Brent Saner on 10 Oct 2007 23:11:48 -0000



Re: [PLUG] Linux encrypted partitions, How To

  • From: "Brent Saner" <brent.saner@gmail.com>
  • To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
  • Subject: Re: [PLUG] Linux encrypted partitions, How To
  • Date: Wed, 10 Oct 2007 19:11:40 -0400
  • Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
  • Sender: plug-bounces@lists.phillylinux.org

that. is. AWESOME.

how would he feel about it going on the gentoo-wiki or TLDP?

On 10/10/07, Brian Vagnoni <bvagnoni@v-system.net> wrote:
More for USB Drives but nonetheless interesting:

Encrypt your entire USB File System and Leave No Trace On Systems You Use It On.

Kudos to Mike from Techno Forensics; I'm pretty sure he doesn't want me using his last name, so I won't.
But Thanks Mike

Fedora Core 5 Encrypted Root Booting on a USB Stick
- Boot in a FC5 session to be used as a source for the encrypted image
- Create the partition to house the root partition (fdisk)
- Randomize the contents of the new partition

- dd if=/dev/urandom of=/dev/{target root device}

- Encrypt the new partition with a passphrase using dm-crypt (not LUKS)

- cryptsetup create -y --verify-passphrase {name} /dev/{target root device}

- Create a new file system on /dev/{target root device}

- mkfs.ext3 /dev/mapper/{name}

- Create a mount point and mount the new encrypted device

- mkdir /mnt/encroot

- mount /dev/mapper/{name} /mnt/encroot

- Copy the existing root partition to the new one

- cp -ax / /mnt/encroot

- Create an entry in /etc/crypttab for the new encrypted device on the new root partition

- vi /mnt/encroot/etc/crypttab

- add entry:

{name} /dev/{target root device} cipher=aes

- Edit the fstab in the new root to let it know where to find the loopbacked root

- vi /mnt/encroot/etc/fstab

- change "LABEL=/..." line to

- "/dev/mapper/{name} / ext3 defaults 1 1"

** Now it gets fun **

- Need to edit the initrd that gets installed with Fedora Core

- Run mkinitrd to load all the necessary modules into initrd

- We'll need ehci-hcd, usb-storage, scsi_mod, & sd_mod to make the USB booting work

- We'll need aes, dm-mod and dm-crypt for the encryption

- mkinitrd --preload=ehci-hcd --preload=usb-storage --preload=scsi_mod --preload=sd_mod --preload=aes --preload=dm-mod --preload=dm-crypt /boot/{initrdname}.img {kernel-no}

- NOTE: to get the kernel number run uname -a; it should be something like "2.6.15-1.2054_FC5"

- Now we have an initial initrd to work with that contains all the modules we need. However, we need to add to it to query the user for their passphrase and decrypt the root before loading.

- So, edit the init script within initrd*.img

- Explode the initrd*.img to a temporary location; with Fedora Core, it's a cpio image that's gzipped

- cd /wherever

- mkdir initrd

- cd initrd

- gzip -cd /boot/{initrdname}.img | cpio -i

- Edit the init script and add the step to cryptsetup the root partition and capture the passphrase

- vi init

- add the line "/sbin/cryptsetup create {name} /dev/{target root device} < /dev/console > /dev/console"

above the line "mkrootdev /dev/root"

- Copy cryptsetup to the initrd/bin directory

- cp /sbin/cryptsetup /wherever/initrd/bin/

- Now wrap the initrd back up to the boot partition

- cd /wherever/initrd

- find . | cpio -o -c | gzip -9 > /boot/{initrdname}.img

- Finally, edit the grub boot loader to point it to the new initrd img

- vi /boot/grub/grub.conf

- add the following lines under the boot choices

title Fedora Core Encrypted ({kernel-no})

rootnoverify (hd0,0)

kernel (hd0,0)/boot/vmlinuz-{kernel-no}.root ro root=/dev/mapper/{name} rhgb quiet

initrd (hd0,0)/boot/{initrdname}.img

- That's it.

- NOTE: The initrd will get overwritten each time the kernel is upgraded. Repeat these steps each time you upgrade the kernel.


TODO:

- Make Root Partition Read Only

To simply install Fedora Core on a USB drive:

- Check your BIOS to ensure your computer can boot off a USB

- Ensure that your USB drive has an MBR on it. If it doesn't (which is likely) download and run the "HP USB Disk Storage Format Tool" (search for it on Google - its home keeps changing). This will install an MBR on the USB drive.

- Remove your internal hard drive. If it is inserted, the installer won't ask to load the USB drivers.

- Install Fedora Core using the 'linux expert' command line boot option

- When it asks to load additional drivers, select the "usb-storage" driver

- Install to the USB drive: /dev/sda

- Make sure that grub is installed to the boot sector of the USB drive

- When the installation reboots to the installed media, leave the CD in and select "rescue"

- Skip that stage that asks to find your existing linux image

- Go to the command line

- Mount the / partition (/dev/sda2) on /mnt/system (or whatever mount point it gives you) and the /boot partition (/dev/sda1) on /mnt/system/boot

- Use chroot to change the root to /mnt/system (or wherever you mounted your drives to) and cd to /boot.

- Need to edit the initrd that gets installed with Fedora Core

- Run mkinitrd to load all the necessary modules into initrd

- mkinitrd --preload=ehci-hcd --preload=usb-storage --preload=scsi_mod --preload=sd_mod /boot/{initrdname}.img {kernel-no}

- NOTE: to get the kernel number run uname -a; it should be something like "2.6.15-1.2054_FC5"

- Finally, edit the grub boot loader to point it to the new initrd img

- vi /boot/grub/grub.conf

- add the following lines under the boot choices

title Fedora Core Encrypted ({kernel-no})

rootnoverify (hd0,0)

kernel (hd0,0)/boot/vmlinuz-{kernel-no}.root ro root=/dev/mapper/{name} rhgb quiet

initrd (hd0,0)/boot/{initrdname}.img

- NOTE: The initrd will get overwritten each time the kernel is upgraded. Repeat these steps each time you upgrade the kernel.

Sources:

http://www.linuxforums.org/forum/lin...isk-drive.html , How to set up a Fedora Core 4 on a USB disk drive, "ROXOFF", 20 Dec 2005

www.linuxjournal.com/article/7743, Encrypt Your Root Filesystem, Mike Petullo, 01 Dec 2004

lukeross.name/blog/10, Fedora: encrypted root partition, Luke Ross, 20 Feb 2006

___________________________________________________________________________
Philadelphia Linux Users Group         --         http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug




--
Brent Saner
215.264.0112(cell)
215.362.7696(residence)

http://www.thenotebookarmy.org
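
The write-up's own NOTE is the weak spot in practice: every kernel upgrade regenerates the initrd, and a regenerated image without cryptsetup in it will simply fail to find the root at boot. What follows is an added example, not part of Brian's or Mike's how-to, that checks an exploded initrd tree for the pieces the procedure adds by hand: the cryptsetup binary in bin/, the preloaded modules, and the cryptsetup line in init sitting above mkrootdev. The function names (check_initrd_tree, make_fixture), the mapping name "encroot" and the device path /dev/sdX2 are my own placeholders; the assumption that mkinitrd stores modules under lib/ as <name>.ko is also mine, not something the post states.

```sh
#!/bin/sh
# Added example, not part of the original post: verify an exploded
# Fedora Core initrd tree contains everything the how-to adds by hand.
# Meant to be run on a regenerated image before rebooting, so a tree
# missing cryptsetup is caught while the old kernel still boots.
#
# Unpack the image as the post does, then point the check at the tree:
#   mkdir /wherever/initrd && cd /wherever/initrd
#   gzip -cd /boot/{initrdname}.img | cpio -i
#   sh check_initrd.sh /wherever/initrd {name}

# Modules the how-to preloads. The module is spelled ehci-hcd. The check
# assumes (my assumption) that module files sit under lib/ as <name>.ko.
REQUIRED_MODULES="ehci-hcd usb-storage scsi_mod sd_mod aes dm-mod dm-crypt"

# check_initrd_tree DIR NAME
#   DIR  - directory holding the exploded initrd
#   NAME - the dm-crypt mapping name the post calls {name}
# Prints one FAIL line per problem and returns 0 only if all pass.
check_initrd_tree() {
    dir=$1; name=$2; rc=0

    # 1. cryptsetup was copied into bin/ and is executable
    if [ ! -x "$dir/bin/cryptsetup" ]; then
        echo "FAIL: $dir/bin/cryptsetup missing or not executable"; rc=1
    fi

    # 2. every preloaded module is actually present in the tree
    for m in $REQUIRED_MODULES; do
        if ! find "$dir/lib" -name "$m.ko" 2>/dev/null | grep -q .; then
            echo "FAIL: module $m.ko not found under $dir/lib"; rc=1
        fi
    done

    # 3. init runs cryptsetup for NAME, and does so before mkrootdev;
    #    otherwise the kernel would try to mount a still-encrypted root
    if [ ! -f "$dir/init" ]; then
        echo "FAIL: $dir/init missing"; return 1
    fi
    crypt_line=$(grep -n "cryptsetup create $name " "$dir/init" | head -n 1 | cut -d: -f1)
    root_line=$(grep -n "mkrootdev /dev/root" "$dir/init" | head -n 1 | cut -d: -f1)
    if [ -z "$crypt_line" ]; then
        echo "FAIL: init has no 'cryptsetup create $name' line"; rc=1
    elif [ -z "$root_line" ]; then
        echo "FAIL: init has no 'mkrootdev /dev/root' line"; rc=1
    elif [ "$crypt_line" -ge "$root_line" ]; then
        echo "FAIL: cryptsetup (line $crypt_line) must come before mkrootdev (line $root_line)"; rc=1
    fi
    return $rc
}

# make_fixture DIR GOOD
# Builds a constructed, minimal stand-in for an exploded initrd so the
# check can be exercised offline; /dev/sdX2 is a placeholder device.
# GOOD=1 builds a tree that should pass. GOOD=0 leaves out cryptsetup
# (the state a fresh kernel upgrade leaves behind) and puts the
# cryptsetup line after mkrootdev (a misplaced edit).
make_fixture() {
    dir=$1; good=$2
    mkdir -p "$dir/bin" "$dir/lib"
    for m in $REQUIRED_MODULES; do : > "$dir/lib/$m.ko"; done
    if [ "$good" = 1 ]; then
        : > "$dir/bin/cryptsetup"
        chmod +x "$dir/bin/cryptsetup"
        printf '%s\n' \
            '#!/bin/nash' \
            '/sbin/cryptsetup create encroot /dev/sdX2 < /dev/console > /dev/console' \
            'mkrootdev /dev/root' > "$dir/init"
    else
        printf '%s\n' \
            '#!/bin/nash' \
            'mkrootdev /dev/root' \
            '/sbin/cryptsetup create encroot /dev/sdX2 < /dev/console > /dev/console' > "$dir/init"
    fi
}

# Run the check when given a tree and a mapping name on the command line.
if [ "$#" -eq 2 ]; then
    check_initrd_tree "$1" "$2"
fi
```

Running it against the real tree before the `find . | cpio -o -c | gzip -9` step gives a yes/no on whether the image is bootable as an encrypted root; the fixture builder exists only so the check can be tried without touching /boot.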