Attached are some directions on how to create a Debian system with
encrypted root.
--
Russell O'Connor <http://r6.ca/>
``All talk about `theft,''' the general counsel of the American Graphophone
Company wrote, ``is the merest claptrap, for there exists no property in
ideas musical, literary or artistic, except as defined by statute.''
2006-09-17
This document describes how to create a root encrypted partition for a Debian
system. The resulting system will have /boot partition for booting that
remains unencrypted.
1. Install loop-aes
- You can either install the precompiled modules for your precompiled kernel,
or compile the modules yourself
Install precompiled modules
- Install the precompiled module for your kernel (example package:
loop-aes-2.6.17-1-686)
Compile the modules yourself
- Install the packages are loop-aes-source (and optionally loop-aes-ciphers).
- get the headers for your kernel (example package:
linux-headers-2.6.17-1-686)
- run the commands
module-assistant build loop-aes
module-assistant install loop-aes
- In both cases install loop-aes-utils
- Now add ``loop'' to your /etc/modules file and reboot.
(Alternatively you can just ``modprobe loop'')
- Now would be a good time to try out loop-aes by enabling encrypted swap (see
loop-aes readme).
Make new partitions
- use (c)fdisk or whatever.
- create a new partition for the new encrypted root partition.
- create a new partition for the unencrypted boot partition (if you have an
existing boot partition it can be reused).
(This document will use the partition /dev/hdb1 as the running example for
the encrypted root partition and /dev/hdb2 for the boot partition.)
- We will keep the existing root partition as a bootable maintenance partition.
(Bs eting the existing partition (to turn into swap for instance) is a
reasonable alternative)
- In a vague attempt to hide the purpose of the partition you may set the
partition type to whatever you want. Although this method of stenography isn't
particularly effective.
Fill new root partition with random data
- initializing your partition with random data will disguise how much data is
on your partition.
- The commands (from the loop-aes readme) are
head -c 15 /dev/urandom | uuencode -m - | head -n 2 | tail -n 1 | losetup
-p 0 -e AES128 /dev/loop3 /dev/hdb1
dd if=/dev/zero of=/dev/loop0 bs=4k conv=notrunc
losetup -d /dev/loop0
(/dev/loopn can be used for any n if loop0 is already in use.
We shall continue to use loop0 in this example)
Make encryption keys
- While the disk is being filled with random data (from the previous step) you
can start making the encryption keys.
(If the local machine doesn't have a good source of entropy, you may wish to
generate the keys on a local machine and copy it to your remote machine.)
- Choose a passphrase for the keys. This is all that is standing between an
attacker and your data, so choose carefully.
- The command (from the loop-aes readme) is
head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | gpg
--symmetric -a > keyfile.gpg
Create and mount a filesystem on the encrypted partition
- Enable the loopback device with the command
losetup -e AES128 -K keyfile.gpg /dev/loop0 /dev/hdb1
(you can choose any n from 0 to 7 for /dev/loopn so long as it is unique for
your system)
- Create your favourite file system on /dev/loop0 with mkfs
- Mount your new file system
mount /dev/loop0 /mnt
Create and mount a filesystem on the boot partion (if you created a new boot
partition)
- use mkfs
- mount it
mkdir /mnt/boot
mount /dev/hdb2 /mnt/boot
(If you are reusing an existing /boot you must ``mkdir /mnt/boot && mount
--bind /boot/ /mnt/boot/'' to mount it on the new root filesystem).
Copy keys onto boot partition
- mkdir /mnt/boot/keys
- cp keyfile.gpg /mnt/boot/keys/rootkeyfile.gpg
Install Debian on encrypted root
- install package cdebootstrap
- Run cdebootstrap
cdebootstrap --flavour=standard stable /mnt/
http://ftp.[CC].debian.org/debian
([CC] is the country code of the mirror you want to use.)
Configure the new Debian system
- The following file need to be created (usually by copying from your existing
system).
/mnt/etc/apt/sources.list
/mnt/etc/resolv.conf
/mnt/etc/network/interfaces
/mnt/etc/hostname
/mnt/etc/hosts
- Create (copy) /mnt/etc/fstab but edit it as follows.
1. Create (replace) a new root entry such as
/dev/hdb1 / ext3
defaults,loop=/dev/loop0,encryption=AES128,gpgkey=/boot/keys/rootkeyfile.gpg
0 0
2. Make sure there is a /boot entry such as
/dev/hdb2 /boot ext2 sync 0 2
- Chroot into the new root
chroot /mnt
- Set a root password with ``passwd''
- Run ``aptitude update''.
- Install loop-aes modules (and a kernel) and utils into the new root as you
did above. (It is important to install loop-aes first before installing
initramfs-tools so that initramfs-tools on installation will detect the
encrypted root partition.)
- Install packages for the system to be able to boot
grub
gnupg
initramfs-tools (do not install yaird, loop-aes-utils supports
initramfs-tools out of the box)
Setup grub
- In the case you have a new /boot then
exit the chroot ``exit''
run ``grub-install --root-directory=/mnt/boot/ /dev/hda''
``chroot /mnt''
run ``update-grub'' (this creates /boot/grub/menu.lst)
- In all cases
edit /boot/grub/menu.lst
kopt=root=/dev/sdb1 ro
groot=(hd1,1) ## This is the boot partition
run ``update-grub''
Reboot!
