Diffstat (limited to 'src/Linux:System_Encryption.adoc')
-rw-r--r-- | src/Linux:System_Encryption.adoc | 155 |
1 files changed, 155 insertions, 0 deletions
diff --git a/src/Linux:System_Encryption.adoc b/src/Linux:System_Encryption.adoc new file mode 100644 index 0000000..e9ff71b --- /dev/null +++ b/src/Linux:System_Encryption.adoc 
@@ -0,0 +1,155 @@ +Linux:System Encryption +======================= +:author: Aaron Ball +:email: nullspoon@iohq.net + + +== {doctitle} + +As mentioned in a Linux:dm-crypt_Encrypted_Home_Directories[previous post], I +use dm-crypt with a luks header and the pam-mount module to encrypt and mount +the home directories on my laptop and server. While this works fantastically, +it does have a potential fatal flaw, which is that my operating system is +readily available to a would-be attacker. For instance, if they were skilled +enough (which I am not), they could modify the any number of applications on my +system to, quitely dump or send my encryption key password the next time I +mount my home directory, thus defeating my security. Further, my system is +readily available for any linux user good with mounting and chroot knowledge +(which is probably most of us), and thus one could do all kinds of mischief on +the unencrypted system partition of my computer. + +I'm sure this is a bit tin-foil hatted of me. I have nothing to hide (though +it's not about that, it's a matter of principle). Further, there is no one +[_that I know of_] who would be *that* interested in me or my data. Despite, +this is a very cool thing that I am doing purely because it can be done (in +slang I believe the term is "the cool factor"). + +[[a-preliminary-note]] +== A Preliminary Note + +I would not recommend this be done for servers or multi-user laptops or +desktops. This process requires that a password be typed or a key be available +every time the system is booted, which requires physical presence to do so. +Since most servers are administered and used remotely over a network, a reboot +would me a service outtage until someone were able to open a local terminal to +type the password (to say nothing about having to share the password with +multiple people). 
+ +[[overview]] +== Overview + +Due to the scope of this post and that I don't want to focus on documenting +some other tasks that are more generic and less related to the actual +encryption of the system, I will not be covering how to back up your system or +to partition your drive. However, please see the following two notes. + +During the installation process we will... + +. Set up encryption +. Modify the grub defaults so it properly sets up the loop device on boot +. Modify the Initramfs Configuration (this one is Arch Linux specific) + +[[setting-up-encryption]] +Setting Up Encryption +~~~~~~~~~~~~~~~~~~~~~ + +We're going to assume here that the system partition will be installed +on sda2. With that, let's "format" that with luks/dm-crypt. + +WARNING: Again, back up your data if you haven't already. This will irrevocably + destroy any data on the partition [unless you are good with data + recovery tools]. + +---- +cryptsetup luksFormat /dev/sda2 +---- + +And so our installation can continue, the loop device needs to be set up and a +filesystem created + +---- +# Open the encrypted container to the system map device (though you can name it whatever you want) +cryptsetup luksOpen /dev/sda2 system +# ...Type the password +# Create the filesystem here - I use btrfs +mkfs.your_choice /dev/mapper/system +# Mount the filesystem +mount /dev/mapper/system /mnt/ # Or wherever your distro's installation mount point is +---- + +Now that this is done, it's time to re-install or copy from backups your system +to the new encrypted container. + +[[modifying-the-grub-defaults]] +Modifying the Grub Defaults +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Now that the system partition is setup up and our system re-installation is +complete, it's time to configure Grub so it knows the system partition is +encrypted. Without this step, you won't get past the initramfs since an +encrypted system partition without a password is effectively useless. 
Here I +will again assume your system partition is on /dev/sda2.. + +Change... + +./etc/default/grub +---- +... +GRUB_CMDLINE_LINUX_DEFAULT="quiet" +... +---- + +...to ... + +./etc/default/grub +---- +... + +GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:system quiet" +... +---- + + +[[modifying-the-initramfs-configuration]] +Modifying the Initramfs Configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This part is oriented towards https://archlinux.org[Arch Linux]. Modifying the +initramfs generation configuration is something that varies from distribution +to distribution. I run Arch, so Arch it is! (let me know though if you want to +know how to do it on another distribution and I'll figure it out and update the +post). + +This is actually very simple on Arch. Simply open _/etc/mkinitcpio.conf_ +and edit the *HOOKS* line. What matters here is that the *encrypt* hook +occurs _before_ the *filesystems* hooks. + +./etc/mkinitcpio.conf +---- +... +HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck" +... +---- + +Once you've done that, save and close the config file and run + +---- +mkinitcpio -p linux +---- + +You should be able to now reboot your system and it will prompt you for a +password immediately after grub. If you were successful, you should be brought +to a screen that looks something like... + +[role="terminal"] +---- +A password is required to access the sda volume: + +Enter passphrase for /dev/sda2:_ +---- + + +Category:Encryption Category:Security + + +// vim: set syntax=asciidoc: |
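Review bot: The "Modifying the Grub Defaults" section stops after editing `GRUB_CMDLINE_LINUX_DEFAULT` in /etc/default/grub and never regenerates the config that grub actually reads, so the `cryptdevice=/dev/sda2:system` parameter would not reach the kernel command line on the next boot. Add a step such as `grub-mkconfig -o /boot/grub/grub.cfg` before moving on to the initramfs section. In the same region, the `HOOKS` example lists `keyboard` after `encrypt` and `filesystems`, yet the passphrase is typed while the encrypt hook runs; consider listing `keyboard` ahead of `encrypt` and saying so in the text, which currently only calls out the encrypt-before-filesystems ordering. Two documentation points: the Overview says "please see the following two notes" but no notes follow, and the prose has a few typos worth fixing before merge ("modify the any number", "quitely", "would me a service outtage", "setup up").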