SECURITY_Encrypting_an_existing_root_partition_DM-Crypt_with_LUKS

Introduction

Disclaimer

This guide is largely based on Reikinio's article SECURITY System Encryption DM-Crypt with LUKS. Since he no longer seems to be an active member of the Gentoo community, I feel that guide is becoming outdated.

There are a lot of guides out there explaining how to encrypt your hard drive in the course of a fresh installation. This guide is supposed to give you some pointers as to what has to be done in the case of an existing installation. All the necessary information can actually be found in System Encryption DM-Crypt with LUKS, so basically I'm just going to explain the differences and slightly change the order of the steps to be performed.

Requirements

Before you begin, make sure you have some storage device at hand (e.g. a hard drive, external or internal) with enough free space to back up the data on your /root partition. I'm not an expert here, but I believe it needs to be formatted with a filesystem which allows ownership and permission attributes to be preserved. ReiserFS or ext2/3/4 should work well, while I would strongly advise against something like FAT16/32. You could even use a large enough partition on the same drive; if you manage to mess up your partition table by typing a wrong command or something, though, then you're pretty much lost. Furthermore, get your favorite LiveCD. I used Knoppix 5.1.1, which worked very well and can be found here: http://knopper.net/knoppix-mirrors/

Additionally, you should make sure your kernel is correctly configured. Go read Kernel Configuration and reconfigure and rebuild your kernel if necessary. Then come back and read on.

You need to have some software installed, too:

emerge sys-fs/cryptsetup-luks
emerge sys-fs/device-mapper

Please check that "sys-fs/cryptsetup-luks" has the "dynamic" USE flag disabled, because we need a statically linked "cryptsetup" binary.

I'll be using the following partitioning scheme throughout this tutorial:

/dev/hda1   /boot
/dev/hda2   /swap (regular)
/dev/hda3   /swap (for suspend2 swapwriter, currently unused)
/dev/hda4   /root

Yours may vary, but it should be easy to adapt the following instructions to your liking. The only really important thing is that if you don't want to boot from a USB stick or the like, you need a separate /boot partition.

Now, if your kernel is correctly configured, you have the necessary packages emerged, and you're clear about your partitioning scheme and whether or not you need a separate /boot partition, we're good to go. Just one word of advice before we begin, because it can't be said often enough:

Warning: Back up your data!!

Building the initramfs

The aforementioned HOWTO describes this step in depth, so you should basically go to Creating initramfs image and follow the instructions. What I'm going to show you, though, is an easy way to build "Busybox" against uclibc, because you'll surely not want to link glibc statically. Off we go getting "buildroot", which you can use to generate a complete uclibc toolchain (compiler, linker etc.) and which consequently also provides a ready-to-use Busybox compiled against uclibc for your enjoyment.

1. Check out the source

svn co svn://uclibc.org/trunk/buildroot
cd buildroot

2. Configure and build

make menuconfig

Configure your arch and subarch, e.g. arch:i386, subarch:i686 and then type

make

Luckily, as a Gentoo user you're used to waiting; this will take a while.

3. Configure Busybox

Once "make" has finished, you still need to change the Busybox configuration to match the one described here: Building BusyBox. To do so, type:

make busybox-menuconfig

Configure the necessary options and then run

make

again.

When done, you should find your shiny new Busybox in "buildroot/build_<arch>/busybox-<version>". Now you're all set and can continue building the "initramfs" as described under Creating initramfs image.

Note: No need to rebuild your system gnupg

If you need a static gnupg binary (see the linked guide), you don't necessarily need to emerge your system gnupg with the "static" USE flag set. You might as well just get the gnupg source from www.gnupg.org, unpack it and do

cd gnupg-<version> 
LDFLAGS="-static" ./configure
make

The resulting static gpg binary can then be found in "gnupg-<version>/g10/".

Putting initramfs to use

If you followed the instructions carefully, you should now have an "initramfs" ready to use. Now you can either build it directly into the kernel or supply its name as an argument to the kernel. Do what you like best; both methods are described here: Bootloader configuration.

Configure your bootloader (Grub) (and, if necessary, your kernel), preserving the original "menu.lst" entry so that you can still boot your system for now.

Note: If you are using bootsplash, you should probably stick with verbose mode until you have everything working.

Check whether you can boot at all using Busybox by rebooting and selecting the newly created Grub entry. Nothing much will happen, since of course your existing /root partition is not encrypted yet and thus can't be decrypted. The Busybox init script will fail with an error and eventually drop you into a minimal shell, but now at least you know your "initramfs" creation has worked out. So far so good. Now you might want to reboot into your system using the original Grub entry to make backup copies of all your valuable data, for the next thing we're going to do is play with partitions.

Backing up /root

Since the original contents of the /root partition will be lost in the process of encrypting it, we need to make a backup from which to restore them later. This involves taking care of ownership, permissions and special files, as well as of other mounted filesystems.

1. Boot a LiveCD

Now's the time to boot the LiveCD of your choice. You should check that it has all the necessary tools available.

2. Mount the backup medium

I used an external hard disk connected through USB.

mkdir /mnt/backupdrive 
mount /dev/sda1 /mnt/backupdrive
mkdir /mnt/backupdrive/rootbackup

You may need to specify the filesystem type for mount (e.g. -t ext3).

3. Mount your /root partition

mkdir /mnt/rootpartition
mount /dev/hda4 /mnt/rootpartition

You may need to specify the filesystem type for mount (e.g. -t ext3).

4. Taking care of file ownership

I'm not quite sure if this step is actually necessary; it did no harm in my case, though. The reason for it is that your LiveCD probably doesn't know all the users and groups on your original system and falls back to defaults when dealing with file ownership.

To circumvent this do the following (as root):

rm /etc/gshadow -f
cp /mnt/rootpartition/etc/group /etc/group
cp /mnt/rootpartition/etc/passwd /etc/passwd
cp /mnt/rootpartition/etc/gshadow /etc/gshadow
cp /mnt/rootpartition/etc/shadow /etc/shadow
chmod 766 /etc/group
chmod 766 /etc/gshadow

This is more or less the brute-force approach. Depending on your LiveCD setup, you might now have trouble switching users (especially using su to become root), so you may want to open more than one root console in advance if needed. These changes affect only the running LiveCD environment, not your installed system. I'm sure there is a more elegant way to do it; feel free to edit.

5. Performing the backup

Time to perform the actual backup. For more information regarding the commands used look here: http://greenfly.org/tips/filesystem_migration.html

cd /mnt/rootpartition
find ./ -xdev -print0 | cpio -pam0V /mnt/backupdrive/rootbackup/

Depending on the size of your /root partition and the backup device being used, this will take a while. The -m flag keeps the original modification times on the copied files, which is what you want for a full root filesystem backup. When done, unmount the backup drive (just to be sure):

umount /mnt/backupdrive/
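Before the original partition is destroyed in the next section, it pays to confirm that the backup really preserved what the steps above set out to preserve. The following script is an added example and not part of the original wiki article: it builds a manifest of each tree with GNU find (file type, mode, owner, group, modification time to the second, size for regular files and target for symlinks) and diffs the two manifests. The mount points /mnt/rootpartition and /mnt/backupdrive/rootbackup are the ones used above; the same check works after the restore step later on, with /mnt/cryptoroot as the second argument.

```shell
#!/bin/sh
# Added example (not from the original wiki article): verify that a cpio
# backup of the root filesystem preserved ownership, permissions, mtimes,
# sizes and symlink targets before the original partition is touched.
# Requires GNU find (for -printf); run as root so every file is readable.

# tree_manifest DIR
# Prints one line per filesystem entry below DIR (staying on that filesystem,
# like the -xdev used for the backup), sorted so two trees can be diffed.
tree_manifest() {
    tree=$1
    (
        cd "$tree" || exit 1
        # Regular files: type, mode, owner, group, mtime, size, path.
        find . -xdev -type f -printf '%y %M %u %g %T@ %s %p\n'
        # Symlinks: compare the link target instead of the mtime, which
        # many copy tools do not set on links.
        find . -xdev -type l -printf '%y %M %u %g - %l %p\n'
        # Directories and special files: mtime but no size.
        find . -xdev ! -type f ! -type l -printf '%y %M %u %g %T@ - %p\n'
    ) | awk '{ sub(/\.[0-9]+$/, "", $5); print }' | LC_ALL=C sort
    # The awk call drops the fractional seconds of %T@: cpio -m restores
    # timestamps with one-second resolution, so that is what we compare.
}

# verify_backup SRC DST
# Returns 0 when DST matches SRC by the criteria above, 1 on any difference
# (shown as a unified diff of the manifests), 2 if either tree is missing.
verify_backup() {
    src=$1
    dst=$2
    if [ ! -d "$src" ] || [ ! -d "$dst" ]; then
        echo "verify_backup: both arguments must be directories" >&2
        return 2
    fi
    tmp=${TMPDIR:-/tmp}/verify_backup.$$
    tree_manifest "$src" > "$tmp.src"
    tree_manifest "$dst" > "$tmp.dst"
    if diff -u "$tmp.src" "$tmp.dst"; then
        count=$(wc -l < "$tmp.src" | tr -d ' ')
        rm -f "$tmp.src" "$tmp.dst"
        echo "OK: $count entries in $dst match $src"
        return 0
    fi
    rm -f "$tmp.src" "$tmp.dst"
    echo "MISMATCH: $dst is not a faithful copy of $src" >&2
    return 1
}

# Usage as a script (the functions can also be sourced from another shell):
#   sh verify_backup.sh /mnt/rootpartition /mnt/backupdrive/rootbackup
if [ $# -eq 2 ]; then
    verify_backup "$1" "$2"
fi
```

A mismatch is printed as a diff, so a single wrong mode on /etc/shadow or a lost mtime shows up as one line instead of a bare "differs". Run it before luksFormat, while the original partition is still mounted read-only on the LiveCD.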

Encrypting the /root partition

The process of luksFormating and luksOpening as well as the creation of a filesystem on the mapped device is covered extensively here: Create mapping between logical and physical partitions. Go there and follow the instructions until you reach "Mounting Partitions".

Restoring the /root backup

OK, I assume you have just luksFormated and luksOpened your brand new crypto /root and that you have created a filesystem of your choice on it. It should map to "/dev/mapper/root", too. Time to get the old stuff back on.

1. Mount the partition

mkdir /mnt/cryptoroot
mount /dev/mapper/root /mnt/cryptoroot

You may need to specify the filesystem type for mount (e.g. -t ext3).

2. Mount the backup again

mount /dev/sda1 /mnt/backupdrive

You may need to specify the filesystem type for mount (e.g. -t ext3).

3. Restore the data

cd /mnt/backupdrive/rootbackup
find ./ -xdev -print0 | cpio -pam0V /mnt/cryptoroot

4. Adjusting fstab

Open "fstab" on your encrypted /root partition

vi /mnt/cryptoroot/etc/fstab

and adjust it to use the mappings like this:

/dev/hda1               /boot           ext2            noauto,noatime          1 2
/dev/mapper/root        /               ext3            noatime,user_xattr      0 1
/dev/mapper/swap        none            swap            sw                      0 0

Don't forget to use the correct filesystem specifier.

Finishing up

When you have restored all the data on your /root partition you're almost done. Unmount and luksClose everything:

umount /mnt/cryptoroot
umount /mnt/backupdrive
cryptsetup luksClose swap
cryptsetup luksClose root

And now you're ready to reboot. Good luck!!

Once your system is back up, you need to adjust /etc/conf.d/cryptfs so that your swap uses encryption, too. Just add the following entry:

swap=swap
source='/dev/hda2'

Adjust to your partitioning scheme of course.

Troubleshooting

If anything goes wrong and you're unable to boot your system with the encrypted /root partition, just throw the LiveCD back in and try to fix the problem from there. You can luksOpen and mount your /root partition and do whatever needs to be done, for example chroot into it and rebuild the "initramfs" or even the kernel.

If everything fails, just drop the encrypted partition and recreate it as a regular one. Then copy your backup data back onto it as shown above.

TODO

- Beautify this article and provide a little more in depth information.

Author(s)

Special thanks go out to Reikinio for the brilliant HOWTO this article is based on, not to forget the developers of cryptsetup-luks and dm-crypt.

External links

How to encrypt /home with the help of dm-crypt and LUKS - Ubuntu HOWTO

-- shugaa -- shugaa at web.de

Retrieved from "http://www.gentoo-wiki.info/SECURITY_Encrypting_an_existing_root_partition_DM-Crypt_with_LUKS"

Last modified: Mon, 04 Aug 2008 09:07:00 +0000