How to: get the whole system encrypted


Post by wuying_ren »

Updated on 13 Nov 2008: Made some minor corrections :D.
Updated on 25 Nov 2008: Made some more minor corrections :D.

Hi!

This is my first howto ever! First of all, I would like to make clear that all the work has been done by others and all the credit goes to them. This howto is just a little summary for those who get confused... or are too lazy :P Please check the links at the end of the post. The intro is mine, but almost all the steps of the howto are based on them.

I hope many people will find it useful. If you install Ubuntu from the alternate CD, the installer offers to encrypt the root filesystem. But if you use the desktop CD (a LiveCD, like Mint's) you don't have this option, and you can only encrypt a folder in your /home after installation. Fedora also lets you encrypt the whole system during installation... but we want to install Mint, don't we? :P

Some people think encryption is not necessary for the average user, but that's not true. If you lose your laptop, or if anyone steals it, the personal information on it (yes, last picnic pics included :twisted: ) can be used against you. Sometimes we don't realise that we don't protect some personal information at all. Think about it: how many times do you let your browser store your passwords so you don't have to remember them? Is the one for your bank's website among them? If someone uses your browser and "accidentally" gets to one of those sites... dangerous, huh? Well, maybe I'm getting paranoid... :roll:

Anyway, encryption is not the holy grail, especially while the computer is running: once the volumes are unlocked the key lives in RAM and the filesystems are open, so a screen lock is all that stands between a thief and your files. What disk encryption protects is data at rest. If anyone gets physical access to your computer, it is possible to take the hard drive and connect it to another computer, but if the cipher is good and the passphrase is strong enough, it will take years to decrypt it. Keep in mind, too, that /boot (kernel and initramfs) has to stay unencrypted in this setup, so someone with repeated physical access could tamper with it; encryption gives you confidentiality, not integrity.

OK, here is the recipe... I don't want to scare you. It has been tested on Felicia RC1, but it should work on older releases. It will also work if you are dual-booting, and also if your Windows partition is encrypted with TrueCrypt (the TrueCrypt bootloader can chainload partitions).

1 - First of all, make a backup of your data. Then boot your Mint LiveCD. Make sure you have an Internet connection; we need to install a package. Once at the desktop, open a terminal (press Alt+F2 and type "xterm") and run:

sudo apt-get install cryptsetup

2 - OK, now you should fill your hard disk with random data. This will destroy your partition scheme and all the data on the disk. To do this, type:

dd if=/dev/urandom of=/dev/sda bs=4M

Change sda to the name of the hard disk you want to use. Use sudo if needed. The command ends with a "No space left on device" error once it reaches the end of the disk; that is expected. It can take hours because random data has to be "prepared", so you can use /dev/zero instead, which fills the disk with zeros:

dd if=/dev/zero of=/dev/sda bs=4M

Be aware of the trade-off: encrypted data is indistinguishable from random bytes, so on a randomly filled disk nobody can tell how much of it is in use, whereas zeros clearly show which blocks hold ciphertext. Either way, the old plaintext is gone, which is the main point.

Now partition your hard drive as normal. Note that we need a separate /boot partition (about 50-100 MB) because it's not possible to boot from an encrypted partition. So, for example:
/dev/sda1 /boot
/dev/sda2 swap
/dev/sda3 /
/dev/sda4 /home
If you like your current partition scheme, just make room for /boot (if you don't have one yet) and run the dd commands above on each partition separately (of=/dev/sda3, of=/dev/sda4, ...) so you don't need to repartition.

3 - Now we need to load some kernel modules for the crypto... things to work:

sudo modprobe dm-crypt
sudo modprobe aes-i586

aes-i586 is the optimised AES module for 32-bit x86. On a 64-bit kernel load aes-x86_64 instead (aes_generic works on both).
4 - It's time to encrypt the / and /home partitions. Change XX to the correct values as needed and, please, CHECK THEM TWICE... I've lost my data lots of times. Also, don't use the same passphrase for both partitions. If you want, use a shorter passphrase for your /home partition. If you are afraid of forgetting them, use a sentence from a film, or a verse from a song... whatever lets you remember them without having to write them down on paper (NEVER do this). Passphrases should also be hard to guess: your name, your birthday or the names/birthdays of your family do not work here :P

sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sdXX

-c picks the cipher, -s the key size in bits, and -y makes cryptsetup ask for the passphrase twice so a typo doesn't lock you out. aes-cbc-essiv:sha256 was the recommended LUKS cipher when this was written; newer cryptsetup versions default to aes-xts-plain64 with -s 512, which is preferable if yours supports it. In our example we will do:

sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3

sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda4

Remember, /boot is not going to be encrypted. And the swap partition doesn't get luksFormat at all: it will be "dynamically" encrypted. I mean, in step 10 we will configure cryptsetup to set it up on every boot as a plain dm-crypt device with a fresh random key from /dev/urandom, so whatever was swapped out is unreadable after a reboot (the price is that hibernation to swap can't work with a random key). So just dd it!

5 - Now we have two encrypted containers: one in /dev/sda3 and one in /dev/sda4. Once luksFormat has finished, we must open them in order to format them. In our example:

sudo cryptsetup luksOpen /dev/sda3 croot

sudo cryptsetup luksOpen /dev/sda4 chome

"croot" and "chome" are just names; you can change them if you want. But remember them, they will be used later (in /etc/crypttab and /etc/fstab, where they must match exactly).

6 - Format them (mkfs.ext2 -j creates an ext3 filesystem; mkfs.ext3 does the same):

mkfs.ext2 -j /dev/mapper/croot
mkfs.ext2 -j /dev/mapper/chome

I warned you, "they will be used later".


7 - Install as normal. When the installer asks you about partitioning, select "Manual". In our example we set the mountpoints like this:
/dev/mapper/croot /
/dev/mapper/chome /home
/dev/sda1 /boot
Do nothing with /dev/sda2, /dev/sda3 and /dev/sda4: the installer must only see the mapper devices, never the raw encrypted partitions. If you have Windows partitions or others like /usr, /var, ... mount them as normal (if you want /usr, /var, ... to be encrypted, proceed as for / and /home).

Note for TrueCrypt users: if your Windows system partition is encrypted with TrueCrypt, remember to install GRUB to /boot rather than to the MBR. To do this, click "Advanced" on the last step of the installer and type /dev/sdXX (your /boot partition) in the "Install grub to..." field. In our example, we would type /dev/sda1.

Click "Install", and let it run.

8 - Once the installation has finished, tell the installer that you want to keep using the LiveCD. We need to do some more work.

Go back to the terminal and create a temporary mountpoint:

cd /mnt
sudo mkdir root

Mount your / and /boot partitions:

sudo mount -t ext3 /dev/mapper/croot /mnt/root
sudo mount -t ext2 /dev/sda1 /mnt/root/boot

And chroot into your new system:

sudo chroot /mnt/root

We need to mount proc, sys and /dev/pts for it to work properly:

mount -t proc proc /proc
mount -t sysfs sys /sys
mount -t devpts devpts /dev/pts

9 - Update apt's package lists and install cryptsetup and initramfs-tools:

apt-get update
apt-get install cryptsetup initramfs-tools
10 - Finally we need to set up some config files. Remember to change the partitions as needed.

nano /etc/crypttab

The fields are: mapper name, source device, key file, options.
cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap # sets up the swap partition at boot with a random key and runs mkswap on it
croot /dev/sda3 none luks
chome /dev/sda4 none luks

The mapper names (cswap, croot, chome) must be exactly the ones used in /etc/fstab below; a key file of "none" means the passphrase is asked for at boot.

nano /etc/fstab

Remove the swap line added by the installer and add this:
/dev/mapper/cswap none swap sw 0 0
/dev/mapper/croot / ext3 relatime,errors=remount-ro 0 1
/dev/mapper/chome /home ext3 relatime 0 2
The lines added by the installer for croot and chome didn't work for me. I think it's because of using UUIDs. So, don't use them.

nano /etc/initramfs-tools/modules

dm_mod
dm_crypt
sha256_generic
aes-i586

(On a 64-bit kernel put aes-x86_64 instead of aes-i586, or add aes_generic; the initramfs needs the same cipher modules you loaded in step 3.)
11 - Update your initramfs (-c creates a new image, -k all does it for every installed kernel):

update-initramfs -k all -c

12 - Unmount /dev/pts, /sys and /proc again inside the chroot (otherwise /mnt/root will be reported as busy later), exit the chroot environment (CTRL+D) and unmount /boot and /:

umount /mnt/root/boot
umount /mnt/root

13 - Reboot :D You may lose your usplash... I wonder if there's a solution for this...

Extra (get your /home partition mounted automatically when you log in): (credits to http://blog.gnist.org/article.php?story ... HomeUbuntu)

14 - Remove the chome entry from /etc/fstab.

15 - Change the chome entry in /etc/crypttab to:
chome /dev/sda4 none noauto,luks
(noauto is an option, so it goes in the fourth field; it makes the boot scripts skip this device and leaves it to pam_mount.)

16 - Install pam_mount:

sudo apt-get install libpam-mount

(Don't use sudo if you're still in the chroot session.)

17 - Update the config files as follows:

nano /etc/security/pam_mount.conf.xml (add this at the end of the file, before </pam_mount>)
<volume user="yourusername" fstype="crypt" path="/dev/sda4" mountpoint="/home" />
Note: don't forget to replace yourusername with... your username :P

nano /etc/pam.d/common-auth (add the line at the end of the file)
auth optional pam_mount.so use_first_pass
nano /etc/pam.d/common-session (add the line at the end of the file)
session optional pam_mount.so

use_first_pass makes pam_mount reuse the password you just typed at login as the LUKS passphrase, which is why the next step is needed. This ties the security of /home to your login password, so it has to be as strong as the passphrase you chose in step 4.

18 - Finally, change your user's password to match the passphrase you put on your encrypted /home partition:

sudo passwd <yourusername>

Now you will be asked for your / partition passphrase at early boot. Then you log on as normal with your new password and /home will be mounted for you automatically 8)

If it does not work for any of you, or you have questions, etc., just tell me. And I'm sure this howto is full of mistakes; tell me about them too :D

This Howto is based on information from:

http://blog.gnist.org/article.php?story ... HomeUbuntu
http://www.hacktimes.com/?q=node/48/print
https://help.ubuntu.com/community/Encry ... ystemHowto
https://help.ubuntu.com/community/Encry ... emLVMHowto
http://wiki.archlinux.org/index.php/LUKS_Encrypted_Root
https://help.ubuntu.com/community/Encry ... OnIntrepid
Last edited by wuying_ren on Tue Nov 25, 2008 5:30 pm, edited 7 times in total.
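Before rebooting in step 13 it is worth cross-checking the two files written in step 10, because a mapper name that differs between /etc/crypttab and /etc/fstab means the initramfs never creates the device fstab is waiting for, and the boot stops. The script below is an added example written for this thread, not code from wuying_ren's howto or from cryptsetup itself. It assumes the files follow the step-10 layout (crypttab: target, source, key file, options; fstab: device, mountpoint, ...), and the sample crypttab/fstab it generates are constructed test data mirroring the sda1-sda4 example, not copied from a real system.

```sh
#!/bin/sh
# Added example for this thread (not part of the howto): a pre-reboot sanity
# check for the /etc/crypttab and /etc/fstab written in step 10. It reports
#   * /dev/mapper/NAME used in fstab with no crypttab target NAME,
#   * crypttab targets opened at boot that fstab never mounts, and
#   * a /boot placed on an encrypted device (the bootloader cannot read it).
# Usage: check_crypt_layout /mnt/root/etc/crypttab /mnt/root/etc/fstab
# Prints one line per problem; returns non-zero if any were found.
check_crypt_layout() {
    crypttab=$1
    fstab=$2
    problems=0

    # crypttab "target source keyfile options" -> "target:options", space-joined.
    # A trailing "# comment" is harmless because only $1 and $4 are read.
    targets=$(awk '!/^[ \t]*#/ && NF >= 3 { o = (NF >= 4) ? $4 : ""; print $1 ":" o }' \
                  "$crypttab" | tr '\n' ' ')

    # fstab lines whose device is /dev/mapper/NAME -> "NAME:mountpoint", space-joined
    mapped=$(awk '!/^[ \t]*#/ && $1 ~ /^\/dev\/mapper\// {
                      sub("/dev/mapper/", "", $1); print $1 ":" $2 }' "$fstab" | tr '\n' ' ')

    # 1. Every mapper device fstab mounts must be a crypttab target.
    for entry in $mapped; do
        name=${entry%%:*}
        mnt=${entry#*:}
        case " $targets" in
            *" $name:"*) ;;
            *) echo "fstab mounts /dev/mapper/$name on $mnt but crypttab has no target '$name'"
               problems=$((problems + 1)) ;;
        esac
    done

    # 2. Every crypttab target opened at boot should be used by fstab.
    #    'noauto' targets (e.g. chome handed to pam_mount in the Extra section)
    #    are expected to have no fstab line.
    for entry in $targets; do
        name=${entry%%:*}
        opts=${entry#*:}
        case " $mapped" in
            *" $name:"*) ;;
            *) case "$opts" in
                   *noauto*) ;;
                   *) echo "crypttab target '$name' is opened at boot but never mounted in fstab"
                      problems=$((problems + 1)) ;;
               esac ;;
        esac
    done

    # 3. /boot must stay on a plain partition.
    boot=$(awk '!/^[ \t]*#/ && $2 == "/boot" { print $1 }' "$fstab")
    case "$boot" in
        /dev/mapper/*) echo "/boot is on $boot; the bootloader cannot open an encrypted /boot"
                       problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}

# Constructed sample files mirroring the howto's layout (sda1=/boot, sda2=swap,
# sda3=/, sda4=/home). Test data only, not copied from a real system.
make_sample() {
    cat > "$1/crypttab" <<'EOF'
cswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap # random-key swap
croot /dev/sda3 none luks
chome /dev/sda4 none luks
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/cswap none swap sw 0 0
/dev/mapper/croot / ext3 relatime,errors=remount-ro 0 1
/dev/mapper/chome /home ext3 relatime 0 2
/dev/sda1 /boot ext2 relatime 0 2
EOF
}

# Demo: the howto's layout passes; renaming the root target in crypttab only
# (the mistake twistx warns about later in the thread) is caught before reboot.
demo() {
    dir=$(mktemp -d)
    make_sample "$dir"
    check_crypt_layout "$dir/crypttab" "$dir/fstab" && echo "layout OK"
    sed 's/^croot /cryptroot /' "$dir/crypttab" > "$dir/crypttab.bad"
    check_crypt_layout "$dir/crypttab.bad" "$dir/fstab" || echo "layout broken; fix before rebooting"
    rm -rf "$dir"
}
demo
```

The function uses only awk and POSIX shell, so it runs from the LiveCD or inside the chroot before step 12. It deliberately accepts a crypttab target carrying noauto with no fstab line, which is exactly the state /home is in after the Extra section hands it over to pam_mount.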
wuying_ren

Re: How to: get the whole system encrypted

Post by wuying_ren »

Ah! And I forgot to mention that, if you want an extra piece of paranoia, you can create a file container with Truecrypt in your /home folder (or use the Ubuntu ~/Private method) and store important files there. But that's only for super-paranoid people :lol:
kristhor

Re: How to: get the whole system encrypted

Post by kristhor »

Hi and thanks for a good howto. It worked for me out of the box, aside from a couple of places where I needed to use sudo where it wasn't indicated. But I have a small problem. I have my system set up on an external USB drive, and to get a consistent boot I had to label the partitions and use those when passing the boot options in GRUB, because GRUB was very inconsistent about whether it liked /dev/sdb or /dev/sdf for the partitions, and I have no idea why it sometimes likes one over the other, but I solved that by labelling them. Now, after using your guide, I successfully managed to encrypt my system, but I don't get a consistent boot. Is there a way of getting a partition label to work with this?
Joejc

Re: How to: get the whole system encrypted

Post by Joejc »

What are the pros/cons of doing this?
kristhor

Re: How to: get the whole system encrypted

Post by kristhor »

of encrypting? or doing what I was doing?
Fred

Re: How to: get the whole system encrypted

Post by Fred »

wuying_ren,

Nice, straight forward how-to. It is something that is desired by many and will be appreciated.

I would like to comment on whole system encryption in general, however. What on your hard drive merits encryption? There is certainly nothing secret that merits protection about the Linux OS. After all, it can be downloaded for free. Nothing there to bother protecting, is there? The sensitive data you have on your system is what merits protection.

On a Windows system you need to encrypt the whole system because data is scattered all over the system. Linux on the other hand is structured differently. All data is located in the user's home directory. Or preferably on a different partition and just mounted in /home, /media, or /mnt.

On a Linux system it is pretty much impossible to maintain plausible deniability with whole system encryption. Don't you think it would look a little odd to have a computer with only a /boot partition showing on it?

Actually, I think it would be a more secure setup to have your Linux OS unencrypted, with encrypted containers containing your sensitive data that you could mount in your file system. That way it would look like a normal working system but nothing of interest would be available. You would have plausible deniability that there was anything else there at all, or encryption was even being used.

Just another point of view. :-)

Fred
kristhor

Re: How to: get the whole system encrypted

Post by kristhor »

That is a very interesting point and I agree, but if you just have, for example, / and /home on separate partitions and you encrypt only the /home partition, then you might have sensitive data in the /tmp directory, which is on /. I guess you could just have 3 partitions, /, /tmp and /home, and encrypt /tmp, /home and swap. Right? That would, I guess, solve my problem described above :)
Fred

Re: How to: get the whole system encrypted

Post by Fred »

kristhor,

None of your user data would ever wind up in /tmp or /var/tmp. Log files and system work files are generally all that is found there. If you are concerned about something ending up in /tmp or /var/tmp that would give away that you are using encryption, there is an easy solution.

tmpfs /tmp tmpfs size=512M,mode=1777 0 0

tmpfs /var/tmp tmpfs size=512M,mode=1777 0 0

tmpfs /var/log tmpfs size=512M,mode=1777 0 0

Put the above in your /etc/fstab file and you will be using RAM for these files. When you turn the system off all traces of your session activity will be gone. :-)

You might want to Google and learn a little bit about tmpfs and how it works.

Fred
walterav

Re: How to: get the whole system encrypted

Post by walterav »

Some questions after playing around with the ubuntu 9.04 alternate cd, and luks whole system encryption.

Why isn't the swap partition encrypted?
Is it possible to format the system partition to ext4 instead of ext2?
kristhor

Re: How to: get the whole system encrypted

Post by kristhor »

I have it set up on Gloria and works fine.
sharney

Re: How to: get the whole system encrypted

Post by sharney »

This works great. However, if you have a laptop and you want to use hibernate to disk, you can't, because the swap partition is encrypted with a random key. However, I found another howto at http://www.c3l.de/linux/howto-completly ... y-eft.html which helped me figure out how to fix this. Basically you make the swap partition like you do the other partitions, with a passphrase, but there are a few wrinkles.

first thing to do is to turn off the cswap with the randomized key and then recreate it with a passphrase:

daydreamnation local-top # swapoff /dev/mapper/cswap
daydreamnation local-top # cryptsetup luksClose /dev/mapper/cswap
daydreamnation local-top # cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda5

WARNING!
========
This will overwrite data on /dev/sda5 irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
daydreamnation local-top # cryptsetup luksOpen /dev/sda5 cswap
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
daydreamnation local-top # mkswap /dev/mapper/cswap
Setting up swapspace version 1, size = 1364460 KiB
no label, UUID=a32c044c-6924-451e-aea2-0aabc1203db9
daydreamnation local-top # swapon -a
daydreamnation local-top # swapon -s
Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       1364456 0       -1
Next you modify /etc/crypttab

# <target name> <source device>         <key file>      <options>
#cswap /dev/sda5 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap # this line auto-mounts the swap partition at boot and ciphers it with a random key
cswap /dev/sda5 none luks
croot /dev/sda7 none luks
Modify /usr/share/initramfs-tools/scripts/local-top/cryptroot

--- /home/sharn90/source/cryptroot.orig 2009-09-17 13:16:26.000000000 -0500
+++ cryptroot   2009-09-17 13:17:20.000000000 -0500
@@ -281,6 +281,7 @@
                        message "cryptsetup: unknown error setting up device mapping"
                        return 1
                fi
+               /sbin/cryptsetup luksOpen /dev/sda5 cswap
 
                FSTYPE=''
                eval $(fstype < "$NEWROOT")
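Review bot: the added `/sbin/cryptsetup luksOpen /dev/sda5 cswap` ignores its exit status, whereas the `if ... fi` block right above it prints a `message` and returns 1 when the root mapping fails; a mistyped passphrase here leaves /dev/mapper/cswap missing and the boot continues as if there were no resume device. Check the return code and report the failure the way the surrounding script does. The device is also hardcoded, and /usr/share/initramfs-tools/scripts/local-top/cryptroot belongs to the cryptsetup package, so the next package upgrade will silently overwrite this edit; the same one-liner in a script under /etc/initramfs-tools/scripts/local-top/ survives upgrades.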
I know this is lazy. There should be a way to modify it to use the graphical prompt and be dynamic, but this is simple and it works. It also means you'll have to turn off splash, which I do a little further down.

Edit /etc/acpi/hibernate.sh

--- /home/sharn90/source/hibernate.sh.orig      2009-09-17 13:39:28.000000000 -0500
+++ /etc/acpi/hibernate.sh      2009-09-17 13:18:49.000000000 -0500
@@ -32,6 +32,7 @@
 
 if [ -x /sbin/s2disk ]; then
     DEVICE="/dev/disk/by-uuid/`awk -F= '{print $3}' </etc/initramfs-tools/conf.d/resume`"
+    DEVICE="/dev/mapper/cswap"
     if [ -f /etc/usplash.conf ]; then
        . /etc/usplash.conf
        /sbin/s2disk -x "$xres" -y "$yres" $DEVICE
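Review bot: the new `DEVICE="/dev/mapper/cswap"` line overrides the preceding `DEVICE="/dev/disk/by-uuid/...` assignment immediately, leaving the awk line as dead code. Since the post also sets `RESUME=/dev/mapper/cswap` in conf.d/resume, that awk expression (`-F= '{print $3}'`) would yield an empty string for a value that is not `UUID=...` anyway, so either delete the old line or drop the override rather than keeping both. The mapper name is hardcoded and must match the crypttab target (cswap) exactly.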
Edit /etc/initramfs-tools/conf.d/resume to look like this:

RESUME=/dev/mapper/cswap
update initramfs

daydreamnation local-top # update-initramfs -u -k all -c
update-initramfs: Generating /boot/initrd.img-2.6.28-11-generic
Mount /boot so you can modify the defoptions value /boot/grub/menu.lst

 --- /home/sharn90/source/menu.lst.orig  2009-09-17 13:42:10.000000000 -0500
+++ /boot/grub/menu.lst 2009-09-17 13:27:13.000000000 -0500
@@ -81,7 +81,7 @@
 ## additional options to use with the default boot option, but not with the
 ## alternatives
 ## e.g. defoptions=vga=791 resume=/dev/hda5
-# defoptions=quiet splash
+# defoptions=quiet nosplash
 
 ## should update-grub lock old automagic boot options
 ## e.g. lockold=false
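Review bot: the `#` in front of `defoptions=` is deliberate: grub-legacy's update-grub parses `# defoptions=` as a directive, so editing the commented line is the right mechanism and a reader must not "uncomment" it. Note that this only changes the default entries' options; the `## e.g. defoptions=vga=791 resume=/dev/hda5` example just above shows the resume device could also be passed here, but the post sets it through conf.d/resume instead, so nothing more is needed in menu.lst.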
And update grub

daydreamnation local-top # update-grub
Searching for GRUB installation directory ... found: /boot/grub
Distro title is set to Linux Mint 7 Gloria
Searching for default file ... found: /boot/grub/default
Testing for an existing GRUB menu.lst file ... found: /boot/grub/menu.lst
Searching for splash image ... none found, skipping ...
Found kernel: /boot/vmlinuz-2.6.28-11-generic
Found kernel: /boot/memtest86+.bin
Updating /boot/grub/menu.lst ... done
At this point you can hibernate. When you boot you'll be prompted for two passphrases, the second is swap. You will see the system go to resume from hibernation via your swap partition
zenarcher

Re: How to: get the whole system encrypted

Post by zenarcher »

It would really be nice if we had an Alternate Install disk, as in Kubuntu/Ubuntu. Using the Alternate Install disk, full disk encryption has worked beautifully for me using this guide. Never been difficult at all:

http://kuparinen.org/martti/comp/ubuntu ... tolvm.html

Cheers,
zenarcher
gtech

Re: How to: get the whole system encrypted

Post by gtech »

I followed the guide word for word from a USB drive with Helena live boot. I start up the computer and there is just a cursor blinking in the upper left of the screen. Any ideas on why it isn't booting?
I have an extended partition with a 10 GB root, 12 GB not used, and a 124 GB home partition; all three are encrypted.

Strangely, every time I try to umount /dev/root/ at the end it says the drive is busy. Each time I just restarted anyway.
twistx

Re: How to: get the whole system encrypted

Post by twistx »

Confirming this guide works under Helena x64. Nice work wuying_ren.

A caveat in case others run into a problem I had with update-initramfs in step 11. Once you have chrooted into your new environment and are making edits to /etc/crypttab and /etc/fstab in step 10, the names you picked back in step 5 are still relevant. If these names differ, update-initramfs will fail and you most likely will not be able to boot your new system.

@alwyn
Chrooting to the newly installed system should happen after you have installed Mint and mounted your new filesystem under /mnt; at this point there is an environment to chroot to.

@gtech
The failure to boot with just a cursor blinking sounds like GRUB didn't install properly, perhaps to the wrong device, or not at all. Check those settings in wuying_ren's guide under step 7.
Second, the busy message you get trying to umount /mnt/root is because /proc, /sys, and /dev/pts are still mounted inside your chrooted environment. Before exiting the chroot, umount those 3 and then exit to umount /mnt/root. There should be no message.
Aevum

Re: How to: get the whole system encrypted

Post by Aevum »

Amazing guide, I'll try it out ASAP on my main PC!

Re: How to: get the whole system encrypted

Post by linuxviolin »

OK guys, all of this is very good and interesting, but first of all, why have a "whole system encrypted"? I don't suppose there are people here who administer one or more Linux servers for the NSA, the Army, the Department of Defense or something like that, nor a database server for a Swiss bank... :roll: :lol: Just simple guys with a personal computer for their simple usage... So, a "whole system encrypted"? Why? For the fun or the curiosity if you want, maybe, but that's all. It's like SELinux and other things like that, no need.
K.I.S.S. ===> "Keep It Simple, Stupid"
"Simplicity is the ultimate sophistication." (Leonardo da Vinci)
"Everything should be made as simple as possible, but no simpler." (Albert Einstein)
kristhor

Re: How to: get the whole system encrypted

Post by kristhor »

Well, the "simple" user, as you call him, might have his system on a laptop or even mobile on a USB hard drive, and even though it doesn't have stuff on it that's relevant to national security, he might have some personal stuff, or just doesn't like the idea of someone going through his system out of curiosity or for malicious reasons. And he might lose his disk or laptop, and even if he gets it back there can be no way of knowing if anyone has tinkered with it in the meantime. Maybe it's a little super-paranoid to have the whole system encrypted, probably enough to just have your home or parts of it, but the whole thing makes some people sleep better at night..... besides, it's fun :)
kristhor

Re: How to: get the whole system encrypted

Post by kristhor »

gtech wrote: I followed the guide word for word from a USB drive with Helena live boot. I start up the computer and there is just a cursor blinking in the upper left of the screen. Any ideas on why it isn't booting?
I have an extended partition with a 10 GB root, 12 GB not used, and a 124 GB home partition; all three are encrypted.

Strangely, every time I try to umount /dev/root/ at the end it says the drive is busy. Each time I just restarted anyway.

When that happens, go back into the chroot and unmount /proc, /sys and /dev/pts before exiting;
then you're able to unmount root.

Re: How to: get the whole system encrypted

Post by linuxviolin »

kristhor wrote:besides its fun :)
Ok, maybe... everyone amused as he can/wants :lol:

But I maintain my point of view. I don't think the personal stuff of a normal user are so important and secret that the system must be encrypted... But this is just my opinion! :D
twistx

Re: How to: get the whole system encrypted

Post by twistx »

Why not? That's what you should be asking yourself. Why compile a custom kernel when genkernel can do it for you? Why build a computer when you can buy one from Dell? Why run linux at all when windows is the more popular and widely used OS? You're certainly entitled to your opinion though.