Have you ever lived with the fear that somebody may break into your system one day and steal your files? Well, those days are over, because you can now have an entire encrypted operating system. For this setup, we used a freshly installed Ubuntu 7.04 with up-to-date software and nothing else installed. The following guide should also work with your existing Ubuntu 7.04 installation (no reinstall needed). Beware though: if your partitions are not set up as shown below, this will NOT work.
I will NOT be held responsible for any data loss on your hard drive if this process does NOT work for you, so you have been warned: TRY THIS AT YOUR OWN RISK!
Things needed:
- Ubuntu LiveCD
- cryptsetup software
Here is how your partitions should look:
/dev/sda2 -> swap (double the size of your computer's RAM; mine is 2 GB because I have 1 GB of RAM)
/dev/sda3 -> root (/) (should be more than 5 GB, mine is 35 GB)
WARNING: I have a SATA drive, therefore my partitions are named sda. If you have an IDE drive, then you have to replace sda with hda in the guide.
STEP 1 - Boot from the LiveCD
Insert the Ubuntu 7.04 LiveCD into your optical drive and reboot your computer in order to boot from the CD. When the CD has loaded, open up a terminal (Applications -> Accessories -> Terminal) and become root by typing:
You will be permanently root from now on (that means you will not have to type sudo anymore, until you exit this session).
STEP 2 - Prepare the environment and back up the data
Let's prepare the system for the encryption process by loading some necessary modules into the kernel. Type, or copy / paste the following lines in the terminal window:
modprobe dm-crypt
modprobe dm-mod
modprobe sha256
Go to System -> Administration -> Software Sources, check the "Community-maintained Open Source software (universe)" and "Software restricted by copyright or legal issues (multiverse)" options, then click the "Close" button. When you are asked to reload the information about software sources, click the "Reload" button. Wait until the Software Sources window disappears and then type in the terminal window:
Then let's back up the existing data by creating some temporary folders:
mkdir boot root tmp
Then mount the existing partitions to the newly created folders:
mount /dev/sda3 root
And now back up the data:
cp -axv root/* tmp/root
This last command will output a lot of text (the files that are being copied), so wait until it stops. It takes about 6-7 minutes (depending on the number of files).
STEP 3 - Encrypt the filesystem
Good, now that the backup has finished, unmount the drive with:
And encrypt the filesystem with the following command:
WARNING: All the data will be permanently erased!
Type YES when asked, and enter a strong password (twice). Then type:
mkfs.ext3 /dev/mapper/root
mount /dev/mapper/root root
Now let's copy back the data from the temporary folder to the newly created encrypted root partition:
Same as above, it will output a lot of text, so wait until it finishes and then remove the temporary folder:
STEP 4 - Final adjustments
The filesystem is encrypted now, but it will not work until you do some final adjustments. Type, or copy / paste the following lines:
mount /dev/sda1 root/boot
chroot root
At this moment, you are "virtually" in your root partition, and you can make modifications to it. Let's begin by installing the cryptsetup software:
apt-get install cryptsetup
Then let's add the necessary kernel modules to the /etc/initramfs-tools/modules file, so that they can be loaded at boot time:
And add the following lines to the end of the file:
dm-crypt
dm-mod
sha256
Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.
You must adjust the /etc/fstab file to mount the correct encrypted root partition:
And change the line that looks like this (the UUID is just an example... yours will be different):
To look like this one:
So basically, you just replace (# /dev/sda3 UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562) with (/dev/mapper/root).
Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.
Now you must edit the /etc/crypttab file:
And add the following line at the end of the file:
Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.
And now you have to edit the /boot/grub/menu.lst file:
Search for the line that looks like this (the UUID is just an example... yours will be different):
And change it to look like this:
Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.
Update GRUB with the following command:
And check the /boot/grub/menu.lst file to see if the entries changed like this:
root (hd0,0)
kernel /vmlinuz-2.6.20-16-generic root=/dev/mapper/root ro quiet splash vga=775
initrd /initrd.img-2.6.20-16-generic
quiet
savedefault
As you can see, I have an extra option at the end of the kernel line: vga=775. You are not supposed to have or add this option! Just make sure that you have the root=/dev/mapper/root option. If so, then you can update initramfs with the following command:
WARNING: If you see an error message about "libdevmapper", just ignore it and continue with the guide.
Exit the chrooted environment and reboot the system with:
reboot
When the system starts, you will see the Ubuntu boot splash, which will disappear after a few seconds, and all you'll be able to see is a blinking line on the top left side of your monitor. Now you should type the password you set up when you encrypted the filesystem and hit ENTER. If you typed the password correctly, you will notice that the system continues to boot. That's it folks, your whole Ubuntu 7.04 is now fully encrypted!
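A consistency check for the STEP 4 edits, added here as an example and not part of the original guide: it confirms that the initramfs module list, fstab, crypttab and menu.lst all agree on /dev/mapper/root. Run it after leaving the chroot and before the reboot, from the directory that contains the root folder. It assumes the crypttab target is named root and that Linux kernel images are named vmlinuz; the function names and the check.sh file name are made up for this example.

```shell
#!/bin/sh
# Added example: consistency check for the four files edited in STEP 4.
# Usage from the LiveCD, outside the chroot:  sh check.sh root
# Prints each problem found and returns the number of problems (0 = consistent).

fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

check_encrypted_root() {
    r=$1            # directory where the new root (and its /boot) is mounted
    problems=0

    # 1. Modules the initramfs needs in order to unlock the root device.
    for m in dm-crypt dm-mod sha256; do
        grep -qxF "$m" "$r/etc/initramfs-tools/modules" 2>/dev/null ||
            fail "module $m not listed in /etc/initramfs-tools/modules"
    done

    # 2. fstab: the entry for / must use the mapped device, not sda3 or a UUID.
    rootdev=$(awk '$1 !~ /^#/ && $2 == "/" { print $1 }' \
        "$r/etc/fstab" 2>/dev/null) || rootdev=
    [ "$rootdev" = "/dev/mapper/root" ] ||
        fail "fstab mounts / from '${rootdev:-nothing}', expected /dev/mapper/root"

    # 3. crypttab: field 1 is the mapper name; it must be "root" (assumed
    #    target name) so that /dev/mapper/root exists at boot.
    awk '$1 == "root" { ok = 1 } END { exit !ok }' "$r/etc/crypttab" 2>/dev/null ||
        fail "no target named 'root' in /etc/crypttab"

    # 4. menu.lst: every Linux kernel line must pass root=/dev/mapper/root.
    #    Entries that do not boot a vmlinuz image (e.g. memtest86+) are skipped.
    menu="$r/boot/grub/menu.lst"
    if [ -f "$menu" ]; then
        bad=$(awk '$1 == "kernel" && $2 ~ /vmlinuz/ &&
                   $0 !~ /root=\/dev\/mapper\/root( |$)/ { n++ }
                   END { print n + 0 }' "$menu")
        [ "$bad" -eq 0 ] || fail "$bad kernel line(s) lack root=/dev/mapper/root"
    else
        fail "boot/grub/menu.lst not found (is /boot mounted?)"
    fi
    return "$problems"
}

# Run against a directory only when one is given on the command line.
[ "$#" -eq 0 ] || check_encrypted_root "$1"
```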

















