--- published/crypt-rootfs.txt	2011-11-13 00:05:37.000000000 +0100
+++ new/crypt-rootfs.txt	2012-05-16 07:48:16.000000000 +0200
@@ -1,6 +1,6 @@
 AUTHOR: Lars Bamberger <Lars.Bamberger at gmx dot de>
 
-DATE: 2009-12-30
+DATE: 2012-05-15
 
 LICENSE: GNU Free Documentation License Version 1.2
 
@@ -10,8 +10,7 @@
 This describes one possible way of encrypting your hard drive, including the
 root file system. It is intended for experienced users and tries to
 circumnavigate the pitfalls of encrypting your root file system in a
-straightforward way. 
-
+straightforward way.
 
 PREREQUISITES:
 This hint requires that you have sufficient knowledge of BeyondLinuxFromScratch
@@ -48,42 +47,46 @@
 2. Required software and dependencies
 =====================================
 
-2.1 Software in the BLFS book
+2.1 Software in the BLFS book (BLFS-svn as of date of writing)
 
-You need to install 'Popt' as 'cryptsetup' depends on this.
-Furthermore you need 'uuencode' to create key files. 'uuencode' is included in
-'sharutils' and 'GMime' which has further dependencies mentioned in the BLFS
-book. To create the initramfs, you need 'Cpio'.
+To satisfy dependencies of 'cryptsetup', you need to install
+* 'Popt'
+* 'lvm2'
+* 'libgcrypt' (has futher dependencies mentioned in the book)
+
+Furthermore, you need 'uuencode' to create key files. 'uuencode' is included in
+'sharutils' and in 'GMime' which has further dependencies mentioned in the BLFS
+book.
+To create the initramfs, you need 'Cpio'. 
 
 2.2 Software not in the BLFS book
 
-2.2.1 devmapper
-
-Get it from http://packages.debian.org/stable/source/devmapper
-Compile and install it. Required for 'cryptsetup'.
-
-
-2.2.2 cryptsetup with LUKS extension
+2.2.1 cryptsetup with LUKS extension
 
 Get it from http://code.google.com/p/cryptsetup/
-Compile and install it. Required to handle encrypted partitions.
+Compile and install it. (CMMI-Standard) Required to handle encrypted partitions.
 
-
-2.2.3 busybox
+2.2.2 busybox
 
 Get it from http://www.busybox.net/
-The minimum required configuration includes:
-* cp
-* hush (interactive shell not required)
-* mount (with support for lots of -o flags) and
-* switch_root.
+
+The configuration system is quite similar to that of the Linux kernel.
+First, we build a minimalistic version of busybox:
+Do 'make allnoconfig' followed by 'make menuconfig' (or 'make config' if
+that doesn't work). Configure as follows:
+
+Busybox Settings -> Build Options -> Build as a static binary
+Coreutils -> cp
+Linux System Utilities -> mount with support for lots of -o flags
+Linux System Utilities -> switch_root
+Shells -> hush (interactive mode not required)
 
 Compile it, but DO NOT install it. Keep the binary and name it
 'busybox-minimum'. Next, reconfigure busybox for a full-blown desktop system.
 You will need all the standard tools and utilities for the purpose of initially
-encrypting your root partition and for troubleshooting. (Don't forget 'mkefs'.)
+encrypting your root partition and for troubleshooting. (Don't forget 'mkefs'.) Doing a 'make defconfig' should do the trick. Using 'make menuconfig', you can safely disable all Networking, Print, and Mail Utiliies as some of these have dependencies and are not needed for your purpose. If busybox complains about missing dependencies, check if you really need the feature and disable it. Configure busybox to compile as a static binary (Build Options). If some libs will be linked to it anyway, use 'ldd busybox' to find out which ones those are and note the names of those libs. If possible, avoid generating a dynamically linked busybox. This behavoiur may vary with the version of busybox used, as this is a generic description.
 Name this binary 'busybox-large' or something similar. Again, it is not
-required to install it.
+required to install it
 
 
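Review bot: the rewritten busybox paragraph (the line beginning "encrypting your root partition and for troubleshooting. (Don't forget 'mkefs'.) Doing a 'make defconfig'...") is a single unwrapped line several hundred characters long in a file that otherwise wraps at 79 columns, and it carries typos that should go with the reflow: 'Utiliies' -> 'Utilities', 'behavoiur' -> 'behaviour', plus 'futher' -> 'further' in the libgcrypt bullet, and the full stop lost from "required to install it". While in there: 'mkefs' is not a program, the utilities are mkfs.* (mke2fs for ext2), so the reminder should name the mkfs applets; 'CMMI-Standard' is clearer as './configure && make && make install'; and it helps to say that for a genuinely static busybox 'ldd busybox' answers "not a dynamic executable", which is the desired result and not an error.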
 3. Recompiling the kernel
@@ -131,14 +134,15 @@
 
 The process is as follows for every partition:
 
-1) Create as many keys as you like for the partition, for example:
+1) Create as many passphrases as you like for the partition, for example:
    head -c 2880 /dev/urandom | uuencode -m - | head -n-1 | tail -n+2 > keyfile
    or use an easy to remember passphrase.
 
-2) Make a secure backup of your keys and secure the keyfile by 'chmod 0400' or
-   so. Your backup keys must be absolutely secure (i.e. not on your computer).
-   Remember: If you lose your key, you will absolutely, definitely NOT be able
-   to access you data!
+2) Make a secure backup of your passphrases and secure the keyfile by
+   'chmod 0400' or so. Your backup passphrases must be absolutely secure (i.e.
+   not on your computer).
+   Remember: If you lose your passphrase, you will absolutely, definitely NOT
+   be able to access your data!
 
 3) Make a backup of the data on the partition.
 
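Review bot: renaming 'keys' to 'passphrases' matches LUKS terminology (a passphrase unlocks one key slot; the volume key itself stays inside the header), but step 1 now needs a caveat that the rename makes more visible: the 2880-byte urandom keyfile contains newlines and is handed to cryptsetup byte-for-byte via -d, so it can never be typed at a prompt, and the initramfs in section 7 calls luksOpen without -d. State here that the root partition must have at least one slot with a passphrase you can type, and that keyfiles, besides 'chmod 0400', must be root-owned and may only live on an encrypted filesystem, never in the initramfs or on the boot partition.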
@@ -150,7 +154,7 @@
    Replace '$cipher-algorithm', '/dev/sd??' and '$keyfile' with the
    corresponding values.
    
-6) Optionally, add more keys to the partition. Do a
+6) Optionally, add more passphrases to the partition. Do a
    cryptsetup -y -d $keyfile luksAddKey /dev/sd??
    Replace '$keyfile' with the same as above and '/dev/sd??' with the
    corresponding partition.
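Review bot: 'cryptsetup -y -d $keyfile luksAddKey /dev/sd??' authorises with the existing keyfile and then prompts interactively for the new passphrase (-y makes it ask twice); to add a second keyfile instead of a typed passphrase, pass it as the trailing argument, 'cryptsetup -d $keyfile luksAddKey /dev/sd?? $newkeyfile'. A pointer to 'cryptsetup luksDump /dev/sd??' for confirming which of the eight slots are ENABLED afterwards would round this step off.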
@@ -166,6 +170,7 @@
    mkefs.$WHATEVER /dev/mapper/sd??
    Replace '$WHATEVER' with the type of filesystem you would like to use
    (e.g. ext2) and '/dev/mapper/sd??' with the corresponding partition.
+   NOTE: Do NOT use the -cc option. The system will hang forever!
 
 9) Adjust /etc/fstab
    Because the device for the partition has changed, you need to
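Review bot: the added NOTE ("Do NOT use the -cc option. The system will hang forever!") overstates what happens: -c is mke2fs's bad-block scan, and giving it twice selects the read-write test over the whole mapped device, which is very slow through dm-crypt but is not a hang. Reword it that way, and add that a bad-block scan, if wanted at all, belongs on the raw /dev/sd?? before luksFormat rather than on /dev/mapper/sd??. The command name in the context line is also wrong: it is mkfs.$WHATEVER (mke2fs for ext2), not 'mkefs'.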
@@ -185,11 +190,11 @@
 4.2 Making the system automatically decrypt and mount the partition(s)
 
 Create a bootscript that will decrypt your encrypted partition. It is assumed
-that the passphrases are stored in /etc/crypt for example. Note that storing the
-passphrases on disk might pose a security problem! Use the template for
-bootscripts included with BLFS and make it do:
+that the passphrases are stored in /etc/crypt for example. Note that storing
+the passphrases on disk might pose a security problem! Use the template for
+bootscripts included with LFS and make it do:
 
-/sbin/cryptsetup -d /etc/crypt/$PARTITION.key luksOpen \
+(/usr)/sbin/cryptsetup -d /etc/crypt/$PARTITION.key luksOpen \
    /dev/$PARTITION $PARTITION
 
 for every encrypted partition other than the root partition and the swap
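Review bot: '(/usr)/sbin/cryptsetup' is ambiguous in a command line the reader is meant to copy; settle on one path and keep it consistent with 'PROC=/sbin/cryptsetup' in the script below. Because this script runs from rcS.d before the remaining filesystems are mounted, the binary has to be in /sbin whenever /usr is a separate partition (configure cryptsetup with --sbindir=/sbin). The security remark would also gain from being concrete: keyfiles under /etc/crypt are exactly as safe as the filesystem holding them, which is fine once the rootfs is encrypted, provided the directory is root-owned mode 0700 and the files are never copied to the unencrypted boot partition or into the initramfs.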
@@ -199,7 +204,7 @@
 
 #!/bin/sh
 ########################################################################
-# Begin $rc_base/init.d/cryptsetup
+# Begin cryptsetup
 #
 # Description : Make encrypted filesystems available for mounting
 #               And clean up afterwards
@@ -210,55 +215,73 @@
 #
 # Notes       : This should never be automatically called with any
 #               argument other than "start". During shutdown and reboot,
-#               it is sufficient to umount the filesystems. /dev/mapper/*
+#               it is sufficient to umount the filesystems.
+#               /dev/mapper/*
 #               will be gone when the kernel stops or reboots.
 #
 ########################################################################
 
-. /etc/sysconfig/rc
-. ${rc_functions}
+### BEGIN INIT INFO
+# Provides:            cryptsetup
+# Required-Start:      udev
+# Should-Start:
+# Required-Stop:
+# Should-Stop:
+# Default-Start:       S
+# Default-Stop:
+# Short-Description:   Make encrypted filesystems available for mounting
+# Description:         Make encrypted filesystems available for mounting
+# X-LFS-Provided-By:
+### END INIT INFO
+
+. /lib/lsb/init-functions
 PROC=/sbin/cryptsetup
 
 case "${1}" in
-	start)
-		boot_mesg "luksOpen Home..."
-		$PROC -d /etc/crypt/home.key luksOpen /dev/sda4 sda4
-		evaluate_retval
-	stop)
-		boot_mesg "luksClose Home..."
-		$PROC luksClose sda4
-		evaluate_retval
-		;;
-	reload)
-		boot_mesg "Reloading home..."
-		$PROC reload sda4
-		evaluate_retval
-		;;
-	restart)
-		${0} stop
-		sleep 1
-		${0} start
-		;;
-	status)
-		$PROC status sda4
-		;;
-	*)
-		echo "Usage: ${0} {start|stop|reload|restart|status}"
-		exit 1
-		;;
+   start)
+	log_info_msg "luksOpen sdb3"
+	$PROC -d /etc/crypt/sdb3.key luksOpen /dev/sdb3 sdb3
+	evaluate_retval
+      ;;
+
+   stop)
+	log_info_msg "luksClose sdb3"
+	$PROC luksClose sdb3
+	evaluate_retval
+      ;;
+
+   restart)
+      ${0} stop
+      sleep 1
+      ${0} start
+      ;;
+
+   status)
+	$PROC status sdb3
+	;;
+   *)
+      echo "Usage: ${0} {start|stop|restart|status}"
+      exit 1
+      ;;
 esac
-# End $rc_base/init.d/cryptsetup
+
+exit 0
+
+# End cryptsetup
 
 Now, before proceeding, make sure everything works as expected up until now.
 Become familiar with encrypting your partitions this way.
 Make an appropriate softlink so that this script is called at boottime:
 
-# cd /etc/rc.d/rcsysinit.d
+# cd /etc/rc.d/rcS.d
 # ln -s ../init.d/cryptsetup S19cryptsetup
 
 Double-check everything so that booting, rebooting, shutting down etc. works as
-expected. 
-
+expected. You may find that the 'checkfs' and 'mountfs' bootscripts check for an
+installation of LVM. Since this was installed as cryptsetup needs libdevmapper,
+and if your system does NOT use LVM for any other purpose than encrypting your
+filesystem, you may choose to comment out the respective parts in those
+bootscripts.
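Review bot: start, stop and status hardcode /dev/sdb3, so any kernel or controller change that reorders the disks makes the script open the wrong device or fail; since udev is already in Required-Start, open the partition through the stable name udev derives from the LUKS header, e.g. '$PROC -d /etc/crypt/home.key luksOpen /dev/disk/by-uuid/<uuid> home' with the uuid from 'cryptsetup luksUUID /dev/sdb3', and name the mapping after its purpose rather than the partition. Two smaller points: the old 'start)' case had no ';;' and fell through into 'stop)', which this rewrite fixes silently, so the changelog should mention it; and the new advice to comment out the LVM parts of checkfs and mountfs should carry a caution that such edits have to be redone at every lfs-bootscripts update, so the reader should first confirm those lines actually misbehave on a system without volume groups.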
 
 5. A word about encrypting the swap partition(s)
 ================================================
@@ -275,10 +298,12 @@
 However, if you suspend your system (either to RAM or to disk), data in
 swap space must remain consistent. Therefore you have to treat the swap
 partition(s) just as if they were a regular partition, meaning you should
-encrypt them like explained above.
+encrypt them like explained above. Note that I have not experimented with
+system hiberantion or supension. If you have anything to contribute toward
+encrypting swap partiations, feel free to contact me.
 
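Review bot: three spelling errors in the added sentences: 'hiberantion' -> 'hibernation', 'supension' -> 'suspension', 'partiations' -> 'partitions'; and 'like explained above' in the context line reads better as 'as explained above'.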
 
-6. Encrypting rootfs 
+6. Encrypting rootfs (This is where the fun starts)
 ====================
 
 You can't just encrypt the rootfs the way the other partitions were encrypted
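Review bot: the heading is now longer than its '====' underline; either extend the underline to the new width or keep the aside out of the title, since every other section heading in this file is underlined to its full length.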
@@ -290,17 +315,15 @@
 You'll need the standard directories (bin, sbin, usr/{bin,sbin}, proc, sys,
 dev, lib). In bin we put our busybox-large (rename to busybox) and a softlink to
 busybox named hush. Copy cryptsetup to sbin.
-In dev put some useful devices: console, null, urandom, sd?? and a directory
-'mapper' containing 'control'. Then make a copy of dev:
-cp -a dev init-dev
+In dev put some useful devices: console, null, random, urandom, sd?? and a
+directory 'mapper' containing 'control'.
 In lib (and dev) put everything needed to run busybox and cryptsetup.
 
 The init script is like this:
 #!/bin/hush
 /bin/busybox mount -t proc proc /proc
 /bin/busybox mount -t sysfs sysfs /sys
-/bin/busybox mount -t tmpfs tmpfs /dev
-/bin/busybox cp -a /init-dev/* /dev
+/bin/busybox mount -t devtmpfs devtmpfs /dev
 /bin/busybox --install -s
 exec /bin/busybox hush
 
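Review bot: with the init script now mounting devtmpfs on /dev, the list of nodes to create by hand (random, urandom, sd??, mapper/control) is mostly moot, because the kernel populates devtmpfs itself; what must still exist as static nodes in the initramfs are console and null, since the kernel opens /dev/console on the initramfs before init starts and therefore before this mount line runs. Say that instead of the longer list, and add CONFIG_DEVTMPFS=y to the kernel section, because the explicit mount here depends on it (CONFIG_DEVTMPFS_MOUNT does not apply to an initramfs, so the mount line must stay).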
@@ -312,11 +335,9 @@
 boot.
 
 *** PITFALL ***
-Cryptsetup needs /proc and /sys mounted. It also requires the /dev directory.
-As we want to save /dev when we switch_root later, we mount it as tmpfs. This
-means that the devices in /dev will be gone, so copy them back into /dev. Be
-aware that you need at least 'null' and 'console' in /dev before mounting
-tmpfs on /dev.
+Cryptsetup needs /proc and /sys mounted. It also requires the /dev directory and
+'random' and 'urandom'. Be aware that you need at least 'null' and 'console' in
+/dev before mounting tmpfs on /dev.
 
 Once in the shell, encrypt your rootfs like any other partition as described
 above. Don't forget the backup! ABSOLUTELY, POSITIVELY make certain that you are
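Review bot: this PITFALL now contradicts the init script just above it: it tells the reader to create 'random' and 'urandom' and to have 'null' and 'console' present "before mounting tmpfs on /dev", while the script mounts devtmpfs, which supplies those nodes on its own. Rewrite as: cryptsetup needs /proc, /sys and a populated /dev (/dev/random, /dev/urandom and /dev/mapper/control); with devtmpfs these appear automatically, and only console and null must exist as static nodes beforehand.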
@@ -339,8 +360,8 @@
 *** PITFALL ***
 Since your old rootfs isn't mounted, you might not be able to to run 'mkefs' do
 to missing libraries. Either copy everything needed to where the linker can
-find it, or use the 'mkefs' from busybox. Be sure to configure busybox
-accordingly.
+find it, reconfigure the linker's search path via 'ldconfig', or use the 'mkefs'
+from busybox. Be sure to configure busybox accordingly.
 
 Next, modify /etc/fstab (on /new-root) to reflect the new device for the rootfs.
 Also modify the cryptsetup script as described below (7. PITFALL).
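Review bot: "reconfigure the linker's search path via 'ldconfig'" needs a hint at what that entails in a bare initramfs shell: ldconfig reads /etc/ld.so.conf and writes /etc/ld.so.cache under the current root, so both must exist there; exporting LD_LIBRARY_PATH to the directory holding the copied libraries is the simpler route for a one-off mkfs run. Also in this hunk's context lines: 'to to run' -> 'to run', 'do to missing' -> 'due to missing', and 'mkefs' -> 'mkfs'.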
@@ -359,7 +380,6 @@
 /bin/busybox mount -t proc proc /proc
 /bin/busybox mount -t sysfs sysfs /sys
 /bin/busybox mount -t tmpfs tmpfs /dev
-/bin/busybox cp -a /init-dev/* /dev
 /sbin/cryptsetup luksOpen /dev/sd?? sd??
 /bin/busybox mount -r -t ext2 /dev/mapper/sd?? /new-root
 /bin/busybox mount --move /proc /new-root/proc
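Review bot: this init script is now broken: it still mounts an empty tmpfs on /dev, but the 'cp -a /init-dev/* /dev' that used to populate it is removed, so /dev/sd?? does not exist when 'cryptsetup luksOpen' runs and /dev/mapper/sd?? does not exist for the mount. Change the line to '/bin/busybox mount -t devtmpfs devtmpfs /dev', matching the first init script in section 6. One thing the script gets right deserves a sentence in the text: luksOpen runs without -d here on purpose, because this initramfs lives on the unencrypted boot partition and must prompt for the passphrase rather than carry a keyfile.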
@@ -369,20 +389,7 @@
 
 *** PITFALL ***
 You want to keep /proc, /sys and /dev after switch_root because cryptsetup uses
-them. Hence the 'mount --move' commands. Note that /dev/mapper/sd?? (the root
-device) will be gone once you mount the true root partition, switch_root and the
-rootfs proper starts udev. That's the reason why this device needs to be
-recreated. So, modify the cryptsetup bootscript to include 
-
-		if [[ ! -b /dev/mapper/sd?? ]];
-		then
-			boot_mesg "Making device for rootfs..."
-			/bin/mknod -m 0600 /dev/mapper/sd?? b 254 0
-			evaluate_retval;
-		fi
-
-in the start section of the script.
-
+them. Hence the 'mount --move' commands.
 
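Review bot: dropping the mknod workaround is right, but the PITFALL should still explain why the 'mount --move' commands suffice now: once /dev is the kernel's devtmpfs moved into the new root, the /dev/mapper node for the root device is a kernel-created node that survives udev's start, rather than a copy in a throwaway tmpfs; the old hard-coded 'b 254 0' was fragile anyway, since device-mapper's major number is allocated dynamically. With the instruction gone, the sentence in section 6 "Also modify the cryptsetup script as described below (7. PITFALL)" points at nothing and should be removed.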
 8. Making sure security is not compromised
 ==========================================
@@ -393,26 +400,27 @@
 Create a bootscript (checkbootfs) that makes sure that the unencrypted partition
 we booted from was not compromised. Use something like:
 
-		boot_mesg "Checking integrity of boot FS..."
+	log_info_mesg "Checking integrity of boot FS..."
 		if
 		[[ $(/bin/md5sum -b /dev/sd??) == \
 		"$whatevermd5sum */dev/sd??" ]] \
 			&& \
 		[[ $(/bin/sha1sum -b /dev/sd??) == \
 		"$whatevensha1sum */dev/sd??" ]];
-		then
-			echo_ok;
-		else
-			echo_failure
-boot_mesg -n "FAILURE:\n\nThe boot file system seems to have been
-altered!\n\n" ${FAILURE}
-        boot_mesg -n " DO NOT TRUST THIS SYSTEM!\n\n"
-        boot_mesg_flush
+        then
+        log_success_msg;
+        else
+	log_failure_msg "The boot file system has been altered!"
+        log_warning_msg "DO NOT TRUST THIS SYSTEM!"
+        log_info_msg "Press Enter to continue anyway ..."
+        wait_for_user
+        fi
 
 *** PITFALL ***
 Make sure this is the very last thing you implement, as the hashsums will
 change as we go on. The hashsums will also change if you run a fsck on the boot
-partition.
+partition. Also, you will need to move 'md5sum' and 'sha1sum' from /usr/bin to
+/bin, if /usr is a separate partition.
 
 
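Review bot: the integrity check runs from the encrypted root after the kernel and initramfs on the unencrypted partition have already executed, so whatever tampered with them (an initramfs that records the passphrase, a kernel that returns the original bytes when /dev/sd?? is read) can also make this check pass, and "Press Enter to continue anyway" turns it into an advisory message. Section 8 should say plainly that this is a tripwire against a careless attacker, not a boot-integrity guarantee, and that the boot loader code in the MBR and the gap before the first partition lie outside /dev/sd?? and are not covered at all. Smaller points: 'log_info_mesg' should be 'log_info_msg'; sha256sum from coreutils is a better companion to sha1sum than md5sum; and copying md5sum/sha1sum to /bin, or ordering the script after mountfs, is preferable to moving them, which leaves /usr/bin inconsistent with what coreutils installed.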
 ACKNOWLEDGMENTS:
@@ -424,6 +432,14 @@
 
 
 CHANGELOG:
+[2012-05-15]
+  * Adjust for LFS-7.1
+[2011-11-13]
+  * Adjust for LFS-7.0
+  * Some touchups
+[2010-04-17]
+  * Dev-mapper is now in the BLFS book
+  * More verbosity for configuring busybox
 [2009-12-30]
   * Merged suggestions (typos, format and others) from Emmanuel Trillaud
   * More verbosity on the boot partition size

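Review bot: the [2012-05-15] entry reads only "Adjust for LFS-7.1", but this revision also changes content a reader upgrading from the 2011 text needs to know about: the cryptsetup dependency list (lvm2, libgcrypt), devtmpfs in place of the copied /dev nodes, the removal of the mknod workaround in section 7, and the -cc warning in section 4; list them here so the changelog matches the diff.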