[CentOS-docs] potential wiki on encryption

Thu Sep 4 15:14:26 UTC 2008
Chris * <ixeous at hotmail.com>

This is a newer version of the proposed whole disk encryption HowTo.  I have added a section that attempts to combine the information in http://wiki.centos.org/TipsAndTricks/EncryptedFilesystem.  All information has not been incorporated, but I tried to keep the instructions for having non-root partitions consistent with the steps and methods outlined earlier in the document.  I think that this does allow for additional encrypted partitions as described in the TipsAndTricks document.

Here's the latest version.

Whole (Most) Disk Encryption on CentOS 5

This document is in the process of being developed

Credit To Others

The primary source for this document was http://www.tummy.com/Community/Articles/cryptoroot-f8/.
It was heavily used but adapted to CentOS5 and with some changes which
simplify and improve the process. Other sources that were used are http://musialek.org/?p=3 and http://agiletesting.blogspot.com/2008/05/encrypting-linux-root-partition-with.html.


 This document contains step by step instructions for encrypting the
entire disk including swap space with the exception of the /boot
partition on CentOS 5. It assumes that you are planning to encrypt your
disk from install and that your disk is /dev/sda. This document was
created with with CentOS 5.0 before any patches or updates were
applied. There are some optional components within this document that
are not technically necessary for encrypting the disk. Those components
can be ignored for testing, but they should be followed on any “real”

The end of the document contains optional configurations. This is
useful if you prefer to have additional partitions on the disk. The
step by step instructions will leave a disk with two partitions, /boot
(/dev/sda1) and an LVM (/dev/sda2) partition which contains all system
volumes. The optional section will contain the differences needed to
have an additional partition (/dev/sda3) which may be used as a data
store, NFS share, etc.

Step One: Prepare the disk

 The first step is to prepare the disk. The installer partitioning
software doesn't have the flexibility to be able to do this, so you
will need to switch to the shell and perform the setup manually.

Once the installer has moved into the GUI, press Ctrl-Alt-F2 to get a command prompt.

OPTIONAL – Overwrite and randomize the entire
disk. Use shred or dd to overwrite the disk. The technical merits of
multiple overwrites of shred vs. using /dev/random with dd are beyond
the scope of this document. The default options of shred take a very,
very long time to run. The time to complete on any sizeable disk would
likely be measured in days. This note applies to all statements about
radomizing the disks or partitions in this document. 

 # shred -v /dev/sda


 # dd if=/dev/urandom of=/dev/sda

 Use fdisk to create the partitions for install. You will
need to create a /boot partition and an LVM partition at the end of the
disk. The gap in between the two partitions will become your encrypted
file-system. This document will refer to the boot partition as
/dev/sda1 and the install partition at the end of the disk as
/dev/sda3. The encrypted partition will become /dev/sda2.

The partition at the end of the disk should be smaller than the
empty space between /boot and your LVM partition so that there is room
for the meta-data associated with the encryption. The LVM partition
really only needs to be large enough to install the system. You will be
able to expand the system volumes if you like after you have a working,
encrypted system. 
 # fdisk /dev/sda

 RedHat documentation recommends 100MB for the boot partition. Over
time, the /boot partition can fill up as a result of updated kernels if
it is not regularly cleaned. Using a larger /boot partition may be
beneficial. /dev/sda1 should be of type 83 (Linux) and should be
bootable. /dev/sda3 should have sufficient space to perform the
installation. The partition type of /dev/sda3 should be 8e (Linux LVM).
When done, it should look something like: 
 Device    Boot      Start         End      Blocks   Id  System
 /dev/sda1   *           1          65      521955   83  Linux
 /dev/sda3           20000       30401    83554065   8e  Linux LVM

 If you are not familiar with the fdisk commands, you can type “?”
at the fdisk prompt to see a list of commands. Once you have the disk
partitioned correctly (view the partition table with the “p” command
within fdisk), remember to write the partition table while exiting with
the “w” command.

Return to the GUI to complete the installation. Press Ctrl-Alt-F6 to return to the GUI.

Step Two: Installing the OS

 The installation must be done using the graphical installer because
the text installer doesn't allow a custom installation to use LVM.

For the partitioning, select “Custom”, and tell it to format sda1 as /boot, and sda3 as an LVM physical partition.

Then use the “LVM” button to create a volume group, and a logical
volumes within it for the / file-system. Create the swap partition
within LVM to ensure that your swap space is ultimately encrypted as
well. You can create /usr, /var, /tmp, and other volumes within LVM if
you choose. Note that you'll be able to resize the partitions later, so
they don't need to be the desired target space or proportion right now.

Complete the rest of the installation process as normal.

Step Three: Create the encrypted partition

 Boot into the installed system and create /dev/sda2 using fdisk. It
needs to be the space between sda1 and sda3, and it should have a
partition type of 83 (Linux) (it does not need to be type 8e, Linux
LVM). Write the partition table and quit fdisk.

Once you have create the partition, use the partprobe command to read new partition. 

 # partprobe

 If you did not randomize the disk via shred or dd, you should
randomize the partition using dd. This may take a while depending on
the size of the partition. 
 # dd if=/dev/urandom of=/dev/sda2

 You now need to set up encryption. 

 # cryptsetup --key-size 256 --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sda2

 Confirm that you want to destroy all data on the partition and then
provide a pass-phrase. You will need to remember the pass-phrase in
order to access your system.

Open the encrypted file-system to ensure that all is well with the encrypted partition 

 # /sbin/cryptsetup luksOpen /dev/sda2 lvm

 Enter the pass-phrase for the file-system. Close the file-system with 

 # /sbin/cryptsetup luksClose lvm

 OPTIONAL - Additional pass-phrases can be
added at this point. This is especially useful in enterprise
environments where you would like to have an administrative pass-phrase
should a user forget the pass-phrase or you need to have access after a
user leaves. 

 # /sbin/cryptsetup luksAddKey /dev/sda2

 Enter the existing pass-phrase twice, it will then ask you to
enter a new pass-phrase where you can add the second key. You can
verify that you now have 2 keys by using the luksOpen option with the
cryptsetup command using each password or by using the command 

 # /sbin/cryptsetup luksDump /dev/sda2

 The output will look similar to 

 Version:        1
 Cipher name:    aes
 Cipher mode:    cbc-essiv:sha256
 Hash spec:      sha1
 Payload offset: 2056
 MK bits:        256
 MK digest:      f3 6e 66 7c d2 40 1c 4e 6e ce fa d5 b9 ac 3b 13 f9 a0 9c 7d
 MK salt:        2b f2 38 ff 21 0a 31 cd a9 17 97 a9 c0 ad 72 46
                 e3 78 21 b2 03 1a d1 68 a3 2d 80 61 bf d0 09 4d
 MK iterations:  10
 UUID:           ca858575-a412-4d26-bde7-7dfdfd0f6a72
 Key Slot 0: ENABLED
         Iterations:             51953
         Salt:                   69 51 dc 85 57 84 9d c1 97 5c ef a6 d5 31 6d d2
                                 4f 8b ce 90 71 90 8c 6c 3f 81 b7 75 41 85 59 5b
         Key material offset:    8
         AF stripes:             4000
 Key Slot 1: ENABLED
         Iterations:             52068
         Salt:                   c7 a6 e5 e9 08 d1 d6 80 c5 0a fe f5 74 22 2e 74
                                 63 a3 e3 41 f3 4f 82 fe 54 7d 5d 99 0b 14 8c 80
         Key material offset:    264
         AF stripes:             4000
 Key Slot 2: DISABLED
 Key Slot 3: DISABLED
 Key Slot 4: DISABLED
 Key Slot 5: DISABLED
 Key Slot 6: DISABLED
 Key Slot 7: DISABLED

Step Four: Configure mkinitrd for encrypted system

 Make a backup copy of /sbin/mkinitrd. Future updates of the
mkinitrd package will overwrite it, but the changes will allow future
kernel updates to properly build an initrd. Modify /sbin/mkinitrd per
the patch below. The patch modifies the MODULES line so that initrd has
the proper modules for encryption, adds cryptsetup to initrd, and
configures initrd to open the encrypted file-system. 
 >--- /sbin/mkinitrd.before.dm-crypt.20080811     2008-08-11 23:17:04.000000000 -0400
 +++ /sbin/mkinitrd      2008-08-14 18:52:31.000000000 -0400
 @@ -40,7 +40,7 @@
 +MODULES="aes sha256 dm_crypt cbc"
 @@ -1081,6 +1081,7 @@
  inst /sbin/nash "$MNTIMAGE/bin/nash"
  inst /sbin/insmod.static "$MNTIMAGE/bin/insmod"
 +inst /sbin/cryptsetup "$MNTIMAGE/bin/cryptsetup"
  ln -s /sbin/nash $MNTIMAGE/sbin/modprobe
  for MODULE in $MODULES; do
 @@ -1264,6 +1265,10 @@
  # things like RAID or LVM
  emit "mkblkdevs"
 +# Adding stuff for dm-cyrpted root partition
 +emit "echo Decrypting root device"
 +emit "cryptsetup luksOpen /dev/sda2 lvm"
  if [ -n "$raiddevices" ]; then

NOTE: If you choose to modify the /sbin/mkinitrd file
manually, the additions for “cryptsetup luksOpen /dev/sda2 lvm” should
occur after the SECOND occurance of “emit mkblkdevs”

OPTIONAL – You can prevent the mkinitrd script from being updated via yum by modifying /etc/yum.conf  to include the line 

exclude=mkinitrd nash

Step Five: Build new initrd

 You now need to create the new initrd that will allow the system to
boot using the encrypted device. The method used here will allow the
presence of both the encrypted system and the unencrypted system on the
computer. This provides the opportunity to ensure that the encrypted
system is working properly and to boot into the unencrypted system
should any modifications be needed. 
 # mkinitrd -v /boot/initrd-2.6.18-8.el5.crypt.img 2.6.18-8.el5

Step Six: Copy the LVM to the encrypted partition

 Make sure that any modifications to the system configurations such
as the modified mkinitrd or the modified yum.conf are done before
performing this step. Although those things can be duplicated on the
encrypted system, it is easier if they don't need to be repeated.

Reboot the system into single user mode.

Open the encrypted file-system 

 # /sbin/cryptsetup luksOpen /dev/sda2 lvm

 Enter the pass-phrase. Now you can copy the contents of sda3 to the encrypted sda2. 

 # dd if=/dev/sda3 of=/dev/mapper/lvm

 When it's done, close the encrypted partition with: 

 # /sbin/cryptsetup luksClose lvm

Step Seven: Modify grub.conf to boot the encrypted system

 Add the following lines to the end of /boot/grub/grub.conf. This can be done while still in single user mode. 

 title CentOS Encrypted System (2.6.18-8.el5)
    root (hd0,0)
    kernel /vimlinuz-2.6.18-8.el5 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
    initrd /initrd-2.6.18-8.el5.crypt.img

 NOTE: To make the encrypted system the default system, make the above lines the first block listed in grub.conf

Step Eight: Extend encryption to the entire disk

 NOTE: The /boot partition will not be encrypted, however the rest of the disk will be.

Once the encrypted system is confirmed to be working correctly,
remove the unencrypted system. Randomize /dev/hda3 by using either
shred or dd. Once this step is performed, there is no turning back.
The unencrypted system will no longer exist on the disk. It is also
safe to remove the grub.conf entries for the unencrypted system. 
 # shred -v /dev/sda3


 # dd if=/dev/urandom of=/dev/sda3

 Use the fdisk command to resize sda2 to fill the entire disk. 

 # fdisk /dev/sda

 Within fdisk, delete /dev/sda2 and /dev/sda3. Create a new
/dev/sda2 that fills the entire disk. When adding the new /dev/sda2 the
defaults should be sufficient.

Write the changes to the partition table. Use partprobe to detect changes to the partition table. 

 # partprobe

Step Nine: Resize the file-systems

 First, resize the crypto device. 

 # cryptsetup resize lvm

 Next, resize the physical volume in the volume group: 

 # pvresize –-setphysicalvolumesize [size of disk - /boot] /dev/mapper/lvm

 In order to resize the LVM volumes to use the entire disk, a reboot is required.

NOTE to testers This seems strange to me and seems to
defeat one of the primary strengths of using LVM, but I was unable to
extend the logical volumes beyond the original number of physical
extents until after a reboot. I will do some more with this to see if
it can be done without the reboot.

Extend the logical volumes of the system with lvextend.  man lvextend for more information on the command. 

 # lvextend -L +[size to increase the volume] /dev/VolGroup00/LogVol00

 Resize each of the file-systems with: 

 # resize2fs /dev/VolGroup00/LogVol00

 Replace VolGroup00 and LogVol00 with the correct volume group names and logical volume names for each volume on the system.

Optional Configurations

A: Encrypting Additional Partitions

 A.1: Create the encrypted system

This step is optional. If the goal is to have the entire system
encrypted, follow steps 1-7 above. The only difference is that when
creating /dev/sda2 in fdisk, only make it as large as you want your
system volumes to use. If /dev/sda2 is larger than /dev/sda3 and you
wish to change the volume sizes for the system volumes, follow step 9
from above.

A.2: Create partition

Because /dev/sda3 as used for install only needed to be large enough
to perform the installation, the partition should now be enlarged to
the desired size. 

Randomize /dev/hda3 by using either shred or dd. Once this step is performed, there is no turning back.
The unencrypted system will no longer exist on the disk. It is also
safe to remove the grub.conf entries for the unencrypted system. 
 # shred -v /dev/sda3


 # dd if=/dev/urandom of=/dev/sda3

 Use the fdisk command to resize sda3. 

 # fdisk /dev/sda

 Within fdisk, delete /dev/sda3. Create a new /dev/sda3 that follows
/dev/sda2 and is of the desired size. If /dev/sda3 is intended to fill
the remainder of the disk, the defaults should be sufficient.

Write the changes to the partition table. Use partprobe to detect changes to the partition table. 

 # partprobe

 A.3: Create the file system

Create the new file system on /dev/sda3 

 # mkfs -t ext3 /dev/sda3

 A.4: Encrypt the file system

This step is essentially the same as step 3 above. The difference
being the device encrypted and a different mapper device name should be
 # cryptsetup --key-size 256 --verbose --verify-passphrase --cipher aes-cbc-essiv:sha256 luksFormat /dev/sda3
 # /sbin/cryptsetup luksOpen /dev/sda3 myencryptedpartition
 # /sbin/cryptsetup luksClose myencryptedpartition

 OPTIONAL - Add additional pass-phrases. A
key file can be used to prevent the need for typing in a pass-phrase
every time the file-system is mounted. 

 # /sbin/cryptsetup luksAddKey /dev/sda3


 # /sbin/cryptsetup luksAddKey /dev/sda3 /path/and/keyfile

 A.5: Configure encrypted partitions to mount at boot

This step simplifies the use of an encrypted file system. It will allow
the encrypted file system to be treated as any non-encrypted system.
The file /etc/crypttab will automate the luksOpen commands that were
used earlier. The format of the /etc/crypttab is 
 mappingname        devicename        password_file_path        options

 Not all fields are needed. Most of the possible options for the
options field are ignored for LUKS volumes, because LUKS volumes have
all the necessary information about the cipher, key size, and hash in
the volume header. Also, if the password_file_path field is empty or
has the value “none”, the system will prompt for the pass-phrase when
mounting the file system.

Create /etc/crypttab 

 myencryptedpartition        /dev/sda3        /path/and/keyfile


 myencryptedpartition        /dev/sda3        none

 It is usually a bad idea to store the pass-phrase in a plain text
file, however, an encrypted root partition does alleviate some of the
concern. Under no circumstances should a pass-phrase be stored on an
unencrypted partition such as /boot.

Modify /etc/fstab to add the line 

 /dev/mapper/myencryptedparition       /myFileSystem        ext3    defaults        1 2

 The encrypted partition is now configured to mount at boot. 

From: ixeous at hotmail.com
To: centos-docs at centos.org
Date: Thu, 28 Aug 2008 09:53:26 -0400
Subject: [CentOS-docs] potential wiki on encryption

Hello all,

I posted the whole disk encryption instructions in the forum that has been briefly discussed on the list.  I joined the list per Ned's post on the thread.


I have a couple of questions about the process of creating a wiki.

1.  How does the peer-review process work?
2.  Is there a place to place an article being reviewed that can be modified while being reviewed but not necessarily available to the public?

The reason that I ask the second question is because the posting in the forum is literally my first draft as I was going through the process.  I have found a couple of modifications that need to be made.  The changes that I know should be made are:

1.  The optional step of adding exclude=mkinitrd to /etc/yum.conf should be "exclude=mkinitrd nash"
2.  I switched up my disk device on some instructions to /dev/hda which should be /dev/sda for consistency.
3.  I think that the last 2 steps of extending the encrypted partition to the entire disk could be clearer.


Get thousands of games on your PC, your mobile phone, and the web with Windows®. Game with Windows

See how Windows Mobile brings your life together—at home, work, or on the go.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-docs/attachments/20080904/3aa5f6b0/attachment-0001.html>