Languages

User login
Create new account

Navigation

Recent donations

Kirsten Thiemann
donated € 10.00

STEFFEN SCHULER
donated € 20.00

PublicLewdness
donated CAD 5.00

Dietmar Nowak
donated € 20.00

Donate now!

bc1q3t3vxjhd3dmvg3cfn24k4l7n4mf750utpp75hn

Submitted by SirGrant on Tue, 02/07/2012 - 22:43

Full Disk Encryption via terminal

This manual describes how to install Trisquel using full disk encryption.

swap will be encrypted.
root (/) will be encrypted.
boot (/boot) cannot be encrypted but could be on an USB key or non-rewritable CD-ROM (not covered here).

Instructions

Boot the CD, DVD, or USB thumb drive into the live environment.
Connect to the network using NetworkManager (located on the far-right side of the Panel).
Open the terminal and become root:

sudo su

Install cryptsetup and gparted:

apt-get update
apt-get install gparted
apt-get install cryptsetup

Launch gparted and partition your hard disk like you would do normally (so create filesystem on the partition etc...) creating unencrypted valid partitions.

Use Wikipedia to find a good block cypher. One example is aes,xts,essiv:256.
Load the modules of the chosen encryption:

modprobe xts
modprobe aes_i586 
modprobe sha256

Note that aes_i586 is an optimized version of aes for i586 or later X86 CPU. For a 64 bit architecture (amd64), you have to load the aes_x86_64 module.

Format the partition you have chosen for root(/) with cryptsetup:

cryptsetup -y --cipher aes-xts-essiv:sha256 --key-size 512 luksFormat /dev/PARTITION

Replace /dev/PARTITION by your partition. It will overwrite all the data in the partition.

Open the partition (replace /dev/PARTITION as needed):

cryptsetup luksOpen /dev/PARTITION crypto_root

Format the partition using the filesystem you want (preferably ext4, or XFS if you don't mind that partitions cannot be shrunk in XFS). For an ext4 filesystem, run:

mkfs.ext4 /dev/mapper/crypto_root

Launch the Trisquel installer and proceed to step 4, hard disk partitioning.
Select manual partitioning, then select your root (/) partition to be /dev/mapper/crypto_root.
Select your swap partition
Select your unencrypted /boot partition
Be careful not to recreate the partition table.
Proceed with installation. When it finishes, select to continue trying Trisquel. Do not reboot.
Mount your root partition and chroot into it:

mkdir /mnt/root
mount /dev/mapper/crypto_root /mnt/root
mount /dev/ /mnt/root/dev -o bind
chroot /mnt/root mount /proc
chroot /mnt/root mount /sys
chroot /mnt/root

Create the /etc/crypttab replacing /dev/PARTITION as needed:

echo "root /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/PARTITION) none luks" >> /etc/crypttab

Add the cypher modules you have chosen before to /etc/modules so they load at boot and get included in the initd:

echo xts >> /etc/initramfs-tools/modules
echo aes_i586 >> /etc/initramfs-tools/modules
echo aes_x86_64 >> /etc/initramfs-tools/modules # for amd64 arch
echo sha256 >> /etc/initramfs-tools/modules

Install cryptsetup:

apt-get update
apt-get install cryptsetup

Rebuild the initrd:

mount /boot
update-initramfs -u

Exit the chroot and unmount everything:

exit
umount /mnt/root/boot
umount /mnt/root/proc
umount /mnt/root/dev
umount /mnt/root/sys

Finally, reboot Trisquel. You will be asked for your hard disk encryption password.

Revisions

02/07/2012 - 22:43