Howto: Basic cryptsetup
This is a quick and easy HOWTO for encrypting everything on the hard drive, except the kernel and a helper initramfs image.
We will be using Gentoo, but this should work with any other distribution if you are willing to hack around a bit.

Partitions
You would normally be doing this as part of a new Gentoo install. Follow the Gentoo Handbook until you get to Chapter 4: Preparing the Disks. We will create two physical partitions on the hard drive: one small one that will be /boot, and the rest of the space will be encrypted using dm-crypt. The encrypted partition will then be partitioned using LVM.
If you are not installing onto /dev/hda, remember to use your drive name instead.
You will need two partitions, but you can have others if you want to.
For great partitioning instructions see Using fdisk to Partition your Disk.

Filling the partition with random data (optional)
If you don't want anyone to know how much data there is on your disk, or where on the disk it is, you might want to fill it with random data first. This writes the whole partition and can take a long time on a large drive.
# dd if=/dev/urandom of=/dev/hda2

Encrypting the partition
We will be using cryptsetup with LUKS to encrypt the drive.
For this you will need >=cryptsetup-1.0.5 or cryptsetup-luks. Load the necessary modules on the livecd. If you are on x86 and on i586 or above you can use aes-i586 instead of aes, and on x86_64 you can use aes-x86_64.
# modprobe dm-crypt
# modprobe aes
# modprobe sha256
Format the partition you created earlier. Remember that if you forget the passphrase all the encrypted data will be lost. luksFormat takes only the device; the mapping name (enc-pv) is given to luksOpen below.
# cryptsetup luksFormat /dev/hda2
If the command failed make sure you have the necessary modules loaded.

Open the encrypted partition
To access the data on the partition you will need to do the following. This will create /dev/mapper/enc-pv that we will use for LVM.
# cryptsetup luksOpen /dev/hda2 enc-pv

Creating LVM partitions
You will now need to set up LVM and the logical volumes you will install Gentoo onto. Create a physical volume:
# pvcreate /dev/mapper/enc-pv
And a volume group:
# vgcreate vg /dev/mapper/enc-pv
Now add the logical volumes.
# lvcreate -L 40G -n root vg
# lvcreate -L 1G -n swap vg

Format and mount
Format them.
# mke2fs -j -L root /dev/vg/root
# mkswap -L swap /dev/vg/swap
And mount/enable them.
# mount /dev/vg/root /mnt/gentoo
# swapon /dev/vg/swap
Now you are ready to continue with the Gentoo Handbook from Chapter 5: Installing the Gentoo Installation Files until you get to Chapter 7.c: Default: Manual Configuration.

Kernel configuration
You will need to follow the manual configuration of the kernel in Chapter 7.c, and also enable a few other things.
General Setup --->
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
    ()  Initramfs source file(s)
Device Drivers --->
    [*] Multiple devices driver support (RAID and LVM) --->
        [*] Device mapper support
        [*] Crypt target support
-*- Cryptographic API --->
    [*] SHA256 digest algorithm
    [*] AES cipher algorithms
When you have enabled these, continue from compiling and installing your kernel until you get to Chapter 10: Configuring the Bootloader.

Creating the initramfs image
As the root filesystem is encrypted and on LVM, you will need an initramfs image to open the encrypted partition and enable the LVM partitions.
To do this we will create a /init script that is run by the kernel when it has loaded the initramfs.
#!/bin/sh
# Mount things needed by this script
mount -t proc proc /proc
mount -t sysfs sysfs /sys
# Disable kernel messages from popping onto the screen
echo 0 > /proc/sys/kernel/printk
# Clear the screen
clear
# Create all the symlinks to /bin/busybox
busybox --install -s
# Create device nodes
mknod /dev/null c 1 3
mknod /dev/tty c 5 0
mdev -s
# Function for parsing command line options with "=" in them
# get_opt("init=/sbin/init") will return "/sbin/init"
# (everything after the first "=", so values that themselves contain "=" stay intact)
get_opt() {
    echo "$@" | cut -d "=" -f 2-
}
# Defaults
init="/sbin/init"
root="/dev/vg/root"
enc_root="/dev/hda2"
# Process command line options
for i in $(cat /proc/cmdline); do
    case "${i}" in
        root=*)
            root=$(get_opt "${i}")
            ;;
        init=*)
            init=$(get_opt "${i}")
            ;;
        enc_root=*)
            enc_root=$(get_opt "${i}")
            ;;
    esac
done
# Open encrypted partition to create /dev/mapper/enc-pv
# (this is where you are prompted for the LUKS passphrase)
cryptsetup luksOpen "${enc_root}" enc-pv
# Get LVM volumes up
lvm vgchange -a y
# Mount the root device (the /newroot directory must exist in the initramfs)
mount "${root}" /newroot
# Uncomment the next line if you're using tuxonice sources
# and want to resume from an encrypted swap partition
# (it has to run while /sys is still mounted, i.e. before the umount below)
#echo > /sys/power/tuxonice/do_resume
# Unmount all other mounts so that the ram used by
# the initramfs can be cleared after switch_root
umount /sys /proc
# Switch to the new root and execute init
# (plain "[" is used because busybox sh does not guarantee "[[")
if [ -x "/newroot/${init}" ] ; then
    exec switch_root /newroot "${init}"
fi
# This will only be run if the above line failed
echo "Failed to switch_root, dropping to a shell"
exec sh
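As an added example that is not part of the original howto, the following script lays out the initramfs tree the /init script above expects, refuses copies of the helper binaries (busybox, cryptsetup, lvm) that are dynamically linked, and packs the result into the gzipped cpio the kernel loads. The destination directory, the output file name and the paths of the binaries are assumptions.

```shell
#!/bin/sh
# Added example, not from the original howto. Builds the initramfs tree the
# /init script above expects and refuses any helper binary that is
# dynamically linked: a dynamic cryptsetup or lvm copied into an initramfs
# without its shared libraries dies at boot with "not found" and the init
# script falls through to the emergency shell. Paths are assumptions.

# is_static FILE: succeed when FILE needs no shared libraries. ldd exits
# non-zero for static executables ("not a dynamic executable"); without
# ldd the check is skipped with a warning rather than failing the build.
is_static() {
    if ! command -v ldd >/dev/null 2>&1; then
        echo "warning: ldd not found, cannot verify $1 is static" >&2
        return 0
    fi
    ! ldd "$1" >/dev/null 2>&1
}

# build_initramfs_tree DEST INIT_SCRIPT BIN...: create the directories the
# init script mounts or uses (/proc, /sys, /dev, /newroot), install
# INIT_SCRIPT as DEST/init and copy each BIN (busybox, cryptsetup, lvm)
# into DEST/bin after checking that it is static.
build_initramfs_tree() {
    dest=$1; initscript=$2; shift 2
    mkdir -p "$dest/bin" "$dest/dev" "$dest/proc" "$dest/sys" \
        "$dest/newroot" || return 1
    cp "$initscript" "$dest/init" && chmod 755 "$dest/init" || return 1
    for bin in "$@"; do
        is_static "$bin" || { echo "error: $bin is not static" >&2; return 1; }
        cp "$bin" "$dest/bin/" || return 1
    done
    # The kernel opens /dev/console for init before mdev runs; mknod needs
    # root, so only warn if the node cannot be created here.
    [ -e "$dest/dev/console" ] || mknod -m 600 "$dest/dev/console" c 5 1 \
        2>/dev/null || echo "warning: create $dest/dev/console as root" >&2
}

# pack_initramfs DEST OUT: write the gzipped newc cpio archive the kernel
# expects (the .igz the howto refers to).
pack_initramfs() {
    ( cd "$1" && find . | cpio -o -H newc 2>/dev/null ) | gzip -9 > "$2"
}

# Stand-alone usage with assumed paths; ./init is the script from this howto:
# build_initramfs_tree /tmp/initramfs ./init /bin/busybox /sbin/cryptsetup \
#     /sbin/lvm && pack_initramfs /tmp/initramfs /boot/initramfs.igz
```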
You will also need to have lvm and cryptsetup on the initramfs. Check that they are statically linked, since the initramfs carries no shared libraries:
# file /sbin/{cryptsetup,lvm}
If the output says "statically linked", copy them.
# cp /sbin/{cryptsetup,lvm} initramfs/bin/
Now you can continue with Creating .cpio and .igz and the rest of the initramfs HOWTO. When you have done that, continue with the Gentoo Handbook from Chapter 10.d: Rebooting the System.

Test
Now if everything has gone well, when you boot you will be prompted for the LUKS passphrase, after which the system will boot normally.

Links
Gentoo Handbook