8/17/2016

FullDiskEncryptionHowto - Community Help Wiki

How to set up a fully encrypted disk with Ubuntu
This page describes a way to set up an Ubuntu installation with an encrypted root partition and encrypted swap.

Please refer to EncryptedFilesystems for further documentation.

New installations of Ubuntu 12.10 and later
During installation, check the checkbox "Encrypt the new Ubuntu installation for security". See also the
Electronic Frontier Foundation's notes.

Encryption with dm_crypt
If you'd like to use the newer and stronger dm_crypt method you should:
sudo apt-get install cryptsetup
sudo modprobe dm_crypt
For each method of encryption, follow the listed howto:
CryptoRoot: /usr/share/doc/cryptsetup/CryptoRoot.HowTo
CryptoSwap: /usr/share/doc/cryptsetup/CryptoSwap.HowTo
Encrypted non-root HD partition: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_a_non-root_file_system
Other possibilities are listed at the dm_crypt wiki, including encryption across RAID devices, encrypting only a
home directory (slightly harder), and encryption using LUKS: http://www.saout.de/tikiwiki/tiki-index.php

Encryption with Cryptoloop
WARNING! We use the cryptoloop module in this howto. This module has well-known weaknesses.
https://help.ubuntu.com/community/FullDiskEncryptionHowto

Prearrangement
To set up Ubuntu the described way, you will need
a KNOPPIX CD
internet access
Insert the KNOPPIX CD into your computer and boot. Set up KNOPPIX so that it is able to connect to the
internet.

Setting up the hard disk
We need three partitions:

Size  Mountpoint  Encrypted?  Purpose
10M   /osloader   NO          Holds the initrd and kernel image needed to mount and load the rest of
                              the system. GRUB will boot from this partition.
*     /           YES         Root partition. Holds a normal Ubuntu installation that will be launched
                              by initrd. The partition size depends on the available hard disk space
                              but shouldn't be smaller than 2G.
      swap        YES         Swap. The partition size depends on the used RAM.

You can use fdisk to set up the partition table. The results should look similar to:
Disk /dev/hda: 20.0 GB, 20003880960 bytes
255 heads, 63 sectors/track, 2432 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1               1           2       16033+  83  Linux
/dev/hda2               3        2312    18555075   83  Linux
/dev/hda3            2313        2432      963900   82  Linux swap / Solaris

Now we check the partition for bad blocks while filling it with random garbage, set up the encryption with
losetup and format the encrypted partition. We will then mount it to install Ubuntu.
sudo badblocks -c 10240 -s -w -t random -v /dev/hda2
losetup -T -e aes128 /dev/loop0 /dev/hda2
mkreiserfs /dev/loop0
mkdir /mnt/ubuntu
mount /dev/loop0 /mnt/ubuntu

Installing Ubuntu
The installation procedure from KNOPPIX is described in Installation/FromKnoppix.
You need a different fstab. Instead of a normal partition, the device for the / mount point is /dev/loop0.
The swap entry needs more arguments to provide encrypted swap.
/proc       /proc       proc      defaults                              0 0
/sys        /sys        sysfs     defaults                              0 0
/dev/hda1   /osloader   ext3      defaults,noauto                       0 0
/dev/loop0  /           reiserfs  defaults                              0 1
/dev/hda3   none        swap      sw,loop=/dev/loop1,encryption=aes128  0 0
/dev/cdrom  /mnt/cdrom  auto      user,noauto,exec,ro                   0 0

After setting up the base system, install loop-aes-utils.
apt-get install loop-aes-utils
When installing the kernel and GRUB, quit the GRUB configuration assistant.

Setting up the OS loader
After installing the base system, we set up a small partition that mounts the encrypted root and kicks off init.
mke2fs -j /dev/hda1
mkdir /osloader
mount /dev/hda1 /osloader
Copy the kernel image there.
cp /vmlinuz /osloader/vmlinuz
We need to edit the mkinitrd configuration so that it supports loading the encrypted root partition.
First edit /etc/mkinitrd/mkinitrd.conf and change ROOT=probe to ROOT= (empty), since mkinitrd would otherwise
complain about our /dev/loop0 root.
Add some required modules to /etc/mkinitrd/modules:
ide-generic
loop
cryptoloop
aes
sha256
reiserfs
Then we add a script that handles the losetup stuff while booting. Create a file
/etc/mkinitrd/scripts/losetup that has the following content:
mknod -m 600 $INITRDDIR/dev/loop0 b 7 0
mknod -m 600 $INITRDDIR/dev/hda2 b 3 2
mkdir $INITRDDIR/loopcheck
cat > $INITRDDIR/scripts/losetup.sh << EOF
#!/bin/sh
mount -nt proc proc proc
losetup -e aes128 /dev/loop0 /dev/hda2
mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null
while [ \$? -ne 0 ]
do
echo "Try again."
losetup -d /dev/loop0 2>/dev/null
losetup -e aes128 /dev/loop0 /dev/hda2
mount -nr /dev/loop0 /loopcheck >/dev/null 2>/dev/null
done
umount -n /loopcheck
# loop0 = 7, 0
echo 1792 > /proc/sys/kernel/real-root-dev
umount -n proc
EOF
chmod a+x $INITRDDIR/scripts/losetup.sh

chmod a+x /etc/mkinitrd/scripts/losetup


Now generate the initial ramdisk with mkinitrd -o /osloader/initrd 2.6.10-5-386.
Configure GRUB:
mkdir /osloader/boot
mkdir /osloader/boot/grub
Add /osloader/boot/grub/menu.lst:

default 0
timeout 0
title Ubuntu
root (hd0,0)
kernel /vmlinuz ro quiet splash root=/dev/loop0 acpi=off nolapic
initrd /initrd
boot
Install the MBR by running grub-install --root-directory=/osloader /dev/hda.
To make sure the osloader partition is clean, add a little check script to /etc/rcS.d/S00checkosloader.
if [ "`md5sum /dev/hda1`" != "`cat /etc/osloader_checksum`" ]
then
echo "** FATAL SECURITY ERROR ************************************"
echo "*                                                          *"
echo "* The OS loader was modified!                              *"
echo "* This could have leaked your encryption password. You are *"
echo "* advised to install a new encryption setup.               *"
echo "*                                                          *"
echo "* Press Enter to boot up the system.                       *"
echo "************************************************************"
read junk
fi

chmod a+x /etc/rcS.d/S00checkosloader


md5sum /dev/hda1 > /etc/osloader_checksum
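
An added example, not part of the original wiki page: the same baseline-and-compare check for the unencrypted OS loader partition, written as shell functions that store only the digest and distinguish "modified" from "cannot check". The use of sha256sum instead of md5sum, the function names and the temporary file standing in for /dev/hda1 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki page). Assumptions: sha256sum replaces the
# page's md5sum; function names are hypothetical. On the page's system DEVICE
# would be /dev/hda1 and BASELINE /etc/osloader_checksum.

# record_baseline DEVICE BASELINE: store only the hex digest, not the file name.
record_baseline() {
    sha256sum "$1" | cut -d ' ' -f 1 > "$2"
}

# verify_osloader DEVICE BASELINE
# Returns 0 if unchanged, 1 if modified, 2 if the check could not be made
# (unreadable device, missing or empty baseline).
verify_osloader() {
    [ -r "$1" ] && [ -s "$2" ] || return 2
    current=$(sha256sum "$1" | cut -d ' ' -f 1)
    expected=$(cat "$2")
    [ -n "$current" ] || return 2
    [ "$current" = "$expected" ]
}

# Constructed demo: a temporary file stands in for the boot partition.
# Prints the two return codes, before and after the file is changed.
demo() {
    dir=$(mktemp -d)
    printf 'kernel and initrd bytes' > "$dir/osloader.img"
    record_baseline "$dir/osloader.img" "$dir/baseline"
    before=0; verify_osloader "$dir/osloader.img" "$dir/baseline" || before=$?
    printf 'x' >> "$dir/osloader.img"
    after=0; verify_osloader "$dir/osloader.img" "$dir/baseline" || after=$?
    rm -rf "$dir"
    echo "$before $after"
}

demo
```

The baseline has to be recorded again after every legitimate kernel or initrd update. As with the page's script, the check runs only after the passphrase has been entered, so it reports a modification after the fact.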
Now exit the chroot, reboot and you should have a fully encrypted environment.
FullDiskEncryptionHowto (last edited 2014-11-17 18:48:36 by philipgroet)