I've merged in some suggestions from Emmanuel Trillaud and changed some other things as well.
Lars
--- crypt-rootfs.txt.orig 2009-12-29 12:27:50.000000000 +0100 +++ crypt-rootfs.txt.new 2009-12-31 12:03:59.000000000 +0100 @@ -1,6 +1,6 @@ AUTHOR: Lars Bamberger <Lars.Bamberger at gmx dot de> -DATE: 2009-11-20 +DATE: 2009-12-30 LICENSE: GNU Free Documentation License Version 1.2 @@ -37,9 +37,12 @@ This is about encrypting all but one of your hard drive partitions using LUKS for dm-crypt. We'll boot from one small unencrypted partition using initramfs in -order to to decrypt the rootfs. +order to decrypt the rootfs. This hint assumes that a small partition from where to boot from is already set -up. (10 MB should be enough.) +up. This partition should be 10 to 15 MB in size in order to store more than +one kernel and more than one initramfs image for testing and upgrading +purposes. Avoid any larger partition because during every boot we'll calculate +a checksum for this partition, a time consuming process. 2. Required software and dependencies @@ -47,9 +50,10 @@ 2.1 Software in the BLFS book -You need to install 'Popt' as 'cryptsetup' depends on this. Furthermore you need -'uuencode' to create key files. 'uuencode' is included in 'GMime' which has -further dependencies mentioned in the BLFS book. +You need to install 'Popt' as 'cryptsetup' depends on this. +Furthermore you need 'uuencode' to create key files. 'uuencode' is included in +'sharutils' and 'GMime' which has further dependencies mentioned in the BLFS +book. To create the initramfs, you need 'Cpio'. 2.2 Software not in the BLFS book 
@@ -75,28 +79,29 @@ * switch_root. Compile it, but DO NOT install it. Keep the binary and name it -"busybox-minimum". Next, reconfigure busybox for a full-blown desktop system. +'busybox-minimum'. Next, reconfigure busybox for a full-blown desktop system. You will need all the standard tools and utilities for the purpose of initially -encrypting your root partition and for troubleshooting. Name this binary -"busybox-large" or something similar. Again, it is not required to install it. +encrypting your root partition and for troubleshooting. (Don't forget 'mkefs'.) +Name this binary 'busybox-large' or something similar. Again, it is not +required to install it. -3 Recompiling the kernel -======================== +3. Recompiling the kernel +========================= Decide what algorithm you would like to use to encrypt your hard drive with. Note that this is a crucial decision and you should read more background information on this. (See ACKNOWLEDGMENTS below.) -The appropriate modules need to be compiled (hardcoded, not as modules) into +The appropriate modules need to be compiled (hard-coded, not as modules) into the kernel. As an example you could use the "twofish-cbc-essiv:sha256" method. -Also, select the 'Device mapper support' from the 'Multiple devices driver -support' menu in the kernel configuration and the 'crypto target' support as -well. +Also, from the 'Device Drivers' -> 'Multiple devices driver support' menu in +the kernel configuration, select the 'Device mapper support' and the 'Crypt +target support' as well. -Configure 'Initial RAM filesystem and RAM disk' under 'general setup' -and 'RAM block device support' under 'Block devices'. +Under 'Device Drivers' -> 'Block devices', select 'RAM block device support' +and from 'General setup', select 'Initial RAM filesystem and RAM disk'. NOTE: You must boot this new kernel before proceeding. 
@@ -122,7 +127,7 @@ cryptsetup must be on the root partition. Use 'ldd cryptsetup' to find out. It may be necessary to switch to runlevel 1 because you need to be able to unmount /usr. Also, make sure that root's shell does not use any libs on that -partition. If required, compile a static shell for root's use. +partition. If required, compile a statically linked shell for root's use. The process is as follows for every partition: @@ -153,17 +158,18 @@ 7) Open the encrypted partition. Do a cryptsetup -d $keyfile luksOpen /dev/sd?? sd?? Replace '$keyfile' and '/dev/sd??' with the corresponding values. Replace - 'sd??' with a meaningful name. If everything worked out, the partition will - appear as '/dev/mapper/sd??' with sd?? being the name you chose. + 'sd??' with a meaningful name. If everything worked out, the unencrypted + partition will appear as '/dev/mapper/sd??' with sd?? being the name you + chose. -8) Create a filesystem on the partitions. Do a +8) Create a filesystem on the partition. Do a mkefs.$WHATEVER /dev/mapper/sd?? Replace '$WHATEVER' with the type of filesystem you would like to use - (e.g. ext2) and '/dev/mapper/sd??' with the corresponding partition. + (e.g. ext2) and '/dev/mapper/sd??' with the corresponding partition. 9) Adjust /etc/fstab - Because the mountpoints for encrypted partitions have changed, you need to - tell the system where to find them. Change the mountpoint by inserting + Because the device for the partition has changed, you need to + tell the system where to find it. Change the device by inserting "mapper/" in the device field. Example: 
@@ -178,7 +184,7 @@ 4.2 Making the system automatically decrypt and mount the partition(s) -Create a bootscript that will decrypt your encrypted partitions. It is assumed +Create a bootscript that will decrypt your encrypted partition. It is assumed that the passphrases are stored in /etc/crypt for example. Note that storing the passphrases on disk might pose a security problem! Use the template for bootscripts included with BLFS and make it do: @@ -196,7 +202,7 @@ # Begin $rc_base/init.d/cryptsetup # # Description : Make encrypted filesystems available for mounting -# Ande clean up afterwards +# And clean up afterwards # # Authors : Lars Bamberger # @@ -260,15 +266,14 @@ Do not omit encrypting your swap partitions. Lot's of interesting data can be found on swap spaces. Do not consider you data safe if you don't use encrypted swap spaces. - In theory, the data on the swap partition(s) does not need to be consistent -between reboots. This means we could create a swapspace anew during boottime, +between reboots. This means we could create a swap space anew during boottime, using a random (and thus different) cryptokey every time the system boots. This way you don't have to bother with managing swap's cryptokeys and you won't have to store them anywhere (except in memory). This can be considered an additional security feature. However, if you suspend your system (either to RAM or to disk), data in -swapspace must remain consistent. Therefore you have to treat the swap +swap space must remain consistent. Therefore you have to treat the swap partition(s) just as if they were a regular partition, meaning you should encrypt them like explained above. 
@@ -282,7 +287,7 @@ be found in the kernel's documentation: 'filesystems/ramfs-rootfs-initramfs.txt'.) -You'll need all the standard directories (bin, sbin, usr/{bin,sbin}, proc, sys, +You'll need the standard directories (bin, sbin, usr/{bin,sbin}, proc, sys, dev, lib). In bin we put our busybox-large (rename to busybox) and a softlink to busybox named hush. Copy cryptsetup to sbin. In dev put some useful devices: console, null, urandom, sd?? and a directory 
@@ -299,42 +304,43 @@ /bin/busybox --install -s exec /bin/busybox hush -Put all this into a directory (init goes there as well and not into sbin) and -create the image using -find . | cpio --quiet -H newc -o | gzip -9 -n > /boot/imagefile.img -Pass the appropriate initrd argument to the kernel when booting and this will -drop you into the hush shell after system boot. - -PITFALLS: -cryptsetup needs proc and sys mounted. It also requires the dev directory. -As we want to save dev when we switch_root later, we mount it as tmpfs. This -means that the devices in dev will be gone, so copy them back into dev. Be aware -that you need at least 'null' and 'console' in dev before mounting tmpfs on dev. +Put all this into one directory (init goes there as well and not into sbin). Cd +into this directory and create the image using +find . | cpio --quiet -H newc -o | gzip -9 -n > /boot/initramfs.img +Pass the appropriate initrd argument (e.g. initrd (hd0,0)/initramfs.img) to the +kernel when booting and this will drop you into the hush shell after system +boot. + +*** PITFALL *** +Cryptsetup needs /proc and /sys mounted. It also requires the /dev directory. +As we want to save /dev when we switch_root later, we mount it as tmpfs. This +means that the devices in /dev will be gone, so copy them back into /dev. Be +aware that you need at least 'null' and 'console' in /dev before mounting +tmpfs on /dev. Once in the shell, encrypt your rootfs like any other partition as described above. Don't forget the backup! ABSOLUTELY, POSITIVELY make certain that you are able to mount and access the unencrypted backup of the rootfs from within the hush shell! -Next, create the encrypted rootpartition. Note that the passphrase won't be +Next, create the encrypted root partition. Note that the passphrase won't be stored anywhere on disk, so do: - cryptsetup -y -c $cipher-algorithm luksFormat /dev/sd?? - to create the encrypted rootfs. Replace '$cipher-algorithm' and '/dev/sd??' 
with -the respective values. Next, open the partition and format it and recover the +the respective values. Next, open the partition, format it and recover the backup: cryptsetup luksOpen /dev/sd?? sd?? -$BAKUROOTFS/mkefs.$TYPE /dev/mapper/sd?? +$BACKUPROOTFS/mkefs.$TYPE /dev/mapper/sd?? mkdir /new-root mount -t $FSTYPE /dev/mapper/sd?? /new-root cp -a $BACKUPROOTFS /new-root -PITFALL: Since your old rootfs isn't mounted, you might not be able to to run - mkefs do to missing libraries. Either copy everything needed to where - the linker can find it, or use the mkefs from busybox. Be sure to - configure busybox accordingly. +*** PITFALL *** +Since your old rootfs isn't mounted, you might not be able to to run 'mkefs' do +to missing libraries. Either copy everything needed to where the linker can +find it, or use the 'mkefs' from busybox. Be sure to configure busybox +accordingly. Next, modify /etc/fstab (on /new-root) to reflect the new device for the rootfs. Also modify the cryptsetup script as described below (7. PITFALL). @@ -361,8 +367,8 @@ /bin/busybox mount --move /dev /new-root/dev exec /bin/busybox switch_root /new-root /sbin/init $@ -PITFALLS: -You want to keep /proc /sys and /dev after switch_root because cryptsetup uses +*** PITFALL *** +You want to keep /proc, /sys and /dev after switch_root because cryptsetup uses them. Hence the 'mount --move' commands. Note that /dev/mapper/sd?? (the root device) will be gone once you mount the true root partition, switch_root and the rootfs proper starts udev. That's the reason why this device needs to be 
@@ -403,21 +409,25 @@ boot_mesg -n " DO NOT TRUST THIS SYSTEM!\n\n" boot_mesg_flush -PITFALLS: +*** PITFALL *** Make sure this is the very last thing you implement, as the hashsums will change as we go on. The hashsums will also change if you run a fsck on the boot partition. -ACKNOWLEDGEMENTS: - * Various for the wiki at http://de.gentoo-wiki.com/Cryptsetup-luks_initramfs - (not online anymore) and - http://en.gentoo-wiki.com/wiki/SECURITY_System_Encryption_DM-Crypt_with_LUKS - * Clemens Fruhwirth (http://clemens.endorphin.org/) - for LUKS for dm-crypt: http://code.google.com/p/cryptsetup +ACKNOWLEDGMENTS: + * Emmanuel Trillaud for some suggestions and pointers. + * Various for the Gentoo-Wiki at + http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS + * Clemens Fruhwirth (http://clemens.endorphin.org/) for LUKS for dm-crypt: + http://code.google.com/p/cryptsetup CHANGELOG: +[2009-12-30] + * Merged suggestions (typos, format and others) from Emmanuel Trillaud + * More verbosity on the boot partition size + * Some reformatting [2009-11-23] * list dependencies in the BLFS book [2009-11-20]
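Review bot: the new sentence in the @@ -37,9 hunk ("during every boot we'll calculate a checksum for this partition") refers to a check that the reader has not met yet at this point of the hint; the hashsum check is only introduced in the last section (the "DO NOT TRUST THIS SYSTEM!" bootscript). Suggest adding a pointer there, e.g. "(see the boot partition integrity check at the end of this hint)", so the 10 to 15 MB limit is understandable when first read.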
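Review bot: in the @@ -75,28 hunk the sentence "The appropriate modules need to be compiled (hard-coded, not as modules) into the kernel" contradicts itself and does not say which options are meant. For the example "twofish-cbc-essiv:sha256" three separate crypto options must all be built in (=y): the cipher (Twofish), the block mode (CBC) and the IV hash (SHA-256); if any of them is a module, the initramfs cannot open the root device. Suggest "The cipher, block mode and hash you choose must be built into the kernel (not as modules) ..." and listing the three options for the example.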
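Review bot: 'mkefs' in the @@ -153,17 hunk ("mkefs.$WHATEVER /dev/mapper/sd??") should read 'mkfs' (mkfs.ext2, mkfs.ext3, ...); there is no 'mkefs' utility on a Linux system and no busybox applet by that name. The same misspelling is added in the @@ -75,28 hunk ("(Don't forget 'mkefs'.)") and in the @@ -299,42 hunk ("$BACKUPROOTFS/mkefs.$TYPE" and "use the 'mkefs' from busybox"), so a reader who searches the busybox configuration for that name will not find the applet to enable. Suggest "mkfs.$WHATEVER /dev/mapper/sd??" and "(Don't forget the mkfs applets, e.g. mkfs.ext2.)".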
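Review bot: the @@ -178,7 hunk changes "partitions" to "partition" but leaves "It is assumed that the passphrases are stored in /etc/crypt" in the plural, and "might pose a security problem!" is too vague for a hint whose subject is key handling. Suggest stating the condition under which this is acceptable: the key files must live on the encrypted rootfs (which is unlocked with a passphrase typed at boot) and be readable by root only (chmod 0600), otherwise the passphrases for the other partitions are stored in the clear.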
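Review bot: the @@ -260,15 hunk fixes "swapspace" but leaves two typos in the unchanged lines of the same paragraph: "Lot's of interesting data" should be "Lots of interesting data" and "Do not consider you data safe" should be "Do not consider your data safe". Since this patch is mostly typo fixes, these should go in as well.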
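Review bot: the reflowed PITFALL in the @@ -299,42 hunk carries two typos over from the old text: "you might not be able to to run 'mkefs' do to missing libraries" should read "you might not be able to run 'mkfs' due to missing libraries". In the same hunk the commands use "$TYPE" on the mkfs line and "$FSTYPE" on the mount line for the same value; pick one name. Worth adding next to "cryptsetup -y -c $cipher-algorithm luksFormat /dev/sd??" that the cipher string must be one of the cipher/mode/hash combinations built into the kernel in section 3 (e.g. twofish-cbc-essiv:sha256), otherwise the following luksOpen fails with an unknown cipher and the reader only finds out after formatting.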
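Review bot: in the @@ -361,8 hunk the unchanged line "exec /bin/busybox switch_root /new-root /sbin/init $@" has an unquoted $@; it should be "$@" so that arguments passed to init from the kernel command line survive word splitting. The PITFALL text itself is correct: the 'mount --move' lines are needed because cryptsetup on the real rootfs uses /proc, /sys and /dev.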
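Review bot: the hashsum check in the @@ -403,21 hunk is a bootscript on the rootfs, so it runs after the unencrypted kernel and initramfs from the boot partition have already executed and after the passphrase has been entered. It can detect a modified boot partition after the fact but cannot prevent a tampered initramfs from recording the passphrase or from printing the expected message; the hint should say this plainly next to "DO NOT TRUST THIS SYSTEM!" so readers do not take the check for a guarantee. The remark that "the hashsums will also change if you run a fsck on the boot partition" suggests the whole block device is hashed; hashing the files on it (kernel images, initramfs images, bootloader configuration) instead would survive fsck and mount-count updates and give fewer false alarms.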