Encrypted Root
From RockWiki
With this patch, a new and easily extendable InitRD concept was introduced into ROCK (see Rock InitRD Concept). It also contains a plugin for the Device Mapper (dm-crypt) that can be used to encrypt block devices in software.
This plugin can be used to encrypt almost any local filesystem on your machine, be it the root filesystem /, the swap space or anything else. The only filesystem that cannot be encrypted is the one your InitRD lives on, usually /boot. Note that the filesystem to be encrypted has to exist already: the plugin encrypts an existing filesystem in place, so you can encrypt a filesystem at any time after installation. Back up the filesystem before you encrypt it in place; an interrupted in-place conversion leaves it in an unusable state.
Prerequisites
- You must use udev.
- You need the device-mapper package installed.
- You need the md5sum program installed.
- You must have dm-crypt and aes-i586 configured as modules in your kernel.
- You must have /boot on a non-encrypted partition.
Let's look at them one by one.
You must use udev.
First, check if you have the udev userspace part installed:
blindcoder@ceres:~$ mine -q udev
udev 050 0
If you don't have it installed, read Installing Packages on how to get the udev package onto your system.
Next, check if you have it activated:
root@ceres:~# stone -text
+---
| Main Menu - Select the Subsystem you want to configure
+---
1. Various general system configurations
2. Kernel Drivers and Hardware Configuration
3. Network Configuration
4. SSH Daemon configuration
5. X11/X.Org (Graphical User Interface)
6. GRUB Boot Loader Setup
7. LILO Boot Loader Setup
8. Runlevel Configuration (Services)
9. System Init Configuration
10. Package Management (Install, Update and Remove)
> 2
+---
| Kernel Drivers and Hardware Configuration
+---
1. < > Use devfs /dev filesystem.
2. <*> Use udev /dev filesystem.
3. < > Use static /dev filesystem.
4. < > Use hwscan to configure hardware.
5. <*> Use hotplug to configure hardware.
6. [ ] Use localtime instead of utc
7. Set enhanced real time clock precision (2048)
>
Make sure that both hotplug and udev are checked.
You need the device-mapper package installed.
Check that the device-mapper userspace package is installed:
blindcoder@ceres:~$ mine -q device-mapper
device-mapper 1.01.01 0
You need the md5sum program installed.
md5sum is part of the coreutils package:
blindcoder@ceres:~$ mine -q coreutils
coreutils 5.2.1 0
blindcoder@ceres:~$ which md5sum
/usr/bin/md5sum
You must have dm-crypt and aes-i586 configured as modules in your kernel.
The linux package comes with these modules. You only need to take care in case you built your own kernel:
blindcoder@ceres:~$ find /lib/modules/`uname -r`/ -name dm-crypt.ko
/lib/modules/2.6.10-rock/kernel/drivers/md/dm-crypt.ko
blindcoder@ceres:~$ find /lib/modules/`uname -r`/ -name aes-i586.ko
/lib/modules/2.6.10-rock/kernel/arch/i386/crypto/aes-i586.ko
You must have /boot on a non-encrypted partition.
This one is important, since the InitRD cannot reside on an encrypted filesystem: the boot loader has to read the kernel and the InitRD before any decryption code is running at all. Moving that code into the kernel itself would be neither elegant nor worth the effort.
You can check this, for example, with the df command:
blindcoder@ceres:~$ df -h
Filesystem                              Size  Used Avail Use% Mounted on
/dev/ide/host0/bus0/target0/lun0/part3   19G  6.5G   13G  35% /
/dev/ide/host0/bus0/target0/lun0/part1  119M   12M  101M  11% /boot
/dev/ide/host2/bus0/target0/lun0/part1  114G   93G   21G  82% /data
As you can see, /boot is its own partition on the /dev/ide/host0/bus0/target0/lun0/part1 device, separate from /. For reference, here is my partition table:
root@ceres:~# fdisk /dev/discs/disc0/disc

Command (m for help): p

Disk /dev/discs/disc0/disc: 20.4 GB, 20496236544 bytes
16 heads, 63 sectors/track, 39714 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

                 Device Boot      Start         End      Blocks   Id  System
/dev/discs/disc0/part1               1         249      125464+  83  Linux
/dev/discs/disc0/part2             250        1242      500472   83  Linux
/dev/discs/disc0/part3            1243       39714    19389888   83  Linux

Command (m for help):
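The checks above, collected into one script. This is an added example, not part of the original page or of the ROCK plugin. The ROCK-specific package queries (mine -q) are left as shown above; the script covers the kernel modules, the md5sum binary and the /boot layout. The module directory and the mounts table are passed in as parameters, so the same functions run against /lib/modules/$(uname -r) and /proc/mounts on a live system or against constructed input; the devfs-style device names in the comments are taken from the df output above and are assumptions about your layout.

```shell
#!/bin/sh
# Added example: prerequisite checks for encrypting the root filesystem.
# Not the ROCK plugin's code. Paths and device names are assumptions.

# have_module MODDIR NAME: is NAME.ko present anywhere below MODDIR?
have_module() {
    [ -n "$(find "$1" -name "$2.ko" 2>/dev/null | head -n 1)" ]
}

# dev_of MOUNTS MOUNTPOINT: the device mounted at MOUNTPOINT in a
# /proc/mounts-style table (fields: device mountpoint fstype options ...).
dev_of() {
    awk -v mp="$2" '$2 == mp { print $1; exit }' "$1"
}

# boot_is_separate MOUNTS: /boot must be its own mount on a different
# device from /, because the InitRD cannot live on an encrypted root.
# (e.g. /dev/ide/host0/bus0/target0/lun0/part1 for /boot, part3 for /)
boot_is_separate() {
    root_dev=$(dev_of "$1" /)
    boot_dev=$(dev_of "$1" /boot)
    [ -n "$root_dev" ] && [ -n "$boot_dev" ] && [ "$boot_dev" != "$root_dev" ]
}

# check_prereqs MODDIR MOUNTS: run every check, print one line per check,
# return 0 only if all of them pass.
check_prereqs() {
    rc=0
    for m in dm-crypt aes-i586; do
        if have_module "$1" "$m"; then
            echo "ok   module $m"
        else
            echo "FAIL module $m not found below $1"
            rc=1
        fi
    done
    if command -v md5sum >/dev/null 2>&1; then
        echo "ok   md5sum"
    else
        echo "FAIL md5sum not installed (coreutils)"
        rc=1
    fi
    if boot_is_separate "$2"; then
        echo "ok   /boot is a separate partition"
    else
        echo "FAIL /boot must be a separate, unencrypted partition"
        rc=1
    fi
    return $rc
}

# Run against the live system only when asked for explicitly.
if [ "${1:-}" = "--live" ]; then
    check_prereqs "/lib/modules/$(uname -r)" /proc/mounts
fi
```

Run it with --live on the machine you intend to encrypt; a non-zero exit status means at least one prerequisite is missing. The module check deliberately searches the whole module tree rather than fixed paths, since a self-built kernel may place dm-crypt.ko elsewhere.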
Setting up encryption
To set up the encryption, start stone as superuser:
root@fuzzy:~# stone -text
+---
| Main Menu - Select the Subsystem you want to configure
+---
1. Various general system configurations
2. Kernel Drivers and Hardware Configuration
3. Network Configuration
4. ROCK-Plug/Drivers Configuration
5. SSH Daemon configuration
6. X11/XFree86 (Graphical User Interface)
7. (Re-)configure Desktop Environments
8. DeviceMapper configuration (encrypted filesystems)
9. EZ-Ipupdate Configuration (dyndns et al)
10. GRUB Boot Loader Setup
11. LILO Boot Loader Setup
12. Runlevel Configuration (Services)
13. System Init Configuration
14. Package Management (Install, Update and Remove)
>
Here, select the DeviceMapper configuration.
+---
| encrypted filesystems
+---
1. Edit device /dev/ide/host0/bus0/target0/lun0/part3 (encrypted on /home)
2. Edit device /dev/ide/host0/bus0/target0/lun0/part2 (swap on swap)
3. Add new device
> 3
As you can see, I already have two encrypted filesystems on my machine. Let's examine them:
- 1. Edit device /dev/ide/host0/bus0/target0/lun0/part3 (encrypted on /home)
This means I have my /home filesystem encrypted on the /dev/ide/host0/bus0/target0/lun0/part3 device
- 2. Edit device /dev/ide/host0/bus0/target0/lun0/part2 (swap on swap)
This means I have the swap space encrypted on the /dev/ide/host0/bus0/target0/lun0/part2 device. Encrypted swap is a special case that does not require you to enter a passphrase: a random key is generated at every boot, so whatever was swapped out during earlier boots is unrecoverable. This matters because when the system is swapping, the passphrase or key material used for your other encrypted filesystems may be swapped out too, and you do not want that in plaintext on your hard disk. The flip side is that a swap partition keyed this way cannot be used for suspend-to-disk: the image written before shutdown cannot be read back with the next boot's key.
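What "a random key at every boot" amounts to at the device-mapper level, as an added illustration; this is not the ROCK initrd plugin's own code, and the plugin may well do it differently. Assumptions: a 256-bit AES key in aes-cbc-essiv:sha256 mode (the kernel has to provide the aes and sha256 ciphers), the swap partition from the menu above as the device, and blockdev from util-linux to read the partition size in 512-byte sectors.

```shell
#!/bin/sh
# Added example: set up swap on dm-crypt with a key that exists only for
# this boot. Not the ROCK plugin's code; cipher spec, key size and the
# device name are assumptions.

# random_key_hex BYTES: BYTES of kernel randomness as one line of lowercase
# hex with no spaces. 32 bytes is a 256-bit AES key.
random_key_hex() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# key_is_valid KEYHEX BITS: exactly BITS/4 hex digits, nothing else.
key_is_valid() {
    want=$(( $2 / 4 ))
    [ ${#1} -eq "$want" ] && [ -z "$(printf '%s' "$1" | tr -d '0-9a-f')" ]
}

# swap_crypt_table DEVICE SECTORS KEYHEX: one dm-crypt table line in the
# form "start length crypt cipher key iv_offset device offset".
swap_crypt_table() {
    printf '0 %s crypt aes-cbc-essiv:sha256 %s 0 %s 0\n' "$2" "$3" "$1"
}

# setup_encrypted_swap DEVICE NAME: create the mapping, put a swap
# signature on it and enable it. Needs root and a real block device, so it
# is only run when invoked explicitly. The key is never written anywhere:
# it lives in the kernel's mapping table and in this shell until exit.
setup_encrypted_swap() {
    dev=$1
    name=$2
    sectors=$(blockdev --getsz "$dev")
    key=$(random_key_hex 32)
    key_is_valid "$key" 256 || { echo "bad key material" >&2; return 1; }
    # Table on stdin, not --table, so the key is not visible in ps output.
    swap_crypt_table "$dev" "$sectors" "$key" | dmsetup create "$name"
    mkswap "/dev/mapper/$name" >/dev/null
    swapon "/dev/mapper/$name"
}

# Example invocation for the partition from the menu above (assumed):
if [ "${1:-}" = "--apply" ]; then
    setup_encrypted_swap /dev/ide/host0/bus0/target0/lun0/part2 cryptswap
fi
```

The mapping cannot be re-created after a reboot because nothing remembers the key, which is exactly the point, and is also why such a swap partition cannot hold a suspend-to-disk image. Passing the table on standard input rather than via --table keeps the key out of the process argument list, where any local user could read it.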
Now, let's add another device to be encrypted. In this case, the root filesystem /:
+---
| Please select the device to use
+---
1. /dev/ide/host0/bus0/target0/lun0/disc
2. /dev/ide/host0/bus0/target0/lun0/part1
3. /dev/ide/host0/bus0/target0/lun0/part4
> 3
+---
| Please enter mountpoint of /dev/ide/host0/bus0/target0/lun0/part4
+---
[ /data ] > /
+---
| Please enter current state of /dev/ide/host0/bus0/target0/lun0/part4
+---
1. is encrypted
2. Decrypt
3. Encrypt
4. Encrypted Swap (read documentation)
5. not encrypted
> 3
There are five different states to choose from:
- 1. is encrypted
Use this for a filesystem that is already encrypted (see option 3 for how to get there). Since this patch, the initrd adjusts itself automatically to the new configuration.
- 2. Decrypt
Use this if you have an encrypted filesystem and want to decrypt it again (for example before a kernel update you are not sure will work).
- 3. Encrypt
If you have an unencrypted filesystem you want to encrypt, use this option.
- 4. Encrypted Swap
If you have a swap partition you want encrypted, use this option. Do this whenever you have at least one encrypted normal filesystem: otherwise pages from that filesystem, and the key material protecting it, can be written to the swap partition in plaintext.
- 5. not encrypted
Use this option after you have decrypted a filesystem. Note: it is not necessary to add every device you have decrypted to this list. Note 2: if you have /boot on a separate partition, it IS necessary to add that partition here as 'plain', i.e. with this 'not encrypted' state.
+---
| encrypted filesystems
+---
1. Edit device /dev/ide/host0/bus0/target0/lun0/part3 (encrypted on /home)
2. Edit device /dev/ide/host0/bus0/target0/lun0/part2 (swap on swap)
3. Edit device /dev/ide/host0/bus0/target0/lun0/part4 (encrypt on /)
4. Add new device
>
After you change anything in these options, the initrd is automatically recreated. Because the dm-crypt plugin in the initrd sets up and mounts (or swapons) the encrypted partitions itself, the normal init does not need to handle them while booting. Check that your encrypted partitions are commented out in /etc/fstab; otherwise init will try to mount the raw, still-encrypted device a second time.
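A check for that last point, as an added example (not the page's own code; the fstab path and the constructed sample are assumptions): list any fstab line that is still active for a device the initrd now handles itself. Commented and blank lines are skipped, so a device that was correctly disabled with a leading # is not reported.

```shell
#!/bin/sh
# Added example: find encrypted devices that are still active in fstab.
# Not the ROCK plugin's code; paths and device names are assumptions.

# fstab_active_lines FSTAB DEVICE: print the uncommented lines of FSTAB
# whose first field is DEVICE (a leading '#', with or without whitespace
# before it, disables a line).
fstab_active_lines() {
    awk -v dev="$2" '!/^[[:space:]]*#/ && NF > 0 && $1 == dev' "$1"
}

# fstab_clean_for FSTAB DEVICE...: return 0 if none of the devices has an
# active entry in FSTAB, otherwise print each offender and return 1.
fstab_clean_for() {
    f=$1
    shift
    rc=0
    for d in "$@"; do
        if [ -n "$(fstab_active_lines "$f" "$d")" ]; then
            echo "still active in $f: $d"
            rc=1
        fi
    done
    return $rc
}

# Example invocation for the two devices from the menu above (assumed):
if [ "${1:-}" = "--check" ]; then
    fstab_clean_for /etc/fstab \
        /dev/ide/host0/bus0/target0/lun0/part3 \
        /dev/ide/host0/bus0/target0/lun0/part2 \
        /dev/ide/host0/bus0/target0/lun0/part4
fi
```

Run it with --check after every change in the stone DeviceMapper menu; a non-zero exit status means an entry still needs to be commented out before the next reboot.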