Encrypted Root

From RockWiki

With this patch a new and easily extendable InitRD concept was introduced into ROCK (see Rock InitRD Concept). It also contained a plugin for the Device Mapper, which can be used to encrypt block devices in software.

This plugin can be used to encrypt almost any local filesystem on your machine: the root filesystem /, the swap space or anything else. The only filesystem that cannot be encrypted is the one holding your InitRD, usually /boot. Note that the filesystem has to exist already: the plugin encrypts an existing filesystem rather than creating a new one, so you can encrypt a filesystem at any time, not only at installation. Since the conversion works on the live data, make a backup before you start.

Prerequisites

  • You must use udev.
  • You need the device-mapper package installed.
  • You need the md5sum program installed.
  • You must have dm-crypt and aes-i586 configured as modules in your kernel.
  • You must have /boot on a non-encrypted partition.

Let's look at them one by one.

You must use udev.

First, check if you have the udev userspace part installed:

blindcoder@ceres:~$ mine -q udev
udev 050 0

If you don't have it installed, read Installing Packages on how to get the udev package onto your system.

Next, check if you have it activated:

root@ceres:~# stone -text

+---
|  Main Menu - Select the Subsystem you want to configure
+---

    1. Various general system configurations
    2. Kernel Drivers and Hardware Configuration
    3. Network Configuration
    4. SSH Daemon configuration
    5. X11/X.Org (Graphical User Interface)
    6. GRUB Boot Loader Setup
    7. LILO Boot Loader Setup
    8. Runlevel Configuration (Services)
    9. System Init Configuration
   10. Package Management (Install, Update and Remove)

> 2

+---
|  Kernel Drivers and Hardware Configuration
+---

    1. < > Use devfs /dev filesystem.
    2. <*> Use udev /dev filesystem.
    3. < > Use static /dev filesystem.

    4. < > Use hwscan to configure hardware.
    5. <*> Use hotplug to configure hardware.

    6. [ ] Use localtime instead of utc
    7. Set enhanced real time clock precision (2048)

>

Make sure that both hotplug and udev are checked.

You need the device-mapper package installed.

Check that the device-mapper userspace package is installed:

blindcoder@ceres:~$ mine -q device-mapper
device-mapper 1.01.01 0

You need the md5sum program installed.

md5sum is part of the coreutils package:

blindcoder@ceres:~$ mine -q coreutils
coreutils 5.2.1 0
blindcoder@ceres:~$ which md5sum
/usr/bin/md5sum

You must have dm-crypt and aes-i586 configured as modules in your kernel.

The linux package ships these modules. You only need to check this if you built your own kernel:

blindcoder@ceres:~$ find /lib/modules/`uname -r`/ -name dm-crypt.ko
/lib/modules/2.6.10-rock/kernel/drivers/md/dm-crypt.ko
blindcoder@ceres:~$ find /lib/modules/`uname -r`/ -name aes-i586.ko
/lib/modules/2.6.10-rock/kernel/arch/i386/crypto/aes-i586.ko

You must have /boot on a non-encrypted partition.

This one is important since the InitRD cannot reside on an encrypted filesystem: the boot loader has to read the kernel and the InitRD before any dm-crypt mapping exists. Supporting that would require in-kernel code, which is neither elegant nor worth the effort.

You can check this for example with the df command:

blindcoder@ceres:~$ df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/ide/host0/bus0/target0/lun0/part3
                       19G  6.5G   13G  35% /
/dev/ide/host0/bus0/target0/lun0/part1
                      119M   12M  101M  11% /boot
/dev/ide/host2/bus0/target0/lun0/part1
                      114G   93G   21G  82% /data

As you can see, /boot is a partition on the /dev/ide/host0/bus0/target0/lun0/part1 device. For reference, here is my partition table:

root@ceres:~# fdisk /dev/discs/disc0/disc

Command (m for help): p

Disk /dev/discs/disc0/disc: 20.4 GB, 20496236544 bytes
16 heads, 63 sectors/track, 39714 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

                Device Boot      Start         End      Blocks   Id  System
/dev/discs/disc0/part1               1         249      125464+  83  Linux
/dev/discs/disc0/part2             250        1242      500472   83  Linux
/dev/discs/disc0/part3            1243       39714    19389888   83  Linux

Command (m for help):
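The checks above can be scripted. The following is an added example and not part of this wiki page or of ROCK: a pre-flight check for the prerequisites listed above. The function names (mount_device, boot_is_separate, modules_present) are made up for the example; the mount table is passed in as text in /proc/mounts format so the same functions run against the constructed sample below (devfs device names taken from the df output above) or against the live system with "$(cat /proc/mounts)".

```sh
#!/bin/sh
# Added example, not code from the RockWiki page or from ROCK itself: a
# pre-flight check for the prerequisites of an encrypted root. The mount
# table is passed in as text (/proc/mounts format: "<device> <mountpoint>
# <fstype> ...") so the functions can be run against the constructed
# sample below, as main() does, or against the live /proc/mounts.

# mount_device MOUNTS MOUNTPOINT -> prints the device mounted at MOUNTPOINT
mount_device() {
    printf '%s\n' "$1" | while read -r dev mp _rest; do
        if [ "$mp" = "$2" ]; then
            printf '%s\n' "$dev"
            break
        fi
    done
}

# boot_is_separate MOUNTS -> succeeds when /boot is mounted from a device
# other than the root device. The InitRD lives there and the boot loader
# must read it before any dm-crypt mapping exists, so it can never be
# encrypted; if /boot is just a directory on / then / cannot be encrypted.
boot_is_separate() {
    root_dev=$(mount_device "$1" /)
    boot_dev=$(mount_device "$1" /boot)
    [ -n "$boot_dev" ] && [ "$boot_dev" != "$root_dev" ]
}

# modules_present MODDIR -> succeeds when dm-crypt.ko and an AES cipher
# module (aes-i586.ko on i386, aes.ko elsewhere) are found below MODDIR.
modules_present() {
    [ -n "$(find "$1" -name 'dm-crypt.ko' 2>/dev/null)" ] &&
    [ -n "$(find "$1" -name 'aes*.ko' 2>/dev/null)" ]
}

# Constructed sample mirroring the df output on the page (devfs names).
SAMPLE_MOUNTS='/dev/ide/host0/bus0/target0/lun0/part3 / ext3 rw 0 0
/dev/ide/host0/bus0/target0/lun0/part1 /boot ext2 rw 0 0
/dev/ide/host2/bus0/target0/lun0/part1 /data ext3 rw 0 0'

# Constructed counter-example: /boot is only a directory on /.
SAMPLE_MOUNTS_NOBOOT='/dev/ide/host0/bus0/target0/lun0/part3 / ext3 rw 0 0'

main() {
    mounts=${1:-$SAMPLE_MOUNTS}
    if boot_is_separate "$mounts"; then
        echo "ok:   /boot is on $(mount_device "$mounts" /boot), separate from /"
    else
        echo "FAIL: /boot must live on its own, unencrypted partition" >&2
    fi
    if command -v md5sum >/dev/null 2>&1; then
        echo "ok:   md5sum found at $(command -v md5sum)"
    else
        echo "FAIL: md5sum (coreutils) is missing" >&2
    fi
    if modules_present "/lib/modules/$(uname -r)"; then
        echo "ok:   dm-crypt and aes modules present"
    else
        echo "WARN: dm-crypt/aes modules not found for $(uname -r)" >&2
    fi
}

main "$@"
```

Run it without arguments to see the constructed sample pass the /boot check, or pass "$(cat /proc/mounts)" as the first argument to check the machine you are about to encrypt. The udev and device-mapper package checks are left to mine -q as shown above, since they are ROCK package queries rather than filesystem facts.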

Setting up encryption

To setup the encryption, start stone as superuser:

root@fuzzy:~# stone -text

+---
|  Main Menu - Select the Subsystem you want to configure
+---

    1. Various general system configurations
    2. Kernel Drivers and Hardware Configuration
    3. Network Configuration
    4. ROCK-Plug/Drivers Configuration
    5. SSH Daemon configuration
    6. X11/XFree86 (Graphical User Interface)
    7. (Re-)configure Desktop Environments
    8. DeviceMapper configuration (encrypted filesystems)
    9. EZ-Ipupdate Configuration (dyndns et al)
   10. GRUB Boot Loader Setup
   11. LILO Boot Loader Setup
   12. Runlevel Configuration (Services)
   13. System Init Configuration
   14. Package Management (Install, Update and Remove)

>

Here, select the DeviceMapper configuration.

+---
|  encrypted filesystems
+---

    1. Edit device /dev/ide/host0/bus0/target0/lun0/part3 (encrypted on /home)
    2. Edit device /dev/ide/host0/bus0/target0/lun0/part2 (swap on swap)
    3. Add new device

> 3

As you can see, I already have two encrypted filesystems on my machine. Let's examine them:

  • 1. Edit device /dev/ide/host0/bus0/target0/lun0/part3 (encrypted on /home)

This means I have my /home filesystem encrypted on the /dev/ide/host0/bus0/target0/lun0/part3 device.

  • 2. Edit device /dev/ide/host0/bus0/target0/lun0/part2 (swap on swap)

This means I have the swap space encrypted on the /dev/ide/host0/bus0/target0/lun0/part2 device. Encrypted swap is a special case that does not require you to enter a passphrase: a random key is picked at every boot, so the swap contents of the previous session are not recoverable. This is important because while the system is swapping, the passphrase used for encryption might be swapped out too, and you don't want it in plaintext on your hard disk.

Now, let's add another device to be encrypted. In this case, the root filesystem /:

+---
|  Please select the device to use
+---

    1. /dev/ide/host0/bus0/target0/lun0/disc
    2. /dev/ide/host0/bus0/target0/lun0/part1
    3. /dev/ide/host0/bus0/target0/lun0/part4

> 3

+---
|  Please enter mountpoint of /dev/ide/host0/bus0/target0/lun0/part4
+---

[ /data ] > /

+---
|  Please enter current state of /dev/ide/host0/bus0/target0/lun0/part4
+---

    1. is encrypted
    2. Decrypt
    3. Encrypt
    4. Encrypted Swap (read documentation)
    5. not encrypted

> 3

The five states mean the following:

  • 1. is encrypted

Use this for a filesystem that is already encrypted (see option 3 for how to get there). Starting with this patch, the initrd automatically adjusts itself to the new configuration.

  • 2. Decrypt

If you have an encrypted filesystem and want to decrypt it (for example before a kernel update you are not sure is flawless).

  • 3. Encrypt

If you have an unencrypted filesystem you want to encrypt, use this option.

  • 4. Encrypted Swap

If you have a swap partition you want encrypted, use this option. You should always do this if you have at least one encrypted normal filesystem; otherwise the passphrase and plaintext pages of that filesystem can end up unencrypted in swap.

  • 5. not encrypted

Use this option after you have decrypted a filesystem. Note: it is not necessary to add every device you have decrypted to this list. Note 2: if you have /boot on a separate partition, it IS necessary to add that partition here as 'not encrypted' (plain).

+---
|  encrypted filesystems
+---

    1. Edit device /dev/ide/host0/bus0/target0/lun0/part3 (encrypted on /home)
    2. Edit device /dev/ide/host0/bus0/target0/lun0/part2 (swap on swap)
    3. Edit device /dev/ide/host0/bus0/target0/lun0/part4 (encrypt on /)
    4. Add new device

> 

After you change anything in these options, the initrd is automatically recreated. Because dm-crypt in the initrd mounts your encrypted filesystems and enables your encrypted swap itself, init does not need to handle them while booting. Check that your encrypted partitions are commented out of /etc/fstab.
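The fstab check at the end is easy to forget for swap, which shows no visible error until init and the initrd both try to use the partition. The following is an added example and not part of this wiki page or of ROCK's stone/initrd code: it compares a list of dm-crypt managed devices with an fstab and prints the active (uncommented) lines that still refer to one of them. The list format "<device> <mountpoint> <state>" is an assumption made for the example (it mirrors what the stone menu displays; the real configuration file stone writes is not described here), and the state word "plain" stands for the "not encrypted" entry used for /boot.

```sh
#!/bin/sh
# Added example, not code from the RockWiki page or from ROCK's stone/initrd:
# a consistency check between the devices dm-crypt handles from the initrd
# and /etc/fstab. Once the initrd mounts or swapons a device, an active
# fstab line for the same device or mountpoint makes init try to use the
# raw, encrypted partition a second time.
#
# Assumption for this example: the dm-crypt device list is text of
# "<device> <mountpoint> <state>" lines, as displayed by the stone menu.
# State "plain" is the "not encrypted" entry used for /boot.

# fstab_conflicts ENCLIST FSTAB -> prints every active (uncommented) fstab
# line whose device or mountpoint is managed by dm-crypt.
fstab_conflicts() {
    printf '%s\n' "$2" | while read -r fs_dev fs_mp fs_rest; do
        # blank lines and comments are exactly what we want to see here
        case $fs_dev in ''|'#'*) continue ;; esac
        printf '%s\n' "$1" | while read -r enc_dev enc_mp enc_state; do
            [ -z "$enc_dev" ] && continue
            [ "$enc_state" = "plain" ] && continue
            if [ "$fs_dev" = "$enc_dev" ] || [ "$fs_mp" = "$enc_mp" ]; then
                printf '%s %s %s\n' "$fs_dev" "$fs_mp" "$fs_rest"
                break
            fi
        done
    done
}

# fstab_conflict_count ENCLIST FSTAB -> number of conflicting lines
fstab_conflict_count() {
    fstab_conflicts "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: the three devices from the stone menu above plus /boot.
ENCRYPTED='/dev/ide/host0/bus0/target0/lun0/part3 /home encrypted
/dev/ide/host0/bus0/target0/lun0/part2 swap swap
/dev/ide/host0/bus0/target0/lun0/part4 / encrypted
/dev/ide/host0/bus0/target0/lun0/part1 /boot plain'

# Constructed /etc/fstab: /home was commented out, swap was forgotten.
FSTAB='# /etc/fstab (constructed for this example)
/dev/ide/host0/bus0/target0/lun0/part1 /boot ext2 defaults 0 2
#/dev/ide/host0/bus0/target0/lun0/part3 /home ext3 defaults 0 2
/dev/ide/host0/bus0/target0/lun0/part2 swap swap defaults 0 0
proc /proc proc defaults 0 0'

main() {
    fstab=${1:-$FSTAB}
    if [ "$(fstab_conflict_count "$ENCRYPTED" "$fstab")" -eq 0 ]; then
        echo "ok: no dm-crypt managed device is still active in fstab"
    else
        echo "comment out these fstab lines, the initrd handles them now:" >&2
        fstab_conflicts "$ENCRYPTED" "$fstab" >&2
    fi
}

main "$@"
```

With the constructed sample the script reports the swap line only: /boot is listed as plain and therefore allowed, and the /home line is already a comment. To check a real machine, pass "$(cat /etc/fstab)" as the first argument and replace ENCRYPTED with the devices shown in the stone menu.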
