UBUNTU TIPS AND TRICKS

Encrypted Ubuntu 7.04

- How safe can you be?

By: Marius Nestor, Linux Editor

Did you ever live with the fear that somebody may break into your system one day and steal your files? Well, those days are over, because you can now have an entire encrypted operating system. For this setup, we used a freshly installed Ubuntu 7.04 with up-to-date software and nothing else installed, but the following guide is supposed to work with your existing Ubuntu 7.04 installation (no reinstall needed). Beware though: if you don't have the partitions set up as shown below, this will NOT work.

I will NOT be held responsible for any data loss on your hard drive if this process does NOT work for you, so you have been warned: TRY THIS AT YOUR OWN RISK!




Things needed:

- Ubuntu LiveCD
- cryptsetup software

Here is how your partitions should look:

CODE

/dev/sda1 -> /boot (about 150-200 MB, mine is 150 MB)
/dev/sda2 -> swap (double your computer's RAM, mine is 2 GB because I have 1 GB of RAM)
/dev/sda3 -> root (/) (should be more than 5 GB, mine is 35 GB)


WARNING: I have a SATA drive, therefore my partitions are named sda. If you have an IDE drive, then you have to replace sda with hda in the guide.

STEP 1 – Boot from the LiveCD

Insert the Ubuntu 7.04 LiveCD into your optical drive and reboot your computer in order to boot from the CD. When the CD has loaded, open up a terminal (Applications -> Accessories -> Terminal) and become root by typing:

CODE

sudo su


You will be permanently root from now on (that means you will not have to type sudo anymore, until you exit this session).

STEP 2 – Prepare the environment and backup the data

Let's prepare the system for the encryption process by loading some necessary modules into the kernel. Type, or copy / paste the following lines in the terminal window:

CODE

modprobe aes
modprobe dm-crypt
modprobe dm-mod
modprobe sha256


Go to System -> Administration -> Software Sources, check the "Community-maintained Open Source software (universe)" and "Software restricted by copyright or legal issues (multiverse)" options, then click the "Close" button. When you are asked to reload the information about software sources, click the "Reload" button. Wait until the Software Sources window disappears and then type in the terminal window:

CODE

apt-get install cryptsetup


Then let's back up the existing data, starting by creating some temporary folders:

CODE

cd /mnt
mkdir boot root tmp


Then mount the existing partitions to the newly created folders:

CODE

mount /dev/sda1 boot
mount /dev/sda3 root


And now back up the data:

CODE

mkdir tmp/root
cp -axv root/* tmp/root


This last command will output a lot of text (the files that are being copied), so wait until it stops. It takes about 6-7 minutes (depending on the number of files).
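STEP 3 erases /dev/sda3, so once luksFormat runs the copy in /mnt/tmp/root is the only copy of the data. The check below is an added example, not part of the original guide: it refuses to proceed when the backup folder sits on the same filesystem as the source or is too small. The function names and the 10% margin are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the STEP 2 backup copy.
# Paths follow the guide (/mnt/root copied to /mnt/tmp/root).

# used_kb DIR: kilobytes in use on the filesystem that holds DIR
used_kb() { df -Pk "$1" | awk 'NR==2 {print $3}'; }

# avail_kb DIR: kilobytes still free on the filesystem that holds DIR
avail_kb() { df -Pk "$1" | awk 'NR==2 {print $4}'; }

# fits NEED_KB FREE_KB: succeed only if FREE covers NEED plus a 10% margin
# (the margin is an assumption, not a value from the guide)
fits() { [ "$2" -ge $(( $1 + $1 / 10 )) ]; }

# check_backup SRC DST
#   returns 2 if DST is on the filesystem that will be erased,
#   returns 1 if DST is too small, 0 if the copy can go ahead
check_backup() {
    src_dev=$(df -Pk "$1" | awk 'NR==2 {print $1}')
    dst_dev=$(df -Pk "$2" | awk 'NR==2 {print $1}')
    if [ "$src_dev" = "$dst_dev" ]; then
        echo "refusing: $2 is on $src_dev, the filesystem being backed up" >&2
        return 2
    fi
    need=$(used_kb "$1")
    free=$(avail_kb "$2")
    if ! fits "$need" "$free"; then
        echo "refusing: need ${need} kB (+10%), only ${free} kB free on $dst_dev" >&2
        return 1
    fi
    echo "ok: ${need} kB to copy, ${free} kB free on $dst_dev"
}
```

Run `check_backup /mnt/root /mnt/tmp` before the cp command, and do not continue to STEP 3 if cp itself reports an error.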

STEP 3 – Encrypt the filesystem

Good, now that the backup has finished, unmount the drive with:

CODE

umount root


And encrypt the filesystem with the following command:

CODE

cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3


WARNING: All the data will be permanently erased!

Type YES when asked, and enter a strong password (twice). Then type:

CODE

cryptsetup luksOpen /dev/sda3 root
mkfs.ext3 /dev/mapper/root
mount /dev/mapper/root root


Now let's copy back the data from the temporary folder to the newly created encrypted root partition:

CODE

cp -axv tmp/root/* root


Same as above, it will output a lot of text, so wait until it finishes and remove the temporary folder:

CODE

rm -rf tmp/root


STEP 4 – Final adjustments

The filesystem is encrypted now, but it will not work until you do some final adjustments. Type, or copy / paste the following lines:

CODE

mkdir -p root/boot
mount /dev/sda1 root/boot
chroot root


At this moment, you are "virtually" in your root partition, and you can make modifications to it. Let's begin by installing the cryptsetup software:

CODE

apt-get update
apt-get install cryptsetup


Then let's add the necessary kernel modules to the /etc/initramfs-tools/modules file, so that they can be loaded at boot time:

CODE

nano etc/initramfs-tools/modules


And add the following lines to the end of the file:

CODE

aes
dm-crypt
dm-mod
sha256


Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

You must adjust the /etc/fstab file to mount the correct encrypted root partition:

CODE

nano etc/fstab


And change the line that looks like this (the UUID is just an example... yours will be different):

CODE

# /dev/sda3 UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562 / ext3 defaults,errors=remount-ro 0 1


To look like this one:

CODE

/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1


So basically, you just replace (# /dev/sda3 UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562) with (/dev/mapper/root).

Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

Now you must edit the /etc/crypttab file:

CODE

nano etc/crypttab


And add the following line at the end of the file:

CODE

root /dev/sda3 none luks,retry=1,cipher=aes-cbc-essiv:sha256


Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

And now you have to edit the /boot/grub/menu.lst file:

CODE

nano boot/grub/menu.lst


Search for the line that looks like this (the UUID is just an example... yours will be different):

CODE

# kopt=root=UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562 ro


And change it to look like this:

CODE

# kopt=root=/dev/mapper/root ro


Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

Update GRUB with the following command:

CODE

update-grub


And check the /boot/grub/menu.lst file to see if the entries changed like this:

CODE

title Ubuntu, kernel 2.6.20-16-generic
root (hd0,0)
kernel /vmlinuz-2.6.20-16-generic root=/dev/mapper/root ro quiet splash vga=775
initrd /initrd.img-2.6.20-16-generic
quiet
savedefault



As you can see, I have an extra option at the end of the kernel line: vga=775. You are not supposed to have or add this option! Just make sure that you have the root=/dev/mapper/root option. If so, then you can update initramfs with the following command:

CODE

update-initramfs -u -k all


WARNING: If you see an error message about "libdevmapper", just ignore it and continue with the guide.

Exit the chrooted environment and reboot the system with:

CODE

exit
reboot


When the system starts, you will see the Ubuntu boot splash, which will disappear after a few seconds, and all you'll be able to see is a blinking line at the top left of your monitor. Now type the password you set up when you encrypted the filesystem and hit ENTER. If you typed the password correctly, the system continues to boot. That's it folks, your whole Ubuntu 7.04 is now fully encrypted! Keep in mind that the steps above encrypted only the root partition (/dev/sda3); /boot (/dev/sda1) and the swap partition (/dev/sda2) were not encrypted by this guide.
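STEP 4 edits four files that must all agree on the mapping name, and a mismatch only shows up at the next boot. The following consistency check is an added example, not part of the original guide; the function name and its arguments are assumptions, while the file paths and expected values are the ones used in STEP 4.

```shell
#!/bin/sh
# Added example: verify the STEP 4 edits before typing "reboot".
# ROOTDIR is / inside the chroot, or /mnt/root outside it (with /boot mounted).
# NAME is the mapping name passed to luksOpen ("root" in the guide).
check_crypt_root() {
    root=$1; name=${2:-root}; map="/dev/mapper/$name"; rc=0

    # fstab: the active entry mounted on / must be the mapped device
    dev=$(awk '$1 !~ /^#/ && $2 == "/" {print $1}' "$root/etc/fstab")
    [ "$dev" = "$map" ] || { echo "fstab: / is '$dev', want $map" >&2; rc=1; }

    # crypttab: an entry named NAME must exist and carry the luks option
    opts=$(awk -v n="$name" '$1 == n {print $4}' "$root/etc/crypttab")
    case ",$opts," in
        *,luks,*) ;;
        *) echo "crypttab: no luks entry named '$name'" >&2; rc=1 ;;
    esac

    # menu.lst: the kopt template read by update-grub must point at the map
    grep -Eq "^# kopt=root=$map( |\$)" "$root/boot/grub/menu.lst" ||
        { echo "menu.lst: kopt does not set root=$map" >&2; rc=1; }

    # menu.lst: every kernel line that has a root= argument must use the map;
    # kernel lines without root= (such as a memory tester) are ignored
    awk -v want="root=$map" '
        $1 == "kernel" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^root=/) { seen++; if ($i != want) wrong++ }
        }
        END { if (seen == 0 || wrong > 0) exit 1 }
    ' "$root/boot/grub/menu.lst" ||
        { echo "menu.lst: a kernel line lacks root=$map" >&2; rc=1; }

    # initramfs: each of the four modules from the guide must be listed
    for m in aes dm-crypt dm-mod sha256; do
        grep -qx "$m" "$root/etc/initramfs-tools/modules" ||
            { echo "initramfs modules: $m missing" >&2; rc=1; }
    done
    return $rc
}
```

Inside the chroot, run `check_crypt_root /` after update-initramfs and before exit; each mismatch is reported on its own line.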

29th July 2007, 14:50 GMT | Copyright (c) 2007 Softpedia
Encrypted Ubuntu 7.04 - USER OPINIONS

Comment #1 by marriouss on 2007-07-30, 01:43 GMT
Great tutorial!!! Thanks!!!

I've one question: what happens if somehow my system gets damaged (doesn't boot anymore) - will I be able to read the data that I have on the encrypted partition (maybe using the ubuntu live cd)?
A tutorial about these would be great.


Reply #1.1 by marius.nestor on 2007-07-30, 02:15 GMT
Hi! Thanks for your nice words!

It's very simple to mount encrypted partitions.

1. Boot from an Ubuntu LiveCD,
2. Install the cryptsetup software (remember to enable the Universe repository),
3. Create a folder somewhere (sudo mkdir /mnt/tmp)
4. Open the encrypted partition with:

cryptsetup luksOpen /dev/sda3 /mnt/tmp

You'll be asked for the password :)

After that, Ubuntu will immediately open a folder with the hard drive's content.

NOTE: The partition can be /dev/sda3 like in the example above, or any other...

Regards

Comment #2 by marriouss on 2007-07-30, 03:18 GMT
Many thanks, Marius!

For a ubuntu laptop this thing is absolutely great.

Thanks again :)

Reply #2.1 by marius.nestor on 2007-07-30, 15:42 GMT
You're welcome!

There is a little mistake in the example I gave you:

4. Open the encrypted partition with:

sudo cryptsetup luksOpen /dev/sda3 tmp

You'll be asked for the password :)

5. Mount the encrypted partition with:

sudo mount /dev/mapper/tmp /mnt/tmp

And you will find the hard drive's content in /mnt/tmp

Comment #3 by marriouss on 2007-07-31, 03:13 GMT
Good to know:) Thanks

Comment #4 by joinsmith on 2007-09-22, 10:04 GMT
Great guide, but I have a large problem.

I am new to Linux, so this is probably not a big one for you guys.

I have made a fresh install of Ubuntu 7.04 (desktop edition). I have the same setup as in the example above, except that my root is much larger (250GB). I have not installed any additional components before I started this guide.

When I try cp -axv root/* tmp/root, it starts okay, but soon I get problem and run out of space on tmp/root. I don't understand what tmp/root is. Is tmp/root a ramdisk? it could hardly be my CD-ROM drive or harddisk. What should I do ? Please help me!


Reply #4.1 by marius.nestor on 2007-09-22, 11:29 GMT
Hello,

How much RAM do you have? 512 MB?

Comment #5 by joinsmith on 2007-09-22, 11:49 GMT
Hi Marius!

I have 2GB.

Comment #6 by marius.nestor on 2007-09-22, 11:58 GMT
That's very strange... could you please paste here the exact error you receive when you ran out of space?

And please try to run the whole thing again, only this time create a temporary partition on the /mnt folder. Just replace /tmp with /mnt in the above guide.

P.S.: How big is your SWAP partition?

Reply #6.1 by joinsmith on 2007-09-23, 07:06 GMT
I started all over again. I removed all partitions and created new ones, those were also formatted. I am getting good at installing Ubuntu now :-)

Here is a log of what I have done. I did not attach all lines from the copy process, only the last lines, but there you can see the errors. I also tried replacing tmp with mnt, but with the same result as in the log below.

root@ubuntu:/home/ubuntu# sudo su
root@ubuntu:/home/ubuntu# fdisk -l

Disk /dev/sda: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/sda1 1 19 152586 83 Linux
/dev/sda2 66 563 4000185 82 Linux swap / Solaris
/dev/sda3 831 30401 237529057+ 83 Linux
root@ubuntu:/home/ubuntu# modprobe aes
root@ubuntu:/home/ubuntu# modprobe dm-crypt
root@ubuntu:/home/ubuntu# modprobe dm-mod
root@ubuntu:/home/ubuntu# modprobe sha256
root@ubuntu:/home/ubuntu# apt-get install cryptsetup
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
cryptsetup
0 upgraded, 1 newly installed, 0 to remove and 76 not upgraded.
Need to get 266kB of archives.
After unpacking 762kB of additional disk space will be used.
Get:1 http://ftp.ds.karen.hj.se feisty/universe cryptsetup 2:1.0.4+svn26-1ubuntu2 [266kB]
Fetched 266kB in 0s (565kB/s)
Selecting previously deselected package cryptsetup.
(Reading database ... 89899 files and directories currently installed.)
Unpacking cryptsetup (from .../cryptsetup_2%3a1.0.4+svn26-1ubuntu2_amd64.deb) ...
Setting up cryptsetup (1.0.4+svn26-1ubuntu2) ...
update-initramfs: Generating /boot/initrd.img-2.6.20-15-generic

root@ubuntu:/home/ubuntu# cd /mnt
root@ubuntu:/mnt# mkdir boot root tmp
root@ubuntu:/mnt# mount /dev/sda1 boot
root@ubuntu:/mnt# mount /dev/sda3 root
root@ubuntu:/mnt# mkdir tmp/root
root@ubuntu:/mnt# cp -axv root/* tmp/root
.
.
cp: writing `tmp/root/var/run/motd': No space left on device
`root/var/run/klogd' -> `tmp/root/var/run/klogd'
`root/var/run/klogd/kmsg' -> `tmp/root/var/run/klogd/kmsg'
`root/var/run/samba' -> `tmp/root/var/run/samba'
`root/var/run/NetworkManager' -> `tmp/root/var/run/NetworkManager'
`root/var/run/NetworkManager/NetworkManager.pid' -> `tmp/root/var/run/NetworkManager/NetworkManager.pid'
cp: writing `tmp/root/var/run/NetworkManager/NetworkManager.pid': No space left on device
`root/var/run/avahi-daemon' -> `tmp/root/var/run/avahi-daemon'
`root/var/run/cups' -> `tmp/root/var/run/cups'
`root/var/run/cups/certs' -> `tmp/root/var/run/cups/certs'
`root/var/run/dbus' -> `tmp/root/var/run/dbus'
`root/var/run/hal' -> `tmp/root/var/run/hal'
`root/var/run/screen' -> `tmp/root/var/run/screen'
`root/var/run/utmp' -> `tmp/root/var/run/utmp'
`root/var/tmp' -> `tmp/root/var/tmp'
`root/var/local' -> `tmp/root/var/local'
`root/var/opt' -> `tmp/root/var/opt'
`root/var/mail' -> `tmp/root/var/mail'
`root/vmlinuz' -> `tmp/root/vmlinuz'
root@ubuntu:/mnt#




Reply #6.2 by marius.nestor on 2007-09-26, 08:04 GMT
It looks like only on some files it gives you the "No space left on device" warning... which is quite strange...

You didn't tell me how much is your SWAP partition.

Did you try to finish the guide and see if you can boot the system?

Comment #7 by joinsmith on 2007-09-30, 09:44 GMT
Hi Marius!

My SWAP partition is 4GB but I have also tried 6GB and 10GB. But I gave up yesterday. I installed another harddisk and used that one as tmp-storage and then there were no more errors. Maybe this problem I have is because I use the 64bit version of Ubuntu.

The rest of your guide worked fine.

Reply #7.1 by marius.nestor on 2007-09-30, 09:48 GMT
It could be from the 64-bit, I didn't try it on a 64-bit Ubuntu... but I will when Gutsy will be released.

Comment #8 by Daniel on 2007-12-03, 11:05 GMT
What is with the /home partition?? How can I encrypt it, if I use this partition scheme?

/boot /dev/hda1
/swap /dev/hda2
/ /dev/hda3
/home /dev/hda5

