HOWTO: Encrypt The System Manually Upon Installation (Ubuntu 8.04)


Introduction

Another howto by me concerning encryption, though this one is heavy on screenshots. It is a step-by-step guide to manually setting up full encryption of the system during installation.

Due to a bug currently in the Ubuntu installer, you cannot encrypt the swap partition directly during the manual install; the install will just hang. Here’s a link to the bug report: https://bugs.launchpad.net/ubuntu/+bug/231451

Also, the sizes used are only examples; please consider carefully how you want to size your partitions. I did this on a 15 GB virtual image, hence swap, root and home are quite small. I make a separate home partition. If you need to reinstall, you can just follow this guide again BUT leave the /home partition untouched during installation. Once you have set up boot, swap and root, you can manually add the /home partition to the local filesystems and set it up to unlock automatically with a key.

Because I used a virtual machine for creating this howto, I also set all partitions to be primary partitions. Remember, you can only have 4 primary partitions on a hard disk. You could also create a logical partition and make partitions in there.

 

Step 1: Getting to the partitioner

So, once you reach the partitioner, select manual partitioning:

01_manual

As I have a completely new harddisk (or rather virtual harddisk) I have to select it first:

02_main

Then to create an empty partition list:

03_emptypartition

Step 2: Creating the boot partition

Now we select to create a new partition on the harddisk:

05_boot_newpartition

About 100 MB is a good size for a boot partition; that will be sufficient for multiple kernels. However, it’s up to you how big you want to make it.

06_boot_100mb

Well, as said in the introduction I make all the partitions primary ones. If you want to create a logical one, make it as big as you want so that all other partitions will fit within.

07_boot_primary

I set it at the beginning. You could also set it at the end… IMHO it doesn’t matter much.

08_boot_beginning

And then we finally get to the partition properties. Make sure to select ext3 as the filesystem and /boot as the mount point, and make it bootable.

09_boot_properties

Step 3: Creating the swap partition

Afterwards we end in the main partitioning menu again. Select the free space:

10_swap_main

Make a new partition:

11_swap_newpartition

I select 256 MB here because it’s just a virtual drive. Generally you should make it about twice your RAM size but not more than 4 GB, except if you want to hibernate and have more than 4 GB RAM. In that case you should make it at least equal to your RAM size.

12_swap_256mb

Again primary:

13_swap_primary

Again at the beginning:

14_swap_beginning

Set the properties according to the picture:

15_swap_properties

Remember, this will not be set up immediately due to the bug here: https://bugs.launchpad.net/ubuntu/+bug/231451. We’ll set up swap once the system is installed.

 

Step 4: Creating the “/” folder

Afterwards we end in the main partitioning menu again. Select the free space:

16_root_main

Make a new partition:

17_root_newpartition

I select 5 GB here for root. This is because of the virtual disk. Normally you should use at least 10 GB, better 20 GB, to have enough space to install all the apps you want.

18_root_5gb

Again primary:

19_root_primary

Again at the beginning:

20_root_beginning

Set the properties according to the picture; however, you can change the encryption, key size and algorithm according to your preferences. Make sure the encryption key is a passphrase.

21_root_properties

Step 5: Creating the “/home” folder

Afterwards we end in the main partitioning menu again. Select the free space:

22_home_main

Make a new partition:

23_home_newpartition

Use all the remaining disk space for your home folder. That’s where you normally want to store most of your data.

24_home_restspace

Again primary:

25_home_primary

Set the properties according to the picture; however, you can change the encryption, key size and algorithm according to your preferences. Make sure the encryption key is a passphrase.

26_home_properties

Step 6: Configure the encrypted devices

Afterwards we end in the main partitioning menu again. Select the encrypted volumes:

27_configureencrypted

Select here yes:

28_configureencrypted_yes

Then enter the password for the root device (partition #3 sda):

29_configure_password1

Verify the password for the root device:

30_configure_password1_confirm

If your password is too weak you will get this error message. Either go back and fix it or accept it. However a weak password defeats the purpose of having encryption. I only selected yes, because it’s a demo setup on a virtual machine. So once I’m done it gets deleted anyway.

31_configure_password1_weak

Then enter the password for the home device (partition #4 sda):

32_configure_password2

Verify the password for the home device:

33_configure_password2_confirm

Again the weak password message:

34_configure_password2_weak

Step 7: Set the encrypted devices up

Afterwards we end in the main partitioning menu again. You can see that we have two new devices there. We need to set those up now and start with the root partition:

35_main_root

Set the properties according to this. Make sure to select “/” as mount point.

36_root_properties

We end up again in the main partition menu and select now the home partition:

37_main_home

Set the properties according to this. Make sure to select “/home” as mount point.

38_home_properites

Step 8: Finish the partitioner

For the last time we are now in the partitioner main menu. Select finish partitioning and write changes to disk:

39_main_finish

You will then get a warning about swap. Just ignore it and go on:

40_swap_warning

Write the changes to disk and then let the install continue:

41_confirm_partitions

Step 9: Enable swap and setup key unlocking of /home

Once the system has finished installing, start it. You will be prompted to enter the crypto password twice: once for the root partition and then a bit later for the /home partition. Once the computer has booted up, run the commands

df -l
sudo fdisk -l

You should get an output similar to this one:

42_systemstat

Enabling swap is pretty simple. You first need to edit the crypttab:

sudo nano /etc/crypttab

and there you need to add a line like this:

cswap	/dev/sda2	/dev/urandom	swap

Save and close it with ctrl-x (follow the instructions) and then open

sudo nano /etc/fstab

and add this line:

/dev/mapper/cswap	none	swap	sw	0	0
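
An added example, not part of the original howto: a shell function that checks that the two entries above agree (random key and swap option in crypttab, a matching /dev/mapper line in fstab, and the raw partition not also listed as swap). The function names and the temp-file sample input are assumptions, constructed from the two lines shown in this step.

```sh
#!/bin/sh
# Added example (not from the original howto): check the Step 9 swap entries.
# Usage: check_cswap CRYPTTAB FSTAB   -> returns 0 only if every check passes.

# in_fstab_as_swap DEVICE FSTAB: true if DEVICE has an uncommented swap line.
in_fstab_as_swap() {
    awk -v d="$1" '!/^[ \t]*#/ && $1 == d && $3 == "swap" { f = 1 }
                   END { exit !f }' "$2"
}

check_cswap() {
    crypttab=$1; fstab=$2; rc=0
    # crypttab fields: <mapped name> <source device> <key file> <options>
    entries=$(awk '!/^[ \t]*#/ && $4 ~ /(^|,)swap(,|$)/ { print $1 "|" $2 "|" $3 }' "$crypttab")
    [ -n "$entries" ] || { echo "FAIL: no crypttab entry with the swap option"; return 1; }
    for e in $entries; do
        name=${e%%|*}; rest=${e#*|}; src=${rest%%|*}; key=${rest#*|}
        case $key in
            /dev/urandom|/dev/random)
                echo "OK: $name on $src is re-keyed randomly at every boot" ;;
            *)  echo "FAIL: $name uses key '$key', expected /dev/urandom"; rc=1 ;;
        esac
        if in_fstab_as_swap "/dev/mapper/$name" "$fstab"; then
            echo "OK: fstab activates /dev/mapper/$name"
        else
            echo "FAIL: fstab has no swap line for /dev/mapper/$name"; rc=1
        fi
        # Only catches entries written as a device path, not UUID= or LABEL=.
        if in_fstab_as_swap "$src" "$fstab"; then
            echo "FAIL: fstab also swaps on $src directly (unencrypted)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input: the two lines from Step 9, written to temp files.
demo_cswap() {
    tmp=$(mktemp -d) || return 1
    printf 'cswap\t/dev/sda2\t/dev/urandom\tswap\n' > "$tmp/crypttab"
    printf '/dev/mapper/cswap\tnone\tswap\tsw\t0\t0\n' > "$tmp/fstab"
    check_cswap "$tmp/crypttab" "$tmp/fstab"; status=$?
    rm -rf "$tmp"
    return $status
}

demo_cswap
```

Run it against the live files with `check_cswap /etc/crypttab /etc/fstab`. With a random key the swap contents are unreadable after a reboot, so resume from hibernation will not work, and the swap option reformats /dev/sda2 at every boot, so recheck the device name if disks are added or reordered.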

So, if you don’t want to enter the password twice for unlocking the root and the home partition, follow this guide here: http://www.Kreationnext.com/automatically-unlock-luks-encrypted-drives-with-a-keyfile

After you set that up accordingly, you can reboot and then you will have to enter the password only once and you will also have an encrypted swap at your disposal. Enjoy!

 

 
