Gentoo Forums
[Tutorial] Quick Guide to setup an encrypted root partition
Yttrium (n00b, joined 22 Oct 2009, 29 posts, Germany)
Posted: Tue Feb 09, 2010 7:02 pm    Post subject: [Tutorial] Quick Guide to setup an encrypted root partition

Tutorial: Quick and easy Step-by-Step Guide to setup an encrypted root partition

This guide shows how to encrypt your root partition using simple password authentication. Of course you are free to modify it so that it fits your specific needs. You might want to use gpg encrypted keyfiles stored on an external USB drive for example. However this guide only covers password authentication at the moment as this should be sufficient for the majority of users.


0. System setup:
  • 1 single HDD /dev/hda
  • /dev/hda1 is the boot partition, which contains the bootloader, the kernel image (~2.7 MB) and the initial ramdisk (~1.6 MB).
  • /dev/hda2 will become our encrypted root partition.
1. We encrypt our partition using LUKS. In this example I use Twofish in plain XTS mode with a key size of 256 bits as cipher and SHA-512 as hash function. Remember to switch to the standard US keyboard layout before setting your password. Otherwise you might have a hard time entering your password when prompted at the boot screen. :twisted:
Code:
# --hash selects the PBKDF2 hash used for the LUKS key slots. A ":sha512" suffix on the
# cipher string is only meaningful for the essiv IV mode; dm-crypt's plain IV generator
# ignores it, so the hash has to be given as its own option.
# XTS splits --key-size in two: 256 here means 128-bit Twofish keys (use 512 for 256-bit).
# "plain" uses a 32-bit sector IV; on kernels >= 2.6.33 prefer plain64 for devices over 2 TiB.
cryptsetup -v --cipher twofish-xts-plain --key-size 256 --hash sha512 luksFormat /dev/hda2

Note: If cryptsetup isn't installed, follow steps 7-9 and return.

2. We open our new LUKS partition.
Code:
cryptsetup luksOpen /dev/hda2 root

3. We create a file system. For example ext4.
Code:
mkfs.ext4 /dev/mapper/root

4. Now that we've created a filesystem for the device /dev/mapper/root which transparently encrypts all data and finally writes it to the physical /dev/hda2 device, we can mount it like any other normal device.
Code:
mkdir -p /mnt/hda2 && mount -o noatime,nodiratime /dev/mapper/root /mnt/hda2

5. Now we are ready to install Gentoo, following the Gentoo Linux x86 Handbook. (This is the most time-consuming step perhaps ;))

6. We have to modify the line describing the root partition in /etc/fstab
Code:
/dev/mapper/root        /               ext4            rw,noatime,nodiratime   0 1

7. We have to create the initial ramdisk. We need to emerge busybox and cryptsetup. Optionally, if you want to use the latest (officially unstable) versions, type:
Code:
echo -e "sys-apps/busybox\nsys-fs/cryptsetup" >> /etc/portage/package.keywords

If the directory doesn't exist, create it with mkdir /etc/portage

8. We must enable the static use flag for busybox. To permanently activate it type:
Code:
echo "sys-apps/busybox static" >> /etc/portage/package.use

9. We emerge the two packages.
Code:
emerge -av busybox cryptsetup

10. We create a folder to store our ramdisk in. For example in the home folder of root.
Code:
mkdir -p /root/initramfs/bin

11. We copy busybox and cryptsetup to our newly created bin folder.
Code:
cp /sbin/cryptsetup /root/initramfs/bin/
cp /bin/busybox /root/initramfs/bin/

12. We need to create only one hard link (no need to create device nodes or anything else).
Code:
cd /root/initramfs/bin
ln busybox sh

13. Now we create the file /root/initramfs/init and fill it with the following short & sweet script.
Code:
#!/bin/sh
#####Author: scandium at lavabit.com#####

# busybox --install puts applets such as mdev and switch_root into /sbin as well
export PATH=/bin:/sbin
# The initramfs is almost empty: create the mount points we need
mkdir -p /new-root /sys /proc /sbin
mount -n -t sysfs sysfs /sys
mount -n -t proc proc /proc
# Create symlinks for all busybox applets (mount, mdev, switch_root, ...)
busybox --install -s
# Hand hotplug events to mdev and populate /dev from sysfs
echo /bin/mdev > /proc/sys/kernel/hotplug
mdev -s
# Pick up root=... from the kernel command line (set in the grub entry below).
# ${cmdline#root=} keeps values that contain '=' themselves (root=UUID=...),
# which "cut -d= -f2" would truncate.
for cmdline in $(cat /proc/cmdline); do
        case $cmdline in
                root=*) root=${cmdline#root=} ;;
        esac
done
# cryptsetup prompts for the LUKS passphrase here
cryptsetup luksOpen $root root
mount -n -o ro /dev/mapper/root /new-root
umount -n /sys /proc
exec switch_root /new-root /sbin/init

14. Don't forget to make the init script executable.
Code:
chmod +x /root/initramfs/init

WARNING: Don't run this script outside of the initial ramdisk at boot time. It will very likely damage your system if you execute it manually! It's not meant for that purpose. :twisted:

15. We mount our boot partition and create the ramdisk image on it.
Code:
mount /dev/hda1 /boot
cd /root/initramfs/
find . | cpio -o -H newc | gzip -9 > /boot/initramfs

16. Finally we have to modify our bootloader. I use grub 0.9x and the relevant part of my /boot/grub/menu.lst looks like:
Code:
title Gentoo linux-2.6.32-gentoo-r3 (LUKS, ext4, /dev/hda2)
root (hd0,0)
kernel /boot/linux-2.6.32-gentoo-r3 root=/dev/hda2
initrd /boot/initramfs

The kernel command line root=... tells the initial ramdisk which LUKS partition to mount.

17. Unmount everything, reboot and enjoy your encrypted root file system. :D
_________________
LILA - Live Iptables Log Analyzer
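For the /init script of step 13, here is an added example of a more defensive version (my own code, not the original poster's script). It keeps the same boot sequence, but reads root= with a parameter expansion so that values containing '=' (root=UUID=...) are not truncated the way `cut -d= -f2` truncates them, retries luksOpen three times on a mistyped passphrase and drops to a rescue shell instead of letting switch_root fail on an empty /new-root, and only runs the boot sequence when the shell is PID 1, which also covers the warning in step 14 about running the script by hand. It assumes the same initramfs layout as the guide, a static busybox and a static cryptsetup in /bin (a dynamically linked cryptsetup would also need its shared libraries copied in), /sbin on PATH because busybox installs applets such as mdev and switch_root there, and a busybox built with the findfs applet, which is only used when root= is given as UUID= or LABEL=.

```shell
#!/bin/sh
# Added example (not the original poster's script): a more defensive /init for the
# initramfs built in steps 10-15. Assumptions: same layout as the guide, static busybox
# and static cryptsetup in /bin, busybox built with the findfs applet (only needed for
# root=UUID=... or root=LABEL=...).

# Print the value of KEY=... from a kernel command line string. The last occurrence
# wins, as the kernel does for repeated parameters. ${arg#*=} strips only the first
# "KEY=", so values that themselves contain '=' (root=UUID=...) stay intact.
cmdline_get() {
    key=$1
    shift
    val=
    for arg in $*; do   # unquoted on purpose: split the command line into words
        case $arg in
            "$key"=*) val=${arg#*=} ;;
        esac
    done
    printf '%s\n' "$val"
}

# Run a command up to N times: retry N cmd args...
# cryptsetup returns non-zero on a wrong passphrase, so the user gets several
# attempts instead of a failing mount followed by a kernel panic.
retry() {
    tries=$1
    shift
    n=0
    while [ "$n" -lt "$tries" ]; do
        if "$@"; then
            return 0
        fi
        n=$((n + 1))
        echo "attempt $n of $tries failed" >&2
    done
    return 1
}

# The boot sequence itself. It is only invoked below when this shell is PID 1,
# which is true inside the initramfs and never when the file is run by hand.
init_main() {
    export PATH=/bin:/sbin
    mkdir -p /new-root /sys /proc /sbin
    mount -n -t sysfs sysfs /sys
    mount -n -t proc proc /proc
    busybox --install -s
    echo /bin/mdev > /proc/sys/kernel/hotplug
    mdev -s

    root=$(cmdline_get root "$(cat /proc/cmdline)")
    case $root in
        UUID=*|LABEL=*) root=$(findfs "$root") ;;   # busybox findfs applet, assumed present
    esac

    if [ -z "$root" ] || ! retry 3 cryptsetup luksOpen "$root" root; then
        echo "Could not unlock root device '$root'; dropping to a rescue shell." >&2
        exec sh
    fi

    mount -n -o ro /dev/mapper/root /new-root
    umount -n /sys /proc
    exec switch_root /new-root /sbin/init
}

if [ "$$" = 1 ]; then
    init_main
fi
```

Because init_main is never called unless the shell's PID is 1, the helper functions can be exercised on a normal system; inside the initramfs the whole file is installed as /init exactly as in step 13.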
dman777 (l33t, joined 10 Jan 2007, 916 posts)

Posted: Mon Mar 21, 2011 10:41 am

If there is no passphrase prompt or a keyfile with passphrase required, how does this data encryption help since anyone could boot up the pc or steal the hard drive and mount/read into the partition?
tomk (Bodhisattva, joined 23 Sep 2003, 7221 posts, Sat in front of my computer)

Posted: Mon Mar 21, 2011 10:43 am

Moved from Networking & Security to Documentation, Tips & Tricks as it fits better here.
_________________
Search | Read | Answer | Report | Strip
dman777 (l33t, joined 10 Jan 2007, 916 posts)

Posted: Mon Mar 21, 2011 11:59 pm

Kinda sux... I find threads in this forum that are old do not get replied to when they have been around for a while.
truc (Advocate, joined 25 Jul 2005, 3199 posts)

Posted: Tue Mar 22, 2011 3:45 am

dman777 wrote:
If there is no passphrase prompt

Code:
cryptsetup luksOpen $root root

cryptsetup will take care of that.
_________________
The End of the Internet!
marziods (Tux's lil' helper, joined 25 Jun 2009, 118 posts, <Roma>par lavor | Udine | Friul | Italie)

Posted: Sun Apr 03, 2011 10:23 am

Hi everybody,
Just a question: if I want just my home encrypted, what do I have to do?
tnx in advance
Marzio
_________________
linux user #493115