Encrypted Ubuntu 7.04

How safe can you be?

By on July 29th, 2007 14:50 GMT
Did you ever live with the fear that somebody may break into your system one day and steal your files? Well, those days are over, because you can now have an entire encrypted operating system. For this setup, we used a freshly installed Ubuntu 7.04 with up-to-date software and nothing else installed. The following guide should also work with your existing Ubuntu 7.04 installation (no reinstall needed). Beware though: if your partitions are not set up as shown below, this will NOT work.

I will NOT be held responsible for any data loss on your hard drive if this process does NOT work for you, so you have been warned: TRY THIS AT YOUR OWN RISK!

Things needed:

- Ubuntu LiveCD
- cryptsetup software

Here is how your partitions should look:

code

/dev/sda1 -> /boot (about 150-200 MB, mine is 150 MB)
/dev/sda2 -> swap (twice your computer's RAM; mine is 2 GB because I have 1 GB of RAM)
/dev/sda3 -> root (/) (should be more than 5 GB, mine is 35 GB)

WARNING: I have a SATA drive, therefore my partitions are named sda. If you have an IDE drive, then you have to replace sda with hda in the guide.

STEP 1 – Boot from the LiveCD

Insert the Ubuntu 7.04 LiveCD into your optical drive and reboot your computer in order to boot from the CD. When the CD has loaded, open up a terminal (Applications -> Accessories -> Terminal) and become root by typing:

code

sudo su

You will be permanently root from now on (that means you will not have to type sudo anymore, until you exit this session).

STEP 2 – Prepare the environment and back up the data

Let's prepare the system for the encryption process by loading some necessary modules into the kernel. Type, or copy / paste the following lines in the terminal window:

code

modprobe aes
modprobe dm-crypt
modprobe dm-mod
modprobe sha256

Go to System -> Administration -> Software Sources, check the "Community-maintained Open Source software (universe)" and "Software restricted by copyright or legal issues (multiverse)" options, then click the "Close" button. When you are asked to reload the information about software sources, click the "Reload" button. Wait until the Software Sources window disappears and then type in the terminal window:

code

apt-get install cryptsetup

Then let's back up the existing data, starting by creating some temporary folders:

code

cd /mnt
mkdir boot root tmp

Then mount the existing partitions to the newly created folders:

code

mount /dev/sda1 boot
mount /dev/sda3 root

And now back up the data:

code

mkdir tmp/root
cp -axv root/* tmp/root

This last command will output a lot of text (the files that are being copied), so wait until it stops. It takes about 6-7 minutes (depending on the number of files).

STEP 3 – Encrypt the filesystem

Good, now that the backup has finished, unmount the partition with:

code

umount root

And encrypt the filesystem with the following command:

code

cryptsetup -c aes-cbc-essiv:sha256 -y -s 256 luksFormat /dev/sda3

WARNING: All the data will be permanently erased!

Type YES when asked, and enter a strong password (twice). Then type:

code

cryptsetup luksOpen /dev/sda3 root
mkfs.ext3 /dev/mapper/root
mount /dev/mapper/root root

Now let's copy back the data from the temporary folder to the newly created encrypted root partition:

code

cp -axv tmp/root/* root

Same as above, it will output a lot of text, so wait until it finishes and then remove the temporary folder:

code

rm -rf tmp/root

STEP 4 – Final adjustments

The filesystem is encrypted now, but it will not work until you do some final adjustments. Type, or copy / paste the following lines:

code

mkdir root/boot
mount /dev/sda1 root/boot
chroot root

At this moment, you are "virtually" in your root partition, and you can make modifications to it. Let's begin by installing the cryptsetup software:

code

apt-get update
apt-get install cryptsetup

Then let's add the necessary kernel modules to the /etc/initramfs-tools/modules file, so that they can be loaded at boot time:

code

nano etc/initramfs-tools/modules

And add the following lines to the end of the file:

code

aes
dm-crypt
dm-mod
sha256

Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

You must adjust the /etc/fstab file to mount the correct encrypted root partition:

code

nano etc/fstab

And change the line that looks like this (the UUID is just an example... yours will be different):

code

# /dev/sda3 UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562 / ext3 defaults,errors=remount-ro 0 1

To look like this one:

code

/dev/mapper/root / ext3 defaults,errors=remount-ro 0 1

So basically, you just replace (# /dev/sda3 UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562) with (/dev/mapper/root).

Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

Now you must edit the /etc/crypttab file:

code

nano etc/crypttab

And add the following line at the end of the file:

code

root /dev/sda3 none luks,retry=1,cipher=aes-cbc-essiv:sha256

Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

And now you have to edit the /boot/grub/menu.lst file:

code

nano boot/grub/menu.lst

Search for the line that looks like this (the UUID is just an example... yours will be different):

code

# kopt=root=UUID=4565t675-6c67-56hg-hg7j-67g5jk00b562 ro

And change it to look like this:

code

# kopt=root=/dev/mapper/root ro

Hit CTRL+O and then ENTER to save the file. Hit CTRL+X to close the nano editor.

Update GRUB with the following command:

code

update-grub

And check the /boot/grub/menu.lst file to see if the entries changed like this:

code

title Ubuntu, kernel 2.6.20-16-generic
root (hd0,0)
kernel /vmlinuz-2.6.20-16-generic root=/dev/mapper/root ro quiet splash vga=775
initrd /initrd.img-2.6.20-16-generic
quiet
savedefault

As you can see, I have an extra option at the end of the kernel line: vga=775. You are not supposed to have or add this option! Just make sure that you have the root=/dev/mapper/root option. If so, then you can update initramfs with the following command:

code

update-initramfs -u -k all

WARNING: If you see an error message about "libdevmapper", just ignore it and continue with the guide.
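
The three files edited in this step must agree on the mapping name, or the rebooted system will not find its root filesystem. The script below is an added example, not part of the original guide: it cross-checks crypttab, fstab and menu.lst and also reports swap entries that are not on an encrypted mapping. Its function names are hypothetical, and it assumes it is run inside the chroot before you exit.

```shell
#!/bin/sh
# Added example (not from the guide): cross-check the files edited in STEP 4.
# Function names are hypothetical. Run inside the chroot:
#   sh check.sh /etc/crypttab /etc/fstab /boot/grub/menu.lst

# First crypttab mapping name whose option field contains "luks".
luks_mapping() {
    awk '!/^[ \t]*#/ && NF >= 4 && $4 ~ /(^|,)luks(,|$)/ { print $1; exit }' "$1"
}

# Device that fstab mounts on /.
fstab_root_dev() {
    awk '!/^[ \t]*#/ && $2 == "/" { print $1; exit }' "$1"
}

# Every root= value on the active (uncommented) kernel lines of menu.lst.
grub_root_args() {
    awk '$1 == "kernel" { for (i = 2; i <= NF; i++) if ($i ~ /^root=/) print substr($i, 6) }' "$1"
}

# Swap devices in fstab that are not /dev/mapper targets.
plain_swap() {
    awk '!/^[ \t]*#/ && $3 == "swap" && $1 !~ /^\/dev\/mapper\// { print $1 }' "$1"
}

check_boot_chain() {
    crypttab=$1; fstab=$2; menu=$3; rc=0
    name=$(luks_mapping "$crypttab")
    [ -n "$name" ] || { echo "FAIL: no luks entry in $crypttab"; return 1; }
    want="/dev/mapper/$name"
    [ "$(fstab_root_dev "$fstab")" = "$want" ] ||
        { echo "FAIL: fstab does not mount $want on /"; rc=1; }
    args=$(grub_root_args "$menu")
    [ -n "$args" ] || { echo "FAIL: no kernel line with root= in $menu"; rc=1; }
    for a in $args; do
        [ "$a" = "$want" ] || { echo "FAIL: a kernel line boots root=$a"; rc=1; }
    done
    for s in $(plain_swap "$fstab"); do
        echo "NOTE: swap on $s is not on an encrypted mapping"
    done
    [ "$rc" -eq 0 ] && echo "OK: crypttab, fstab and menu.lst agree on $want"
    return "$rc"
}

if [ "$#" -eq 3 ]; then check_boot_chain "$@"; fi
```

A FAIL line means the boot chain still points at the old unencrypted root somewhere; fix that file and rerun update-grub or update-initramfs as appropriate before rebooting.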

Exit the chrooted environment and reboot the system with:

code

exit
reboot

When the system starts, you will see the Ubuntu boot splash, which will disappear after a few seconds, and all you'll be able to see is a blinking line on the top left side of your monitor. Now you should type the password you set up when you encrypted the filesystem and hit ENTER. If you typed the password correctly, the system continues to boot. That's it folks, your whole Ubuntu 7.04 is now fully encrypted!