This howto explains how to encrypt the root partition and the /home partition using symmetric keys stored on a USB memory stick. The memory stick is required during the boot process of the machine, and the data partition holding the keys is itself encrypted with a key stored in the initrd image on the notebook.
The whole process is based on a Linux 2.6.x kernel and a Debian unstable system; the current version as of this writing is
Before starting the whole process, make sure your system meets the following requirements.
devfs must be disabled in the kernel (
First make sure to make a working backup of your system.
In my attempt to create an encrypted root partition I did this on a host which already had a running setup. Since I am not familiar with Debian's BusyBox system used during the installation process, I will not mess around with it.
I just took my notebook's hard disk and put it into my desktop PC. This is pretty easy and straightforward with a 3.5” adapter for 2.5” drives. A small howto for this can be found here.
After it was installed and usable in the desktop PC I ran cfdisk to create the necessary partitions. In my case it was this layout:
   Device Boot    Start       End    Blocks   Id  System
/dev/hdb1   *          1         8     64228+  83  Linux
/dev/hdb2              9       373   2931862+  83  Linux
/dev/hdb3            374       758   3092512+  83  Linux
/dev/hdb4            759       789    249007+  82  Linux swap
The planned installation was:
After the partitions were created, I wrote random noise over all partitions with
$ shred --verbose /dev/hdb1 /dev/hdb2 /dev/hdb3 /dev/hdb4
First you have to create a key for each partition you want to encrypt. I suggest using a different key for each one so you won't run into trouble later if you want to keep them separated. The procedure can be found here.
To set up the device-mapper mappings and format the partitions, run these steps for all data partitions:
$ gpg --decrypt root-keyfile.gpg | cryptsetup create rootpartition /dev/hdb2
$ mkfs -t ext3 /dev/mapper/rootpartition
$ gpg --decrypt home-keyfile.gpg | cryptsetup create homepartition /dev/hdb3
$ mkfs -t ext3 /dev/mapper/homepartition
/dev/hdb1 will stay unencrypted!
tune2fs at this point
Now that the encryption is in place, we can mount the partitions.
$ mount /dev/hdb1 /mnt/boot
$ mount /dev/mapper/homepartition /mnt/home
$ mount /dev/mapper/rootpartition /mnt/root
After the partitions are mounted we can restore the backup to the corresponding partitions, for example:
$ cd /mnt
$ tar xzf backup.tar.gz "/boot/*"
$ tar xzf backup.tar.gz "/home/*"
$ cd /mnt/root
$ tar --exclude="/boot/*" --exclude="/home/*" -xzf backup.tar.gz "*"
(Newer GNU tar versions no longer treat member names as patterns by default; add --wildcards to the extract commands so that "/boot/*" and "*" match.)
Hopefully all backed-up data is now available on the new partitions.
In case you need some path modifications during extraction, take a look at pax.
Note: Make sure that permissions and ownerships are restored properly before you continue!
/etc/fstab matches the new disk layout; otherwise a partition that is in use might be destroyed during the first boot process
/etc/inittab and set the default runlevel to 1.
Makefile to match your current kernel version
/lib/modules/VERSION) into the same directory named like the
KVERSION variable in the
init-crypto and make sure the partitions in
make all and copy the new initrd.img to the boot partition on the new disk
Update the lilo configuration on the second hard disk (so it can boot later as master). See lilo for details.
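A small check for the /etc/fstab and init-crypto steps above, added here as an example and not part of the original howto: it verifies that the new fstab never mounts a raw encrypted partition directly and only uses mapper names the initrd will create. It assumes the layout from this page (/dev/hdb2 and /dev/hdb3 encrypted, mappings named rootpartition and homepartition); the sample fstab contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original howto). Assumes /dev/hdb2 and
# /dev/hdb3 are the raw encrypted partitions and that init-crypto creates
# the mappings "rootpartition" and "homepartition".

# check_fstab FSTAB RAWDEV... : returns 1 if a raw encrypted partition is
# used directly as a mount source (mounting the ciphertext, or letting fsck
# run on it, is how a partition gets destroyed during the first boot).
check_fstab() {
    fstab="$1"; shift
    rc=0
    for raw in "$@"; do
        # field 1 is the device; skip comment and blank lines
        bad=$(awk -v dev="$raw" '$1 !~ /^#/ && NF > 0 && $1 == dev' "$fstab")
        if [ -n "$bad" ]; then
            printf 'raw encrypted device %s used in %s:\n%s\n' "$raw" "$fstab" "$bad" >&2
            rc=1
        fi
    done
    return $rc
}

# check_mappings FSTAB NAME... : returns 1 if fstab mounts a /dev/mapper/<name>
# that is not one of the mappings the initrd will set up before mounting root.
check_mappings() {
    fstab="$1"; shift
    rc=0
    for name in $(awk '$1 ~ /^\/dev\/mapper\// { sub("/dev/mapper/", "", $1); print $1 }' "$fstab"); do
        found=0
        for known in "$@"; do [ "$name" = "$known" ] && found=1; done
        if [ "$found" -eq 0 ]; then
            printf 'fstab uses /dev/mapper/%s but the initrd does not set it up\n' "$name" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample fstab files for the partition layout shown above.
good_fstab=$(mktemp)
cat >"$good_fstab" <<'EOF'
# <file system>            <mount point> <type> <options> <dump> <pass>
/dev/mapper/rootpartition  /             ext3   defaults  0      1
/dev/hdb1                  /boot         ext3   defaults  0      2
/dev/mapper/homepartition  /home         ext3   defaults  0      2
EOF
bad_fstab=$(mktemp)
printf '/dev/hdb2 / ext3 defaults 0 1\n/dev/hdb1 /boot ext3 defaults 0 2\n' >"$bad_fstab"
```

Run it against the fstab on the mounted new root (e.g. check_fstab /mnt/root/etc/fstab /dev/hdb2 /dev/hdb3) before unmounting; a non-zero exit means the first boot would touch the wrong device.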
After that we can unmount the partitions and see how we continue on the original system.
$ umount /mnt/boot
$ umount /mnt/home
$ umount /mnt/root
$ cryptsetup remove homepartition
$ cryptsetup remove rootpartition