I really would like to have an encrypted swap, tmp and home partition on my laptop. In case it gets stolen or if I should forget it somewhere, I can be sure that no-one would be able to read my private files. In this mini-howto I set my home partition using LVM, but using a regular partition should work just fine. This howto should also work, with minor modification, if you use another distribution than Ubuntu.
Updated:
May 2009: Updated for Ubuntu 9.04. Added encrypted /tmp.
May 2008: Init for Ubuntu 8.04.
Note! Both the "server" and "alternate" Ubuntu ISO-images provide the option to encrypt your home directory (but in a different way using eCryptfs. Swap and /tmp are not encrypted). It might be an easier solution if you find this page too hard to follow. The difference? They are two different implementations. eCryptfs is file level encryption, LUKS is block device (/dev/sda3). Think of it like SSL vs. IPSec. Both have their advantages and drawbacks. Read more here and here
By using Linux Unified Key Setup (LUKS) setting up encrypted partition in Linux is done in no time.
Prerequisites
Install required packages:
# apt-get install lvm2 cryptsetup libpam-mount
The device-mapper should be active (if not, reboot):
$ ls -l /dev/mapper/
total 0
crw-rw---- 1 root root 10, 61 2009-05-19 15:39 control
..with support for crypto:
# dmsetup targets | grep crypt
crypt v1.6.0
Good. Now we're ready.
Part I: Setting up encrypted swap
Step 1: Disable your current swap partition.
# swapoff /dev/sda2
Step 2: Fill your swap with random data.
# dd if=/dev/urandom of=/dev/sda2 bs=1M
1954+0 records in
1953+0 records out
2048094208 bytes (2.0 GB) copied, 529.177 s, 3.9 MB/s
As you see, this might take some time depending on your swap size. So go grab a coffe.
Step 3: Configure encrypted swap.
Add this to your /etc/crypttab
# cat /etc/cryptab
...
cryptoswap /dev/sda2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap
Why /dev/urandom and not /dev/random? The latter blocks until it got enough entropy to continue, urandom don't. So if you use random instead urandom you might have to wait during boot until enough entropy is collected. (It does help to type your keyboard and move the mouse.) Use /dev/random if you're really paranoid.
Next, change your swap entry in /etc/fstab to this:
# cat /etc/fstab
...
/dev/mapper/cryptoswap /tmp swap sw 0 0
For every time we boot, swap will be encrypted with a different encryption key.
Step 4: Test it.
Reboot to test.
We now have an encrypted swap:
# cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/cryptoswap partition 2000084 0 -1
# cryptsetup status cryptoswap
/dev/mapper/cryptoswap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda2
offset: 0 sectors
size: 4000185 sectors
mode: read/write
Good. Now we're safe right?
Part II: Dealing with /tmp
To protect /tmp, we have two choices. 1) we can encrypt it like we did with swap or 2) we can create a ramdisk. The content of a ramdisk don't survive a reboot and /tmp rarely is used for any big files, its is also a good option. But, paranoid as we are, we choose option 1)
The setup is almost identical as for swap:
Step 1: Setting up a tmp partition using LVM.
If you use a regular partition, you can easily skip this step.
# pvcreate /dev/sda3
Physical volume "/dev/sda3" successfully created
# vgcreate vg_storage /dev/sda3
Volume group "vg_storage" successfully created
# vgchange -a y vg_storage
0 logical volume(s) in volume group "vg_storage" now active
# lvcreate -L500M -nlv_tmp vg_storage
Logical volume "lv_tmp" created
For more details on how to use LVM, please check out the excellent LVM HOWTO.
Step 2: Fill the partition with random data.
# dd if=/dev/urandom of=/dev/vg_storage/lv_tmp
1024001+0 records in
1024000+0 records out
524288000 bytes (524 MB) copied, 139.983 s, 3.7 MB/s
Step 3: Add entry in /etc/crypttab
# cat /etc/cryptab
...
cryptotmp /dev/vg_storage/lv_tmp /dev/random cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,tmp
Now, since /tmp is encrypted with a new key every time, the filsystem must be created every time as well. The option "tmp" fixes that for us and calls mkfs before mount. Since it is created with filesystem ext2, we add in fstab:
# cat /etc/fstab
...
/dev/mapper/cryptotmp none ext2 defaults 0 0
Step 4: Test it.
Reboot to test.
We now have an encrypted /tmp partition as well. Great!
# cryptsetup status cryptotmp
/dev/mapper/cryptotmp is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/mapper/vg_storage-lv_tmp
offset: 0 sectors
size: 1024000 sectors
mode: read/write
Part III: Creating and setting up an encrypted home partition
Step 1: Setting up a home partition using LVM.
If you use a regular partition, you can easily skip this step.
# lvcreate -L20G -nlv_home vg_storage
Logical volume "lv_home" created
Step 2: Fill your soon-to-be home partition with random data.
# dd if=/dev/urandom of=/dev/vg_storage/lv_home
20481+0 records in
20480+0 records out
21474836480 bytes (21 GB) copied, 5554.23 s, 3.9 MB/s
This will take even longer than the swap partition. So go for lunch or something.
Step 3: Initialize the partition and set initial key.
Remember, if you use a weak password, your screwed. If you forget the password, its game over.
# cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/vg_storage/lv_home
WARNING!
========
This will overwrite data on /dev/vg_storage/lv_home irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
Command successful.
We use cipher "aes-cbc-essi", since the default is vulnerable to Watermarking attack.
Step 4: Create a device mapping.
# cryptsetup luksOpen /dev/vg_storage/lv_home cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
This will create a device mapping, as can bee see under:
$ ls -l /dev/mapper/
total 0
crw-rw---- 1 root root 10, 61 2009-05-19 15:39 control
brw-rw---- 1 root disk 252, 4 2009-05-19 15:52 cryptohome
brw-rw---- 1 root disk 252, 1 2009-05-19 15:39 cryptoswap
brw-rw---- 1 root disk 252, 2 2009-05-19 15:39 cryptotmp
brw-rw---- 1 root disk 252, 3 2009-05-19 15:52 vg_storage-lv_home
brw-rw---- 1 root disk 252, 0 2009-05-19 15:39 vg_storage-lv_tmp
Note that LVM also uses the device-mapper (that is why LVM volumes also are listed).
Or, you can use the command dmsetup ls to list the mapped devices:
$ dmsetup ls
cryptoswap (252, 1)
vg_storage-lv_tmp (252, 0)
cryptotmp (252, 2)
vg_storage-lv_home (252, 3)
cryptohome (252, 4)
Step 5: Create a filesystem.
We now have an encrypted partition. To use it, we need to create a filesystem on it:
# mkfs.ext4 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/cryptohome
mke2fs 1.41.4 (27-Jan-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
1310720 inodes, 5242623 blocks
52426 blocks (1.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=0
160 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
Step 6: Testing!
We start by closing and reopen the encrypted partition before we mount it:
# cryptsetup luksClose cryptohome
# cryptsetup luksOpen /dev/vg_storage/lv_home cryptohome
Enter LUKS passphrase:
key slot 0 unlocked.
Command successful.
# mkdir -p /mnt/cryptohome
# mount /dev/mapper/cryptohome /mnt/cryptohome
# touch /mnt/cryptohome/testfile
# ls /mnt/cryptohome/
lost+found testfile
We can also confirm that it works by issuing the command:
# cryptsetup status cryptohome
/dev/mapper/cryptohome is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/mapper/vg_storage-lv_home
offset: 2056 sectors
size: 41940984 sectors
mode: read/write
Now would be a good time to move your current home to this partition.
Finally we umount:
# umount /mnt/cryptohome
# cryptsetup luksClose cryptohome
Step 7: Cryptohome mounted at boot or at login?
Now you have to take a choice. You can enable the partition at boot time, but then the boot sequence is interrupted asking you for the LUKS password. If you want the partition automatically mounted when you login, skip to the next section.
Instead of manually typing in password, you can have the key stored externally - for instance on a usb-stick. Read more about that here.
You want to enable mounting at boot time? Then update /etc/crypttab:
# cat /etc/crypttab
...
cryptohome /dev/vg_storage/lv_home none luks
And /etc/fstab:
# cat /etc/fstab
...
/dev/mapper/cryptohome /home/ ext4 relatime,errors=remount-ro 0 2
When you now reboot, the boot process is interrupted asking you for the LUKS password. If you type it correctly, the home partition is mounted. When you now log in, you will have an encrypted home partition ready waiting for you.
Part IV: Automatically mount when logging in.
A more elegant solution would be to automatically mount the home partition the same time you log in. This require that you use the same password for login as for the encrypted partition. (Actually that is not entirely true. You may have the password stored on file somewhere. But in this howto, we assume you have the same password for both.)
Step 1: Remove home partition from /etc/fstab
If there is an entry to your (encrypted) home partition in /etc/fstab, remove it
# cat /etc/fstab
...
/dev/mapper/cryptohome /home ext4 relatime,errors=remount-ro 0 2 # this gotta go
Step 2: Update /etc/crypttab
Make sure the you have a line in /etc/crypttab that reads as follows:
# cat /etc/crypttab
...
cryptohome /dev/vg_storage/lv_home noauto luks
Step 3: Configure pam_mount
Add the following entry in /etc/security/pam_mount.conf.xml. This file is heavily commented, and it may be useful to read the comments.
# cat /etc/security/pam_mount.conf.xml
...
Step 4: Configure PAM
No longer necessary. As of 9.04 all options already included.
Step 5: Test!
Log out and back in. You should now have an encrypted home:
$ df -h
...
/dev/mapper/_dev_mapper_vg_storage-lv_home
20G 296M 20G 2% /home
Congratulation, you now have an encrypted swap, tmp and home partition!
A final advice: Take regular backups.
Useful links:
- "dm-crypt: a device-mapper crypto target": http://www.saout.de/misc/dm-crypt/
- "dm-crypt HOWTO for Debian unstable and testing": http://www.saout.de/tikiwiki/tiki-index.php?page=HOWTO
What's Related
Story Options
Trackback
Trackback URL for this entry: http://blog.gnist.org/trackback.php?id=EncryptedSwapAndHomeUbuntu
Here's what others have to say about 'Encrypted swap, tmp and home partition in Ubuntu 9.04':
The prattlings of Steve Crook » Blog Archive » Encrypted Filesystems Revised
Tracked on Friday, 16 May 2008 @ 13:53 CEST
Jason L. Froebe: Ramblings of a Geek » Blog Archive » Encrypting your /home and swap on Ubuntu Linux v8.0
Tracked on Wednesday, 28 May 2008 @ 16:30 CEST
Perfect dual boot crypted hard disk setup with Truecrypt and LUKS | Redi for Life
Tracked on Tuesday, 15 July 2008 @ 2:31 CEST
How To: Encriptar particiones swap y Home en Ubuntu 8.04 (Eng) from meneame.net
Un sencillo tutorial para encriptar las particiones swap y home en Ubuntu, manteniendo tus datos seguros de miradas ajenas. Está en inglés pero no requiere mucho conocimiento para entenderlo. [read more]
Tracked on Tuesday, 02 September 2008 @ 12:31 CEST
[Howto] Encriptar las particiones Home y Swap en Ubuntu 8.04 | el tecnicida
Tracked on Tuesday, 02 September 2008 @ 13:20 CEST
Coredump » Setting up encrypted swap on Ubuntu 7.10 (Gutsy Gibbon)
Tracked on Saturday, 20 September 2008 @ 17:17 CEST
carrierdetect.com » Migrating a MacBook Pro to GNU/Linux
Tracked on Wednesday, 17 December 2008 @ 0:25 CET
I'm using LUKS encrypted home+swap with unencrypted root for some months now, or years? works like a charm :-)
some comments (especially for part III):
with pam-mount you do not need the /etc/crypttab entry. I do only have the cryptswap-entry.
ubuntus pam-mount installs a common-pammount file in /etc/pam.d/ you can use:
I added "@include common-pammount" to my common-auth and common-session instead of loading pam_mount.so directly.
this way you'll benefit from changes the package maintainer grants to you ;-) but nevertheless if dpkg updates common-auth/session ... you know...
and at least:
why do you use lvm to create only one volume in it? ;-)
I successfully used your post to encrypt the /home and swap partitions on my laptop running LinuxMint. Mint, unfortunately, does not have an alternative install CD so if one wants LVM and/or encryption one has to do the setup manually.
A minor correction in the line for the swap in /etc/fstab, the mount point should be "none" instead of "swap":
/dev/mapper/cryptoswap none swap sw 0 0
Thank you for the post,
Peter
- Encrypted swap and home partition in Ubuntu 8.04 - Authored by: lars on Sunday, 22 June 2008 @ 15:40 CEST
don't forget to rewrite the initrd: e.g. with "dpkg-reconfigure [yourkernelimage, e.g. linux-image-2.6.24-19-generic]" or use aptitude/synaptic or even update-initramfs directly.
- Encrypted swap and home partition in Ubuntu 8.04 - Authored by: Anonymous on Saturday, 01 November 2008 @ 21:59 CET
I added only "@include common-pammount" in both /etc/pam.d/common-auth and /etc/pam.d/common-session and the login unencryption worked correctly with a single password.
You have written a very useful article.
If one wanted to encrypt /tmp instead of /home, what should one do differently? The big difference is that /tmp should be encrypted with a throw-away key because I prefer NOT to be asked for a password at the boot time for opening up /tmp. It is because of this that I haven't been able to encrypt /tmp. :-/ Maybe, or hopefully, you could help?
Much oblige!
Tuomas
- Encrypted swap and home (or /tmp?) partition in Ubuntu 8.04 - Authored by: Anonymous on Tuesday, 14 October 2008 @ 16:36 CEST
Here is your document's Turkish translation: http://docs.comu.edu.tr/howto/encrypted-swap-howto.html
Best regards
Necdet Yucel
[11:18:35] ~> sudo cryptsetup status _dev_sda3
/dev/mapper/_dev_sda3 is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda3
offset: 2056 sectors
size: 220377614 sectors
mode: read/write
[11:18:45] ~> sudo cryptsetup status cryptoswap
/dev/mapper/cryptoswap is active:
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda5
offset: 0 sectors
size: 9847719 sectors
mode: read/write
Best regards,
Guy S.
- Encrypted swap, tmp and home partition in Ubuntu 9.04 - Authored by: lars on Thursday, 28 May 2009 @ 12:56 CEST
sudo cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda8 I got this error:
pam_mount(pam_mount.c:100): unknown pam_mount option "use_first_pass"
WARNING!
========
This will overwrite data on /dev/sda8 irrevocably.
Are you sure? (Type uppercase yes): YES
Command failed: Can not access device
Could you please tell me if I did something wrong?
- Encrypted swap, tmp and home partition in Ubuntu 9.04 - Authored by: Anonymous on Monday, 08 June 2009 @ 13:14 CEST
- Encrypted swap, tmp and home partition in Ubuntu 9.04 - Authored by: Anonymous on Tuesday, 16 June 2009 @ 22:22 CEST
It is possible to set up Luks from the 9.04 alternate CD/DVD. I've done it on my laptop.
Just set up the whole disk as encrypted LVM, and say no to the question about encrypted home directory ( it's the eCryptfs thing ).
Then I made a backdoor for it which transmit my LUKS phassphrase using the leds on my X61 as a covert channel.... but that's another story.
Espen G
Aucun commentaire:
Enregistrer un commentaire