Encrypting (almost) your entire hard drive with dm-crypt (LUKS) and lvm2, Part 1


Introduction

About five months ago, I wrote about how to convert an existing Linux install from regular partitioning to encrypted volumes (in particular, an encrypted /home with an unencrypted /). That sort of setup is relatively simple once the partitioning is done, and it needs no special early userland (no initramfs image), because the kernel can mount / directly. However, it only protects the data in /home. The system itself sits in the clear, so anyone with physical access can modify the unencrypted / (swap in a trojaned binary or login script, for instance) and root your system, or simply capture the /home passphrase the next time you type it.

For those who are a little more paranoid (especially in light of some recent news), the next level of security for your data is to encrypt everything except your /boot partition, which the boot loader has to be able to read.

Going to this level, you're going to be repartitioning pretty much your entire hard disk, so you might be best off just backing up everything (you should do this in any case), and reinstalling your system.

Some recent Linux installers make this sort of setup relatively pain-free. For example, Ubuntu 8.04's Alternative install disk gives the option of setting up an encrypted LVM volume to install the system on during its guided partitioning wizard. This is a rather easy way to have your laptop's data securely encrypted quickly. However, with this setup, I wasn't able to get suspend-to-disk support to function properly (though I'm sure it could be done with a little extra effort, I don't know if most Ubuntu users would be willing to do so).

However, this guide is focused on the crowd of people who use distros that do not make this easy. For myself, I'm installing Exherbo during this guide, but the instructions should be almost exactly the same for Gentoo, or most any other distro.

Partitioning Overview

For this first step, you will need to create two standard disk partitions. The first should be only 32M or so in size -- this will be our /boot partition, and should probably be ext2. It stays unencrypted because the boot loader has to read the kernel and initramfs from it. The second will be the rest of the space you wish to devote to this Linux install (in my case, 10G). The layout below uses the old IDE device names (/dev/hda1, /dev/hda2); on a SATA or SCSI disk substitute /dev/sda1 and /dev/sda2.

The final layout of everything is going to be like this:


/dev/hda1 - /boot
/dev/hda2 - dm-crypt encrypted volume, containing one lvm2
  physical volume

/dev/mapper/hda2_crypt - what we get when we run cryptsetup luksOpen
  on hda2, contains one lvm physical volume, containing the volume
  group "vg"

/dev/mapper/vg-swap - our swap partition
/dev/mapper/vg-root - our root partition

With this layout, everything that can be encrypted and LVM-managed is: only /boot stays in the clear. Swap sits inside the encrypted volume, so a suspend-to-disk image written to it is encrypted too. And we only need to enter our passphrase once: luksOpen on hda2 exposes the physical volume, and activating the volume group then gives us both swap and root. The price is that the kernel can no longer mount / on its own; something in early userland (the initramfs) has to prompt for the passphrase, open the LUKS volume and activate LVM before the real root can be mounted.
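As an added example (not part of the original post), here is the command sequence that produces the layout above, written as a shell script that only prints the commands unless you set DRY_RUN=0. The disk and partition names, the volume group name "vg", the 1G swap size, the root filesystem type and the cipher options are assumptions of this example; the post itself only fixes the names in the layout.

```shell
#!/bin/sh
# Added example, not from the original post: build the layout described
# above. Everything here is an assumption you should adjust: the disk,
# the partition numbers, the volume group name, swap size, filesystems.
# By default nothing is executed; the script prints what it would run.
# Set DRY_RUN=0 and run as root on an *empty* disk to do it for real.

DISK=${DISK:-/dev/hda}
BOOT_PART=${BOOT_PART:-${DISK}1}
CRYPT_PART=${CRYPT_PART:-${DISK}2}
CRYPT_NAME=${CRYPT_NAME:-$(basename "$CRYPT_PART")_crypt}   # -> hda2_crypt
VG=${VG:-vg}
SWAP_SIZE=${SWAP_SIZE:-1G}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# LVM exposes each logical volume as /dev/mapper/<vg>-<lv>. A '-' inside
# either name is written as '--' so the split stays unambiguous.
dm_path() {
    dm_vg=$(printf '%s' "$1" | sed 's/-/--/g')
    dm_lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s\n' "$dm_vg" "$dm_lv"
}

plan_layout() {
    # /boot stays unencrypted: the boot loader must read the kernel from it.
    run mke2fs "$BOOT_PART"
    # Write a LUKS header onto the big partition. This destroys its contents
    # and prompts for the passphrase that will unlock everything else.
    # The cipher choice is this example's, not the post's.
    run cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 "$CRYPT_PART"
    # Unlock it; the plaintext view appears as /dev/mapper/$CRYPT_NAME.
    run cryptsetup luksOpen "$CRYPT_PART" "$CRYPT_NAME"
    # One physical volume inside the plaintext device, one volume group.
    run pvcreate "/dev/mapper/$CRYPT_NAME"
    run vgcreate "$VG" "/dev/mapper/$CRYPT_NAME"
    # Fixed-size swap first; root takes whatever remains.
    run lvcreate -L "$SWAP_SIZE" -n swap "$VG"
    run lvcreate -l 100%FREE -n root "$VG"
    run mkswap "$(dm_path "$VG" swap)"
    run mkfs.ext4 "$(dm_path "$VG" root)"
}

plan_layout
```

Run it once in the default dry-run mode and read the nine commands before running it for real: luksFormat is irreversible. The dm_path helper is there for the case the layout above does not show: if a volume group or logical volume name contains a hyphen, device-mapper doubles it, so a group "my-vg" appears as /dev/mapper/my--vg-root, and that is the name your initramfs and /etc/fstab must use.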

Next Time...

In my next few posts, I'll go into more details about how to set this partition scheme up, how to configure your kernel, and how to create the necessary initramfs image to boot from an encrypted / partition.

1 TrackBack

Six months ago I posted an outline for encrypting your system with LUKS. Well, I figure it's about time for me to write up how to actually go about it. In this post, I'll outline the necessary kernel configuration. The...

4 Comments

I'm really looking forward to these posts (and exherbo, for that matter), thank you.

Could you expand a little into placing /boot on a usb stick or bootable cd? That should give extra protection from tampering at little cost.

Another thing: If I remember correctly, LUKS keeps the actual key on the encrypted disk, itself encrypted with a passphrase. Naturally this means that an attacker only has to break the passphrase, which gets him the key. Back in Loop-AES days you were able to place the key itself on an external medium, which meant a _lot_ more work for any attacker. Is there any way to do this with LUKS?

Yes, it is possible to place /boot on some removable media. That can give a little extra protection... but in my case, if someone steals my laptop bag, or searches it at the airport, it seems quite possible they'd have that device, too.

LUKS does let you use a keyfile. I haven't decided for sure yet, but other tutorials I have read point to using gpg to encrypt that key data. You could put that encrypted data on your removable media, but the same issue as above still applies.

But, as with any sort of encryption, a strong password is key to having your data remain secure.

In my case that usb stick is likely in my pocket or traveling separately, so it would increase security quite a bit.

While LUKS lets you use a keyfile, I recall that it is just a copy of the one that is still (and AFAIK that can't be changed!) stored on disk (which is quite stupid, I think), because it is rather meant as a way to transfer and backup (I may be wrong here, but I remember this being the primary reason I decided against LUKS one or two years ago).

A strong password is good, but being able to physically destroy your only copy of the keyfile (as in: melt that usb stick and smash the remains) is much better. As I said before, if your keyfile is stored on the same medium, an attacker only has to force the password (stronger is better here), but if it is on a separate medium (that may be far away, unobtainable or even destroyed), then the attacker has to force the actual encryption, which is quite a few powers of 2 more difficult, so I'd prefer that.

I don't know much about the new (proposed?) airport security in the US, but couldn't they probably just detain you until you give the password? A system that doesn't start makes it probably just more suspicious.

Of course encrypting data is good, but in addition just have a minimal XP installation that boots (bootloader timeout=0). I doubt they would be able to spot you have linux in there as well on a routine inspection. And on the XP side there's nothing sensitive. You would have to sacrifice some space, but in general IMO it would probably be "safer" than a system that doesn't boot until it gets a password...