howto: install (k)ubuntu with encrypted root and swap
Andreas Jellinghaus
aj at leogic.com
Tue Jun 20 10:55:38 BST 2006
Hi,
I wrote a howto for installing (k)ubuntu with encrypted root and swap
partitions. Can anyone suggest a good place/wiki where I can put this?
Also I would like to write a spec for proposing that this can be done
with the default installer. Can someone recommend a place where I can
put such a spec?
The howto might look complicated, but essentially we do all the steps the
normal installer would do, except generating keys, setting up the crypt
layer, and configuring mkinitramfs to be able to decrypt the partitions
during boot.
The method used in this howto is neither luks nor cryptsetup for a good
reason:
- cryptsetup uses a hashed password as key. thus you can't ever change
the password on a partition which is bad.
- luks uses some space at the beginning of the partition for metadata
and stores passwords in it. the good part is that it can manage a number
of passwords and the passwords can be changed, as they are independent
from the key the kernel uses.
in this howto instead an rsa key is generated and the private key is
protected by a passphrase. that passphrase can be simply changed. the
real partition keys are random numbers and are stored encrypted with the
rsa key. this concept has the benefit that the rsa key could be as well
on a smart card. I have a working debian based initramfs doing this,
and will port it to ubuntu mkinitramfs mechanism later.
Encrypting valuable data is very important for many companies, and it feels
a lot better if the whole filesystem is encrypted, not only some partitions
(e.g. home - what if you start using some webserver, database etc.).
Of course a full encryption of root and swap has significant impact on
latency for reading/writing and increased cpu usage for that. But for
normal desktop it is not a big deal, but if you copy hundreds of MB of
data you will notice it.
Still I think it would be great to have this option available in a default
installation of (k)ubuntu. Help to get this HOWTO cleaned up and put into
an appropriate place in some wiki as well as help with writing and
submitting a spec for the next ubuntu version is very much appreciated.
Thanks, Andreas
How to install Ubuntu encrypted
===============================
1.) Boot from desktop CD
Download this text to the ubuntu system, so you can cut and paste.
Open in vi (not less, with less you get cut&paste problems on lone
lines).
2.) Start an xterm
3.) Get a root shell
sudo bash
4.) load dm-crypt
modprobe dm-crypt
5.) Partition the system
cfdisk /dev/sda
# or /dev/hda
Create three partitions:
first partition: linux, 100mb, bootable (/boot)
second partition: linux, what you prefer (2GB?) (swap)
third partition: root, rest of the disk
(or leave space - however you prefer)
Do not set the second partition to swap, as ubuntu will automatically
enable it and thus cause problems.
In this document we will assume:
/dev/sda1 /boot partition
/dev/sda2 swap partition
/dev/sda3 root partition
6.) Create crypto keys in /tmp (tmpfs, never written anywhere)
cd /tmp
openssl genrsa -aes256 -out privkey.pem 2048
dd if=/dev/urandom of=swapkey bs=32 count=1
dd if=/dev/urandom of=rootkey bs=32 count=1
openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt
openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt
rm swapkey rootkey
SWAPKEY=`openssl rsautl -in swapkey.enc -decrypt -inkey privkey.pem \
| hexdump -e '"" 32/1 "%02x" "\n"'`
ROOTKEY=`openssl rsautl -in rootkey.enc -decrypt -inkey privkey.pem \
| hexdump -e '"" 32/1 "%02x" "\n"'`
echo 0 `blockdev --getsize /dev/sda2` crypt aes-cbc-essiv:sha256 \
$SWAPKEY 0 /dev/sda2 0 |dmsetup create swap
echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \
$ROOTKEY 0 /dev/sda3 0 |dmsetup create root
7.) Create filesystems
mkfs.ext3 /dev/sda1 # /boot
mkswap /dev/mapper/swap # swap
mkfs.ext3 /dev/mapper/root # root
8.) Mount filesystems
mount /dev/mapper/root /mnt
mkdir /mnt/boot
mount /dev/sda1 /mnt/boot
9.) Download ar and debootstrap
cd /tmp
mkdir download
cd download
wget http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1cvs20060117-1ubuntu2.1_i386.deb
wget http://de.archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_0.3.3.0ubuntu2_all.deb
dpkg -x binutils*deb x
dpkg -x debootstrap*deb x
10.) install dapper on the crypto root
export LD_LIBRARY_PATH=/tmp/download/x/usr/lib
export PATH=/tmp/download/x/usr/bin:$PATH
export DEBOOTSTRAP_DIR=/tmp/download/x/usr/lib/debootstrap
/tmp/download/x/usr/sbin/debootstrap dapper /mnt http://de.archive.ubuntu.com/ubuntu/
11.) create an fstab in the chroot
chroot /mnt
vi /etc/fstab
/dev/sda1 /boot ext3 defaults
/dev/mapper/root / ext3 defaults
/dev/mapper/swap swap swap defaults
none /proc proc defaults
none /proc/bus/usb usbfs defaults
none /sys sysfs defaults
none /dev/shm tmpfs defaults
none /dev/pts devpts defaults
12.) create an apt config file in the chroot
chroot /mnt
vi /etc/apt/sources.list
deb http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
deb http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted
13.) update packages, install dselect and kubuntu-desktop
chroot /mnt
apt-get update
apt-get upgrade
apt-get install grub linux-image-686 dmsetup bsdmainutils wipe
apt-get install kubuntu-desktop
13.) configure initramfs-tools for crypt root and swap
chroot /mnt
cd /etc/mkinitramfs
echo dm-crypt >> modules
echo aes >> modules
echo sha256 >> modules
vi hooks/cryptroot (copy till EOF)
#!/bin/sh
. /usr/share/initramfs-tools/hook-functions
mkdir -p ${DESTDIR}/boot
mkdir -p ${DESTDIR}/sbin
mkdir -p ${DESTDIR}/usr/bin
cp -p /boot/privkey.pem /boot/rootkey.enc /boot/swapkey.enc ${DESTDIR}/boot
copy_exec /sbin/blockdev /sbin
copy_exec /sbin/dmsetup /sbin
copy_exec /usr/bin/openssl /usr/bin
copy_exec /usr/bin/hexdump /usr/bin
EOF
chmod +x hooks/cryptroot
vi scripts/local-top/cryptroot (copy till EOF)
#!/bin/sh
PREREQ="udev"
# Output pre-requisites
prereqs()
{
echo "$PREREQ"
}
case "$1" in
prereqs)
prereqs
exit 0
;;
esac
modprobe aes
modprobe sha256
modprobe dm-crypt
echo "Waiting for crypted root device..."
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "/dev/sda3" ]; do
/bin/sleep 0.1
slumber=$(( ${slumber} - 1 ))
done
while test -z "$ROOTKEY"
do
ROOTKEY=`openssl rsautl -in /boot/rootkey.enc -decrypt \
-inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 \
|hexdump -e '"" 32/1 "%02x" "\n"'`
done
SECTORS=`blockdev --getsize /dev/sda3`
echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $ROOTKEY 0 /dev/sda3 0 \
|dmsetup create root
echo "Waiting for crypted swap device..."
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "/dev/sda2" ]; do
/bin/sleep 0.1
slumber=$(( ${slumber} - 1 ))
done
while test -z "$SWAPKEY"
do
SWAPKEY=`openssl rsautl -in /boot/swapkey.enc -decrypt \
-inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 \
|hexdump -e '"" 32/1 "%02x" "\n"'`
done
SECTORS=`blockdev --getsize /dev/sda2`
echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $SWAPKEY 0 /dev/sda2 0 \
|dmsetup create swap
EOF
chmod +x scripts/local-top/cryptroot
14.) put the crypto keys in place and create a new initramfs
mv /tmp/privkey.pem /tmp/swapkey.enc /tmp/rootkey.enc /mnt/boot/
chroot /mnt
update-initramfs -u
15.) install grub
chroot /mnt
update-grub
apt-get install kubuntu-grub-splashimages
cd /boot/grub
cp /lib/grub/i386-pc/* .
grub
root (hd0,0)
setup (hd0)
quit
16.) configure grub
vi /boot/grub/menu.lst
# add "acpi=off"
# change "root=/dev/mapper/root"
* splash (hd0,0)/grub/splashimages/kubuntugood.xpm.gz
* timeout 15
* default 0
(remove all the other crap)
(remove all "savedefault" lines)
(remove splash as you want a console to enter your password)
16.) finish installation, reboot
umount /mnt/boot
fuser -k /mnt
umount /mnt
sync
ctrl-alt-del -> reboot
Tools
=====
1.) change password on rsa key
su root
cd /boot
openssl rsa -in privkey.pem -out privkey.new.pem -aes256
wipe privkey.pem
mv privkey.new.pem privkey.pem
update-initramfs -u
2.) replace rsa key
su root
cd /tmp
openssl rsautl -in /boot/rootkey.enc -inkey /boot/privkey.pem \
-decrypt -out rootkey
openssl rsautl -in /boot/swapkey.enc -inkey /boot/privkey.pem \
-decrypt -out swapkey
openssl genrsa -aes256 -out privkey.pem 2048
openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt
openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt
rm swapkey rootkey
mv swapkey.enc rootkey.enc privkey.pem /boot/
update-initramfs -u
3.) recover with bootcd
* boot kubuntu cd
* start xterm
sudo bash
mount /dev/sda1 /mnt
echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \
`openssl rsautl -in /mnt/rootkey.enc -decrypt -inkey \
/mnt/privkey.pem |hexdump -e '"" 32/1 "%02x" "\n"'` \
0 /dev/sda3 0 | dmsetup create root
umount /mnt/
mount /dev/mapper/root /mnt
mount /dev/sda1 /mnt/boot
chroot /mnt
...
update-initramfs -u
umount /mnt/boot
umount /mnt
sync
* ctrl-alt-del -> reboot
Other changes
=============
1.) set root password
* boot
* switch to text console
* login as "root" (no password)
shadowconfig on
passwd root
2.) create user
adduser user
vigr
# add user to dialout, fax, voice, cdrom, floppy, sudo, audio,
# video, scanner, scard
fi
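
Added example (not part of the original post or the author's scripts): the key hierarchy from step 6 and the passphrase change from Tools item 1, run on throwaway files to show that re-encrypting the RSA key leaves the wrapped partition key untouched, and that a failed unwrap is rejected before a table line is built. Assumptions: `openssl pkeyutl` stands in for the post's `rsautl`, `od` for `hexdump`, and the function names and passphrases are constructed for the demo.

```shell
#!/bin/sh
# Added example: the howto's key hierarchy on throwaway files. No block device
# is touched and dmsetup is never called. Passphrases on the command line are
# acceptable only for a demo with constructed values like these.

# Create a passphrase-protected RSA key and a wrapped random 32-byte key.
# The plaintext key is piped from /dev/urandom into openssl, never to disk.
make_wrapped_key() {  # usage: make_wrapped_key <dir> <passphrase>
    ( umask 077
      openssl genrsa -aes256 -passout "pass:$2" -out "$1/privkey.pem" 2048 \
          2>/dev/null || exit 1
      dd if=/dev/urandom bs=32 count=1 2>/dev/null |
          openssl pkeyutl -encrypt -inkey "$1/privkey.pem" -passin "pass:$2" \
              -out "$1/rootkey.enc" )
}

# Re-encrypt the RSA private key under a new passphrase (Tools, item 1).
change_passphrase() {  # usage: change_passphrase <pem> <old> <new>
    openssl rsa -in "$1" -passin "pass:$2" -aes256 -passout "pass:$3" \
        -out "$1.new" 2>/dev/null && mv "$1.new" "$1"
}

# Unwrap a partition key; print it only if it is exactly 64 hex digits.
unwrap_hex() {  # usage: unwrap_hex <pem> <key.enc> <passphrase>
    hex=$(openssl pkeyutl -decrypt -inkey "$1" -passin "pass:$3" -in "$2" \
              2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    case "$hex" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#hex}" -eq 64 ] || return 1
    printf '%s\n' "$hex"
}

# Build the device-mapper table line the howto pipes into dmsetup.
table_line() {  # usage: table_line <sectors> <hexkey> <device>
    printf '0 %s crypt aes-cbc-essiv:sha256 %s 0 %s 0\n' "$1" "$2" "$3"
}

demo() {
    d=$(mktemp -d) || return 1
    make_wrapped_key "$d" old-pass || return 1
    before=$(unwrap_hex "$d/privkey.pem" "$d/rootkey.enc" old-pass) || return 1
    change_passphrase "$d/privkey.pem" old-pass new-pass || return 1
    after=$(unwrap_hex "$d/privkey.pem" "$d/rootkey.enc" new-pass) || return 1
    rm -rf "$d"
    [ "$before" = "$after" ] && echo "partition key unchanged by passphrase change"
}
demo
```

The length check in `unwrap_hex` is stricter than the `test -z` loop in the boot script: it also rejects a short or padded key, not only an empty one.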