Build a Ubuntu 9.04 (i686) with full disk encryption, from “/” to swap, including home and taking in account the existing “/home” partition already encrypted and “opened” during login sequence.

Also, swap will be encrypted but in a way it doesn’t create an interrupt during boot.

• Ubuntu 9.04 Live CD
• VMware Player for a BT4 install and Windows VM
• A USB key (512MB or more)
• A laptop which can boot from USB device.

The following is entirely based on the Dell Precision M65 laptop which hardware is described below.

“/home” contain data which will stay untouched. It is encrypted using LUKS and is unencrypted at login time. All the steps describing this are in the other note of installation for the same M65 laptop.

The USB key will stay a usable USB Key. I recognize a dedicated USB key could have been more appropriate.

• Full disk Encryption for Linux with LUKS:
  • http://forums.remote-exploit.org/backtrack-4-howto/25369-howto-bt4-pre-final-full-disk-encryption.html
  • http://forums.linuxmint.com/viewtopic.php?f=42&t=18743
• Encrytion of the Swap and booting from USB key
  • http://www.debianhelp.org/node/1116

What happen in case of...

Exactly the same as a regular installation

The USB key contains only the boot kernel. It has nothing important in it. Loosing it is just a pain as we now need to create a new USB key to boot from. The recovery procedure is find its part in the installation process:

• Boot from a LiceCD
• “crypt open” the “/” partition
• mount / in /mnt/cdisk
• chroot to /mnt/cdisk
• mount you new USB key and recover the files
• umount the USB key and remount the USB key in /boot
• launch grub to point to the USB key (aka grub-install /dev/sdb).

At the end of this setup, the laptop by itself doesn’t boot. It has either no boot loader or, with the USB key missing, no boot partition. If the laptop is lost but you still have the USB stick, your data are as secure as the passphrases and the passwords you used and which are still active on the laptop.

Change it, following the steps below in this document

End of the game, you just lost your system. Luckily, as your data are encrypted with the same key as your password, you have chances to get your data back, if you remember the password of your account.

The lost is as serious as if you had never encrypted your laptop.

The installation prepares for full disk encryption and booting using a USB key.

Installation steps will be as follow:

• Prepare the disk and setup encryption.
• Install Distribution.
• Post install modifications.
• Finalize boot from the USB key.
• Prepare recovery devices (Seconday USB key or copy of its content)

Assumption: All the following commands are run as root.

Boot from the LiveCD

Create the partitions according to your needs, or check which existing partition you are going to use.\\In our case, we have 3 partitions:

• Swap: /dev/sda1 - 3GB
• Root: /dev/sda2 - 15GB
• Home: /dev/sda3 - The rest

The swap partition will be taken care of last. During the installation, it will be used unencrypted and its encryption will be setup during the modifications after the installation of the distribution.
The root partition is going to be encrypted from the start. It will be “open” during boot time.
The home partition is already encrypted in this case. It is “open” during login time. But the exact same process used for the root partition can be applied to this partition or it could be “opened” at boot time is a similar way as the swap. We will cover this later.

Optionally, you can randomize the disk prior to using it with the following command:

# dd if=/dev/urandom of=/dev/sda2

Note: /dev/urandom is used and not /dev/random. /dev/random would take ages, especially on big disks or partitions. We don’t use shred either, as its the repetition of a small random pattern over the disk.

Install cryptsetup. The package is not installed by default on the liveCD

# apt-get install cryptsetup

Create an encrypted mapping

# modprobe aes-i586
# cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 -h sha256 luksFormat /dev/sda2

Option for cryptsetup:

• -y: –verify-passphrase
• -s: –key-size
• -c: –cipher
• -h: –hash

So the equivalent of the above command, in full lenght options, is:

cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda2

Open the encrypted partition

cryptsetup luksOpen /dev/sda2 cdisk

Create the filesystem

mkfs.ext3 –j –O extent /dev/mapper/cdisk

Double-click on the “Install” icon.
Choose options as appropriate for language, time and timezone and keyboard.

When time comes to partition the disk, select “Custom partitionning” or “Manual”.

You should see all disks, sda and sdb, and the encrypted disk as well, under /dev/mapper/cdisk, with a partition in it.

If you have scrambled the disk, here is the list of device/partition you should see:

/dev/mapper/cdisk  etx4
/dev/sda
   /dev/sda1       swap
   /dev/sda2       unknown
   /dev/sda3       unknown
/dev/sdb
   /dev/sdb1       FAT16
   /dev/sdb2       ext2

Select the first partition, /dev/mapper/cdisk, and select to use it, format it as ext4 or ext3, and mountpoint “/”.
Select the swap partition to be used if it is not already the case.
Select /dev/sdb2 to be used, formatted and mounted on “/boot”.

Proceed with the rest of the installation.

DO NOT REBOOT AT THE END OF THE INSTALL. Select “Continue to Test”.

• chroot to the new encrypted system

mkdir /mnt/root
mount /dev/mapper/root /mnt/root
mount -o bind /dev /mnt/root/dev/
chroot /mnt/root
mount –t proc proc /proc
mount –t sysfs sys /sys

• Change crypttab and fstab

/etc/crypttab

cdisk     /dev/sda2     none     luks

/dev/fstab

/dev/mapper/cdisk    /               ext3 relatime,errors=remount-ro      0 1

• Add kernel modules

/etc/initramfs-tools/modules

aes-i586
sha256
dm-mod
dm-crypt

• update initrd

update-initramfs –k all –c

grub-install /dev/sdb

• Remove /boot from /etc/fstab.\\The reason is, for security, you will unplug the USB stick as soon as you entered the passphrase and it went successfully. So next reboot, the system will complain about /boot not being unmount properly and will start an FSCK. Removing the USB stick from the fstab makes it is not mounted.

• You can now reboot your system.

Thoses things can happen. You still have the possibility to get back to your system. Boot from the live CD. Install cryptsetup and “open” the encrypted partition as we did before the installation. You can then mount it, as we did in the first step of the post installation part.
You have access and can repair.

• encrypt swap

# swapoff /dev/sda1
# apt-get install hashalot
# hashalot -s whateversaltphraseyouwanttouse -x sha256 > /etc/keys/swapkey

I used an ascii file as the input so it would be a long source of ascii characters.

# cryptsetup create swap /dev/sda1 -d /etc/keys/swapkey -c twofish-cbc-essiv:sha256 -h sha512
# mkswap /dev/mapper/swap

edit /etc/crypttap

swap /dev/hda2 /etc/keys/swapkey cipher=blowfish,hash-sha512

edit /etc/fstab

/dev/mapper/swap none swap sw 0 0

or put the UUID if you have it.

# swapon -a

• get /home to be unencrypted at login

• Copy your /boot for future recovery

If Ubuntu upgrades contains a new kernel, it is important to plug back the USB stick and mount it in /boot.