Build a Ubuntu 9.04 (i686) with full disk encryption, from “/” to swap, including home and taking in account the existing “/home” partition already encrypted and “opened” during login sequence.
Also, swap will be encrypted but in a way it doesn’t create an interrupt during boot.
The following is entirely based on the Dell Precision M65 laptop which hardware is described below.
“/home” contain data which will stay untouched. It is encrypted using LUKS and is unencrypted at login time. All the steps describing this are in the other note of installation for the same M65 laptop.
The USB key will stay a usable USB Key. I recognize a dedicated USB key could have been more appropriate.
What happen in case of...
Exactly the same as a regular installation
The USB key contains only the boot kernel. It has nothing important in it. Loosing it is just a pain as we now need to create a new USB key to boot from. The recovery procedure is find its part in the installation process:
At the end of this setup, the laptop by itself doesn’t boot. It has either no boot loader or, with the USB key missing, no boot partition. If the laptop is lost but you still have the USB stick, your data are as secure as the passphrases and the passwords you used and which are still active on the laptop.
Change it, following the steps below in this document
End of the game, you just lost your system. Luckily, as your data are encrypted with the same key as your password, you have chances to get your data back, if you remember the password of your account.
The lost is as serious as if you had never encrypted your laptop.
|Processor||Intel® CoreTM 2 Duo T7200|
|Screen||15.4” WSXGA+ (1680 X 1050) LCD SCREEN|
|Memory||2.0GB, 667MHZ DDR2 SDRAM MEMORY (2 X 1024)|
|Hard Drive||80GB (7200RPM) SATA|
|CD/DVD||8X DVD+/-RW DRIVE|
|Internal Modem||UK - 56.6K V.92 CAPABLE INTERNAL MODEM & DATA|
|Bluetooth controller||Dell Wireless 350 BlueTooth™ Internal Card|
|Wireless controller||Dell Wireless 1390 Wireless 802.11 b/g Mini card for Core 2 Duo|
|Ethernet controller||Broadcom Corporation NetXtreme BCM5752 Gigabit Ethernet PCI Express|
|/dev/sda||This is the internal disk|
|/dev/sdb||This is the USB stick|
|Windows||XP|| 2 Network drives
U:\ → /home/<user>
Y:\ → /data
|Linux||Bactrack 4 Pre-Final|
The installation prepares for full disk encryption and booting using a USB key.
Installation steps will be as follow:
Assumption: All the following commands are run as root.
Boot from the LiveCD
Create the partitions according to your needs, or check which existing partition you are going to use.\\In our case, we have 3 partitions:
The swap partition will be taken care of last. During the installation, it will be used unencrypted and its encryption will be setup during the modifications after the installation of the distribution.
The root partition is going to be encrypted from the start. It will be “open” during boot time.
The home partition is already encrypted in this case. It is “open” during login time. But the exact same process used for the root partition can be applied to this partition or it could be “opened” at boot time is a similar way as the swap. We will cover this later.
Optionally, you can randomize the disk prior to using it with the following command:
# dd if=/dev/urandom of=/dev/sda2
Note: /dev/urandom is used and not /dev/random. /dev/random would take ages, especially on big disks or partitions. We don’t use shred either, as its the repetition of a small random pattern over the disk.
Install cryptsetup. The package is not installed by default on the liveCD
# apt-get install cryptsetup
Create an encrypted mapping
# modprobe aes-i586 # cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 -h sha256 luksFormat /dev/sda2
Option for cryptsetup:
So the equivalent of the above command, in full lenght options, is:
cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-cbc-essiv:sha256 --key-size=128 luksFormat /dev/sda2
Open the encrypted partition
cryptsetup luksOpen /dev/sda2 cdisk
Create the filesystem
mkfs.ext3 –j –O extent /dev/mapper/cdisk
Double-click on the “Install” icon.
Choose options as appropriate for language, time and timezone and keyboard.
When time comes to partition the disk, select “Custom partitionning” or “Manual”.
You should see all disks, sda and sdb, and the encrypted disk as well, under /dev/mapper/cdisk, with a partition in it.
If you have scrambled the disk, here is the list of device/partition you should see:
/dev/mapper/cdisk etx4 /dev/sda /dev/sda1 swap /dev/sda2 unknown /dev/sda3 unknown /dev/sdb /dev/sdb1 FAT16 /dev/sdb2 ext2
Select the first partition, /dev/mapper/cdisk, and select to use it, format it as ext4 or ext3, and mountpoint “/”.
Select the swap partition to be used if it is not already the case.
Select /dev/sdb2 to be used, formatted and mounted on “/boot”.
Proceed with the rest of the installation.
DO NOT REBOOT AT THE END OF THE INSTALL. Select “Continue to Test”.
mkdir /mnt/root mount /dev/mapper/root /mnt/root mount -o bind /dev /mnt/root/dev/ chroot /mnt/root mount –t proc proc /proc mount –t sysfs sys /sys
cdisk /dev/sda2 none luks
/dev/mapper/cdisk / ext3 relatime,errors=remount-ro 0 1
aes-i586 sha256 dm-mod dm-crypt
update-initramfs –k all –c
Thoses things can happen. You still have the possibility to get back to your system. Boot from the live CD. Install cryptsetup and “open” the encrypted partition as we did before the installation. You can then mount it, as we did in the first step of the post installation part.
You have access and can repair.
# swapoff /dev/sda1 # apt-get install hashalot # hashalot -s whateversaltphraseyouwanttouse -x sha256 > /etc/keys/swapkey
I used an ascii file as the input so it would be a long source of ascii characters.
# cryptsetup create swap /dev/sda1 -d /etc/keys/swapkey -c twofish-cbc-essiv:sha256 -h sha512 # mkswap /dev/mapper/swap
swap /dev/hda2 /etc/keys/swapkey cipher=blowfish,hash-sha512
/dev/mapper/swap none swap sw 0 0
or put the UUID if you have it.
# swapon -a
If Ubuntu upgrades contains a new kernel, it is important to plug back the USB stick and mount it in /boot.