FullDiskEncryptionHowto - Community Help Wiki
How to set up a fully encrypted disk with Ubuntu
This page describes a way to set up an Ubuntu installation with an encrypted root partition and encrypted swap.
Please refer to EncryptedFilesystems for further documentation.
New installations of Ubuntu 12.10 and later
During installation, check the checkbox "Encrypt the new Ubuntu installation for security". See also the
Electronic Frontier Foundation's notes.
Encryption with dm_crypt
If you'd like to use the newer and stronger dm_crypt method you should:
sudo apt-get install cryptsetup
sudo modprobe dm_crypt
For each method of encryption, follow the listed howto:
- CryptoRoot: /usr/share/doc/cryptsetup/CryptoRoot.HowTo
- CryptoSwap: /usr/share/doc/cryptsetup/CryptoSwap.HowTo
- Encrypted non-root HD partition: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_non-root_file_system
Other possibilities are listed at the dm_crypt wiki, including encryption across RAID devices, encrypting only a
home directory (slightly harder), and encryption using LUKS: http://www.saout.de/tikiwiki/tiki-index.php
Encryption with Cryptoloop
WARNING! We use the cryptoloop module in this howto. This module has well-known weaknesses.
https://help.ubuntu.com/community/FullDiskEncryptionHowto
1/5
8/17/2016
Prearrangement
To set up Ubuntu the described way, you will need:
- a KNOPPIX CD
- internet access
Insert the KNOPPIX CD into your computer and boot. Set up KNOPPIX so that it is able to connect to the
internet.
Setting up the hard disk
We need three partitions:

| Size | Mount point | Encrypted? | Purpose |
|------|-------------|------------|---------|
| 10M  | /osloader   | NO         | Holds the initrd and kernel image needed to mount and load the rest of the system. GRUB will boot from this partition. |
| *    | /           | YES        | Root partition. Holds a normal Ubuntu installation that will be launched by initrd. The partition size depends on the available hard disk space but shouldn't be smaller than 2G. |
|      | swap        | YES        | Swap. The partition size depends on the used RAM. |
You can use fdisk to set up the partition table. The results should look similar to

Disk /dev/hda: 20.0 GB, 20003880960 bytes
255 heads, 63 sectors/track, 2432 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1               1           2       16033+  83  Linux
/dev/hda2               3        2312    18555075   83  Linux
/dev/hda3            2313        2432      963900   82  Linux swap / Solaris
Now we check the partition for bad blocks while filling it with random garbage, set up the encryption with
losetup and format the encrypted partition. We will then mount it to install Ubuntu.
sudo badblocks -c 10240 -s -w -t random -v /dev/hda2
losetup -T -e aes128 /dev/loop0 /dev/hda2
mkreiserfs /dev/loop0
mkdir /mnt/ubuntu
mount /dev/loop0 /mnt/ubuntu
Installing Ubuntu
The installation procedure from KNOPPIX is described in Installation/FromKnoppix.
You need a different fstab. Instead of a normal partition, the device for the / mount point is /dev/loop0.
The swap entry needs more arguments to provide encrypted swap.
/proc        /proc       proc      defaults                               0 0
/sys         /sys        sysfs     defaults                               0 0
/dev/hda1    /osloader   ext3      defaults,noauto                        0 0
/dev/loop0   /           reiserfs  defaults                               0 1
/dev/hda3    none        swap      sw,loop=/dev/loop1,encryption=aes128   0 0
/dev/cdrom   /mnt/cdrom  auto      user,noauto,exec,ro                    0 0
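The swap line above only encrypts swap if it carries both the loop= and the encryption= option. The following added example (not from the wiki page) is a small audit that prints every swap entry in an fstab missing either option; the fstab it checks is constructed inline and /dev/hdb1 is a hypothetical second disk.

```shell
#!/bin/sh
# Added example, not from the wiki page: flag swap entries in an fstab that
# lack the loop-aes options the page's /dev/hda3 line carries
# (loop=/dev/loopN and encryption=CIPHER), so plaintext swap is caught
# before the machine is rebooted into the new system.

# unencrypted_swap_entries FSTAB
# Prints the device (field 1) of every swap entry whose option list
# (field 4) has no loop= or no encryption= option. Comment lines are skipped.
unencrypted_swap_entries() {
    awk '$1 !~ /^#/ && NF >= 4 && $3 == "swap" {
             opts = "," $4 ","
             if (opts !~ /,loop=/ || opts !~ /,encryption=/) print $1
         }' "$1"
}

# Demo on a constructed fstab: the page's encrypted swap line, a commented
# out line, and a plaintext swap line on a hypothetical disk /dev/hdb1.
demo_fstab_audit() {
    f=$(mktemp) || return 1
    cat > "$f" << 'EOF'
/dev/loop0  /     reiserfs  defaults                              0 1
/dev/hda3   none  swap      sw,loop=/dev/loop1,encryption=aes128  0 0
# /dev/hdc1 none  swap      sw                                    0 0
/dev/hdb1   none  swap      sw                                    0 0
EOF
    unencrypted_swap_entries "$f"
    rm -f "$f"
}

demo_fstab_audit
```

Run it against the real file with `unencrypted_swap_entries /etc/fstab`; no output means every swap entry carries both options.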
After setting up the base system, install loop-aes-utils.
apt-get install loop-aes-utils
When installing the kernel and GRUB, quit the GRUB configuration assistant.
SettinguptheOSloader
Afterinstallingthebasesystem,wesetupasmallpartitionthatmountstheencryptedrootandkicksoffinit.
mke2fs -j /dev/hda1
mkdir /osloader
mount /dev/hda1 /osloader
Copy the kernel image there.
cp /vmlinuz /osloader/vmlinuz
We need to edit the mkinitrd configuration so that it supports loading the encrypted root partition.
First edit /etc/mkinitrd/mkinitrd.conf and set ROOT=probe to ROOT= since it would complain about our
/dev/loop0 root.
Add some required modules to /etc/mkinitrd/modules:
ide-generic
loop
cryptoloop
aes
sha256
reiserfs
Then we add a script that handles the losetup stuff while booting. Create a file
/etc/mkinitrd/scripts/losetup that has the following content:
mknod -m 600 $INITRDDIR/dev/loop0 b 7 0
mknod -m 600 $INITRDDIR/dev/hda2 b 3 2
mkdir $INITRDDIR/loopcheck
cat > $INITRDDIR/scripts/losetup.sh << EOF
#!/bin/sh
mount -nt proc proc proc
losetup -e aes128 /dev/loop0 /dev/hda2
mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null
while [ \$? -ne 0 ]
do
echo "Try again."
losetup -d /dev/loop0 2>/dev/null
losetup -e aes128 /dev/loop0 /dev/hda2
mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null
done
umount -n /loopcheck
# loop0 = 7, 0
echo 1792 > /proc/sys/kernel/real-root-dev
umount -n proc
EOF
chmod a+x $INITRDDIR/scripts/losetup.sh
default 0
timeout 0
title Ubuntu
root (hd0,0)
kernel /vmlinuz ro quiet splash root=/dev/loop0 acpi=off nolapic
initrd /initrd
boot
Install the MBR by running grub-install --root-directory=/osloader /dev/hda.
To make sure the osloader partition is clean, add a little check script to /etc/rcS.d/S00checkosloader.
if [ "`md5sum /dev/hda1`" != "`cat /etc/osloader_checksum`" ]
then
  echo "** FATAL SECURITY ERROR ************************************"
  echo "*                                                          *"
  echo "*                                                          *"
  echo "* This could have leaked your encryption password. You are *"
  echo "* advised to install a new encryption setup.               *"
  echo "*                                                          *"
  echo "*                                                          *"
  echo "************************************************************"
  read junk
fi
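The check above compares the whole unencrypted /osloader partition against /etc/osloader_checksum, but the page never shows how that file is created. The following added example (not from the wiki page) splits the same md5sum comparison into a record step and a verify step and exercises both on a constructed image file standing in for /dev/hda1; the function names and the image size are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: the S00checkosloader check split
# into a "record" step and a "verify" step, exercised on a constructed
# image file instead of the real /dev/hda1.

# record_osloader_checksum DEVICE FILE
# Run once from the encrypted root after grub-install, and again after
# every kernel or initrd update: any change to the partition changes its
# md5sum and would otherwise trip the boot-time check.
record_osloader_checksum() {
    md5sum "$1" > "$2"
}

# verify_osloader DEVICE FILE
# Same comparison as the page's script: the full md5sum output line
# (hash and path) must match what was recorded. Returns 1 on mismatch.
verify_osloader() {
    if [ "$(md5sum "$1")" != "$(cat "$2")" ]; then
        echo "** FATAL SECURITY ERROR: $1 differs from the recorded checksum" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed 64 KiB zero-filled image (assumption:
# it stands in for the 10M /dev/hda1 partition). Returns 0 only if the
# untouched image passes and the tampered image is detected.
demo_osloader_check() {
    img=$(mktemp) || return 1
    sum=$(mktemp) || return 1
    dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
    record_osloader_checksum "$img" "$sum"
    verify_osloader "$img" "$sum" && echo "untouched image: OK"
    # Flip one byte, as a modified boot loader or initrd would.
    printf 'X' | dd of="$img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_osloader "$img" "$sum"; then
        rm -f "$img" "$sum"
        return 1
    fi
    echo "tampered image: detected"
    rm -f "$img" "$sum"
    return 0
}

demo_osloader_check
```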