...making Linux just a little more fun!

Setting up an Encrypted Debian System

By Kapil Hari Paranjape

Ever since I heard that the new Debian “etch” installer supports encrypted LVM, I wanted to try having an encrypted disk. Given recent news stories about loss of identity information from stolen laptops, it is certainly not paranoid to want to do this — and if you tell me otherwise you are probably one of those guys trying to steal my identity information!

One way would have been to re-install Debian on my laptop from a Debian install CD after saving all my data — but I can already hear sarcastic clucking sounds to the accompaniment of flapping arms folded at the elbows if I even think this way. The whole point of the exercise would be lost if I have to re-configure my laptop all over again. So here goes!

Axioms

Let me first describe the disk configuration that I like to have as it might be a bit unusual. Ever since I learnt about dmsetup and the Linux Device Mapper stuff, my system has had just two partitions:

This allows me to resize filesystems as and when required. Since Debian “sarge” I have used the Logical Volume Manager (LVM) rather than raw dmsetup to handle this second part. LVM makes it easier to avoid mistakes while configuring the device mapper.

If your current setup is a more “standard” one that consists of a number of partitions for different purposes, don't worry. As part of the process, your machine too will be configured the same way. “We are the Borg. Your devices will also be mapped out!”

Backups Are Important

I do need to assume that you have a backup disk that has enough space to hold a copy of your entire system. You don't?! Then let's assume that you have a partition that has enough space to hold a copy of your entire system. What?! You used up all 40GB of disk space and don't even have a backup!!

In that case, stop reading this article until you have gone and bought yourself that additional disk space. We won't go anywhere. Come right back here once you are ready to back up, before your system breaks.

Making Space in the Boot

So let us assume that /dev/sda contains enough free space to keep a copy of your entire system. This is probably an external USB disk and requires a little more care while booting.

The first step in creating a bootable backup is to install all the tools we will need after we re-boot:

        apt-get install cryptsetup lvm2 initramfs-tools grub
        apt-get install linux-image-2.6-686 

In particular, we will use the stock Debian kernel and the stock Debian boot system (grub+initrd). The order of the install commands matters: the cryptsetup and lvm2 packages ship initramfs-tools hooks, and those hooks only end up in the initrd if they are already present when the kernel package builds it. In case you already have the stock Debian kernel installed you should run

        update-initramfs -u

instead of the second step above; this rebuilds the initrd with the hooks in place. You can confirm that it worked by listing the contents of the new initrd (zcat it through cpio -t) and checking that sbin/cryptsetup and sbin/lvm are in the listing.

Next, we partition the disk /dev/sda with a scheme like that above:

Then create a regular ext2 file system on /dev/sda1. This partition stays unencrypted: grub has to load the kernel and the initrd from it before there is anything that can ask for a passphrase. The encryption therefore protects the data on the other partition, not the kernel or initrd, which anyone who gets hold of the disk could still replace.

        mke2fs -L Boot /dev/sda1

We now set up the other partition as an encrypted LVM partition.

        cryptsetup luksFormat /dev/sda2

This will ask for a passphrase which will be used to create a Linux Unified Key Setup (LUKS) partition. The LUKS header at the start of the partition records how the partition is encrypted and holds the actual disk key, itself encrypted under a key derived from the passphrase; the passphrase never touches the data directly, which is what lets LUKS keep several passphrases in separate key slots.

This passphrase is very important. If you forget it you can forget about all the data in this partition. If you lose it and someone else finds it they can get all the data in this partition. (A second passphrase can be added to another key slot with cryptsetup luksAddKey, which is safer than handing around the one you typed here.)

[ Writing it down on a Post-It note and sticking it to your screen would make a useful reminder... or maybe saving a copy on that newly-encrypted filesystem would be even better. :) If, for some silly reason, you decide that you don't want to follow these time-honored practices, then you might consider saving this password in several places - securely - to prevent loss. -- Ben ]

Next, we get ready to use this partition with the command

        cryptsetup luksOpen /dev/sda2 backup

This creates /dev/mapper/backup as a block device containing the unencrypted version of the partition. We will carve this up using LVM2. The commands

        pvcreate /dev/mapper/backup
        vgcreate vgb /dev/mapper/backup

create an LVM volume group called vgb which will contain the various filesystems. Commands like

        lvcreate -n root -L 3G vgb
        lvcreate -n swap -L 2G vgb
        lvcreate -n home -L 10G vgb

can be used to create the block devices /dev/vgb/root, etc. These can be prepared as usual

        mkswap -L Swap /dev/vgb/swap
        mke2fs -j -L Root /dev/vgb/root
        mke2fs -j -L Home /dev/vgb/home

A Filling

Well, most of you know the drill, but let me repeat it anyway. First create the empty target tree with commands like

        mkdir /tmp/target
        mount /dev/vgb/root /tmp/target
        mkdir /tmp/target/{boot,home}
        mount /dev/vgb/home /tmp/target/home
        mount /dev/sda1 /tmp/target/boot

Next, copy the files without looping. Run this from the root of the filesystem: find produces paths relative to /, so the target has to be pruned by that relative name, and /proc and /sys are pruned too since they are pseudo-filesystems that the kernel repopulates at boot (their empty mount points are recreated afterwards).

        cd / && find . -path ./tmp/target -prune -o -path ./proc -prune -o -path ./sys -prune -o -print | cpio -pdum /tmp/target
        mkdir -p /tmp/target/{proc,sys}

…and go find that cup of coffee with your name written on it. If you are like Chance the gardener in Being There and “like to watch”, then change the -pdum to -pdumv.

Finally, just look through the directory /tmp/target and make sure that you have copied everything properly. This completes the encrypted backup of your system.

Making the Backup Bootable

The first step is to install grub into the master boot record of /dev/sda, using the copy of /boot that is mounted under the target

        grub-install --root-directory=/tmp/target /dev/sda

grub-install writes a device.map that reflects how the disks look right now, with the USB disk as a second drive; when the BIOS boots from that disk it is the first drive, so replace the file

        echo '(hd0) /dev/sda' > /tmp/target/boot/grub/device.map

We also want the /etc/fstab to reflect the new filesystem structure

        pushd /tmp/target/etc
        mv fstab fstab.orig
        cat > fstab <<EOF
        LABEL=Root      /       ext3 defaults,errors=remount-ro 0 1
        LABEL=Swap      swap    swap defaults   0 0
        LABEL=Boot      /boot   ext2 defaults   0 1
        LABEL=Home      /home   ext3 defaults   0 2
        EOF
        popd

We should also record how this disk is encrypted in crypttab, so that the cryptsetup initramfs hook and the boot-time scripts know about the mapping

        cat >> /tmp/target/etc/crypttab <<EOF
        backup  /dev/sda2       none    luks
        EOF

Finally, we need to create the boot instructions for grub. Begin by editing the file /tmp/target/boot/grub/menu.lst at the line that starts with # kopt= and append to it so that the line reads like

        # kopt=ro root=/dev/mapper/vgb-root
           cryptopts=source=/dev/sda2,target=backup,lvm=vgb-root 
           rootdelay=10

This is all in one line and has been line wrapped for readability. The rootdelay=10 option gives 10 seconds for the USB disk to be recognised by the Debian boot process; you may need more (or less) time on your system.

You may add options like vga=791 to enable the default VESA framebuffer and so on. Just remember to add these to the same line.

Then incorporate this changed configuration into the boot process for grub

        chroot /tmp/target update-grub
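Before unmounting, it is worth checking that menu.lst, crypttab and fstab on the target agree with each other, because a mismatch between the cryptopts target, the crypttab entry and root= is the usual reason such a disk fails to boot. The following is an added example and not code from the original article; it assumes only the file layout used above (the # kopt= line in boot/grub/menu.lst, etc/crypttab and etc/fstab under the mounted target) and parses everything else from the files themselves.

```shell
#!/bin/sh
# Added example (not from the original article): cross-check the three
# files under a mounted target that decide whether the encrypted disk
# boots. Usage: check_boot_config /tmp/target
set -eu

# Print the value of "name=..." from a space-separated option line.
kopt_value() {   # $1 = option line, $2 = option name
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

check_boot_config() {
    root=$1
    kopt=$(sed -n 's/^# kopt=//p' "$root/boot/grub/menu.lst" | head -n 1)
    # cryptopts=source=...,target=...,lvm=... is one word; split its fields
    copts=$(kopt_value "$kopt" cryptopts | tr ',' ' ')
    src=$(kopt_value "$copts" source)
    tgt=$(kopt_value "$copts" target)
    lvm=$(kopt_value "$copts" lvm)
    rootdev=$(kopt_value "$kopt" root)
    fail=0
    if [ -z "$src" ] || [ -z "$tgt" ] || [ -z "$lvm" ]; then
        echo "menu.lst: cryptopts needs source=, target= and lvm="; fail=1
    fi
    # The initrd creates /dev/mapper/$tgt from $src; crypttab must say the same.
    if ! grep -q "^$tgt[[:space:]][[:space:]]*$src[[:space:]]" "$root/etc/crypttab"; then
        echo "crypttab: no line '$tgt $src ...'"; fail=1
    fi
    # root= must be the logical volume the lvm= field tells the initrd to activate.
    if [ "$rootdev" != "/dev/mapper/$lvm" ]; then
        echo "menu.lst: root=$rootdev but lvm=$lvm"; fail=1
    fi
    # fstab must have (non-comment) entries for / and for the unencrypted /boot.
    for mp in / /boot; do
        grep -q "^[^#][^[:space:]]*[[:space:]][[:space:]]*$mp[[:space:]]" "$root/etc/fstab" \
            || { echo "fstab: no entry for $mp"; fail=1; }
    done
    return $fail
}
```

Run it against the mounted target before the umount steps; a non-zero exit with the printed reason is cheaper to act on now than after the first failed boot from the USB disk.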

We now unmount the whole mess.

        umount /tmp/target/home
        umount /tmp/target/boot
        umount /tmp/target

Then disable the LVM:

        vgchange -an vgb

Remove the decrypted block device (cryptsetup luksClose backup is the LUKS-specific way of saying the same thing):

        cryptsetup remove backup

Now, you can safely detach your external USB disk.

And there you have an encrypted bootable backup. It is possible that your laptop does not boot from USB hard disks. In that case you need to create a “grub boot floppy” if you want this backup to be bootable!

Keeping Up-to-Date

This is rather easy using rsync.

        apt-get install rsync

The command would then be something like

        rsync -aW --exclude=/tmp/target \
          --exclude=/proc --exclude=/sys \
          --exclude=/boot \
          --exclude=/etc/fstab \
          --exclude=/etc/crypttab \
          /. /tmp/target/.

You also need to re-run the grub-install command if you do not exclude /boot from the backup. The fstab and crypttab exclusions matter because the backup's copies of those files describe the backup disk, not the laptop, and /proc and /sys are pseudo-filesystems that must not be copied at all. Just to avoid blaming your typing finger, you may want to create a script that mounts the target, performs the rsync and unmounts the target.

And Repeat

Of course, this still leaves you open to loss of identity information if your laptop is stolen. So you just boot your newly created encrypted bootable backup (you need to do that anyway to test it!) and repeat the above steps with /dev/sda replaced with /dev/hda. You might also want to replace labels like backup with laptop and vgb with vg to avoid confusing yourself and your system. You should probably skip the rootdelay option in this case since you are booting from the internal disk.

One advantage of converting to LVM is that you can take more “authentic” backups, in the sense of copying a consistent state, by using “snapshot” images of your logical volumes instead of backing up while the system is “live”.
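A script of the kind suggested under “Keeping Up-to-Date”, extended with the snapshot idea from the previous paragraph, as an added example that is not from the original article. The device names, volume group names, mount points and the 1G snapshot size are assumptions matching the layout used above (LUKS on /dev/sda2 mapped as backup, volume group vgb, /boot on /dev/sda1, target at /tmp/target); SNAPSHOT=1 further assumes the laptop itself already runs on a volume group vg with logical volumes root and home, as it does after the “And Repeat” step. DRY_RUN=1 prints each command instead of running it, which is how to rehearse the sequence before trusting it with a disk.

```shell
#!/bin/sh
# Added example (not from the original article): refresh the encrypted
# bootable backup, optionally from LVM snapshots, and undo everything in
# reverse order even if a step fails. All names below are assumptions
# taken from the article's layout.
set -eu

BACKUP_DEV=${BACKUP_DEV:-/dev/sda2}  # LUKS partition on the backup disk
MAP=${MAP:-backup}                   # name of the decrypted mapping
VG=${VG:-vgb}                        # volume group inside the mapping
BOOT_DEV=${BOOT_DEV:-/dev/sda1}      # unencrypted /boot of the backup disk
TARGET=${TARGET:-/tmp/target}        # where the backup gets mounted
LIVE_VG=${LIVE_VG:-vg}               # laptop's own volume group (SNAPSHOT=1)
SNAP_MNT=${SNAP_MNT:-/mnt/snap}      # where the snapshots get mounted
SNAP_SIZE=${SNAP_SIZE:-1G}           # copy-on-write space per snapshot
SNAPSHOT=${SNAPSHOT:-0}              # 1: copy from snapshots, not live fs
DRY_RUN=${DRY_RUN:-0}                # 1: print commands instead of running

# Every privileged command goes through run(); with DRY_RUN=1 it is only
# printed, so the whole sequence can be rehearsed without the disk.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Tear-down in reverse order. main() registers this as the EXIT trap
# before anything is opened, so a failed rsync never leaves the decrypted
# mapping, the snapshots or the mounts behind. Each step tolerates failure
# so that the later steps still run.
cleanup() {
    if [ "$SNAPSHOT" = 1 ]; then
        run umount "$SNAP_MNT/home" || true
        run umount "$SNAP_MNT" || true
        run lvremove -f "$LIVE_VG/home-snap" || true
        run lvremove -f "$LIVE_VG/root-snap" || true
    fi
    run umount "$TARGET/home" || true
    run umount "$TARGET/boot" || true
    run umount "$TARGET" || true
    run vgchange -an "$VG" || true
    run cryptsetup luksClose "$MAP" || true
}

# Decrypt the backup disk and mount its filesystems in dependency order.
open_target() {
    run cryptsetup luksOpen "$BACKUP_DEV" "$MAP"   # prompts for the passphrase
    run vgchange -ay "$VG"
    run mkdir -p "$TARGET"
    run mount "/dev/$VG/root" "$TARGET"
    run mount "/dev/$VG/home" "$TARGET/home"
    run mount "$BOOT_DEV" "$TARGET/boot"
}

# Freeze root and home at one instant and mount the frozen images
# read-only; the copy is then consistent even while the laptop is in use.
make_snapshots() {
    run lvcreate -s -L "$SNAP_SIZE" -n root-snap "$LIVE_VG/root"
    run lvcreate -s -L "$SNAP_SIZE" -n home-snap "$LIVE_VG/home"
    run mkdir -p "$SNAP_MNT"
    run mount -o ro "/dev/$LIVE_VG/root-snap" "$SNAP_MNT"
    run mount -o ro "/dev/$LIVE_VG/home-snap" "$SNAP_MNT/home"
}

# Mirror the tree rooted at $1 ("" for the live root) onto the target.
# --delete keeps the backup an exact mirror; rsync never deletes excluded
# paths, which is what keeps the target's own /boot, fstab and crypttab
# (they describe the backup disk, not the laptop) intact.
sync_to_target() {
    src=$1
    run rsync -aW --delete \
        --exclude=/tmp/target --exclude=/proc --exclude=/sys --exclude=/dev \
        --exclude=/boot --exclude=/etc/fstab --exclude=/etc/crypttab \
        "$src/." "$TARGET/."
}

main() {
    trap cleanup EXIT
    open_target
    if [ "$SNAPSHOT" = 1 ]; then
        make_snapshots
        sync_to_target "$SNAP_MNT"
    else
        sync_to_target ""
    fi
}

# "sh backup.sh run" does the work ("DRY_RUN=1 sh backup.sh run" rehearses
# it); without the argument the file only defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

The EXIT trap is the important design point: the mapping under /dev/mapper is the decrypted disk, and leaving it open after a failed run defeats the purpose of the exercise, so closing it is not left to whether the script reached its last line.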

Acknowledgements

Clearly, many thanks go out to the guys who wrote the software that makes all this work. In many cases the source is part of the documentation and so it helps that it is very readable.

Thanks also go to the intrepid reader who actually tries out the above steps. They worked for me, but just in case: “Best of LUKS”.





Kapil Hari Paranjape has been a “hack”-er since his punch-card days. Specifically, this means that he has never written a “real” program. He has merely tinkered with programs written by others. After playing with Minix in 1990-91 he thought of writing his first program, a “genuine” *nix kernel for the x86 class of machines. Luckily for him a certain L. Torvalds got there first, thereby saving him the trouble (once again) of actually writing code. In eternal gratitude he has spent a lot of time tinkering with and promoting Linux and GNU since those days, much to the dismay of many around him who think he should concentrate on mathematical research, which is his paying job. The interplay between actual running programs, what can be computed in principle and what can be shown to exist continues to fascinate him.

Copyright © 2007, Kapil Hari Paranjape. Released under the Open Publication License unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 140 of Linux Gazette, July 2007
