Setting up an Encrypted Debian System
Ever since I heard that the new Debian “etch” installer supports encrypted LVM, I wanted to try having an encrypted disk. Given recent news stories about loss of identity information from stolen laptops, it is certainly not paranoid to want to do this — and if you tell me otherwise you are probably one of those guys trying to steal my identity information!
One way would have been to re-install Debian on my laptop from a Debian install CD after saving all my data — but I can already hear sarcastic clucking sounds to the accompaniment of flapping arms folded at the elbows if I even think this way. The whole point of the exercise would be lost if I have to re-configure my laptop all over again. So here goes!
Axioms
Let me first describe the disk configuration that I like to have as it might be a bit unusual. Ever since I learnt about dmsetup and the Linux Device Mapper stuff, my system has had just two partitions:
- /dev/hda1 which is a small (50-100MB) partition for /boot.
- /dev/hda2 which is the rest of the disk and is used through the device mapper.
This allows me to resize filesystems as and when required. Since Debian “sarge” I have used the Linux Volume Manager (LVM) rather than dmsetup to handle this second part. LVM makes it easier to avoid mistakes while configuring the device mapper.
If your current setup is a more “standard” one that consists of a number of partitions for different purposes, don't worry. As part of the process, your machine too will be configured the same way. “We are the Borg. Your devices will also be mapped out!”
Backups Are Important
I do need to assume that you have a backup disk that has enough space to hold a copy of your entire system. You don't?! Then let's assume that you have a partition that has enough space to hold a copy of your entire system. What?! You used up all 40GB of diskspace and don't even have a backup!!
In that case, stop reading this article until you have gone and bought yourself that additional disk space. We won't go anywhere. Come right here after you get ready to backup before your system breaks.
Making Space in the Boot
So let us assume that /dev/sda contains enough free space to keep a copy of your entire system. This is probably an external USB disk and requires a little more care while booting.
The first step in creating a bootable backup is to install all the tools we will need after we re-boot:
apt-get install cryptsetup lvm2 initramfs-tools grub
apt-get install linux-image-2.6-686
In particular, we will use the stock Debian kernel and the stock Debian boot system (grub+initrd). The order of the install commands is important since we want to make sure that the scripts to handle encrypted and/or LVM disks get installed in the initrd. In case you already have the stock Debian kernel installed you should run
update-initramfs -u
instead of the second step above.
Next, we partition the disk /dev/sda with a scheme like that above:
- /dev/sda1 a big enough partition to contain a copy of /boot.
- /dev/sda2 is the rest.
Next, create a regular ext2 file system on /dev/sda1.
mke2fs -L Boot /dev/sda1
We now setup the other partition as an encrypted LVM partition.
cryptsetup luksFormat /dev/sda2
This will ask for a passphrase which will be used to create a Linux Unified Key Setup (LUKS) partition. The partition header of a LUKS partition contains information on how the disk is to be decrypted using a key that is derived from the passphrase.
This passphrase is very important. If you forget it you can forget about all the data in this partition. If you lose it and someone else finds it they can get all the data in this partition.
[ Writing it down on a Post-It note and sticking it to your screen would make a useful reminder... or maybe saving a copy on that newly-encrypted filesystem would be even better. :) If, for some silly reason, you decide that you don't want to follow these time-honored practices, then you might consider saving this password in several places - securely - to prevent loss. -- Ben ]
Next, we get ready to use this partition with the command
cryptsetup luksOpen /dev/sda2 backup
This creates /dev/mapper/backup as a block device containing the unencrypted version of the partition. We will carve this up using LVM2. The commands
pvcreate /dev/mapper/backup
vgcreate vgb /dev/mapper/backup
create an LVM volume group called vgb which will contain the various filesystems. Commands like
lvcreate -n root -L 3G vgb
lvcreate -n swap -L 2G vgb
lvcreate -n home -L 10G vgb
can be used to create the block devices /dev/vgb/root, etc. These can be prepared as usual
mkswap -L Swap /dev/vgb/swap
mke2fs -j -L Root /dev/vgb/root
mke2fs -j -L Home /dev/vgb/home
A Filling
Well, most of you know the drill, but let me repeat it anyway. First create the empty target tree with commands like
mkdir /tmp/target
mount /dev/vgb/root /tmp/target
mkdir /tmp/target/{boot,home}
mount /dev/vgb/home /tmp/target/home
mount /dev/sda1 /tmp/target/boot
Next, copy the files without looping. The find must run from the root directory, and the prune pattern must match the relative name find produces, so that the target directory itself is not copied into itself:
cd /
find . -wholename './tmp/target' -prune -o -print | cpio -pdum /tmp/target
…and go find that cup of coffee with your name written on it. If you are like Chance the gardener in Being There and “like to watch”, then change the -pdum to -pdumv.
Finally, just look through the directory /tmp/target and make sure that you have copied everything properly. This completes the encrypted backup of your system.
Making the Backup Bootable
The first step is to install grub into the boot record of /dev/sda
grub-install --root-directory /tmp/target /dev/sda
After this you may want to replace the device.map file created by grub
echo '(hd0) /dev/sda' > /tmp/target/boot/grub/device.map
We also want the /etc/fstab to reflect the new filesystem structure
pushd /tmp/target/etc
mv fstab fstab.orig
cat > fstab <<EOF
LABEL=Root / ext3 defaults,errors=remount-ro 0 1
LABEL=Swap swap swap defaults 0 0
LABEL=Boot /boot ext2 defaults 0 1
LABEL=Home /home ext3 defaults 0 2
EOF
popd
You may want to add the information on how this disk is encrypted
cat >> /tmp/target/etc/crypttab <<EOF
backup /dev/sda2 none luks
EOF
Finally, we need to create the boot instructions for grub. Begin by editing the file /tmp/target/boot/grub/menu.lst at the line that starts with # kopt= and append to it so that the line reads like
# kopt=ro root=/dev/mapper/vgb-root cryptopts=source=/dev/sda2,target=backup,lvm=vgb-root rootdelay=10
This is all in one line and has been line wrapped for readability. The rootdelay=10 option gives 10 seconds for the USB disk to be recognised by the Debian boot process; you may need more (or less) time on your system.
You may add options like vga=791 to enable the default VESA framebuffer and so on. Just remember to add these to the same line.
Then incorporate this changed configuration into the boot process for grub
chroot /tmp/target update-grub
We now unmount the whole mess.
umount /tmp/target/home
umount /tmp/target/boot
umount /tmp/target
Then disable the LVM:
vgchange -an vgb
Remove the decrypted block device:
cryptsetup remove backup
Now, you can safely detach your external USB disk.
And there you have an encrypted bootable backup. It is possible that your laptop does not boot from USB hard disks. In that case you need to create a “grub boot floppy” if you want this backup to be bootable!
Keeping Up-to-Date
This is rather easy using rsync.
apt-get install rsync
The command would then be something like
rsync -aW --exclude=/tmp/target \
    --exclude=/boot \
    --exclude=/etc/fstab \
    /. /tmp/target/.
You also need to re-run the grub-install command if you do not exclude /boot from the backup. Just to avoid blaming your typing finger you may want to create a script to mount the target, perform the rsync and unmount the target.
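The mount, rsync and unmount script suggested above, as an added example that is not part of the original article. It assumes the article's names (/dev/sda1, /dev/sda2, the backup mapping, volume group vgb, /tmp/target), additionally excludes the pseudo-filesystems and the backup's own /etc/crypttab, and with DRY_RUN=1 only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the article): open the encrypted backup disk,
# mirror the live system onto it with rsync, and always tear it down again.
# Device and volume names follow the article; DRY_RUN=1 prints instead of runs.
set -eu

CRYPT_DEV=${CRYPT_DEV:-/dev/sda2}   # LUKS partition on the external disk
MAPNAME=${MAPNAME:-backup}          # decrypted device: /dev/mapper/backup
VG=${VG:-vgb}                       # volume group inside it
BOOT_DEV=${BOOT_DEV:-/dev/sda1}     # plain ext2 /boot of the backup
TARGET=${TARGET:-/tmp/target}

# Echo the command in dry-run mode, otherwise execute it.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

open_backup() {
    run cryptsetup luksOpen "$CRYPT_DEV" "$MAPNAME"   # prompts for the passphrase
    run vgchange -ay "$VG"
    run mkdir -p "$TARGET"
    run mount "/dev/$VG/root" "$TARGET"
    run mount "/dev/$VG/home" "$TARGET/home"
    run mount "$BOOT_DEV" "$TARGET/boot"
}

# Reverse of open_backup. Every step is attempted even if one fails, so the
# decryption key is removed from the kernel whenever at all possible.
close_backup() {
    run umount "$TARGET/boot" || true
    run umount "$TARGET/home" || true
    run umount "$TARGET" || true
    run vgchange -an "$VG" || true
    run cryptsetup luksClose "$MAPNAME" || true
}

# The backup keeps its own /boot, fstab and crypttab (they describe the
# external disk); pseudo-filesystems and the mount point itself are skipped.
# The /proc, /sys, /dev and crypttab excludes go beyond the article's list.
sync_system() {
    run rsync -aW --delete \
        --exclude="$TARGET" --exclude=/boot \
        --exclude=/etc/fstab --exclude=/etc/crypttab \
        '--exclude=/proc/*' '--exclude=/sys/*' '--exclude=/dev/*' \
        /. "$TARGET"/.
}

backup_main() {
    trap close_backup EXIT     # tear down whether the sync succeeds or fails
    open_backup
    sync_system
}

if [ "${1-}" = run ]; then backup_main; fi   # e.g.  sh backup.sh run
```

Run it with DRY_RUN=1 first to review the exact command sequence before letting it touch the disk; --delete makes the copy a true mirror, so files removed from the laptop disappear from the backup too.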
And Repeat
Of course, this still leaves you open to loss of identity information if your laptop is stolen. So you just boot your newly created encrypted bootable backup (you need to do that anyway to test it!) and repeat the above steps with /dev/sda replaced with /dev/hda. You might also want to replace labels like backup with laptop and vgb with vg to avoid confusing yourself and your system. You should probably skip the rootdelay option in this case since you are booting from the internal disk.
One advantage of converting to LVM is that you can take more “authentic” backups by using “snapshot” images of your system instead of doing a back up while the system is “live”.
Acknowledgements
Clearly, many thanks go out to the guys who wrote the software that makes all this work. In many cases the source is part of the documentation and so it helps that it is very readable.
Thanks also go to the intrepid reader who actually tries out the above steps. They worked for me, but just in case: “Best of LUKS”.
This document was translated from LaTeX by HEVEA.
Kapil Hari Paranjape has been a “hack”-er since his punch-card days. Specifically, this means that he has never written a “real” program. He has merely tinkered with programs written by others. After playing with Minix in 1990-91 he thought of writing his first program—a “genuine” *nix kernel for the x86 class of machines. Luckily for him a certain L. Torvalds got there first—thereby saving him the trouble (once again) of actually writing code. In eternal gratitude he has spent a lot of time tinkering with and promoting Linux and GNU since those days—much to the dismay of many around him who think he should concentrate on mathematical research—which is his paying job. The interplay between actual running programs, what can be computed in principle and what can be shown to exist continues to fascinate him.