Debian testing on an encrypted root partition
Note: This guide is obsolete. As of Debian 4.0 "etch", encrypted root partition support is now built into the installer.
An encrypted root partition is a good idea for a laptop. If the laptop is lost or stolen, the data cannot be recovered without the password. The downside is that a master password must be entered each time the machine is booted. In addition, etch can be set up to encrypt the swap partition with a different random key on each boot, so that any memory swapped out to disk becomes unreadable after the machine is halted. Filesystem encryption carries a non-zero performance hit, but there should be no perceived difference in system speed.
Finnix specifically is not required for encrypting your root partition (any LiveCD with dm-crypt will do), but it makes it rather easy to do. This guide is specific to Debian testing "etch".
Instructions
1. Install etch as normal. A couple of setup decisions are assumed:
- initramfs-tools is the required initrd method, and is installed by default with debian-installer as of March 2006. The alternative is yaird, and massive changes to the guide would be needed for a yaird installation.
- Do not use LVM. The LVM initramfs scripts make certain assumptions about the root device that are not compatible with this setup.
- A /boot partition is required, and will be left unencrypted.
- While technically multiple partitions could be used (/, /usr, /home, etc), it's not recommended, as you would have to type a decryption password for each partition. This guide assumes a /boot partition at /dev/hda1, a swap partition at /dev/hda2 and a root (/) partition at /dev/hda3. The root partition will be encrypted with a password of your choice, and the swap partition will be dynamically encrypted on each boot.
- If you are converting an existing etch system, kernel 2.6.15-1 is required (2.6.13 technically, but etch skipped from 2.6.12 directly to 2.6.15).
2. Create /etc/mkinitramfs/hooks/dmcrypt:
#!/bin/sh

PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
prereqs)
    prereqs
    exit 0
    ;;
esac

if [ ! -x /sbin/cryptsetup ]; then
    exit 0
fi

. /usr/share/initramfs-tools/hook-functions

copy_exec /sbin/cryptsetup /sbin

for x in dm_mod dm_crypt aes; do
    manual_add_modules ${x}
done
3. Create /etc/mkinitramfs/scripts/local-top/dmcrypt:
#!/bin/sh

PREREQ=""

prereqs()
{
    echo "$PREREQ"
}

case $1 in
# get pre-requisites
prereqs)
    prereqs
    exit 0
    ;;
esac

test -z "${crypt_root}" && exit

modprobe -q dm_crypt
modprobe -q aes

cryptsetup create root "${crypt_root}"
4. Create /etc/rcS.d/S09cryptswap (it is important that it be named S09cryptswap; the encrypted swap device must be created before it is activated in S10checkroot.sh):
#! /bin/sh

PATH=/sbin:/bin

case "$1" in
  start|"")
    # Map /dev/hda2 with a fresh random key, then write a new swap signature.
    cryptsetup -d /dev/random create swap /dev/hda2
    mkswap /dev/mapper/swap
    ;;
  restart|reload|force-reload)
    echo "Error: argument '$1' not supported" >&2
    exit 3
    ;;
  stop)
    # No-op
    ;;
  *)
    echo "Usage: S09cryptswap [start|stop]" >&2
    exit 3
    ;;
esac

:
5. Make /etc/rcS.d/S09cryptswap executable:
# chmod 755 /etc/rcS.d/S09cryptswap
6. Back up the original initrd and re-create it (replace 2.6.15-1-686 with your installed kernel):
# mv /boot/initrd.img-2.6.15-1-686 /boot/initrd.img-2.6.15-1-686.old
# mkinitramfs -o /boot/initrd.img-2.6.15-1-686 2.6.15-1-686
7. Edit /boot/grub/menu.lst and look for the line that begins with "# kopt=root=/dev/hda3". Change root=/dev/hda3 to root=/dev/mapper/root, and add crypt_root=/dev/hda3 to the end of the line. You should now have something that resembles this:
## default kernel options for automagic boot options
## If you want special options for specific kernels use kopt_x_y_z
## where x.y.z is kernel version. Minor versions can be omitted.
## e.g. kopt=root=/dev/hda1 ro
##      kopt_2_6_8=root=/dev/hdc1 ro
##      kopt_2_6_8_2_686=root=/dev/hdc2 ro
# kopt=root=/dev/mapper/root ro crypt_root=/dev/hda3
8. Save and exit /boot/grub/menu.lst. Re-create the corresponding entries in the file:
# update-grub
9. Edit /etc/fstab and change /dev/hda3 to /dev/mapper/root, and /dev/hda2 to /dev/mapper/swap.
10. Boot into Finnix, back up the root partition, and re-create it as an encrypted partition:
finnix# mkdir /mnt/x
finnix# mount /dev/hda3 /mnt/x
finnix# rsync -avzP -e ssh --numeric-ids /mnt/x/ root@otherhost:/backup-laptop/
finnix# umount /mnt/x
finnix# shred -n 1 -z -v /dev/hda3 # Optional, but recommended. Increase -n value based on paranoia.
finnix# cryptsetup -y create root /dev/hda3
(enter desired password twice here)
finnix# mke2fs -j /dev/mapper/root
finnix# mount /dev/mapper/root /mnt/x
finnix# rsync -avzP -e ssh --numeric-ids root@otherhost:/backup-laptop/ /mnt/x/
finnix# umount /mnt/x
finnix# cryptsetup remove root
11. Reboot. When the initrd begins, you will be asked for a password. Enter the password you provided to encrypt the filesystem. If you enter an incorrect password, the mount will fail, and you will have to reboot in order to try again.
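A consistency check for the files edited in steps 7 to 9, worth running before the root partition is wiped in step 10. This is an added example, not part of the original guide; the function name check_crypt_config is hypothetical, and the device names are the guide's assumed layout.

```shell
#!/bin/sh
# Added example, not from the original guide.
# Assumes the guide's layout: /dev/hda2 = swap, /dev/hda3 = root.

# check_crypt_config FSTAB MENU_LST
# Prints one line per problem found; returns 0 only when none were found.
check_crypt_config() {
    fstab=$1
    menu=$2
    rc=0

    # Step 9: / and swap must go through the device-mapper names.
    awk '$1 !~ /^#/ && $2 == "/" { print $1 }' "$fstab" |
        grep -qx /dev/mapper/root ||
        { echo "fstab: / is not on /dev/mapper/root"; rc=1; }
    awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab" |
        grep -qx /dev/mapper/swap ||
        { echo "fstab: swap is not on /dev/mapper/swap"; rc=1; }
    # A leftover raw-device entry means step 9 was only partly applied.
    if grep -Eq '^[[:space:]]*/dev/hda[23][[:space:]]' "$fstab"; then
        echo "fstab: still references /dev/hda2 or /dev/hda3 directly"; rc=1
    fi

    # Step 7: the "# kopt=" template line that update-grub reads.
    kopt=$(sed -n 's/^# kopt=//p' "$menu" | tail -n 1)
    case " $kopt " in
        *" root=/dev/mapper/root "*) ;;
        *) echo "menu.lst: kopt lacks root=/dev/mapper/root"; rc=1 ;;
    esac
    case " $kopt " in
        *" crypt_root=/dev/hda3 "*) ;;
        *) echo "menu.lst: kopt lacks crypt_root=/dev/hda3"; rc=1 ;;
    esac

    # Step 8: generated kernel lines must carry crypt_root too; without it
    # the local-top script exits early and /dev/mapper/root never appears.
    if grep -E '^[[:space:]]*kernel[[:space:]].*root=' "$menu" |
        grep -vq 'crypt_root=/dev/hda3'; then
        echo "menu.lst: a kernel line lacks crypt_root (run update-grub)"; rc=1
    fi
    return "$rc"
}
```

Source the file and call check_crypt_config /etc/fstab /boot/grub/menu.lst as root; any output means a step needs to be redone before booting into Finnix.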