Linux:System Encryption
=======================
:author: Aaron Ball
:email: nullspoon@iohq.net


== {doctitle}

As mentioned in a Linux:dm-crypt_Encrypted_Home_Directories[previous post], I
use dm-crypt with a LUKS header and the pam-mount module to encrypt and mount
the home directories on my laptop and server. While this works fantastically,
it does have a potentially fatal flaw, which is that my operating system is
readily available to a would-be attacker. For instance, if they were skilled
enough (which I am not), they could modify any number of applications on my
system to quietly dump or send my encryption key password the next time I
mount my home directory, thus defeating my security. Further, my system is
readily available to any Linux user with good mounting and chroot knowledge
(which is probably most of us), and thus one could do all kinds of mischief on
the unencrypted system partition of my computer.

I'm sure this is a bit tin-foil hatted of me. I have nothing to hide (though
it's not about that, it's a matter of principle). Further, there is no one
[_that I know of_] who would be *that* interested in me or my data. Despite
that, this is a very cool thing that I am doing purely because it can be done
(in slang I believe the term is "the cool factor").

[[a-preliminary-note]]
== A Preliminary Note

I would not recommend this be done for servers or multi-user laptops or
desktops. This process requires that a password be typed or a key be available
every time the system is booted, which requires physical presence.
Since most servers are administered and used remotely over a network, a reboot
would mean a service outage until someone was able to open a local terminal to
type the password (to say nothing about having to share the password with
multiple people).

[[overview]]
== Overview

Because of the scope of this post, and because I don't want to focus on
documenting other tasks that are more generic and less related to the actual
encryption of the system, I will not be covering how to back up your system or
to partition your drive. However, please see the following two notes.

During the installation process we will...

. Set up encryption
. Modify the grub defaults so the mapped device is properly set up on boot
. Modify the Initramfs Configuration (this one is Arch Linux specific)

[[setting-up-encryption]]
Setting Up Encryption
~~~~~~~~~~~~~~~~~~~~~

We're going to assume here that the system partition will be installed
on sda2. With that, let's "format" that with LUKS/dm-crypt.

WARNING: Again, back up your data if you haven't already. This will irrevocably
destroy any data on the partition [unless you are good with data
recovery tools].

----
cryptsetup luksFormat /dev/sda2
----

So that our installation can continue, the mapped device needs to be set up and
a filesystem created.

----
# Open the encrypted container as the "system" mapped device (you can name it whatever you want)
cryptsetup luksOpen /dev/sda2 system
# ...Type the password
# Create the filesystem here - I use btrfs
mkfs.your_choice /dev/mapper/system
# Mount the filesystem
mount /dev/mapper/system /mnt/ # Or wherever your distro's installation mount point is
----

Now that this is done, it's time to re-install or copy from backups your system
to the new encrypted container.

[[modifying-the-grub-defaults]]
Modifying the Grub Defaults
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Now that the system partition is set up and our system re-installation is
complete, it's time to configure Grub so it knows the system partition is
encrypted. Without this step, you won't get past the initramfs since an
encrypted system partition without a password is effectively useless. Here I
will again assume your system partition is on /dev/sda2.

Change...

./etc/default/grub
----
...
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
...
----

...to...

./etc/default/grub
----
...
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=/dev/sda2:system quiet"
...
----


[[modifying-the-initramfs-configuration]]
Modifying the Initramfs Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This part is oriented towards https://archlinux.org[Arch Linux]. Modifying the
initramfs generation configuration is something that varies from distribution
to distribution. I run Arch, so Arch it is! (Let me know though if you want to
know how to do it on another distribution and I'll figure it out and update the
post.)

This is actually very simple on Arch. Simply open _/etc/mkinitcpio.conf_
and edit the *HOOKS* line. What matters here is that the *encrypt* hook
occurs _before_ the *filesystems* hook.

./etc/mkinitcpio.conf
----
...
HOOKS="base udev autodetect modconf block encrypt filesystems keyboard fsck"
...
----

Once you've done that, save and close the config file and run

----
mkinitcpio -p linux
----

You should now be able to reboot your system and it will prompt you for a
password immediately after grub. If you were successful, you should be brought
to a screen that looks something like...

[role="terminal"]
----
A password is required to access the sda volume:

Enter passphrase for /dev/sda2:_
----
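
Before rebooting, the two configuration edits above can be checked with a short script, given here as an added example that is not part of the original post: it confirms that `cryptdevice=` is set in _/etc/default/grub_, that the generated _grub.cfg_ carries the same value (the defaults file only takes effect once _grub.cfg_ is regenerated, on Arch with `grub-mkconfig -o /boot/grub/grub.cfg`), and that *encrypt* precedes *filesystems* in *HOOKS*. The function names are hypothetical and the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example: check the GRUB and mkinitcpio edits before rebooting.
# Usage: sh check.sh /etc/default/grub /boot/grub/grub.cfg /etc/mkinitcpio.conf
# Function names are hypothetical; paths come from the arguments.

# Print the cryptdevice= value set in GRUB_CMDLINE_LINUX_DEFAULT (empty if none).
grub_cryptdevice() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT=.*cryptdevice=\([^ "]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed if a "linux" kernel line in the generated grub.cfg carries the value,
# which is only true once grub.cfg has been regenerated after the edit.
grubcfg_has_cryptdevice() {
    grep -E '^[[:space:]]*linux[[:space:]]' "$1" | grep -Fq -- "cryptdevice=$2"
}

# Succeed if "encrypt" appears before "filesystems" in the last HOOKS= line.
hooks_encrypt_before_filesystems() {
    hooks=$(sed -n 's/^HOOKS=[("]\(.*\)[)"].*/\1/p' "$1" | tail -n 1)
    seen_encrypt=no
    for hook in $hooks; do
        case $hook in
            encrypt) seen_encrypt=yes ;;
            filesystems)
                if [ "$seen_encrypt" = yes ]; then return 0; fi
                return 1 ;;
        esac
    done
    return 1    # no filesystems hook found at all
}

check_boot_config() {
    dev=$(grub_cryptdevice "$1")
    if [ -z "$dev" ]; then
        echo "FAIL: no cryptdevice= in $1"; return 1
    fi
    if ! grubcfg_has_cryptdevice "$2" "$dev"; then
        echo "FAIL: $2 lacks cryptdevice=$dev, regenerate it"; return 1
    fi
    if ! hooks_encrypt_before_filesystems "$3"; then
        echo "FAIL: encrypt must precede filesystems in HOOKS ($3)"; return 1
    fi
    echo "OK: cryptdevice=$dev, encrypt precedes filesystems"
}

if [ "$#" -eq 3 ]; then check_boot_config "$@"; fi
```

A stale _grub.cfg_ is the failure this catches that the page's steps do not show: the system would boot without the `cryptdevice=` parameter and never reach the passphrase prompt.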

// vim: set syntax=asciidoc:
|