[CentOS-docs] Encrypting tmp swap and home

Fri Oct 17 01:41:12 UTC 2008
Chris * <ixeous at hotmail.com>

I had submitted a document to this list a few weeks back that gave instructions for whole disk encryption which would cover /tmp /home /swap and everything other than /boot.  I did not ask for space in the wiki because i thought it was waiting for "peer review" for accuracy.  That entire thread seemed to simply die so I haven't pursued the wiki any further.  I already have this document in a wiki format at work and would be happy to submit it to the CentOS wiki should it pass muster.  The contents of my last post are:

Whole (Most) Disk Encryption on CentOS 5

This document is in the process of being developed

Credit To Others
The primary source for this document was http://www.tummy.com/Community/Articles/cryptoroot-f8/. It was heavily used but adapted to CentOS5 and with some changes which simplify and improve the process. Other sources that were used are http://musialek.org/?p=3 and http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html.

Summary
This document contains step by step instructions for encrypting the entire disk including swap space with the exception of the /boot partition on CentOS 5. It assumes that you are planning to encrypt your disk from install and that your disk is /dev/sda. This document was created with with CentOS 5.0 before any patches or updates were applied. There are some optional components within this document that are not technically necessary for encrypting the disk. Those components can be ignored for testing, but they should be followed on any “real” systems.
The end of the document contains optional configurations. This is useful if you prefer to have additional partitions on the disk. The step by step instructions will leave a disk with two partitions, /boot (/dev/sda1) and an LVM (/dev/sda2) partition which contains all system volumes. The optional section will contain the differences needed to have an additional partition (/dev/sda3) which may be used as a data store, NFS share, etc.

Step One: Prepare the disk
The first step is to prepare the disk. The installer partitioning software doesn't have the flexibility to be able to do this, so you will need to switch to the shell and perform the setup manually.
Once the installer has moved into the GUI, press Ctrl-Alt-F2 to get a command prompt.
OPTIONAL – Overwrite and randomize the entire disk. Use shred or dd to overwrite the disk. The technical merits of multiple overwrites of shred vs. using /dev/random with dd are beyond the scope of this document. The default options of shred take a very, very long time to run. The time to complete on any sizeable disk would likely be measured in days. This note applies to all statements about radomizing the disks or partitions in this document.

 # shred -v /dev/sda

or

 # dd if=/dev/urandom of=/dev/sda


Use fdisk to create the partitions for install. You will need to create a /boot partition and an LVM partition at the end of the disk. The gap in between the two partitions will become your encrypted file-system. This document will refer to the boot partition as /dev/sda1 and the install partition at the end of the disk as /dev/sda3. The encrypted partition will become /dev/sda2.
The partition at the end of the disk should be smaller than the empty space between /boot and your LVM partition so that there is room for the meta-data associated with the encryption. The LVM partition really only needs to be large enough to install the system. You will be able to expand the system volumes if you like after you have a working, encrypted system.

 # fdisk /dev/sda

RedHat documentation recommends 100MB for the boot partition. Over time, the /boot partition can fill up as a result of updated kernels if it is not regularly cleaned. Using a larger /boot partition may be beneficial. /dev/sda1 should be of type 83 (Linux) and should be bootable. /dev/sda3 should have sufficient space to perform the installation. The partition type of /dev/sda3 should be 8e (Linux LVM). When done, it should look something like:

 Device    Boot      Start         End      Blocks   Id  System
 /dev/sda1   *           1          65      521955   83  Linux
 /dev/sda3           20000       30401    83554065   8e  Linux LVM

If you are not familiar with the fdisk commands, you can type “?” at the fdisk prompt to see a list of commands. Once you have the disk partitioned correctly (view the partition table with the “p” command within fdisk), remember to write the partition table while exiting with the “w” command.
Return to the GUI to complete the installation. Press Ctrl-Alt-F6 to return to the GUI.

Step Two: Installing the OS
The installation must be done using the graphical installer because the text installer doesn't allow a custom installation to use LVM.
For the partitioning, select “Custom”, and tell it to format sda1 as /boot, and sda3 as an LVM physical partition.
Then use the “LVM” button to create a volume group, and a logical volumes within it for the / file-system. Create the swap partition within LVM to ensure that your swap space is ultimately encrypted as well. You can create /usr, /var, /tmp, and other volumes within LVM if you choose. Note that you'll be able to resize the partitions later, so they don't need to be the desired target space or proportion right now.
Complete the rest of the installation process as normal.

Step Three: Create the encrypted partition
Boot into the installed system and create /dev/sda2 using fdisk. It needs to be the space between sda1 and sda3, and it should have a partition type of 83 (Linux) (it does not need to be type 8e, Linux LVM). Write the partition table and quit fdisk.
Once you have create the partition, use the partprobe command to read new partition.

 # partprobe

If you did not randomize the disk via shred or dd, you should randomize the partition using dd. This may take a while depending on the size of the partition.

 # dd if=/dev/urandom of=/dev/sda2

You now need to set up encryption.

 # cryptsetup --key-size 256 --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sda2

Confirm that you want to destroy all data on the partition and then provide a pass-phrase. You will need to remember the pass-phrase in order to access your system.
Open the encrypted file-system to ensure that all is well with the encrypted partition

 # /sbin/cryptsetup luksOpen /dev/sda2 lvm

Enter the pass-phrase for the file-system. Close the file-system with

 # /sbin/cryptsetup luksClose lvm

OPTIONAL - Additional pass-phrases can be added at this point. This is especially useful in enterprise environments where you would like to have an administrative pass-phrase should a user forget the pass-phrase or you need to have access after a user leaves.

 # /sbin/cryptsetup luksAddKey /dev/sda2

Enter the existing pass-phrase twice, it will then ask you to enter a new pass-phrase where you can add the second key. You can verify that you now have 2 keys by using the luksOpen option with the cryptsetup command using each password or by using the command

 # /sbin/cryptsetup luksDump /dev/sda2

The output will look similar to

 Version:        1
 Cipher name:    aes
 Cipher mode:    cbc-essiv:sha256
 Hash spec:      sha1
 Payload offset: 2056
 MK bits:        256
 MK digest:      f3 6e 66 7c d2 40 1c 4e 6e ce fa d5 b9 ac 3b 13 f9 a0 9c 7d
 MK salt:        2b f2 38 ff 21 0a 31 cd a9 17 97 a9 c0 ad 72 46
                 e3 78 21 b2 03 1a d1 68 a3 2d 80 61 bf d0 09 4d
 MK iterations:  10
 UUID:           ca858575-a412-4d26-bde7-7dfdfd0f6a72
 
 Key Slot 0: ENABLED
         Iterations:             51953
         Salt:                   69 51 dc 85 57 84 9d c1 97 5c ef a6 d5 31 6d d2
                                 4f 8b ce 90 71 90 8c 6c 3f 81 b7 75 41 85 59 5b
         Key material offset:    8
         AF stripes:             4000
 Key Slot 1: ENABLED
         Iterations:             52068
         Salt:                   c7 a6 e5 e9 08 d1 d6 80 c5 0a fe f5 74 22 2e 74
                                 63 a3 e3 41 f3 4f 82 fe 54 7d 5d 99 0b 14 8c 80
         Key material offset:    264
         AF stripes:             4000
 Key Slot 2: DISABLED
 Key Slot 3: DISABLED
 Key Slot 4: DISABLED
 Key Slot 5: DISABLED
 Key Slot 6: DISABLED
 Key Slot 7: DISABLED

Step Four: Configure mkinitrd for encrypted system
Make a backup copy of /sbin/mkinitrd. Future updates of the mkinitrd package will overwrite it, but the changes will allow future kernel updates to properly build an initrd. Modify /sbin/mkinitrd per the patch below. The patch modifies the MODULES line so that initrd has the proper modules for encryption, adds cryptsetup to initrd, and configures initrd to open the encrypted file-system.

>--- /sbin/mkinitrd.before.dm-crypt.20080811     2008-08-11 23:17:04.000000000 -0400
 +++ /sbin/mkinitrd      2008-08-14 18:52:31.000000000 -0400
 @@ -40,7 +40,7 @@
  VERSION=5.1.19.6
 
  PROBE="yes"
 -MODULES=""
 +MODULES="aes sha256 dm_crypt cbc"
  PREMODS=""
  DMDEVS=""
  NET_LIST=""
 @@ -1081,6 +1081,7 @@
  fi
  inst /sbin/nash "$MNTIMAGE/bin/nash"
  inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"
 +inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup"
  ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
 
  for MODULE in $MODULES; do
 @@ -1264,6 +1265,10 @@
  # things like RAID or LVM
  emit "mkblkdevs"
 
 +# Adding stuff for dm-cyrpted root partition
 +emit "echo Decrypting root device"
 +emit "cryptsetup luksOpen /dev/sda2 lvm"
 +
  emitdms
  if [ -n "$raiddevices" ]; then
 

NOTE: If you choose to modify the /sbin/mkinitrd file manually, the additions for “cryptsetup luksOpen /dev/sda2 lvm” should occur after the SECOND occurance of “emit mkblkdevs”
OPTIONAL – You can prevent the mkinitrd script from being updated via yum by modifying /etc/yum.conf to include the line

exclude=mkinitrd nash

Step Five: Build new initrd
You now need to create the new initrd that will allow the system to boot using the encrypted device. The method used here will allow the presence of both the encrypted system and the unencrypted system on the computer. This provides the opportunity to ensure that the encrypted system is working properly and to boot into the unencrypted system should any modifications be needed.

 # mkinitrd -v /boot/initrd-2.6.18-8.el5.crypt.img 2.6.18-8.el5

Step Six: Copy the LVM to the encrypted partition
Make sure that any modifications to the system configurations such as the modified mkinitrd or the modified yum.conf are done before performing this step. Although those things can be duplicated on the encrypted system, it is easier if they don't need to be repeated.
Reboot the system into single user mode.
Open the encrypted file-system

 # /sbin/cryptsetup luksOpen /dev/sda2 lvm

Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted sda2.

 # dd if=/dev/sda3 of=/dev/mapper/lvm

When it's done, close the encrypted partition with:

 # /sbin/cryptsetup luksClose lvm

Step Seven: Modify grub.conf to boot the encrypted system
Add the following lines to the end of /boot/grub/grub.conf. This can be done while still in single user mode.

 title CentOS Encrypted System (2.6.18-8.el5)
    root (hd0,0)
    kernel /vimlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
    initrd /initrd-2.6.18-8.el5.crypt.img

NOTE: To make the encrypted system the default system, make the above lines the first block listed in grub.conf

Step Eight: Extend encryption to the entire disk
NOTE: The /boot partition will not be encrypted, however the rest of the disk will be.
Once the encrypted system is confirmed to be working correctly, remove the unencrypted system. Randomize /dev/hda3 by using either shred or dd. Once this step is performed, there is no turning back. The unencrypted system will no longer exist on the disk. It is also safe to remove the grub.conf entries for the unencrypted system.

 # shred -v /dev/sda3

or

 # dd if=/dev/urandom of=/dev/sda3

Use the fdisk command to resize sda2 to fill the entire disk.

 # fdisk /dev/sda

Within fdisk, delete /dev/sda2 and /dev/sda3. Create a new /dev/sda2 that fills the entire disk. When adding the new /dev/sda2 the defaults should be sufficient.
Write the changes to the partition table. Use partprobe to detect changes to the partition table.

 # partprobe

Step Nine: Resize the file-systems
First, resize the crypto device.

 # cryptsetup resize lvm

Next, resize the physical volume in the volume group:

 # pvresize –-setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm

In order to resize the LVM volumes to use the entire disk, a reboot is required.
NOTE to testers This seems strange to me and seems to defeat one of the primary strengths of using LVM, but I was unable to extend the logical volumes beyond the original number of physical extents until after a reboot. I will do some more with this to see if it can be done without the reboot.
Extend the logical volumes of the system with lvextend. man lvextend for more information on the command.

 # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00

Resize each of the file-systems with:

 # resize2fs /dev/VolGroup00/LogVol00

Replace VolGroup00 and LogVol00 with the correct volume group names and logical volume names for each volume on the system.

Optional Configurations
A: Encrypting Additional Partitions

A.1: Create the encrypted system
This step is optional. If the goal is to have the entire system encrypted, follow steps 1-7 above. The only difference is that when creating /dev/sda2 in fdisk, only make it as large as you want your system volumes to use. If /dev/sda2 is larger than /dev/sda3 and you wish to change the volume sizes for the system volumes, follow step 9 from above.

A.2: Create partition
Because /dev/sda3 as used for install only needed to be large enough to perform the installation, the partition should now be enlarged to the desired size.
Randomize /dev/hda3 by using either shred or dd. Once this step is performed, there is no turning back. The unencrypted system will no longer exist on the disk. It is also safe to remove the grub.conf entries for the unencrypted system.

 # shred -v /dev/sda3

or

 # dd if=/dev/urandom of=/dev/sda3

Use the fdisk command to resize sda3.

 # fdisk /dev/sda

Within fdisk, delete /dev/sda3. Create a new /dev/sda3 that follows /dev/sda2 and is of the desired size. If /dev/sda3 is intended to fill the remainder of the disk, the defaults should be sufficient.
Write the changes to the partition table. Use partprobe to detect changes to the partition table.

 # partprobe

A.3: Create the file system
Create the new file system on /dev/sda3

 # mkfs -t ext3 /dev/sda3

A.4: Encrypt the file system
This step is essentially the same as step 3 above. The difference being the device encrypted and a different mapper device name should be used.

 # cryptsetup --key-size 256 --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sda3

 # /sbin/cryptsetup luksOpen /dev/sda3 myencryptedpartition

 # /sbin/cryptsetup luksClose myencryptedpartition

OPTIONAL - Add additional pass-phrases. A key file can be used to prevent the need for typing in a pass-phrase every time the file-system is mounted.

 # /sbin/cryptsetup luksAddKey /dev/sda3

or

 # /sbin/cryptsetup luksAddKey /dev/sda3 /path/and/keyfile

A.5: Configure encrypted partitions to mount at boot
This step simplifies the use of an encrypted file system. It will allow the encrypted file system to be treated as any non-encrypted system. The file /etc/crypttab will automate the luksOpen commands that were used earlier. The format of the /etc/crypttab is

 mappingname        devicename        password_file_path        options

Not all fields are needed. Most of the possible options for the options field are ignored for LUKS volumes, because LUKS volumes have all the necessary information about the cipher, key size, and hash in the volume header. Also, if the password_file_path field is empty or has the value “none”, the system will prompt for the pass-phrase when mounting the file system.
Create /etc/crypttab

 myencryptedpartition        /dev/sda3        /path/and/keyfile

or

 myencryptedpartition        /dev/sda3        none

It is usually a bad idea to store the pass-phrase in a plain text file, however, an encrypted root partition does alleviate some of the concern. Under no circumstances should a pass-phrase be stored on an unencrypted partition such as /boot.
Modify /etc/fstab to add the line

 /dev/mapper/myencryptedparition       /myFileSystem        ext3    defaults        1 2

The encrypted partition is now configured to mount at boot. 

----------------------------------------
> Date: Wed, 15 Oct 2008 07:52:40 -0400
> From: maxhetrick at verizon.net
> To: centos-docs at centos.org
> Subject: [CentOS-docs] Encrypting tmp swap and home
> 
> Hi everyone,
> 
> I added a page under the HowTos for Encryption, and then added a guide 
> for encrypting /tmp /swap and /home using cryptsetup and LUKS keys on 
> LVM, when you already have partitions setup.
> 
> http://wiki.centos.org/HowTos/EncryptTmpSwapHome
> 
> Regards,
> Max
> _______________________________________________
> CentOS-docs mailing list
> CentOS-docs at centos.org
> http://lists.centos.org/mailman/listinfo/centos-docs

_________________________________________________________________
You live life beyond your PC. So now Windows goes beyond your PC.
http://clk.atdmt.com/MRT/go/115298556/direct/01/