Submitted by GNUtoo on Tue, 11/10/2009 - 13:51
Revision of Full Disk encryption install from Tue, 11/10/2009 - 18:09
Introduction
We will install Trisquel on an encrypted hard drive:
- swap will be encrypted
- root (/) will be encrypted
- boot (/boot) cannot be encrypted but could be on a USB key or a non-rewritable CD-ROM (not covered here)
Howto
- Boot with the Trisquel STS livecd
- Connect to the network using network manager
- Open the terminal and become root (type "sudo su" without the quotes):
sudo su
- Install cryptsetup and gparted
apt-get update
apt-get install gparted
apt-get install cryptsetup
- Launch gparted and partition your hard disk as you normally would (create filesystems on the partitions, etc.), so that you end up with valid, unencrypted partitions
- Use the English Wikipedia to find the best block cipher around. I used aes,xts,essiv:256
- Load the modules of the chosen encryption:
modprobe xts
modprobe aes_i586
modprobe sha256
Note that aes_i586 is an optimized version of aes for i586 or later x86 CPUs.
- Format the partition you have chosen for root (/) with cryptsetup (replace /dev/PARTITION with your partition; this overwrites all data on the partition):
cryptsetup -y --cipher aes-xts-essiv:sha256 --key-size 512 luksFormat /dev/PARTITION
- Open the partition (replace /dev/PARTITION as needed):
cryptsetup luksOpen /dev/PARTITION crypto_root
- Format the partition using the filesystem you want (ext3 is a good choice at the time of writing, but ext4 will be a better choice in the future):
mkfs.ext3 /dev/mapper/crypto_root
- Launch the Trisquel installer and proceed until the hard disk partitioning
- Select manual partitioning, then select your root (/) partition to be /dev/mapper/crypto_root
- Select your swap and your /boot partitions in the same manner
- Be careful not to recreate the partition table
- Continue the installation. When it finishes tell the installer that you want to continue trying Trisquel, not to reboot.
- Mount your root partition, bind /dev, /proc and /sys into it, and chroot into it:
mkdir /mnt/root
mount /dev/mapper/crypto_root /mnt/root
mount -o bind /dev /mnt/root/dev
mount -t proc proc /mnt/root/proc
mount -t sysfs sysfs /mnt/root/sys
chroot /mnt/root
- Create /etc/crypttab (replace /dev/PARTITION as needed):
echo "root /dev/disk/by-uuid/$(sudo vol_id --uuid /dev/PARTITION) none luks" >> /etc/crypttab
- Add the cipher modules you chose earlier to /etc/initramfs-tools/modules so they are included in the initrd and loaded at boot:
echo xts >> /etc/initramfs-tools/modules
echo aes_i586 >> /etc/initramfs-tools/modules
echo sha256 >> /etc/initramfs-tools/modules
- Install cryptsetup (inside the chroot)
apt-get update
apt-get install cryptsetup
- Mount /boot and rebuild the initrd
mount /boot
update-initramfs -u
- Exit the chroot and unmount everything
exit
umount /mnt/root/boot
umount /mnt/root/proc
umount /mnt/root/dev
umount /mnt/root/sys
- And finally reboot into Trisquel. You will be asked for your hard disk encryption password.
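Before leaving the chroot it is worth checking that the two files the boot process depends on, /etc/crypttab and /etc/initramfs-tools/modules, actually say what you meant: a wrong field count, a non-persistent device name such as /dev/sda2, or a cipher module missing from the initrd list all end in an unbootable system with no error until the next reboot. The script below is an added example and not part of the original howto. It takes file paths as arguments so it can be run on /mnt/root/etc/crypttab and /mnt/root/etc/initramfs-tools/modules from the live CD, or, as in the demo function, on constructed sample files in a temporary directory; the UUID used in the demo is made up, and on a real system you would pass the output of `vol_id --uuid /dev/PARTITION` (or `cryptsetup luksUUID /dev/PARTITION`).

```shell
#!/bin/sh
# Added example (not from the original howto): sanity checks for the chroot
# configuration before rebuilding the initrd and rebooting.

# Build one crypttab line: <target> <source> <keyfile> <options>.
# Refuses anything that is not a UUID, so a failed vol_id/luksUUID call
# cannot silently produce an entry with an empty source field.
# Usage: crypttab_line crypto_root "$(vol_id --uuid /dev/PARTITION)"
crypttab_line() {
    name=$1
    uuid=$2
    printf '%s\n' "$uuid" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || {
        echo "crypttab_line: '$uuid' is not a UUID" >&2
        return 1
    }
    printf '%s /dev/disk/by-uuid/%s none luks\n' "$name" "$uuid"
}

# Check a crypttab file: every non-comment line must have exactly four
# fields, a persistent (by-uuid or UUID=) source and the luks option.
# Returns 0 only if every line passes.
check_crypttab() {
    file=$1
    bad=0
    while read -r target source key opts extra; do
        case "$target" in ''|'#'*) continue ;; esac
        if [ -z "$opts" ] || [ -n "$extra" ]; then
            echo "crypttab: wrong field count on entry '$target'" >&2
            bad=1
            continue
        fi
        case "$source" in
            /dev/disk/by-uuid/*|UUID=*) ;;
            *) echo "crypttab: $target uses a non-persistent device: $source" >&2; bad=1 ;;
        esac
        case ",$opts," in
            *,luks,*) ;;
            *) echo "crypttab: $target lacks the luks option" >&2; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Check that the initramfs module list names every module needed to unlock
# the root device. A running system can load cipher modules on demand; the
# initrd cannot, so anything missing here stops the boot at the passphrase
# prompt. A module name may be followed by options, hence the trailing match.
# Usage: check_initramfs_modules FILE module...
check_initramfs_modules() {
    file=$1
    shift
    missing=0
    for mod in "$@"; do
        grep -Eq "^[[:space:]]*$mod([[:space:]]|\$)" "$file" || {
            echo "initramfs modules: $mod is missing from $file" >&2
            missing=1
        }
    done
    return $missing
}

# Stand-alone demo on constructed sample files (constructed UUID, not a real
# system). On the live CD, run the two check functions against
# /mnt/root/etc/crypttab and /mnt/root/etc/initramfs-tools/modules instead.
demo() {
    dir=$(mktemp -d)
    crypttab_line crypto_root 0f2c0c1e-7b4a-4b8f-9c4d-1a2b3c4d5e6f > "$dir/crypttab"
    printf 'xts\naes_i586\nsha256\n' > "$dir/modules"
    check_crypttab "$dir/crypttab" && check_initramfs_modules "$dir/modules" xts aes_i586 sha256
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo
```

The checks are deliberately narrow: they do not validate the cipher string itself, only that the entry and the module list are well-formed and consistent with each other. Run them as the last step inside the chroot, before update-initramfs -u, so a typo is caught while the live CD is still available to fix it.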