The set of patches are available here
NOTE: The root_filesystem_encryption.sh script guides you through
this process in a logical order. This is now for planning and for
reference.
I. Think About It!
We have some initial limitations. If you are installating
to a prestine machine and do not want to have a system already
up and running and then you will have to live with LVM under the
current anaconda installation program.
For this HOWTO, you will need to use the following utilities
A. the prep script
B. fdisk
C. lvm
D. the modified mkinitrd script provided
II) Decide how you want to handle protection:
A. The Passphrase
Like any password, you will need to remember it to unlock
your data. However, if you choose this method for multiple
partitions you will have to enter the password repeatedly.
B. The Embedded Key
Under this system, the keyfile will be embedded in the
initrd image itself. While not the most secure, you can
destroy the usb media itself to protect the data.
This is best used when you will be booting from a USB key
or other removable media and/or leaving the media in place.
C. The Disappearing Key
Now, this is ugly, but useful. In essence, your key
is stored on another volume or different media than
your boot partition and may not be included in the regular
system. This method allows you to only have the media
present at the time the system boots and may be removed
without disturbing or interrupting the system. This allows
more automatic kernel updates.
III) Now, decide how you want to boot.
A) Fixed Media
Booting from Fixed Media requires that the /boot partition
be unencrypted; however, this does show what OS was on the machine.
B) Removable Media
Normally requires leaving the /boot media in the machine because
you want updates to kernels and initrd images to be consistent
(or risk sanity.)
IV) Prep your Media
This step needs to be done at the welcome screen for Anaconda. Press
CTRL+F2 to get the shell prompt. At this point you should
mount your removable media with root_filesystem_encryption.sh and
root_filesystem_encryption.txt on /tmp/removable.
mkdir /tmp/removable
mount /dev/<device> /tmp/removable
If you haven't prepped your removable media you can do so now or
from the linux rescue cd and then get these files from the network
http://www.cygnetech.com/linux/howtos/root_filesystem_encryption.txt
http://www.cygnetech.com/linux/howtos/root_filesystem_encryption.sh
http://www.cygnetech.com/linux/howtos/root_filesystem_encryption.tar.gz
untar root_filesystem_encryption.tar.gz in /tmp/removable
VI) Manual Installation Information
F) Fixed Media
You will need a partition (preferably 64-256M at the
beginning of your disk for /boot. Everything else
can be encrypted outside of this partition.
fdisk /dev/<fixed device>
create a partition for /boot
| n -> p -> 1 -> 1 -> +64M
| t -> 1 -> 83
| w
mkfs.ext3 -L/boot -m0 /dev/<fixed device>1
mount /dev/<fixed device>1 /tmp/boot
R) Removable Media
You will need a partition (preferably 64-256M at the
beginning of your disk for /boot. Everything else
can be encrypted outside of this partition.
fdisk /dev/<usb device>
create a partition for /boot
| n -> p -> 1 -> 1 -> +64M
| t -> 1 -> 83
| w
You do not want journaling on your USB/flash device. And,
you really don't need any reserved space. I recommend
at least 64M of space for the /boot partition on the
removeable media or more if you want to support more than
one system with the same USB drive.
mkfs.ext2 -Lflashboot -m0 /dev/<usb device>1
mkdir /tmp/removable
mount /dev/<usb device>1 /tmp/removable
3) Preparing The Root Partition
fdisk /dev/<fixed device>
create a LVM partition for the remainder of the disk
| n -> p -> 2 -> {accept defaults} -> {accept defaults}
| t -> 2 -> 8e
write the parition table
| w
The 8e (Linux LVM) entry is a ruse to trick anaconda into
letting us through. After we do the encryption routine,
/dev/<partition> is just random bits, but anaconda does not
know this. It trusts the LVM active volume groups. Proceed!
Create an encrypted volume:
With a key
cryptsetup luksFormat /dev/<device> \
-d /tmp/removable/the.key
cryptsetup luksOpen /dev/<device> <device> \
-d /tmp/removable/the.key
With a passphrase
cryptsetup luksFormat /dev/<device>
cryptsetup luksOpen /dev/<device> <device>
Create the LVM groups and divide the disk however you
want.
# lvm pvcreate /dev/mapper/<device>
# lvm vgcreate VG00 /dev/mapper/<device>
# lvm lvdisplay
This shows how much space is available
# lvm lvcreate -L<twice ram>MB -n swap
# lvm lvcreate -L<remaining size>MB -n slash
If lvm complains that the size is too large, then just
reduce the size gradually until you get it right. For
example, if you think 1.6GB should be left. Try 1.59GB,
then 1.58GB, etc., until it succeeds. Leave at least 16MB
free if you can. Anaconda may carp about space and you
may have to backup to the welcome screen, blow the LV's
away and aim a little smaller.
You are free to be more creative than the all-in-one
presented here.
The installation script will tell you to start the installation.
Read below for specifics.
In Anaconda
When you get to partitioning your drive select custom layout,
and check "Review Partitions and Layout." Move to the next
step.
Select the LV partitions you have just made format them with
the filesystem of your choice and select the mount points.
If you want to boot from fixed disks make sure you select
the partition on your harddisk and use /boot for the mount
point.
If you want to boot from removable media (USB), find the
removeable device partition to use and edit it. Label it
/boot and select "preserve data." Next, select the option
in the Grub menu to configure advanced boot loader options.
On the next screen, change the device ordering and move the
removable device up to the top.
Now the grub loader should be install on the MBR of the
USB device.
Continue through the normal installation process until
you get to the Reboot step. DO NOT REBOOT.
Go back to the emergency shell using CTRL+F2.
Last Steps
These are manual suggestions, consult the root_filesystem_encryption.sh
for a more sane ordering.
mount none -t proc /mnt/sysimage/proc
mount none -t sysfs /mnt/sysimage/sys
mkdir /tmp/sysimage/tmp/removable
mount /dev/<removable device> /mnt/sysimage/tmp/removable
cp -a /etc/lvm /mnt/sysimage/lvm
chroot /mnt/sysimage
vi /mnt/sysimage/etc/sysconfig/mkinitrd
add options for
CRYPTOMODS="DEFAULT"
CRYPTODEVICES="/dev/<device>@/dev/<removeable-device>,<partition type>"
/tmp/removable/tmp/mkinitrd --crypt-device=/dev/<device>@/dev/<removeable-device>,<partition type>:/path/to/key/file
Example
Password protected
CRYPTODEVICES="/dev/sda2"
Disappearing Key
CRYPTODEVICES="/dev/sda2@/dev/sdb1,ext2:/the.key"
Notice /the.key is a relative path for the removeable device holding
the key. The system will mount the removeable partition ro and read
the key and then unmount it before continuing. Also, the device can
be referenced by LABEL=<lable> or UUID=<uuid> for that filesystem.
Embedded Key
CRYPTODEVICES="/dev/sda2:/tmp/the.key"
NOTES
Creating A Key File
If you have decided to use the key method, you will need to
create a key. It's a general practice to use random data
for the key rather than some arbitrary text.
By default LUKS uses aes cbc sha256 encryption. If we use
this default, we will need a 256 bit key.
We'll use dd and urandom to create the key file. However,
we need to know how many bytes to extract.
256 bits 1 byte
-------- X ------ = 32 bytes
8 bits
We need 32 bytes of random data for a permanent key
mkdir -p /tmp/flash
mount /dev/<device> /tmp/flash
dd if=/dev/urandom of=/tmp/flash/the.key count=1 bs=32
F. Fixed Media
You can have your /boot partition at the beginning of your
fixed disk. However, you will not want to use the standard
key file method for encryption. You will want to use
either the [Passphrase], or the slightly more eclectic
[Disappearing Key] method for the remaining paritions
and/or disks for decryption.
R. Removable Media
You will need to have your removable media present and
attached during the installation.
1) Create a key file and store it on removable media
2) Encrypt the partition with a password and boot from alternate media
3) Encrypt the partition and boot from same media
You will need a /boot partition on your boot drive or some place
This will be unencrypted so I highly encourage use of either
storing the key on the on removable disk so you can take it with you
, doing the [Disappearing Key Method], or the password.
# vim: ts=4:sw=4:et
Questions or Comments can go to Thomas Swan thomas.swan@gmail.com