iso rm rf bootcd{,.iso} 3. Setting up the boot device 6

3.3. Booting from a HD partition The boot partition can come in handy if you happen to lose your bootable CD. Remember that hda1 is a writable media and is thus insecure; use it only in case of emergency! Create and mount the ext2 filesystem: dd if=/dev/zero of=/dev/hda1 bs=8192 mke2fs /dev/hda1 mount /dev/hda1 /loader Copy the kernel and the initial ramdisk: cp /boot/{vmlinuz,initrd.gz} /loader If you use grub: Encrypted Root Filesystem HOWTO mkdir /loader/boot cp av /boot/grub /loader/boot/ cat > /loader/boot/grub/menu.lst << default 0 timeout 10 color green/black light green/black title Linux root (hd0,0) kernel /vmlinuz ro root=/dev/ram0 initrd /initrd.gz grub install root directory=/loader /dev/hda umount /loader If you use lilo: mkdir /loader/{boot,dev,etc} cp /boot/boot.b /loader/boot/ mknod m 600 /loader/dev/hda b 3 0 mknod m 600 /loader/dev/hda1 b 3 1 mknod m 600 /loader/dev/hda2 b 3 2 mknod m 600 /loader/dev/hda3 b 3 3 mknod m 600 /loader/dev/hda4 b 3 4 mknod m 600 /loader/dev/ram0 b 1 0 cat > /loader/etc/lilo.conf << lba32 boot=/dev/hda prompt timeout=60 image=/vmlinuz label=linux initrd=/initrd.gz read only root=/dev/ram0 lilo r /loader umount /loader 3. Setting up the boot device 7

4. Final steps Still inside chroot, modify /etc/fstab so that it contains: /dev/loop0 / ext3 defaults 0 1 Delete /etc/mtab and exit from chroot. Finally, run "umount d /mnt/efs" and reboot. If something goes wrong, you can still boot your unencrypted partition by entering "Linux root=/dev/hda3" at the LILO: prompt. If everything went well, you can now re partition your disk and encrypt hda3 as well as hda4. In the following scripts, we assume that hda3 will hold the swap device and hda4 will contain /home; you should initialize both partitions first: shred n 1 v /dev/hda3 shred n 1 v /dev/hda4 losetup e aes256 S xxxxxx /dev/loop1 /dev/hda3 losetup e aes256 S xxxxxx /dev/loop2 /dev/hda4 mkswap /dev/loop1 mke2fs j /dev/loop2 Then create a script in the system startup directory and update fstab: cat > /etc/init.d/loop << "" #!/bin/sh if [ "`/usr/bin/md5sum /dev/hda1`"!= \ "5671cebdb3bed87c3b3c345f0101d016 /dev/hda1" ] then echo n "WARNING! hda1 integrity verification FAILED press enter." read fi echo "1st password chosen above" \ /sbin/losetup p 0 e aes256 S xxxxxx /dev/loop1 /dev/hda3 echo "2nd password chosen above" \ /sbin/losetup p 0 e aes256 S xxxxxx /dev/loop2 /dev/hda4 /sbin/swapon /dev/loop1 for i in `seq 0 63` do echo n e "\33[10;10]\33[11;10]" > /dev/tty$i done chmod 700 /etc/init.d/loop ln s../init.d/loop /etc/rcs.d/s00loop vi /etc/fstab... /dev/loop2 /home ext3 defaults 0 2 4. Final steps 8

5. About this HOWTO The Encrypted Root Filesystem HOWTO was first written in november 2002 for the Linux From Scratch project. I'd like to thank the many people who have since contributed to this document (in reverse chronological order): Micha Borrmann, Dennis Lemckert, Oleg Vyushin, Ellen Bokhorst, Daczi László, Gaetano Zappulla, Guillaume Lehmann, Claude Thomassin, Jean Philippe Guérard, Luc Vo Van, Jacobus Brink, Ernesto Pérez Estévez, Matthew Ploessel, Mike Lorek, Lars Bungum, Michael Shields, Julien Perrot, Grant Stephenson, Cary W. Gilmer, James Howells, Pedro Baez, Josh Purinton, Jari Ruusu and Zibeli Aton. This HOWTO has been translated in various languages: French Italian Hungarian Dutch Please send any comment to Christophe Devine. 5. About this HOWTO 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information