
Encrypting an existing Debian lenny installation

Posted by mikhailian on Wed 8 Jul 2009 at 16:33

Once in a while, I get to travel to places that make me worry about the data on my laptop. This time it is not the US, but another openly democratic country where they kill you for a joint, let alone nude pictures. Enough politics, though.

I have a laptop with /boot on a separate partition, followed by the root (/) partition and a swap partition. Having a separate, unencrypted /boot is mandatory, as the BIOS has to load an unencrypted kernel and its initrd image before anything can access the encrypted partition. Another option is to keep /boot on a USB stick, but that setup could take a whole other post.

First things first, let us install software for managing encrypted disks and updating the initrd image:

# aptitude install cryptsetup initramfs-tools

We have to make sure that the encryption modules are present in the initrd image, so I add the following three modules to the initrd config:

# echo aes-i586 >>/etc/initramfs-tools/modules
# echo dm-crypt >>/etc/initramfs-tools/modules
# echo dm-mod >>/etc/initramfs-tools/modules

This step is probably unnecessary, as update-initramfs is able to figure out the needed modules by parsing /etc/crypttab and /etc/fstab and by checking the currently loaded modules.

The next step is to inform cryptsetup (through /etc/crypttab) and /etc/fstab of the mapping between /dev/hda2 (the physical device) and /dev/mapper/root (the decrypted device-mapper view of it):

# echo "root /dev/hda2 none luks" >>/etc/crypttab
# sed -i 's#/dev/hda2#/dev/mapper/root#' /etc/fstab

We also have to change the root device for grub, the same way we did for /etc/fstab:

# sed -i 's#/dev/hda2#/dev/mapper/root#' /boot/grub/menu.lst

Now, recreate the initrd image by issuing

# update-initramfs -k all -u

We are now ready to shut down and boot from a LiveCD in order to make a backup, create an encrypted partition and copy the root filesystem contents back onto the newly encrypted partition. I leave the choice among the available backup tools as an exercise for the reader; a simple "cp -ax /mnt/root/* /mnt/backup" will do, though.

Once the backup is ready, erase the data on the partition by issuing

# shred -n1 -v /dev/hda2

and then create the encrypted partition with

# cryptsetup luksFormat /dev/hda2
# cryptsetup luksOpen /dev/hda2 root

After the encrypted device is set up and open, create a filesystem, mount it and copy the backup of the root partition to the encrypted device.

# mkfs.ext3 /dev/mapper/root
# mount /dev/mapper/root /mnt/root
# cp -ax /mnt/backup/* /mnt/root/

You are now ready to boot into the encrypted root partition.

Once the root encryption works, adding swap encryption is a piece of cake. Just add it to /etc/crypttab and modify /etc/fstab accordingly:

# echo "swap /dev/hda3 /dev/random swap" >>/etc/crypttab
# sed -i 's#/dev/hda3#/dev/mapper/swap#' /etc/fstab
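As an added example (not code from the article, nor from Debian's cryptsetup package), the following POSIX shell script performs the configuration edits described above for both root and swap: the /etc/crypttab entries, the device replacement in /etc/fstab and in grub's menu.lst. Unlike the one-liners, it refuses to append a duplicate crypttab entry when re-run, it only rewrites the device where it is a whole token (the plain `s#/dev/hda2#...#` would also mangle a /dev/hda20), and it checks afterwards that nothing still points at the raw partition. The function names, the temporary directory and the sample fstab and menu.lst contents are constructed for the demonstration; the script never writes to /etc.

```shell
#!/bin/sh
# Added example, not part of the original article: apply the article's three
# configuration edits (crypttab entry, fstab and menu.lst device replacement)
# idempotently and with whole-token matching.  Every path is a parameter;
# demo() works on constructed copies in a temporary directory.
set -u

# add_crypttab_entry CRYPTTAB NAME DEVICE KEY OPTIONS
# Append one crypttab line unless an entry for NAME already exists.  The
# article's 'echo ... >> /etc/crypttab' appends a duplicate each time it runs.
add_crypttab_entry() {
    crypttab=$1 name=$2 dev=$3 key=$4 opts=$5
    if grep -q "^${name}[[:space:]]" "$crypttab" 2>/dev/null; then
        return 0
    fi
    printf '%s %s %s %s\n' "$name" "$dev" "$key" "$opts" >> "$crypttab"
}

# remap_device FILE DEVICE MAPPED
# Replace DEVICE by MAPPED only where it is a complete token, i.e. followed by
# whitespace or the end of the line, so /dev/hda2 never matches /dev/hda20.
# A temporary file plus mv stands in for the non-portable 'sed -i'.
remap_device() {
    file=$1 dev=$2 mapped=$3
    sed -e "s#${dev}\([[:space:]]\)#${mapped}\1#g" \
        -e "s#${dev}\$#${mapped}#" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# references_raw_device FILE DEVICE
# Exit 0 if FILE still names DEVICE as a complete token.  Run it after the
# remap to confirm no line still points at the raw partition.
references_raw_device() {
    grep -q "$2[[:space:]]" "$1" || grep -q "$2\$" "$1"
}

# demo: run the edits over constructed sample files (hypothetical contents,
# not the article's real files) and print the directory holding the results.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/fstab" <<'EOF'
/dev/hda2   /       ext3    errors=remount-ro   0   1
/dev/hda1   /boot   ext3    defaults            0   2
/dev/hda3   none    swap    sw                  0   0
/dev/hda20  /data   ext3    defaults            0   2
EOF
    cat > "$dir/menu.lst" <<'EOF'
# kopt=root=/dev/hda2 ro
title       Debian GNU/Linux, kernel 2.6.26-2-686
root        (hd0,0)
kernel      /vmlinuz-2.6.26-2-686 root=/dev/hda2 ro quiet
initrd      /initrd.img-2.6.26-2-686
EOF
    : > "$dir/crypttab"
    add_crypttab_entry "$dir/crypttab" root /dev/hda2 none luks
    add_crypttab_entry "$dir/crypttab" root /dev/hda2 none luks   # no-op: already present
    add_crypttab_entry "$dir/crypttab" swap /dev/hda3 /dev/random swap
    remap_device "$dir/fstab"    /dev/hda2 /dev/mapper/root
    remap_device "$dir/fstab"    /dev/hda3 /dev/mapper/swap
    remap_device "$dir/menu.lst" /dev/hda2 /dev/mapper/root
    printf '%s\n' "$dir"
}

# Stand-alone run: 'sh script.sh --demo' shows the rewritten files.
if [ "${1:-}" = "--demo" ]; then
    d=$(demo)
    cat "$d/crypttab" "$d/fstab" "$d/menu.lst"
    rm -rf "$d"
fi
```

To use it on a real system, call the three functions with /etc/crypttab, /etc/fstab and /boot/grub/menu.lst (after backing them up), check `references_raw_device /etc/fstab /dev/hda2` returns non-zero, and still run `update-initramfs -k all -u` as the article does, since the initrd is what reads the new crypttab at boot.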

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (207.192.xx.xx) on Wed 8 Jul 2009 at 18:19
Just curious... does this mean that you will be prompted for a password on every boot? What process is responsible for prompting? I would assume it's the kernel, as it loads the root filesystem. ???

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (85.27.xx.xx) on Wed 8 Jul 2009 at 18:30
AFAIU, it is the /lib/cryptsetup/askpass executable launched after initrd is initialized and the encrypted partition is detected.

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (194.78.xx.xx) on Thu 9 Jul 2009 at 07:11
How can the executable be launched if it is on the encrypted partition?

[ Parent | Reply to this comment ]

initramfs
Posted by Anonymous (212.99.xx.xx) on Wed 29 Jul 2009 at 13:54
I guess it's in the mandatory initramfs

[ Parent | Reply to this comment ]

... but can you make suspend/resume work too?
Posted by Anonymous (217.189.xx.xx) on Wed 8 Jul 2009 at 19:18
Encrypting swap with a random password makes it unnecessary to enter the swap partition password on every boot, but makes it impossible to resume after a suspend.
On a laptop, having suspend/resume is very important.
What would you have to change to make it work?

[ Parent | Reply to this comment ]

Re: ... but can you make suspend/resume work too?
Posted by Anonymous (207.192.xx.xx) on Wed 8 Jul 2009 at 20:05
Tell swap to use a key FILE that is stored on the root partition... LUKS is nice that way. :-)

[ Parent | Reply to this comment ]

Re: ... but can you make suspend/resume work too?
Posted by barak (149.157.xx.xx) on Mon 27 Jul 2009 at 17:49
The easiest way is to set things up the way the Debian installer (including for lenny) wants, namely a disk partitioned into /boot and an encrypted partition, which when decrypted is a physical volume for an LVM volume, which is divided into a / partition and a swap partition. So both are decrypted using the same key, and you can hibernate and resume from the encrypted swap partition.

Worked out of the box for me.

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (93.82.xx.xx) on Wed 8 Jul 2009 at 22:14
ecryptfs is also worth a glance; it's filesystem-level encryption and can be added after installing a system
http://sunoano.name/ws/public_xhtml/debian_security.html#filesystem-level_encryption

good thing is, it also features key management and all the metadata is within the files so those become portable

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (82.24.xx.xx) on Thu 9 Jul 2009 at 19:09
LUKS-based encryption is great :) I have been using this for a while at work. It's also possible to do loopback file-based encryption, if you just want to encrypt a certain folder, for example.

Great article

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (83.215.xx.xx) on Thu 9 Jul 2009 at 19:13

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (213.85.xx.xx) on Wed 15 Jul 2009 at 18:55
You can encrypt/decrypt disks without reformatting them.

for example we have disk /dev/hda1

cryptsetup create my-disk /dev/hda1

# encrypt disk:
dd if=/dev/hda1 of=/dev/mapper/my-disk

# decrypt disk:
dd if=/dev/mapper/my-disk of=/dev/hda1

You can also use this method to change the encryption type.
Until recently I used the loop-aes encryption module; now I am using cryptdisk. I migrated from one to the other without the otherwise necessary backups :)

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (75.99.xx.xx) on Tue 20 Oct 2009 at 21:37
Thanks for the tip! That's really cool. I was a little wary at first, but I tried it, and it worked perfectly.

Doesn't mean you shouldn't back up, but even if you do back up, this still makes the process simpler.

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by mcortese (20.142.xx.xx) on Wed 22 Jul 2009 at 16:52
Since you mainly worry about hiding user data, not system details, have you considered encrypting only the home directory? It should be sensibly easier, would save you from any need for an initrd, and would only ask you the password once.

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (85.27.xx.xx) on Wed 22 Jul 2009 at 20:18
It either requires the home directory on a separate partition or an ecryptfs-based setup with dubious security.

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by cocolocko (189.138.xx.xx) on Sun 26 Jul 2009 at 18:59
mikhailian, you say a /boot partition is mandatory, can you/someone tell me how to separate this partition after the installation?
I have only /swap /root and /home separate.
Thanks and Greetings ;)

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by NicoLarve (82.225.xx.xx) on Mon 17 Aug 2009 at 17:00
You'll need some free space to host a new /boot volume, then:
- copy the content of the initial /boot into it,
- rename the initial /boot into something like /_boot and create an empty /boot directory,
- add a line about this new /boot volume into /etc/fstab and mount it,
- launch update-grub (make sure that the parameter "# groot=(hdX,Y)" is set properly in /boot/grub/menu.lst).
You're done! (I hope I didn't forget something important!)

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (130.206.xx.xx) on Wed 29 Jul 2009 at 12:45
"Another option is to keep /boot on a USB stick, but this setup can take a whole other post."

Could you do a post on how to install a new debian system using this approach?

[ Parent | Reply to this comment ]

On the fly
Posted by Anonymous (212.99.xx.xx) on Wed 29 Jul 2009 at 13:58
It can be done on the fly thanks to Mike Hommey :
http://glandium.org/blog/?p=139
http://glandium.org/blog/?p=141

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Xeeper (92.70.xx.xx) on Mon 10 Aug 2009 at 09:32
Well, if you go to an Asian country like Singapore or China, encrypting your hard disk is a very bad idea. If you're picked out by customs, they can ask that you boot your laptop. You can refuse this of course, but then they can confiscate your laptop. They also know Linux. They know how commands like fdisk and lvm work. Using encrypted partitions increases their curiosity and will certainly lengthen your stay at the airport.

My solution is hiding in plain sight. My main laptop OS is a minimum Lenny distro which is able to setup a (working) VPN connection with the office. This explains why there aren't any recent files in my home or other directories.
It also contains a Xen image which boots my 'normal' lenny distro.

BTW: Just make sure that bash on the boot image doesn't keep a history file.

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (75.20.xx.xx) on Tue 15 Dec 2009 at 16:21
I agree.. Virtual machines are becoming common.. instead of modifying the actual boot system, keep it vanilla and use a VM for privacy... I have been using Virtual Box

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by NicoLarve (82.225.xx.xx) on Mon 17 Aug 2009 at 17:05
Does anyone know about the CPU load increase when switching to encryption on a netbook (using an Intel Atom CPU, for example)?

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by NicoLarve (82.225.xx.xx) on Mon 17 Aug 2009 at 18:24

[ Parent | Reply to this comment ]

Re: Encrypting an existing Debian lenny installation
Posted by Anonymous (121.75.xx.xx) on Mon 24 Dec 2012 at 12:37
Do these instructions work with Debian Squeeze?

[ Parent | Reply to this comment ]