Posted by gpall on Mon 28 Jan 2008 at 15:07
The point of this how-to is to describe the way to migrate to a full-encrypted LVM system (rootfs + data) (only the boot partition obviously stays unencrypted), either coming from an LVM system, either from a simple ext3 system. All you need is some kind of external storage.
It should be here noted that since the operations described below are not very trivial, this procedure should only be followed by people somewhat experienced.
--EDIT: After filing a bug report about this file 'cryptroot', the developers informed me that this file is not needed, so I deleted it (after having completed the whole migration process). Everything seems to be working fine.
Remember again that if at some point, things go bad, you can always use clonezilla to restore your old system.
Now that your system is secured let's play around!
I use the clonezilla CD for most of the jobs as live CD.
So, boot Clonezilla, and give it network. Then enter a console prompt (sudo su) and...
# aptitude update && aptitude dist-upgrade
Before that, you may need something like that:
# ifconfig eth0 up
# dhclient eth0
After sometime your live system will have all the latest & greatest debian software so time to install a couple of tools:
# aptitude install cryptsetup joe
Joe is my favourite editor, so for the rest of the how-to we'll pretend it is yours too.
First, let's destroy your disk!
# cfdisk /dev/hda
and delete all partitions except your /dev/hda1 (NTFS).
Then create a primary partition that will be used for booting: /dev/hda2, with a size of 200 MB.
Then create another primary partition with the rest of the free space (/dev/hda3). This will be your future rootfs and data home.
Then write the partition table to the disk and exit.
This whole fuss just rendered your operating system inoperable and your data a bit crappy. But don't ya worry, we got everything on tar!
We want now to utterly destroy everything on the disk and fill it with random little bits, while at the same time checking for badblocks. Here we go:
# badblocks -s -w -t random -v /dev/hda2
# badblocks -s -w -t random -v /dev/hda3
these two commands will utterly destroy all data on your disk. They will need some time though to do that, so be patient.
After that, let's first give a filesystem to the boot partition. Easy:
# mkfs.ext3 /dev/hda2
Then we will use cryptsetup to make the big partition a dm-crypt device. This is also as easy as stealing from children.
# cryptsetup -y -s 256 -c aes-cbc-essiv:sha256 luksFormat /dev/hda3
I may not have the options in the correct order but this will get you going. Note: Give a good passphrase that you will also remember. You can change this passphrase afterwards, and you also can have multiple passphrases!
Now, time to use this initialized space:
# cryptsetup luksOpen /dev/hda3 lukspace
This will ask you for the previous passphrase. After that, you will see a /dev/mapper/lukspace appearing. This can be now regarded as a device, ready to accept any kind of data. You can format it with ext3, or you can build an LVM on it, which is what we will now do.
So, let's create the LVM.
# pvcreate /dev/mapper/lukspace
# vgcreate vg /dev/mapper/lukspace
# lvcreate -L10G -nroot vg
# lvcreate -l 100%FREE -nmyspace vg
So, we now created the LVM logical volume /dev/vg/root which will host the root filesystem and /dev/vg/myspace which will hold our data! That wasn't difficult, was it?
And now something trivial: format the partitions we've just made...
# mkfs.ext3 /dev/vg/root
# mkfs.ext3 /dev/vg/myspace
After we've created the space for our root filesystem, time to untar our system to its new space.
First of all, we create a mountpoint, say /media/rootfs and we...
# mount /dev/vg/root /media/rootfs
# cd /media/rootfs
# tar xSjf /external_storage/sysbackup.tar.bz2
and wait for it to finish.
Next, create the directories which are needed but were not backuped:
# mkdir proc sys media dev tmp mnt
# chmod 1777 tmp
Now create elsewhere a bootfs mountpoint and mount our future boot partition:
# mount /dev/hda2 bootfs
Then move the boot files from rootfs/boot to this new bootfs place. So, now the /dev/hda2 boot partition has the necessary files to boot.