Revision of Full Disk encryption install from Tue, 11/10/2009 - 18:09


Introduction

We will install Trisquel in an encrypted hard drive:
  • swap will be encrypted
  • root (/) will be encrypted
  • boot (/boot) cannot be encrypted, but it could be placed on a USB key or a non-rewritable CD-ROM (not covered here)

Howto

  • Boot with the Trisquel STS live CD
  • Connect to the network using network manager
  • Open the terminal and become root (type "sudo su" without the quotes):

sudo su
  • Install cryptsetup and gparted

apt-get update
apt-get install gparted
apt-get install cryptsetup
  • Launch gparted and partition your hard disk as you normally would, creating valid unencrypted partitions (with a filesystem on each); the root partition is reformatted with cryptsetup in a later step

  • Use English Wikipedia to find the best block cipher around. I used aes,xts,essiv:256
  • Load the modules of the chosen encryption:

modprobe xts
modprobe aes_i586
modprobe sha256
Note that aes_i586 is an optimized version of AES for i586 or later x86 CPUs.
  • Format the partition you have chosen for root (/) with cryptsetup:

cryptsetup -y --cipher aes-xts-essiv:sha256 --key-size 512 luksFormat /dev/PARTITION
Replace /dev/PARTITION with your partition. This overwrites all the data on the partition.

  • Open the partition (replace /dev/PARTITION as needed):

cryptsetup luksOpen /dev/PARTITION crypto_root
  • Format the partition using the filesystem you want (ext3 is a good choice at the time of writing, but ext4 will be a better choice in the future):

mkfs.ext3 /dev/mapper/crypto_root
  • Launch the Trisquel installer and proceed until the hard disk partitioning
  • Select manual partitioning, then select your root (/) partition to be /dev/mapper/crypto_root
  • Select your swap and your /boot partitions in the same manner
  • Be careful not to recreate the partition table
  • Continue the installation. When it finishes, tell the installer that you want to continue trying Trisquel rather than reboot.
  • Mount your root partition and chroot into it:

mkdir /mnt/root
mount /dev/mapper/crypto_root /mnt/root
mount /dev/ /mnt/root/dev -o bind
chroot /mnt/root mount /proc
chroot /mnt/root mount /sys
chroot /mnt/root
  • Create /etc/crypttab, replacing /dev/PARTITION as needed:

echo "root /dev/disk/by-uuid/$(sudo vol_id --uuid /dev/PARTITION) none luks" >> /etc/crypttab
  • Add the cipher modules you chose earlier to /etc/initramfs-tools/modules so they are included in the initrd and loaded at boot:

echo xts >> /etc/initramfs-tools/modules
echo aes_i586 >> /etc/initramfs-tools/modules
echo sha256 >> /etc/initramfs-tools/modules
  • Install cryptsetup

apt-get update
apt-get install cryptsetup
  • Rebuild the initrd

mount /boot
update-initramfs -u
  • Exit the chroot and unmount everything

exit
umount /mnt/root/boot
umount /mnt/root/proc
umount /mnt/root/dev
umount /mnt/root/sys
  • And finally reboot into Trisquel. You will be asked for your hard disk encryption password.
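Before leaving the chroot, it is worth checking that the crypttab entry really points at the LUKS container and that the cipher modules were queued for the initrd, since a mistake in either step only shows up as an unbootable system. The script below is an added example, not part of the original howto; it assumes cryptsetup's isLuks and luksUUID commands, the mapping name "root" and the module names used above, and is run inside the chroot as "sh check-cryptroot.sh /dev/PARTITION root".

```shell
#!/bin/sh
# Added sanity check for the crypttab and initramfs-modules steps (not part of
# the original howto). Usage inside the chroot: sh check-cryptroot.sh /dev/PARTITION root
set -u

# check_crypttab NAME UUID  (crypttab text on stdin)
# Succeeds only if an uncommented line maps NAME to the LUKS container with
# UUID (by-uuid path or UUID= form) and carries the "luks" option.
check_crypttab() {
    awk -v name="$1" -v uuid="$2" '
        /^[[:space:]]*(#|$)/ { next }
        $1 == name {
            found = 1
            if ($2 != "/dev/disk/by-uuid/" uuid && $2 != "UUID=" uuid) bad = 1
            if ($4 !~ /(^|,)luks(,|$)/) bad = 1
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# check_modules MODULE...  (module list on stdin, one module per line)
# Succeeds only if every MODULE is listed. Comments and module options are
# ignored, and "-" and "_" are treated as equivalent, as the kernel does.
check_modules() {
    listed=$(awk '{ sub(/#.*/, ""); if (NF) { gsub(/-/, "_", $1); print $1 } }')
    for m in "$@"; do
        norm=$(printf '%s' "$m" | sed 's/-/_/g')
        printf '%s\n' "$listed" | grep -qxF "$norm" || return 1
    done
    return 0
}

# Live checks against the real system; only run when arguments are given.
if [ $# -ge 2 ]; then
    part=$1; name=$2; rc=0
    cryptsetup isLuks "$part" || { echo "$part is not a LUKS container"; rc=1; }
    uuid=$(cryptsetup luksUUID "$part")
    check_crypttab "$name" "$uuid" < /etc/crypttab \
        || { echo "/etc/crypttab has no valid entry '$name' for UUID $uuid"; rc=1; }
    check_modules xts aes_i586 sha256 < /etc/initramfs-tools/modules \
        || { echo "cipher modules missing from /etc/initramfs-tools/modules"; rc=1; }
    [ $rc -eq 0 ] && echo "crypttab and initramfs module list look consistent"
    exit $rc
fi
```

Run it before the "exit" step, and rerun update-initramfs -u if it reports missing modules, since the initrd only picks up the module list when it is rebuilt.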
