How to crypt whole ubuntu installation

paul roeland paul.roeland at milieudefensie.nl
Mon Aug 15 11:39:35 UTC 2005


Sebastian Müsch wrote:
> Hello,
> 
> Once upon a time VOJ wrote:
> 
> 
>>Is it possible to crypt whole Ubuntu installation?
> 
> 
> It is, but you need to:
> - recompile the kernel
> - change the initrd
> 

Actually, you don't need to recompile the kernel. Everything is already
in. Using cryptsetup, it's actually quite easy. The short, schematic
version:

- create a small (512 Mb) partition mounted at /boot. This partition
will contain the kernels and grub, and will stay unencrypted.
- create a smallish partition (3 Gb) for your initial setup, this will
be mounted at / (root)
- plus some swap space, leave the rest of the disk unpartitioned
- install Ubuntu, don't bother setting everything up to perfection, that
can be done later
- apt-get install cryptsetup
- read the documentation in /usr/share/doc/cryptsetup. When done, read
it again.
- create appropriate /etc/crypttab entries
- create partition in free space, put filesystem on encrypted partition,
mount it somewhere
- copy the original filesystem over. You may have some problems copying
over the /dev/ filesystem. It helps to stop udev, and then copy.
- change /boot/grub/menu.lst to boot from /dev/mapper/yourcryptedpartition
- change /etc/fstab *on the encrypted filesystem*
- reboot, pray to your favourite deity
- if it does not work, reboot into the original partition and further
tinker with /etc/crypttab, /etc/fstab until success
- delete the original partition, use it as extra (encrypted) swap space,
or whatever.

It works, have done it on several occasions. Good luck!

Paul Roeland
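
Added example, not part of the original message: a pre-reboot consistency check for the three files the steps above edit (/etc/crypttab and /etc/fstab on the encrypted filesystem, and /boot/grub/menu.lst). The function names, the mapper name `cryptroot` and the `/dev/hda*` devices are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: cross-check crypttab, fstab and menu.lst before the reboot step.

# Mapper names defined in a crypttab file (field 1; comments and blanks skipped).
crypttab_targets() { awk 'NF && $1 !~ /^#/ { print $1 }' "$1"; }

# Device mounted at / according to an fstab file.
fstab_root() { awk 'NF && $1 !~ /^#/ && $2 == "/" { print $1 }' "$1"; }

# root= argument of each kernel line in a GRUB menu.lst.
kernel_roots() {
    awk '$1 == "kernel" { for (i = 2; i <= NF; i++)
             if ($i ~ /^root=/) print substr($i, 6) }' "$1" | sort -u
}

# check_crypt_config CRYPTTAB FSTAB MENULST
# Prints one line per inconsistency; returns 0 when none are found.
check_crypt_config() {
    bad=0
    root=$(fstab_root "$2")
    case $root in
        /dev/mapper/?*)
            crypttab_targets "$1" | grep -qx -- "${root#/dev/mapper/}" ||
                { echo "fstab: $root has no crypttab entry"; bad=1; } ;;
        *)  echo "fstab: / is on '$root', not a /dev/mapper device"; bad=1 ;;
    esac
    for kr in $(kernel_roots "$3"); do
        [ "$kr" = "$root" ] ||
            { echo "menu.lst: kernel root=$kr differs from fstab / ($root)"; bad=1; }
    done
    [ -n "$(kernel_roots "$3")" ] || { echo "menu.lst: no kernel line with root="; bad=1; }
    return $bad
}

# Constructed sample files (device and mapper names are placeholders).
write_sample() {   # write_sample DIR KERNEL_ROOT
    printf '%s\n' '# <target> <source device> <key file>' \
        'cryptroot /dev/hda4 none' > "$1/crypttab"
    printf '%s\n' '/dev/mapper/cryptroot / ext3 defaults 0 1' \
        '/dev/hda1 /boot ext3 defaults 0 2' > "$1/fstab"
    printf '%s\n' 'title Ubuntu' 'root (hd0,0)' \
        "kernel /vmlinuz root=$2 ro" 'initrd /initrd.img' > "$1/menu.lst"
}

demo=$(mktemp -d)
write_sample "$demo" /dev/hda2    # menu.lst still points at the original root
check_crypt_config "$demo/crypttab" "$demo/fstab" "$demo/menu.lst" || true
rm -rf "$demo"
```

Point the three arguments at the copies on the mounted encrypted filesystem and at /boot/grub/menu.lst; a mismatch here leaves the original partition as the fallback described in the steps.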




