howto: install (k)ubuntu with encrypted root and swap

howto: install (k)ubuntu with encrypted root and swap

Andreas Jellinghaus-3
Hi,

I wrote a howto for installing (k)ubuntu with encrypted root and swap
partitions. Can anyone suggest a good place/wiki where I can put this?
Also I would like to write a spec for proposing that this can be done
with the default installer. Can someone recommend a place where I can
put such a spec?

The howto might look complicated, but essentially we do all the steps the
normal installer would do, except generating keys, setting up the crypt
layer, and configuring mkinitramfs to be able to decrypt the partitions
during boot.

The method used in this howto is neither luks nor cryptsetup for a good
reason:
 - cryptsetup uses a hashed password as key. thus you can't ever change
   the password on a partition which is bad.
 - luks uses some space at the beginning of the partition for metadata
   and stores passwords in it. the good part is that it can manage a number
   of passwords and the passwords can be changed, as they are independent
   from the key the kernel uses.

in this howto instead an rsa key is generated and the private key is
protected by a passphrase. that passphrase can be simply changed. the
real partition keys are random numbers and are stored encrypted with the
rsa key. this concept has the benefit that the rsa key could be as well
on a smart card. I have a working debian based initramfs doing this,
and will port it to ubuntu mkinitramfs mechanism later.

Encrypting valuable data is very important for many companies, and it feels
a lot better if the whole filesystem is encrypted, not only some partitions
(e.g. home - what if you start using some webserver, database etc.).
Of course a full encryption of root and swap has significant impact on
latency for reading/writing and increased cpu usage for that. But for
normal desktop it is not a big deal, but if you copy hundreds of MB of
data you will notice it.

Still I think it would be great to have this option available in a default
installation of (k)ubuntu. Help to get this HOWTO cleaned up and put into
an appropriate place in some wiki as well as help with writing and
submitting a spec for the next ubuntu version is very much appreciated.

Thanks, Andreas

How to install Ubuntu encrypted
===============================
 
1.) Boot from desktop CD
    Download this text to the ubuntu system, so you can cut and paste.
    Open in vi (not less, with less you get cut&paste problems on lone
    lines).
 
2.) Start an xterm
 
3.) Get a root shell  
        sudo bash
 
4.) load dm-crypt
        modprobe dm-crypt
 
5.) Partition the system
        cfdisk /dev/sda
        # or /dev/hda
    Create three partitions:
        first partition: linux, 100mb, bootable (/boot)
        second partition: linux, what you prefer (2GB?) (swap)
        third partition: root, rest of the disk
                (or leave space - however you prefer)
 
    Do not set the second partition to swap, as ubuntu will automatically
    enable it and thus cause problems.
 
    In this document we will assume:
        /dev/sda1       /boot partition
        /dev/sda2       swap partition
        /dev/sda3       root partition
 
6.) Create crypto keys in /tmp (tmpfs, never written anywhere)
        cd /tmp
        openssl genrsa -aes256 -out privkey.pem 2048
        dd if=/dev/urandom of=swapkey bs=32 count=1
        dd if=/dev/urandom of=rootkey bs=32 count=1
        openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt
        openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt
        rm swapkey rootkey
 
        SWAPKEY=`openssl rsautl -in swapkey.enc -decrypt -inkey privkey.pem \
                        | hexdump -e '"" 32/1 "%02x" "\n"'`
        ROOTKEY=`openssl rsautl -in rootkey.enc -decrypt -inkey privkey.pem \
                        | hexdump -e '"" 32/1 "%02x" "\n"'`
        echo 0 `blockdev --getsize /dev/sda2` crypt aes-cbc-essiv:sha256 \
                $SWAPKEY 0 /dev/sda2 0 |dmsetup create swap
        echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \
                $ROOTKEY 0 /dev/sda3 0 |dmsetup create root
 
7.) Create filesystems
        mkfs.ext3 /dev/sda1             # /boot
        mkswap /dev/mapper/swap         # swap
        mkfs.ext3 /dev/mapper/root      # root
 
8.) Mount filesystems
        mount /dev/mapper/root /mnt
        mkdir /mnt/boot
        mount /dev/sda1 /mnt/boot
 
9.) Download ar and debootstrap
        cd /tmp
        mkdir download
        cd download
        wget http://security.ubuntu.com/ubuntu/pool/main/b/binutils/binutils_2.16.1cvs20060117-1ubuntu2.1_i386.deb
        wget http://de.archive.ubuntu.com/ubuntu/pool/main/d/debootstrap/debootstrap_0.3.3.0ubuntu2_all.deb
        dpkg -x binutils*deb x
        dpkg -x debootstrap*deb x
 
10.) install dapper on the crypto root
        export LD_LIBRARY_PATH=/tmp/download/x/usr/lib
        export PATH=/tmp/download/x/usr/bin:$PATH
        export DEBOOTSTRAP_DIR=/tmp/download/x/usr/lib/debootstrap
        /tmp/download/x/usr/sbin/debootstrap dapper /mnt \
                http://de.archive.ubuntu.com/ubuntu/
 
11.) create an fstab in the chroot
        chroot /mnt
        vi /etc/fstab
/dev/sda1               /boot           ext3    defaults
/dev/mapper/root        /               ext3    defaults
/dev/mapper/swap        swap            swap    defaults
none                    /proc           proc    defaults
none                    /proc/bus/usb   usbfs   defaults
none                    /sys            sysfs   defaults
none                    /dev/shm        tmpfs   defaults
none                    /dev/pts        devpts  defaults
 
12.) create an apt config file in the chroot
        chroot /mnt
        vi /etc/apt/sources.list
deb http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
deb http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted

deb-src http://de.archive.ubuntu.com/ubuntu/ dapper main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-updates main restricted
deb-src http://de.archive.ubuntu.com/ubuntu/ dapper-security main restricted

 
13.) update packages, install dselect and kubuntu-desktop
        chroot /mnt
        apt-get update
        apt-get upgrade
        apt-get install grub linux-image-686 dmsetup bsdmainutils wipe
        apt-get install kubuntu-desktop
 
13.) configure initramfs-tools for crypt root and swap
        chroot /mnt
        cd /etc/mkinitramfs
        echo dm-crypt >> modules
        echo aes >> modules
        echo sha256 >> modules
        vi hooks/cryptroot (copy till EOF)
#!/bin/sh
 
. /usr/share/initramfs-tools/hook-functions
 
mkdir -p ${DESTDIR}/boot
mkdir -p ${DESTDIR}/sbin
mkdir -p ${DESTDIR}/usr/bin
 
cp -p /boot/privkey.pem /boot/rootkey.enc /boot/swapkey.enc ${DESTDIR}/boot
 
copy_exec /sbin/blockdev /sbin
copy_exec /sbin/dmsetup /sbin
copy_exec /usr/bin/openssl /usr/bin
copy_exec /usr/bin/hexdump /usr/bin
EOF
 
        chmod +x hooks/cryptroot
 
        vi scripts/local-top/cryptroot (copy till EOF)
#!/bin/sh
 
PREREQ="udev"
 
# Output pre-requisites
prereqs()
{
        echo "$PREREQ"
}
 
case "$1" in
    prereqs)
        prereqs
        exit 0
        ;;
esac
 
modprobe aes
modprobe sha256
modprobe dm-crypt
 
echo "Waiting for crypted root device..."
 
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "/dev/sda3" ]; do
        /bin/sleep 0.1
        slumber=$(( ${slumber} - 1 ))
done
 
while test -z "$ROOTKEY"
do
        ROOTKEY=`openssl rsautl -in /boot/rootkey.enc -decrypt \
                -inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 \
                | hexdump -e '"" 32/1 "%02x" "\n"'`
done
 
SECTORS=`blockdev --getsize /dev/sda3`
 
echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $ROOTKEY 0 /dev/sda3 0 \
        |dmsetup create root
 
echo "Waiting for crypted swap device..."
 
slumber=1800
while [ ${slumber} -gt 0 -a ! -e "/dev/sda2" ]; do
        /bin/sleep 0.1
        slumber=$(( ${slumber} - 1 ))
done
 
while test -z "$SWAPKEY"
do
        SWAPKEY=`openssl rsautl -in /boot/swapkey.enc -decrypt \
                -inkey /boot/privkey.pem < /dev/tty0 2>/dev/tty0 \
                | hexdump -e '"" 32/1 "%02x" "\n"'`
done
 
SECTORS=`blockdev --getsize /dev/sda2`
 
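# the mapping must be named "swap": fstab refers to /dev/mapper/swap,
# and "root" already exists at this point
echo 0 $SECTORS crypt aes-cbc-essiv:sha256 $SWAPKEY 0 /dev/sda2 0 \
        |dmsetup create swap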
 
EOF
        chmod +x scripts/local-top/cryptroot
 
14.) put the crypto keys in place and create a new initramfs
        mv /tmp/privkey.pem /tmp/swapkey.enc /tmp/rootkey.enc /mnt/boot/
        chroot /mnt
        update-initramfs -u
 
15.) install grub
        chroot /mnt
        update-grub
        apt-get install kubuntu-grub-splashimages
 
        cd /boot/grub
        cp /lib/grub/i386-pc/* .
 
        grub
        root (hd0,0)
        setup (hd0)
        quit
 
16.) configure grub
        vi /boot/grub/menu.lst
        # add "acpi=off"
        # change "root=/dev/mapper/root"
        * splash (hd0,0)/grub/splashimages/kubuntugood.xpm.gz
        * timeout 15
        * default 0
        (remove all the other crap)
        (remove all "savedefault" lines)
        (remove splash as you want a console to enter your password)
 
16.) finish installation, reboot
        umount /mnt/boot
        fuser -k /mnt
        umount /mnt
        sync
 
        ctrl-alt-del -> reboot
 
Tools
=====
 
1.) change password on rsa key
        su root
        cd /boot
        openssl rsa -in privkey.pem -out privkey.new.pem -aes256
        wipe privkey.pem
        mv privkey.new.pem privkey.pem
        update-initramfs -u
 
2.) replace rsa key
        su root
        cd /tmp
        openssl rsautl -in /boot/rootkey.enc -inkey /boot/privkey.pem \
                -decrypt -out rootkey
        openssl rsautl -in /boot/swapkey.enc -inkey /boot/privkey.pem \
                -decrypt -out swapkey
        openssl genrsa -aes256 -out privkey.pem 2048
        openssl rsautl -in swapkey -out swapkey.enc -inkey privkey.pem -encrypt
        openssl rsautl -in rootkey -out rootkey.enc -inkey privkey.pem -encrypt
        rm swapkey rootkey
        mv swapkey.enc rootkey.enc privkey.pem /boot/
        update-initramfs -u
 
3.) recover with bootcd
        * boot kubuntu cd
        * start xterm
        sudo bash
        mount /dev/sda1 /mnt
        echo 0 `blockdev --getsize /dev/sda3` crypt aes-cbc-essiv:sha256 \
                `openssl rsautl -in /mnt/rootkey.enc -decrypt -inkey \
                /mnt/privkey.pem |hexdump -e '"" 32/1 "%02x" "\n"'` \
                        0 /dev/sda3 0 | dmsetup create root
        umount /mnt/
        mount /dev/mapper/root /mnt
        mount /dev/sda1 /mnt/boot
 
        chroot /mnt
        ...
 
        update-initramfs -u
 
        umount /mnt/boot
        umount /mnt
        sync
 
        * ctrl-alt-del -> reboot
 
Other changes
=============
 
1.) set root password
        * boot  
        * switch to text console
        * login as "root" (no password)
        shadowconfig on
        passwd root
 
2.) create user
        adduser user
        vigr
        # add user to dialout, fax, voice, cdrom, floppy, sudo, audio,
                video, scanner, scard
        fi


--
ubuntu-devel mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
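
The key hierarchy from the howto above (a passphrase-protected RSA key wrapping a random 32-byte volume key), as an added example that is not part of the original post. It runs in a scratch directory only; the function names and passphrases are hypothetical, and `openssl pkeyutl` and `od` stand in for the howto's `openssl rsautl` and `hexdump`.

```shell
#!/bin/sh
# Added example: dry run of the howto's key hierarchy in a scratch directory.
# No disk is touched, dmsetup is never called; passphrases are sample values.

# Raw bytes on stdin -> lowercase hex (od stands in for the howto's hexdump).
hex() { od -An -v -tx1 | tr -d ' \n'; }

# make_keys DIR PASS: RSA key protected by PASS, plus a random 32-byte volume
# key wrapped with it (pkeyutl stands in for the deprecated rsautl).
make_keys() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/privkey.pem" 2048 2>/dev/null
    dd if=/dev/urandom of="$1/rootkey" bs=32 count=1 2>/dev/null
    openssl pkeyutl -encrypt -inkey "$1/privkey.pem" -passin "pass:$2" \
        -in "$1/rootkey" -out "$1/rootkey.enc"
}

# unwrap_hex DIR PASS: volume key as 64 hex digits, empty if PASS is wrong.
unwrap_hex() {
    openssl pkeyutl -decrypt -inkey "$1/privkey.pem" -passin "pass:$2" \
        -in "$1/rootkey.enc" 2>/dev/null | hex
}

# change_pass DIR OLD NEW: re-encrypt only the RSA key, as in Tools step 1.
change_pass() {
    openssl rsa -in "$1/privkey.pem" -passin "pass:$2" -aes256 \
        -passout "pass:$3" -out "$1/privkey.new.pem" 2>/dev/null &&
        mv "$1/privkey.new.pem" "$1/privkey.pem"
}

# table_line SECTORS HEXKEY DEVICE: the table the howto pipes into dmsetup.
# echo is a shell builtin, so the key is not passed on an external command line.
table_line() { echo "0 $1 crypt aes-cbc-essiv:sha256 $2 0 $3 0"; }

# selftest: 0 if the volume key survives a passphrase change unchanged and
# the old passphrase no longer unwraps it.
selftest() {
    d=$(mktemp -d) || return 1
    make_keys "$d" 'sample-old' || return 1
    want=$(hex < "$d/rootkey")
    rm -f "$d/rootkey"
    [ "${#want}" -eq 64 ] || return 1
    [ "$(unwrap_hex "$d" 'sample-old')" = "$want" ] || return 1
    change_pass "$d" 'sample-old' 'sample-new' || return 1
    [ "$(unwrap_hex "$d" 'sample-new')" = "$want" ] || return 1
    [ -z "$(unwrap_hex "$d" 'sample-old')" ] || return 1
    rm -rf "$d"
}

selftest && echo "volume key unchanged after passphrase change"
```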

Re: howto: install (k)ubuntu with encrypted root and swap

Bugzilla from krzysiek@lichota.net
Andreas Jellinghaus wrote:
> Hi,
>
> I wrote an howto for installing (k)ubuntu with encrypted root and swap
> partitions. Can anyone suggest a good place/wiki where I can put this?
> Also I would like to write a spec for proposing that this can be done
> with the default installer. Can someone recommend a place where I can
> put such a spec?

You should put your howto on the Ubuntu wiki and then create a specification
on Launchpad, pointing to your wiki page. See
https://launchpad.net/distros/ubuntu/+specs

Regards

        Krzysztof Lichota





Re: howto: install (k)ubuntu with encrypted root and swap

Ivan Krstić-3
In reply to this post by Andreas Jellinghaus-3
Andreas Jellinghaus wrote:
> Also I would like to write a spec for proposing that this can be done
> with the default installer.

Adam is already planning to add dm-crypt and dm-fakeraid support to the
Edgy installer, and since it's straightforward work (in terms of what
needs to be done, if not the amount of work), it probably doesn't
require a spec.

--
Ivan Krstic <[hidden email]> | GPG: 0x147C722D


Re: howto: install (k)ubuntu with encrypted root and swap

Daniel Koć
Ivan Krstic wrote:
> Adam is already planning to add dm-crypt and dm-fakeraid support to the
> Edgy installer, and since it's straightforward work (in terms of what
> needs to be done, if not the amount of work), it probably doesn't
> require a spec.
>  
Probably the best place for the community HOWTO is:

https://help.ubuntu.com/community



Re: howto: install (k)ubuntu with encrypted root and swap

Reinhard Tartler-2
In reply to this post by Andreas Jellinghaus-3
Andreas Jellinghaus wrote:
> I wrote an howto for installing (k)ubuntu with encrypted root and swap
> partitions.

Does hibernate/suspend to disk work with encrypted swap?

Greetings,
        Reinhard




Re: howto: install (k)ubuntu with encrypted root and swap

Andreas Jellinghaus-3
Reinhard Tartler wrote:

> Andreas Jellinghaus wrote:
>> I wrote an howto for installing (k)ubuntu with encrypted root and swap
>> partitions.
>
> Does hibernate/suspend to disk work with encrypted swap?

I tried it, yes it works fine.

although I'm not 100% sure, the swsusp documentation is not 100% clear to
me when some action could cause trouble, but I think everything is ok.
setting up dm(-crypt) and mounting the root partition read only should be
fine.

Regards, Andreas



Re: howto: install (k)ubuntu with encrypted root and swap

Andreas Jellinghaus-3
In reply to this post by Daniel Koć
Daniel Koć wrote:
> Probably the best place for the community HOWTO is:
>
> https://help.ubuntu.com/community

thanks, I added my howto as
https://help.ubuntu.com/community/EncryptedFilesystemHowto4

Now where can I create a wiki page for proposing a spec?

Regards, Andreas

