How safe can you be?

Jul 29, 2007 14:50 GMT

Did you ever live with the fear that somebody may break into your system one day and steal your files? Well, those days are over, because you can now have an entire encrypted operating system. Keep in mind what this buys you: the data on the root partition is unreadable without the password while the machine is off (or the partition is locked); on a running, unlocked system the files are as accessible as before. For this setup, we used a freshly installed Ubuntu 7.04 with up-to-date software, nothing else installed. But the following guide is supposed to work with your actual Ubuntu 7.04 installation (no reinstall needed). Beware though: if you don't have the partitions set up like it's shown below, this will NOT work.

I will NOT be held responsible for any data loss on your hard drive if this process does NOT work for you, so you have been warned: TRY THIS AT YOUR OWN RISK!

Things needed:

- Ubuntu LiveCD
- cryptsetup software

Here is how your partitions should look:

code
/dev/sda1 -> /boot (about 150-200 MB, mine is 150 MB)
/dev/sda2 -> swap (double your computer's RAM, mine is 2 GB because I have 1 GB of RAM)
/dev/sda3 -> root (/) (should be more than 5 GB, mine is 35 GB)

WARNING: I have a SATA drive, therefore my partitions are named sda. If you have an IDE drive, then you have to replace sda with hda in the guide.

The /boot partition has to stay unencrypted: GRUB needs to load the kernel and the initramfs (the part that will ask for your password) before the encrypted root can be unlocked. Swap is also left in the clear by this guide, so anything the kernel swaps out is written to disk unencrypted.

STEP 1 - Boot from the LiveCD

Insert the Ubuntu 7.04 LiveCD into your optical drive and reboot your computer in order to boot from the CD. When the CD has loaded, open up a terminal (Applications -> Accessories -> Terminal) and become root by typing:

code
sudo su
You will be permanently root from now on (that means you will not have to type sudo anymore, until you exit this session).

STEP 2 - Prepare the environment and back up the data

Let's prepare the system for the encryption process by loading some necessary modules into the kernel. Type, or copy / paste the following lines in the terminal window:

code
modprobe aes
modprobe dm-crypt
modprobe dm-mod
modprobe sha256

Go to System -> Administration -> Software Sources, check the "Community-maintained Open Source software (universe)" and "Software restricted by copyright or legal issues (multiverse)" options, then click the "Close" button. When you are asked to reload the information about software sources, click the "Reload" button. Wait until the Software Sources window disappears and then type in the terminal window:
code
apt-get install cryptsetup
Then let's back up the existing data by creating some temporary folders:
code
cd /mnt
mkdir boot root tmp
Then mount the existing partitions to the newly created folders:
code
mount /dev/sda1 boot
mount /dev/sda3 root
And now back up the data:
code
mkdir tmp/root
cp -axv root/. tmp/root
This last command will output a lot of text (the files that are being copied), so wait until it stops. It takes about 6-7 minutes (depending on the number of files). root/. is used instead of root/* so that hidden files in the top directory are copied as well. Keep in mind that /mnt on the LiveCD lives in the live session's memory, so the copy has to fit in RAM (plus swap, if the live session activated it); if your installation is bigger than that, mount an external disk on /mnt/tmp first. Make sure the copy finished without errors before going on, because the next step wipes /dev/sda3.

STEP 3 - Encrypt the filesystem

Good, now that the backup has finished, unmount the partition with:

code
umount root
And encrypt the filesystem with the following command:
code
cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3

WARNING: All the data will be permanently erased!

Type YES when asked, and enter a strong password (twice). Then type:

code
cryptsetup luksOpen /dev/sda3 root
mkfs.ext3 /dev/mapper/root
mount /dev/mapper/root root
Now let's copy back the data from the temporary folder to the newly created encrypted root partition:
code
cp -axv tmp/root/. root
Same as above, it will output a lot of text, so wait until it finishes, then remove the temporary folder:
code
rm -rf tmp/root

STEP 4 - Final adjustments

The filesystem is encrypted now, but it will not work until you do some final adjustments. Type, or copy / paste the following lines:

code
mkdir root/boot
mount /dev/sda1 root/boot
chroot root
At this moment, you are "virtually" in your root partition, and you can make modifications to it. Let's begin by installing the cryptsetup software:
code
apt-get update
apt-get install cryptsetup
Then let's add the necessary kernel modules to the /etc/initramfs-tools/modules file, so that they can be loaded at boot time:
code
nano etc/initramfs-tools/modules
And add the following lines to the end of the file:
code
aes
dm-crypt
dm-mod
sha256
Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

You must adjust the /etc/fstab file to mount the correct encrypted root partition:

code
nano etc/fstab
And change the lines that look like this (the UUID is just an example... yours will be different):
code
# /dev/sda3
UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562 / ext3 defaults,errors=remount-ro 0 1
To look like this one:
code
/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1
So basically, you just replace (# /dev/sda3 UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562) with (/dev/mapper/root) and leave the rest of the line as it is.

Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

Now you must edit the /etc/crypttab file:

code
nano etc/crypttab
And add the following line at the end of the file:
code
root /dev/sda3 none luks,retry=1,cipher=aes-cbc-essiv:sha256
Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

And now you have to edit the /boot/grub/menu.lst file:

code
nano boot/grub/menu.lst
Search for the line that looks like this (the UUID is just an example... yours will be different):
code
# kopt=root=UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562 ro
And change it to look like this:
code
# kopt=root=/dev/mapper/root ro
Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

Update GRUB with the following command:

code
update-grub
And check the /boot/grub/menu.lst file to see if the entries changed like this:
code
title Ubuntu, kernel 2.6.20-16-generic
root (hd0,0)
kernel /vmlinuz-2.6.20-16-generic root=/dev/mapper/root ro quiet splash vga=775
initrd /initrd.img-2.6.20-16-generic
quiet
savedefault
As you can see, I have an extra option at the end of the kernel line: vga=775. You are not supposed to have or add this option! Just make sure that you have root=/dev/mapper/root option. If so, then you can update initramfs with the following command:
code
update-initramfs -u -k all
WARNING: If you see an error message about "libdevmapper", just ignore it and continue with the guide.
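Before leaving the chroot it is worth checking that every file touched in STEP 4 agrees on /dev/mapper/root, because a typo in any of them leaves the system hanging at the blinking cursor. The script below is an added example, not part of the original guide: it makes the same fstab, crypttab, modules and menu.lst edits without nano and then runs that check. It assumes the guide's device names (/dev/sda3, /dev/mapper/root); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original guide: makes the STEP 4 edits without
# nano and checks them before leaving the chroot. $1 is the root of the system
# being converted (/mnt/root from the LiveCD, or / from inside the chroot).
# Device names are the guide's (assumption); replace sda with hda for IDE drives.
CRYPT_DEV=/dev/sda3
MAPPER=/dev/mapper/root

# Rewrite a file through sed via a temp copy (avoids the non-portable "sed -i").
sed_file() { sed "$1" "$2" > "$2.new" && mv "$2.new" "$2"; }

# fstab: swap the "UUID=... / ext3 ..." root entry for the mapper device. The
# "# /dev/sda3" comment above it and the swap line are left untouched.
patch_fstab() {
    sed_file "s|^UUID=[^[:space:]]*[[:space:]]*/[[:space:]]|$MAPPER / |" "$1/etc/fstab"
}

# menu.lst: point the "# kopt=root=..." template at the mapper device, so that
# update-grub regenerates every kernel line with root=/dev/mapper/root.
patch_kopt() {
    sed_file "s|^# kopt=root=[^[:space:]]* |# kopt=root=$MAPPER |" "$1/boot/grub/menu.lst"
}

# crypttab entry and initramfs modules exactly as in the guide; safe to run twice.
add_crypt_entries() {
    grep -q "^root $CRYPT_DEV " "$1/etc/crypttab" 2>/dev/null ||
        echo "root $CRYPT_DEV none luks,retry=1,cipher=aes-cbc-essiv:sha256" >> "$1/etc/crypttab"
    for m in aes dm-crypt dm-mod sha256; do
        grep -qx "$m" "$1/etc/initramfs-tools/modules" 2>/dev/null ||
            echo "$m" >> "$1/etc/initramfs-tools/modules"
    done
}

# Pre-reboot check: fstab, crypttab, the module list and GRUB must all agree on
# /dev/mapper/root, or the first boot will hang at the blinking cursor.
# Returns 0 when consistent, 1 (with one message per problem) otherwise.
check_config() {
    r="$1"; rc=0
    grep -q "^$MAPPER / " "$r/etc/fstab" || { echo "fstab: root is not $MAPPER"; rc=1; }
    grep -q "^root $CRYPT_DEV none luks" "$r/etc/crypttab" || { echo "crypttab: no root entry"; rc=1; }
    for m in aes dm-crypt dm-mod sha256; do
        grep -qx "$m" "$r/etc/initramfs-tools/modules" || { echo "modules: $m missing"; rc=1; }
    done
    grep -q "^# kopt=root=$MAPPER ro" "$r/boot/grub/menu.lst" || { echo "menu.lst: kopt not updated"; rc=1; }
    grep -q "^kernel[[:space:]].*root=$MAPPER[[:space:]]" "$r/boot/grub/menu.lst" ||
        { echo "menu.lst: kernel line lacks root=$MAPPER, run update-grub"; rc=1; }
    return $rc
}
```

Inside the chroot, run the patch functions, then update-grub, then check_config / and fix whatever it reports before update-initramfs and reboot.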

Exit the chrooted environment and reboot the system with:

code
exit
reboot
When the system starts, you will see the Ubuntu boot splash, which will disappear after a few seconds, and all you'll be able to see is a blinking cursor in the top left corner of your monitor. Now type the password you set up when you encrypted the filesystem and hit ENTER. If you typed the password correctly, you will notice that the system continues to boot. That's it folks, your whole Ubuntu 7.04 is now fully encrypted!