Tuesday, June 22, 2010

Whole-disk encryption on Ubuntu

I've had my wife's laptop running whole-disk encryption with TrueCrypt for a couple of years now, and I always wanted to get that level of security on my Ubuntu machine.  It really makes a lot of sense for the laptops to have as much privacy protection as possible, since we travel with them and therefore they are at higher risk of being stolen.  This week I finally got the opportunity to try it out.

The Plan

I knew I was going to take a performance hit, so I got myself an 8 gig SD card.  The root of my Ubuntu installation would go on it, with an unencrypted /boot partition on the hard drive as well as a 60 gig encrypted /home partition to store all of my files.  The home partition needs its own encryption key, so I decided on a key file that would be stored on the already encrypted root partition, allowing the OS to automatically unlock the home partition and mount it at boot time.

Installation

I downloaded the Ubuntu Alternate Install disk, since the standard install does not include the option to install logical volumes, which are necessary for things like encryption or software RAID.  The installation process was somewhat involved as you need to manually configure your partitions.  There's simply no way around it as your /boot directory needs to be unencrypted (this is because the software that performs on-the-fly encryption and decryption is a kernel module, and it can't be started if it is encrypted).  I tried to configure my /home partition on the 60 gig partition on the hard drive like I wanted, but I kept running into weird problems with the installer, so I decided to take my chances installing /home on the SD card with everything else and seeing if I could set up /home on the 60 gig encrypted partition later.

So I ended up with /boot on an unencrypted partition on the hard drive, my swap space on an encrypted partition on the hard drive, and the root directory with everything else (/etc, /usr, /bin, /home, etc) on the encrypted partition on the SD card.

Configuration of the /home partition on the hard drive

Less than 8 gigs of space was just not going to cut it for my /home partition, so I was anxious to get the 60 gig encrypted partition configured.

After much Googling, I learned that encrypted volumes in Linux are configured on logical volumes.  This means creating a physical partition, configuring it as a physical volume, adding it to a volume group, creating a logical volume inside the group, and finally installing a file system inside the logical volume, but fortunately a handy program called cryptsetup takes care of most of that for you.  Encrypted volumes use LUKS, the Linux Unified Key Setup, along with dm-crypt.  One of the nice things about LUKS is that it contains 8 key "slots", meaning that you can have up to 8 passphrases or key files, any of which will unlock the volume.  This allows me to have a backup passphrase in case I need to reinstall the operating system or the key file goes corrupt.

So I formatted the 60 gig partition with ext4, and then I ran the following to initialize it as a physical volume for use as a logical volume, giving it the name pvHomeDir:

    $ sudo pvcreate /dev/sda7 pvHomeDir

Then I created a volume group called vgHomeDir and added that volume:

    $ sudo vgcreate vgHomeDir /dev/sda7

I then ran the following line to create an encrypted volume in that virtual group:

    $ sudo cryptsetup -y --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda7

It asked me for a passphrase, which I supplied.  When it was finished, I unlocked the new encrypted partition with:

    $ sudo cryptsetup luksOpen /dev/sda7 pvHomeDir

I then created a 60 gig logical volume called lvHomeDir in the encrypted partition with this:

    $ sudo lvcreate -n lvHomeDir -L 60G vgHomeDir

Then I installed an ext4 file system in the new logical volume (note the name and location of the volume; it is located in /dev/mapper and has the name of the volume group prepended with a dash to the name I gave it):

    $ sudo mkfs.ext4 /dev/mapper/vgHomeDir-lvHomeDir

OK, at this point the drive is all set up but it needs that key file so that I don't have to enter two passphrases every time my computer boots.  I created a folder under /usr called keyfile, copied a picture of myself and my daughter into it, and renamed it "file".  To add the file as a key to the new partition I ran the following (I'm pretty sure this is the command but not 100%; I'm sorry if it is wrong and please post a comment if this line needs correcting):

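    # The new key file is the positional argument; --key-file would instead name an existing key used to unlock the volume
    $ sudo cryptsetup luksAddKey /dev/sda7 /usr/keyfile/file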

Almost done!  The partition just needs to be configured so that it will be used for my /home directory.  I edited 2 files:
    1. In /etc/crypttab I entered:
       
        pvHomeDir /dev/sda7 /usr/keyfile/file luks,retry=1,lvm=vgHomeDir

    2. In /etc/fstab I entered:
       
        /dev/mapper/vgHomeDir-lvHomeDir /home ext4 defaults 0 2

I created a directory called crypt in my home directory on the SD card and mounted the volume with the following command:

    $ sudo mount /dev/mapper/vgHomeDir-lvHomeDir /home/jizldrangs/crypt

I then restored my home directory to that folder, and when I rebooted, I had my old desktop background and all of my files! 
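
As an added example (not part of the original post): a shell function that audits the key files a crypttab-format file points at, since a key file like the one above only protects the volume while it sits on encrypted storage and other users cannot read it. The `audit_crypttab` and `demo` names, the optional root prefix, and the swap entry in the demo are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the key files that a
# crypttab-format file references. Usage: audit_crypttab FILE [ROOT]
# ROOT is an optional prefix (assumption) for checking a mounted system copy.
# crypttab fields: <target> <source device> <key file> <options>
audit_crypttab() {
    crypttab=$1
    root=${2:-}
    while read -r target source keyfile options; do
        case $target in ''|'#'*) continue ;; esac    # blank line or comment
        case $keyfile in
            ''|none|-) continue ;;                    # passphrase typed at boot
            /dev/urandom|/dev/random) continue ;;     # throwaway key, e.g. swap
            /boot/*) echo "$target: key file $keyfile is on unencrypted /boot" ;;
        esac
        path=$root$keyfile
        if [ ! -f "$path" ]; then
            echo "$target: key file $keyfile not found"
            continue
        fi
        [ -s "$path" ] || echo "$target: key file $keyfile is empty"
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$path" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "$target: key file $keyfile is accessible to group/other ($perms)"
        fi
    done < "$crypttab"
}

# Constructed demo: the post's crypttab line plus a made-up swap entry,
# placed under a temporary root with a world-readable key file.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/keyfile" "$d/etc"
    echo 'constructed key material' > "$d/usr/keyfile/file"
    chmod 644 "$d/usr/keyfile/file"
    cat > "$d/etc/crypttab" <<'EOF'
pvHomeDir /dev/sda7 /usr/keyfile/file luks,retry=1,lvm=vgHomeDir
cswap /dev/sda6 /dev/urandom swap
EOF
    audit_crypttab "$d/etc/crypttab" "$d"
    rm -rf "$d"
}

[ "$#" -eq 0 ] || audit_crypttab "$@"
```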

Drawbacks

    1.  I have noticed a performance hit when booting and every so often when browsing the web in Firefox.
    2.  During the installation process, I chose the "random key" option for my swap space, so there is no way to do true hibernation, where the state of the machine in memory is saved to disk and restored later.  Suspend, which is where the computer turns off most components and uses minimal power, still works just fine.
