
Wednesday, May 8, 2013

Full Disk Encryption with Linux

A great thing about Linux is the built-in dm-crypt subsystem, which, with some help from the brilliant initrd, lets you encrypt the whole disk, including the root partition (boot excluded, of course), and have it unlocked by a key file or password during boot, all without any third-party software. This guide shows you how to encrypt your entire hard drive and set up your computer to unlock it on each boot using a password.

Even better is the Logical Volume Manager (LVM). It lets us create volumes inside a partition, which means we only need to encrypt one partition on the hard drive and can then create whatever volumes we need inside that single encrypted partition.

Because Ubuntu is the most used of the available distros, this guide uses it for the examples. It should be easy enough to adapt the guide to other distros, especially since all of the work is done in a terminal and the shell is mostly the same across distros.

Before we can continue, you need to download Ubuntu (or any distro of your choice) and create a live CD or USB stick. Then boot the live system and, once in the UI, press Ctrl+Alt+F1 to enter a terminal.

This guide assumes that you know your way around Linux, so we will not cover creating live disks or how the shell works; you can google those if you don't already know. This is all about the encryption part.


Erasing the hard drive


The first thing to do is erase any existing data on the hard drive and replace it with random bytes. Even though the hard drive will be encrypted, attackers would otherwise still be able to see which parts of the drive contain data, focus on those parts, and have a much easier time cracking them. By writing random bytes across the whole drive, we hide where the real data sits, which makes it much harder to determine which parts of the drive contain anything worth cracking.

shred -v /dev/sd<X>

Remember to replace X with the letter matching your drive. 


Preparing the hard drive


Next we need to create a new partition table, since wiping the drive erased the existing table along with the rest of the content. Use fdisk, or another partition manager, to create the table below.

Device  Type  Size
/dev/sd<X>1  Primary  1GB
/dev/sd<X>2  Extended  Everything
/dev/sd<X>5  Logical  Everything


Creating the encryption


Now we create the encryption on /dev/sd<X>5. This is the partition that will store our logical volumes.

cryptsetup -y --cipher aes-xts-plain --key-size 512 luksFormat /dev/sd<X>5

After you have typed in the password that you wish to use, we need to unlock the encrypted partition in order to use it.

cryptsetup luksOpen /dev/sd<X>5 <Enc_Name>

Enc_Name is the name used for the device mapping. The command creates /dev/mapper/<Enc_Name>, which is the entry point (the door, if you will) to the device behind the encryption. Just replace Enc_Name with the name that you wish to use.


Creating the LVM volumes


In this guide we will create 3 volumes: one for swap, one for root and one for home. You can of course create whatever you need or want.

Before we can create the volumes, we need to initialize our unlocked encrypted device as an LVM physical volume and create the volume group that will hold the volumes.

pvcreate /dev/mapper/<Enc_Name>
vgcreate <Vg_Name> /dev/mapper/<Enc_Name>

Replace Vg_Name with the name that you wish for your volume group.

Now we are ready to create the actual volumes.

lvcreate -n swap -L 6G <Vg_Name>
lvcreate -n system -L 25G <Vg_Name>
lvcreate -n home -l 100%FREE <Vg_Name>

We now have 3 new devices:
  1. /dev/mapper/<Vg_Name>-swap
  2. /dev/mapper/<Vg_Name>-system
  3. /dev/mapper/<Vg_Name>-home
You can change the names to something else if you'd like, and/or change the sizes. The last volume we created is assigned 100%FREE, which means whatever is left after creating the first two.


Installing the OS


It is now time to get the OS installed. Press Ctrl+Alt+F7 to get back into the live system UI and select install. Once you get to the partitioning part, select manual. Now assign appropriate mount points to the 3 logical volumes that we created before and use /dev/sd<X>1 as /boot. Continue the installation. Once done, do NOT reboot; instead press Ctrl+Alt+F1 again to get back into the terminal.


Set up chroot


Now that the OS is installed, we need to make some changes to it, but before we can do that it needs to act as the running OS. In other words, we need some help from chroot.

mkdir /mnt/system
mount /dev/mapper/<Vg_Name>-system /mnt/system
mount /dev/sd<X>1 /mnt/system/boot
mount --rbind /dev /mnt/system/dev
mount --rbind /sys /mnt/system/sys
mount --rbind /proc /mnt/system/proc
chroot /mnt/system

You should now be inside the new apparent root directory, and we are ready to make changes to the OS that you have just installed.


Set up crypttab


The first thing to do here is edit or create /etc/crypttab. This file tells the boot process how to handle the encrypted partition, or more accurately, it tells the system how initrd should be structured once we rebuild it.

Open /etc/crypttab with an editor like nano and append the line below.

<Enc_Name> /dev/sd<X>5 none luks,retry=1

This tells the boot process that /dev/sd<X>5 contains a LUKS encrypted partition which should be unlocked as the device mapping <Enc_Name>. The none field is where a key file could be given; without one, a password prompt is used instead.
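A small checker for the crypttab format used above, added here as an example and not part of the original post: it parses each "target source keyfile options" line, reports whether the entry unlocks by passphrase prompt or key file, and flags common mistakes. The sample file content is constructed for the example.

```python
"""Parse and sanity-check /etc/crypttab lines: <target> <source> <keyfile> <options>."""
from dataclasses import dataclass, field

# Constructed sample (not from a real system); line 1 mirrors the guide's entry.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
cryptroot /dev/sda5 none luks,retry=1
cryptdata UUID=0f1e2d3c-0000-4000-8000-000000000001 /etc/keys/data.key luks
swapenc /dev/sda6 /dev/urandom swap,cipher=aes-xts-plain64
badline onlytwofields
"""

@dataclass
class CryptEntry:
    target: str
    source: str
    keyfile: str
    options: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    def unlock_method(self) -> str:
        # "none" (or "-") in the key-file column means the initramfs prompts for a passphrase
        return "passphrase prompt" if self.keyfile in ("none", "-") else f"key file {self.keyfile}"

def parse_crypttab(text: str) -> list:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            entries.append(CryptEntry(fields[0], "?", "?",
                           problems=[f"line {lineno}: expected at least 3 fields"]))
            continue
        opts = {}
        for opt in (fields[3].split(",") if len(fields) > 3 else []):
            key, _, value = opt.partition("=")  # "retry=1" -> ("retry","1"); "luks" -> ("luks","")
            opts[key] = value
        entry = CryptEntry(fields[0], fields[1], fields[2], opts)
        if not entry.source.startswith(("/dev/", "UUID=")):
            entry.problems.append("source must be a /dev path or UUID=...")
        if "luks" not in opts and "swap" not in opts:
            entry.problems.append("no 'luks' option (the guide's entry sets it explicitly)")
        if "retry" in opts and not opts["retry"].isdigit():
            entry.problems.append("retry= must be a number")
        entries.append(entry)
    return entries
```

Run it against the real file with `parse_crypttab(open("/etc/crypttab").read())` from inside the chroot and review any non-empty `problems` list before regenerating the initrd.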


Loading modules


The second thing to do is have some specific modules loaded at boot, which are needed to unlock the partition.

Open the file /etc/initramfs-tools/modules and append the modules below (use aes-i586 instead of aes-x86_64 if you are running a 32-bit system).

dm-crypt
aes-x86_64
xts
sha256_generic
sha512_generic
ahci


Regenerating the initrd image


And last, we regenerate the initrd:

update-initramfs -u

Reboot your computer. During boot you will be prompted for a password. Enter it and your hard drive will be decrypted, and the computer continues its regular boot.

Next time you need to upgrade or otherwise reinstall your OS, all you have to do is unlock the encrypted partition and then follow this guide from the parts after the installation of the OS. Everything above that is a one-time thing.
