Archive for August, 2009
Installing Slackware on encrypted volumes
Increasingly desired in any modern Linux distribution is the ability to install onto an encrypted partition (or drive, or volume). Especially for people with a laptop who are traveling a lot, it adds a lot to the security of your data if access to that data is denied to the potential thief of your computer.
Slackware 12.0 has improved support for LVM built into the installer. With a little more effort, the installer offers the opportunity to use transparent encryption on the partitions/volumes/disks where you install Slackware. You can combine the use of LVM and encryption to minimize the number of times you need to enter an unlock passphrase.
If you want to know more about setting up and using LVM during the installation, read the file ‘README_LVM.TXT’.
Slackware uses device-mapper and cryptsetup to achieve transparent encryption of your data partitions and your swap. Cryptsetup uses a concept called LUKS (Linux Unified Key Setup) which enables you to change your unlock password for the encrypted volume without having to re-encrypt all of your data. You can even assign multiple passphrases to an encrypted volume, so that other people besides you are able to unlock the encryption without the need to know _your_ passphrase.
When preparing a partition for transparent encryption with cryptsetup, the program will ask you for a password. This password is used to encrypt another randomly generated password and this particular password is used to actually encrypt the data inside the mapped volume. Cryptsetup will create a mapped device and make this block device available under the ‘/dev/mapper’ directory. Any data read from or written to this mapped device will automatically be decrypted from / encrypted to the actual partition.
A big NOTE finally. When you encrypt your root filesystem, you will have to make sure that there will be at least one (small) partition which is left unencrypted. This partition will contain your kernel(s) to boot from,the initrd that is needed with encrypted volumes, and you need to install LILO either to the MBR – or if that is not possible, into the root sector of this small unencrypted partition. You will probably guess why we can not use an encrypted partition for this…
Using cryptsetup during Slackware installation
We are going to encrypt our partitions/volumes before installing Slackware onto them.
After the computer boots up from the install CD/DVD (or USB flash disk, or PXE) and you find yourself at the ‘#’ prompt, the first thing to do is use ‘fdisk’ to create any partitions you need for your Slackware. Next, use ‘cryptsetup’ to prepare the partitions you intend to be encrypted. Note:
this section of the README concerns itself with setting up encrypted *data* partitions. If you want to know how to configure an encrypted *swap* partition, skip to the section called “Encrypted swap”.
Suppose, you want to encrypt the partition called ‘/dev/sda2’ and use it as your ‘/home’ filesystem. If your actual partition is called differently, PLEASE use that partition name in the next series of examples. Several of the commands shown below will irrevocably destroy any data that you currently have on the partition.
* To begin with, we are going to fill the partition with random data. This will make it a lot harder for any forensics expert to determine where your encrypted data resides on that partition after we’re finished installing Slackware onto it. The process will take a long time – depending on the size of your partition it may take hours or more. if you’re not _too_ concerned with the possibility of an FBI agent confiscating your computer, you can skip this command:
# dd if=/dev/urandom of=/dev/sda2
* Prepare the partition for encryption. You will be asked twice to enter a passphrase. Note that a passphrase is not limited to a single word. The
passphrase may contain spaces. We will use a key size of 256 bits. The default cipher is ‘aes’, with mode ‘cbc-essiv:sha256’ which is safe enough.
# cryptsetup -s 256 -y luksFormat /dev/sda2
You can dump information about the encrypted partition to your console by running the following command:
# cryptsetup luksDump /dev/sda2
* Now we will open the encrypted partition and let the devicemapper create a mapped block device. We will use the mapped device which behaves just like an ordinary disk partition when we get to the TARGET selection in ‘setup’. The mapped device nodes will be made available in the directory ‘/dev/mapper’. The command will ask you for the passphrase which you entered during the “luksFormat” operation. The last argument that the command takes is the name of the mapped device. We will call our mapped device ‘crypthome’ – it will be available for use as the block device ‘/dev/mapper/crypthome’.
# cryptsetup luksOpen /dev/sda2 crypthome
We’ve now finished our preparations, and it is time to start the ‘setup’ program and install Slackware. This setup does not differ at all from the setup you have become used to. The only notable difference lies in the names of the devices you will select for your target partitions. Be sure to read until the end of the story though, because we will have to do some postprocessing in order to make your encrypted partitions available after reboot (setup can not yet do all of this automatically).
In setup, under “SWAP”, proceed as usual and configure a normal unencrypted swap partition, even if you want to have your swap encrypted. We will take care of swap encryption after the installation of Slackware finishes.
In setup, when you choose “TARGET” in the main menu, you will notice that the mapped device is available in the ‘Linux partition’ selection as “/dev/mapper/crypthome”. Select the partition you designated for your root (‘/’) filesystem, and next select “/dev/mapper/crypthome” for your ‘/home’ filesystem. Create any filesystem you like on them. My favorite fstype still is ext3, but you can choose xfs or jfs for stability and speed.
NOTE: The underlying partition will *also* be visible in the target selection menu. Be very careful NOT to select this device (‘/dev/sda2’ in our example) for any other filesystem you wish to reate, or you will destroy the data on the encrypted partition.
At the end of the Slackware installation when you select “Exit”, don’t reboot just yet. We are going to create a configuration file for the cryptsetup program, called ‘/etc/crypttab’. This file ontains the information cryptsetup needs for unlocking your encrypted volume and mapping it to the correct device name. The file ‘/etc/crypttab’ contains lines of the format: “mappedname evicename password options”. Since we are still inside the installer, the root filesystem of our fresh Slackware installation is still mounted under ‘/mnt’. For our example where we encrypted ‘/dev/sda2’ and mapped the unlocked device to ‘/dev/mapper/crypthome’, we need this single line in ‘/etc/crypttab’:
So, we need to run the command:
# echo “crypthome /dev/sda2” > /mnt/etc/crypttab
in order to create the file with the required content. You can of course also just start the ‘vi’ editor and add the above line. When the password is not listed in the crypttab file (potentially very unsafe of course) cryptsetup will ask you for the password when your computer boots.
Now, remember we have configured the swap partition as usual during the installation of Slackware, which means we have not yet configured it as an encrypted swap. We are going to take care of that omission right now. it really is very simple and straight-forward. It is also independent of whether or not you are using encryption for any other (data) partition. Add the following line to the ‘crypttab’ file on your fresh installation of Slackware – for the sake of this example I am assuming that the swap partition you chose is ‘/dev/sda3’:
cryptswap /dev/sda3 none swap
You can use the ‘vi’ editor to add this line to ‘/mnt/etc/crypttab’.
You can also choose to run the following command which adds that line to the end of the file:
# echo “cryptswap /dev/sda3 none swap” >> /mnt/etc/crypttab
We need to edit the ‘fstab’ file of your Slackware installation so that the correct device will be used for the swap after your computer reboots (the device ‘/dev/sda3′ will no longer be useful, but /dev/mapper/cryptswap will’). The line in ‘/mnt/etc/fstab’ for your swap will look like this at first:
/dev/sda3 swap swap defaults 0 0
and you will have to change it so that it becomes like this:
/dev/mapper/cryptswap swap swap defaults 0 0
These two edits are sufficient. The Slackware boot-up process will take care of the rest. At shutdown of your Slackware, the encrypted swap partition will be reformatted as a normal nencrypted swap, so that any other OSs you might be running in a multi-boot configuration will have no problems in using this swap partition as well.
NOTE: the swap partition is encrypted with a new randomly generated key every time your computer boots.
There is no need to ever enter a passphrase!
Encrypted root filesystem
You can go one step further than merely encrypting your ‘/home’ filesystem’s partition. You can choose to encrypt _all_ of your Slackware partitions, including the root partition. In this case you ill have to perform some additional post-install configuration before you reboot your Slackware box.
* Be sure to create a small partition which you leave *unencrypted*. Tell the installer to mount it under ‘/boot’. The kernel and the initrd (with the cryptsetup and additional required kernel odules) will go there, and LILO will have to be installed to the root sector of that partition in case you are not able to use the MBR. * Perform a Slackware install just like I described above, reating additional encrypted partitions and mapping them to appropriate names – for this example I assume that you map the encrypted root partition ‘/dev/sda1’ to ‘cryptroot’. When the LILO configuration pops up, tell lilo that your root partition is ‘/dev/mapper/cryptroot’. Lilo will try to install and fail, and will tell you so. It will however have written a ‘lilo.conf’ file which we can edit in a follow-up action. Proceed with the installation and at the end, exit the setup program but do _not_ reboot just yet.
* After the return to the command prompt, perform a ‘chroot’ into the new
installation. All the filesystems are still mounted, so we can run the following commands:
# mount -o bind /proc /mnt/proc
# mount -o bind /sys /mnt/sys
# chroot /mnt
* Next, now that we are in the chroot, create the initrd with LVM and CRYPT support – or else your Slackware computer will not be able to proceed past the initial stage of booting the kernel. The initial ramdisk (initrd) contains a small filesystem with the tools needed to unlock the root filesystem, so that the kernel can start the init program. In the example command line below which creates the ‘initrd.gz’ image I assume that the root filesystem is ‘ext3’, we used the mapped device ‘cryptroot’ for the root filesystem on the real partition ‘/dev/sda1’, and are running the Slackware 12.0 default SMP kernel ‘220.127.116.11-smp’:
# mkinitrd -c -k 18.104.22.168-smp -m ext3 -f ext3 -r cryptroot -C /dev/sda1 -L
The resulting initrd image will be written to the file ‘/boot/initrd.gz’ by default. We still need to tell lilo about this initrd, so open the configuration file ‘/etc/lilo.conf’ in an editor such as vi or pico – it should already have been generated by the ‘liloconfig’ part of setup. Look for the “Linux bootable partition config” and add a line for the initrd – it should end up looking somewhat like this:
image = /boot/vmlinuz
initrd = /boot/initrd.gz
root = /dev/mapper/cryptroot
label = linux
* We have one additional change to make, and that is almost at the top of the file. Look up the line that says “boot = /dev/mapper/cryptroot” and which was the reason for lilo to fail installing itself. Change the boot device to name of the small *unencrypted* partition you’ve created and which is mounted under ‘/boot’. Assuming the name of that partition is
‘/dev/sda4’, the “boot =” line must become like this:
boot = /dev/sda4
We are done. Write the changes, exit the editor and run the command ‘lilo’.
Lilo will issue a couple of warnings concerning a difference in what
‘/proc/partitions’ reports and what lilo thinks are the available partitions, but it is safe to ignore these.
Reboot now, and you will be presented with a “Enter passphrase: ” prompt. After entering the passphrase which unlocks your root filesystem, the system will boot into Slackware. If there are other encrypted partitions, you will be prompted for their respective passphrases, too.
Additional passphrases, keyfiles
The cryptsetup program assigns 7 ‘key slots’ to any partition or volume it encrypts. Each of those seven slots can contain a key to unlock the partition’s data. The key can be a passphrase, but the content of a *keyfile* is another option. You can then pass the name of a file as a parameter to cryptsetup in order to unlock an encrypted volume so that you won’t have to type a passphrase. This creates the possibility to use a keyfile on a removable USB flash disk for unlocking your Slackware computer. Slackware has partial support for keyfiles: if the file can be found, it will be used and you won’t have to type a passphrase. A file on a USB stick will *not* be found on boot because the stick’s filesystem is not mounted. Future versions of Slackware will support USB sticks as unlocking mechanism. For now, if you encrypt your root filesystem, you will have to enter a passphrase to boot into it. After the root filesystem is unlocked and mounted, it is completely safe to have a keyfile for _additional_encrypted filesystems stored in for instance the ‘/root’ directory. That way, you have only one passphrase to type. Alternatively, you can setup LVM, encrypt the underlying physical device, and create logical volumes on the mapped device. Once that encrypted physical device is unlocked all the logical volumes you’ve created and which contain your filesystems are accessible without having to enter additional passphrases.
Good luck with your Slackware with encrypted partition(s)!
Eric Hameleers <firstname.lastname@example.org> 26-jun-2007