Full Disk Encryption via terminal

This manual describes how to install Trisquel using full disk encryption.

  • swap will be encrypted.
  • root (/) will be encrypted.
  • boot (/boot) cannot be encrypted but could be on an USB key or non-rewritable CD-ROM (not covered here).

Instructions

  • Boot the CD, DVD, or USB thumb drive into the live environment.
  • Connect to the network using NetworkManager (located on the far-right side of the Panel).
  • Open the terminal and become root:

sudo su
  • Install cryptsetup and gparted:

apt-get update
apt-get install gparted
apt-get install cryptsetup
  • Launch gparted and partition your hard disk like you would do normally (so create filesystem on the partition etc...) creating unencrypted valid partitions.

  • Use Wikipedia to find a good block cypher. One example is aes,xts,essiv:256.
  • Load the modules of the chosen encryption:

modprobe xts
modprobe aes_i586 
modprobe sha256
Note that aes_i586 is an optimized version of aes for i586 or later X86 CPU. For a 64 bit architecture (amd64), you have to load the aes_x86_64 module.

  • Format the partition you have chosen for root(/) with cryptsetup:

cryptsetup -y --cipher aes-xts-essiv:sha256 --key-size 512 luksFormat /dev/PARTITION
  • Replace /dev/PARTITION by your partition. It will overwrite all the data in the partition.

  • Open the partition (replace /dev/PARTITION as needed):

cryptsetup luksOpen /dev/PARTITION crypto_root
  • Format the partition using the filesystem you want (preferably ext4, or XFS if you don't mind that partitions cannot be shrunk in XFS). For an ext4 filesystem, run:

mkfs.ext4 /dev/mapper/crypto_root
  • Launch the Trisquel installer and proceed to step 4, hard disk partitioning.
  • Select manual partitioning, then select your root (/) partition to be /dev/mapper/crypto_root.
  • Select your swap partition
  • Select your unencrypted /boot partition
  • Be careful not to recreate the partition table.
  • Proceed with installation. When it finishes, select to continue trying Trisquel. Do not reboot.
  • Mount your root partition and chroot into it:

mkdir /mnt/root
mount /dev/mapper/crypto_root /mnt/root
mount /dev/ /mnt/root/dev -o bind
chroot /mnt/root mount /proc
chroot /mnt/root mount /sys
chroot /mnt/root
  • Create the /etc/crypttab replacing /dev/PARTITION as needed:

echo "root /dev/disk/by-uuid/$(blkid -o value -s UUID /dev/PARTITION) none luks" >> /etc/crypttab
  • Add the cypher modules you have chosen before to /etc/modules so they load at boot and get included in the initd:

echo xts >> /etc/initramfs-tools/modules
echo aes_i586 >> /etc/initramfs-tools/modules
echo aes_x86_64 >> /etc/initramfs-tools/modules # for amd64 arch
echo sha256 >> /etc/initramfs-tools/modules
  • Install cryptsetup:

apt-get update
apt-get install cryptsetup
  • Rebuild the initrd:

mount /boot
update-initramfs -u
  • Exit the chroot and unmount everything:

exit
umount /mnt/root/boot
umount /mnt/root/proc
umount /mnt/root/dev
umount /mnt/root/sys
  • Finally, reboot Trisquel. You will be asked for your hard disk encryption password.

Revisions

02/07/2012 - 21:43
SirGrant