Debian testing on an encrypted root partition

Note: This guide is obsolete. As of Debian 4.0 "etch", encrypted root partition support is now built into the installer.

An encrypted root partition is a good idea for a laptop. If the laptop is lost or stolen, the data cannot be recovered. The downside is that a master password must be entered each time the machine is booted. In addition, etch can be set up to dynamically encrypt the swap partition using a different random key on each boot, so any memory swapped out to disk becomes unreadable after the machine is halted. Filesystem encryption carries a non-zero performance hit, but there should be no perceived difference in system speed.

Finnix specifically is not required for encrypting your root partition (any LiveCD with dm-crypt will do), but it makes it rather easy to do. This guide is specific to Debian testing "etch".

Instructions

1. Install etch as normal. A couple of setup decisions are assumed:

  • initramfs-tools is the needed initrd method, and is installed by default with debian-installer as of March 2006. The alternative is yaird, and massive changes to the guide would be needed for a yaird installation.
  • Do not use LVM. The LVM initramfs scripts make certain assumptions about the root device that are not compatible with this setup.
  • A /boot partition is required, and will be left unencrypted.
  • While technically multiple partitions could be used (/, /usr, /home, etc.), it's not recommended, as you would have to type a decryption password for each partition. This guide assumes a /boot partition at /dev/hda1, a swap partition at /dev/hda2 and a root (/) partition at /dev/hda3. The root partition will be encrypted with a password of your choice, and the swap partition will be dynamically encrypted on each boot.
  • If you are converting an existing etch system, kernel 2.6.15-1 is required (2.6.13 technically, but etch skipped from 2.6.12 directly to 2.6.15).

2. Create /etc/mkinitramfs/hooks/dmcrypt:

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

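# Nothing to add if cryptsetup is not installed.
if [ ! -x /sbin/cryptsetup ]; then
        exit 0
fi

. /usr/share/initramfs-tools/hook-functions

# Copy cryptsetup and the libraries it links against into the initramfs.
copy_exec /sbin/cryptsetup /sbin

# Include the device-mapper, dm-crypt and AES cipher modules.
for x in dm_mod dm_crypt aes; do
        manual_add_modules "${x}"
done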

3. Create /etc/mkinitramfs/scripts/local-top/dmcrypt:

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
        prereqs
        exit 0
        ;;
esac

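# crypt_root= is set on the kernel command line (step 7); do nothing without it.
test -z "${crypt_root}" && exit
modprobe -q dm_crypt
modprobe -q aes
# Prompt for the password and map the device as /dev/mapper/root.
cryptsetup create root "${crypt_root}"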

4. Create /etc/rcS.d/S09cryptswap (it is important that it be named S09cryptswap; the encrypted swap device must be created before it is activated in S10checkroot.sh):

#! /bin/sh

PATH=/sbin:/bin

case "$1" in
  start|"")
        # Map the swap partition with a fresh random key, then format it as swap.
        cryptsetup -d /dev/random create swap /dev/hda2
        mkswap /dev/mapper/swap
        ;;
  restart|reload|force-reload)
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
  stop)
        # No-op
        ;;
  *)
        echo "Usage: $0 [start|stop]" >&2
        exit 3
        ;;
esac

:

5. Make /etc/rcS.d/S09cryptswap executable:

# chmod 755 /etc/rcS.d/S09cryptswap

6. Back up the original initrd and re-create it (replace 2.6.15-1-686 with your installed kernel):

# mv /boot/initrd.img-2.6.15-1-686 /boot/initrd.img-2.6.15-1-686.old
# mkinitramfs -o /boot/initrd.img-2.6.15-1-686 2.6.15-1-686

7. Edit /boot/grub/menu.lst and look for the line that begins with "# kopt=root=/dev/hda3". Change root=/dev/hda3 to root=/dev/mapper/root, and add crypt_root=/dev/hda3 to the end of the line. You should now have something that resembles this:

## default kernel options for automagic boot options
## If you want special options for specific kernels use kopt_x_y_z
## where x.y.z is kernel version. Minor versions can be omitted.
## e.g. kopt=root=/dev/hda1 ro
##      kopt_2_6_8=root=/dev/hdc1 ro
##      kopt_2_6_8_2_686=root=/dev/hdc2 ro
# kopt=root=/dev/mapper/root ro crypt_root=/dev/hda3

8. Save and exit /boot/grub/menu.lst. Re-create the corresponding entries in the file:

# update-grub

9. Edit /etc/fstab and change /dev/hda3 to /dev/mapper/root, and /dev/hda2 to /dev/mapper/swap.

10. Boot into Finnix, back up the root partition and re-create it as an encrypted partition:

finnix# mkdir /mnt/x
finnix# mount /dev/hda3 /mnt/x
finnix# rsync -avzP -e ssh --numeric-ids /mnt/x/ root@otherhost:/backup-laptop/
finnix# umount /mnt/x
finnix# shred -n 1 -z -v /dev/hda3  # Optional, but recommended.  Increase -n value based on paranoia.
finnix# cryptsetup -y create root /dev/hda3
(enter desired password twice here)
finnix# mke2fs -j /dev/mapper/root
finnix# mount /dev/mapper/root /mnt/x
finnix# rsync -avzP -e ssh --numeric-ids root@otherhost:/backup-laptop/ /mnt/x/
finnix# umount /mnt/x
finnix# cryptsetup remove root

11. Reboot. When the initrd begins, you will be asked for a password. Enter the password you provided to encrypt the filesystem. If you enter an incorrect password, the mount will fail, and you will have to reboot in order to try again.
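
Steps 2 to 9 only edit files, while step 10 erases the root partition, so the earlier steps are worth checking before booting into Finnix. The following check is an added example, not part of the original guide; the `preflight` function name and its optional root-prefix argument are assumptions, and the paths are the ones used in this guide.

```shell
#!/bin/sh
# Added example (not from the original guide): checks the files from steps 2-9.
# Usage: preflight [ROOT]   ROOT is a hypothetical prefix such as /mnt/x; default is /

preflight() {
    root="${1:-}"; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }
    menu="$root/boot/grub/menu.lst"

    # Steps 2-5: these scripts are executed directly, so they must be executable.
    for f in etc/mkinitramfs/hooks/dmcrypt \
             etc/mkinitramfs/scripts/local-top/dmcrypt \
             etc/rcS.d/S09cryptswap; do
        [ -x "$root/$f" ] || fail "/$f missing or not executable"
    done

    # Step 7: the kopt template names the mapper device and the backing device.
    kopt=$(grep '^# kopt=' "$menu" 2>/dev/null) || true
    echo "$kopt" | grep -Eq '(kopt=| )root=/dev/mapper/root( |$)' ||
        fail "kopt lacks root=/dev/mapper/root"
    dev=$(echo "$kopt" | sed -n 's/.*[= ]crypt_root=\([^ ]*\).*/\1/p')
    [ -n "$dev" ] || fail "kopt lacks crypt_root=<device>"

    # Step 8: update-grub must have copied kopt into the real kernel lines.
    grep -Eq '^[[:space:]]*kernel[[:space:]].*crypt_root=' "$menu" 2>/dev/null ||
        fail "no kernel line carries crypt_root= (update-grub not run?)"

    # Step 9: fstab must use the mapper devices, not the raw partitions.
    awk '$1=="/dev/mapper/root" && $2=="/"    {r=1}
         $1=="/dev/mapper/swap" && $3=="swap" {s=1}
         END {exit !(r && s)}' "$root/etc/fstab" 2>/dev/null ||
        fail "fstab lacks /dev/mapper/root on / or /dev/mapper/swap as swap"

    # Steps 4 and 7 together: the swap script re-keys and reformats its device
    # on every boot, so it must never point at the root's backing device.
    if [ -n "$dev" ] && grep -Eq "create swap $dev( |\$)" \
            "$root/etc/rcS.d/S09cryptswap" 2>/dev/null; then
        fail "S09cryptswap targets the root device $dev"
    fi
    return $rc
}
```

Source the file and call `preflight` on the installed system before step 10; a non-zero return means at least one step needs revisiting.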