<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'><div style="text-align: left;"><h2><font size="3"><span style="font-weight: normal;"></span></font><a name="whole_most_disk_encryption_on_centos_5" id="whole_most_disk_encryption_on_centos_5"></a></h2><h2><font size="3"><span style="font-weight: normal;">The proposed document is below. Hopefully is remains readable.</span></font></h2><br>Chris<br><br><h2><a name="whole_most_disk_encryption_on_centos_5" id="whole_most_disk_encryption_on_centos_5">Whole (Most) Disk Encryption on CentOS 5</a></h2>
<div class="level2">
</div>
<h4><a name="this_document_is_in_the_process_of_being_developed" id="this_document_is_in_the_process_of_being_developed">This document is in the process of being developed</a></h4>
<div class="level4">
</div>
<h5><a name="credit_to_others" id="credit_to_others">Credit To Others</a></h5>
<div class="level5">
The primary source for this document was <a href="http://www.tummy.com/Community/Articles/cryptoroot-f8/" class="urlextern" title="http://www.tummy.com/Community/Articles/cryptoroot-f8/" rel="nofollow">http://www.tummy.com/Community/Articles/cryptoroot-f8/</a>.
It was heavily used but adapted to CentOS5 and with some changes which
simplify and improve the process. Other sources that were used are <a href="http://musialek.org/?p=3" class="urlextern" title="http://musialek.org/?p=3" rel="nofollow">http://musialek.org/?p=3</a> and <a href="http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html" class="urlextern" title="http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html" rel="nofollow">http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html</a>.
<BR>
</div>
<h5><a name="summary" id="summary">Summary</a></h5>
<div class="level5">
This document contains step by step instructions for encrypting the
entire disk including swap space with the exception of the /boot
partition on CentOS 5. It assumes that you are planning to encrypt your
disk from install and that your disk is /dev/sda. This document was
created with with CentOS 5.0 before any patches or updates were
applied. There are some optional components within this document that
are not technically necessary for encrypting the disk. Those components
can be ignored for testing, but they should be followed on any “real”
systems.
<BR>
</div>
<h5><a name="step_oneprepare_the_disk" id="step_oneprepare_the_disk">Step One: Prepare the disk</a></h5>
<div class="level5">
The first step is to prepare the disk. The installer partitioning
software doesn't have the flexibility to be able to do this, so you
will need to switch to the shell and perform the setup manually.
<BR>
Once the installer has moved into the <acronym title="Graphical User Interface">GUI</acronym>, press Ctrl-Alt-F2 to get a command prompt.
<BR>
<em><strong>OPTIONAL –</strong> Overwrite and randomize the entire
disk. Use shred or dd to overwrite the disk. The technical merits of
multiple overwrites of shred vs. using /dev/random with dd are beyond
the scope of this document. The default options of shred take a very,
very long time to run. The time to complete on any sizeable disk would
likely be measured in days. This note applies to all statements about
radomizing the disks or partitions in this document.</em>
<BR>
<pre class="code"> # shred -v /dev/sda</pre>
<em>or</em>
<BR>
<pre class="code"> # dd if=/dev/urandom of=/dev/sda</pre>
<br> Use fdisk to create the partitions for install. You will
need to create a /boot partition and an LVM partition at the end of the
disk. The gap in between the two partitions will become your encrypted
file-system. This document will refer to the boot partition as
/dev/sda1 and the install partition at the end of the disk as
/dev/sda3. The encrypted partition will become /dev/sda2.
<BR>
The partition at the end of the disk should be smaller than the
empty space between /boot and your LVM partition so that there is room
for the meta-data associated with the encryption. The LVM partition
really only needs to be large enough to install the system. You will be
able to expand the system volumes if you like after you have a working,
encrypted system. <BR>
<pre class="code"> # fdisk /dev/sda</pre>
RedHat documentation recommends 100MB for the boot partition. Over
time, the /boot partition can fill up as a result of updated kernels if
it is not regularly cleaned. Using a larger /boot partition may be
beneficial. /dev/sda1 should be of type 83 (Linux) and should be
bootable. /dev/sda3 should have sufficient space to perform the
installation. The partition type of /dev/sda3 should be 8e (Linux LVM).
When done, it should look something like: <BR>
<pre class="code"> Device Boot Start End Blocks Id System<br> /dev/sda1 * 1 65 521955 83 Linux<br> /dev/sda3 20000 30401 83554065 8e Linux LVM</pre>
If you are not familiar with the fdisk commands, you can type “?”
at the fdisk prompt to see a list of commands. Once you have the disk
partitioned correctly (view the partition table with the “p” command
within fdisk), remember to write the partition table while exiting with
the “w” command.
<BR>
Return to the <acronym title="Graphical User Interface">GUI</acronym> to complete the installation. Press Ctrl-Alt-F6 to return to the <acronym title="Graphical User Interface">GUI</acronym>.
<BR>
</div>
<h5><a name="step_twoinstalling_the_os" id="step_twoinstalling_the_os">Step Two: Installing the OS</a></h5>
<div class="level5">
The installation must be done using the graphical installer because
the text installer doesn't allow a custom installation to use LVM.
<BR>
For the partitioning, select “Custom”, and tell it to format sda1 as /boot, and sda3 as an LVM physical partition.
<BR>
Then use the “LVM” button to create a volume group, and a logical
volumes within it for the / file-system. Create the swap partition
within LVM to ensure that your swap space is ultimately encrypted as
well. You can create /usr, /var, /tmp, and other volumes within LVM if
you choose. Note that you'll be able to resize the partitions later, so
they don't need to be the desired target space or proportion right now.
<BR>
Complete the rest of the installation process as normal.
<BR>
</div>
<h5><a name="step_threecreate_the_encrypted_partition" id="step_threecreate_the_encrypted_partition">Step Three: Create the encrypted partition</a></h5>
<div class="level5">
Boot into the installed system and create /dev/sda2 using fdisk. It
needs to be the space between sda1 and sda3, and it should have a
partition type of 83 (Linux) (it does not need to be type 8e, Linux
LVM). Write the partition table and quit fdisk.
<BR>
Once you have create the partition, use the partprobe command to read new partition.
<BR>
<pre class="code"> # partprobe</pre>
If you did not randomize the disk via shred or dd, you should
randomize the partition using dd. This may take a while depending on
the size of the partition. <BR>
<pre class="code"> # dd if=/dev/urandom of=/dev/sda2</pre>
You now need to set up encryption.
<BR>
<pre class="code"> # cryptsetup --key-size 256 --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sda2</pre>
Confirm that you want to destroy all data on the partition and then
provide a pass-phrase. You will need to remember the pass-phrase in
order to access your system.
<BR>
Open the encrypted file-system to ensure that all is well with the encrypted partition
<BR>
<pre class="code"> # /sbin/cryptsetup luksOpen /dev/sda2 lvm</pre>
Enter the pass-phrase for the file-system. Close the file-system with
<BR>
<pre class="code"> # /sbin/cryptsetup luksClose lvm</pre>
<em><strong>OPTIONAL -</strong> Additional pass-phrases can be
added at this point. This is especially useful in enterprise
environments where you would like to have an administrative pass-phrase
should a user forget the pass-phrase or you need to have access after a
user leaves.</em>
<BR>
<pre class="code"> # /sbin/cryptsetup luksAddKey /dev/sda2</pre>
<em>Enter the existing pass-phrase twice, it will then ask you to
enter a new pass-phrase where you can add the second key. You can
verify that you now have 2 keys by using the luksOpen option with the
cryptsetup command using each password or by using the command</em>
<BR>
<pre class="code"> # /sbin/cryptsetup luksDump /dev/sda2</pre>
The output will look similar to
<BR>
<pre class="code"> Version: 1<br> Cipher name: aes<br> Cipher mode: cbc-essiv:sha256<br> Hash spec: sha1<br> Payload offset: 2056<br> MK bits: 256<br> MK digest: f3 6e 66 7c d2 40 1c 4e 6e ce fa d5 b9 ac 3b 13 f9 a0 9c 7d<br> MK salt: 2b f2 38 ff 21 0a 31 cd a9 17 97 a9 c0 ad 72 46<br> e3 78 21 b2 03 1a d1 68 a3 2d 80 61 bf d0 09 4d<br> MK iterations: 10<br> UUID: ca858575-a412-4d26-bde7-7dfdfd0f6a72<br> <br> Key Slot 0: ENABLED<br> Iterations: 51953<br> Salt: 69 51 dc 85 57 84 9d c1 97 5c ef a6 d5 31 6d d2<br> 4f 8b ce 90 71 90 8c 6c 3f 81 b7 75 41 85 59 5b<br> Key material offset: 8<br> AF stripes: 4000<br> Key Slot 1: ENABLED<br> Iterations: 52068<br> Salt: c7 a6 e5 e9 08 d1 d6 80 c5 0a fe f5 74 22 2e 74<br> 63 a3 e3 41 f3 4f 82 fe 54 7d 5d 99 0b 14 8c 80<br> Key material offset: 264<br> AF stripes: 4000<br> Key Slot 2: DISABLED<br> Key Slot 3: DISABLED<br> Key Slot 4: DISABLED<br> Key Slot 5: DISABLED<br> Key Slot 6: DISABLED<br> Key Slot 7: DISABLED</pre>
</div>
<h5><a name="step_fourconfigure_mkinitrd_for_encrypted_system" id="step_fourconfigure_mkinitrd_for_encrypted_system">Step Four: Configure mkinitrd for encrypted system</a></h5>
<div class="level5">
Make a backup copy of /sbin/mkinitrd. Future updates of the
mkinitrd package will overwrite it, but the changes will allow future
kernel updates to properly build an initrd. Modify /sbin/mkinitrd per
the patch below. The patch modifies the MODULES line so that initrd has
the proper modules for encryption, adds cryptsetup to initrd, and
configures initrd to open the encrypted file-system. <BR>
<pre class="code"> >--- /sbin/mkinitrd.before.dm-crypt.20080811 2008-08-11 23:17:04.000000000 -0400<br> +++ /sbin/mkinitrd 2008-08-14 18:52:31.000000000 -0400<br> @@ -40,7 +40,7 @@<br> VERSION=5.1.19.6<br> <br> PROBE="yes"<br> -MODULES=""<br> +MODULES="aes sha256 dm_crypt cbc"<br> PREMODS=""<br> DMDEVS=""<br> NET_LIST=""<br> @@ -1081,6 +1081,7 @@<br> fi<br> inst /sbin/nash "$MNTIMAGE/bin/nash"<br> inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"<br> +inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup"<br> ln -s /sbin/nash $MNTIMAGE/sbin/modprobe<br> <br> for MODULE in $MODULES; do<br> @@ -1264,6 +1265,10 @@<br> # things like RAID or LVM<br> emit "mkblkdevs"<br> <br> +# Adding stuff for dm-cyrpted root partition<br> +emit "echo Decrypting root device"<br> +emit "cryptsetup luksOpen /dev/sda2 lvm"<br> +<br> emitdms<br> if [ -n "$raiddevices" ]; then<br> </pre>
<strong>NOTE:</strong> If you choose to modify the /sbin/mkinitrd file
manually, the additions for “cryptsetup luksOpen /dev/sda2 lvm” should
occur after the SECOND occurance of “emit mkblkdevs”
<BR>
<em><strong>OPTIONAL –</strong> You can prevent the mkinitrd script from being updated via yum by modifying /etc/yum.conf to include the line</em>
<BR>
<pre class="code">exclude=mkinitrd nash</pre>
</div>
<h5><a name="step_fivebuild_new_initrd" id="step_fivebuild_new_initrd">Step Five: Build new initrd</a></h5>
<div class="level5">
You now need to create the new initrd that will allow the system to
boot using the encrypted device. The method used here will allow the
presence of both the encrypted system and the unencrypted system on the
computer. This provides the opportunity to ensure that the encrypted
system is working properly and to boot into the unencrypted system
should any modifications be needed. <BR>
<pre class="code"> # mkinitrd -v /boot/initrd-2.6.18-8.el5.crypt.img 2.6.18-8.el5</pre>
</div>
<h5><a name="step_sixcopy_the_lvm_to_the_encrypted_partition" id="step_sixcopy_the_lvm_to_the_encrypted_partition">Step Six: Copy the LVM to the encrypted partition</a></h5>
<div class="level5">
Make sure that any modifications to the system configurations such
as the modified mkinitrd or the modified yum.conf are done before
performing this step. Although those things can be duplicated on the
encrypted system, it is easier if they don't need to be repeated.
<BR>
Reboot the system into single user mode.
<BR>
Open the encrypted file-system
<BR>
<pre class="code"> # /sbin/cryptsetup luksOpen /dev/sda2 lvm</pre>
Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted sda2.
<BR>
<pre class="code"> # dd if=/dev/sda3 of=/dev/mapper/lvm</pre>
When it's done, close the encrypted partition with:
<BR>
<pre class="code"> # /sbin/cryptsetup luksClose lvm</pre>
</div>
<h5><a name="step_sevenmodify_grub.conf_to_boot_the_encrypted_system" id="step_sevenmodify_grub.conf_to_boot_the_encrypted_system">Step Seven: Modify grub.conf to boot the encrypted system</a></h5>
<div class="level5">
Add the following lines to the end of /boot/grub/grub.conf. This can be done while still in single user mode.
<BR>
<pre class="code"> title CentOS Encrypted System (2.6.18-8.el5)<br> root (hd0,0)<br> kernel /vimlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet<br> initrd /initrd-2.6.18-8.el5.crypt.img</pre>
<strong>NOTE:</strong> To make the encrypted system the default system, make the above lines the first block listed in grub.conf
<BR>
</div>
<h5><a name="step_eightextend_encryption_to_the_entire_disk" id="step_eightextend_encryption_to_the_entire_disk">Step Eight: Extend encryption to the entire disk</a></h5>
<div class="level5">
<strong>NOTE:</strong> The /boot partition will not be encrypted, however the rest of the disk will be.
<BR>
Once the encrypted system is confirmed to be working correctly,
remove the unencrypted system. Randomize /dev/hda3 by using either
shred or dd. <strong><em><em class="u">Once this step is performed, there is no turning back.</em></em></strong>
The unencrypted system will no longer exist on the disk. It is also
safe to remove the grub.conf entries for the unencrypted system. <BR>
<pre class="code"> # shred -v /dev/sda3</pre>
or
<BR>
<pre class="code"> # dd if=/dev/urandom of=/dev/sda3</pre>
Use the fdisk command to resize sda2 to fill the entire disk.
<BR>
<pre class="code"> # fdisk /dev/sda</pre>
Within fdisk, delete /dev/sda2 and /dev/sda3. Create a new
/dev/sda2 that fills the entire disk. When adding the new /dev/sda2 the
defaults should be sufficient.
<BR>
Write the changes to the partition table. Use partprobe to detect changes to the partition table.
<BR>
<pre class="code"> # partprobe</pre>
</div>
<h5><a name="step_nineresize_the_file-systems" id="step_nineresize_the_file-systems">Step Nine: Resize the file-systems</a></h5>
<div class="level5">
First, resize the crypto device.
<BR>
<pre class="code"> # cryptsetup resize lvm</pre>
Next, resize the physical volume in the volume group:
<BR>
<pre class="code"> # pvresize –-setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm</pre>
In order to resize the LVM volumes to use the entire disk, a reboot is required.
<BR>
<strong>NOTE to testers</strong> This seems strange to me and seems to
defeat one of the primary strengths of using LVM, but I was unable to
extend the logical volumes beyond the original number of physical
extents until after a reboot. I will do some more with this to see if
it can be done without the reboot.
<BR>
Extend the logical volumes of the system with lvextend. man lvextend for more information on the command.
<BR>
<pre class="code"> # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00</pre>
Resize each of the file-systems with:
<BR>
<pre class="code"> # resize2fs /dev/VolGroup00/LogVol00</pre>
Replace VolGroup00 and LogVol00 with the correct volume group names and logical volume names for each volume on the system.
<BR>
</div>
<h5><a name="finishing_up" id="finishing_up">Finishing Up</a></h5>
<div class="level5">
Have a beer.
<BR>
</div>
<h5><a name="interesting_and_related_information" id="interesting_and_related_information">Interesting and Related Information</a></h5>
<div class="level5">
<strong>NOTE to peer-reviewers:</strong> The idea of this section
was to have links to additional information such as why someone should
randomize the entire disk,additional information related to the whole
Gutmann method situation, NIST 800-88 publication, etc. <BR>
</div></div><br><br><br><hr id="EC_stopSpelling">From: ixeous@hotmail.com<br>To: centos-docs@centos.org<br>Date: Thu, 28 Aug 2008 09:53:26 -0400<br>Subject: [CentOS-docs] potential wiki on encryption<br><br>
<meta http-equiv="Content-Type" content="text/html; charset=unicode">
<meta name="Generator" content="Microsoft SafeHTML">
<style>
.ExternalClass .EC_hmmessage P
{padding:0px;}
.ExternalClass body.EC_hmmessage
{font-size:10pt;font-family:Tahoma;}
</style>
<div style="text-align: left;">Hello all,<br><br>I posted the whole disk encryption instructions in the forum that has been briefly discussed on the list. I joined the list per Ned's post on the thread.<br><br><pre><a href="http://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=15923&forum=42" target="_blank">http://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=15923&forum=42</a><i><br></i><br></pre>I have a couple of questions about the process of creating a wiki.<br><br>1. How does the peer-review process work?<br>2. Is there a place to place an article being reviewed that can be modified while being reviewed but not necessarily available to the public?<br><br>The reason that I ask the second question is because the posting in the forum is literally my first draft as I was going through the process. I have found a couple of modifications that need to be made. The changes that I know should be made are:<br><br>1. The optional step of adding exclude=mkinitrd to /etc/yum.conf should be "exclude=mkinitrd nash"<br>2. I switched up my disk device on some instructions to /dev/hda which should be /dev/sda for consistency.<br>3. I think that the last 2 steps of extending the encrypted partition to the entire disk could be clearer.<br><br>Thanks.<br>Chris<br></div><br><hr>Get thousands of games on your PC, your mobile phone, and the web with Windows®. <a href="http://clk.atdmt.com/MRT/go/108588800/direct/01/" target="_blank">Game with Windows</a>
<br /><hr />See what people are saying about Windows Live. Check out featured posts. <a href='http://www.windowslive.com/connect?ocid=TXT_TAGLM_WL_connect2_082008' target='_new'>Check It Out!</a></body>
</html>