encrypted root partition

This howto explains how to encrypt a root partition and the /home partition using a symmetric key which is stored on a USB memory stick. The memory stick is required during the boot process of the machine, and the data partition holding the keys is itself encrypted using a key which is stored in the initrd image on the notebook.

The whole process is based on a Linux 2.6.x kernel and a Debian unstable system; the current version as of this writing is

draft of the process

  1. boot the machine
  2. pass BIOS and lilo password and get Linux to boot an initrd image
  3. plug in the memory stick (USB)
  4. mount the memory stick using a cleartext key stored in the initrd image
  5. get the root harddisk master key from the memory stick by authenticating the user
  6. set up all other encrypted partitions using the device mapper and the keys on the memory stick
  7. start the device encryption of the root partition
  8. continue the boot process on the real root partition


Before starting the whole process, make sure your system meets the following requirements.

  • the current kernel must use initrd
  • devfs must be disabled in the kernel (CONFIG_DEVFS_FS)
  • the udev package must be installed
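
The kernel-side requirements above can be checked against a kernel config file before any partition is touched. This is an added example, not part of the original howto; `CONFIG_BLK_DEV_INITRD` is the kernel's initrd option (the page names only `CONFIG_DEVFS_FS`), and the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Print y, m or n for one kernel option. A "# CONFIG_X is not set" line and a
# missing line both count as n.
kconfig_value() {  # usage: kconfig_value CONFIG_NAME FILE
    awk -v opt="$1" '
        $0 ~ ("^" opt "=") { sub("^[^=]*=", ""); val = $0 }
        END { print (val == "" ? "n" : val) }' "$2"
}

# Return 0 when the config meets both kernel requirements, 1 otherwise,
# printing one line per failed requirement.
check_kernel_config() {  # usage: check_kernel_config FILE
    rc=0
    if [ "$(kconfig_value CONFIG_BLK_DEV_INITRD "$1")" != "y" ]; then
        echo "FAIL: initrd support (CONFIG_BLK_DEV_INITRD) is not built in"
        rc=1
    fi
    if [ "$(kconfig_value CONFIG_DEVFS_FS "$1")" != "n" ]; then
        echo "FAIL: devfs (CONFIG_DEVFS_FS) is enabled"
        rc=1
    fi
    return $rc
}

# Debian package check for the third requirement (needs dpkg on the host).
udev_installed() {
    dpkg-query -W -f='${Status}' udev 2>/dev/null | grep -q "install ok installed"
}

# Constructed sample config; on a real system pass /boot/config-$(uname -r).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_BLK_DEV_INITRD=y
# CONFIG_DEVFS_FS is not set
CONFIG_EXT3_FS=y
EOF
if check_kernel_config "$sample"; then
    echo "kernel config meets the initrd and devfs requirements"
fi
rm -f "$sample"
```

A passing config only shows that the kernel can use an initrd; whether the boot loader actually loads one is set in the lilo configuration.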

backup of the original system

First make sure to make a working backup of your system.

prepare the harddisk

In my attempt to create an encrypted root partition, I did this by creating it on a host which already had a running setup. Since I am not familiar with Debian's BusyBox system during the installation process, I will not mess around with it.

I just took my notebook's harddisk and placed it into my desktop PC. This is pretty easy and straightforward with a 3.5” hdd adapter for 2.5” drives. A small howto for this can be found here.


After it was installed and usable in the desktop PC, I ran cfdisk to create the necessary partitions. In my case it was this layout:

   Device Boot      Start         End      Blocks   Id  System
/dev/hdb1   *           1           8       64228+  83  Linux
/dev/hdb2               9         373     2931862+  83  Linux
/dev/hdb3             374         758     3092512+  83  Linux
/dev/hdb4             759         789      249007+  82  Linux swap

The planned installation was:

  1. /dev/hdb1 /boot
  2. /dev/hdb2 /
  3. /dev/hdb3 /home
  4. /dev/hdb4 swap

shredding the content

After the partitions were created, I created random noise on all partitions by

$ shred --verbose /dev/hdb1 /dev/hdb2 /dev/hdb3 /dev/hdb4

create the keys

First you have to create a key for each partition you want to encrypt. I suggest using a different key for each one so you won't run into trouble later when you might want to have them separated. The procedure can be found here.

format the partitions

To set up the device mapper mappings and format the partitions, you need these steps for all data partitions:

$ gpg --decrypt root-keyfile.gpg | cryptsetup create rootpartition /dev/hdb2
$ mkfs -t ext3 /dev/mapper/rootpartition
$ gpg --decrypt home-keyfile.gpg | cryptsetup create homepartition /dev/hdb3
$ mkfs -t ext3 /dev/mapper/homepartition


  1. Keep in mind that our boot partition at /dev/hdb1 will stay unencrypted!
  2. You also might want to modify the partitions with tune2fs at this point
  3. A note about the use of journaling filesystems can be found here

mount the partitions

Now after the encryption is in place we can mount the partitions.

$ mount /dev/hdb1 /mnt/boot
$ mount /dev/mapper/homepartition /mnt/home
$ mount /dev/mapper/rootpartition /mnt/root

restore the backup

After the partitions are mounted we can now restore the backup to the corresponding partitions, like

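# assumes backup.tar.gz was created by GNU tar without -P, so member names carry no leading "/"
$ cd /mnt
# GNU tar only treats member arguments as patterns on extraction with --wildcards
$ tar --wildcards -xzf backup.tar.gz "boot/*"
$ tar --wildcards -xzf backup.tar.gz "home/*"
$ cd /mnt/root
# --anchored keeps the excludes from matching deeper paths such as usr/share/boot/
$ tar --anchored --exclude="boot/*" --exclude="home/*" -xzf backup.tar.gz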

Hopefully all backed-up data is now available on the new partitions. ;-)

In case you need some path modifications during extraction, take a look at pax.

Note: Make sure that permissions and ownerships are restored properly before you continue!

prepare the new root partition

  1. Create the mount points /boot and /home
  2. Check that the ownership and permissions of all files were restored as well
  3. Verify that the swap partition in /etc/fstab matches the new disk layout; otherwise the used partition might be destroyed during the first boot process
  4. For the first try it's a good idea to set the init runlevel to single user mode; on Debian systems, edit /etc/inittab and set the default runlevel to 1.
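
Step 3 can be checked mechanically before the first boot. The following is an added example, not part of the original howto: it lists every active swap line in an fstab and compares it with the partition that is meant to be swap. The function names, the device names and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Print the device field of every active (non-comment) swap line in an fstab.
swap_devices() {  # usage: swap_devices FSTAB
    awk '$1 !~ /^#/ && NF >= 3 && $3 == "swap" { print $1 }' "$1"
}

# Return 0 if every swap entry equals EXPECTED_DEVICE, 1 if any entry points
# elsewhere (that partition would be used as swap), 2 if there is no swap
# entry at all.
check_swap() {  # usage: check_swap FSTAB EXPECTED_DEVICE
    devs=$(swap_devices "$1")
    if [ -z "$devs" ]; then
        echo "no swap entry in $1"
        return 2
    fi
    rc=0
    for d in $devs; do
        if [ "$d" != "$2" ]; then
            echo "swap entry $d does not match expected $2"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an fstab restored from the backup that still names the
# swap partition of the old layout. Adjust devices to your own disk layout.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# <file system>           <mount point> <type> <options> <dump> <pass>
/dev/mapper/rootpartition /             ext3   defaults  0      1
/dev/hda1                 /boot         ext3   defaults  0      2
/dev/mapper/homepartition /home         ext3   defaults  0      2
/dev/hda5                 none          swap   sw        0      0
EOF
check_swap "$sample" /dev/hda4 || echo "fix the swap line before the first boot"
rm -f "$sample"
```

On the mounted new root the file to check is /mnt/root/etc/fstab.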

create a crypto enabled initrd image

The process to create a new initrd image is all in this tar archive. A SHA1 fingerprint of this package can be found here. The files can be viewed here.

  1. modify the variable KVERSION in the Makefile to match your current kernel version
  2. copy your current kernel's module directory (usually /lib/modules/VERSION) into the same directory named like the KVERSION variable in the Makefile, e.g.
  3. Check the file init-crypto and make sure the partitions in PARTITIONS are correct
  4. run make all and copy the new initrd.img to the boot partition on the new disk
  5. make sure lilo uses the right initrd image

configure lilo

Update the lilo configuration on the second harddisk (so it can boot later as master). See lilo for details.

unmount the partitions

After that we can unmount the partitions and see how we continue on the original system.

$ umount /mnt/boot
$ umount /mnt/home
$ umount /mnt/root
$ cryptsetup remove homepartition
$ cryptsetup remove rootpartition
harry/encrypted_root_partition.txt · Last modified: 2006/03/26 14:46 (external edit)