Debian testing on an encrypted root partition

Finnix, the LiveCD for system administrators

Note: This guide is obsolete. As of Debian 4.0 "etch", encrypted root partition support is now built into the installer.

An encrypted root partition is a good idea for a laptop. If the laptop is lost or stolen, the data cannot be recovered without the password. The downside is that a master password must be entered each time the machine is booted. In addition, etch can be set up to dynamically encrypt the swap partition using a different random key during each boot. That way any memory swapped out to disk will become unreadable after the machine is halted. Filesystem encryption carries a non-zero performance cost, but there should be no perceived difference in system speed.

Finnix specifically is not required for encrypting your root partition (any LiveCD with dm-crypt will do), but it makes it rather easy to do. This guide is specific to Debian testing "etch".

Instructions

1. Install etch as normal. A couple of setup decisions are assumed:

  • initramfs-tools is the required initrd method, and is installed by default with debian-installer as of March 2006. The alternative is yaird, and massive changes to the guide would be needed for a yaird installation.
  • Do not use LVM. The LVM initramfs scripts make certain assumptions about the root device that are not compatible with this setup.
  • A /boot partition is required, and will be left unencrypted.
  • While technically multiple partitions could be used (/, /usr, /home, etc), it's not recommended, as you would have to type a decryption password for each partition. This guide assumes a /boot partition at /dev/hda1, a swap partition at /dev/hda2 and a root (/) partition at /dev/hda3. The root partition will be encrypted with a password of your choice, and the swap partition will be dynamically encrypted on each boot.
  • If you are converting an existing etch system, kernel 2.6.15-1 is required (2.6.13 technically, but etch skipped from 2.6.12 directly to 2.6.15).

2. Create /etc/mkinitramfs/hooks/dmcrypt:

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
prereqs)
        prereqs
        exit 0
        ;;
esac

if [ ! -x /sbin/cryptsetup ]; then
        exit 0
fi

. /usr/share/initramfs-tools/hook-functions

copy_exec /sbin/cryptsetup /sbin

for x in dm_mod dm_crypt aes; do
        manual_add_modules ${x}
done

3. Create /etc/mkinitramfs/scripts/local-top/dmcrypt:

#!/bin/sh

PREREQ=""

prereqs()
{
        echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
        prereqs
        exit 0
        ;;
esac

test -z "${crypt_root}" && exit
modprobe -q dm_crypt
modprobe -q aes
cryptsetup create root "${crypt_root}"

4. Create /etc/rcS.d/S09cryptswap (it is important that it be named S09cryptswap; the encrypted swap device must be created before it is activated in S10checkroot.sh):

#! /bin/sh

PATH=/sbin:/bin

case "$1" in
  start|"")
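        # A fresh random key on every boot: swap contents from the previous
        # boot become unreadable. /dev/random may block until the kernel has
        # gathered enough entropy.
        cryptsetup -d /dev/random create swap /dev/hda2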
        mkswap /dev/mapper/swap
        ;;
  restart|reload|force-reload)
        echo "Error: argument '$1' not supported" >&2
        exit 3
        ;;
  stop)
        # No-op
        ;;
  *)
        echo "Usage: $0 [start|stop]" >&2
        exit 3
        ;;
esac

:

5. Make /etc/rcS.d/S09cryptswap executable:

# chmod 755 /etc/rcS.d/S09cryptswap

6. Back up the original initrd and re-create it (replace 2.6.15-1-686 with your installed kernel):

# mv /boot/initrd.img-2.6.15-1-686 /boot/initrd.img-2.6.15-1-686.old
# mkinitramfs -o /boot/initrd.img-2.6.15-1-686 2.6.15-1-686

7. Edit /boot/grub/menu.lst and look for the line that begins with "# kopt=root=/dev/hda3". Change root=/dev/hda3 to root=/dev/mapper/root, and add crypt_root=/dev/hda3 to the end of the line. You should now have something that resembles this:

## default kernel options for automagic boot options
## If you want special options for specific kernels use kopt_x_y_z
## where x.y.z is kernel version. Minor versions can be omitted.
## e.g. kopt=root=/dev/hda1 ro
##      kopt_2_6_8=root=/dev/hdc1 ro
##      kopt_2_6_8_2_686=root=/dev/hdc2 ro
# kopt=root=/dev/mapper/root ro crypt_root=/dev/hda3

8. Save and exit /boot/grub/menu.lst. Re-create the corresponding entries in the file:

# update-grub

9. Edit /etc/fstab and change /dev/hda3 to /dev/mapper/root, and /dev/hda2 to /dev/mapper/swap.

10. Boot into Finnix, back up the root partition and re-create it as an encrypted partition:

finnix# mkdir /mnt/x
finnix# mount /dev/hda3 /mnt/x
finnix# rsync -avzP -e ssh --numeric-ids /mnt/x/ root@otherhost:/backup-laptop/
finnix# umount /mnt/x
finnix# shred -n 1 -z -v /dev/hda3  # Optional, but recommended.  Increase -n value based on paranoia.
finnix# cryptsetup -y create root /dev/hda3
(enter desired password twice here)
finnix# mke2fs -j /dev/mapper/root
finnix# mount /dev/mapper/root /mnt/x
finnix# rsync -avzP -e ssh --numeric-ids root@otherhost:/backup-laptop/ /mnt/x/
finnix# umount /mnt/x
finnix# cryptsetup remove root

11. Reboot. When the initrd begins, you will be asked for a password. Enter the password you provided to encrypt the filesystem. If you enter an incorrect password, the mount will fail, and you will have to reboot in order to try again.
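
A consistency check for steps 7 to 9, worth running before step 10 wipes the root partition, since a missed edit in menu.lst or fstab leaves the re-created system unable to boot. This is an added example, not part of the original guide; the function names check_grub and check_fstab are made up here, and the sample files in demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. Device names are arguments.

# check_grub MENU_LST RAW_ROOT
# The "# kopt=" line and every kernel line that sets root= must boot from
# /dev/mapper/root and pass crypt_root=RAW_ROOT to the local-top script.
check_grub() {
    awk -v want="crypt_root=$2" '
        /^# kopt=/ { seen = 1 }
        /^# kopt=/ || /^[ \t]*kernel[ \t].*[ \t]root=/ {
            ok_root = ok_crypt = 0
            for (i = 1; i <= NF; i++) {
                f = $i; sub(/^kopt=/, "", f)
                if (f == "root=/dev/mapper/root") ok_root = 1
                if (f == want) ok_crypt = 1
            }
            if (!ok_root || !ok_crypt) { print "not converted: " $0 > "/dev/stderr"; bad = 1 }
        }
        END { exit (bad || !seen) }
    ' "$1"
}

# check_fstab FSTAB RAW_ROOT RAW_SWAP
# No active entry may name the raw devices; both mapper devices must be present.
check_fstab() {
    awk -v root="$2" -v swap="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == root || $1 == swap { print "still raw: " $0 > "/dev/stderr"; bad = 1 }
        $1 == "/dev/mapper/root" && $2 == "/" { r = 1 }
        $1 == "/dev/mapper/swap" && $3 == "swap" { s = 1 }
        END { exit (bad || !r || !s) }
    ' "$1"
}

# Constructed sample (not from a real system): fstab was edited, but update-grub
# was not re-run, so the kernel line still points at /dev/hda3.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# kopt=root=/dev/mapper/root ro crypt_root=/dev/hda3' \
        'kernel /vmlinuz-2.6.15-1-686 root=/dev/hda3 ro' > "$d/menu.lst"
    printf '%s\n' '/dev/mapper/root / ext3 defaults 0 1' \
        '/dev/mapper/swap none swap sw 0 0' > "$d/fstab"
    check_grub "$d/menu.lst" /dev/hda3 && g=ok || g=FAIL
    check_fstab "$d/fstab" /dev/hda3 /dev/hda2 && f=ok || f=FAIL
    rm -rf "$d"
    echo "menu.lst: $g, fstab: $f"
}
demo
```

On the installed system, call check_grub /boot/grub/menu.lst /dev/hda3 and check_fstab /etc/fstab /dev/hda3 /dev/hda2; both should return 0 before you boot into Finnix.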
