<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'><div style="text-align: left;">This is a newer version of the proposed whole disk encryption HowTo. I have added a section that attempts to combine the information in http://wiki.centos.org/TipsAndTricks/EncryptedFilesystem. All information has not been incorporated, but I tried to keep the instructions for having non-root partitions consistent with the steps and methods outlined earlier in the document. I think that this does allow for additional encrypted partitions as described in the TipsAndTricks document.<br></div><br>Here's the latest version.<br><br><h2><a name="whole_most_disk_encryption_on_centos_5" id="whole_most_disk_encryption_on_centos_5">Whole (Most) Disk Encryption on CentOS 5</a></h2>
<div class="level2">
</div>
<h4><a name="this_document_is_in_the_process_of_being_developed" id="this_document_is_in_the_process_of_being_developed">This document is in the process of being developed</a></h4>
<div class="level4">
</div>
<h5><a name="credit_to_others" id="credit_to_others">Credit To Others</a></h5>
<div class="level5">
The primary source for this document was <a href="http://www.tummy.com/Community/Articles/cryptoroot-f8/" class="urlextern" title="http://www.tummy.com/Community/Articles/cryptoroot-f8/" rel="nofollow">http://www.tummy.com/Community/Articles/cryptoroot-f8/</a>.
It was used heavily but adapted to CentOS 5, with some changes that
simplify and improve the process. Other sources that were used are <a href="http://musialek.org/?p=3" class="urlextern" title="http://musialek.org/?p=3" rel="nofollow">http://musialek.org/?p=3</a> and <a href="http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html" class="urlextern" title="http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html" rel="nofollow">http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html</a>.
<BR>
</div>
<h5><a name="summary" id="summary">Summary</a></h5>
<div class="level5">
This document contains step by step instructions for encrypting the
entire disk including swap space with the exception of the /boot
partition on CentOS 5. It assumes that you are planning to encrypt your
disk from install and that your disk is /dev/sda. This document was
created with CentOS 5.0 before any patches or updates were
applied. There are some optional components within this document that
are not technically necessary for encrypting the disk. Those components
can be ignored for testing, but they should be followed on any “real”
systems.
<BR>
The end of the document contains optional configurations. This is
useful if you prefer to have additional partitions on the disk. The
step by step instructions will leave a disk with two partitions, /boot
(/dev/sda1) and an LVM (/dev/sda2) partition which contains all system
volumes. The optional section will contain the differences needed to
have an additional partition (/dev/sda3) which may be used as a data
store, NFS share, etc.
<BR>
</div>
<h5><a name="step_oneprepare_the_disk" id="step_oneprepare_the_disk">Step One: Prepare the disk</a></h5>
<div class="level5">
The first step is to prepare the disk. The installer's partitioning
software is not flexible enough to do this, so you
will need to switch to the shell and perform the setup manually.
<BR>
Once the installer has moved into the <acronym title="Graphical User Interface">GUI</acronym>, press Ctrl-Alt-F2 to get a command prompt.
<BR>
<em><strong>OPTIONAL –</strong> Overwrite and randomize the entire
disk. Use shred or dd to overwrite the disk. The technical merits of
the multiple overwrites done by shred vs. using /dev/urandom with dd are beyond
the scope of this document. The default options of shred take a very,
very long time to run. The time to complete on any sizeable disk would
likely be measured in days. This note applies to all statements about
randomizing the disks or partitions in this document.</em>
<BR>
<pre class="code"> # shred -v /dev/sda</pre>
<em>or</em>
<BR>
<pre class="code"> # dd if=/dev/urandom of=/dev/sda</pre>
<br> Use fdisk to create the partitions for install. You will
need to create a /boot partition and an LVM partition at the end of the
disk. The gap in between the two partitions will become your encrypted
file-system. This document will refer to the boot partition as
/dev/sda1 and the install partition at the end of the disk as
/dev/sda3. The encrypted partition will become /dev/sda2.
<BR>
The partition at the end of the disk should be smaller than the
empty space between /boot and your LVM partition so that there is room
for the meta-data associated with the encryption. The LVM partition
really only needs to be large enough to install the system. You will be
able to expand the system volumes if you like after you have a working,
encrypted system. <BR>
<pre class="code"> # fdisk /dev/sda</pre>
RedHat documentation recommends 100MB for the boot partition. Over
time, the /boot partition can fill up as a result of updated kernels if
it is not regularly cleaned. Using a larger /boot partition may be
beneficial. /dev/sda1 should be of type 83 (Linux) and should be
bootable. /dev/sda3 should have sufficient space to perform the
installation. The partition type of /dev/sda3 should be 8e (Linux LVM).
When done, it should look something like: <BR>
<pre class="code">    Device Boot      Start         End      Blocks   Id  System
 /dev/sda1   *           1          65      521955   83  Linux
 /dev/sda3           20000       30401    83554065   8e  Linux LVM</pre>
If you are not familiar with the fdisk commands, you can type “?”
at the fdisk prompt to see a list of commands. Once you have the disk
partitioned correctly (view the partition table with the “p” command
within fdisk), remember to write the partition table while exiting with
the “w” command.
<BR>
Return to the <acronym title="Graphical User Interface">GUI</acronym> to complete the installation. Press Ctrl-Alt-F6 to return to the <acronym title="Graphical User Interface">GUI</acronym>.
<BR>
</div>
<h5><a name="step_twoinstalling_the_os" id="step_twoinstalling_the_os">Step Two: Installing the OS</a></h5>
<div class="level5">
The installation must be done using the graphical installer because
the text installer doesn't allow a custom installation to use LVM.
<BR>
For the partitioning, select “Custom”, and tell it to format sda1 as /boot, and sda3 as an LVM physical partition.
<BR>
Then use the “LVM” button to create a volume group, and logical
volumes within it for the / file-system. Create the swap partition
within LVM to ensure that your swap space is ultimately encrypted as
well. You can create /usr, /var, /tmp, and other volumes within LVM if
you choose. Note that you'll be able to resize the partitions later, so
they don't need to be the desired target space or proportion right now.
<BR>
Complete the rest of the installation process as normal.
<BR>
</div>
<h5><a name="step_threecreate_the_encrypted_partition" id="step_threecreate_the_encrypted_partition">Step Three: Create the encrypted partition</a></h5>
<div class="level5">
Boot into the installed system and create /dev/sda2 using fdisk. It
needs to be the space between sda1 and sda3, and it should have a
partition type of 83 (Linux) (it does not need to be type 8e, Linux
LVM). Write the partition table and quit fdisk.
<BR>
Once you have created the partition, use the partprobe command to make the kernel read the new partition table.
<BR>
<pre class="code"> # partprobe</pre>
If you did not randomize the disk via shred or dd, you should
randomize the partition using dd. This may take a while depending on
the size of the partition. <BR>
<pre class="code"> # dd if=/dev/urandom of=/dev/sda2</pre>
You now need to set up encryption.
<BR>
<pre class="code"> # cryptsetup --key-size 256 --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sda2</pre>
Confirm that you want to destroy all data on the partition and then
provide a pass-phrase. You will need to remember the pass-phrase in
order to access your system.
<BR>
Open the encrypted file-system to ensure that all is well with the encrypted partition:
<BR>
<pre class="code"> # /sbin/cryptsetup luksOpen /dev/sda2 lvm</pre>
Enter the pass-phrase for the file-system. Close the file-system with
<BR>
<pre class="code"> # /sbin/cryptsetup luksClose lvm</pre>
<em><strong>OPTIONAL -</strong> Additional pass-phrases can be
added at this point. This is especially useful in enterprise
environments where you would like to have an administrative pass-phrase
should a user forget the pass-phrase or you need to have access after a
user leaves.</em>
<BR>
<pre class="code"> # /sbin/cryptsetup luksAddKey /dev/sda2</pre>
<em>Enter the existing pass-phrase twice; it will then ask you to
enter a new pass-phrase, which adds the second key. You can
verify that you now have 2 keys by using the luksOpen option of the
cryptsetup command with each password, or by using the command</em>
<BR>
<pre class="code"> # /sbin/cryptsetup luksDump /dev/sda2</pre>
The output will look similar to
<BR>
<pre class="code"> Version:        1
 Cipher name:    aes
 Cipher mode:    cbc-essiv:sha256
 Hash spec:      sha1
 Payload offset: 2056
 MK bits:        256
 MK digest:      f3 6e 66 7c d2 40 1c 4e 6e ce fa d5 b9 ac 3b 13 f9 a0 9c 7d
 MK salt:        2b f2 38 ff 21 0a 31 cd a9 17 97 a9 c0 ad 72 46
                 e3 78 21 b2 03 1a d1 68 a3 2d 80 61 bf d0 09 4d
 MK iterations:  10
 UUID:           ca858575-a412-4d26-bde7-7dfdfd0f6a72

 Key Slot 0: ENABLED
         Iterations:             51953
         Salt:                   69 51 dc 85 57 84 9d c1 97 5c ef a6 d5 31 6d d2
                                 4f 8b ce 90 71 90 8c 6c 3f 81 b7 75 41 85 59 5b
         Key material offset:    8
         AF stripes:             4000
 Key Slot 1: ENABLED
         Iterations:             52068
         Salt:                   c7 a6 e5 e9 08 d1 d6 80 c5 0a fe f5 74 22 2e 74
                                 63 a3 e3 41 f3 4f 82 fe 54 7d 5d 99 0b 14 8c 80
         Key material offset:    264
         AF stripes:             4000
 Key Slot 2: DISABLED
 Key Slot 3: DISABLED
 Key Slot 4: DISABLED
 Key Slot 5: DISABLED
 Key Slot 6: DISABLED
 Key Slot 7: DISABLED</pre>
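Reading the luksDump output by eye is error-prone, so here is a small checker, added as an example for this HowTo and not part of the original document, that parses the dump and confirms the header matches the luksFormat options used in Step Three and that the expected number of key slots is enabled. SAMPLE_DUMP is a constructed input that mirrors the dump shown above.

```python
"""Parse `cryptsetup luksDump` output and check the LUKS header after Step Three.

Added example for this HowTo, not part of the original document. SAMPLE_DUMP is
constructed to mirror the LUKS1 dump shown above; the expected cipher settings
are the ones given to luksFormat in this document."""
import re

SAMPLE_DUMP = """\
Version:        1
Cipher name:    aes
Cipher mode:    cbc-essiv:sha256
Hash spec:      sha1
Payload offset: 2056
MK bits:        256
UUID:           ca858575-a412-4d26-bde7-7dfdfd0f6a72

Key Slot 0: ENABLED
        Iterations:             51953
        Key material offset:    8
        AF stripes:             4000
Key Slot 1: ENABLED
        Iterations:             52068
        Key material offset:    264
        AF stripes:             4000
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED
"""

# Header fields start at column 0; per-slot details are indented and never match.
FIELD_RE = re.compile(r"^(Version|Cipher name|Cipher mode|Hash spec|MK bits|UUID):\s+(.*)$", re.M)
SLOT_RE = re.compile(r"^Key Slot (\d+):\s+(ENABLED|DISABLED)", re.M)


def parse_luks_dump(text):
    """Return {'header': {field: value}, 'slots': {slot_number: enabled}}."""
    header = dict((k, v.strip()) for k, v in FIELD_RE.findall(text))
    slots = dict((int(n), state == "ENABLED") for n, state in SLOT_RE.findall(text))
    return {"header": header, "slots": slots}


def enabled_slots(text):
    """Slot numbers that hold a pass-phrase or key file, in ascending order."""
    return sorted(n for n, on in parse_luks_dump(text)["slots"].items() if on)


def check_header(text, expect_cipher="aes", expect_mode="cbc-essiv:sha256",
                 expect_bits=256, min_keys=1):
    """Return a list of findings; an empty list means the header matches the
    luksFormat options in this document and at least min_keys slots are enabled."""
    header = parse_luks_dump(text)["header"]
    findings = []
    if header.get("Cipher name") != expect_cipher:
        findings.append("cipher is %r, expected %r" % (header.get("Cipher name"), expect_cipher))
    if header.get("Cipher mode") != expect_mode:
        findings.append("mode is %r, expected %r" % (header.get("Cipher mode"), expect_mode))
    if int(header.get("MK bits", "0")) != expect_bits:
        findings.append("master key is %s bits, expected %d" % (header.get("MK bits"), expect_bits))
    used = enabled_slots(text)
    if len(used) < min_keys:
        findings.append("%d key slot(s) enabled, expected at least %d" % (len(used), min_keys))
    if len(used) == 8:
        findings.append("all 8 key slots in use; none left for a recovery pass-phrase")
    return findings


if __name__ == "__main__":
    print("enabled slots:", enabled_slots(SAMPLE_DUMP))
    print("findings:", check_header(SAMPLE_DUMP, min_keys=2) or "none")
```

On a real system pipe the dump in with `cryptsetup luksDump /dev/sda2` and pass min_keys=2 after luksAddKey to confirm the administrative pass-phrase actually landed in a slot.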
</div>
<h5><a name="step_fourconfigure_mkinitrd_for_encrypted_system" id="step_fourconfigure_mkinitrd_for_encrypted_system">Step Four: Configure mkinitrd for encrypted system</a></h5>
<div class="level5">
Make a backup copy of /sbin/mkinitrd. Future updates of the
mkinitrd package will overwrite it, but the changes will allow future
kernel updates to properly build an initrd. Modify /sbin/mkinitrd per
the patch below. The patch modifies the MODULES line so that initrd has
the proper modules for encryption, adds cryptsetup to initrd, and
configures initrd to open the encrypted file-system. <BR>
<pre class="code"> >--- /sbin/mkinitrd.before.dm-crypt.20080811 2008-08-11 23:17:04.000000000 -0400<br> +++ /sbin/mkinitrd 2008-08-14 18:52:31.000000000 -0400<br> @@ -40,7 +40,7 @@<br> VERSION=5.1.19.6<br> <br> PROBE="yes"<br> -MODULES=""<br> +MODULES="aes sha256 dm_crypt cbc"<br> PREMODS=""<br> DMDEVS=""<br> NET_LIST=""<br> @@ -1081,6 +1081,7 @@<br> fi<br> inst /sbin/nash "$MNTIMAGE/bin/nash"<br> inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"<br> +inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup"<br> ln -s /sbin/nash $MNTIMAGE/sbin/modprobe<br> <br> for MODULE in $MODULES; do<br> @@ -1264,6 +1265,10 @@<br> # things like RAID or LVM<br> emit "mkblkdevs"<br> <br> +# Adding stuff for dm-cyrpted root partition<br> +emit "echo Decrypting root device"<br> +emit "cryptsetup luksOpen /dev/sda2 lvm"<br> +<br> emitdms<br> if [ -n "$raiddevices" ]; then<br> </pre>
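Review bot: the MODULES line in the first hunk (+MODULES="aes sha256 dm_crypt cbc") hardcodes exactly the kernel modules needed by the aes-cbc-essiv:sha256 cipher that the luksFormat command in Step Three selects; anyone who formats with a different cipher, mode or hash has to change this list to match, so a comment naming the cipher it serves belongs next to it.
<BR>
Review bot: the second hunk's +inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup" assumes the binary is installed; since mkinitrd runs unattended on every kernel update, a guard such as [ -x /sbin/cryptsetup ] || { echo "cryptsetup missing" >&2; exit 1; } before it turns a missing cryptsetup into an explicit build failure rather than a root device that cannot be unlocked at the next boot.
<BR>
Review bot: the third hunk hardcodes both the device and the mapping name in emit "cryptsetup luksOpen /dev/sda2 lvm", so the initrd only works while the disk enumerates as /dev/sda and the name lvm matches what the rest of this document uses; the comment above it also has a typo, "dm-cyrpted" should read "dm-crypted".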
<strong>NOTE:</strong> If you choose to modify the /sbin/mkinitrd file
manually, the additions for “cryptsetup luksOpen /dev/sda2 lvm” should
occur after the SECOND occurrence of “emit mkblkdevs”.
<BR>
<em><strong>OPTIONAL –</strong> You can prevent the mkinitrd script from being updated via yum by modifying /etc/yum.conf to include the line</em>
<BR>
<pre class="code">exclude=mkinitrd nash</pre>
</div>
<h5><a name="step_fivebuild_new_initrd" id="step_fivebuild_new_initrd">Step Five: Build new initrd</a></h5>
<div class="level5">
You now need to create the new initrd that will allow the system to
boot using the encrypted device. The method used here will allow the
presence of both the encrypted system and the unencrypted system on the
computer. This provides the opportunity to ensure that the encrypted
system is working properly and to boot into the unencrypted system
should any modifications be needed. <BR>
<pre class="code"> # mkinitrd -v /boot/initrd-2.6.18-8.el5.crypt.img 2.6.18-8.el5</pre>
</div>
<h5><a name="step_sixcopy_the_lvm_to_the_encrypted_partition" id="step_sixcopy_the_lvm_to_the_encrypted_partition">Step Six: Copy the LVM to the encrypted partition</a></h5>
<div class="level5">
Make sure that any modifications to the system configurations such
as the modified mkinitrd or the modified yum.conf are done before
performing this step. Although those things can be duplicated on the
encrypted system, it is easier if they don't need to be repeated.
<BR>
Reboot the system into single user mode.
<BR>
Open the encrypted file-system
<BR>
<pre class="code"> # /sbin/cryptsetup luksOpen /dev/sda2 lvm</pre>
Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted sda2.
<BR>
<pre class="code"> # dd if=/dev/sda3 of=/dev/mapper/lvm</pre>
When it's done, close the encrypted partition with:
<BR>
<pre class="code"> # /sbin/cryptsetup luksClose lvm</pre>
</div>
<h5><a name="step_sevenmodify_grub.conf_to_boot_the_encrypted_system" id="step_sevenmodify_grub.conf_to_boot_the_encrypted_system">Step Seven: Modify grub.conf to boot the encrypted system</a></h5>
<div class="level5">
Add the following lines to the end of /boot/grub/grub.conf. This can be done while still in single user mode.
<BR>
<pre class="code"> title CentOS Encrypted System (2.6.18-8.el5)
         root (hd0,0)
         kernel /vmlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
         initrd /initrd-2.6.18-8.el5.crypt.img</pre>
<strong>NOTE:</strong> To make the encrypted system the default system, make the above lines the first block listed in grub.conf
<BR>
</div>
<h5><a name="step_eightextend_encryption_to_the_entire_disk" id="step_eightextend_encryption_to_the_entire_disk">Step Eight: Extend encryption to the entire disk</a></h5>
<div class="level5">
<strong>NOTE:</strong> The /boot partition will not be encrypted, however the rest of the disk will be.
<BR>
Once the encrypted system is confirmed to be working correctly,
remove the unencrypted system. Randomize /dev/sda3 by using either
shred or dd. <strong><em><em class="u">Once this step is performed, there is no turning back.</em></em></strong>
The unencrypted system will no longer exist on the disk. It is also
safe to remove the grub.conf entries for the unencrypted system. <BR>
<pre class="code"> # shred -v /dev/sda3</pre>
or
<BR>
<pre class="code"> # dd if=/dev/urandom of=/dev/sda3</pre>
Use the fdisk command to resize sda2 to fill the entire disk.
<BR>
<pre class="code"> # fdisk /dev/sda</pre>
Within fdisk, delete /dev/sda2 and /dev/sda3. Create a new
/dev/sda2 that fills the entire disk. When adding the new /dev/sda2 the
defaults should be sufficient.
<BR>
Write the changes to the partition table. Use partprobe to detect changes to the partition table.
<BR>
<pre class="code"> # partprobe</pre>
</div>
<h5><a name="step_nineresize_the_file-systems" id="step_nineresize_the_file-systems">Step Nine: Resize the file-systems</a></h5>
<div class="level5">
First, resize the crypto device.
<BR>
<pre class="code"> # cryptsetup resize lvm</pre>
Next, resize the physical volume in the volume group:
<BR>
<pre class="code"> # pvresize --setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm</pre>
In order to resize the LVM volumes to use the entire disk, a reboot is required.
<BR>
<strong>NOTE to testers</strong> This seems strange to me and seems to
defeat one of the primary strengths of using LVM, but I was unable to
extend the logical volumes beyond the original number of physical
extents until after a reboot. I will do some more with this to see if
it can be done without the reboot.
<BR>
Extend the logical volumes of the system with lvextend. See man lvextend for more information on the command.
<BR>
<pre class="code"> # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00</pre>
Resize each of the file-systems with:
<BR>
<pre class="code"> # resize2fs /dev/VolGroup00/LogVol00</pre>
Replace VolGroup00 and LogVol00 with the correct volume group names and logical volume names for each volume on the system.
<BR>
</div>
<h4><a name="optional_configurations" id="optional_configurations">Optional Configurations</a></h4>
<div class="level4">
</div>
<h5><a name="aencrypting_additional_partitions" id="aencrypting_additional_partitions">A: Encrypting Additional Partitions</a></h5>
<div class="level5">
<strong>A.1: Create the encrypted system</strong>
<BR>
This step is optional. If the goal is to have the entire system
encrypted, follow steps 1-7 above. The only difference is that when
creating /dev/sda2 in fdisk, only make it as large as you want your
system volumes to use. If /dev/sda2 is larger than /dev/sda3 and you
wish to change the volume sizes for the system volumes, follow step 9
from above.
<BR>
<strong>A.2: Create partition</strong>
<BR>
Because /dev/sda3, as used for the install, only needed to be large enough
to perform the installation, the partition should now be enlarged to
the desired size. <BR>
Randomize /dev/sda3 by using either shred or dd. <strong><em><em class="u">Once this step is performed, there is no turning back.</em></em></strong>
The unencrypted system will no longer exist on the disk. It is also
safe to remove the grub.conf entries for the unencrypted system. <BR>
<pre class="code"> # shred -v /dev/sda3</pre>
or
<BR>
<pre class="code"> # dd if=/dev/urandom of=/dev/sda3</pre>
Use the fdisk command to resize sda3.
<BR>
<pre class="code"> # fdisk /dev/sda</pre>
Within fdisk, delete /dev/sda3. Create a new /dev/sda3 that follows
/dev/sda2 and is of the desired size. If /dev/sda3 is intended to fill
the remainder of the disk, the defaults should be sufficient.
<BR>
Write the changes to the partition table. Use partprobe to detect changes to the partition table.
<BR>
<pre class="code"> # partprobe</pre>
<strong>A.3: Create the file system</strong>
<BR>
Create the new file system on /dev/sda3
<BR>
<pre class="code"> # mkfs -t ext3 /dev/sda3</pre>
<strong>A.4: Encrypt the file system</strong>
<BR>
This step is essentially the same as step 3 above. The only differences
are the device being encrypted and the mapper device name, which should
be different from the one used for the system volumes. <BR>
<pre class="code"> # cryptsetup --key-size 256 --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sda3</pre>
<pre class="code"> # /sbin/cryptsetup luksOpen /dev/sda3 myencryptedpartition</pre>
<pre class="code"> # /sbin/cryptsetup luksClose myencryptedpartition</pre>
<em><strong>OPTIONAL -</strong> Add additional pass-phrases. A
key file can be used to prevent the need for typing in a pass-phrase
every time the file-system is mounted.</em>
<BR>
<pre class="code"> # /sbin/cryptsetup luksAddKey /dev/sda3</pre>
<em>or</em>
<BR>
<pre class="code"> # /sbin/cryptsetup luksAddKey /dev/sda3 /path/and/keyfile</pre>
<strong>A.5: Configure encrypted partitions to mount at boot</strong>
<BR>
This step simplifies the use of an encrypted file system. It allows
the encrypted file system to be treated like any non-encrypted file system.
The file /etc/crypttab will automate the luksOpen commands that were
used earlier. The format of /etc/crypttab is <BR>
<pre class="code"> mappingname devicename password_file_path options</pre>
Not all fields are needed. Most of the possible options for the
options field are ignored for LUKS volumes, because LUKS volumes have
all the necessary information about the cipher, key size, and hash in
the volume header. Also, if the password_file_path field is empty or
has the value “none”, the system will prompt for the pass-phrase when
mounting the file system.
<BR>
Create /etc/crypttab
<BR>
<pre class="code"> myencryptedpartition /dev/sda3 /path/and/keyfile</pre>
or
<BR>
<pre class="code"> myencryptedpartition /dev/sda3 none</pre>
It is usually a bad idea to store the pass-phrase in a plain text
file, however, an encrypted root partition does alleviate some of the
concern. Under no circumstances should a pass-phrase be stored on an
unencrypted partition such as /boot.
<BR>
Modify /etc/fstab to add the line
<BR>
<pre class="code"> /dev/mapper/myencryptedpartition /myFileSystem ext3 defaults 1 2</pre>
The encrypted partition is now configured to mount at boot.
<BR>
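A mapping name that differs between /etc/crypttab and /etc/fstab, or a key file placed under /boot, only shows up as a failed or exposed mount at the next boot. The following checker, added as an example for this HowTo and not part of the original document, parses both files in the formats given in A.5 and reports those two mistakes; both sample files are constructed, and the fstab mapper name is deliberately misspelled so the check has something to report. UNENCRYPTED_MOUNTS reflects this document's layout, where only /boot stays in clear.

```python
"""Cross-check the /etc/crypttab and /etc/fstab entries written in step A.5.

Added example for this HowTo, not part of the original document. Both files are
constructed samples; the fstab mapper name is deliberately misspelled so the
check has something to report. UNENCRYPTED_MOUNTS is an assumption matching this
document's layout, where only /boot is left unencrypted."""

CRYPTTAB = """\
# mappingname devicename password_file_path options
myencryptedpartition /dev/sda3 none
"""

FSTAB = """\
/dev/VolGroup00/LogVol00        /              ext3 defaults 1 1
LABEL=/boot                     /boot          ext3 defaults 1 2
/dev/mapper/myencryptedparition /myFileSystem  ext3 defaults 1 2
"""

UNENCRYPTED_MOUNTS = ("/boot",)
MAPPER = "/dev/mapper/"


def parse_crypttab(text):
    """Return {mapping_name: (device, keyfile, options)}. keyfile is None when the
    field is missing or 'none', i.e. the system prompts for the pass-phrase."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 2:
            raise ValueError("crypttab line needs a mapping name and a device: %r" % line)
        keyfile = fields[2] if len(fields) > 2 and fields[2] != "none" else None
        options = fields[3] if len(fields) > 3 else ""
        entries[fields[0]] = (fields[1], keyfile, options)
    return entries


def parse_fstab(text):
    """Return [(device, mountpoint, fstype)] for every non-comment line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#"):
            rows.append((fields[0], fields[1], fields[2]))
    return rows


def on_unencrypted_mount(path):
    """True when path lives under one of the unencrypted mount points."""
    return any(path == m or path.startswith(m.rstrip("/") + "/") for m in UNENCRYPTED_MOUNTS)


def check_boot_config(crypttab_text, fstab_text):
    """Return a list of findings; an empty list means every mapper device in fstab
    is defined in crypttab and no key file sits on an unencrypted partition."""
    findings = []
    crypt = parse_crypttab(crypttab_text)
    for device, mountpoint, _ in parse_fstab(fstab_text):
        if device.startswith(MAPPER) and device[len(MAPPER):] not in crypt:
            # The mount fails at boot because no luksOpen ever creates this mapping.
            findings.append("fstab mounts %s on %s but crypttab defines no such mapping"
                            % (device, mountpoint))
    for name, (device, keyfile, _) in crypt.items():
        if keyfile and on_unencrypted_mount(keyfile):
            findings.append("mapping %s (%s) reads its key from %s on an unencrypted partition"
                            % (name, device, keyfile))
    return findings


if __name__ == "__main__":
    for finding in check_boot_config(CRYPTTAB, FSTAB) or ["no findings"]:
        print(finding)
```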
</div><br><br><br><hr id="EC_stopSpelling">From: ixeous@hotmail.com<br>To: centos-docs@centos.org<br>Date: Thu, 28 Aug 2008 09:53:26 -0400<br>Subject: [CentOS-docs] potential wiki on encryption<br><br>
<div style="text-align: left;">Hello all,<br><br>I posted the whole disk encryption instructions in the forum that has been briefly discussed on the list. I joined the list per Ned's post on the thread.<br><br><pre><a href="http://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=15923&forum=42" target="_blank">http://www.centos.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=15923&forum=42</a></pre>I have a couple of questions about the process of creating a wiki.<br><br>1. How does the peer-review process work?<br>2. Is there a place to place an article being reviewed that can be modified while being reviewed but not necessarily available to the public?<br><br>The reason that I ask the second question is because the posting in the forum is literally my first draft as I was going through the process. I have found a couple of modifications that need to be made. The changes that I know should be made are:<br><br>1. The optional step of adding exclude=mkinitrd to /etc/yum.conf should be "exclude=mkinitrd nash"<br>2. I switched up my disk device on some instructions to /dev/hda which should be /dev/sda for consistency.<br>3. I think that the last 2 steps of extending the encrypted partition to the entire disk could be clearer.<br><br>Thanks.<br>Chris<br></div>
</body>
</html>