********
* NOTE *
********
This procedure describes how to set up an encrypted root fs using
initrd-tools and cryptsetup.
initrd-tools is no longer supported (for kernels > 2.6.12), and
if you are going to set up an encrypted root file system, you are
probably better off following the instructions in README.initramfs,
which describes a similar procedure but for initramfs-tools, which
supports more recent 2.6 kernels.
If you wish to perform a Debian installation to an encrypted root,
you might be interested in using a version of Debian Installer
with partman-crypto (experimental at the time of writing), which
will install the system and set up cryptsetup and initramfs-tools.
************
* END NOTE *
************
To set up cryptoroot you will need several things:
- an existing /boot partition
- a boot loader pointing at /boot (I recommend grub)
- a standard Debian kernel
- an encrypted partition for the root filesystem
- a /etc/crypttab describing the root filesystem
- a /etc/fstab referring to the encrypted device mapper name
Step by step:
# Enter run-level 1
init 1
# Install a standard Debian Linux kernel (>= 2.6.4) and the initrd-tools
# packages; replace 2.6.12-1 with the kernel version you'd like to install,
# and 386 with whatever architecture you have (such as k8)
apt-get install initrd-tools linux-image-2.6.12-1-386
# Edit /etc/crypttab and add the following line
# Replace /dev/hda4 with your backing device (LVM is OK, as is RAID)
root /dev/hda4 none cipher=aes-cbc-essiv:sha256
# Note: Specifying the cipher and IV generation mode explicitly through the
# "cipher=" parameter avoids the watermark attack mentioned in README.html.
# However, unlike the default parameters, it creates an encrypted
# partition that is incompatible with the old cryptoloop implementation.
# If that matters to you, omit the cipher specification (and live with
# the watermark attack).
# Start the encrypted root filesystem
/etc/init.d/cryptdisks start
# Enter a password for the filesystem when prompted
my_boot_password
# Now, set up a filesystem (/dev/mapper/root is always the encrypted disk)
mkfs.ext3 /dev/mapper/root
# Mount the device for initialization
mount /dev/mapper/root /mnt
# Copy your root filesystem into place
cp -axv / /mnt
# Edit the new root's /mnt/etc/fstab to add the line
/dev/mapper/root / ext3 defaults 0 1
# Remove whatever the old root filesystem line was
# Enter the new root filesystem
chroot /mnt /bin/bash
# Mount your core filesystems (/usr, /var, etc)
mount sysfs /sys -t sysfs
mount proc /proc -t proc
mount /dev/??? /boot
# Prepare mkinitrd to create the initrd. Add the following lines to
# /etc/mkinitrd/modules (varies depending on the cipher you use):
sha256
aes_i586
# Set up the initrd (change 2.6.12-1-386 to the correct value, just as above)
mkinitrd -o /boot/initrd.img-2.6.12-1-386
# Configure your boot loader to use /dev/mapper/root for the root filesystem
# If you are using grub, you can test boot without changing your old setup
# Re-run your boot-loader setup program if needed (lilo)
# Reboot!
# If all works out, you will be prompted for a password at boot-up
# You can now add entries in /etc/crypttab for other partitions.
# Note that since /etc/keys now lives on the encrypted root, it is OK to keep
# keys for the other partitions in this directory. This is _NOT_ OK for an
# unencrypted root.
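The following is an added example, not part of this README or of the cryptsetup package: a small POSIX sh checker for the /etc/crypttab and /etc/fstab steps above. It reads a crypttab file, looks up the entry for a mapper name, extracts the cipher= option and reports whether the IV generator is ESSIV (as in the recommended aes-cbc-essiv:sha256 line) or the cryptoloop-compatible default that is exposed to the watermark attack, and it builds the matching fstab line for the mapper device. The function names, the sample crypttab and the "ok"/"warn"/"missing" verdicts are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original README): check crypttab entries for an
# explicit ESSIV IV mode and build the matching fstab line. Function names and
# the sample crypttab below are constructed for this example.

# crypttab_cipher FILE NAME
# Prints the cipher= value for mapper NAME in FILE, or "default" when the
# entry has no cipher option. Exit status 1 when NAME is not listed.
crypttab_cipher() {
    file=$1; name=$2
    # Drop comments, then match the first (target) column exactly.
    line=$(sed -e 's/#.*//' "$file" | awk -v n="$name" '$1 == n { print; exit }')
    [ -n "$line" ] || return 1
    opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
    # Options are comma-separated key=value pairs; pull out cipher=.
    cipher=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^cipher=//p' | head -n 1)
    if [ -n "$cipher" ]; then
        printf '%s\n' "$cipher"
    else
        printf 'default\n'
    fi
}

# iv_mode_ok CIPHER
# Returns 0 when the cipher spec names an ESSIV IV generator
# (e.g. aes-cbc-essiv:sha256), 1 for the implicit default or a plain IV.
iv_mode_ok() {
    case $1 in
        *-essiv:*) return 0 ;;
        *) return 1 ;;
    esac
}

# fstab_line NAME FSTYPE
# Builds the /etc/fstab entry for the mapper device, as in the step above.
fstab_line() {
    printf '/dev/mapper/%s / %s defaults 0 1\n' "$1" "$2"
}

# check_root_entry FILE NAME
# Prints "ok" when the entry uses ESSIV, "warn" when it relies on the
# default IV mode, "missing" when NAME has no entry at all.
check_root_entry() {
    c=$(crypttab_cipher "$1" "$2") || { printf 'missing\n'; return 1; }
    if iv_mode_ok "$c"; then
        printf 'ok\n'
    else
        printf 'warn\n'; return 1
    fi
}

# Constructed sample crypttab (not a real system file) in a temp file.
SAMPLE_CRYPTTAB=$(mktemp)
cat > "$SAMPLE_CRYPTTAB" <<'EOF'
# target   source      keyfile             options
root       /dev/hda4   none                cipher=aes-cbc-essiv:sha256
home       /dev/hda5   /etc/keys/home.key
swap       /dev/hda6   /dev/urandom        swap
EOF

# Stand-alone run: report on each sample entry and show the root fstab line.
for t in root home swap; do
    printf '%s: cipher=%s -> %s\n' "$t" \
        "$(crypttab_cipher "$SAMPLE_CRYPTTAB" "$t")" \
        "$(check_root_entry "$SAMPLE_CRYPTTAB" "$t" || true)"
done
fstab_line root ext3
```

On a real system, point crypttab_cipher at /etc/crypttab; an entry reported as "warn" is one that kept the cryptoloop-compatible default and therefore remains subject to the watermark attack described above.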