Encrypting root

I am using disk encryption for a while now. But never really managed to encrypt my root filesystem. Finally got so far! Decision made! Now the hard part: Make it work…

There is a nice tutorial, but it’s not working out of the box. So first I installed Gentoo on a non-encrypted partition just to make it work. It was actually a VirtualBox instance. So after the installation I we have somewhere an image, let’s say called “gentoo.vdi” with the working installation.

Hard Drives

In my system and for the purpose of this tutorial I will assime we have 3 disks:

  • /dev/sda – for the root and swap
  • /dev/sdb – home (already encrypted, with luks passphrase)
The /dev/sdb is a encrypted home from previous installation and contains also the gentoo.vdi image. Now we boot into the Gentoo LiveCD environment.

Creating an encrypted root partition

There are more options how to do that. First one needs to decide how the system will look like. I decided to encrypt the the whole RAW disk first and than create LVM. The reason for  that is that a system I intend to build will have at least 3 partitions:

  1. Boot partition – will be on a USB
  2. Root partition
  3. SWAP partition

In case we would create LVM first and then encrypt the particular partitions separately, we would need to enter the passphrase for each partition at every boot. If we do it my way we enter one passphrase for the whole disk and than we can do the rest. Also we are hidding the disk structure which may have some security benefits too.

So lets do it. I assume that we have a brand new disk, so we do not need to fill it 100 times with random data from /dev/random and get children, grandchildren finally die much before we wipe out the disk. If you insist u can fill it with pseudo-random data from /dev/urandom once:

# dd if=/dev/urandom of=/dev/sda
Now lets encrypt the /dev/sda disk:
# cryptsetup -y --cipher aes-xts-essiv:sha256 --key-size 8196 luksFormat /dev/sda
This will overwrite data on /dev/sda irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: (enter your passphrase, and remember it!)
Verify passphrase: (repeat passphrase)

The reason why I use the particular cipher is explaned in this post. The reason why my key has 8Kb is that I am too paranoid :-PA key with 256 bits should be more than enough 🙂 Finally open the created LUKS partition:

# cryptsetup luksOpen /dev/sda vault
I am using "vault" since the disk will contain more paritions, not only root.

Creating LVM, patitioning and formating

# emerge --ask lvm2
# pvcreate /dev/mapper/vault
# vgcreate vg /dev/mapper/vault
# lvcreate -L 20G -n root vg
# lvcreate -L 4G -n swap vg

So what we have done is: We formated the whole /dev/mapper/vault as a LVM. We created a default LVM group called “vg” and we created 2 partitions in it: “root”, with the size of 20GB and “swap” with the size of 4GB (this depends on your RAM size and if you want to use it for hibernation. The 20GB for root are more than enough. My instalation with KDE4, Compiz, Java and all the other stuff I use has below 10GB. Cool he? 😛

So now we have to format the new partitons. In this tutorial I am using EXT4 filesystem for root:

# mkfs.ext4 /dev/mapper/vg-root
# e2label /dev/mapper/vg-root SystemRoot
# tune2fs -O extents,uninit_bg,dir_index /dev/mapper/vg-root
# mkswap -L SystemSwap /dev/mapper/vg-swap

With this we have a root partition with EXT4 filesystem and additional features turned on, labeled as “SystemRoot”. And we have swap partition labeled as “SystemSwap”. I am using labels to identify disks. This makes easier orientation and in case a disk failure we can just take another disk, restore data from backup (of course we have backup!) and lable it. UUID is not usable since the new disk would have another UUID.

Mounting VDI with the gentoo instalation

After a bit Googling i found this article: http://bethesignal.org/blog/2011/01/05/how-to-mount-virtualbox-vdi-image/

So we do following:

# emerge -av qemu-kvm
# modprobe nbd

Now we mount our encrypted home:

# cryptsetup luksOpen /dev/sdb old-crypted-home
# mkdir /mnt/oldhome
# mount /dev/mapper/old-crypted-home /mnt/oldhome

And we can mount the prepared Gentoo instalation VDI image. I am assuming that the VDI image has 3 paritions:

  1. Boot
  2. Root
  3. Swap
so we mount only “root” using the parameter -P:
# mkdir /mnt/gentoo-instalation
# qemu-nbd -P 2 -c /dev/nbd0 /mnt/gentoo-installation

Copying the prepared gentoo instalation

Lets copy the system:

# mkdir /mnt/gentoo
# mount /dev/mapper/vg-root /mnt/gentoo
# cp -afv /mnt/gentoo-instalation/* /mnt/gentoo

After we are done we can unmount and disconnect the VDI image, we will not need it anymore:

# umount /mnt/gentoo-installation
# qemu-nbd -d /dev/nbd0
Thats it! System is installed but not usable! It will not boot since we have no boot partition and bootloader. I describe this later.


Leave a Reply

Your email address will not be published. Required fields are marked *